[squid-users] Bypass ssl-bump urls that using web sockets
Amos Jeffries
squid3 at treenet.co.nz
Sun Jan 15 15:36:11 UTC 2023
On 16/01/2023 2:17 am, Ben Goz wrote:
> By the help of God.
>
> I'm using the latest squid version built from github sources and the
> squid server configured with ssl-bump.
That could mean a lot of things depending on which hour you built it.
Please use the output of "squid -v" to provide details of custom built
squid.
> The problem starts when the same URL serves as regular web page and
> also for certain web socket communication.
>
> If I bypass this URL it bypasses the whole web site. Is it possible to
> configure squid so that it'll bypass ssl-bump only when the URL is used
> for unsupported protocols (like web sockets)?
The issue you are facing is that TLS is used to wrap entire
communication sequences to a server. There is no way to decrypt/bump
only selective parts of it.
If the initial WebSockets uses the HTTP(S) protocol then Squid sees it as
HTTP and treats it as such (eg. reject unsupported URI scheme) until
something invalid in HTTP causes the connection to terminate.
If the WebSockets starts using native WebSocket format from the first
decrypted bytes then Squid's on_unsupported_protocol directive behaviour
should occur (I have not tested that, so YMMV).
To resolve this situation Squid will need to grow support for WebSockets
(no one is working on it) and the ability to support more than just a TCP vs TLS
transport layer (under QA discussion, no ETA).
HTH
Amos
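As an added illustration of the two options the reply describes (this is an example squid.conf fragment written for this page, not configuration posted by Amos or shipped by the Squid project), the following splices a whole site whose TLS sessions are known to carry WebSocket traffic, bumps everything else, and tells Squid to tunnel rather than close bumped connections whose first decrypted bytes are not HTTP. It assumes Squid 4 or later built with SSL-Bump support; the CA certificate path, the certificate database path and the `.ws-example.invalid` server name are placeholders.

```conf
# Added example squid.conf fragment (not from the list post). Assumes a
# Squid 4+ build with SSL-Bump; paths and the server name are placeholders.

# Intercepting listener that mints per-host certificates from a local CA.
http_port 3128 ssl-bump tls-cert=/etc/squid/bump-ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB

# SSL-Bump steps: step1 sees only the TCP destination, step2 has the
# TLS ClientHello (SNI) available for matching.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Site whose TLS sessions carry WebSocket traffic. Splicing on the server
# name passes the WHOLE site through un-bumped (no inspection of any of it);
# there is no way to splice only the WebSocket parts of a TLS session.
acl ws_sites ssl::server_name .ws-example.invalid

ssl_bump peek step1
ssl_bump splice ws_sites
ssl_bump bump all

# For sessions that were bumped but whose decrypted bytes are not HTTP
# (e.g. a client speaking raw WebSocket framing from the first byte), hand
# the connection through as an opaque tunnel instead of terminating it.
# The reply notes this path was untested; verify it on your build.
on_unsupported_protocol tunnel all
```

Both settings trade inspection for compatibility: spliced and tunnelled sessions are opaque to Squid, so keep `access_log` enabled and review entries for the spliced server names and for tunnelled connections to know how much traffic is escaping inspection. Restrict `on_unsupported_protocol tunnel` to a narrower ACL than `all` if only specific destinations need it.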