41

I'm extremely excited about html5's websockets spec but I have a concern.

These days everyone is operating off of some network, with routers (wired/wireless) that have built in firewalls, windows has a built in firewall too.

With that in mind when the server attempts to connect back to the browser that started the websocket handshake will it fail for the vast majority of users? (most people have no idea how to set up port forwarding on their routers)

Or is my thinking incorrect and it will go through fine?

Travis
  • 7,391
  • 12
  • 43
  • 52
  • Also c https://www.infoq.com/articles/Web-Sockets-Proxy-Servers and https://superuser.com/a/1263106/78897 – Pacerier Oct 27 '17 at 19:07

3 Answers3

27

I'm not an expert (so please check to confirm) but I believe there will be an UPGRADE mechanism where a regular HTTP connection can be made, then upgraded to a WebSocket, so no existing firewall rules interfere unless they are doing aggressive application level packet inspection. Connections are still initiated by the browser.

Maria Ines Parnisari
  • 16,584
  • 9
  • 85
  • 130
Mark Renouf
  • 30,697
  • 19
  • 94
  • 123
  • I believe you're right, the whole protocol is effectively an extension of HTTP so all the traffic goes over port 80 – teepark Dec 28 '09 at 04:32
  • 12
    Any firewall that does statefull packet inspection will drop WebSocket traffic. After the upgrade - it's not HTTP anymore. – Brian Dilley Oct 18 '10 at 21:35
  • 1
    it is actually not HTTP. it is designed to fool firewalls to seem LIKE HTTP. – andrewjsaid Jul 05 '11 at 10:50
  • 8
    @Brian Statefull firewalls only verify that a packet correlates to an existing, unclosed, connection. It tracks the state of the connection (opening, open, closing, closed) hence the name. When it detects a packet is part of an already open, authorized connection, it can short circuit all of the other rule checks and let the packet through. What you're thinking of is a layer 7 filter. These are much less common, and much more expensive than normal layer 3 statefull firewalls found by default in most OSs. – joshperry Jul 14 '11 at 22:31
  • 5
    FWIW, I'm currently unable to connect to websocket server from a customer network. The connection attempt hangs indefinitely. So far I found they are using WatchGuard.com. I'm allowed to access HTTP on my websocket host but websocket connection hangs. WG site lists bug: "Connections with WebSocket protocol (RFC6455) fail through HTTP Proxy and HTTPS Proxy with Content Inspection". Status is "open". – JohnMudd May 11 '17 at 14:32
  • 1
    @BrianDilley, So they drop HTTPS packets too? – Pacerier Oct 23 '17 at 21:17
  • 1
    @JohnMudd, What happens with HTTPS for such firewalls? – Pacerier Oct 23 '17 at 21:19
9

HTML 5 WebSockets don't require port forwarding. Connections continue to be established from the client, but the client and server asymmetry disappears once the connection is established. WebSockets also punch through proxies by using the same CONNECT mechanism that HTTPS uses today.

Marcelo Cantos
  • 181,030
  • 38
  • 327
  • 365
8

Since firewalls typically simply enforce the rules for inbound traffic rejection and outbound traffic routing (usually through the proxy server), there usually are no specific WebSocket traffic-related firewall concerns.

Proxy servers (and to some extent, certain load balancing routers as well) are a different matter though (See Why don't current websocket client implementations support proxies?)

Community
  • 1
  • 1
Peter Lubbers
  • 959
  • 5
  • 8