AskApache » Search Results » pipelining

PortaPutty Auto-Reconnecting SSH Tunnels on an Encrypted TrueCrypt Portable USB Key w GPG

AskApache — Tue, 23 Feb 2010 10:11:11 +0000

Ok I just came back up to write the intro.. I'm trying to keep it short to avoid getting bogged down by the coolness of each step. Here is what goes on. When I logon to my XP machine at work, I bring my usb key and plug it in first. On logging a window pops up first and it's a password prompt to mount my encrypted drive leonardo. It also checks a keyfile that is located on my usb key, but all I do now is type in my password. That causes my encrypted folder to be accessible to me like a normal drive, and it autoruns a startup batch file. The batch file causes Portable versions of Firefox (all my bookmarks, my settings) to load, and launches Portable Mozilla Thunderbird (IMAP makes this work well), which is my favorite program (great GPG features and open-source!). Also Some Adobe CS4 software is loaded from the hard drive, like DreamWeaver.

The batch file also runs PortaPuttY plink to create forwarded tunnels from various remote servers and accounts, all using key-based encryption. This includes dynamic SOCKS 4/5 tunnels, VPN tun device tunnels, and of course the basic SSH port forwarding tunnels that are so powerful. These tunnels are automatically reconnected if they are disconnected, using simple windows builtin command-line tools. And believe me it was not easy to figure out how to make this all work using plink ( essentially the same as putty minus the gui ), I literally had to use almost all of my Windows kung fu to finally end up with this.

Using MyEnTunnel

Initially I was using the MyEnTunnel program combined with a custom windows batch install script I wrote to handle the tunnels.

The tunnels are very important to making things easy while improving security. It's not easy to understand at first, but basically it means you can now connect to ANY IP address:port as if you were on that very machine connecting to localhost, like if you pinged yourself!. The result is any traffic you want is now encrypted, and you can set up your servers to only accept connections from localhost, which could save you tons of memory, bandwidth, and security attack vectors to think about. So I configure everything to use these tunnels as proxies, like Mozilla Thunderbird and Chrome, Firefox, Pidgeon, all portable versions and running from my encrypted usb drive.

This means you can walk into my house with that usb key, plug into any computer here, and surf the web/check your emails all across SSH... I know for a fact I wouldn't be able to snoop that traffic! There is a lot of exciting things going on around here, new servers and all.. Its going to take a couple more posts for me to finish this up, enjoy the article and comment.

Buy a couple USB Mini Drives

The first thing to do, is purchase a USB thumb drive.. My favorite store, TigerDirect.com, has over 104 tiny usb drives for under $24.. I've used them since the late 90's.

I bought some 4GB PNY's the size of a fingernail at a gas station and they are amazing, way faster than say a dvd drive. Just try to do some research of the differences between the 16GB vs the $4 1GB drives.. You want speed because the whole drive will be encrypted. If you can afford the super excellent and crazy fast ones, hey send me one! Buying cheap means you can buy 3 or 4 so you can always have backups. This device will make you Internationally mobile, untethered from a box, maybe getting some work done at a cafe in Florenze, or at a beach hotel in Miami. Keep dreaming, but that is more possible with a better organized system.

Backup the USB Drive

You only need to know 1 way that works, there are several. The way I do backups is to copy the entire disk image of the usb, that way I can always access it in case of usb key failure, which does happen. Free software like CloneZilla live CD with its crazy cluster computing power, or Self Image, which is free for both linux and Windows. And you could never go wrong with GHOST, one of the first to make mega bucks in the market.. it's some seriously impressive software but not open-source. Even easier for some is to just set a cron job for dd to pipe the entire drive image to a remote computer using netcat, or sshfs, or curlftpfs, or just simple ssh like below. Once setup (without stupid, bulky, dangerous software), the files on your encrypted usb don't change often, otherwise I would want to sync a backup to happen automatically every X number of logins or days (test logfile time in bash_profile?)..

SSH Back-ups To Remote Server

Files and data on your drives slow it down tremendously, meaning a web server storing backups locally is slower than one storing them externally.

Notice how much safer this command is by optimizing both the CPU and DISK I/O.. Though it's much smarter to create a new separate ssh user, one with no shell and a passwordless safer key-based encryption. Then in your /etc/security/limits.conf file or your initscript you can cause that user to have nice -19 and ionice -c2 -n7 priority set all the time automatically, since sshd, compression, and disk writing are this accounts only job. turboslow is an alias defined in a ssh_config file so you don't have to type the host, port, and settings each time.

#
# much better ways to do this on google!!!!!!!
#
ionice -c2 -n7 nice -n 19 dd if=/dev/sdb2 bs=1k conv=sync,noerror | gzip -c | ssh turboslow "dd of=sdb2.gz bs=1k"

Note that you may decide it would be better to configure the ssh connection to a less CPU intensive algorithm, perhaps even protocol 1 and DES. That's perfectly alright, but the tradeoff is that the encryption can be broken much quicker, and so you would have to implement a cron job to create new keys on both ends of the tunnel every few hours.. It's really not a big deal to setup, kind of sweet way to use key-based encryption. Also, important files ( those containing passwords, any database ) are encrypted before transport using private GPG keys, which don't need to be changed. The other thing to think about too is only letting your main PC send/write on the backup host, so the backup host is only authorized to rx and can never login back to yours.

Hey! the Internet is a dangerous place you better believe it! And it's only going to get more interesting with cloud computing's breakthrough's... More people who know they're way around... I can always use an extra server, I'd love to expand my network another node without having to pay for it (free cloud computing?), so make sure your servers are locked up strenuously. Not super perfect, just a little unique or creative in your defense to avoid any coming super-worm's that may be employing vast arsenals of the deadliest attack-engines like metasploit.. Scarry rumors.

Compression Speeds: PBZip2, Rzip, Lzop, Gzip

Probably the fastest is to use rsync over ssh, which is what I'm doing, since the algorithms used by rsync are much faster and safer. Rsync also lets you specify a compression program, so depending on your machine you will want pbzip2 (for multi processors) or rzip which are the 2 fastest I know of, though I have had some reliability issues with rzip for gigabyte transfers. Pbzip2 is amazing, blew me away the first time being 8x faster (8 CPUs) then anything. You can get it and compile a static binary for your thumb drive if want at Parallel BZIP2 (PBZIP2). Heavy code, re: this note by Jeff Gilchrist

NOTE: If you are looking for a parallel BZIP2 that works on cluster machines, you should check out MPIBZIP2 which was designed for a distributed-memory message-passing architecture.

tar cpf "$G" --use-compress-prog=pbzip2 ./

Benchmarking for Performance

Finally a couple tips, you should get an idea what the device can do, format it a few times for linux and test it on windows, and vice versa.. Some drives are too small or too old and can only support fat32 filesystems on winblows, you DO NOT want fat32 because this drive is going to be 100% encrypted and then 100% transparently decrypted as you use it,

# note this is 512MB
dd if=/dev/sda1 of=/dev/null bs=512 count=1000000
512000000 bytes (512 MB) copied, 5.16588 s, 99.1 MB/s

Part II: Encrypted AutoRunning USB Key with TrueCrypt

Now this section anyone can do, it's so easy on Windows. What I'm going to show you how to do is get setup the right way super-fast. There are many ways to use TrueCrypt, it's one of the nicest built software programs's I've ever used... Sadly, it is not licensed open-source, and that is often a deal-breaker for security-conscious folks or anti-pirate anarchists. From the very helpful TrueCrypt web site:

Creates a virtual encrypted disk within a file and mounts it as a real disk.

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Encrypts a partition or drive where Windows is installed (pre-boot authentication).

Encryption is automatic, real-time (on-the-fly) and transparent.

Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.

Provides plausible deniability, in case an adversary forces you to reveal the password: Hidden volume (steganography) and hidden operating system.

Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Serve External Javascript Files locally for Increased Speed

AskApache — Wed, 01 Oct 2008 06:55:46 +0000

AskApache.com

One of the ways I speed up AskApache.com is by downloading all the external javascript files to my server and then serve them from my own server instead of the external site. Currently I'm using this method to serve the Google Analytics javascript file, and the Quantcast javascript file.

Speed Benefit

The speed benefit occurs because normally a site visitor has to perform a DNS query for both the google-analytics.com and quantcast.com servers, create a connection to each server, and then download the files. By hosting these scripts on your own server you remove all the extra DNS queries, and by hosting all the files on your single server you enable advanced HTTP 1/1 protocol features like Pipelining the requests, which means a single connection for multiple files.

Cache and Compression Control

Serving these javascript files from your own server gives you complete control over the caching and compression settings of those files, which may not seem like a big deal... unless you know about the advanced caching and compression techniques available to make your site super-fast.

Caching Control

By using the mod_rewrite cache hack like I do, you can make sure that a fresh version of the .js file is used by your visitors.

Compression Control

You can also specify advanced compression for these files, which could mean using Apache's mod_deflate or mod_gzip modules, or you can even use a compression tool like Dojo's Shrinksafe, Packer, JSMin, or YUICompressor to further compress the javascript files.

Automated Downloading with Crontab

Using crontab I tell my web server to run this shell script every day, to make sure I have updated versions of all the files. Here's the crontab entry I use to run this shell script every day.

@daily /bin/sh /home/cron-scripts/grab_javascripts.sh 2>&1 &>/dev/null

Shell Script to Download JS

I created a simple Bash shell-script to download the javascript files. All you need to do is modify the variables to save to your directory and send your site as the Referring URL and you are good to go. You can add as many files as you want by adding them to the JSFILE array.

You can also download the shell-script: grab_javascripts.sh

#!/bin/bash
# 2008-09-30
umask 022
VER="2.0"
 
### Set as the referring url for downloads
SITE=http://www.askapache.com/
 
### Directory to save the downloaded files
JSD=$HOME/j/
 
### The files to download
JSFILE[0]=http://www.google-analytics.com/ga.js
 
### run script with args to turn on debugging
[[ $# -ne 0 ]] && set -o xtrace && set -o verbose
 
### SHELL OPTIONS
set +o noclobber # allowed to clobber files
set +o noglob # globbing on
set -e # abort on first error
shopt -s extglob
 
#--=--=--=--=--=--=--=--=--=--=--#
# pt
#==-==-==-==-==-==-==-==-==-==-==#
function pt(){
  case ${1:-d} in
   i) echo -e "${C6}=> ${C4}${2} ${C0}"; ;;
   m) echo -en "\n\n${C2}>>> ${C4}${2} ${C0}\n\n"; ;;
   *) echo -e "\n${C8} DONE ${C0} \n"; ;;
  esac
}
 
#=# CATCH SCRIPT KILLED BY USER
trap 'kill -9 $$' SIGHUP SIGINT SIGTERM
 
#=# MAKE MAIN SCRIPT NICE AS POSSIBLE SINCE IT DOESNT DO MUCH
renice 19 -p $$ &>/dev/null
 
#=# TURNS ON COLORING ONLY FOR TERMS THAT CAN SUPPORT IT
C="\033[";C0=;C1=;C2=;C3=;C4=;C5=;C6=;C7=;C8=;C9=;
  C0="${C}0m";C1="${C}1;30m";C2="${C}1;32m";C3="${C}0;32m";C4="${C}1;37m"
  C5="${C}0;36m";C6="${C}1;35m";C7="${C}0;37m";C8="${C}30;42m";C9="${C}1;36m";
clear
echo -e "${C1} __________________________________________________________________________ "
echo -e "| ${C2}             ___       __    ___                 __             ${C1}         |"
echo -e "| ${C2}            / _ | ___ / /__ / _ | ___  ___ _____/ /  ___        ${C1}         |"
echo -e "| ${C2}           / __ |(_-/dev/null && pt i "CREATED $JSD" && pt
 
#=# DOWNLOAD JAVASCRIPT FILES
cd $JSD && pt m "DOWNLOADING JAVASCRIPT FILES"
for theurl in "${JSFILE[@]}"; do
pt i "${theurl}"
curl -m 60 --connect-timeout 10 --retry 10 --retry-delay 180 -s -S -L -e '${SITE}' -A 'Mozilla/5.0' -O "${theurl}"
done
pt && cd $OLDPWD
 
######## curl options
# -S Show error. With -s, make curl show errors when they occur
# -s Silent mode. Don't output anything
# -e  Referer URL (H)
# -H  Custom header to pass to server (H)
# -L  Follow Location: hints (H)
# -A  User-Agent to send to server (H)
# -m  Maximum time allowed for the transfer
# --connect-timeout  Maximum time allowed for connection
# --globoff  Disable URL sequences and ranges using {} and []
# -O  Write output to a file named as the remote file
# --retry   Retry request  times if transient problems occur
# --retry-delay  When retrying, wait this many seconds between each
# --retry-max-time  Retry only within this period
#############################################################################
 
exit 0

Serve External Javascript Files locally for Increased Speed originally appeared on AskApache.com

Fsockopen Power Plays

AskApache — Wed, 02 Jul 2008 11:42:56 +0000

AskApache.com

PHP's function fsockopen lets you open an Internet or Unix domain socket connection for connecting to a resource, and is one of the most powerful functions. fsockopen could be described as creating a direct link to the wire connected to a resource, which means you can send any information (EBCDIC, ASCII, Hex, C arrays, Raw) directly to the target server.

A Socket is like /dev/null

In unix you can send anything to the /dev/null device, for Windows think Recycle Bin, and likewise you can send anything to a socket created with fsockopen. I've seen fsockopen code that sends custom exploits to cisco routers, including being used by the metasploit framework. I've seen fsockopen telnet emulation, smtp/pop3 login, and a lot of other advanced raw networking that is exciting for me see.

Some Definitions for Fsockopen

client: A program that establishes connections for the purpose of sending requests.
server: An application program that accepts connections in order to service requests by sending back responses.

Simple Socket Explantion

A web server host listens on TCP port 80. When a client host wishes to view a resource on the web server, it establishes a TCP connection with the server host by opening a socket to send the request for the resource. When the connection is established, the client and server exchange requests and responses (respectively) until the connection is closed or aborted.

HTTP and fsockopen

The Snoopy class is bundled with WordPress distributions and uses fsockopen to achieve most of its cool features. WordPress core, plugins, and other included files and classes also use the fsockopen function to communicate via HTTP.

Fsockopen Examples

Note the warning sign, fsockopen is dangerous in the sense that you can crash your server, perform a DOS against your own server or other site, use up all your servers available sockets and fd descriptors, use up your bandwidth, etc.. Shouldn't be a problem unless you are being malicious or careless.

Here are some BOSS fsockopen functions I hacked together yesterday for use in my AskApache Crazy Cache WordPress Plugin. I've used code and ideas from 100's of authors, projects, and docs to try to make this the very best I can.

Intro

This is a working example employing as many of the best-practices, tips, and tricks for using fsockopen on remote streams that I could find.

100megs */
function askapache_txrx($fp,$request,$chunk=1024){
  $rec=$buf='';
  if(!@fwrite($fp, $request, strlen($request)))die('fwrite error');
  while ( !@feof($fp) && askapache_time_ok(askapache_time_passed())){
    $buf = @fread($fp, $chunk);
    $rec .= $buf;
  }
  if(!@fclose($fp))die('fclose error');
  return $rec;
}
 
/* initiates the socket and download for the passed url.
   automatically handles gzip, chunked, both, and plain downloads.
   uses the long2ip/ip2long for ip validation, uses gethostbyname to
   get the ipv4 address which saves fsockopen from having to do the lookup
   final data is saved to $rbody but currently only displays headers.*/
function aa_dl($url=NULL){
  global $aa_time;
  $ub = @parse_url($url);
  if(!isset($ub['host'])||empty($ub['host'])) die("bad url $url");
  $proto   = ($ub['scheme']=='https')?'ssl://':'';
  $port   = (isset($ub['port'])&&!empty($ub['port'])) ? $ub['port']:($proto!='')?443:80;
  $path   = (isset($ub['path'])&&!empty($ub['path'])) ? $ub['path']:'/';
  $query   = (isset($ub['query'])&&!empty($ub['query'])) ? '?'.$ub['query'] : '';
  $host   = $ub['host'];
  $ipp     = @gethostbyname($host);
  $ip     = ($ipp!=$host) ? long2ip(ip2long($ipp)) : $host;
 
  $headers=array(
   "GET {$path}{$query} HTTP/1.1",
   "Host: {$host}",
   'User-Agent: Mozilla/5.0 (AskApache/; +http://www.askapache.com/)',
   'Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,*/*;q=0.5',
   'Accept-Language: en-us,en;q=0.5',
   'Accept-Encoding: gzip,deflate',
   'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
   'Connection: close','Referer: http://www.askapache.com'
  );
  $request=join(AA_LF,$headers).AA_LF.AA_LF;
 
  $fp=askapache_get_sock($proto.$ip, $port);
  if($fp){
    $rbody=$rec='';$resp_headers=array();
    $rec=askapache_txrx($fp,$request);
    list($resp_headers, $rbody) = explode(AA_LF.AA_LF, trim($rec), 2);
  echo "\n$request
\n$resp_headers\n";
    $gzip2=(stripos($resp_headers,'Content-Encoding')!==false &&
        stripos($resp_headers,'gzip')!==false)?1:0;
    $chunk=(stripos($resp_headers,'Transfer-Encoding')!==false &&
        stripos($resp_headers,'chunked')!==false)?1:0;
    $rbody=aa_decode_body($rbody,$chunk,$gzip2);
    unset($rbody);
  }
}
 
/* based on http://us.php.net/manual/en/function.fsockopen.php#75175
   ungzips and/or re-assembles transfer-encoded:chunked responses
   returns the good response on success */
function aa_decode_body ($str, $chunked, $gzipped){
  if($gzipped && !$chunked) return aa_gzdecode($str);
  if(!$gzipped && !$chunked) return $str;
  $tmp = $str; $str = '';
  do {
    $tmp = ltrim($tmp);
    $pos = strpos($tmp,AA_LF);
    $len = hexdec(substr($tmp, 0, $pos));
    if($gzipped) $str .= gzinflate(substr($tmp,($pos+12),$len));
    else $str .=substr($tmp,($pos+2),$len);
    $tmp = substr($tmp,($len+$pos+2));
  $chk=trim($tmp);
  } while (!empty($chk));
  return $str;
}
 
/*  based on http://us2.php.net/manual/en/function.gzencode.php#82520
  saves the gzipped data to a tempfile, then outputs the decoded
  data to the output buffer using readgzfile, returning the decoded
  buffer and deleting the tempfile on success */
function aa_gzdecode($data){
  $g=tempnam('/tmp','ff');
  @file_put_contents($g,$data);
  ob_start(); readgzfile($g); $d=ob_get_clean(); @unlink($g);
  return $d;
}
 
/*  very cool!  this is run during socket reads and checks whether the script
  execution time limit or the socket read time limit has been met, killing
  the script if so, otherwise returns true.  Run with a cron-like process */
function askapache_time_ok($sock_time=0) {
  global $aa_time;
  if (time()-$aa_time>AA_MAX_TIME)
    die('killed script.. time exceeded '.AA_MAX_TIME.' Total: '.$total);
  if ($sock_time>AA_RECV_TIME)
    die('Killed socket.. time exceeded '.AA_RECV_TIME.' Total: '.$sock_time);
  return true;
}
 
/* input for askapache_time_ok to keep track of each socket read time time. */
function askapache_time_passed() {
  global $aa_time_start;
  return (time() - $aa_time_start);
}
 
/*  handles fsockopen errors, printing them out though you may want to die on err */
function askapache_sock_strerror($errno,$errstr){
  switch($errno){
    case -3:  $err="Socket creation failed"; break;
    case -4:  $err="DNS lookup failure"; break;
    case -5:  $err="Connection refused or timed out"; break;
    case 111: $err="Connection refused"; break;
    case 113: $err="No route to host"; break;
    case 110: $err="Connection timed out"; break;
    case 104: $err="Connection reset by client"; break;
    default:  $err="Connection failed"; break;
  }
  echo 'Fsockopen failed!'."\n[".$errno."] ".$err." (".$errstr.")";
  return false;
}
?>

Debugging Fsockopen

If you really want to know more about fsockopen, you can do what I did and read all the relevant php source files, your OS sys, lib, and user files relevant to fsockopen, and of course you can always trace php using the fsockopen function to get an under-the-hood look at what in the world fsockopen is doing. Personally, I was trying to find more error codes and error strings to display when an fsockopen call failed, and I ended up finding over 50..

fsockopen Errors

function fsockopen_err($errnum)
{
   static $fsockopen_errors;
   is_null($fsockopen_errors) && $fsockopen_errors = array(
  0 => 'Success',
  1 => 'Operation not permitted',
  2 => 'No such file or directory',
  3 => 'No such process',
  4 => 'Interrupted system call - DNS lookup failure',
  5 => 'Input/output error - Connection refused or timed out',
  6 => 'No such device or address',
  7 => 'Argument list too long',
  8 => 'Exec format error',
  9 => 'Bad file descriptor',
  10 => 'No child processes',
  11 => 'Resource temporarily unavailable',
  12 => 'Cannot allocate memory',
  13 => 'Permission denied',
  14 => 'Bad address',
  15 => 'Block device required',
  16 => 'Device or resource busy',
  17 => 'File exists',
  18 => 'Invalid cross-device link',
  19 => 'No such device',
  20 => 'Not a directory',
  21 => 'Is a directory',
  22 => 'Invalid argument',
  23 => 'Too many open files in system',
  24 => 'Too many open files',
  25 => 'Inappropriate ioctl for device',
  26 => 'Text file busy',
  27 => 'File too large',
  28 => 'No space left on device',
  29 => 'Illegal seek',
  30 => 'Read-only file system',
  31 => 'Too many links',
  32 => 'Broken pipe',
  33 => 'Numerical argument out of domain',
  34 => 'Numerical result out of range',
  35 => 'Resource deadlock avoided',
  36 => 'File name too long',
  37 => 'No locks available',
  38 => 'Function not implemented',
  39 => 'Directory not empty',
  40 => 'Too many levels of symbolic links',
  41 => 'Unknown error 41',
  42 => 'No message of desired type',
  43 => 'Identifier removed',
  44 => 'Channel number out of range',
  45 => 'Level 2 not synchronized',
  46 => 'Level 3 halted',
  47 => 'Level 3 reset',
  48 => 'Link number out of range',
  49 => 'Protocol driver not attached',
  50 => 'No CSI structure available',
  51 => 'Level 2 halted',
  52 => 'Invalid exchange',
  53 => 'Invalid request descriptor',
  54 => 'Exchange full',
  55 => 'No anode',
  56 => 'Invalid request code',
  57 => 'Invalid slot',
  58 => 'Unknown error 58',
  59 => 'Bad font file format',
  60 => 'Device not a stream',
  61 => 'No data available',
  62 => 'Timer expired',
  63 => 'Out of streams resources',
  64 => 'Machine is not on the network',
  65 => 'Package not installed',
  66 => 'Object is remote',
  67 => 'Link has been severed',
  68 => 'Advertise error',
  69 => 'Srmount error',
  70 => 'Communication error on send',
  71 => 'Protocol error',
  72 => 'Multihop attempted',
  73 => 'RFS specific error',
  74 => 'Bad message',
  75 => 'Value too large for defined data type',
  76 => 'Name not unique on network',
  77 => 'File descriptor in bad state',
  78 => 'Remote address changed',
  79 => 'Can not access a needed shared library',
  80 => 'Accessing a corrupted shared library',
  81 => '.lib section in a.out corrupted',
  82 => 'Attempting to link in too many shared libraries',
  83 => 'Cannot exec a shared library directly',
  84 => 'Invalid or incomplete multibyte or wide character',
  85 => 'Interrupted system call should be restarted',
  86 => 'Streams pipe error',
  87 => 'Too many users',
  88 => 'Socket operation on non-socket',
  89 => 'Destination address required',
  90 => 'Message too long',
  91 => 'Protocol wrong type for socket',
  92 => 'Protocol not available',
  93 => 'Protocol not supported',
  94 => 'Socket type not supported',
  95 => 'Operation not supported',
  96 => 'Protocol family not supported',
  97 => 'Address family not supported by protocol',
  98 => 'Address already in use',
  99 => 'Cannot assign requested address',
  100 => 'Network is down',
  101 => 'Network is unreachable',
  102 => 'Network dropped connection on reset',
  103 => 'Software caused connection abort',
  104 => 'Connection reset by peer',
  105 => 'No buffer space available',
  106 => 'Transport endpoint is already connected',
  107 => 'Transport endpoint is not connected',
  108 => 'Cannot send after transport endpoint shutdown',
  109 => 'Too many references: cannot splice',
  110 => 'Connection timed out',
  111 => 'Connection refused',
  112 => 'Host is down',
  113 => 'No route to host',
  114 => 'Operation already in progress',
  115 => 'Operation now in progress',
  116 => 'Stale NFS file handle',
  117 => 'Structure needs cleaning',
  118 => 'Not a XENIX named type file',
  119 => 'No XENIX semaphores available',
  120 => 'Is a named type file',
  121 => 'Remote I/O error',
  122 => 'Disk quota exceeded',
  123 => 'No medium found',
  124 => 'Wrong medium type',
  125 => 'Operation canceled'
  );
    return (isset($fsockopen_errors[$errnum])) ? $fsockopen_errors[$errnum] : $errnum;
}

If you would like to see all the errors on your particular machine:

for($i=0, $s=""; $i<250; $s=socket_strerror($i), $i++)
  !empty($s) && ('Unknown error' != (substr($s,0,13)) ) && print "{$i} => {$s}\n";

Which outputs:

1 => Success
2 => Operation not permitted
3 => No such file or directory
4 => No such process
5 => Interrupted system call
6 => Input/output error
7 => No such device or address
8 => Argument list too long
9 => Exec format error
10 => Bad file descriptor
11 => No child processes
12 => Resource temporarily unavailable
13 => Cannot allocate memory
14 => Permission denied
15 => Bad address
16 => Block device required
17 => Device or resource busy
18 => File exists
19 => Invalid cross-device link
20 => No such device
21 => Not a directory
22 => Is a directory
23 => Invalid argument
24 => Too many open files in system
25 => Too many open files
26 => Inappropriate ioctl for device
27 => Text file busy
28 => File too large
29 => No space left on device
30 => Illegal seek
31 => Read-only file system
32 => Too many links
33 => Broken pipe
34 => Numerical argument out of domain
35 => Numerical result out of range
36 => Resource deadlock avoided
37 => File name too long
38 => No locks available
39 => Function not implemented
40 => Directory not empty
41 => Too many levels of symbolic links
43 => No message of desired type
44 => Identifier removed
45 => Channel number out of range
46 => Level 2 not synchronized
47 => Level 3 halted
48 => Level 3 reset
49 => Link number out of range
50 => Protocol driver not attached
51 => No CSI structure available
52 => Level 2 halted
53 => Invalid exchange
54 => Invalid request descriptor
55 => Exchange full
56 => No anode
57 => Invalid request code
58 => Invalid slot
60 => Bad font file format
61 => Device not a stream
62 => No data available
63 => Timer expired
64 => Out of streams resources
65 => Machine is not on the network
66 => Package not installed
67 => Object is remote
68 => Link has been severed
69 => Advertise error
70 => Srmount error
71 => Communication error on send
72 => Protocol error
73 => Multihop attempted
74 => RFS specific error
75 => Bad message
76 => Value too large for defined data type
77 => Name not unique on network
78 => File descriptor in bad state
79 => Remote address changed
80 => Can not access a needed shared library
81 => Accessing a corrupted shared library
82 => .lib section in a.out corrupted
83 => Attempting to link in too many shared libraries
84 => Cannot exec a shared library directly
85 => Invalid or incomplete multibyte or wide character
86 => Interrupted system call should be restarted
87 => Streams pipe error
88 => Too many users
89 => Socket operation on non-socket
90 => Destination address required
91 => Message too long
92 => Protocol wrong type for socket
93 => Protocol not available
94 => Protocol not supported
95 => Socket type not supported
96 => Operation not supported
97 => Protocol family not supported
98 => Address family not supported by protocol
99 => Address already in use
100 => Cannot assign requested address
101 => Network is down
102 => Network is unreachable
103 => Network dropped connection on reset
104 => Software caused connection abort
105 => Connection reset by peer
106 => No buffer space available
107 => Transport endpoint is already connected
108 => Transport endpoint is not connected
109 => Cannot send after transport endpoint shutdown
110 => Too many references: cannot splice
111 => Connection timed out
112 => Connection refused
113 => Host is down
114 => No route to host
115 => Operation already in progress
116 => Operation now in progress
117 => Stale NFS file handle
118 => Structure needs cleaning
119 => Not a XENIX named type file
120 => No XENIX semaphores available
121 => Is a named type file
122 => Remote I/O error
123 => Disk quota exceeded
124 => No medium found
125 => Wrong medium type
126 => Operation canceled

Tracing fsockopen using Strace

Once you save the above file on your site, you can use the strace tool to debug it. This is a tad overboard but way cool nevertheless!

strace -e trace=connect php -nef fsockopen-test.php

connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.33.216.129")}, 28) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.87.106.226")}, 16) = -1 EINPROGRESS (Operation now in progress)

strace -e trace=network php -nef fsockopen-test.php

socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.33.216.129")}, 28) = 0
send(3, "\274\221\1\0\0\1\0\0\0\0\0\0\5httpd\6apache\3org\0\0\1"..., 34, 0) = 34
recvfrom(3, "\274\221\201\200\0\1\0\1\0\0\0\0\5httpd\6apache\3org\0"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.33.216.129")}, [16]) = 50
socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = -1 EAFNOSUPPORT (Address family not supported by protocol)
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.87.106.226")}, 16) = -1 EINPROGRESS (Operation now in progress)
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
send(3, "GET / HTTP/1.1\r\nHost: httpd.apac"..., 356, MSG_DONTWAIT) = 356
recv(3, "HTTP/1.1 200 OK\r\nDate: Wed, 02 J"..., 8192, MSG_DONTWAIT) = 2609
recv(3, "", 8192, MSG_DONTWAIT)         = 0

strace -q -e trace=all php -nef fsockopen-test.php

mmap2(NULL, 266240, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76ba000
munmap(0xb76ba000, 266240)              = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
connect(3, {sa_family=AF_FILE, path="/var/run/.nscd_socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/hosts", O_RDONLY)            = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=948, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f6e000
read(3, "# /etc/hosts - dh2 generated\n127"..., 4096) = 948
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7f6e000, 4096)                = 0
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.33.216.129")}, 28) = 0
send(3, "X~\1\0\0\1\0\0\0\0\0\0\2en\twikipedia\3org\0\0\1"..., 34, 0) = 34
gettimeofday({1214998196, 656179}, NULL) = 0
poll([{fd=3, events=POLLIN, revents=POLLIN}], 1, 5000) = 1
ioctl(3, FIONREAD, [100])               = 0
recvfrom(3, "X~\201\200\0\1\0\3\0\0\0\0\2en\twikipedia\3org\0\0\1"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("66.33.216.129")}, [16]) = 100
close(3)                                = 0
time(NULL)                              = 1214998196
gettimeofday({1214998196, 656754}, NULL) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
fcntl64(3, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("208.80.152.2")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=3, events=POLLIN|POLLOUT|POLLERR|POLLHUP, revents=POLLOUT}], 1, 10000) = 1
getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
fcntl64(3, F_SETFL, O_RDWR)             = 0
send(3, "GET /wiki/Main_Page HTTP/1.1\r\nHo"..., 370, MSG_DONTWAIT) = 370
poll([{fd=3, events=POLLIN|POLLPRI|POLLERR|POLLHUP}], 1, 0) = 0
time(NULL)                              = 1214998196
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN}], 1, 30000) = 1
recv(3, "HTTP/1.0 200 OK\r\nDate: Wed, 02 J"..., 8192, MSG_DONTWAIT) = 2896
time(NULL)                              = 1214998196
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN}], 1, 30000) = 1
recv(3, "\214!\337i\307\336\23w\253wy\215\26EL\227;\227\253\261"..., 8192, MSG_DONTWAIT) = 5792
time(NULL)                              = 1214998196
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN}], 1, 30000) = 1
recv(3, "4\201\273\214\17yI\347\257\371\373\344\332\330\227\245"..., 8192, MSG_DONTWAIT) = 7487
time(NULL)                              = 1214998197
poll([{fd=3, events=POLLIN|POLLERR|POLLHUP, revents=POLLIN}], 1, 30000) = 1
recv(3, "", 8192, MSG_DONTWAIT)         = 0
close(3)                                = 0
write(1, "\nGET /wiki/Main_Page HTTP/1"..., 1300







More Fsockopen Info

TCP Multiplexing
RFC 793: To allow for many processes within a single Host to use TCP communication facilities simultaneously, the TCP provides a set of addresses or ports within each host.  Concatenated with the network and host addresses from the internet communication layer, this forms a socket.  A pair of sockets uniquely identifies each connection. That is, a socket may be simultaneously used in multiple connections.
The binding of ports to processes is handled independently by each Host.  However, it proves useful to attach frequently used processes (e.g., a "logger" or timesharing service) to fixed sockets which are made known to the public.  These services can then be accessed through the known addresses.  Establishing and learning the port addresses of other processes may involve more dynamic mechanisms.

TCP Connections
The reliability and flow control mechanisms described above require that TCPs initialize and maintain certain status information for each data stream.  The combination of this information, including sockets, sequence numbers, and window sizes, is called a connection. Each connection is uniquely specified by a pair of sockets identifying its two sides.
When two processes wish to communicate, their TCP's must first establish a connection (initialize the status information on each side).  When their communication is complete, the connection is terminated or closed to free the resources for other uses.
Since connections must be established between unreliable hosts and over the unreliable internet communication system, a handshake mechanism with clock-based sequence numbers is used to avoid erroneous initialization of connections.

Fsockopen Practical Uses

Download Web Pages, Files, etc.
Upload a file
Send POST data to a form
Emulate cron
Download plugin updates
Scan sites for exploits
Auto Login to Google
Pass wp-nonces via cookie headers, and more



Transfer-Encoding
RFC 2068
19.4.6 Introduction of Transfer-Encoding
 
   HTTP/1.1 introduces the Transfer-Encoding header field (section
   14.40).  Proxies/gateways MUST remove any transfer coding prior to
   forwarding a message via a MIME-compliant protocol.
 
   A process for decoding the "chunked" transfer coding (section 3.6)
   can be represented in pseudo-code as:
 
          length := 0
          read chunk-size, chunk-ext (if any) and CRLF
          while (chunk-size > 0) {
             read chunk-data and CRLF
             append chunk-data to entity-body
             length := length + chunk-size
             read chunk-size and CRLF
          }
          read entity-header
          while (entity-header not empty) {
             append entity-header to existing header fields
             read entity-header
          }
          Content-Length := length
          Remove "chunked" from Transfer-Encoding


Socket-Related Man Pages
DESCRIPTION
This  manual  page  describes the Linux networking socket layer user interface. The BSD compatible sockets are the uniform interface between
the user process and the network protocol stacks in the kernel.  The protocol modules are  grouped  into  protocol  families  like  PF_INET,
PF_IPX, PF_PACKET and socket types like SOCK_STREAM or SOCK_DGRAM.  See socket(2) for more information on families and types.
 
SOCKET LAYER FUNCTIONS
These  functions  are  used by the user process to send or receive packets and to do other socket operations. For more information see their
respective manual pages.
 
socket(2) creates a socket, connect(2) connects a socket to a remote socket address, the bind(2) function binds a socket to a  local  socket
address,  listen(2)  tells  the socket that new connections shall be accepted, and accept(2) is used to get a new socket with a new incoming
connection.  socketpair(2) returns two connected anonymous sockets (only implemented for a few local families like PF_UNIX)
 
send(2), sendto(2), and sendmsg(2) send data over a socket, and recv(2), recvfrom(2), recvmsg(2) receive data from a  socket.   poll(2)  and
select(2)  wait  for  arriving  data  or a readiness to send data.  In addition, the standard I/O operations like write(2), writev(2), send-
file(2), read(2), and readv(2) can be used to read and write data.
 
getsockname(2) returns the local socket address and getpeername(2) returns the remote socket address.  getsockopt(2) and  setsockopt(2)  are
used to set or get socket layer or protocol options.  ioctl(2) can be used to set or read some other options.
 
close(2) is used to close a socket.  shutdown(2) closes parts of a full duplex socket connection.
 
Seeking, or calling pread(2) or pwrite(2) with a non-zero position is not supported on sockets.
 
It  is possible to do non-blocking IO on sockets by setting the O_NONBLOCK flag on a socket file descriptor using fcntl(2).  Then all opera-
tions that would block will (usually) return with EAGAIN (operation should be retried later); connect(2) will return EINPROGRESS error.  The
user can then wait for various events via poll(2) or select(2).

From the FreeBSD man page for socket(2)
Sockets of type SOCK_STREAM are full-duplex byte streams, similar to
pipes.  A stream socket must be in a connected state before any data may
be sent or received on it.  A connection to another socket is created
with a connect(2) system call.  Once connected, data may be transferred
using read(2) and write(2) calls or some variant of the send(2) and
recv(2) functions.  (Some protocol families, such as the Internet family,
support the notion of an ``implied connect'', which permits data to be
sent piggybacked onto a connect operation by using the sendto(2) system
call.)  When a session has been completed a close(2) may be performed.
Out-of-band data may also be transmitted as described in send(2) and
received as described in recv(2).
 
The communications protocols used to implement a SOCK_STREAM insure that
data is not lost or duplicated.  If a piece of data for which the peer
protocol has buffer space cannot be successfully transmitted within a
reasonable length of time, then the connection is considered broken and
calls will indicate an error with -1 returns and with ETIMEDOUT as the
specific code in the global variable errno.  The protocols optionally
keep sockets ``warm'' by forcing transmissions roughly every minute in
the absence of other activity.  An error is then indicated if no response
can be elicited on an otherwise idle connection for an extended period
(e.g. 5 minutes).  A SIGPIPE signal is raised if a process sends on a
broken stream; this causes naive processes, which do not handle the sig-
nal, to exit.

Have Fun   ;)




define ('SOCKET_EPERM', 1);
define ('SOCKET_ENOENT', 2);
define ('SOCKET_EINTR', 4);
define ('SOCKET_EIO', 5);
define ('SOCKET_ENXIO', 6);
define ('SOCKET_E2BIG', 7);
define ('SOCKET_EBADF', 9);
define ('SOCKET_EAGAIN', 11);
define ('SOCKET_ENOMEM', 12);
define ('SOCKET_EACCES', 13);
define ('SOCKET_EFAULT', 14);
define ('SOCKET_ENOTBLK', 15);
define ('SOCKET_EBUSY', 16);
define ('SOCKET_EEXIST', 17);
define ('SOCKET_EXDEV', 18);
define ('SOCKET_ENODEV', 19);
define ('SOCKET_ENOTDIR', 20);
define ('SOCKET_EISDIR', 21);
define ('SOCKET_EINVAL', 22);
define ('SOCKET_ENFILE', 23);
define ('SOCKET_EMFILE', 24);
define ('SOCKET_ENOTTY', 25);
define ('SOCKET_ENOSPC', 28);
define ('SOCKET_ESPIPE', 29);
define ('SOCKET_EROFS', 30);
define ('SOCKET_EMLINK', 31);
define ('SOCKET_EPIPE', 32);
define ('SOCKET_ENAMETOOLONG', 36);
define ('SOCKET_ENOLCK', 37);
define ('SOCKET_ENOSYS', 38);
define ('SOCKET_ENOTEMPTY', 39);
define ('SOCKET_ELOOP', 40);
define ('SOCKET_EWOULDBLOCK', 11);
define ('SOCKET_ENOMSG', 42);
define ('SOCKET_EIDRM', 43);
define ('SOCKET_ECHRNG', 44);
define ('SOCKET_EL2NSYNC', 45);
define ('SOCKET_EL3HLT', 46);
define ('SOCKET_EL3RST', 47);
define ('SOCKET_ELNRNG', 48);
define ('SOCKET_EUNATCH', 49);
define ('SOCKET_ENOCSI', 50);
define ('SOCKET_EL2HLT', 51);
define ('SOCKET_EBADE', 52);
define ('SOCKET_EBADR', 53);
define ('SOCKET_EXFULL', 54);
define ('SOCKET_ENOANO', 55);
define ('SOCKET_EBADRQC', 56);
define ('SOCKET_EBADSLT', 57);
define ('SOCKET_ENOSTR', 60);
define ('SOCKET_ENODATA', 61);
define ('SOCKET_ETIME', 62);
define ('SOCKET_ENOSR', 63);
define ('SOCKET_ENONET', 64);
define ('SOCKET_EREMOTE', 66);
define ('SOCKET_ENOLINK', 67);
define ('SOCKET_EADV', 68);
define ('SOCKET_ESRMNT', 69);
define ('SOCKET_ECOMM', 70);
define ('SOCKET_EPROTO', 71);
define ('SOCKET_EMULTIHOP', 72);
define ('SOCKET_EBADMSG', 74);
define ('SOCKET_ENOTUNIQ', 76);
define ('SOCKET_EBADFD', 77);
define ('SOCKET_EREMCHG', 78);
define ('SOCKET_ERESTART', 85);
define ('SOCKET_ESTRPIPE', 86);
define ('SOCKET_EUSERS', 87);
define ('SOCKET_ENOTSOCK', 88);
define ('SOCKET_EDESTADDRREQ', 89);
define ('SOCKET_EMSGSIZE', 90);
define ('SOCKET_EPROTOTYPE', 91);
define ('SOCKET_ENOPROTOOPT', 92);
define ('SOCKET_EPROTONOSUPPORT', 93);
define ('SOCKET_ESOCKTNOSUPPORT', 94);
define ('SOCKET_EOPNOTSUPP', 95);
define ('SOCKET_EPFNOSUPPORT', 96);
define ('SOCKET_EAFNOSUPPORT', 97);
define ('SOCKET_EADDRINUSE', 98);
define ('SOCKET_EADDRNOTAVAIL', 99);
define ('SOCKET_ENETDOWN', 100);
define ('SOCKET_ENETUNREACH', 101);
define ('SOCKET_ENETRESET', 102);
define ('SOCKET_ECONNABORTED', 103);
define ('SOCKET_ECONNRESET', 104);
define ('SOCKET_ENOBUFS', 105);
define ('SOCKET_EISCONN', 106);
define ('SOCKET_ENOTCONN', 107);
define ('SOCKET_ESHUTDOWN', 108);
define ('SOCKET_ETOOMANYREFS', 109);
define ('SOCKET_ETIMEDOUT', 110);
define ('SOCKET_ECONNREFUSED', 111);
define ('SOCKET_EHOSTDOWN', 112);
define ('SOCKET_EHOSTUNREACH', 113);
define ('SOCKET_EALREADY', 114);
define ('SOCKET_EINPROGRESS', 115);
define ('SOCKET_EISNAM', 120);
define ('SOCKET_EREMOTEIO', 121);
define ('SOCKET_EDQUOT', 122);
define ('SOCKET_ENOMEDIUM', 123);
define ('SOCKET_EMEDIUMTYPE', 124);



Hypertext Transfer Protocol — HTTP/1.1, RFC 2616.  R. Fielding et al.
 Hypertext ransport Protocol HTTP/1.1.  J. Gettys. (slides)
What's wrong with HTTP (and why it doesn't matter).J. C. Mogul. (PDF slides)
Network Performance Effects of HTTP/1.1, CSS1, and PNG.H. F. Nielsen, J. Gettys et al.
Mozilla's HTTP/1.1 Pipelining FAQ. D. Fisher.
Wikipedia: HTTP proxy.
Fsockopen Power Plays originally appeared on AskApache.com