[squid-users] Squid Websocket Issue
Hardik Dangar
hardikdangar+squid at gmail.com
Tue Dec 27 11:50:08 UTC 2016
Hey Alex,
actually its reverse. If i remove !serverIsws somehow websockets will not
work. conversion does not happen and i get 400 bad request. whereas if i
put !serverIsws then request is converted and status code is 101
acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all
So above works but if i remove serverIsws then it will not work at all i.e.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump all
above does not work
This is actually surprising for me too :) I did lot of tests with other
websocket apps used by my network and when i remove rules from bump it will
not work. May be amos could tell us something that we don't understand
about acls.
On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov <
rousskov at measurement-factory.com> wrote:
> On 12/20/2016 02:42 AM, Hardik Dangar wrote:
> > Following changes in config works and whatsapp starts working,
> >
> > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
> >
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump splice serverIsws
> > ssl_bump bump !serverIsws all
>
> You do not need the "!serverIsws" part because if serverIsws matches,
> then the splice rule wins, and Squid does not reach the bump rule. This
> configuration is sufficient:
>
> ssl_bump peek step1
> ssl_bump splice serverIsws
> ssl_bump bump all
>
> In theory, adding "!serverIsws" does not hurt. However, negating complex
> ACLs is tricky/dangerous and should be avoided when possible.
>
> Alex.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161227/07d902eb/attachment.html>
More information about the squid-users
mailing list