[squid-users] Websockets over HTTPS not working in squid 4

Felipe Arturo Polanco felipeapolanco at gmail.com
Thu Feb 21 21:11:11 UTC 2019


Hi,

I have been trying to make websockets work over HTTPS but so far I haven't
been able to.

I'm trying the following websites that use websockets and none of them work:
speedtest.net
web.whatsapp.com
https://slack.com/help/test

If I explicitly splice those domain names in squid.conf they work fine.

This is a transparent HTTPS proxy.

Below is my configuration:

=============
acl SSL_ports port 443
acl CONNECT method CONNECT
log_mime_hdrs on
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
https_port 3128 intercept ssl-bump cert=/etc/squid/ssl_cert/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=256KB
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB

acl serverIsws ssl::server_name_regex speedtest\.net$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all
on_unsupported_protocol tunnel all

debug_options ALL,1 26,1 33,9 83,9 28,9 81,9 11,2
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3129 intercept
http_port 3130

coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
===================

In the logs I see 400 Bad Request:

==================================================
2019/02/21 12:52:38.004 kid1| 11,2| http.cc(723) processReplyHeader: HTTP Server RESPONSE:
---------
HTTP/1.1 400 Bad Request
Date: Thu, 21 Feb 2019 20:46:34 GMT
Transfer-Encoding: chunked
Connection: keep-alive

----------
2019/02/21 12:52:38.004 kid1| ctx: exit level  0
2019/02/21 12:52:38.004 kid1| 83,3| AccessCheck.cc(42) Start: adaptation off, skipping
2019/02/21 12:52:38.004 kid1| 33,5| store_client.cc(319) doCopy: store_client::doCopy: co: 0, hi: 117
2019/02/21 12:52:38.004 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x1c47830 front 0x17948a0*3
2019/02/21 12:52:38.004 kid1| 33,3| Pipeline.cc(35) front: Pipeline 0x1c47830 front 0x17948a0*3
2019/02/21 12:52:38.004 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=31.13.67.52:443 remote=192.168.112.143:46408 FD 14 flags=33
2019/02/21 12:52:38.005 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 400 Bad Request
Date: Thu, 21 Feb 2019 20:46:34 GMT
X-Cache: MISS from squidserver
X-Cache-Lookup: MISS from squidserver:3130
Transfer-Encoding: chunked
Via: 1.1 squidserver (squid/4.1)
Connection: keep-alive


----------
============================================

I'm not interested in bumping the websockets, I just want HTTPS
interception to work as well as websockets.

Any help is welcomed.

Thanks,
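
Added example, not part of the original post: a Python triage script that reads Squid `11,2` debug output in the format of the excerpt above and counts `400` client replies per intercepted destination (the `local=` address), which shows which servers are rejecting requests on bumped connections. It assumes unwrapped cache.log lines; the function names and the sample log (including the 203.0.113.10 address) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the excerpt above, with wrapped lines
# rejoined. 203.0.113.10 is a documentation address, not from the post.
SAMPLE_LOG = """\
2019/02/21 12:52:38.004 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=31.13.67.52:443 remote=192.168.112.143:46408 FD 14 flags=33
2019/02/21 12:52:38.005 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 400 Bad Request
Via: 1.1 squidserver (squid/4.1)

----------
2019/02/21 12:52:39.100 kid1| 11,2| Stream.cc(266) sendStartOfMessage: HTTP Client local=203.0.113.10:443 remote=192.168.112.143:46410 FD 15 flags=33
2019/02/21 12:52:39.101 kid1| 11,2| Stream.cc(267) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 200 OK

----------
"""

CLIENT_RE = re.compile(r"sendStartOfMessage: HTTP Client local=(\S+) remote=(\S+)")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

def client_replies(lines):
    """Yield (local, remote, status) for each 'HTTP Client REPLY' block."""
    conn = None        # (local, remote) from the most recent Client line
    awaiting = False   # True between 'HTTP Client REPLY:' and its status line
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            conn = m.groups()
            awaiting = False
        elif line.rstrip().endswith("HTTP Client REPLY:"):
            awaiting = conn is not None
        elif awaiting:
            s = STATUS_RE.match(line)
            if s:
                yield conn[0], conn[1], int(s.group(1))
                awaiting = False
            elif not line.startswith("-----"):
                awaiting = False  # unexpected line, give up on this block

def failing_destinations(lines, status=400):
    """Count replies with the given status per intercepted destination."""
    replies = client_replies(lines)
    return Counter(local for local, _, code in replies if code == status)
```

To run it against a real log, pass the open file object: `failing_destinations(open("/var/log/squid/cache.log"))`, where the path is an assumption about the local install.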