[squid-users] Make websockets work without splicing TLS connections

Ahmad, Sarfaraz Sarfaraz.Ahmad at deshaw.com
Tue Jul 3 12:59:18 UTC 2018


>> Squid does not understand WebSocket protocol (yet).
Is supporting Websockets on the roadmap ? 



-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Tuesday, July 3, 2018 6:15 PM
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Make websockets work without splicing TLS connections

On 04/07/18 00:19, Ahmad, Sarfaraz wrote:
> Guys,
> 
>  
> 
> Can you think of a way to make websockets work without splicing TLS 
> connections ?
> 

Squid does not understand WebSocket protocol (yet). So splicing is the only option once the traffic is already going into the proxy.

Squid does support enough WebSockets to trigger the HTTP failover mechanism sin WebSockets. But many clients and/or servers apparently do not actually support WebSockets properly and break when that proxy compatibility mechanism is used.

WebSocket has its own port for native traffic. So letting that through your firewall should theoretically be enough.



> I don’t think on_unsupported _protocol would work here .// Also would

It may, but I agree that is not expected. WebSockets uses HTTP-like syntax in its first message to be compatible with HTTPS servers.


> on_unsupported_protocol work where the remote server abuses 443 for 
> something other than TLS ?

It should. Weird non-standard crap abusing port 443 is what that directive was designed to help workaround.

Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


More information about the squid-users mailing list