[squid-users] Websocket content adaptation

Ozgur Batur ozgurbtr at gmail.com
Tue Jun 28 12:43:58 UTC 2016

On Mon, Jun 27, 2016 at 7:57 PM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 06/27/2016 10:23 AM, Ozgur Batur wrote:
> > ICAP handles plain HTTP very well but it is not possible to
> > filter/change or even log content of websocket communication after
> > websocket upgrade over HTTP as far as I know. Is there any plan or
> > interest in developing some capability for Squid to control websocket
> > communication content?
> There is interest but no specific plan or sponsor.
> > There is no defined request/response protocol since websocket is
> > basically a socket but regexp matching in incoming and outgoing
> > content(json, xml,raw) with URL and client metadata info may have some
> > application like data leak prevention or achieving in corporate
> environment.
> I am not sure regex would be a good idea in general, but passing
> tunneled traffic to eCAP/ICAP services is indeed useful in several
> environments, including WebSocket tunnels. The adaptation service will
> decide whether to use regex or something else to match raw data. Some
> existing services simply log (or relay/replay via TCP) received traffic
> without analyzing it so regex is just one of many possibilities here.
> FWIW, several things are needed to move forward, including:
> 1. Adequate development time and skills (or sponsorship to pay for
>    them). The development of an essentially new adaptation vectoring
>    point is not a trivial project.
I have involved in development of several ICAP services around Squid but
have not had the chance to work on Squid code base directly. We may attempt
implement a proof of concept with a few friends to better specify the task
at hand current and learn about adaptation infrastructure of Squid.

> 2. A specific proposal on how to map raw/tunnel data to HTTP messages
>    that eCAP and ICAP interfaces expect. The biggest difficulty here
>    may be mapping server-speaks-first protocols.

I am not sure if it is possible to map websocket data to current adaptation
services. Actually it may or may not be related but I am curious how Squid
handles Comet(Ajax/HTTP Server Push) during ICAP processing. Maybe server
data push can be mapped like Comet responses. About server first protocols,
current ICAP services expecting encapsulated valid HTTP responses for
requests will break of course. Maybe a mechanism like Allow 204 negotiation
can be implemented between adaptation service and proxy. If adaptation
service does not support server first pushes it can be bypassed.

> 3. A project lead to organize/manage the project and guide the results
>    through the Squid Project review. This person could be the
>    primary developer and/or the specs writer, but does not have to be.
> Alex.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160628/e6f6f7ce/attachment.html>

More information about the squid-users mailing list