[squid-users] Squid Websocket Issue

Eliezer Croitoru eliezer at ngtech.co.il
Mon Jan 2 20:49:59 UTC 2017


I am using the following on top of squid 3.5.23 in non-intercept mode:
## START OF SNIPPET
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump"

ssl_bump splice NoSSLIntercept

ssl_bump peek DiscoverSNIHost
ssl_bump bump all
## END OF SNIPPET

And the content of url.nobump is:
## START OF QUOTE
# WU (Squid 3.5.x and above with SSL Bump)
# Only these sites must be spliced.
update\.microsoft\.com$
update\.microsoft\.com\.akadns\.net$
v10\.vortex\-win\.data\.microsoft\.com$
settings\-win\.data\.microsoft\.com$
# The next are trusted SKYPE addresses
a\.config\.skype\.com$
pipe\.skype\.com$
w[0-9]+\.web\.whatsapp\.com$
## END OF QUOTE

And whatsapp web sockets works for me.

Please be more specific about what's not working and on what platform.
If it works for me and not for you, there is a difference between our clients or systems.
Try using the latest 3.5.23.
If you are using an RPM based system you can use one of my RPMs.

Let me know if my rules help you and if there is a specific site that doesn't work for you,
Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: hardikdangar at gmail.com [mailto:hardikdangar at gmail.com] On Behalf Of Hardik Dangar
Sent: Monday, January 2, 2017 6:50 PM
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Squid Websocket Issue

Hey Eliezer,

The issue was that the WhatsApp web socket was not working; here is detailed information about the issue
------------

Here is some information about my squid version,

Squid Cache: Version 3.5.22-20161115-r14113
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-url-rewrite-helpers=fake' '--enable-ecap'

My squid config file is located at, http://pastebin.com/raw/LvDxEF4x

Now the issue is that whenever someone requests a page which contains web socket requests, the response is always Bad Request.
Here is an example,

Request URL:wss://w4.web.whatsapp.com/ws
Request Method:GET
Status Code:400 Bad Request

Response Headers
#################
Connection:keep-alive
Date:Sat, 17 Dec 2016 09:05:36 GMT
Transfer-Encoding:chunked
X-Cache:MISS from Proxy

Request Headers
#################
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w4.web.whatsapp.com
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:kzrB2ZcMHDAqvjDNXnjL/w==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36


My question is how we can work with web socket requests in squid or, if not, bypass squid for them. My squid instance is in interception mode and requests are intercepted at the instance via iptables and forwarded to squid using the rules below,

SQUIDIP=192.168.1.1

# your proxy listening port
SQUIDHTTPPORT=3128
SQUIDHTTPSPORT=3129


iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDHTTPPORT

iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port $SQUIDHTTPSPORT

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPPORT -j DROP
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPSPORT -j DROP


If anyone can help me with this it would be really awesome. Thanks for your support.

----------------------------------------------------------

The solution to the above problem was:

acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all

[The above is a feature of WhatsApp which allows you to connect to http://web.whatsapp.com/ from a browser.]


Now what happens at the request level is the following:

Request URL:wss://w8.web.whatsapp.com/ws
Request Method:GET
Status Code:101 Switching Protocols

----------------------------------

Response Headers

Connection:Upgrade
Sec-WebSocket-Accept:Z6CC+QVdvB0cCHPbJAQMaHKL2uQ=
Upgrade:websocket

----------------------------------
Request Headers

Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w8.web.whatsapp.com
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:mbCFLN/Q1KMt58t6DoQI9Q==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36


So basically websockets are connected as a normal HTTPS request (I think this is the very nature of web sockets and is defined somewhere in the web socket standards).


Now the problem statement is,

ssl_bump bump !serverIsws all

If I remove !serverIsws then it stops working. As per Alex it shouldn't happen and it's most probably a bug.


On Mon, Jan 2, 2017 at 7:17 PM, Eliezer Croitoru <mailto:eliezer at ngtech.co.il> wrote:
Can we start from 0?
Currently when squid knows about the Connection being a one with websocket support it is already too late to do anything about this specific connection.
The only option for now is to identify these using some ICAP service that will for example redirect the request after a small delay that will add the destination domain ip address to a bypass list.
It’s not trivial but I have seen such implementation on ssl bump.

Can you please redirect me to the specific email with the bug details?

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Hardik Dangar
Sent: Monday, January 2, 2017 8:47 AM
To: Alex Rousskov <rousskov at measurement-factory.com>
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] Squid Websocket Issue

@amos or anyone else from dev team

Can you confirm whether this is intentional behavior or a bug?
On Mon, Jan 2, 2017 at 9:18 AM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
On 12/27/2016 04:50 AM, Hardik Dangar wrote:

> If I remove !serverIsws somehow websockets will not work.

Then there is a bug somewhere AFAICT. It is your call whether to find
out what that bug is [while continuing to use a potentially dangerous
workaround].

Alex.


> On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov wrote:
>
>     On 12/20/2016 02:42 AM, Hardik Dangar wrote:
>     > The following changes in config work and WhatsApp starts working,
>     >
>     > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
>     >
>     > acl step1 at_step SslBump1
>     > ssl_bump peek step1
>     > ssl_bump splice serverIsws
>     > ssl_bump bump !serverIsws all
>
>     You do not need the "!serverIsws" part because if serverIsws matches,
>     then the splice rule wins, and Squid does not reach the bump rule. This
>     configuration is sufficient:
>
>       ssl_bump peek step1
>       ssl_bump splice serverIsws
>       ssl_bump bump all
>
>     In theory, adding "!serverIsws" does not hurt. However, negating complex
>     ACLs is tricky/dangerous and should be avoided when possible.
>
>     Alex.
>
>

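As an added illustration (not code from the thread, from Squid, or from either poster), the following Python models Squid's first-match ssl_bump evaluation and applies it to the rule orderings posted above: it shows why "bump !serverIsws all" and "bump all" decide identically once "splice serverIsws" comes first, why a splice rule placed before the peek can only match in non-intercept mode (where the CONNECT host is known at step 1), and what the -i flag on a file-based server_name_regex ACL changes. The step model (CONNECT host at step 1, ClientHello SNI after a step-1 peek, splice as the outcome when nothing matches) and the sample url.nobump contents are my assumptions.

```python
import re

# Constructed sample in the format of the url.nobump file quoted in the thread.
URL_NOBUMP = r"""
# Only these sites must be spliced.
update\.microsoft\.com$
w[0-9]+\.web\.whatsapp\.com$
"""

def load_server_name_regex(text, ignore_case=False):
    """Parse ssl::server_name_regex patterns: one per line, '#' comments; -i = ignore_case."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(ln.strip(), flags) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def acl_match(acl, step, server_name):
    """Evaluate one ACL against the facts Squid has at the current SslBump step."""
    kind, arg = acl
    if kind == "server_name_regex":  # no server name known yet -> cannot match
        return server_name is not None and any(p.search(server_name) for p in arg)
    return kind == "all" or (kind == "at_step" and step == arg)

def rule_matches(acls, terms, step, server_name):
    """Every term on a rule line must match; a '!' prefix negates that term."""
    return all(acl_match(acls[t.lstrip("!")], step, server_name) != t.startswith("!")
               for t in terms)

def decide(acls, rules, sni, connect_host=None):
    """First-match ssl_bump evaluation (assumed model). Step 1 only knows the CONNECT
    host (None in intercept mode); a step-1 peek makes the ClientHello SNI usable at
    step 2, and after a step-2 peek Squid can only splice."""
    step, name = 1, connect_host
    while True:
        hit = next((a for a, t in rules if rule_matches(acls, t, step, name)), "splice")
        if hit == "peek" and step == 1:
            step, name = 2, sni
            continue
        return "splice" if hit == "peek" else hit

ACLS = {
    "all": ("all", None),
    "step1": ("at_step", 1),
    "serverIsws": ("server_name_regex", load_server_name_regex(r"^w[0-9]+\.web\.whatsapp\.com$")),
    "NoSSLIntercept": ("server_name_regex", load_server_name_regex(URL_NOBUMP, ignore_case=True)),
}
# Hardik's rules with and without the negated term, and Eliezer's splice-first ordering
WITH_NEGATION = [("peek", ["step1"]), ("splice", ["serverIsws"]), ("bump", ["!serverIsws", "all"])]
WITHOUT_NEGATION = [("peek", ["step1"]), ("splice", ["serverIsws"]), ("bump", ["all"])]
SPLICE_FIRST = [("splice", ["NoSSLIntercept"]), ("peek", ["step1"]), ("bump", ["all"])]
```

Run decide(ACLS, rules, sni) for intercept mode and pass connect_host as well for non-intercept mode; the model cannot reproduce the "stops working without !serverIsws" behaviour Hardik observed, which is consistent with Alex's reading that the cause lies elsewhere.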