websocket with sslbump

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

websocket with sslbump

Niels Hofmans
Hi guys,

During testing sslbump + icap I noticed that websockets (ws + was) are not supported by squid. (Even if using on_unsupported_protocol)
Are there any plans for supporting this with sslbump?
Thanks.

Regards,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: websocket with sslbump

Alex Rousskov
On 3/8/21 10:10 AM, Niels Hofmans wrote:

> During testing sslbump + icap I noticed that websockets (ws + was) are
> not supported by squid. (Even if using on_unsupported_protocol)
> Are there any plans for supporting this with sslbump?

Your question can be misinterpreted in many different ways. I will
answer the following related question instead:

Q: Are there any plans for Squid to send tunneled traffic through
adaptation services?

The ICAP and eCAP protocols cannot support opaque/messageless traffic
natively. Squid can be enhanced to wrap tunneled traffic into something
resembling HTTP messages so that it can be analyzed using adaptation
services (e.g., Squid applies similar wrapping to FTP traffic already).

I recall occasional requests for such a feature. I am not aware of
anybody working on that right now.

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


HTH,

Alex.
P.S. Latest Squids support forwarding websocket tunnels that use HTTP
Upgrade mechanism (see http_upgrade_request_protocols in v5
squid.conf.documented).
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: websocket with sslbump

Niels Hofmans
Hi Alex,

Thank you for your response. I’ll be opening up a Bugzilla ticket for opaque messages through ICAP if it doesn’t exist already.
Related to the squid 5.x, I’ve reached out to the debian package maintainer last week for a binary install in the repos but no response as of yet.

Best regards,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

On 9 Mar 2021, at 16:58, Alex Rousskov <[hidden email]> wrote:

On 3/8/21 10:10 AM, Niels Hofmans wrote:

During testing sslbump + icap I noticed that websockets (ws + was) are
not supported by squid. (Even if using on_unsupported_protocol)
Are there any plans for supporting this with sslbump?

Your question can be misinterpreted in many different ways. I will
answer the following related question instead:

Q: Are there any plans for Squid to send tunneled traffic through
adaptation services?

The ICAP and eCAP protocols cannot support opaque/messageless traffic
natively. Squid can be enhanced to wrap tunneled traffic into something
resembling HTTP messages so that it can be analyzed using adaptation
services (e.g., Squid applies similar wrapping to FTP traffic already).

I recall occasional requests for such a feature. I am not aware of
anybody working on that right now.

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


HTH,

Alex.
P.S. Latest Squids support forwarding websocket tunnels that use HTTP
Upgrade mechanism (see http_upgrade_request_protocols in v5
squid.conf.documented).


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: websocket with sslbump

Eliezer Croitoru-3

Hey Niels,

 

I can help you with this if you need.
I have a pre-compiled version and while it’s not a Debian packaged ie .deb file it’s a matter of unpacking the files into the FS.

Also take a peek at the docker build:

https://github.com/elico/squid-docker-build-nodes

 


Let me know if you need this binaries, I can put them at:

https://ngtech.co.il/repo/bin/debian/10.4/amd64/

 

Eliezer

 

----

Eliezer Croitoru

Tech Support

Mobile: +972-5-28704261

Email: [hidden email]

Zoom: Coming soon

 

 

From: squid-users <[hidden email]> On Behalf Of Niels Hofmans
Sent: Wednesday, March 10, 2021 9:42 AM
To: Alex Rousskov <[hidden email]>
Cc: Squid Users <[hidden email]>
Subject: Re: [squid-users] websocket with sslbump

 

Hi Alex,

 

Thank you for your response. I’ll be opening up a Bugzilla ticket for opaque messages through ICAP if it doesn’t exist already.

Related to the squid 5.x, I’ve reached out to the debian package maintainer last week for a binary install in the repos but no response as of yet.

 

Best regards,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795

 

On 9 Mar 2021, at 16:58, Alex Rousskov <[hidden email]> wrote:

 

On 3/8/21 10:10 AM, Niels Hofmans wrote:


During testing sslbump + icap I noticed that websockets (ws + was) are
not supported by squid. (Even if using on_unsupported_protocol)
Are there any plans for supporting this with sslbump?


Your question can be misinterpreted in many different ways. I will
answer the following related question instead:

Q: Are there any plans for Squid to send tunneled traffic through
adaptation services?

The ICAP and eCAP protocols cannot support opaque/messageless traffic
natively. Squid can be enhanced to wrap tunneled traffic into something
resembling HTTP messages so that it can be analyzed using adaptation
services (e.g., Squid applies similar wrapping to FTP traffic already).

I recall occasional requests for such a feature. I am not aware of
anybody working on that right now.

https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


HTH,

Alex.
P.S. Latest Squids support forwarding websocket tunnels that use HTTP
Upgrade mechanism (see http_upgrade_request_protocols in v5
squid.conf.documented).

 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: websocket with sslbump

Amos Jeffries
Administrator
In reply to this post by Niels Hofmans
On 10/03/21 8:41 pm, Niels Hofmans wrote:
> Hi Alex,
>
> Thank you for your response. I’ll be opening up a Bugzilla ticket for
> opaque messages through ICAP if it doesn’t exist already.
> Related to the squid 5.x, I’ve reached out to the debian package
> maintainer last week for a binary install in the repos but no response
> as of yet.
>

I did not see it on the team tracker. If you tried to contact Luigi
directly he is fairly busy with other software's issues these days.

It's usually me who is preparing the packages for Squid beta series and
adding them to the Debian 'experimental' repository. I just have not had
time this summer to do so. Not sure when I will be able to provide an
ETA either, sorry.

Debian itself is going through its usual preparations for the next
Debian major version. So there will likely only be small changes to the
Debian squid (and now squid-openssl !!) packages for the next months.


Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users