[squid-users] websockets through Squid
Vieri
rentorbuy at yahoo.com
Sat Oct 17 15:50:58 UTC 2020
On Saturday, October 17, 2020, 5:10:08 AM GMT+2, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> tcp_outgoing_* directives can send details to the OS to hint at preferred server connection details. It is up to the OS whether those are followed or not.
Yes, I finally solved my network issue, and now Squid is sending traffic as expected (same interface).
In fact, I know Squid 5.0.4 and websockets are "working" because I can properly test this protocol here:
https://www.websocket.org/echo.html
and elsewhere. The above site did not work with Squid 4, but it's working now with Squid 5.0.4.
However, the webex test site is still failing with the same client error message.
Maybe someone on this list can reproduce the problem or share a squid configuration that actually works with or without sslbump (for the webex test site, that is).
Here's a simple sslbump config that only requires redirecting tcp 443 traffic to the custom Squid port 3130 (tproxy can be ignored in this example):
# cat squid.conf
# optional:
# tcp_outgoing_address 1.2.3.4
http_port 3128
http_port 3129 tproxy
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10
acl SSL_ports port 443
acl Safe_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl localnet src your.local.net.work
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all !localnet
http_access allow CONNECT localnet SSL_ports
http_upgrade_request_protocols OTHER allow all
http_access allow localnet all
http_reply_access allow localnet all
debug_options rotate=1 ALL,9
ssl_bump stare all
ssl_bump bump all
http_access allow localhost
http_access deny all
-------------------------------------
You can then go to https://www.webex.com/test-meeting.html to see if the websocket test actually works.
There has to be a glitch there or something I'm overlooking.
Thanks,
Vieri