
CS3214 Spring 2021 Project 4 – Personal Web and Video Server

Created by G. Back (gback@cs.vt.edu), April 14, 2021

Due Date: Check course website for due date.

This project should be done in groups of 2 students.

1 Introduction

This assignment introduces you to the principles of internetwork communication using the HTTP and TCP protocols, which form two of the most widely used protocols in today's Internet.

In addition, the assignment will introduce you to emerging standards for securely representing claims between parties, specifically JSON Web Tokens as described in RFC 7519 [2].

Last but not least, it will provide an example of how to implement a concurrent server that can handle multiple clients simultaneously.

2 Functionality

The goal of the project is to build a small personal web server that can serve files, stream MP4 video, and provide a simple token-based authentication API.

The web server should implement persistent connections as per the HTTP/1.1 protocol. HTTP/1.1 is specified in a series of Request for Comments standards documents (RFC 7230-7237), though the earlier RFC 2616 [1] provides a shorter read.

You may use code we provide as a base from which to start. To that end, fork the repository at https://git.cs.vt.edu/cs3214-staff/pserv. Be sure to set your fork to be private!

2.1 Serving Files

Your web server should, like a traditional web server, support serving files from a directory (the server root) in the server's file system. These files should appear under the / URL. For instance, if the URL /private/secure.html is visited, and the root directory is set to a directory $DIR that contains the directory private, the content of the file $DIR/private/secure.html should be served. You should return appropriate content type headers, based on the served file's suffix. Support at least .html, .js, and .css files; see /etc/mime.types for a complete list.

Make sure that you do not accidentally expose other files by ensuring that the request URL's path does not contain .. (two adjacent periods), such as /public/../../../../../etc/passwd.

You should return appropriate error codes for requests to URLs you do not support.

2.2 Authentication

You must, at a minimum, support a single user that will authenticate with a username and password. If the user is authenticated, they should have access to the secure portion of your server, which are all files located under /private. Otherwise, such access should be denied.

Your server should implement /api/login as follows:

- When used as the target of a POST request, the body of the request must contain

      {"username":"user0","password":"thepassword"}

  where user0 is the name of the user and thepassword is their password. If the password is correct, your server should respond with a JSON object that describes claims that the client can later use to prove it has successfully authenticated.

  Send (at least) the following claims: (a) sub – to describe the subject (the principal as which the server will recognize the bearer of the claim), (b) iat – the time at which the claim was issued, in seconds since Jan 1, 1970, and (c) exp – the time at which the claim will expire.

  For example, a claim may look like this:

      {"exp":1523737086,"iat":1523650686,"sub":"user0"}

  Returning the claim in the response, however, is not sufficient. The client must also obtain a signature from the server that certifies that the server issued the token (i.e., that the user's password was correct and thus the user has successfully authenticated). This signature is obtained in the form of a JSON Web Token, which the server should return as a cookie to the client. You may choose an appropriate signing mechanism (either HMAC or using a private/public key pair using RSA). You may use the jansson and libjwt libraries which are installed as part of the provided code.
  Check out the files jwt_demo_hs256.c and jwt_demo_rs256.c for examples.

  See MDN for documentation on the Set-Cookie header. Make sure to set the cookie's path to / so that the cookie is sent along for all URIs. You may choose a suitable cookie name such as auth_token.

  If the username/password does not match, your server should return 403 Forbidden.

- When used in a GET request, /api/login should return the claims the client presented in its request if the user is authenticated, or an empty object {} if not.

  Be sure to validate tokens before deciding whether the client is authenticated or not; do not accept tokens that have expired or whose signature does not validate.

You should implement this without storing state server-side, but rather simply by validating the token the client presents.

This type of stateless authentication can be used to provide a simple, yet scalable form of authentication. Unlike in traditional schemes in which the server must maintain a session store to remember past actions by a client, the presented token contains proof of past authentication, and thus the server can directly proceed in handling the request if it can validate the token. Moreover, this way of securely presenting claims allows authentication servers that are separate from the servers that provide the resource or service: for instance, if you log onto a website via Google or Facebook, their authentication server will present a signed token to you which you can later use to prove to a third server that Google or Facebook successfully authenticated you.

However, such stateless authentication also has drawbacks: revoking a user's access can be more difficult since a token, once issued, cannot be taken away.
Thus, the server either has to keep revocation lists (in which case a session-like functionality must be implemented), or keep token expiration times short (requiring more frequent reauthentication or a token refresh scheme), or change the server's key (which invalidates all tokens for all users). For this assignment, you do not need to implement revocation.

We recommend you read the Introduction to JSON Web Tokens tutorial by Auth0.

2.3 Supporting HTML5 Fallback

Modern web applications exploit the History API, which is a feature by which JavaScript code in the client can change the URL that's displayed in the address bar, making it appear to the user that they have navigated to a new URL when in fact all changes to the page were driven by JavaScript code that was originally loaded. This is also known as client-side routing; see React Router for how this is accomplished in the popular React.js framework.

When a URL that was modified in this way is bookmarked and later retrieved, or if the user refreshes the page while the modified URL is displayed, a request with this URL will be sent to the server, but it does not correspond to an existing server resource. In this case, the server should be programmed to return a fallback resource rather than 404. When your server is run with the -a flag it should return this fallback resource, specifically the file index.html in its root directory. (As a sidenote, this ability is provided by the nginx server using the try_files directive.)

2.4 Streaming MP4

To support MP4 streaming, your server should advertise that it can handle Range requests to transfer only part (a byte range) of a file. You should send an appropriate Accept-Ranges header and your server should interpret Range headers sent by a client. To support a basic streaming server, it is sufficient to support only single-range requests such as Range: bytes=203232- or Range: bytes=500-700. Be sure to return an appropriate Content-Range header. Note that browsers will typically sever a connection (and create a new one) if the user forwards or rewinds to a different point in the stream.

To learn about which videos are available for streaming, your server should support an entry point /api/video. GET requests to this entry point should return a JSON object that is a list of videos that can be served, in the following format:

    [
      {"size": 1659601458, "name": "LectureVirtualMemory.mp4"},
      {"size": 961734828, "name": "Boggle.mp4"},
      {"size": 1312962263, "name": "OptimizingLocking.mp4"},
      {"size": 423958714, "name": "DemoFork.mp4"}
    ]

Use the opendir(3) and readdir(3) calls to list all files in the server's root directory, selecting those that carry the suffix .mp4. Use the stat(2) system call to find the size of each file.

2.5 Multiple Client Support

For all of the above services, your implementation should support multiple clients simultaneously. This means that it must be able to accept new clients and process HTTP requests even while HTTP transactions with already accepted clients are still in progress.

You must use a single-process approach, either using multiple threads, or using an event-based approach [footnote 1]. If using a thread-based approach, it is up to you whether you spawn new threads for every client, or use a thread pool. You may modify or reuse parts of your thread pool implementation from project 2, if this is useful [footnote 2].

Footnote 1: For the purposes of this project, a multi-process approach is not acceptable.

Footnote 2: Please note, however, that the fork-join thread pool was implemented with a different goal in mind and that some aspects here do not apply to this project, notably the fork-join aspect. We recommend trying a thread-based approach first.

To test that your implementation supports multiple clients correctly, we will connect to your server, then delay the sending of the HTTP request. While your server has accepted one client and is waiting for the first HTTP request by that client, it must be ready to accept and serve additional clients. Your server may impose a reasonable limit on the number of clients it simultaneously serves in this way.

2.6 Robustness

Network servers are designed for long running use. As such, they must be programmed in a manner that is robust, even when individual clients send ill-formed requests, crash, delay responses, or violate the HTTP protocol specification in other ways. No error incurred while handling one client's request should impede your server's ability to accept and handle future clients.

This semester we will be using the american fuzzy lop (AFL) fuzzer to test your server software. Instructions for how to do this will be separately provided.

2.7 Performance and Scalability

We will benchmark your service to figure out the maximum number of clients and rate of requests it can support. Note that for your server to be benchmarked, it must obtain a full score in the robustness category first. We will publish a script to benchmark your server. A scoreboard will be posted to compare your results with the rest of the class.

2.8 Protocol Independence

The Internet has been undergoing a transition from IPv4 to IPv6 over the last 2 decades. To see a current data point, Google publishes current statistics on the number of users that use IPv6 to access Google's services. This transition is spurred by the exhaustion of the IPv4 address space as well as by political mandates.

Since IPv4 addresses can be used to communicate only between IPv4-enabled applications, and since IPv6 addresses can be used to communicate only between IPv6-enabled applications, applications need to be designed to support both protocols and addresses, using whichever is appropriate for a particular connection. For a TCP/UDP server, this requires accepting connections both via IPv6 as well as via IPv4, depending on which versions are enabled on a particular system. For a TCP/UDP client, this requires identifying the addresses at which a particular server can be reached, and trying them in order. Typically, if a server is reachable via both IPv4 and IPv6, the IPv6 address is tried first, then a fallback onto the IPv4 address is performed.

Ensuring protocol independence requires avoiding any dependence on a specific protocol in your code. Fortunately, the socket API was designed to support multiple protocols from the beginning as its designers foresaw that protocols and addressing mechanisms would evolve. For instance, the bind() and connect() calls refer to the addresses passed using the type struct sockaddr * which is an opaque type that could refer to either an IPv4 or IPv6 address.

To implement protocol independence, you need to avoid any dependence on a particular address family.
Accordingly, you should use the getaddrinfo(3) or getnameinfo(3) functions to translate from symbolic names to addresses and vice versa and you should avoid the outdated functions gethostbyname(3), getaddrbyname(3), or inet_ntoa(3) or inet_ntop(3).

A tutorial on how to write protocol independent network code is given in this resource and in the code for the textbook's 3rd edition. However, both tutorials are fully correct and will require minor adaptations.

Ensuring that your server can accept both IPv4 and IPv6 clients can be implemented using two separate sockets, one bound to either family. Two separate threads can then be devoted to these sockets to accept clients that connect using either of the two protocol families.

However, the Linux kernel provides a convenience feature that provides a simpler facility for accepting both IPv6 and IPv4 clients. This so-called dual-bind feature allows a socket bound to an IPv6 socket to accept IPv4 clients. Linux activates this feature if /proc/sys/net/ipv6/bindv6only contains 0. You may assume in your code that dual-bind is turned on [footnote 3].

Footnote 3: I should point out, however, that this will make your code Linux-specific; truly portable socket code will need to resort to handling accepts on multiple sockets.

Our starter code uses protocol independent functions, but it is tested with IPv4 only. Augmenting it to implement protocol independence is part of your assignment.

2.9 Choice of Port Numbers

Port numbers are shared among all processes on a machine. To reduce the potential for conflicts, use a port number that is 10,000 + last four digits of the student id of a team member.

If a port number is already in use, bind() will fail with EADDRINUSE. If you weren't using that port number before, someone else might have. Choose a different port number in that case. Otherwise, it may be that the port number is still in use because of your testing. Check that you have killed all processes you may have started while testing. Even after you have killed your processes, binding to a port number may fail for an additional 2 min period if that port number recently accepted clients. This timeout is built into the TCP protocol to avoid mistaking delayed packets sent on old connections for packets that belong to new connections using the same port number. To prevent that, you may use setsockopt() with the SO_REUSEADDR flag to allow address reuse.

3 Strategy

Make sure you understand the roles of DNS host names, IP addresses, and port numbers in the context of TCP communication. Study the roles of the necessary socket API calls.

Since you may be using a multi-threaded design, use thread-safe versions of all functions.

Familiarize yourselves with the commands wget(1) and curl(1) and the specific flags that show you headers and protocol versions. These programs can be extremely helpful in debugging web servers.

Refresh your knowledge of strace(1), which is an essential tool to debug your server's interactions with the outside world. Use -s 1024 to avoid cutting off the contents of reads and writes (or recv and send). Don't forget -f to allow strace to follow spawned threads. A trick to easily verify that your Content-Length computation is correct is to issue the body of each HTTP response in a separate system call.

4 Grading

4.1 Coding Style

Your service must be implemented in the C language. You should follow proper coding conventions with respect to documentation, naming, and scoping. You must check the return values of all system calls and library functions.

Your code should compile under -Wall without warnings; the use of the -Werror flag as part of CFLAGS should have become a habit by now, as is the use of git for revision control.

4.2 Submission

You should submit a .tar.gz file of your project, which must contain a Makefile.
Your project should build with make clean all. This command must build an executable server that must accept the following command line arguments:

    -p port   When given, your web service must start accepting HTTP clients and serving HTTP requests on port port. Multiple connections must be supported.
    -R path   When given, path specifies the root directory of your server.
    -s        Silent mode (for benchmarking). When given, your server should suppress any output to standard output.
    -e sec    Specify the expiration time for the issued JWT in seconds. Your server must enforce this expiration time.
    -a        HTML5 Fallback mode. When given, requests for non-existing resources should be responded to as if the request had been for /index.html.

Please test that make clean removes all executables and object files. Issue make clean before submitting to keep the size of the tar ball small. Please use the submit.py script or web page and submit as p4. Only one group member need submit.

Further submission instructions are posted on the course website.

This project will count for 120 points.

Good Luck!

References

[1] Roy Fielding, Jim Gettys, Jeff Mogul, H. Frystyk, L. Masinter, P. Leach, and Tim Berners-Lee. RFC 2616: Hypertext transfer protocol HTTP/1.1. https://www.w3.org/Protocols/rfc2616/rfc2616.html.

[2] M. Jones, J. Bradley, and N. Sakimura. JSON Web Token (JWT), 2015. RFC 7519.
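
The path check from section 2.1, as an added example that is not part of the handout or its starter code. The names map_request_path and percent_decode and the root /srv/www are assumptions, and the block goes one step beyond the handout by decoding %XX escapes before looking for two adjacent periods, so an encoded form of the same path is refused as well.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes from src into dst. Returns -1 on a malformed escape,
 * an encoded NUL byte, or when dst is too small; 0 otherwise. */
static int percent_decode(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0 || (c = hi * 16 + lo) == 0)
                return -1;
            src += 2;
        }
        if (n + 1 >= dstlen) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* Map a request path onto the server root (hypothetical helper name).
 * Returns 0 and fills out on success, -1 if the request must be refused. */
int map_request_path(const char *root, const char *url_path, char *out, size_t outlen)
{
    char decoded[1024];
    if (url_path[0] != '/' || percent_decode(url_path, decoded, sizeof decoded) != 0)
        return -1;
    /* The handout's rule, applied after decoding: no two adjacent periods.
     * This is conservative and also refuses names such as "a..b". */
    if (strstr(decoded, "..") != NULL) return -1;
    int n = snprintf(out, outlen, "%s%s", root, decoded);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[512];  /* /srv/www is a hypothetical root; the request is constructed */
    int rc = map_request_path("/srv/www", "/public/%2e%2e/%2e%2e/etc/passwd", path, sizeof path);
    puts(rc == 0 ? path : "rejected");
    return 0;
}
```

A refused path should be answered with an error status before any open(2) or stat(2) call is made on it.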
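
The single-range handling described in section 2.4, as an added example that is not part of the handout or its starter code. The names parse_range, format_range_headers and the enum are assumptions; the header value is expected without the "Range:" prefix or leading whitespace, and anything other than the two forms the handout names is ignored so the whole file is served.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Status code the response should carry once the Range header is interpreted. */
enum range_result { RANGE_NONE = 200, RANGE_OK = 206, RANGE_BAD = 416 };

/* Interpret a single-range header value, "bytes=START-" or "bytes=START-END",
 * against a file of `size` bytes. hdr is NULL when no Range header was sent.
 * On RANGE_OK, *first and *last are the inclusive byte positions to send. */
enum range_result parse_range(const char *hdr, long long size, long long *first, long long *last)
{
    char *end;
    if (hdr == NULL || strncmp(hdr, "bytes=", 6) != 0)
        return RANGE_NONE;              /* no header or unknown unit: send it all */
    const char *p = hdr + 6;
    if (*p < '0' || *p > '9') return RANGE_NONE;  /* keeps strtoll from taking "-5" */
    errno = 0;
    long long start = strtoll(p, &end, 10);
    if (errno == ERANGE || *end != '-')
        return RANGE_NONE;
    long long stop = size - 1;          /* "START-": through the last byte */
    p = end + 1;
    if (*p != '\0') {
        if (*p < '0' || *p > '9') return RANGE_NONE;
        errno = 0;
        stop = strtoll(p, &end, 10);
        if (errno == ERANGE || *end != '\0' || stop < start)
            return RANGE_NONE;          /* overflow, multi-range or END < START */
        if (stop > size - 1) stop = size - 1;     /* never read past end of file */
    }
    if (start >= size) return RANGE_BAD;          /* nothing satisfiable: 416 */
    *first = start;
    *last = stop;
    return RANGE_OK;
}

/* Headers for a 206 response; Content-Length is the number of bytes in the range. */
int format_range_headers(char *buf, size_t len, long long first, long long last, long long size)
{
    return snprintf(buf, len, "Content-Range: bytes %lld-%lld/%lld\r\nContent-Length: %lld\r\n",
                    first, last, size, last - first + 1);
}

int main(void)
{
    long long a, b;
    char h[128];
    if (parse_range("bytes=500-700", 1000, &a, &b) == RANGE_OK &&  /* constructed request */
        format_range_headers(h, sizeof h, a, b, 1000) > 0)
        fputs(h, stdout);
    return 0;
}
```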
