websockets through Squid

Vieri
> To allow WebSocket tunnels, you need http_upgrade_request_protocols available since v5.0.4

Thanks for the info.
My distro does not include v. 5 yet as it's still beta, although I could try compiling it.

Just a thought though. What would the easiest way be to allow websockets through in v. 4? That is, for trusted domains, allow a direct connection maybe?

e.g.
acl direct_dst_domains dstdomain "/opt/custom/proxy-settings/allowed.direct"
# or:
# acl direct_dst_domains ssl::server_name_regex "/opt/custom/proxy-settings/allowed.direct"
always_direct allow direct_dst_domains

Thanks

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: websockets through Squid

Amos Jeffries
On 8/10/20 2:29 am, Vieri wrote:
>> To allow WebSocket tunnels, you need http_upgrade_request_protocols available since v5.0.4
>
> Thanks for the info.
> My distro does not include v. 5 yet as it's still beta, although I could try compiling it.
>
> Just a thought though. What would the easiest way be to allow websockets through in v. 4? That is, for trusted domains, allow a direct connection maybe?
>

No. If the WS client properly supports the HTTP fallback mode of
WebSockets then it should "just work", nothing special needed from
Squid. Otherwise it is requiring Upgrade behaviour and the "error" you
got is not an error at all, just a statement about the WS client (lack
of) feature support.

Amos

Re: websockets through Squid

Alex Rousskov
On 10/7/20 9:29 AM, Vieri wrote:
>> To allow WebSocket tunnels, you need http_upgrade_request_protocols available since v5.0.4

> What would the easiest way be to allow websockets through in v. 4?

Backport (the essential parts of) v5 changes to v4.


> That is, for trusted domains, allow a direct connection maybe?

Direct connections are allowed by default. That is not the issue here.

To proxy a WebSocket handshake, Squid has to, at a minimum, send an
Upgrade header to the origin server, forward the HTTP 101 response from
the origin server to the client, and then become a TCP tunnel. The last
part is impossible to accomplish in v4 with configuration options alone:
There is simply no "become a tunnel" directive that is checked after
forwarding a 1xx control message.

Alex.