jchampio / apache-websocket
This project forked from disconnect/apache-websocket
WebSocket plugin module for the Apache HTTP Server
License: Apache License 2.0
mod_websocket_protocol_set() takes a const char* as an argument. This implies that it is legal for plugins to provide any string as a subprotocol, when in fact they must choose a subprotocol from the list provided by the client (or use none at all). The API should change to accept a numerical index (pointing to a subprotocol in the connection's protocols array) rather than any arbitrary string.
Plugins should be able to write to the server log through the WebSocketServer * without having to write through a magic request_rec *.
Certain applications may benefit from the ability to stream WebSocket frames, both incoming and outgoing. The current API allows only message-level communication.
RFC 6455 allows endpoints to send application data in pings. If we don't let the plugin read the application data received in the pong, this feature is somewhat useless.
t.w.c.Agent now completely ignores 1xx responses. See twisted/twisted#583.
The test suite currently hardcodes ws://127.0.0.1 as its root for constructing test URLs. It should be possible for developers to point the test suite at any arbitrary scheme/hostname/port, both as a general usability improvement and to assist in the testing of TLS-enabled installations (wss://).
If a plugin doesn't manually set a subprotocol in its on_connect callback, mod_websocket will just choose the first one provided by the client. This means that unsuspecting plugins may be "agreeing" to speak a subprotocol that they know nothing about. This behavior should be removed.
The tests are written in Python 2/Twisted 16.5. They need an update, and a possible port to Python 3's native async support, since modern versions of Twisted no longer support our t.w.c.Agent use case.
Autobahn|TestSuite might hinder movement here; the documentation as of now still claims that only Python 2 is supported.
It should be possible for clients to create a module that can pass the Autobahn test suite.
This issue should gate any "1.0" release.
The architecture is currently a hub/spoke plugin model, but other server modules should be able to implement their own handlers using the same API.
Use mod_grpcbackend as the driving use case. #32 is one implementation, using an OPTIONAL_HOOK; is there another hook option that makes clients' lives easier?
Open up a connection (i.e. through the sample echo page) and watch top. Not sure when this was introduced; I don't remember seeing it in the 2.4.10-ish timeframe.
Plugins currently cannot read or write the status code or reason string for close frames. Incoming close frames are completely hidden by the module, and server->close() does not take any code or reason string in its parameter list.
httpd 2.4.17 added experimental hooks for automatically handling Upgrade requests (for HTTP/2), which might greatly simplify the module handshake code. Even if it doesn't work out, getting feedback upstream to the mod_http2 devs would be appreciated.
With upstream changes to autobahntestsuite, it appears that the current requirements.txt no longer works correctly -- several pip modules are either missing or incorrect. See also crossbario/autobahn-testsuite#55.
mod_reqtimeout (predictably) causes WebSocket connections to close before we want them to. Perhaps there is a way to tell mod_reqtimeout not to worry about a certain connection?
If a plugin sends an empty (zero-length) message, the return code of 0 ("zero bytes written") is indistinguishable from failure.
mod_websocket is too lax in its parsing of the initial client handshake (i.e. it doesn't correctly implement Sec. 4.2.1 of the RFC). Some examples:
Sec-WebSocket-Version values such as 13abc, +13, and 08 are allowed
HEAD requests are upgraded
Origin header isn't checked at all
Sec-WebSocket-Key
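As an added illustration (not code from the apache-websocket project), a strict opening-handshake gate in C that rejects the malformed Sec-WebSocket-Version values listed above, refuses non-GET methods, and requires Origin to match a configured allowlist. The function names and the "missing Origin is rejected" policy are my own assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Strict Sec-WebSocket-Version check: the header must be exactly the
 * decimal string "13" (RFC 6455 sec. 4.2.1). "13abc", "+13" and "08"
 * all fail because only the literal digits are compared, not a parsed int. */
int ws_version_ok(const char *v)
{
    return v != NULL && strcmp(v, "13") == 0;
}

/* Only GET requests may be upgraded; HEAD (and everything else) is refused. */
int ws_method_ok(const char *method)
{
    return method != NULL && strcmp(method, "GET") == 0;
}

/* ASCII case-insensitive equality (scheme and host in Origin are
 * case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Origin must be present and match one entry of the configured allowlist.
 * Policy assumed here: a missing Origin header is rejected rather than
 * silently accepted, since the module cannot tell a non-browser client
 * from a hostile one. */
int ws_origin_ok(const char *origin, const char *const *allowed, size_t n)
{
    size_t i;
    if (origin == NULL)
        return 0;
    for (i = 0; i < n; i++)
        if (ieq(origin, allowed[i]))
            return 1;
    return 0;
}

/* Combined gate for the opening handshake; any failure means "do not upgrade". */
int ws_handshake_ok(const char *method, const char *version,
                    const char *origin, const char *const *allowed, size_t n)
{
    return ws_method_ok(method) && ws_version_ok(version) &&
           ws_origin_ok(origin, allowed, n);
}
```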
Per this conversation with Tobias Oberstein: WebSocket plugin developers and server admins should have a switch which allows reserved+undefined opcodes in the range 1000-2999. This would allow developers to research new official extensions to the protocol.
This switch should default to "off", since most end users of the module will not be doing official development work on RFCs. Additionally, reserved opcodes that are defined as "MUST NOT be set as a status code" should continue to be rejected even if this mode is turned on.
Incoming frames are concatenated into a single contiguous block of memory, which is realloc'd once for every single frame. This craters performance for extremely fragmented messages (see for example Autobahn|TestSuite case 9.3.1).
Look into minimizing the number of reallocations that must be done (maybe keep a linked list of frames and concatenate once at the end?).
Autobahn flags a few issues in the way we handle close frames:
It's really old.
The MaxMessageSize directive only rejects frames that are longer than the payload_limit. If an adversary sends a huge number of frames that are smaller than the MaxMessageSize, the module will happily try to buffer all of them.
Side note: why is MaxMessageSize not named WebSocketMaxMessageSize?
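The per-frame realloc issue above and this MaxMessageSize issue share one fix, shown here as an added example in C (my own code, not the module's): fragments are kept in a linked list and flattened once at the end, and the size cap is enforced on the cumulative message size, so a flood of small frames is rejected just like one oversized frame. The type and function names and the hypothetical WebSocketMaxMessageSize field are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* One received fragment; the payload is copied into the node. */
typedef struct ws_frag {
    struct ws_frag *next;
    size_t len;
    unsigned char data[];           /* C99 flexible array member */
} ws_frag;
/* A message being reassembled, with the cap applied to the whole message. */
typedef struct {
    ws_frag *head, *tail;
    size_t total;                   /* bytes buffered across all fragments */
    size_t limit;                   /* hypothetical WebSocketMaxMessageSize */
} ws_msg;

/* Queue one fragment. Returns 0 on success and -1 when the cumulative size
 * would exceed the limit (a flood of small frames fails exactly like one
 * oversized frame) or on allocation failure. Subtraction avoids overflow. */
int ws_msg_append(ws_msg *m, const unsigned char *p, size_t len)
{
    ws_frag *f;
    if (len > m->limit - m->total)
        return -1;
    if ((f = malloc(sizeof *f + len)) == NULL)
        return -1;
    f->next = NULL;
    f->len = len;
    memcpy(f->data, p, len);
    if (m->tail) m->tail->next = f; else m->head = f;
    m->tail = f;
    m->total += len;
    return 0;
}

/* Flatten with one allocation and one copy pass (no realloc per frame),
 * releasing the fragment list as it goes; the caller frees the result. */
unsigned char *ws_msg_take(ws_msg *m, size_t *out_len)
{
    unsigned char *buf = malloc(m->total + 1), *w = buf;  /* +1: never malloc(0) */
    ws_frag *f, *n;
    if (buf == NULL) return NULL;
    for (f = m->head; f != NULL; f = n) {
        n = f->next; memcpy(w, f->data, f->len); w += f->len; free(f);
    }
    *out_len = m->total;
    m->head = m->tail = NULL; m->total = 0;   /* ready for the next message */
    return buf;
}
```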
A test that fails to conform to expectations usually results in a hang (since the test will end up waiting for an event that never actually occurs). This is annoying when debugging issues.
The test suite framework should be modified to understand the concept of a timeout.
The MaxMessageSize directive should be renamed to match the rest of the module's directives, which all start with the WebSocket... prefix.
The current threading architecture blocks an entire worker thread for the duration of a WebSocket connection. This means that once a certain number of WebSocket connections are established, the server will be completely unable to serve new requests.
We need some way to either change the architecture so that idle workers can be released back to the server, or provide a limit on the number of simultaneous WebSocket connections that can be made to the server, in order to avoid this denial-of-service situation.
This would allow plugins to be configured via the main server configuration file.
Turns out ap_get_conn_socket is Apache 2.4 only. The "2.2 way" is to use ap_get_core_module_config(state->r->connection->conn_config); but it seems like that function isn't exported publicly...
The Origin header (or Sec-WebSocket-Origin, for earlier draft versions) is never checked during the opening handshake, which means the server does not reject unauthorized cross-origin connections.
apr_int64_t is used almost everywhere. Sometimes it's not needed (i.e. the WebSocket protocol version), sometimes an apr_size_t should be there instead (i.e. when calculating buffer sizes), and sometimes we should probably use apr_uint64_t because negative values are unnecessary.
...such as MaxMessageSize. Obviously this will require a version bump.