websockets through Squid


websockets through Squid

Vieri
Hi,

I think I found something in the cache.log I posted before.

sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_3
...
sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_2

It seems that Squid sometimes connects to the remote HTTP server with either one of the available addresses on the Squid box (e.g. PUB_IPv4_ADDR_2, PUB_IPv4_ADDR_3, etc.). These addresses are on ppp interfaces. In fact, I noticed that if the Firefox client shows this error message in its console, as in my previous post:

The connection to wss://ed1lncb62801.webex.com/direct?type=websocket&dtype=binary&rand=1602830016480&uuidtag=5659FGE6-DF29-47A7-859A-G4D5FDC937A2&gatewayip=PUB_IPv4_ADDR_2 was interrupted while the page was loading.

then I see a corresponding 'sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_3' when trying to connect to the same origin. So I'm deducing that the remote websocket server is expecting a client connection from PUB_IPv4_ADDR_2 when in fact Squid is trying to connect from PUB_IPv4_ADDR_3 -- hence the "interruption" message.

My test Squid instance is running on a multi-ISP router, so I guess I have to figure out how to either force connections out one interface only for the Squid cache or tell Squid to only bind to one interface.

It's only a wild guess though.

Vieri

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
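The correlation Vieri did by eye (which local address Squid used for each outbound server connection) can be done over the whole cache.log. The script below is an added example, not part of the thread or of Squid. The sample log lines are constructed: the post only shows the abbreviated form "sendRequest: HTTP Server conn* local=ADDR", so the timestamp, section prefix, connection id, ports and the remote= field are assumed to follow Squid's usual Comm::Connection debug layout and are illustrative. It reports every origin that Squid reached from more than one local address, which is the symptom of a multihomed box letting the OS pick the source address per connection.

```python
import re
from collections import defaultdict

# Constructed sample of cache.log (debug_options ALL,9) lines. Not from the
# original post; the exact field layout is an assumption, only the
# "sendRequest: HTTP Server conn... local=..." fragment appears on the page.
SAMPLE_LOG = """\
2020/10/16 15:01:02.123 kid1| 11,5| http.cc(2442) sendRequest: HTTP Server conn101 local=203.0.113.10:40001 remote=198.51.100.7:443 FD 21 flags=1
2020/10/16 15:01:05.456 kid1| 11,5| http.cc(2442) sendRequest: HTTP Server conn102 local=203.0.113.10:40002 remote=198.51.100.7:443 FD 22 flags=1
2020/10/16 15:01:09.789 kid1| 11,5| http.cc(2442) sendRequest: HTTP Server conn103 local=192.0.2.20:40003 remote=198.51.100.7:443 FD 23 flags=1
2020/10/16 15:01:12.000 kid1| 11,5| http.cc(2442) sendRequest: HTTP Server conn104 local=203.0.113.10:40004 remote=198.51.100.50:443 FD 24 flags=1
2020/10/16 15:01:13.000 kid1| 33,4| client_side.cc(1234) unrelated line that must be ignored
"""

# Match the outbound-connection line and capture both endpoints.
_CONN_RE = re.compile(
    r"sendRequest: HTTP Server conn\S*\s+local=(?P<local>\S+)\s+remote=(?P<remote>\S+)"
)


def strip_port(token: str) -> str:
    """'203.0.113.10:40001' -> '203.0.113.10'; '[2001:db8::1]:443' -> '2001:db8::1'.

    Tokens without a port (like the PUB_IPv4_ADDR_N placeholders in the post)
    are returned unchanged.
    """
    if token.startswith("["):
        return token[1:token.index("]")]
    host, sep, port = token.rpartition(":")
    return host if sep and port.isdigit() else token


def server_connections(log_text: str):
    """Return [(local_addr, remote_addr), ...] for every server connection logged."""
    pairs = []
    for line in log_text.splitlines():
        m = _CONN_RE.search(line)
        if m:
            pairs.append((strip_port(m.group("local")), strip_port(m.group("remote"))))
    return pairs


def locals_by_origin(log_text: str):
    """Map each origin server address to the set of local addresses Squid used."""
    seen = defaultdict(set)
    for local, remote in server_connections(log_text):
        seen[remote].add(local)
    return seen


def flapping_origins(log_text: str):
    """Origins contacted from more than one local address: the symptom in the post."""
    return {
        remote: sorted(locals_)
        for remote, locals_ in locals_by_origin(log_text).items()
        if len(locals_) > 1
    }


if __name__ == "__main__":
    for remote, locals_ in flapping_origins(SAMPLE_LOG).items():
        print(f"{remote}: reached from {', '.join(locals_)}")
```

Run it against a real cache.log (`python3 check_local.py < cache.log` after swapping SAMPLE_LOG for `sys.stdin.read()`); an empty result means every origin was reached from one local address, which is what you want to see after fixing routing or setting tcp_outgoing_address.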

Re: websockets through Squid

Amos Jeffries
Administrator
On 17/10/20 3:07 am, Vieri wrote:

> Hi,
>
> I think I found something in the cache.log I posted before.
>
> sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_3
> ...
> sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_2
>
> It seems that Squid sometimes connects to the remote HTTP server with either one of the available addresses on the Squid box (e.g. PUB_IPv4_ADDR_2, PUB_IPv4_ADDR_3, etc.). These addresses are on ppp interfaces. In fact, I noticed that if the Firefox client shows this error message in its console, as in my previous post:
>
> The connection to wss://ed1lncb62801.webex.com/direct?type=websocket&dtype=binary&rand=1602830016480&uuidtag=5659FGE6-DF29-47A7-859A-G4D5FDC937A2&gatewayip=PUB_IPv4_ADDR_2 was interrupted while the page was loading.
>
> then I see a corresponding 'sendRequest: HTTP Server conn* local=PUB_IPv4_ADDR_3' when trying to connect to the same origin. So I'm deducing that the remote websocket server is expecting a client connection from PUB_IPv4_ADDR_2 when in fact Squid is trying to connect from PUB_IPv4_ADDR_3 -- hence the "interruption" message.

That implies a broken server. For new connections through a proxy there
is no guarantee of any particular IP address being used. As you can see
from that behaviour the OS may select any of its available addresses if
it needs to.


>
> My test Squid instance is running on a multi-ISP router, so I guess I have to figure out how to either force connections out one interface only for the Squid cache or tell Squid to only bind to one interface.
>

tcp_outgoing_* directives can send details to the OS to hint at
preferred server connection details. It is up to the OS whether those
are followed or not.


Amos

Re: websockets through Squid

Vieri

On Saturday, October 17, 2020, 5:10:08 AM GMT+2, Amos Jeffries <[hidden email]> wrote:

> tcp_outgoing_* directives can send details to the OS to hint at preferred server connection details. It is up to the OS whether those are followed or not.


Yes, I finally solved my network issue, and now Squid is sending traffic as expected (same interface).

In fact, I know Squid 5.0.4 and websockets are "working" because I can properly test this protocol here:

https://www.websocket.org/echo.html

and elsewhere. The above site did not work with Squid 4, but it's working now with Squid 5.0.4.

However, the webex test site is still failing with the same client error message.

Maybe someone on this list can reproduce the problem or share a squid configuration that actually works with or without sslbump (for the webex test site, that is).

Here's a simple sslbump config that only requires redirecting tcp 443 traffic to the custom Squid port 3130 (tproxy can be ignored in this example):

# cat squid.conf
# optional:
# tcp_outgoing_address 1.2.3.4

http_port 3128
http_port 3129 tproxy
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
sslcrtd_program /usr/libexec/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10

acl SSL_ports port 443

acl Safe_ports port 443
acl Safe_ports port 80

acl CONNECT method CONNECT

acl localnet src your.local.net.work

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access deny all !localnet

http_access allow CONNECT localnet SSL_ports

http_upgrade_request_protocols OTHER allow all

http_access allow localnet all
http_reply_access allow localnet all

debug_options rotate=1 ALL,9

ssl_bump stare all
ssl_bump bump all

http_access allow localhost

http_access deny all

-------------------------------------

You can then go to https://www.webex.com/test-meeting.html to see if the websocket test actually works.

There has to be a glitch there or something I'm overlooking.

Thanks,

Vieri
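The config above relies on Squid 5 relaying the WebSocket Upgrade handshake on a bumped connection, which is what the http_upgrade_request_protocols OTHER allow all line permits (with ssl_bump bump, Squid sees the client's GET with Upgrade: websocket itself instead of blindly tunnelling a CONNECT). The script below is an added example, not code from the thread or from Squid, showing both halves of that exchange as the browser and the proxy see them: the CONNECT a browser sends to the forward proxy on 3128, the Upgrade request that follows (RFC 6455), and a strict check of the server's 101 reply. The two server responses are constructed; the key/accept pair is the RFC 6455 sample vector. Hostnames and paths are placeholders.

```python
import base64
import hashlib
import os

# Fixed GUID from RFC 6455 section 1.3, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Sample key/accept pair from RFC 6455 section 1.3 (not a secret, used here as a test vector).
RFC_KEY = "dGhlIHNhbXBsZSBub25jZQ=="


def new_ws_key() -> str:
    """16 random bytes, base64-encoded, as a real client would generate per handshake."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the origin server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_connect_request(host: str, port: int) -> bytes:
    """What a browser sends to a forward proxy (http_port 3128 above) to open a tunnel."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            "Proxy-Connection: keep-alive\r\n\r\n").encode("ascii")


def build_upgrade_request(host: str, path: str, key: str, origin: str) -> bytes:
    """The GET inside the (bumped) TLS session that Squid must relay unchanged."""
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Key: {key}\r\n"
            "Sec-WebSocket-Version: 13\r\n"
            f"Origin: {origin}\r\n\r\n").encode("ascii")


def parse_response(raw: bytes):
    """Split an HTTP/1.1 response head into (status_code, {lowercased-name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def check_upgrade_response(raw: bytes, key: str):
    """Return (ok, reason); ok is True only for a 101 that correctly answers our key."""
    try:
        status, headers = parse_response(raw)
    except ValueError as exc:
        return False, str(exc)
    if status != 101:
        # A 200/4xx here usually means an intermediary answered the GET as a plain
        # request instead of relaying the Upgrade end to end.
        return False, f"expected 101 Switching Protocols, got {status}"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "Upgrade header missing or not 'websocket'"
    conn_tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in conn_tokens:
        return False, "Connection header does not include 'Upgrade'"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match our key"
    return True, "handshake complete"


# Constructed responses (not captured from any real server).
GOOD_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\n"
                 b"Upgrade: websocket\r\n"
                 b"Connection: Upgrade\r\n"
                 b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
NOT_RELAYED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                        b"Content-Type: text/html\r\n"
                        b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    key = new_ws_key()
    print(build_connect_request("example.com", 443).decode())
    print(build_upgrade_request("example.com", "/direct?type=websocket", key,
                                "https://example.com").decode())
    print(check_upgrade_response(GOOD_RESPONSE, RFC_KEY))
    print(check_upgrade_response(NOT_RELAYED_RESPONSE, RFC_KEY))
```

When debugging a case like the webex one, capture the Upgrade request and the reply on both sides of Squid (client-facing and server-facing) and feed each reply to check_upgrade_response with the key from the matching request: if the origin returned a valid 101 but the client never saw it, the problem is in the relay, not the server.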