- From: Richard's Hotmail <maher_rj@hotmail.com>
- Date: Wed, 29 Oct 2008 17:54:10 +0800
Hi Shannon, Bummer :-( Please don't give up! Sorry if this is a really stupid question (my knowledge of proxy-servers is minimal) but what issues are involved here that have not been solved with a product such as Orbited? http://www.orbited.org/ Look, I've never used it but, if I understand it correctly, it sits behind the proxy-server and traps the Socket traffic and forwards it onto the designated run-o'-the-mill TCP/IP server. Could a similar mechanism(s) not work here? Is it that we're dealing with runtime discovery of public proxy-servers outside any firewalls? Something else? Cheers Richard Maher PS. Much prefer the websocket.read(bytes) and websocket.write(bytes) well done! Please don't forget websocket.peek(bytes). ----- Original Message ----- From: "Shannon" <shannon@arc.net.au> To: "WHAT working group" <whatwg at lists.whatwg.org> Sent: Tuesday, October 14, 2008 7:22 AM Subject: [whatwg] WebSocket and proxies > In the process of testing my WebSocket proposal I discovered the CONNECT > method has a major restriction. Most proxies disable CONNECT to anything > but port 443. > > The following is from "Squid and the Blowfish": > ------------------ > It is very important that you stop CONNECT type requests to non-SSL > ports. The CONNECT method allows data transfer in any direction at any > time, regardless of the transport protocol used. As a consequence, a > malicious user could telnet(1) to a (very) badly configured proxy, enter > something like: > ... snip example ... > and end up connected to the remote server, as if the connection was > originated by the proxy. > ------------------- > > I verified that Squid and all public proxies I tried disable CONNECT by > default to non-SSL ports. It's unlikely many internet hosts will have > 443 available for WebSockets if they also run a webserver. It could be > done with virtual IPs or dedicated hosts but this imposes complex > requirements and costs over alternatives like CGI. > > The availability and capabilities of the OPTIONS and GET protocols also > varied from proxy to proxy. The IETF draft related to TLS > (http://tools.ietf.org/html/draft-ietf-tls-http-upgrade-05) has this to say: > > ------------------- > 3.2 Mandatory Upgrade > > If an unsecured response would be unacceptable, a client MUST send > an OPTIONS request first to complete the switch to TLS/1.0 (if > possible). > > OPTIONS * HTTP/1.1 > Host: example.bank.com > Upgrade: TLS/1.0 > Connection: Upgrade > ------------------- > > So according to this draft spec OPTIONS is the only way to do a > *mandatory* upgrade of our connection. Once again this failed in testing > > ------------------- > => OPTIONS * HTTP/1.1 > => Proxy-Connection: keep-alive > => Connection: Upgrade > => Upgrade: WebSocket/1.0 > => Host: warriorhut.org:8000 > => > <= HTTP/1.0 400 Bad Request > <= Server: squid/3.0.STABLE8 > -------------------- > > Other proxies gave different errors or simply returned nothing. The > problem may be related to the Upgrade and Connection headers rather than > OPTIONS, since I had similar issues using Connection: Upgrade with GET. > > I had the most success using GET without a Connection: Upgrade header. > It seems that the proxy thinks the header is directed at it so it does > not pass it on to the remote host. In many cases it will abort the > connection. Using the Upgrade: header without Connection allows the > Upgrade header through to the actual websocket service. > > It seems to me that whatever we try in many cases the connection will be > silently dropped by the proxy and the reasons will be unclear due to the > lack of error handling. There seems to be a wide variation in proxy > behaviour for uncommon operations. I suppose proxy developers could fix > these issues but whether a significant rollout could be achieved before > HTML5 is released is questionable. > > Given that an asynchronous connection cannot be cached the only reasons > remaining for going through a proxy are anonymity and firewall > traversal. Automatically bypassing the users proxy configuration to > solve the issues above has the potential to break both of these. It > would be a significant breach of trust for a UA to bypass the users > proxy and some networks only allow connections via a proxy (for security > and monitoring). > > It seems that we're stuck between a rock and hard place here. In light > of this I reiterate my earlier suggestion that the time could be better > spent providing guidelines for communication via an asynchronous CGI > interface. This would allow reuse of existing port 80 and 443 web > services which would resolve the cross-domain issues (the CGI can relay > the actual service via a backend connection) and most of the proxy > issues above (since proxy GET and CONNECT are more reliable on these ports). > > Shannon >
Received on Wednesday, 29 October 2008 02:54:10 UTC