网络拓扑和安全_popordersearchrequest

1 简述

大学我们都学过计算机网络和计算机组成原理，个人大学时并不是很注重这方面的知识，以前傻傻的觉得计算机组成原理这些东西不太重要，在工作过程中才发现越是计算机组成原理这玩意，越重要。这里个人回忆和学习的章节一些题外编程知识，主要章节如下（备注：这里是收集资料和学习工作思考笔记，按理说大部分借鉴，如有版权问题，请联系我删除）；

1. 报文传输
2. 网络拓扑图
3. 安全防控
4. 一些漏洞分析和修复

2 内容章节

2.1 报文传输

个人这里简单使用nginx代理查看nginx的debuger日志来学习报文结构数据，首先配置nginx的debuger模式

1. 安装nginx（个人mac os系统），brew install nginx
2. 配置nginx配置,一般本地安装完会有提示配置文件路径，个人配置文件路径是/usr/local/etc/nginx/nginx.conf，如果没有提示，可以直接搜索locate nginx.config
3. 找到配置文件后监听端口，配置如下

server {
        listen       8888;
        server_name  localhost;
        error_log /Users/error.log debug;
        location / {
	    proxy_set_header   Host yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net;
            proxy_set_header   X-Real-IP   $remote_addr;
            proxy_set_header   REMOTE-HOST $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
	    proxy_pass http://yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net;
        }
    }
1
2
3
4
5
6
7
8
9
10
11
12

配置完后测试请求,发送 http://localhost:8888/order/popOrderSearch 请求后，请求参数

{
    "test":"张三",
    "age":241111
}
1
2
3
4

查看nginx日志/Users/error.log

http process request header line
http header: "Content-Type: application/json"
http header: "User-Agent: PostmanRuntime/7.26.8"
http header: "Accept: */*"
http header: "Cache-Control: no-cache"
http header: "Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486"
http header: "Host: localhost:8888"
http header: "Accept-Encoding: gzip, deflate, br"
http header: "Connection: keep-alive"
http header: "Content-Length: 41"
http header done
generic phase: 0
rewrite phase: 1
test location: "/"
using configuration "/"
http cl:41 max:1048576
rewrite phase: 3
post rewrite phase: 4
generic phase: 5
generic phase: 6
generic phase: 7
generic phase: 8
access phase: 9
access phase: 10
access phase: 11
post access phase: 12
generic phase: 13
generic phase: 14
http client request body preread 41
http request body content length filter
http body new buf t:1 f:0 00007FAA4680D72B, pos 00007FAA4680D72B, size: 41 file: 0, size: 0
http init upstream, client timer: 0
http script copy: "Host"
http script copy: "yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net"
http script copy: "X-Real-IP"
http script var: "127.0.0.1"
http script copy: "REMOTE-HOST"
http script var: "127.0.0.1"
http script copy: "X-Forwarded-For"
http script var: "127.0.0.1"
http script copy: "Connection"
http script copy: "close"
http script copy: "Content-Length"
http script var: "41"
http script copy: ""
http proxy header: "Content-Type: application/json"
http proxy header: "User-Agent: PostmanRuntime/7.26.8"
http proxy header: "Accept: */*"
http proxy header: "Cache-Control: no-cache"
http proxy header: "Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486"
http proxy header: "Accept-Encoding: gzip, deflate, br"
http proxy header:

"POST /order/popOrderSearch HTTP/1.0^M
Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M
X-Real-IP: 127.0.0.1^M
REMOTE-HOST: 127.0.0.1^M
X-Forwarded-For: 127.0.0.1^M
Connection: close^M
Content-Length: 41^M
Content-Type: application/json^M
User-Agent: PostmanRuntime/7.26.8^M
Accept: '*/*'
Cache-Control: no-cache^M
Postman-Token: 501c36d1-75b2-4cd4-aa80-0a29fcebd486^M
Accept-Encoding: gzip, deflate, br^M
^M
"


http cleanup add: 00007FAA4680ED90
get rr peer, try: 1
stream socket 4
connect to 101.124.18.198:80, fd:4 #23
kevent set event: 4: ft:-1 fl:0025
kevent set event: 4: ft:-2 fl:0025
http upstream connect: -2
posix_memalign: 00007FAA45C05680:128 @16
event timer add: 4: 60000:259302474
http finalize request: -4, "/order/popOrderSearch?" a:1, c:2
http request count:2 blk:0
http upstream request: "/order/popOrderSearch?"
http upstream send request handler
http upstream send request
http upstream send request body
chain writer buf fl:0 s:398
chain writer buf fl:1 s:41
chain writer in: 00007FAA4680EDF0
writev: 439 of 439
chain writer out: 0000000000000000
event timer del: 4: 259302474
event timer add: 4: 60000:259302564
http upstream request: "/order/popOrderSearch?"
http upstream dummy handler
http upstream request: "/order/popOrderSearch?"
http upstream process header
malloc: 00007FAA48015C00:4096
recv: eof:1, avail:377, err:0
recv: fd:4 377 of 4096
http proxy status 401 "401 Unauthorized"
http proxy header: "Date: Thu, 11 Mar 2021 11:58:26 GMT"
http proxy header: "Content-Type: application/json; charset=utf-8"
http proxy header: "Connection: close"
http proxy header: "x-jdcloud-request-id: c150bpgmqwr218ur1oe60vsg2ome1qgn"
http proxy header: "Server: jfe"
http proxy header done
posix_memalign: 00007FAA48017200:4096 @16

HTTP/1.1 401 Unauthorized^M
Server: nginx/1.19.6^M
Date: Thu, 11 Mar 2021 12:00:01 GMT^M
Content-Type: application/json; charset=utf-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^M

write new buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0
http write filter: l:0 f:0 s:243
http cacheable: 0
http proxy filter init s:401 h:0 c:0 l:-1
http upstream process upstream
pipe read upstream: 1
pipe preread: 176
pipe buf free s:0 t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0
pipe length: -1
input buf #0
pipe write downstream: 1
pipe write downstream flush in
http output filter "/order/popOrderSearch?"
http copy filter: "/order/popOrderSearch?"
http postpone filter "/order/popOrderSearch?" 00007FAA4680EE00
http chunk: 176
write old buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0
write new buf t:1 f:0 00007FAA480174B8, pos 00007FAA480174B8, size: 4 file: 0, size: 0
write new buf t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0
write new buf t:0 f:0 0000000000000000, pos 0000000105B29148, size: 2 file: 0, size: 0
http write filter: l:0 f:0 s:425
http copy filter: 0 "/order/popOrderSearch?"
pipe write downstream done
event timer: 4, old: 259302564, new: 259302612
http upstream exit: 0000000000000000
finalize http upstream request: 0
finalize http proxy request
free rr peer 1 0
close http upstream connection: 4
free: 00007FAA45C05680, unused: 48
event timer del: 4: 259302564
reusable connection: 0
http upstream temp fd: -1
http output filter "/order/popOrderSearch?"
http copy filter: "/order/popOrderSearch?"
http postpone filter "/order/popOrderSearch?" 00007FFEEA1AAFF0
http chunk: 0
write old buf t:1 f:0 00007FAA48017220, pos 00007FAA48017220, size: 243 file: 0, size: 0
write old buf t:1 f:0 00007FAA480174B8, pos 00007FAA480174B8, size: 4 file: 0, size: 0
write old buf t:1 f:0 00007FAA48015C00, pos 00007FAA48015CC9, size: 176 file: 0, size: 0
write old buf t:0 f:0 0000000000000000, pos 0000000105B29148, size: 2 file: 0, size: 0
write new buf t:0 f:0 0000000000000000, pos 0000000105B298D4, size: 5 file: 0, size: 0
http write filter: l:1 f:0 s:430
http write filter limit 0
writev: 430 of 430
http write filter 0000000000000000
http copy filter: 0 "/order/popOrderSearch?"
http finalize request: 0, "/order/popOrderSearch?" a:1, c:1
set http keepalive handler
http close request
http log handler
free: 00007FAA48015C00
free: 00007FAA4680F200, unused: 0
free: 00007FAA4680E200, unused: 8
free: 00007FAA48017200, unused: 2889
free: 00007FAA4680D600
hc free: 0000000000000000
hc busy: 0000000000000000 0
reusable connection: 1
event timer add: 3: 65000:259307612
http empty handler
event timer del: 3: 259307612
http keepalive handler
close http connection: 3
reusable connection: 0
free: 0000000000000000
free: 00007FAA472045C0, unused: 136
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

自己来分析一下报文结构：

"POST /order/popOrderSearch HTTP/1.0^M
Host: yqylfdyhg1gi-test.cn-north-1.jdcloud-api.net^M
X-Real-IP: 127.0.0.1^M
REMOTE-HOST: 127.0.0.1^M
X-Forwarded-For: 127.0.0.1^M
Connection: close^M
Content-Length: 41^M
Content-Type: application/json^M
User-Agent: PostmanRuntime/7.26.8^M
Accept: *\/*^M
Cache-Control: no-cache^M
Postman-Token: 5c574468-1bf1-47ea-9cd9-0d88b245090c^M
Accept-Encoding: gzip, deflate, br^M
^M
"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

2.1.1 请求报文格式

1、进程处理中的请求行request header line
请求行主要由三部分组成: 请求方法（POST）、资源路径（/order/popOrderSearch或加文件名，若是get请求，请求报文会在后面拼接）、协议版本（HTTP/1.0）
POST /order/popOrderSearch HTTP/1.0

2、请求头http header
请求头主要包括验证签名数据，协议，版本，数据传输类型，host，接收数据类型，cookie等等，保证安全行访问有一篇文章https://infosec.mozilla.org/guidelines/web_security#x-xss-protection
3、空行
可能这里设计读取报文方式，个人没再查找资料
3、请求报文体 request body,由于stream，nginx没打印
如nginx代理数据：
http body new buf t:1 f:0 00007FAA4680D72B, pos 00007FAA4680D72B, size: 41 file: 0, size: 0

2.1.2 响应报文数据

HTTP/1.1 401 Unauthorized^M
Server: nginx/1.19.6^M
Date: Thu, 11 Mar 2021 12:00:01 GMT^M
Content-Type: application/json; charset=utf-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
x-jdcloud-request-id: c150cg912cgphbkph7eeutuoqtb3944o^M
1
2
3
4
5
6
7

1、响应状态行
协议、状态码、信息，如 HTTP/1.1 401 Unauthorized
2、响应头
报文响应头，和请求头类似

erver: nginx/1.19.6^M
Date: Thu, 11 Mar 2021 12:00:01 GMT^M
Content-Type: application/json; charset=utf-8^M
Transfer-Encoding: chunked^M
Connection: keep-alive^M
1
2
3
4
5

3、空行
4、返回体
返回的数据结构体，是stream流

2.2网络拓扑图

这里参考别人文献图 https://blog.csdn.net/tryheart/article/details/107471119

更多网络拓扑基本信息可参考 https://blog.csdn.net/tryheart/article/details/107471119
个人这里总结几点：

1. internet的ip地址无法伪造，每个internet国际互联网都需要登记备案
2. WAN广域网内部互通，路由寻地址
   这就存在广域网、互联网、DMZ区的概念，正是因为存在这些原理，所以才能保证网络安全规范和操作。

2.3安全防控

我们可以利用抓包脚本抓包或者安装抓包工具（wireshark，fidder）
因为公网IP是不可伪造，可以利用防火墙强制设置出口和入口的就近公网IP
1、终端计算机
终端计算机非常关键，防止终端计算机中毒，电量不足等
2、出口防控
出口防控主要端口限制，更加安全操作有定向访问IP和端口，更加强制安全要求是访问网关，网关安全出口数据格式。在出口数据主要上报安全数据，指定的报文结构数据。端口防火墙开发等各种技术手段防控，防止一些木马程序导致数据安全丢失和不正当的操作导致数据丢失
3、入口防控
入口数据，访问数据授权，防止恶意窃取数据。这里防控主要IP白名单和和名单准入，以及端口开发转入，更多是上报数据报文格式操作。
4、公司对外发布服务的DMZ服务器
DMZ也就是“隔离区”，可地区隔离，局域网隔离，时间隔离，端口隔离等等
5、VPN和类似远程连接设备。
VPN专用虚拟网通道，就是创建一个专用IP通道进行通讯。更多可设计VPC虚拟物理隔离网

3 Web漏洞缺陷分析和修复（简介）

3.1服务器

1. XSS跨站脚本攻击，通过非资源网站访问禁止操作。站点识别，签名验证等
2. SQL注入，主要保证数据库安全，防止数据丢失等。可以通过sql过滤，预编译
3. 水平垂直越权。不同用户动态权限校验，防止出现不该有的角色拿到越权的数据
4. 防重复提交，防止数据错乱等等
5. 数据存储。加密数据存储
6. 数据枚举。特别是重要数据，用户数据枚举防控
7. 若密码防控。只用多种符号密码组成判断
8. 服务器文件目录遍历。目录权限控制，防止目录遍历
9. 接口权限控制。接口鉴权。
10. 宏机操作。防止雪崩效应，实现分布式
11. …………

3.2客户端

1. 客户端篡改。ios 手机禁止越狱判断、android root权限校验
2. 屏幕录像。屏蔽屏幕录像监控，保护密码和用户私下截图
3. 权限控制。尽量禁止定位和操作，防止个人行踪泄漏
4. 数据存储。加密数据存储
5. 敏感信息泄漏。查看信息脱敏
6. 数据页面权限控制，防止接口泄漏和页面泄漏
7. 代码泄漏。通过混淆编译，增加代码可读性等

4 参考文献

【1】HTTP报文的结构
【2】认识网络、几种常用的网络拓扑图