from Hacker News

The HTTP crash course nobody asked for

by g0xA52A2A on 10/20/22, 8:58 PM with 141 comments

  • by Joker_vD on 10/21/22, 9:33 AM

    > HTTP/1.1 is a delightfully simple protocol, if you ignore most of it.

    As someone who had to write a couple of proxy servers, I can't express how sadly accurate it is.

  • by Donckele on 10/21/22, 8:57 AM

    “By contrast, I think about Bluetooth a lot. I wish I didn't.”

    LOL, yes same here. Can’t wait for Bluetooth’s b̶a̶l̶l̶s̶ baggage to be chopped.

  • by leinadho on 10/21/22, 12:34 PM

    The humorous style is very refreshing, if only my networking lecturers had been more witty I might remember more of this

  • by X-Istence on 10/21/22, 2:31 PM

    > This is not the same as HTTP pipelining, which I will not discuss, out of spite.

    That is because HTTP pipelining was and is a mistake and is responsible for a ton of HTTP request smuggling vulnerabilities because the HTTP 1.1 protocol has no framing.

    No browser supports it anymore, thankfully.

  • by yfiapo on 10/21/22, 12:48 PM

    > We're not done with our request payload yet! We sent:

    > Host: neverssl.com

    > This is actually a requirement for HTTP/1.1, and was one of its big selling points compared to, uh...

    > AhAH! Drew yourself into a corner didn't you.

    > ...Gopher? I guess?

    I feel like the author must know this.. HTTP/1.0 supported but didn't require the Host header and thus HTTP/1.1 allowed consistent name-based virtual hosting on web servers.

    I did appreciate the simple natures of the early protocols, although it is hard to argue against the many improvements in newer protocols. It was so easy to use nc to test SMTP and HTTP in particular.

    I did enjoy the article's notes on the protocols; however, the huge sections of code snippets lost my attention midway.

  • by I_complete_me on 10/21/22, 9:13 AM

    That was an excellent, well-written, well-thought out, well presented, interesting, humorous, enjoyable read. Coincidentally I recently did a Rust crash course so it all made perfect sense - I am not an IT pro. Anyhows, thanks.

  • by Andys on 10/21/22, 9:11 AM

    I learned HTTP1 pretty well but not much of 2.

    Since playing with QUIC, I've lost all interest in learning HTTP/2, it feels like something already outdated that we're collectively going to skip over soon.

  • by Icathian on 10/21/22, 12:58 PM

    Amos' writing style is just so incredibly good. I don't know anyone else doing these very long-form, conversational style articles.

    Plus, you know, just an awesome dev who knows his stuff. Huge fan.

  • by juped on 10/21/22, 7:29 AM

    If you're using OpenBSD nc already, just use nc -c for TLS.

  • by photochemsyn on 10/21/22, 1:32 PM

    What a great overall site. Hopping down the links I found the section on files with code examples in JS, Rust and C, plus strace, really the best short explanation I've ever found online.

    https://fasterthanli.me/series/reading-files-the-hard-way/pa...

  • by rpigab on 10/21/22, 2:00 PM

    This is awesome, didn't read all of it yet, but I will for sure, I use HTTP way too much and too often to ignore some of these underlying concepts, and when I try to look it up, there's always way too much abstraction and the claims aren't proven to me with a simple example, and this article is full of simple examples. Thanks Amos!

  • by est on 10/21/22, 7:21 AM

    I hope there's a h2 or TLS crash course.

  • by antonvs on 10/21/22, 9:04 PM

    > Where every line ends with \r\n, also known as CRLF, for Carriage Return + Line Feed, that's right, HTTP is based on teletypes, which are just remote typewriters

    Does it need to be pointed out that this is complete bullshit?

  • by sireat on 10/21/22, 10:20 AM

    Is HTTP always the same protocol as HTTPS - given the same version - and ignoring the encryption from TLS?

    Theoretically yes, but in practice?

    I've done my share of nc testing even simpler protocols than HTTP/1.1

    For some reason the migration to HTTPS scared me despite the security assurances. I could not see anything useful in wireshark anymore. I now had to trust one more layer of abstraction.

  • by mannyv on 10/23/22, 3:37 AM

    As far as I can tell the Host header is pointless, because if it's SSL/TLS you won't be able to read it and route it. That's what SNI is for. If you aren't TLS then you don't need it, unless you hit the server as an IP. But then why would you do that?

  • by mahdi7d1 on 10/21/22, 11:59 AM

    I didn't ask but I needed it.

  • by mannyv on 10/23/22, 3:39 AM

    Also, never trust the Content-Length. It's been that way since before HTTP was finalized. Use it as guidance, but don't treat it as canonical.
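
The two comments above about request smuggling and about not trusting Content-Length both come down to how a server decides where a request body ends. As an added example (not from the thread or the linked article), here is a strict framing check; the function names and the reject-rather-than-guess policy are assumptions of this sketch, and the sample request is constructed:

```python
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class FramingError(ValueError): """Body length cannot be determined unambiguously."""

def parse_fields(head: bytes):
    """Return [(lowercased name, value)] from a raw request head, strictly."""
    if re.search(rb"\r(?!\n)|(?<!\r)\n", head):
        raise FramingError("bare CR or LF in header block")
    fields = []
    for raw in head.split(b"\r\n")[1:]:
        if not raw:
            break  # empty line ends the header block
        name, sep, value = raw.partition(b":")
        # Rejects "Name : v" and folded lines: parsers disagree on both.
        if not sep or not TOKEN.fullmatch(name):
            raise FramingError(f"malformed header line: {raw!r}")
        fields.append((name.decode().lower(), value.strip(b" \t").decode("latin-1")))
    return fields

def body_framing(head: bytes):
    """Return ("chunked", None), ("length", n) or ("none", 0)."""
    fields = parse_fields(head)
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:
            raise FramingError(f"unsupported transfer codings: {codings}")
        return ("chunked", None)
    if cl:
        # One field, ASCII digits only: no "5, 5", "+5", "0x5" or duplicates.
        if len(cl) > 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise FramingError(f"invalid Content-Length: {cl}")
        return ("length", int(cl[0]))
    return ("none", 0)

def is_rejected(head: bytes) -> bool:
    try:
        body_framing(head)
    except FramingError:
        return True
    return False

# Constructed sample (not captured traffic): conflicting framing headers.
SAMPLE = b"POST / HTTP/1.1\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"
```

A front-end and back-end that both apply the same strict check cannot disagree about where one request ends and the next begins, which is the disagreement request smuggling depends on.
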
  • by mannyv on 10/23/22, 3:32 AM

    When doing HTTP by hand, it's better to do HTTP/1.0 because that tells the server you (and it) can't do anything exciting.

  • by mustak_im on 10/21/22, 10:46 AM

    Yay! This is going to be a great read for the weekend!

  • by danesparza on 10/21/22, 2:32 PM

    More articles should be written in the style of this article. Thank you for this.

  • by tinglymintyfrsh on 10/22/22, 1:25 AM

        GET / HTTP/1.0\r\n\r\n 
    
    Still works with many websites.

  • by mlindner on 10/21/22, 7:52 PM

    Is there a way to get this guide without the annoying side-commentary?

  • by tomcam on 10/21/22, 7:57 AM

    Funny and very helpful. Thank you.

  • by cph123 on 10/21/22, 12:20 PM

    For a crash course would the code examples have been better in something like Python rather than Rust?

  • by tmountain on 10/21/22, 1:23 PM

    This is gold.