[squid-dev] [RFC] "Splicing" bumped requests to resolve\workaround WebSockets issues.

Amos Jeffries squid3 at treenet.co.nz
Sun Jul 17 12:04:49 UTC 2016


On 15/07/2016 10:29 p.m., Eliezer Croitoru wrote:
> I want to understand the way a WebSocket Splice would work.
> 
> The issue:
> 
> Clients are issuing secured connections which contain WebSockets internally
> and squid HTTP parsing breaks these connections.

WebSockets is explicitly designed to:

a) wrap the port 80 WS requests in HTTP messages so intermediaries like
Squid can process them as regular HTTP(S) connections.

b) wrap the port 443 WS-over-TLS traffic with WebSockets ALPN value.
Squid on_unsupported_protocol. **


Now, there appear to be some applications which are not able to handle
(a) type HTTP responses coming back from sending that HTTP request and
are saying "you broke my traffic". Well no, you broke your traffic.

The Squid on_unsupported_protocol mechanism/feature needs to be checked
whether it handles the (b) type connections properly. If not that is a
bug that needs fixing.
 NP: Skype and other *-over-TLS protocol issues might be able to be
fixed as a side effect of the same change.


> 
> From a security aspect of things, many companies would not like the idea of
> the options to "smuggle" data using http through a proxy.
> 

That is an argument against allowing WebSockets through at all.


> 
> Another related issue which deserves attention:
> 
> Certificate pinning and connection breakage.
> 
> Currently we cannot determine for many connections what is the "issue", is
> it the bumping itself or the breakage of a WebSocket http connection.
> 

Squid not implementing HTTP Upgrade feature is severely limiting what
behaviour of WebSocket will work. **

Squid not implementing re-CONNECT to upstream servers is also severely
restricting what behaviour of WebSocket will work. **

The inability of the WebSocket applications to actually implement all of
the required bits of WebSocket protocol leaves them vulnerable to the
above being unavailable.

... the combination of all three is fatal to some applications which for
whatever reason are not able to handle the remaining behaviour. Which is
ironically why those implementation-ignored parts of WS are required in
the first place.



For Squid all we can do is implement the items marked "**" above.

Amos
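The (a) case Amos describes, a WebSocket opening handshake carried as an ordinary HTTP/1.1 Upgrade request, can be made concrete with a small parser. The following Python is an added example, not code from this thread or from Squid: it recognises an RFC 6455 client handshake, computes the Sec-WebSocket-Accept value the server must return, and performs the client-side check that the peer really switched protocols. The last function is the point of the example: an intermediary that does not implement HTTP Upgrade answers the handshake with a regular HTTP response (a 200, a 501, an error page) instead of 101, and RFC 6455 requires a client to fail the WebSocket connection in that case rather than start sending frames. The request and response bytes are constructed for the example; the key/accept pair is the one given in RFC 6455 section 1.3.

```python
import base64
import hashlib

# RFC 6455 section 1.3: fixed GUID appended to Sec-WebSocket-Key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def parse_http_message(raw: bytes):
    """Split an HTTP/1.1 message head into (start line, {lowercased name: value}).

    Only the head up to the first blank line is parsed; any body is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _has_upgrade_token(headers) -> bool:
    """Connection is a comma-separated token list; 'Upgrade' must be one of them."""
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return "upgrade" in tokens


def is_websocket_upgrade(request: bytes) -> bool:
    """True if the request is an RFC 6455 client opening handshake:
    GET, Upgrade: websocket, Connection: Upgrade, a 16-byte base64 key, version 13."""
    start_line, h = parse_http_message(request)
    if start_line.split(" ")[0] != "GET":
        return False
    if h.get("upgrade", "").lower() != "websocket" or not _has_upgrade_token(h):
        return False
    try:
        key = base64.b64decode(h.get("sec-websocket-key", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(key) == 16 and h.get("sec-websocket-version") == "13"


def accept_value(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)) (RFC 6455 section 4.2.2)."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake_succeeded(request: bytes, response: bytes) -> bool:
    """Client-side check from RFC 6455 section 4.1: the reply must be 101 with
    matching Upgrade/Connection headers and the expected Accept value.
    Any other response (e.g. a proxy answering as plain HTTP) means the
    WebSocket connection must be failed, not used."""
    _, req_h = parse_http_message(request)
    status_line, resp_h = parse_http_message(response)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[1] != "101":
        return False
    if resp_h.get("upgrade", "").lower() != "websocket" or not _has_upgrade_token(resp_h):
        return False
    expected = accept_value(req_h.get("sec-websocket-key", ""))
    return resp_h.get("sec-websocket-accept") == expected


# Constructed sample traffic (key/accept pair taken from RFC 6455 section 1.3).
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
GOOD_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
# What a client sees when an intermediary handles the Upgrade as ordinary HTTP.
PROXY_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("upgrade request:", is_websocket_upgrade(SAMPLE_REQUEST))
    print("plain GET:", is_websocket_upgrade(PLAIN_GET))
    print("accept:", accept_value("dGhlIHNhbXBsZSBub25jZQ=="))
    print("101 from origin:", handshake_succeeded(SAMPLE_REQUEST, GOOD_RESPONSE))
    print("200 from proxy:", handshake_succeeded(SAMPLE_REQUEST, PROXY_RESPONSE))
```

An application that skips the `handshake_succeeded` check and starts writing frames after any response is exactly the "you broke your traffic" case above: the proxy produced a valid HTTP response, and the client ignored the part of RFC 6455 that tells it what to do with one.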


