SO_SNDBUF and SO_RCVBUF settings for UDP - udp

SO_SNDBUF and SO_RCVBUF are defined as per-socket buffer sizes.
But in the case of a UDP server socket, does that mean it is the overall size for all destinations communicating with that socket, or the size of a single connection from a remote address?
Example:
User A is sending data from 3.3.3.3 Port 50000 to server 1.1.1.1 on port 1234
User B is sending data from 4.4.4.4 Port 50000 to server 1.1.1.1 on port 1234
User C is sending data from 5.5.5.5 Port 50000 to server 1.1.1.1 on port 1234
There is a single server socket, as you see. If SO_SNDBUF and SO_RCVBUF are set to 32KB, does that mean that the total send buffer size and total receive buffer size on the server would be 32KB or 96KB?

In the case of UDP, there are no connections, so 'single connection from remote address' has no meaning.
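As an added example (not part of the question or the answer above), this Python script makes the point concrete: three senders standing in for users A, B and C, each bound to its own source port, all deliver into one server socket, and that socket's single receive buffer is what they share. It also shows that the kernel may grant a different size than requested (Linux reports double the request for its own accounting overhead and clamps to net.core.rmem_max). Run it and compare the question's 32KB request with a deliberately tiny one; all addresses and sizes are constructed for loopback.

```python
import socket

def make_udp_server(rcvbuf_bytes, host="127.0.0.1"):
    """One UDP socket (the server in the question) with a requested SO_RCVBUF/SO_SNDBUF."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf_bytes)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, rcvbuf_bytes)
    srv.bind((host, 0))        # port 0: the OS picks a free port (1234 in the question)
    srv.settimeout(0.2)
    return srv

def granted_buffers(sock):
    """What the kernel actually granted. Linux reports twice the request
    (its bookkeeping overhead) and clamps to net.core.rmem_max / wmem_max."""
    return (sock.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF),
            sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF))

def blast(server, n_peers, per_peer, size):
    """n_peers sender sockets (distinct source ports: the A, B and C of the question)
    each fire per_peer datagrams of `size` bytes at the one server socket before
    the server reads anything, so all of them queue in its single receive buffer."""
    target = server.getsockname()
    peers = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(n_peers)]
    for i, p in enumerate(peers):
        payload = bytes([i]) * size
        for _ in range(per_peer):
            p.sendto(payload, target)
    return peers

def drain(server):
    """Read until the queue is empty; count delivered datagrams per source address."""
    got = {}
    while True:
        try:
            _, addr = server.recvfrom(65535)
        except socket.timeout:
            return got
        got[addr] = got.get(addr, 0) + 1

def run(rcvbuf_bytes, n_peers=3, per_peer=8, size=1400):
    """Constructed scenario: 3 peers x 8 datagrams of 1400 bytes into one socket."""
    server = make_udp_server(rcvbuf_bytes)
    peers = blast(server, n_peers, per_peer, size)
    got = drain(server)
    sndbuf, rcvbuf = granted_buffers(server)
    for p in peers:
        p.close()
    server.close()
    return {"requested": rcvbuf_bytes, "granted_rcvbuf": rcvbuf, "granted_sndbuf": sndbuf,
            "sent": n_peers * per_peer, "delivered": sum(got.values()),
            "peers_seen": len(got)}

if __name__ == "__main__":
    print(run(32 * 1024))   # the question's 32KB: one buffer shared by A, B and C
    print(run(1))           # a tiny buffer: datagrams from every peer are dropped
```

The answer to "32KB or 96KB" is 32KB (or whatever the kernel rounded it to): the buffer belongs to the socket, not to any peer, so a chatty peer can crowd out the others, and on Linux you can watch the drops in the RcvbufErrors counter of /proc/net/snmp.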

Related

Do webservers service all requests using one port?

If a webserver is handling traffic on port 80, each client must establish a connection between itself and the server on that port. Assuming a client maintains the connection, how is the server able to service other clients in parallel?
Does the server immediately kill the connection with a client after a request? Or do webservers dynamically generate new ports for clients to use such that port 80 is free for new connections?
A port is one end of a communication channel.
The server initially sets up a LISTENing port (80 in the case of an HTTPS server). A client creates a port (the operating system will assign a random, available port number to this) and CONNECTs to the listening port. At that point the communications channel is uniquely described by the IP address of the server, port 80 at the server, and the IP address of the client along with the port number of the client. If you look at the output of netstat you'll see lots of sockets/ports in various stages of connection:
symcbean#skynet ~ $ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.202:47206 stackoverflow.com:https ESTABLISHED
tcp 0 1 192.168.1.202:50894 aba1c1ff9d2ec5376.:smtp SYN_SENT
tcp 0 0 192.168.1.202:47210 stackoverflow.com:https ESTABLISHED
tcp 0 0 192.168.1.202:60806 ec2-34-213-90-136:https ESTABLISHED
tcp 0 0 192.168.1.202:51124 151.101.1.69:https ESTABLISHED
tcp 0 0 192.168.1.202:34784 i0.wp.com:https ESTABLISHED
tcp 0 0 192.168.1.202:54082 lhr25s14-in-f10.1:https ESTABLISHED
tcp 0 0 192.168.1.202:38412 172-155-250-212.s:https ESTABLISHED
Exactly how the server handles communicating concurrently on multiple channels varies. I've never come across a server which only handles a single connection at a time.
On the (prefork) Apache webserver, the process which opened the listening socket hands off the connection to a pre-existing child process to deal with. Some servers run as a single process but with multiple threads of execution. Some (such as nginx and lighttpd) run as a single thread and give their attention to the channel sending data first.

What happens when two clients send UDP packets to a Socket

Lets assume Host X has a UDP Socket running on Port 1337.
Now Host Y and Z both send a UDP Packet to port 1337 of Host X.
Are the packets going to be de-muxed?
UDP is a transfer protocol with no guarantees of delivery and doesn't have much of an implementation.
When both hosts Y and Z send a UDP packet to port 1337, and assuming both packets arrive, the application listening on port 1337 decides what happens with those packets. The application can choose which packet to demux, to demux both or to demux neither.
Hope this clears things up
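An added example, not from the answer above, showing the two ways the "application decides" part plays out in practice. The first half keeps the socket unconnected and demultiplexes in user space on the peer address that recvfrom reports; the second half calls connect() on the UDP socket, after which the kernel itself delivers only datagrams from the chosen peer and discards the rest. Hosts Y and Z are two loopback sockets on different source ports here; no real hosts are involved.

```python
import socket

def bind_udp(host="127.0.0.1"):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))          # OS-chosen port (1337 in the question)
    s.settimeout(0.2)
    return s

def serve_unconnected(server, handlers):
    """Option 1: the socket receives from everyone; the application demuxes on
    the (ip, port) that recvfrom reports and picks a handler per peer."""
    results = []
    while True:
        try:
            data, peer = server.recvfrom(2048)
        except socket.timeout:
            return results
        handler = handlers.get(peer) or handlers[None]   # None: default handler
        results.append((peer, handler(data)))

def serve_connected(server):
    """Option 2: the socket was connect()ed to one peer beforehand, so only that
    peer's datagrams ever reach its queue; recv() needs no address at all."""
    got = []
    while True:
        try:
            got.append(server.recv(2048))
        except socket.timeout:
            return got

def demo():
    y, z = bind_udp(), bind_udp()          # hosts Y and Z: two source ports on loopback
    y_addr = y.getsockname()

    x = bind_udp()                         # host X, unconnected socket
    y.sendto(b"from Y", x.getsockname())
    z.sendto(b"from Z", x.getsockname())
    handlers = {y_addr: lambda d: "Y-handler:" + d.decode(),
                None:   lambda d: "default:" + d.decode()}
    demuxed = serve_unconnected(x, handlers)

    x2 = bind_udp()                        # a second socket for host X ...
    x2.connect(y_addr)                     # ... that only wants to hear from Y
    y.sendto(b"from Y", x2.getsockname())
    z.sendto(b"from Z", x2.getsockname())  # dropped by the kernel, never queued on x2
    filtered = serve_connected(x2)
    for s in (x, x2, y, z):
        s.close()
    return demuxed, filtered
```

The unconnected form is what a server normally uses (one socket, many peers); the connected form is useful on the client side because it also makes ICMP errors for that peer visible to the socket, and it stops spoofed datagrams from unrelated sources from landing in your receive queue.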

TURN server doesn't response TCP relay candidate

I set up turnserver 3.2.5.9 for WebRTC.
I'd like to do this:
Client-A-->(TCP)-->TURN-->(UDP)-->TURN-->(TCP)-->Client-B
I have two problems, one for each of Client-A and Client-B, which are in different private networks from each other.
Client-A's issue:
The TURN server responds with host, srflx and relay candidates.
I'd like to have a TCP relay candidate.
However, I can only get UDP.
How can I get a TCP relay candidate?
Client-B's issue:
The TURN server responds with only a host candidate.
So Client-B can't get any access to the TURN server.
The firewall policy where Client-B is placed is strict; it doesn't allow UDP.
However, I think it should be able to access the TURN server by TCP.
Does anyone know how to tell the TURN server about the clients' global IPs and TCP ports in both cases?
Here is turnserver.conf:
listening-port=80
listening-ip=my-server-global-ip
external-ip=my-server-global-ip
lt-cred-mech
userdb=/opt/turnserver/etc/turnuserdb.conf
realm=my.server.domain
stale-nonce
no-udp
no-stun
Here is the response from the Trickle ICE tool at Client-A:
Time Component Type Foundation Protocol Address Port Priority
0.015 1 host 2508812977 udp 10.2.1.17 53175 126 | 32542 | 255
0.059 1 srflx 3607399481 udp Client-Global-ip 53175 100 | 32542 | 255
0.086 1 relay 1628315121 udp my-server-global-ip 54043 1 | 32542 | 255
0.116 1 host 3674902081 tcp 10.2.1.17 9 90 | 32542 | 255
39.827 Done
39.833
Here is the response from the Trickle ICE tool at Client-B:
0.012 1 host 1197209968 udp 192.168.95.131 60019 126 | 30 | 255
39.819 Done
39.823
WebRTC does not support allocation of TCP relay candidates.
Note that you can still have TURN/TCP candidates, which use TCP between the client and the TURN server; those will have a local type preference of 1, which you can see in the Trickle ICE tool output.
You need to reconfigure the TURN server with the TCP protocol option. Kurento and Wowza support the TCP protocol for WebRTC.
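An added example, not from the question or either answer: a small parser for the Trickle ICE lines quoted above that recomputes the numeric ICE priority (RFC 8445 section 5.1.2.1) from the three displayed fields and diagnoses each client's gathering result. The Protocol column is the transport of the relayed address (always udp in a browser, as the first answer says); the mapping of a relay candidate's type preference to the client-to-server transport (2 = udp, 1 = tcp, 0 = tls) is Chromium's convention and is an assumption of this example, not something the page states. The two dumps are copied from the question.

```python
import re
from dataclasses import dataclass

# Relay type preferences as used by Chromium's ICE implementation (assumption,
# not stated on the page): 2 = TURN server reached over UDP, 1 = over TCP, 0 = over TLS.
RELAY_TYPE_PREF = {2: "udp", 1: "tcp", 0: "tls"}

@dataclass
class Candidate:
    component: int
    ctype: str        # host / srflx / prflx / relay
    protocol: str     # transport of the candidate address itself
    address: str
    port: int
    type_pref: int
    local_pref: int
    comp_pref: int    # displayed as the third field: 256 - component ID

    def priority(self):
        # RFC 8445 section 5.1.2.1: (2^24)*type + (2^8)*local + (256 - component)
        return (self.type_pref << 24) + (self.local_pref << 8) + self.comp_pref

    def server_transport(self):
        """For relay candidates: how the client reached the TURN server."""
        return RELAY_TYPE_PREF.get(self.type_pref) if self.ctype == "relay" else None

# time component type foundation protocol address port typepref | localpref | comppref
LINE = re.compile(
    r"^\s*[\d.]+\s+(\d+)\s+(host|srflx|prflx|relay)\s+\d+\s+(udp|tcp)\s+(\S+)\s+(\d+)"
    r"\s+(\d+)\s*\|\s*(\d+)\s*\|\s*(\d+)\s*$")

def parse_trickle_ice(text):
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:   # the header line and the "Done" lines do not match
            comp, ctype, proto, addr, port, tp, lp, cp = m.groups()
            out.append(Candidate(int(comp), ctype, proto, addr, int(port),
                                 int(tp), int(lp), int(cp)))
    return out

def diagnose(cands):
    relay = [c for c in cands if c.ctype == "relay"]
    return {
        "turn_allocation_succeeded": bool(relay),      # no relay => TURN never answered
        "relay_address_transports": sorted({c.protocol for c in relay}),
        "client_to_turn_transports": sorted({c.server_transport() for c in relay}),
        "has_srflx": any(c.ctype == "srflx" for c in cands),
        "best": max(cands, key=Candidate.priority).ctype if cands else None,
    }

# Copied from the question (Client-A and Client-B dumps).
CLIENT_A = """Time Component Type Foundation Protocol Address Port Priority
0.015 1 host 2508812977 udp 10.2.1.17 53175 126 | 32542 | 255
0.059 1 srflx 3607399481 udp Client-Global-ip 53175 100 | 32542 | 255
0.086 1 relay 1628315121 udp my-server-global-ip 54043 1 | 32542 | 255
0.116 1 host 3674902081 tcp 10.2.1.17 9 90 | 32542 | 255
39.827 Done
"""
CLIENT_B = """0.012 1 host 1197209968 udp 192.168.95.131 60019 126 | 30 | 255
39.819 Done
"""

if __name__ == "__main__":
    for name, text in (("Client-A", CLIENT_A), ("Client-B", CLIENT_B)):
        print(name, diagnose(parse_trickle_ice(text)))
```

Read this way, Client-A's relay line already is a TURN/TCP allocation (type preference 1) whose relayed address is UDP, which is the most a browser will give you; Client-B never got past host candidates, so nothing reached the server at all, and that is where the firewall (and the client's ICE server URL) has to be looked at.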

send UDP to client behind a nat using STUN

I want to test a STUN client/server and then send UDP traffic from the server side to the client side.
I run the STUN client on a local machine and get the following result:
Lenovo-Z50-70:~/iop-bb$ stun -v my_stun_server
STUN client version 0.96
Opened port 22948 with fd 3
Opened port 22949 with fd 4
Encoding stun message:
Encoding ChangeRequest: 0
About to send msg of len 28 to 212.227.107.179:3478
Encoding stun message:
Encoding ChangeRequest: 4
About to send msg of len 28 to 212.227.107.179:3478
Encoding stun message:
Encoding ChangeRequest: 2
About to send msg of len 28 to 212.227.107.179:3478
Received stun message: 88 bytes
MappedAddress = 41.224.250.29:22948
SourceAddress = 212.227.107.179:3478
ChangedAddress = 127.0.0.1:3479
XorMappedAddress = 41.224.250.29:22948
ServerName = Vovida.org 0.96
Received message of type 257 id=1
On the server side, I execute the following: echo "hello" | nc -w1 -u 41.224.250.29 22944
But on the client side I didn't receive the packet.
Any suggestions?
You would need to match the port on both sides and do a hole-punching step after obtaining your public IP and port.
You ran a STUN client listening on local port 22948 against the server (listening on port 3478). From that port you sent a STUN binding request to your server.
The server responded with a response indicating that your public ip:port was
41.224.250.29:22948.
So now you know that your local IP (e.g. 192.168.1.2) maps to 41.224.250.29 and your local port 22948 maps to the public port 22948.
You could in theory start communicating between client port 22948 and server port 3478, but 3478 is already in use by the server. You need to do a hole-punching step using the same port you obtained from the STUN response.
The hole-punching step with your other service goes like this. The client sends from port 22948 to the server (port 9876 for example):
echo "hello there" | nc -u -p 22948 server 9876
The server could respond:
echo "I see you" | nc -u -p 9876 41.224.250.29 22948
On the server side, I execute the following: echo "hello" | nc -w1 -u 41.224.250.29 22944
Did this receive any packet from that client beforehand, or using the address 41.224.250.29:22944? If not, the client-end NAT will not allow this incoming traffic unless it's a full-cone NAT. It's also important that the client is using a socket which is ready to receive any packet from that external source. Basically, you have to make sure that the binding is there for that external source.
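The exchange described in the answers above, as an added example that is not part of either answer: a minimal RFC 5389 Binding Request/Response codec plus both sides of the transaction, run over loopback so it works offline. The server answers with XOR-MAPPED-ADDRESS built from the source address that recvfrom reported (behind a NAT, that is the mapping the client must then reuse), and the client checks the transaction ID before trusting the reply. The address 41.224.250.29:22948 in the test is the value from the stun output above; every other value is constructed.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed header value
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01

def build_binding_request(txid=None):
    """20-byte header, no attributes. (The client above also adds an 8-byte
    CHANGE-REQUEST attribute, which is why its messages are 28 bytes.)"""
    txid = os.urandom(12) if txid is None else txid
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def encode_xor_mapped_address(ip, port):
    """Port is XORed with the top 16 bits of the cookie, the IPv4 address with the
    whole cookie, so a NAT that rewrites literal addresses in payloads misses it."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value

def build_binding_response(txid, seen_ip, seen_port):
    attrs = encode_xor_mapped_address(seen_ip, seen_port)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + txid + attrs

def parse_message(data):
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a well-formed RFC 5389 message")
    txid, body = data[8:20], data[20:20 + length]
    attrs, off = {}, 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        attrs[atype] = body[off + 4:off + 4 + alen]
        off += 4 + alen + (-alen % 4)    # values are padded to a 4-byte boundary
    return mtype, txid, attrs

def decode_xor_mapped_address(value):
    _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    if family != FAMILY_IPV4:
        raise ValueError("only IPv4 handled in this example")
    ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
    return ip, xport ^ (MAGIC_COOKIE >> 16)

def client_send_request(sock, server_addr):
    """Send from the socket you intend to keep using; return the transaction ID."""
    txid = os.urandom(12)
    sock.sendto(build_binding_request(txid), server_addr)
    return txid

def client_read_response(sock, txid):
    data, _ = sock.recvfrom(1024)
    mtype, rx_txid, attrs = parse_message(data)
    if mtype != BINDING_SUCCESS or rx_txid != txid:
        raise ValueError("unexpected message or transaction ID mismatch")
    return decode_xor_mapped_address(attrs[ATTR_XOR_MAPPED_ADDRESS])

def server_answer_once(sock):
    """The server reports the source (ip, port) it saw; behind a NAT that is the mapping."""
    data, peer = sock.recvfrom(1024)
    mtype, txid, _ = parse_message(data)
    if mtype == BINDING_REQUEST:
        sock.sendto(build_binding_response(txid, peer[0], peer[1]), peer)

def loopback_roundtrip():
    """Whole exchange over loopback: returns (mapped address, client's own bound address)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    cli.bind(("127.0.0.1", 0))
    srv.settimeout(1.0)
    cli.settimeout(1.0)
    txid = client_send_request(cli, srv.getsockname())
    server_answer_once(srv)
    mapped = client_read_response(cli, txid)
    local = cli.getsockname()
    srv.close()
    cli.close()
    return mapped, local
```

Over loopback the mapped address equals the local one; behind a NAT they differ, and the mapped port (22948 above) is the only one a remote peer can usefully target, which is exactly what the nc command with port 22944 gets wrong.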

Are SSH destination and source ports identical (symmetric ports)?

When I connect to SSH I use port 22 as destination, but when the reply comes back, does it come in on port 22 as well? Or is the client source port randomly assigned as in other TCP communication?
If I set up a firewall allowing outbound traffic to port 22, do I also need to allow incoming traffic on port 22?
The client SSH port is randomly assigned, as in most client/server systems over TCP/IP.
Were the client port fixed, you would not be able to open multiple SSH connections from the same client IP address, as the connections would be indistinguishable at the IP protocol level. The client port number is the only piece that makes the connection unique (client IP, server IP and server port being the same).
You do not need to allow the incoming traffic, though. There is only one outgoing connection in SSH (the responses from the server come over the existing connection).
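An added example (mine, not from either answer) that covers both the webserver question earlier on this page and this SSH one: a single listening port served in one thread with selectors (the single-threaded style that answer describes for nginx and lighttpd), several clients from the same host connected at the same time, and the observation that each connection is told apart only by the client's ephemeral port, while every reply travels back over the connection the client opened. That last point is why the client's firewall needs no inbound rule for port 22 (or 80). Loopback addresses and OS-chosen ports are the only inputs.

```python
import selectors
import socket
import threading

def serve_on_one_port(listener, n_clients):
    """Event-driven server: one thread, one listening port, all live connections
    multiplexed by select/epoll. Returns the (server port, client port) pair of
    every accepted connection, i.e. the half of the 4-tuple that varies."""
    sel = selectors.DefaultSelector()
    sel.register(listener, selectors.EVENT_READ)
    pairs, closed = [], 0
    while closed < n_clients:
        for key, _ in sel.select(timeout=5.0):
            if key.fileobj is listener:
                conn, peer = listener.accept()          # a new, distinct 4-tuple
                pairs.append((conn.getsockname()[1], peer[1]))
                conn.setblocking(False)
                sel.register(conn, selectors.EVENT_READ)
            else:
                conn = key.fileobj
                data = conn.recv(1024)
                if data:
                    # The reply goes back over the same established connection;
                    # the server never opens a socket towards the client.
                    conn.sendall(b"echo:" + data)
                else:                                   # client closed its side
                    sel.unregister(conn)
                    conn.close()
                    closed += 1
    sel.close()
    return pairs

def run(n_clients=3):
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))     # stands in for port 80 or 22
    listener.listen(16)
    server_port = listener.getsockname()[1]
    outcome = {}
    t = threading.Thread(
        target=lambda: outcome.update(pairs=serve_on_one_port(listener, n_clients)))
    t.start()

    # All clients connect first and stay open, so the server holds them concurrently.
    clients = [socket.create_connection(("127.0.0.1", server_port), timeout=5.0)
               for _ in range(n_clients)]
    client_ports = sorted(c.getsockname()[1] for c in clients)   # ephemeral ports
    replies = []
    for i, c in enumerate(clients):
        c.sendall(b"hello %d" % i)
        replies.append(c.recv(1024))    # read on the socket we connected with
    for c in clients:
        c.close()
    t.join(10.0)
    listener.close()
    pairs = outcome["pairs"]
    return {
        "server_ports_seen": sorted({sp for sp, _ in pairs}),     # one port for all
        "client_ports_server_side": sorted(cp for _, cp in pairs),
        "client_ports_client_side": client_ports,
        "replies": replies,
    }

if __name__ == "__main__":
    print(run())
```

A stateful firewall models the same thing: an outbound rule for destination port 22 plus "allow established" is enough, because the return traffic is matched to the connection the client's ephemeral port created, not to a separate inbound flow on port 22.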