
What is HTTP “Host” header?

Given that the TCP connection is already established when the HTTP request is sent, the IP address and port are implicitly known -- a TCP connection is an IP + Port.

So, why do we need the Host header? Is this only needed for the case where there are multiple hosts mapped to the IP address implied in the TCP connection?

The Host Header tells the webserver which virtual host to use (if set up). You can even have the same virtual host using several aliases (= domains and wildcard-domains). In this case, you still have the possibility to read that header manually in your web app if you want to provide different behavior based on different domains addressed. This is possible because in your webserver you can (and if I'm not mistaken you must) set up one vhost to be the default host. This default vhost is used whenever the host header does not match any of the configured virtual hosts.

That means: You get it right, although saying "multiple hosts" may be somewhat misleading: The host (the addressed machine) is the same, what really gets resolved to the IP address are different domain names (including subdomains) that are also referred to as hostnames (but not hosts!).


Although not part of the question, a fun fact: This specification led to problems with SSL in early days because the web server has to deliver the certificate that corresponds to the domain the client has addressed. However, in order to know what certificate to use, the webserver should have known the addressed hostname in advance. But because the client sends that information only over the encrypted channel (which means: after the certificate has already been sent), the server had to assume you browsed the default host. That meant one SSL-secured domain per IP address / port-combination.

This has been overcome with Server Name Indication; however, that again breaks some privacy, as the server name is now transferred in plain text again, so every man-in-the-middle would see which hostname you are trying to connect to.

Although the webserver would know the hostname from Server Name Indication, the Host header is not obsolete, because the Server Name Indication information is only used within the TLS handshake. With an unsecured connection, there is no Server Name Indication at all, so the Host header is still valid (and necessary).

Another fun fact: Most webservers (if not all) reject your HTTP request if it does not contain exactly one Host header, even if it could be omitted because there is only the default vhost configured. That means the minimum required information in an http-(get-)request is the first line containing METHOD RESOURCE and PROTOCOL VERSION and at least the Host header, like this:

GET /someresource.html HTTP/1.1
Host: www.example.com

In the MDN Documentation on the "Host" header they actually phrase it like this:

A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code will be sent to any HTTP/1.1 request message that lacks a Host header field or contains more than one.

As mentioned by Darrel Miller, the complete specs can be found in RFC7230.
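The behaviour the answer above describes (exactly one Host header or a 400, alias matching, fallback to the default vhost), as an added example that is not part of the original answer. The vhost table, the host names in it and the `parse_head` / `select_vhost` helpers are constructed for illustration and do not model any particular web server.

```python
import fnmatch

# Constructed vhost table (hypothetical names, for illustration only).
VHOSTS = {
    "www.example.com": ["example.com", "*.example.com"],  # name -> aliases
    "shop.example.org": [],
}
DEFAULT_VHOST = "www.example.com"  # used when no vhost matches the Host value


def parse_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (version, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, _target, version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers


def select_vhost(raw: bytes):
    """Return (status, vhost): 400 for a bad Host count, else the chosen vhost."""
    try:
        version, headers = parse_head(raw)
    except ValueError:
        return 400, None
    hosts = [value for name, value in headers if name == "host"]
    # HTTP/1.1 needs exactly one Host field; duplicates are never acceptable.
    if len(hosts) > 1 or (version == "HTTP/1.1" and not hosts):
        return 400, None
    if not hosts:  # HTTP/1.0 request without Host
        return 200, DEFAULT_VHOST
    # Host names are case-insensitive; drop an optional ":port" suffix.
    # (IPv6 literals are not parsed here and end up on the default vhost.)
    name = hosts[0].lower().split(":", 1)[0]
    for vhost, aliases in VHOSTS.items():
        if name == vhost or any(fnmatch.fnmatchcase(name, a) for a in aliases):
            return 200, vhost
    return 200, DEFAULT_VHOST  # unknown host name: fall back to the default
```

Because an unmatched name silently lands on the default vhost, an application that reads the Host value itself should compare it against its own list of expected names rather than trusting whatever arrived.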

I would always recommend going to the authoritative source when trying to understand the meaning and purpose of HTTP headers.

The "Host" header field in a request provides the host and port information from the target URI, enabling the origin server to distinguish among resources while servicing requests for multiple host names on a single IP address.

https://tools.ietf.org/html/rfc7230#section-5.4

In HTTP 1.1, a host header is a third piece of information that you can use in addition to the IP address and port number to uniquely identify a Web domain or, as Microsoft calls it, an application server. For example, the host header name for the URL www.example.com is www.example.com. An HTML 3.0 or later browser supports HTTP 1.1. The browser includes the host header name you specified in the location field of the request header that the browser sends to the server. If you don't specify a host header name in the request header, the root Web domain acts as the default Web server.

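Notice: The technical posts on this site are published under the CC BY-SA 4.0 license. If you reproduce them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.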

 