[squid-dev] [RFC] "Splicing" bumped requests to resolve\workaround WebSockets issues.
Eliezer Croitoru
eliezer at ngtech.co.il
Fri Jul 15 10:29:31 UTC 2016
I want to understand the way a WebSocket Splice would work.
The issue:
Clients are issuing secured connections which contain WebSockets internally
and squid HTTP parsing breaks these connections.
From a security aspect of things, many companies would not like the idea of
the options to "smuggle" data using http through a proxy.
Another related issue which deserves attention:
Certificate pinning and connection breakage.
Currently we cannot determine for many connections what is the "issue": is
it the bumping itself or the breakage of a WebSocket HTTP connection?
An acceptable solution:
Alex mentioned the option to splice a bumped connection.
I do not know exactly what Alex meant since not many details were presented.
How complex would it be to add an option to "splice" (maybe already done) a
bumped HTTP connection?
For WebSockets to be supported we just need to dump the request headers into
the wire and "splice" everything back.
I was thinking about maybe adding, if not there already, a "Connection: close"
to try and verify that at some level the connection would be closed properly
by a civil server.
It's not "Secure" for many places but I think it could be pretty
straightforward to work around this administrative issue.
I assume that the same solution can be applied to both regular
sockets\connections and secured.
As I understand, it would not be possible to do this kind of splice without
bumping first.
Another related subject is CONNECT-based TCP connection smuggling.
The scenario is that a client tries to issue a TCP connection using a
CONNECT method while these can be wrapped HTTP ones.
I only would like to get feedback to make sure that my understanding of the
complexity of the subject is in the right direction.
Thanks,
Eliezer
----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
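
As an added illustration of the splice decision discussed in the message above (not part of the original post and not Squid code): a bumping proxy could hand a connection over to a blind relay only after both sides complete a valid RFC 6455 WebSocket handshake, which narrows the "smuggling" concern to connections that really did upgrade. The function names are hypothetical and the sample messages are constructed.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID defined by RFC 6455
# Constructed sample handshake (the key/accept pair is the RFC 6455 example).
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\nHost: example.test\r\nUpgrade: websocket\r\n"
    b"Connection: keep-alive, Upgrade\r\nSec-WebSocket-Version: 13\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

def parse_head(raw: bytes):
    """Return (start-line fields, {lowercased header name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # repeated headers are merged into one comma-separated list
            key = name.strip().lower()
            headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return start.split(" "), headers

def has_token(value: str, token: str) -> bool:
    return token in (t.strip().lower() for t in value.split(","))

def ws_request_key(raw: bytes):
    """Return Sec-WebSocket-Key if raw is a valid upgrade request, else None."""
    parts, h = parse_head(raw)
    ok = (len(parts) == 3 and parts[0] == "GET"
          and has_token(h.get("upgrade", ""), "websocket")
          and has_token(h.get("connection", ""), "upgrade")
          and h.get("sec-websocket-version") == "13")
    return h.get("sec-websocket-key") if ok else None

def expected_accept(key: str) -> str:
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def should_splice(request: bytes, response: bytes) -> bool:
    """True only when the server's 101 reply matches the client's upgrade request."""
    key = ws_request_key(request)
    parts, h = parse_head(response)
    return (key is not None and len(parts) >= 2 and parts[1] == "101"
            and has_token(h.get("upgrade", ""), "websocket")
            and has_token(h.get("connection", ""), "upgrade")
            and h.get("sec-websocket-accept") == expected_accept(key))
```

Anything that fails this check stays on the normal HTTP parsing path, so a request that merely claims to be a WebSocket upgrade does not get an unparsed tunnel.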