[squid-users] Squid4 forward proxy to upgrade from ws to wss
Amos Jeffries
squid3 at treenet.co.nz
Wed Jun 19 06:31:12 UTC 2019
On 19/06/19 4:13 pm, Satyanarayana, Shekhar wrote:
> Hi Squid Community,
>
> I am relatively new to Squid and I am facing the following issue, would
> truly appreciate if you could help.
>
> Squid4.6 is used as a forward proxy to convert all traffic to secure
> traffic.
>
> The configuration of squid is very simple, it allows all traffic and
> uses urlrewrite.pl to replace "http" to "https".
What you are doing is actually the opposite to secure. Letting the
server think the traffic is secure so it passes on confidential or
privacy sensitive information - then exposing all that within clear-text
HTTP and again within the client itself.
>
> Question:
>
> 1.Is there any way to upgrade a websocket connection to secure websocket
> using squid4.6?
>
No. Squid does not support WebSockets natively.
> 2.Or say I use wss-client (without certificate) and a wss-server(with
> certificates), is there a way to inform squid to use its own
> certificates even mentioned in "tls_outgoing_options" to establish the
> connection?
>
What Squid does is enact the CONNECT or GET request of the HTTP messages
you see with wireshark - excluding the Upgrade HTTP feature you may see
being attempted.
For the CONNECT WebSockets happens inside the tunnel. With no
interference by Squid.
For the GET either the server accepts the fallback to HTTP response. Or
rejects it and the client is expected to fallback itself to another
method of communication. eg WebSockets native port or a CONNECT tunnel.
You cannot simply turn a GET request onto a bi-directional binary
tunnel. Nor a bi-directional tunnel into a GET response. They are
entirely different syntax and incompatible concepts / semantics.
Amos
More information about the squid-users
mailing list