After finding out that nearly 3% out of 100k requests came from behind a firewall and were thus unable to reach our Node instance on port 4000, we needed to come up with an alternative (fallback) port. However, there are also personal firewalls, and some of them are known to block WebSockets.
Some networks also interrupt WebSocket traffic over port 80 -- we've found several schools (even ones that don't filter Facebook) having trouble with WebSockets. Moving WebSocket traffic to port 443 (with and without SSL) fixed the problem.
An excellent test/diagnostic page for WebSockets network compatibility exists at: http://websocketstest.com/
We also tested a number of firewall software packages:
All tests were done in a virtual machine (Parallels 6) running Windows XP. Only one of the software packages was installed per test, and the virtual machine was rolled back to a clean snapshot after each run. The software was tested with the default settings and the "zomg paranoid panix button" settings.
I've done two tests:
The client JS will initially try to connect to port 4000 and fall back to port 80 or 843 if that doesn't work. I also tested different orders for ports 80 and 843, to make sure both work (or not).
These tests were performed using a non-HTTPS connection. The browser cache was disabled and cookies were cleared between testing runs. I used Chrome and Firefox (3.6). Where possible, I checked in IE as well, but since IE doesn't kill cookies when you tell it to, I mostly tried in browsers that do. This exercise is painful enough as it is...
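The port fallback described above, as an added sketch (not the client code used in these tests). The function names, the host passed in, the 3-second timeout and the injectable `openSocket` factory are assumptions made for the example. A silently dropped connection is treated as a failure, and every blocked port is recorded for diagnostics:

```javascript
// Added example: ordered WebSocket port fallback with per-port diagnostics.
// Assumed names: tryPort, connectWithFallback, openSocket (defaults to the
// browser WebSocket constructor so the same code runs in a page).
function tryPort(host, port, timeoutMs, openSocket) {
  return new Promise((resolve, reject) => {
    const ws = openSocket(`ws://${host}:${port}/`);
    let settled = false;
    // A filtering firewall may drop packets without answering, so "no reply
    // within timeoutMs" has to count as blocked, like an explicit error.
    const timer = setTimeout(() => fail('timeout'), timeoutMs);
    function fail(reason) {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      try { ws.close(); } catch (_) { /* socket never opened */ }
      reject(new Error(reason));
    }
    ws.onopen = () => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve(ws);
    };
    ws.onerror = () => fail('error');
    ws.onclose = () => fail('closed before open');
  });
}

// Tries each port in order; resolves with the first socket that opens plus
// the list of ports that failed and why, or rejects when every port failed.
async function connectWithFallback(host, ports = [4000, 80, 843],
                                   timeoutMs = 3000,
                                   openSocket = (url) => new WebSocket(url)) {
  const failures = [];
  for (const port of ports) {
    try {
      const socket = await tryPort(host, port, timeoutMs, openSocket);
      return { port, socket, failures };
    } catch (err) {
      failures.push({ port, reason: err.message });
    }
  }
  const err = new Error('all ports blocked');
  err.failures = failures;
  throw err;
}
```

Reporting the `failures` list back to the server shows which ports a given network or firewall package blocks, and whether it refuses the connection or drops it silently.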
In alphabetical order:
The only change I made was removing the local network from the friends list. Production sites tend to be outside that range as well.
Note: this research was done using Avast 6.0.1289 or older. Version 6.0.1367 seems to fix at least some of the issues.
Interestingly enough, McAfee notified me of a Trojan that my VM appeared to have and that Windows Defender and Avast never mentioned. Interesting.
Interestingly enough, Comodo cried wolf about the entries in the hosts file that Parallels put there, classing them as a trojan. It also claimed to find a worm in Silverlight that no other package had found.
I assume Comodo's free firewall is the same as the one included in this package, so I didn't test it separately.
The first one to ask questions about the browser opening connections to Node on port 4000. After that it's smooth sailing.
The trial version wouldn't let me enable the firewall... There is some web protection stuff in there, but it doesn't block any connectivity.
Bitdefender has a fair number of options to make the firewall super paranoid. Wonderful, let's switch on ALL the options... =]
I used Privoxy's default settings. Since the user can cook up any rule they want, it would be possible to block the handshake, I think, but I don't consider it very likely.
Last edited by pimguilherme,