<div dir="ltr">Hey Eliezer,<div><br></div><div>The issue was that the WhatsApp web socket was not working; here is detailed information about the issue</div><div>------------</div><div><br></div><div><div>Here is some information about my Squid version:</div><div><br></div><div>Squid Cache: Version 3.5.22-20161115-r14113</div><div>Service Name: squid</div><div>configure options: '--prefix=/usr' '--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-url-rewrite-helpers=fake' '--enable-ecap'</div><div><br></div><div>My Squid config file is located at <a href="http://pastebin.com/raw/LvDxEF4x">http://pastebin.com/raw/LvDxEF4x</a></div><div><br></div><div>Now the issue is that whenever someone requests a page which contains web socket requests, the response is always Bad Request. 
</div><div>Here is an example:</div><div><br></div><div>Request URL:wss://<a href="http://w4.web.whatsapp.com/ws">w4.web.whatsapp.com/ws</a></div><div>Request Method:GET</div><div>Status Code:400 Bad Request</div><div><br></div><div>Response Headers</div><div>#################</div><div>Connection:keep-alive</div><div>Date:Sat, 17 Dec 2016 09:05:36 GMT</div><div>Transfer-Encoding:chunked</div><div>X-Cache:MISS from Proxy</div><div><br></div><div>Request Headers</div><div>#################</div><div>Accept-Encoding:gzip, deflate, sdch, br</div><div>Accept-Language:en-US,en;q=0.8</div><div>Cache-Control:no-cache</div><div>Connection:Upgrade</div><div>Host:<a href="http://w4.web.whatsapp.com">w4.web.whatsapp.com</a></div><div>Origin:<a href="https://web.whatsapp.com">https://web.whatsapp.com</a></div><div>Pragma:no-cache</div><div>Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits</div><div>Sec-WebSocket-Key:kzrB2ZcMHDAqvjDNXnjL/w==</div><div>Sec-WebSocket-Version:13</div><div>Upgrade:websocket</div><div>User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36</div><div><br></div><div><br></div><div>My question is how we can work with web socket requests in Squid or, if not, bypass them in Squid. 
My Squid instance is in interception mode; requests are intercepted at the instance via iptables and forwarded to Squid using the rules below:</div><div><br></div><div>SQUIDIP=192.168.1.1</div><div><br></div><div># your proxy listening port</div><div>SQUIDHTTPPORT=3128</div><div>SQUIDHTTPSPORT=3129</div><div><br></div><div><br></div><div>iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT</div><div>iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDHTTPPORT</div><div><br></div><div>iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 443 -j ACCEPT</div><div>iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port $SQUIDHTTPSPORT</div><div><br></div><div>iptables -t nat -A POSTROUTING -j MASQUERADE</div><div>iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPPORT -j DROP</div><div>iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPSPORT -j DROP</div><div><br></div><div><br></div><div>If anyone can help me with this it would be really awesome. 
Thanks for your support.</div></div><div><br></div><div>----------------------------------------------------------</div><div><br></div><div><b>The solution to the above problem was:</b></div><div><br></div><div><div style="font-size:12.8px"><div>acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$</div><span class="gmail-im"><div><br></div><div>acl step1 at_step SslBump1</div><div>ssl_bump peek step1</div></span><div>ssl_bump splice serverIsws</div><div>ssl_bump bump !serverIsws all</div></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">[The above is a feature of WhatsApp which allows you to connect to <a href="http://web.whatsapp.com/" target="_blank">web.whatsapp.com</a> from a browser.]</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Now what happens at the request level is the following:</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><div>Request URL:wss://<a href="http://w8.web.whatsapp.com/ws" target="_blank">w8.web.whatsapp.com/ws</a></div><div>Request Method:GET</div><div>Status Code:101 Switching Protocols</div><div><br></div><div>----------------------------------</div><div><br></div><div>Response Headers</div><div><br></div><div>Connection:Upgrade</div><div>Sec-WebSocket-Accept:Z6CC+QVdvB0cCHPbJAQMaHKL2uQ=</div><div>Upgrade:websocket</div><div><br></div><div>----------------------------------</div><div>Request Headers<br></div><span class="gmail-im"><div><br></div><div>Accept-Encoding:gzip, deflate, sdch, br</div><div>Accept-Language:en-US,en;q=0.8</div><div>Cache-Control:no-cache</div><div>Connection:Upgrade</div></span><div>Host:<a href="http://w8.web.whatsapp.com/" target="_blank">w8.web.whatsapp.com</a></div><span class="gmail-im"><div>Origin:<a href="https://web.whatsapp.com/" target="_blank">https://web.whatsapp.com</a></div><div>Pragma:no-cache</div><div>Sec-WebSocket-Extensions:permessage-deflate; 
client_max_window_bits</div></span><div>Sec-WebSocket-Key:mbCFLN/Q1KMt58t6DoQI9Q==</div><span class="gmail-im"><div>Sec-WebSocket-Version:13</div><div>Upgrade:websocket</div><div>User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36</div><div><br></div></span></div></div><div><br></div><div>So basically websockets are connected as a normal HTTPS request (I think this is the very nature of web sockets and is defined somewhere in the web socket standards).</div><div><br></div><div><br></div><div>Now the problem statement is:</div><div><br></div><div><div style="font-size:12.8px">ssl_bump bump !serverIsws all</div></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">If I remove !serverIsws then it stops working. As per Alex it shouldn't happen and it's most probably a bug.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jan 2, 2017 at 7:17 PM, Eliezer Croitoru <span dir="ltr"><<a href="mailto:eliezer@ngtech.co.il" target="_blank">eliezer@ngtech.co.il</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Can we start from 0?<br>
Currently, when Squid knows about the connection being one with websocket support, it is already too late to do anything about this specific connection.<br>
The only option for now is to identify these using some ICAP service that will, for example, redirect the request after a small delay that will add the destination domain IP address to a bypass list.<br>
It’s not trivial but I have seen such an implementation on ssl bump.<br>
<br>
Can you please redirect me to the specific email with the bug details?<br>
<br>
Eliezer<br>
<br>
----<br>
<a href="http://ngtech.co.il/lmgtfy/" rel="noreferrer" target="_blank">http://ngtech.co.il/lmgtfy/</a><br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: <a href="mailto:eliezer@ngtech.co.il">eliezer@ngtech.co.il</a><br>
<br>
<br>
From: squid-users [mailto:<a href="mailto:squid-users-bounces@lists.squid-cache.org">squid-users-bounces@lists.squid-cache.org</a>] On Behalf Of Hardik Dangar<br>
Sent: Monday, January 2, 2017 8:47 AM<br>
To: Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>><br>
Cc: Squid Users <<a href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>><br>
Subject: Re: [squid-users] Squid Websocket Issue<br>
<span class="im HOEnZb"><br>
@amos or anyone else from dev team<br>
<br>
Can you confirm this is intentional behavior or a bug?<br>
<br>
</span><div class="HOEnZb"><div class="h5">On Mon, Jan 2, 2017 at 9:18 AM, Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br>
On 12/27/2016 04:50 AM, Hardik Dangar wrote:<br>
<br>
> If I remove !serverIsws somehow websockets will not work.<br>
<br>
Then there is a bug somewhere AFAICT. It is your call whether to find<br>
out what that bug is [while continuing to use a potentially dangerous<br>
workaround].<br>
<br>
Alex.<br>
<br>
<br>
> On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov wrote:<br>
><br>
> On 12/20/2016 02:42 AM, Hardik Dangar wrote:<br>
> > The following changes in config work and WhatsApp starts working:<br>
> ><br>
> > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$<br>
> ><br>
> > acl step1 at_step SslBump1<br>
> > ssl_bump peek step1<br>
> > ssl_bump splice serverIsws<br>
> > ssl_bump bump !serverIsws all<br>
><br>
> You do not need the "!serverIsws" part because if serverIsws matches,<br>
> then the splice rule wins, and Squid does not reach the bump rule. This<br>
> configuration is sufficient:<br>
><br>
> ssl_bump peek step1<br>
> ssl_bump splice serverIsws<br>
> ssl_bump bump all<br>
><br>
> In theory, adding "!serverIsws" does not hurt. However, negating complex<br>
> ACLs is tricky/dangerous and should be avoided when possible.<br>
><br>
> Alex.<br>
><br>
><br>
<br>
<br>
</div></div></blockquote></div><br></div>
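The first-match rule selection Alex describes above (once "ssl_bump splice serverIsws" matches, Squid never reaches the bump rule, so "!serverIsws" is redundant), as an added example that is not part of this thread and not Squid's own code. It is a small Python model of ssl_bump evaluation that parses both configurations quoted in the thread and checks that they choose the same action for every server name. Assumptions: at step 1 of an intercepted connection no server name is known yet; "peek" at step 1 reveals the SNI; at step 2 ssl::server_name_regex is matched against that SNI; only the peek/splice/bump actions and the three ACLs used in the thread are modelled, and the sample server names are constructed.

```python
import re

# Simplified model of Squid's ssl_bump decision (added example, not Squid's code).
# Assumed semantics: rules are evaluated top-down, the first rule whose ACL
# list fully matches decides the action for that step, and a leading "!"
# negates a single ACL. Real Squid has more actions (stare, terminate, ...).

ACL_DEFS = {
    # acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
    "serverIsws": ("server_name_regex", re.compile(r"^w[0-9]+\.web\.whatsapp\.com$")),
    # acl step1 at_step SslBump1
    "step1": ("at_step", 1),
    # Squid's built-in "all" ACL
    "all": ("all", None),
}


def acl_matches(name, step, server_name):
    """Evaluate one ACL reference (optionally negated with '!') for this step."""
    negate = name.startswith("!")
    kind, arg = ACL_DEFS[name.lstrip("!")]
    if kind == "all":
        hit = True
    elif kind == "at_step":
        hit = step == arg
    elif kind == "server_name_regex":
        # No SNI is known before peeking, so the regex cannot match at step 1.
        hit = server_name is not None and arg.search(server_name) is not None
    else:
        raise ValueError(f"unsupported ACL type {kind}")
    return (not hit) if negate else hit


def parse_rules(config_text):
    """Parse 'ssl_bump <action> <acl> [acl ...]' lines into (action, [acls])."""
    rules = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ssl_bump":
            rules.append((parts[1], parts[2:]))
    return rules


def decide(rules, step, server_name):
    """Return the action of the first rule whose ACLs all match, else None."""
    for action, acls in rules:
        if all(acl_matches(a, step, server_name) for a in acls):
            return action
    return None


def decision_path(rules, server_name):
    """Step 1 with no SNI yet; if peeked, step 2 with the SNI learnt by peeking."""
    first = decide(rules, 1, None)
    second = decide(rules, 2, server_name) if first == "peek" else first
    return (first, second)


# Configuration posted in the thread (with the redundant negation).
CONFIG_POSTED = """\
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all
"""

# Shorter configuration Alex proposed.
CONFIG_ALEX = """\
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump all
"""


def compare(server_names):
    """Map each SNI to (posted decision path, Alex's decision path)."""
    posted, alex = parse_rules(CONFIG_POSTED), parse_rules(CONFIG_ALEX)
    return {s: (decision_path(posted, s), decision_path(alex, s)) for s in server_names}


if __name__ == "__main__":
    # Constructed sample SNIs: a WhatsApp websocket host, the main site, an unrelated host.
    for sni, (p, a) in compare(["w4.web.whatsapp.com", "web.whatsapp.com", "example.org"]).items():
        print(f"{sni:24} posted={p} alex={a}")
```

Running it shows that only the wN.web.whatsapp.com hosts are spliced; web.whatsapp.com itself does not match the regex and is still bumped under both configurations, which is worth knowing before relying on the ACL as a bypass.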