[squid-users] Websockets over HTTPS not working in squid 4

eliezer at ngtech.co.il eliezer at ngtech.co.il
Sat Feb 23 18:00:38 UTC 2019


I can think of a way to try and "amend" an error on the next websocket
connection automatically.
I believe that using an ICAP service or eCAP module that is connected to an
external acl helper you can see if specific requests for specific domains
are trying to use websockets.
Technically the basic request and response can identify such sites with the
upgrade headers.
So if something can see this and decide that the requested domain will be
spliced next time the clients connect to it, it's possible to do so.
It's risky if you have a secured environment unless you have a set of top
level domains such as ".whatsapp.com".
I believe that we can open a list of services that must have websockets
enabled and/or be spliced and not intercepted.

I can start with vcenter web management services that must support
websockets.
* Slack
* Whatsapp
* Others

If you are willing to share a set of domains that will be added to the wiki
as "websocket required" for this service or set of domains, I might be able
to pull it off and write this ICAP service.

Eliezer

----
 <http://ngtech.co.il/main-en/> Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
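
The detection and splice-list mechanics proposed above, written out as an added example (it is not code from this thread or from the Squid project). The assumed design: an ICAP or eCAP stage hands each HTTP request/response pair to `learn_host()`, which only records a host if both sides completed an RFC 6455 handshake (a 101 response whose `Sec-WebSocket-Accept` matches the client's key) and the host sits under an allow-listed suffix such as `.whatsapp.com`; Squid then runs the same script as an `external_acl_type` helper fed `%ssl::>sni` and gets `OK` (splice) or `ERR` (keep bumping). The sample handshake, the suffix list and the file path `/var/lib/squid/websocket_hosts.txt` are constructed for the example.

```python
"""Added example: verify RFC 6455 handshakes and answer Squid splice lookups.

Not code from the squid-users thread or the Squid project. Assumes an
ICAP/eCAP stage calls learn_host() per request/response pair and that Squid
runs this file as an external_acl_type helper fed "%ssl::>sni".
"""
import base64
import hashlib
import sys

# Fixed GUID from RFC 6455 section 1.3, used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
LEARNED_FILE = "/var/lib/squid/websocket_hosts.txt"  # hypothetical path

# Constructed sample handshake; the key/accept pair is the RFC 6455 example.
SAMPLE_REQUEST = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: web.whatsapp.com\r\n"
    b"Connection: keep-alive, Upgrade\r\n"
    b"Upgrade: websocket\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
)
# Same request answered with a plain 200: an Upgrade header alone proves nothing.
SAMPLE_REFUSED = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_headers(raw):
    """Return (start line, {lower-cased name: value}) for one HTTP message."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def is_websocket_handshake(request, response):
    """Return the request Host if both sides completed the handshake, else None."""
    req_line, req = parse_headers(request)
    resp_line, resp = parse_headers(response)
    if not req_line.startswith("GET ") or req.get("upgrade", "").lower() != "websocket":
        return None
    # Connection is a comma-separated token list, e.g. "keep-alive, Upgrade".
    tokens = [t.strip().lower() for t in req.get("connection", "").split(",")]
    key = req.get("sec-websocket-key")
    if "upgrade" not in tokens or not key:
        return None
    # The server must answer 101 with the accept value derived from this key.
    if not resp_line.startswith("HTTP/1.1 101"):
        return None
    if resp.get("sec-websocket-accept") != expected_accept(key):
        return None
    host = req.get("host", "").split(":")[0].lower()
    return host or None


def under_allowed_suffix(host, allowed_suffixes):
    """True if host is, or is a subdomain of, an allow-listed suffix."""
    for suffix in allowed_suffixes:
        s = suffix.lstrip(".").lower()
        if host == s or host.endswith("." + s):
            return True
    return False


def learn_host(request, response, allowed_suffixes, learned_hosts):
    """Record the host of a verified handshake if policy allows splicing it."""
    host = is_websocket_handshake(request, response)
    if host and under_allowed_suffix(host, allowed_suffixes):
        learned_hosts.add(host)
        return host
    return None


def acl_decision(sni, learned_hosts):
    """One external_acl_type lookup: OK means splice, ERR means keep bumping."""
    return "OK" if sni.strip().lower() in learned_hosts else "ERR"


def helper_loop(inp, out, learned_hosts):
    """Non-concurrent helper protocol: one SNI per input line, OK/ERR per reply."""
    for line in inp:
        out.write(acl_decision(line, learned_hosts) + "\n")
        out.flush()


if __name__ == "__main__":
    with open(LEARNED_FILE) as f:
        hosts = {l.strip().lower() for l in f if l.strip()}
    helper_loop(sys.stdin, sys.stdout, hosts)
```

Checking the server's `Sec-WebSocket-Accept` rather than only the client's `Upgrade` header matters: a bumped client can send `Upgrade: websocket` to any host, and learning from the request alone would let a user steer arbitrary domains onto the splice list. The suffix allow-list is the "secured environment" caveat from the message above in code form.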

 
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of
Felipe Arturo Polanco
Sent: Friday, February 22, 2019 00:20
To: Alex Rousskov <rousskov at measurement-factory.com>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Websockets over HTTPS not working in squid 4

I see.

Are you aware of any unofficial patch or something to tunnel websockets over
HTTPS in squid?

On Thu, Feb 21, 2019 at 5:33 PM Alex Rousskov
<rousskov at measurement-factory.com> wrote:
On 2/21/19 2:11 PM, Felipe Arturo Polanco wrote:

> I have been trying to make websockets work over HTTPS but so far I
> haven't been able to.


Official Squid cannot reliably detect and proxy native WebSocket
traffic. Until that support is available, if WebSocket traffic reaches
your intercepting Squid, then splicing suspected WebSocket connections
based on TCP/TLS-level information is your only option. And, yes, that
introduces lots of maintenance headaches, policy violations, and is not
reliable.

A bit more information about the topic is available on this 2018 thread:
http://lists.squid-cache.org/pipermail/squid-users/2018-July/018581.html

Alex.


> I'm trying the following websites that use websockets and none of them
> work:
> speedtest.net
> web.whatsapp.com
> https://slack.com/help/test
> 
> If I explicitly splice those domain names in squid.conf they work fine.
> 
> I'm not interested in bumping the websockets, I just want HTTPS
> interception to work as well as websockets.
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
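
The name-based splicing that Alex describes and that Felipe reports working, written out as an added squid.conf fragment (not configuration from this thread or from the Squid documentation). It assumes an intercepting Squid 4 whose `https_port ... intercept ssl-bump` and certificate settings are already in place, a hypothetical static list `/etc/squid/websocket_splice.txt`, and a hypothetical helper `/usr/local/bin/ws_splice_helper.py` that answers `OK` for an SNI to splice; the listed domains are illustrative.

```conf
# Added example: splice known WebSocket hosts by TLS SNI, bump everything else.
# Assumes https_port ... intercept ssl-bump and sslcrtd_program are configured.
acl step1 at_step SslBump1

# Static list, one entry per line; a leading dot matches the domain and all
# of its subdomains. Constructed contents of /etc/squid/websocket_splice.txt:
#   .whatsapp.com
#   .slack.com
#   .speedtest.net
acl ws_static ssl::server_name "/etc/squid/websocket_splice.txt"

# Dynamic list: a helper (hypothetical path) is handed only the client SNI and
# replies OK to splice or ERR to fall through to bumping.
external_acl_type ws_learned ttl=60 negative_ttl=10 %ssl::>sni \
    /usr/local/bin/ws_splice_helper.py
acl ws_dynamic external ws_learned

# Peek at the ClientHello to obtain the SNI, then decide per host.
ssl_bump peek step1
ssl_bump splice ws_static
ssl_bump splice ws_dynamic
ssl_bump bump all
```

The decision is taken at SslBump step 1 from the ClientHello alone, so the only evidence available is the SNI, which the client controls: a spliced connection to a listed name is never inspected at the HTTP layer, which is the policy gap Alex points out. Keep the static list to names whose traffic you are prepared to pass uninspected, and restrict a learned list to suffixes you already trust rather than to whatever hosts happen to answer 101.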