This file is a mess. It's just my notes.
http://www.html5rocks.com/en/tutorials/websockets/basics/
RFC6455
-
What are websockets
-
Created to standardize the hacks built on http to achieve low-latency communication.
- Why not the hacks? No time to talk about that.
-
Features:
- WebSocket is like a TCP protocol of messages instead of bytes; it is the standardization of Comet techniques.
- "the intent of WebSockets is to provide a relatively simple protocol that can coexist with HTTP and deployed HTTP infrastructure "
- The protocol is intended to be extensible; future versions will likely introduce additional concepts such as multiplexing.
- Full duplex, frame based rather than stream based: the client and server can both send data at any time.
- Distinction between binary and Unicode text frames.
- Done over port 80 or 443, or any port, but stick to 80/443 for best compatibility.
- "Upgraded" from a usual HTTP/1.1 connection.
- ws and wss schemes
- Proxy servers: Sum up http://www.infoq.com/articles/Web-Sockets-Proxy-Servers
-
Supported browsers
-
What does it look like?
-
Request with Upgrade (picture: computer on left, server on right):
GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13

Response:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Sec-WebSocket-Protocol: chat
-
Frames.
- There are control frames: close, ping, pong. The pong frame may be used as a heartbeat.
- There are text and binary "data" frames.
- Client frames are masked, server frames are not. This is to avoid proxies misinterpreting the data. A new mask key is used for each frame.
-
But you don't need to know that: JS libraries: Socket.io, SockJS, AutobahnJS
<script>
var sock = new SockJS('http://mydomain.com/my_prefix');
sock.onopen = function() { console.log('open'); };
sock.onmessage = function(e) { console.log('message', e.data); };
sock.onclose = function() { console.log('close'); };
</script>
-
-
When to use it
Use cases:
- Multiplayer games / interactive experiments
- Presence
- Chat
- Realtime data tickers / charts
- User interactions (lock this resource, it's being edited)
-
But PHP just isn't like that!
- Neither is Heroku or other auto-scaling cloud systems. Hello, Redis? Is it time for PubSub? (I have no idea what I'm doing)
-
-
What is Ratchet
- What is React (ReactPHP)? Event-driven, non-blocking I/O with PHP, like EventMachine (Ruby), Twisted (Python) and Node.js (V8)
- Components
-
How to do something simple
- Tail a log
-
Security
- Susceptible to XSS
- Validate client input as normal (untrusted)
- Treat server responses as dangerous: send data, not code, and parse it with JSON.parse().
- Connections can easily be initiated by non-browsers.
- Auth on a page doesn't mean the WebSocket is authenticated.
- You cannot customize the headers from JS, so use cookies and Authorization: headers sent with the HTTP upgrade request.
- Common pattern is to bake a token system into the protocol: request a token from the server via HTTP, include the token in the first message.
- CORS-style Origin checking is baked in, but that only protects the client. Be careful on the server.
- From RFC 6455: fields starting with "Sec-" cannot be set by an attacker from a web browser using only HTML and JavaScript APIs such as XMLHttpRequest
-
Problems
- Testing
- Deployment
- Long running, not stateless like traditional PHP
- And we are not sysadmins (I can count to potato)
- When code changes the server needs to be restarted
- Solutions:
- Restart the socket server and lose connections (?) via Capistrano or Rocketeer
- Make the WebSocket server a thin state store: php-wsthinstate
-
How to do something useful
- WAMP
- Autobahnjs
- Theory of operation
- Server
- Environment: libevent, raise ulimit, run without xdebug
- Be on port 80, 443 for best compatibility
- Run on subdomain: ws.example.com
- Reverse proxy (HAProxy or Varnish)
- nginx: http://nginx.org/en/docs/http/websocket.html
- version > 1.3.13
- Apache 2.4 mod_proxy_wstunnel: http://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html