[squid-users] Make websockets work without splicing TLS connections
Amos Jeffries
squid3 at treenet.co.nz
Tue Jul 3 12:44:43 UTC 2018
On 04/07/18 00:19, Ahmad, Sarfaraz wrote:
> Guys,
>
>
>
> Can you think of a way to make websockets work without splicing TLS
> connections ?
>
Squid does not understand WebSocket protocol (yet). So splicing is the
only option once the traffic is already going into the proxy.

Squid does support enough WebSockets to trigger the HTTP failover
mechanism in WebSockets. But many clients and/or servers apparently do
not actually support WebSockets properly and break when that proxy
compatibility mechanism is used.

WebSocket has its own port for native traffic. So letting that through
your firewall should theoretically be enough.
> I don’t think on_unsupported_protocol would work here. // Also would
It may, but I agree that is not expected. WebSockets uses HTTP-like
syntax in its first message to be compatible with HTTPS servers.
> on_unsupported_protocol work where the remote server abuses 443 for
> something other than TLS ?
It should. Weird non-standard crap abusing port 443 is what that
directive was designed to help work around.
Amos
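
A squid.conf fragment showing the two mechanisms discussed in this reply, added here as an example and not taken from the thread or from the Squid project. The ACL name `ws_hosts` and the domain `.ws.example.com` are placeholders, and it assumes a Squid build with SSL-Bump already configured on the listening port.

```conf
# Constructed example: ws_hosts and .ws.example.com are placeholders.
acl step1 at_step SslBump1
acl ws_hosts ssl::server_name .ws.example.com

# Peek at the TLS ClientHello first so the SNI is available to the ACLs.
ssl_bump peek step1

# Splice (pass through without decrypting) only the hosts known to use
# WebSockets. Squid cannot inspect anything inside a spliced connection.
ssl_bump splice ws_hosts

# All other TLS connections are still bumped and inspected.
ssl_bump bump all

# When an intercepted connection or bumped tunnel does not start with
# traffic Squid can parse (for example non-TLS traffic on port 443),
# relay it as an opaque tunnel instead of rejecting it.
on_unsupported_protocol tunnel all
```

Keeping the splice ACL limited to named hosts keeps the uninspected traffic to a known set; `on_unsupported_protocol tunnel all` can likewise be narrowed by replacing `all` with a destination ACL.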