I need to test a functionality internal to my company's server whose benefit is evident only when clients run slow (as of latency and packet loss). To that extent, I need to simulate clients on a slow and/or lossy connection (TCP/HTTP). I'm using a Mac, Mountain Lion, and ideally I'd need to run both server and client locally.
One approach I tried to pursue -- unsuccessfully -- was to get hold of some java APIs that allow me to build clients with slow connections. I know JMeter has got something called SlowSockets (or something similar), but I was looking for APIs more focused on slow-performing clients. Any ideas of useful APIs?
Another approach I tried consisted in using a proxy to act as a middleman between client and server. In that case, the proxy should provide functionalities for simulating slow links. I've tried Charles proxy (Mac) and Apache TCPMon, however I seem to miss something when I try to get them at work. With TCPMon, for instance, when I start it in 'Proxy' mode (which is the mode that offers the 'simulate slow link' functionality) I define port for the local proxy, but I can't see how to define the remote host and port. Something similar happens with Charles Proxy; I can set the local port in the Proxy settings, but I can't understand how to define the remote end of the proxy (in fact connections fail saying the remote server is not responding). Anyone having ideas what I'm doing wrong?
One further approach I have tried to pursue is by using lower-level (e.g. OS-based) means; in this case, I tried Apple's Network Link Conditioner. I switched it on and defined my slowness parameters, but when I ping I don't seem to see the expected RTT etc. I've got a feeling NLC has a tight relationship with XCode and iOS testing, anyone capable of putting it at work for testing other (e.g. Java) applications? I've also tried ipfw on Mac, however the manual says ipfw is now deprecated and I don't want to dedicate time to get to know a tool that won't be available soon.
Any idea/help will be highly appreciated.
Thanks in advance.
Related
For the past few weeks, I have been scouring the internet, the minds of computer programmers, and just a few random people over the situation I am looking to overcome. Basically, what I am trying to do it write a AntiJoinBot "plugin" (if you will) for the popular game Minecraft. This would be like all others in respect that it blocks IPs based on if they are using a proxy or not, but this AntiJoinBot is running on a different VPS than the actual server.
This is the best graph I can make of the situation (it's not that good):
(non-minecraft server) Connection -> Proxy check -> Redirect to the
server -> Minecraft
The only problem is, I need to be able to redirect the IP and close the connection so that the player's real IP is the one that would connect to the server. If the connection is not able to be closed, it would cause real problems due to some of the plugins we are running.
If you have a solution or a better way to do this, please help me.
Redirection of connections along the lines that you want requires support from the (application) protocol. TCP/IP does not support it. AFAIK, SOCKS does not support it either. Unless the Minecraft application protocol (and by implication, Minecraft clients and servers) include support for redirection, you are out of luck.
(FWIW - that's how HTTP redirection works. HTTP has a "protocol element" that allows the server to tell the client to redirect, and where to redirect to. The client then resends the original request to a new address.)
But that doesn't mean that you can't deal with the pests. It just means that the redirection approach is not viable. Try a custom proxy or an IP filter / redirector instead.
You are trying to save the server's resources on the cost of increase Traffic.
I am not sure with the answer but may be by looking into the concept of LBS(Load Balancing Server) you may find the answer.
LBS is purely defined and controlled by us so you can manage the resources of two servers using one load balancing server.
I created a game and I want to put it on online. I want to buy a website (I'll probably use goddaddy to buy a domain name and use them as the web host) to use as the server to handle game play. Because I would need a separate server for each game, I would need each game's server to exists on different ports. So this leads to my question, is is possible to access these ports on my future web server? (I wrote the program in Java, so I would assume that I would access the ports from the server side by choosing a port for a ServerSocket, and from the client side by using the IP address from the website and the chosen port for a Socket)
(note: also, I am aware that it may be easier to simply use one port and run the servers on different threads instead, but I am just curious to have my question answered)
thanks a lot,
Ian
Technically it is possible to use different ports, but I don't think that a webhoster like goddaddy will let you run a java process that binds to a special port.
If you mean that you are going to create your own TCP server you obviously can create as many instances of your server and configure them to listen to different ports. But it is year 2011 now. This solution was OK in early 90s.
I'd suggest you to use Restful API that works over HTTP. In this case you can forward calls to server side of each application using URL, e.g.
http://www.lan.com/foo/login?user=u123&password=123456 - log in into application foo
http://www.lan.com/bar/login?user=u123&password=123456 - log in into application bar
In this case you need only one server (the web server) that is listening to socket (port 80).
Your server side implementation could be done using various web techonlogis (php, java, asp.net etc) on your choice.
Yes, that should work. The security manager permits connections to a different port on the same IP address that the applet was loaded from.
You can run a Java server on whatever port you want. Each server will accept incoming requests on one port.
The correct way is simply run on one port and each connection will instantiate a new servlet instance (which happens to run in its own thread) that can then service that request. You usually don't need to run separate ports or worry about concurrency, especially if all the stuff that's shared between connections (e.g. multiple players in one game) is handled through database read/writes.
Your host (GoDaddy) will have to allow you use of those ports, but if they are providing proper hosting (not virtual hosting) and given you your own IP there's no reason why you shouldn't be able to.
Your solution may work theoritically, and I like AlexR's solution. But providers like godaddy doesnt let you run a java server, on ANY port. You will need to find out somebody who does. What I found is the cost goes up from $5/mo to about $20/mo, but you get a much better (read faster) machine. Good wishes, - MS.
I have simple server-client application that uses JDBC to connect to database and things works ok. Application does few simple things with JDBC connection (get data, insert new line and few others).
Now, I would like to keep the same application but use it outside of firewall - so, I would put something else on some host:port (and open that port to outside world) - instead of JDBC opening database access directly.
I guess that this problem is faced many many times and sure there are a lot approches.
One way can be doing servlet on one side, accessing it on client side.
I guess, I haven't touched Spring yet, maybe another would be to do POJO Java Class and using Spring configure it as http service.
I have heard also "rumors" that Jetty has something that can help in this case (to minimaze coding on server and client side)
I would prefer something that:
- is not complicate (easy learning path)
- reuse something that is already done.
What approach would you recommend ?
Thank you and regards,
Igor
The normal approach would be to implement a web service, which can be pretty easy these days with Axis etc.
You really don't want to open direct JDBC to clients outside a firewall by tunnelling over HTTP... the server should strictly control what kind of interaction takes place with the database.
I would recommend using something like SSH tunnels to carry your JDBC connections through the firewall. Set up a tunnel on the DMZ machine on whatever publicly open port your can, and connect the other end of the tunnel to the appropriate port on the DB server.
Then just change your JDBC connection settings to connect to the tunnel machine's public port and it will transparently end up communicating with the database as usual, while passing through the firewall via the accepted port.
If this is an IT policy problem, in that they won't let you directly access the database, then you would need to work out what you are allowed to do and work with that as far as possible. Changing JDBC to another access method is unlikely to be acceptable to the IT policy in this case.
Edit: after reading Jon's answer, he may be right. I was assuming that the issue was the connection between your server/webapp, and the database server. If you were talking about the client creating direct JDBC connections to the database, then yes - firewall or no, this is very bad practice. The client should talk to your server to ask for what it wants, and your server should do the DB queries as required to get the information.
I think that would just be an unnecessary complication. Your DBMS (usually) brings access control and transport layer security. If you introduce your own layer, are you sure that you can make it safer than a direct connection to the DB?
I see your rationale, but if there isn't a framework to do this, avoid building your own! For example, PostgreSQL comes with a bunch of nifty options to tie things down. For example, require SSL certificate-based authentication on the transport level (clients must present a cert that the server checks), or IP-based access.
Of course you still have to trust your DBMS implementation to get basic details like access control right (= "uncrackable"), but you still need to rely on this anyway after the black hats have broken into your web-proxy ;)
#dtsazza: Maybe edit your answer to include the keyword "VPN"? ssh tunnels probably scale badly outside of a private setup.
Volker
I have written a TCP IP socket program which works fine.
But my socket program did not work if my server or client is behind proxy.
So how to overcome from this type of issue.
Thanks
Bapi
Well there's two issues to consider:
Behind a proxy; and
Behind a firewall.
Firewall tends to be easier: you simply use port 80 (HTTP) or 443 (HTTPS). Proxy is harder because direct network communication tends to be disabled from normal PCs.
This is why you often find people using HTTP and/or SSL as their transport mediums because they bypass these kinds of security issues. You can do push content (with long-lived connections aka Comet techniques) so there's typically no real technical reason not to.
But it's hard to say one way or the other if that's a good idea or not without knowing more about your application and any pertinent requirements.
Proxies usually work at the application level, not at the transport level.
Here is some information about Java and proxies.
Depending on the proxy, there may be little that you can do. If the Proxy is designed to block all traffic that it does not directly handle, then you have to either go through the proxy, somehow working with it, or you have to find a way to sneak through the proxy.
For example, many applications are built on top of HTTP precisely because it is commonly allowed through firewalls and is commonly proxy-friendly. Thus, it's a pretty safe way of communicating when you know that you'll be installing the application in environments where proxies may exist.
In your case, it depends on what port(s) your application uses, on whether these ports are commonly handled by a proxy for any existing protocol, on whether or not you're using a standard (commonly known) protocol or have invented your own, and so on.
Is this proxy a transparent proxy? (That is, do web browsers have to be configured to see it, or not?) The kind of proxy it is determines part of how your application needs to work with it. Is the proxy controlled by your organization?
You say you are using port 5018. Just as an experiment, can you try using port 80? Just because you're using port 80 doesn't mean you have to use HTTP. This is worth a try to see if it helps.
We have some applications that sometimes get into a bad state, but only in production (of course!). While taking a heap dump can help to gather state information, it's often easier to use a remote debugger. Setting this up is easy -- one need only add this to his command line:
-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=PORT
There seems to be no available security mechanism, so turning on debugging in production would effectively allow arbitrary code execution (via hotswap).
We have a mix of 1.4.2 and 1.5 Sun JVMs running on Solaris 9 and Linux (Redhat Enterprise 4). How can we enable secure debugging? Any other ways to achieve our goal of production server inspection?
Update: For JDK 1.5+ JVMs, one can specify an interface and port to which the debugger should bind. So, KarlP's suggestion of binding to loopback and just using a SSH tunnel to a local developer box should work given SSH is set up properly on the servers.
However, it seems that JDK1.4x does not allow an interface to be specified for the debug port. So, we can either block access to the debug port somewhere in the network or do some system-specific blocking in the OS itself (IPChains as Jared suggested, etc.)?
Update #2: This is a hack that will let us limit our risk, even on 1.4.2 JVMs:
Command line params:
-Xdebug
-Xrunjdwp:
transport=dt_socket,
server=y,
suspend=n,
address=9001,
onthrow=com.whatever.TurnOnDebuggerException,
launch=nothing
Java Code to turn on debugger:
try {
throw new TurnOnDebuggerException();
} catch (TurnOnDebugger td) {
//Nothing
}
TurnOnDebuggerException can be any exception guaranteed not to be thrown anywhere else.
I tested this on a Windows box to prove that (1) the debugger port does not receive connections initially, and (2) throwing the TurnOnDebugger exception as shown above causes the debugger to come alive. The launch parameter was required (at least on JDK1.4.2), but a garbage value was handled gracefully by the JVM.
We're planning on making a small servlet that, behind appropriate security, can allow us to turn on the debugger. Of course, one can't turn it off afterward, and the debugger still listens promiscuously once its on. But, these are limitations we're willing to accept as debugging of a production system will always result in a restart afterward.
Update #3: I ended up writing three classes: (1) TurnOnDebuggerException, a plain 'ol Java exception, (2) DebuggerPoller, a background thread the checks for the existence of a specified file on the filesystem, and (3) DebuggerMainWrapper, a class that kicks off the polling thread and then reflectively calls the main method of another specified class.
This is how its used:
Replace your "main" class with DebuggerMainWrapper in your start-up scripts
Add two system (-D) params, one specifying the real main class, and the other specifying a file on the filesystem.
Configure the debugger on the command line with the onthrow=com.whatever.TurnOnDebuggerException part added
Add a jar with the three classes mentioned above to the classpath.
Now, when you start up your JVM everything is the same except that a background poller thread is started. Presuming that the file (ours is called TurnOnDebugger) doesn't initially exist, the poller checks for it every N seconds. When the poller first notices it, it throws and immediately catches the TurnOnDebuggerException. Then, the agent is kicked off.
You can't turn it back off, and the machine is not terribly secure when its on. On the upside, I don't think the debugger allows for multiple simultaneous connections, so maintaining a debugging connection is your best defense. We chose the file notification method because it allowed us to piggyback off of our existing Unix authen/author by specifying the trigger file in a directory where only the proper uses have rights. You could easily build a little war file that achieved the same purpose via a socket connection. Of course, since we can't turn off the debugger, we'll only use it to gather data before killing off a sick application. If anyone wants this code, please let me know. However, it will only take you a few minutes to throw it together yourself.
If you use SSH you can allow tunneling and tunnel a port to your local host. No development required, all done using sshd, ssh and/or putty.
The debug socket on your java server can be set up on the local interface 127.0.0.1.
You're absolutely right: the Java Debugging API is inherently insecure. You can, however, limit it to UNIX domain sockets, and write a proxy with SSL/SSH to let you have authenticated and encrypted external connections that are then proxied into the UNIX domain socket. That at least reduces your exposure to someone who can get a process into the server, or someone who can crack your SSL.
Export information/services into JMX and then use RMI+SSL to access it remotely. Your situation is what JMX is designed for (the M stands for Management).
Good question.
I'm not aware of any built-in ability to encrypt connections to the debugging port.
There may be a much better/easier solution, but I would do the following:
Put the production machine behind a firewall that blocks access to the debugging port(s).
Run a proxy process on the host itself that connects to the port, and encrypts the input and output from the socket.
Run a proxy client on the debugging workstation that also encrypts/decrypts the input. Have this connect to the server proxy. Communication between them would be encrypted.
Connect your debugger to the proxy client.