{NEW} Connection Test

Need help with SmartFoxServer? You didn't find an answer in our documentation? Please, post your questions here!

Moderators: Lapo, Bax

User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

{NEW} Connection Test

Postby Lapo » 05 Jan 2008, 10:03

Hello!
The most popular issue in the support board is always the "I can't connect from the browser" type problem. The major culprit for this show-stopper is the Flash Player security sandbox which doesn't allow cross-domain connection unless properly configured.

An overview of the problem is found in our documentation, chapter 3.1

Additionally, Adobe has recently introduced new important changes in the security policy with the Flash Player 9 Update 3 (9,0,115,0)

All the details can be found at this url

On our website we have added a connection test example that can be used to check where the problem is when you have troubles connecting to SmartFoxServer.

At this url -> http://www.smartfoxserver.com/labs/connTest/
you can find the connection tester.


The tester SWF is located on our main domain (smartfoxserver.com) while the SmartFoxServer (1.6) is running on another machine.

The test will first attempt a socket connection and then a BlueBox connection.

The cross-domain policy file is NOT served via the socket, it was simply placed in the root folder of the embedded SFS web-server.

We have done various tests using Internet Explorer, FireFox and Safari with the latest Flash Player 9 versions including 9,0,115,0 and the connection was always successful, using both socket and http (BlueBox) connections.
Last edited by Lapo on 05 Jan 2008, 10:14, edited 2 times in total.
Lapo
--
gotoAndPlay()
...addicted to flash games
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 05 Jan 2008, 10:12

From what I understand in the new Adobe security papers, the policy file served via the socket should be loaded from a specific port (843) which doesn't sound very convenient. ( At least I am not very happy with it :) )

However, from our tests so far, it looks like the policy can be served by the webserver as well, without issues.
For the moment we recommend following this path to make sure that all Flash Players, including the very last one, can connect to your SFS instance without flaws.

Finally Adobe says that there's going to be a second phase coming in the next months that will consolidate the security policy changes.

I haven't finished to check all the new Adobe docs, so if there's anyone who wants to add comments or offer further insight it would be great. :)
Lapo

--

gotoAndPlay()

...addicted to flash games
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 05 Jan 2008, 10:18

Here are a few screenshots taken from our various tests.

-> Internet Explorer / Windows XP(sp2) / socket
Image


-> Safari / MacOS X / socket
Image


-> FireFox / MacOS X / bluebox
Image
Lapo

--

gotoAndPlay()

...addicted to flash games
macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 06 Jan 2008, 06:47

Lapo I want to add something, do not know whether it gives any idea.

When i was testing the SFS, one of our clients' IT manager helped us by analyzing where the connection stucked.

He said that there was a connection attempt at port 843 (while our SFS port was 9339) which could not be successful.

Here is the test result that i have made at home.
Image


I will try it at work at several computers.[/img]
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 07 Jan 2008, 08:47

He said that there was a connection attempt at port 843 (while our SFS port was 9339) which could not be successful.

Yes, according to the new rules introduced in the latest Flash Player update, port 843 is now the default for serving a "master policy" file.

However it looks like this step is avoidable if the server sends a policy on each connection, which is what SFS does. The only difference is that now you have to explicitly include the server domain in the list of allowed domains.

Excerpt from the Adobe document:
if a socket port 1024 or higher serves a socket policy file that does not list its own domain, then SWF files from that domain, which previously were permitted to connect without a policy file, will be unable to connect.


The whole doc is found here -> http://www.adobe.com/devnet/flashplayer ... urity.html
Lapo

--

gotoAndPlay()

...addicted to flash games
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 07 Jan 2008, 08:50

We have added a new test, in Actionscript 3, which connects to the same domain. In order to make it work we had to add the server domain to the allowed domains list in the policy file.

(see previous message)

Test page -> http://213.92.118.83/connectionAS3/
Lapo

--

gotoAndPlay()

...addicted to flash games
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 07 Jan 2008, 10:45

Update: the connection via the BlueBox works okay if you use any flash player prior to 9,0,115,0.
If you the latest you'll get an Error #2048, which is the Security Error.

We'll check what's going on with the policy madness :shock:
Lapo

--

gotoAndPlay()

...addicted to flash games
macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 08 Jan 2008, 08:25

Lapo here are my first test results

Code: Select all

--> Flash Player: WIN 9,0,45,0 / Windows XP
--> SFS Client API: 1.5.3
--> Connection successfull!
--> Connected via: socket


Blocked port 9339 from modem

Code: Select all

--> Flash Player: WIN 9,0,45,0 / Windows XP
--> SFS Client API: 1.5.3
--> Connection successfull!
--> Connected via: http



Blocked port 9339 from modem

Code: Select all

--> Flash Player: WIN 9,0,115,0 / Windows XP
--> SFS Client API: 1.5.3
--> Security error: Error #2048: Security sandbox violation: http://213.92.118.83/connectionAS3/connection_AS3.swf cannot load data from 213.92.118.83:9339.


Port 9339 open

Code: Select all

--> Flash Player: WIN 9,0,47,0 / Windows XP
--> SFS Client API: 1.5.3
--> Connection successfull!
--> Connected via: socket


Port 9339 Open

Code: Select all

--> Policy file invoked
--> Flash Player: WIN 9,0,115,0 / Windows XP
--> SFS Client API: 1.5.3
--> Connection successfull!
--> Connected via: socket


Port 9339 Open

Code: Select all

--> Policy file invoked
--> Flash Player: MAC 9,0,115,0 / Mac OS 10.5.1
--> SFS Client API: 1.5.3
--> Connection successfull!
--> Connected via: socket


Looking forward for the solution for 9.0.115.0
Last edited by macrotools on 08 Jan 2008, 10:02, edited 3 times in total.
Olthrion
Posts: 15
Joined: 04 Jan 2008, 14:54
Location: Sweden
Contact:

Postby Olthrion » 08 Jan 2008, 09:03

--> Flash Player: WIN 9,0,115,0 / Windows XP
--> SFS Client API: 1.5.3
--> Connection successfull!
--> Connected via: socket

Got this one just now, didn't work earlier today but now it seems to be doing the connection successfully every time.
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 08 Jan 2008, 09:43

macrotools
The problem is actually switching to another connection once the socket has failed. While this is possible with ANY player < 9,0,115,0 it is not with the latest update.

The problem is the following:

1 -> Try a socket connection to any port (let's say 9339)
2 -> Connection fails. Let's try an http connection (same domain) --> FAIL
3 -> Even a stupid getURL() will fail !!! :)

We tried adding a manual Security.loadPolicy(....) call to load the default crossdomain.xml file at the root of the Http server. NO LUCK :(

By analyzing the traffic I see that the player attempts a call to port 843, so I guess that if the policy is served from there it should work.

However if this is the only option (socket connection to port 843) I hope that Adobe will be flooded with complaints and take appropriate action to fix this absurd set of rules.

It's absolutely evident that there are hundreds of situations in which a socket connection is not possible (firewalls / proxies) ... so ... is the most popular browser plugin going to fail under all these circumstances ??

As a first countermeasure to this mess we'll provide a standalone policy-server that you can run side-by-side with SFS or even alone, so it can be helpful in other cases as well.

I am also going to post our findings on the Adobe forums and see if someone can shed some light on this problem
Lapo

--

gotoAndPlay()

...addicted to flash games
macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 08 Jan 2008, 10:40

Hi Lapo,

Thanks for your all effort. I understand the Adobe thing. There is nothing to do for 115(my unlucky number from now on) at this point.

I want to mention that my main problem is that people using firewall or proxies cannot connect to port 9339 (mainly to any port other than 80 or 8080). So I try to send this people to Bluebox.

Could you send me all configurations and source codes of the latest test file? (config.xml of SFS, policy file, connection AS etc). By the way I use AS 3.0.

Because I still cannot connect to BlueBox (having that sandbox error, port 9339 is blocked) from the browser. I want to connect to it at least from the players prior to 115. (I can connect when 9339 is not blocked even with 9.0.115)

I put the exact copy of your crossdomain.xml of your latest test.
Put Security.loadPolicyFile("http://XXX.XX.X.X/crossdomain.xml"); (the IP is my SFS servers IP, also tried with the domain)

Put Security.loadPolicyFile("xmlsocket://XXX.XX.X.X:9339")

Checked that BlueBox is ok (view it standalone).

added <PolicyAllowedDomains> to config.xml

I think I do something wrong, so the best way is analyzing your latest settings.

Thanks again.

IMPORTANT EDIT

If I view my test SWF by using IP (e.g : http://XXX.XX.X.X/bluebox, the IP is same for SFS and webserver) BlueBox works fine (not with 115). But If I view by using the domain (e.g : http://xxxxxx.com/bluebox) I have the security error.
If I use mydomain when connecting to SFS there is no problem.
User avatar
mariana
Posts: 77
Joined: 26 Mar 2007, 11:15
Location: Buenos Aires, Argentina

Postby mariana » 08 Jan 2008, 15:45

Lapo:

The web server (Apache, not the default webserver) and the SFS (1.5.3) server are on the same domain (xx.xxx.xx.xx). I'm using two machines, a PC and a Mac and I'm having trouble accessing SFS from the Mac ever since I downloaded the last Flash Player (I already explained all this in another post). So I was waiting for your instructions, and today I did the following:

1. placed a crossdomain.xml file in the Apache root directory (the same directory where my .swf files reside, right?). The contents of this file are:

Code: Select all

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>

   <allow-access-from domain="*" />

</cross-domain-policy>

2. placed a statement in the .swf file, before the connect statement, as follows:

Code: Select all

System.security.loadPolicyFile("xmlsocket://xx.xxx.xx.xx:9339")

but STILL I cannot connect from inside a browser, although I can connect when I use the .swf file by itself (by doubleClicking on it).

When I run your connection test, by clickig on
http://www.smartfoxserver.com/labs/connTest/
all is OK, I get connected to your server ---which I never doubted I would be, I imagine you guys know how to configure SFS--- my problem is how to configure my own server...

WHAT am I doing wrong???

Thanks,

Mariana
User avatar
Lapo
Site Admin
Posts: 23009
Joined: 21 Mar 2005, 09:50
Location: Italy

Postby Lapo » 08 Jan 2008, 17:22

macrotools: Check this AS3 connection example -> http://213.92.118.83/connectionAS3/

Does it work for you?

We'll finish our tests in the next days and post our final findings, patches or whatever else is needed.
Lapo

--

gotoAndPlay()

...addicted to flash games
macrotools
Posts: 24
Joined: 16 Nov 2007, 16:18

Postby macrotools » 09 Jan 2008, 07:33

Lapo wrote:macrotools: Check this AS3 connection example -> http://213.92.118.83/connectionAS3/

Does it work for you?

We'll finish our tests in the next days and post our final findings, patches or whatever else is needed.


9339 blocked

Code: Select all

--> Flash Player: WIN 9,0,115,0 / Windows XP
--> SFS Client API: 1.5.4
--> Connection successfull!
--> Connected via: http


9339 open

Code: Select all

--> Flash Player: WIN 9,0,115,0 / Windows XP
--> SFS Client API: 1.5.4
--> Connection successfull!
--> Connected via: socket


I also managed to get my server connected if I use IP in the browser.
But If I use the domain name I still get the error (in my own server).

IMPORTANT EDIT

If I view my test SWF by using IP (e.g : http://XXX.XX.X.X/bluebox, the IP is same for SFS and webserver) BlueBox works fine (not with 115). But If I view by using the domain (e.g : http://xxxxxx.com/bluebox) I have the security error.
If I use mydomain when connecting to SFS there is no problem.


May be I do something wrong and your test will work on my server too (when using domain).
User avatar
mariana
Posts: 77
Joined: 26 Mar 2007, 11:15
Location: Buenos Aires, Argentina

Postby mariana » 13 Jan 2008, 12:11

As you know, I'm waiting for an answer to the Flash 9 connection problem since the beginning of Dec. I'm getting to the point where I need a solution, as my game is starting to be tested by friends.

On Jan 7 Lapo said:
Yes, according to the new rules introduced in the latest Flash Player update, port 843 is now the default for serving a "master policy" file.

However it looks like this step is avoidable if the server sends a policy on each connection, which is what SFS does. The only difference is that now you have to explicitly include the server domain in the list of allowed domains.

so, not knowing what else to do, I tried "moving" everything to port 843; I did this by replacing "9339" everywhere (in my fla file, in the SFS configuration file, in the admin tool).

However, I am now worse off than I was before: I cannot even run my game from my server! I am not a security expert, and am counting on my future service provider to do this for me once I'm running; however, now, during the testing phase, I need help connecting to SFS. Up to now I NEVER had a problem connecting from any machine/browser combination (and I've been working on my game and SFS since March07).

PLEASE, PLEASE, Lapo, can you post a step-by-step set of instructions on how to set up the whole thing, including (but perhaps not limited to):
    -changes required to the firewall (especially the standard Windows one)
    -configuring the web server(for those who use, say, Apache)
    -configuring the SFS server
    -writing (and placing) the crossdomain file
    -what to include in the .fla file
    -any others I don't even know about....

And again, I know how busy you guys are, but this is going to get more & more serious as more people out there migrate to Flash 9. I don't think waiting for Adobe's security team to soften up is a good policy.....

Thanks,
Mariana

Return to “SmartFoxServer 1.x Discussions and Help”

Who is online

Users browsing this forum: No registered users and 38 guests