<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Arial Rounded MT Bold";
panose-1:2 15 7 4 3 5 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
text-align:right;
direction:rtl;
unicode-bidi:embed;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
.MsoPapDefault
{mso-style-type:export-only;
text-align:right;
direction:rtl;
unicode-bidi:embed;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I want to understand the way a WebSocket Splice would work.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>The issue:<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Clients are issuing secured connections which contain WebSockets internally and squid HTTP parsing breaks these connections.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>From a security aspect of things, many companies would not like the idea of the options to "smuggle" data using http through a proxy.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Another related issue which deserves attention:<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Certificate pinning and connection breakage.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Currently we cannot determine for many connections what is the "issue", is it the bumping itself or the breakage of a WebSocket http connection.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>An acceptable solution:<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Alex mentioned the option to splice a bumped connection.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I do not know exactly what Alex meant since not many details were 
presented.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>How complex would it be to add an option to "splice" (maybe already done) a bumped http connection?<br>For WebSockets to be supported we just need to dump the request headers into the wire and "splice" everything back.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I was thinking about maybe adding if not there already a "Connection: close" to try and verify that in some level the connection would be closed properly by a civil server.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>It's not "Secure" for many places but I think it could be pretty straightforward to work around this administrative issue.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I assume that the same solution can be applied to both regular sockets\connections and secured.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>As I understand, it would not be possible to do this kind of splice without bumping first.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Another related subject is CONNECT based TCP connections smuggling.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>The scenario is that a client tries to issue a TCP connection using a CONNECT method while these can be wrapped HTTP ones.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>I only would like to get feedback to make sure that my understanding of the complexity of the 
subject is in the right direction.<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Thanks,<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'>Eliezer<o:p></o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><o:p> </o:p></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-family:"Arial Rounded MT Bold","sans-serif"'>----<o:p></o:p></span></p><p class=MsoNormal style='text-align:left;direction:ltr;unicode-bidi:embed'><span style='font-family:"Arial Rounded MT Bold","sans-serif"'><a href="http://ngtech.co.il/lmgtfy/">Eliezer Croitoru</a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: eliezer@ngtech.co.il<o:p></o:p></span></p><p class=MsoNormal dir=RTL><span dir=LTR><o:p> </o:p></span></p></div></body></html>