flash policy service daemon

Sorry it took me so long to post this, but WordPress 2.5 doesn’t seem to like me trying to upload gz/zip files, so I had to upload the source manually.

Well, it’s been months since I promised to post some usable socket policy service code, so I will.

The script here is meant to serve as a good starting point for people whose servers need to allow flash clients to make socket connections. I have not actually used this exact code in a production environment, but I have been using code that is 99% identical for a while now. I am confident that any blatant flaws are the result of simple copy-paste errors as I compiled the package. Please let me know if you find any.

I have, however, stress tested the heck out of this service. One instance successfully served up over 16000 policy file requests fed into it as rapidly as I could send them. The same networking code has also handled requests from at least 100 different hosts at roughly the same time.

Everything has been combined into a single CLI PHP script that requires no special installation. Just plop it down on the server and run it as root. It will take care of the rest. The config defaults should be safe, but you probably want to specify them more clearly – just to be safe.

The daemon is made of three classes:

  • Logger – A rudimentary log file management class that I copy from project to project in one form or another. The included version is stripped down from some of the other versions I’ve written, and I’m planning on releasing a more feature-rich version in the future.
  • Daemon – A simple class for daemonizing a process. Adapted and re-adapted countless times from an original php4 class I found on the net a few years ago by some guy named Seth (whose email domain no longer exists).
  • FlashPolicyService – The meat and potatoes, a child of Daemon. Mostly, this is just the requisite networking code and glue to make everything work together.

As with any of my other code, this is licensed under CC Attribution 3.0.

Download:

Source code after the jump.

43 thoughts on “flash policy service daemon”

  1. Thanks,
    I have a PHP Parse error when I run ./FlashPolicyService.php.
    The message is:
    PHP Parse error: parse error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUCTION or T_VAR or ‘}’ in /root/flashpolicyd/FlashPolicyService.php on line 73
    Content-type: text/html
    X-Powered-By: PHP/4.3.9

    Does anybody know how to run this?
    Thanks in advance.

  2. Yeah, this class requires PHP5 to work – I even said so in the requirements.

    PHP 5.0.0 is almost four years old now, there’s really not any good reason to continue running PHP4 on production servers – especially something so old as 4.3.9.

  3. Hi….I know this is a little late to be adding a comment…I have a socket connecting to a Java server and I added the code to send the xml response to the swf….everything works fine in IE7 but not in FF. It just seems to sit there waiting. Any ideas?
    Thanks.

  4. I can’t find a php4 alternative solution to the System Daemon, but a quick rip to some php4 friendly syntax, and I’ve finally managed to establish a socket connection since the security update!! Thank you Ammon, I would love php5, but server admin refuses to update, agh.

  5. lee: Sorry, the php4 version of the daemon that you’d pasted in here didn’t come through cleanly – wordpress chopped it all to pieces 🙁

  6. Hello there! Has anyone tried to run this in a chroot? It is getting rather complicated and I’m not sure what I’m missing… if anyone has, could you please send me some pointers?

    regards,

  7. alejandro: There are two ways of handling chroot.

    1) The easy way, write the program to chroot() once it’s finished launching. Unfortunately, my daemon doesn’t handle this yet. It’s on the list of things I’d like to support in a future version.

    2) The complicated way, works with software that doesn’t have native jail support. There is a lot of effort involved in setting up the environment. Personally, I’ve always had bad luck trying to configure jails by hand. I like jailkit, it takes most of the pain for you.

  8. Well, I in fact found a typo: Due to a typo, the posix_setuid() call is useless and the daemon always runs as root *cough*:

    } else if( !posix_setuid($this->uid) ) {

    and $this->uid is unset, defaulting to int 0.

    Simply remove the “this->” part and you are fine, since the local variable $uid holds “nobody”’s uid.

    nobody 42313 0.0 0.3 10732 6556 ?? SsJ 4:36PM 0:00.00 /usr/local/bin/php /usr/local/www/data/flash-policy/FlashPolicyService.php -d
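
Added example, not the daemon's own code: the failure mode reported in comment 8 (an unset value reaching posix_setuid() as 0, which succeeds when the caller is already root) is caught by rejecting id 0 and verifying the drop afterwards. The helper name dropPrivileges() and the account name passed to it are assumptions for illustration.

```php
<?php
// Added example (not from FlashPolicyService.php). dropPrivileges() is a
// hypothetical helper; call it once the privileged port is bound.
function dropPrivileges(string $username): void
{
    if (posix_geteuid() !== 0) {
        throw new RuntimeException('not running as root, nothing to drop');
    }
    $pw = posix_getpwnam($username);
    if ($pw === false) {
        throw new RuntimeException("unknown user: $username");
    }
    $uid = (int) $pw['uid'];
    $gid = (int) $pw['gid'];

    // An unset or mistyped variable coerces to 0, and setuid(0) "succeeds"
    // for a root process. Reject 0 explicitly instead of trusting the call.
    if ($uid === 0 || $gid === 0) {
        throw new RuntimeException("refusing to switch to uid/gid 0 ($username)");
    }

    // Order matters: supplementary groups and gid first, uid last, because
    // an unprivileged process is no longer allowed to change its groups.
    if (!posix_initgroups($username, $gid) || !posix_setgid($gid)) {
        throw new RuntimeException('group drop failed: ' . posix_strerror(posix_get_last_error()));
    }
    if (!posix_setuid($uid)) {
        throw new RuntimeException('setuid failed: ' . posix_strerror(posix_get_last_error()));
    }

    // Verify the resulting ids rather than the return value alone.
    if (posix_getuid() !== $uid || posix_geteuid() !== $uid
        || posix_getgid() !== $gid || posix_getegid() !== $gid) {
        throw new RuntimeException('ids after drop do not match target user');
    }
    // If root can be regained, the drop was not permanent.
    if (@posix_setuid(0)) {
        throw new RuntimeException('process was able to regain root');
    }
}

// Runs only when started as root from the command line.
if (PHP_SAPI === 'cli' && posix_geteuid() === 0) {
    dropPrivileges('nobody'); // assumed account name
    echo 'now running as uid ', posix_getuid(), "\n";
}
```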

  9. hey there,

    i’m a flash designer/developer but don’t know anything about servers and running things as root. i’ve got WAMP on my machine so i can test stuff, could you step me through how to setup this script. it’d be a lifesaver. thanks.

    luke

  10. luke: Unfortunately, this sort of script doesn’t work under windows. It is very Unix-specific. To make things work under Unix, you literally just download the script, make sure it’s executable, and run it. Making something run 24×7 on a server is beyond the scope of a comment here, and is rather specific to your individual unix distro.

  11. Two fixes…
    both from the zip file.
    1) The log function has \\n, rather than just \n – this doesn’t seem to be the case for the code that isn’t in the zip 🙁 Was causing the log to all appear on one line.
    2) The line
    if( strlen($xml_filename) || !file_exists($xml_filename) ) {
    Should be
    if( strlen($xml_filename)==0 || !file_exists($xml_filename) ) {
    This one is in both versions of the code.
    This was causing reading the XML from file to fail.

    Thanks.

  12. Mike A: Yeah, the \n vs \\n is a problem I bump into all the time trying to get code to appear correctly formatted on WordPress. It looks like I put the wrong file in the zip after making my Jan 10th update. As far as the strlen() being backwards… oops! I’ll correct things as soon as I can tonight.

  13. We got following Error messages…

    Error: Connection to socket server failed (Flash Security Error).

    how to fix this issue.. please help me..

    Thanks
    SR

  14. Unfortunately, the only way to get any meaningful detail from flash about WHY a socket connection failed is to use a debug player with security logging enabled.

    The most common reasons for a socket security error are:
    1) no socket policy server at all
    2) firewall is preventing your connection
    3) policy xml being served isn’t correct

  15. We got following Error messages…
    only client side (Chat Window)..
    Error: Connection to socket server failed (Flash Security Error).

    how to fix this issue.. please give some extra tips..

    by
    SR

  16. Push based mechanism is working fine, but one client chatting message another client didn’t get message. once he/she entered some other text.plz help me..

  17. Socket server is working fine.. but Ajax chat is not working properly. one person chatting means another person won’t get message… anybody help me..

  18. I was considering using this on a web-server, until the PHP warning scared that idea away.

    http://us3.php.net/manual/en/intro.pcntl.php
    Process Control support in PHP implements the Unix style of process creation, program execution, signal handling and process termination. Process Control should not be enabled within a web server environment and unexpected results may happen if any Process Control functions are used within a web server environment.

  19. @lf:

    They are correct, but you misunderstand them. You generally don’t want to invoke pcntl calls from a web server “environment”. Ie, you probably don’t want Apache spawning other daemons.

    I’ll repeat it again, this sort of script should NOT be launched by your web server software.

    But there’s absolutely no reason not to (and often many reasons TO) run this sort of script on the web server hardware.

  20. Dear Ammon,

    I have php5.2.12, posix is enabled, and I run the script as root. It tells me saying that posix is missing.

    When I execute your file from CLI, posix is not available.

    if (function_exists('posix_getuid')) {
    echo "posix_getuid available";
    } else {
    echo "posix_getuid not available";
    }

    I think safe_mode needs to be enabled to run your file. Do you know why it didn’t run in my server?

    thank you.
    Nizzy

  21. Ammon, I have a second question. I had a flash debug version and I logged the xdomain requests. I see this warning there. How can I get rid of this warning? Thank you in advance.

    ————————————————
    OK: Root-level SWF loaded: http://www.example.com/Chat.swf
    OK: Searching for in policy files to authorize data loading from resource at xmlsocket://www.example.com:8000 by requestor from http://www.example.com/Chat.swf
    Warning: Found secure=’true’ in policy file from xmlsocket://www.example.com:843, but host http://www.example.com does not appear to refer to the local machine. This may be insecure. See http://www.adobe.com/go/strict_policy_files for details.
    OK: Policy file accepted: xmlsocket://www.example.com:843
    OK: Request for resource at xmlsocket://www.example.com:8000 by requestor from http://www.example.com/Chat.swf is permitted due to policy file at xmlsocket://www.example.com:843
    ————————————————

  22. “Safe mode” never worked as intended in the first place. It is deprecated as of php 5.3 and entirely removed in 6.0. That said, it shouldn’t have anything to do with scripts run from CLI, it should only give things running from a web server trouble. I never run any of my servers in safe mode and have never had a problem with it as a result.

    The documentation does not list the posix methods I use as being explicitly restricted by safe mode:
    http://www.php.net/manual/en/features.safe-mode.functions.php

    Run a ‘php -m’ in the same environment you’re launching the daemon, it should list the posix module if it is available.

  23. Ammon, posix does not appear when I run php -m cmd, however, I see it from the phpinfo() ‘–enable-posix=shared’

    [PHP Modules]
    bz2
    calendar
    ctype
    curl
    date
    dbase
    dom
    exif
    fileinfo
    filter
    ftp
    gd
    geoip
    gettext
    gmp
    hash
    iconv
    imap
    ionCube Loader
    json
    libxml
    mbstring
    mcrypt
    memcache
    mhash
    mysql
    mysqli
    openssl
    pcntl
    pcre
    PDO
    pdo_mysql
    pdo_sqlite
    readline
    Reflection
    session
    shmop
    SimpleXML
    sockets
    SPL
    sqlite
    standard
    tokenizer
    wddx
    xml
    xmlreader
    xmlwriter
    xsl
    zip
    zlib

  24. Ammon, regarding security warning, I already used secure=”false”, actually I am using your file to deliver xdomain policy. I still see that warning in the policy log file. Do you have any more idea how to resolve this? thank you

    // define the xml policy “file”
    $policy_file =
    ”.
    ”.
    ”.
    ”.
    ”;

  25. Ammon,

    I think I don’t have posix installed although phpinfo shows it’s enabled. I tried to install it on Plesk, and it shows that it’s installed.

    yum -y install php-posix
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * atomic: www5.atomicorp.com
    Excluding Packages from Plesk Server Administrator
    Finished
    Setting up Install Process
    Package php-common-5.2.12-2.el5.art.x86_64 already installed and latest version
    Package php-common-5.2.12-2.el5.art.i386 already installed and latest version
    Nothing to do

    Could you please show me how to install posix? thank you

  26. If you don’t have posix running in your server, you can activate it by installing the following cmd. I have plesk 9 on linux.

    yum install php-process

  27. Dear Ammon, I ran your script and I get this in the /tmp/flash-policy.log,

    Last line shows that it got invalid request. is this normal? How can I fix that? thank you.

    [10-02-04 01:55:42] fps: connection accepted from XX.XX.XX.XX, Resource id #13
    [10-02-04 01:55:42] fps: sending policy xml to Resource id #13
    [10-02-04 01:55:43] fps: connection accepted from XX.XX.XX.XX, Resource id #14
    [10-02-04 01:55:43] fps: got invalid request from Resource id #14

  28. to run this script correctly, make sure:

    1) convert the format to unix. because this file has CR|LF at the end of lines. You need LF only.
    2) chmod +x FlashPolicyService.php
    3) then you can run as in ./FlashPolicyService.php

  29. Flash likes making repeat connections on the policy port. I’ve had various degrees of success with making it behave. One thing I seem to recall helping in this case is null terminating the policy data you send – ie, append “\0” to the xml.

    My production servers currently each average about 12k policy xml requests a day and while they have long since evolved from the code I’m sharing here, the core logic is very similar. See if the \0 makes it less likely to re-request the data.

    I’m sorry I can’t be more helpful right now, I’m too busy banging out new code to look over this old class tonight.

  30. I’m having some sort of strange blockage with the p-r-f. I can call it up through my socket in the browsers with http://192.168.1.100:843/crossdomain.xml and also have configured my C# chat server to respond with the same file if the request header regex = . I have also validated that the server is sending out the entire file including the terminating null character ().

    According to adobe, there have been some changes to the policy schema and the crossdomain.xml file should include:

    and for socket connections your header needs to include:
    Content-Type: text/x-cross-domain-policy

    In AS I added the command:
    Security.loadPolicyFile("xmlsocket://192.168.1.100:843");
    …yet I still get:

    Error: Request for resource at xmlsocket://192.168.1.100:843 by requestor from http://192.168.1.100:843/chat.swf is denied due to lack of policy file permissions.

    This has been a 2.5 week journey of frustration for me. Is there someone I can pay to debug my code so I can get on with my life?

  31. Sorry I forgot to escape characters for HTML on my last post.

    I’m having some sort of strange blockage with the p-r-f. I can call it up through my socket in the browsers with http://192.168.1.100:843/crossdomain.xml and also have configured my C# chat server to respond with the same file if the request header regex = policy-file-request. I have also validated that the server is sending out the entire file including the terminating null character (0).

    According to adobe, there have been some changes to the policy schema and the crossdomain.xml file should include:

    <site-control permitted-cross-domain-policies="all"/>

    and for socket connections your header needs to include:
    Content-Type: text/x-cross-domain-policy

    In AS I added the command:
    Security.loadPolicyFile("xmlsocket://192.168.1.100:843");
    …yet I still get:

    Error: Request for resource at xmlsocket://192.168.1.100:843 by requestor from http://192.168.1.100:843/chat.swf is denied due to lack of policy file permissions.

    This has been a 2.5 week journey of frustration for me. Is there someone I can pay to debug my code so I can get on with my life?

  32. Unfortunately, you cannot use http to serve up socket policy files at all – you can only serve policies for http via http. If you want to serve a socket policy, it needs to come from a socket server so you either have to modify your existing socket server or you have to run something like the daemon I have here.
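
The exchange discussed in the last few comments (the request Flash sends to the policy port, the NUL-terminated XML reply, and the point that an HTTP response does not count) can be checked by an operator with a small client. This is an added example, not part of the original daemon: the function names and the sample reply are constructed, and the allow-access-from attributes follow Adobe's socket policy format.

```php
<?php
// Added example, not part of FlashPolicyService.php; names are hypothetical.

// Ask a policy service the same question the Flash player asks on connect.
function fetchSocketPolicy(string $host, int $port = 843, int $timeout = 3): string
{
    $sock = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout);
    if ($sock === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr");
    }
    stream_set_timeout($sock, $timeout);
    fwrite($sock, "<policy-file-request/>\0");
    $raw = (string) stream_get_contents($sock, 65536);
    fclose($sock);
    return $raw;
}

// Review a raw reply: framing, document type, and overly broad grants.
function auditSocketPolicy(string $raw): array
{
    if (strncmp($raw, 'HTTP/', 5) === 0) {
        return ['reply is an HTTP response, not a socket policy'];
    }
    $nul = strpos($raw, "\0");
    $xml = ($nul === false) ? $raw : substr($raw, 0, $nul);
    $findings = ($nul === false) ? ['reply is not NUL-terminated'] : [];

    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($previous);
    if ($doc === false || $doc->getName() !== 'cross-domain-policy') {
        $findings[] = 'reply is not a well-formed cross-domain-policy document';
        return $findings;
    }
    foreach ($doc->{'allow-access-from'} as $rule) {
        $domain = (string) $rule['domain'];
        $ports  = (string) $rule['to-ports'];
        if ($domain === '*') {
            $findings[] = "any origin may open sockets to ports '$ports'";
        }
        if ($ports === '*') {
            $findings[] = "domain '$domain' may reach every port on this host";
        }
    }
    return $findings;
}

// Constructed sample reply (no terminator, wildcard domain).
$sample = '<cross-domain-policy><allow-access-from domain="*" to-ports="8000"/></cross-domain-policy>';
print_r(auditSocketPolicy($sample));
```

To check a live service, pass the output of fetchSocketPolicy() for your own host to auditSocketPolicy() in place of the sample.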
