
Re: Websocket content adaptation

On Mon, Jun 27, 2016 at 7:57 PM, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 06/27/2016 10:23 AM, Ozgur Batur wrote:

> ICAP handles plain HTTP very well but it is not possible to
> filter/change or even log content of websocket communication after
> websocket upgrade over HTTP as far as I know. Is there any plan or
> interest in developing some capability for Squid to control websocket
> communication content?

There is interest but no specific plan or sponsor.


> There is no defined request/response protocol since websocket is
> basically a socket but regexp matching in incoming and outgoing
> content(json, xml,raw) with URL and client metadata info may have some
> application like data leak prevention or achieving in corporate environment.

I am not sure regex would be a good idea in general, but passing
tunneled traffic to eCAP/ICAP services is indeed useful in several
environments, including WebSocket tunnels. The adaptation service will
decide whether to use regex or something else to match raw data. Some
existing services simply log (or relay/replay via TCP) received traffic
without analyzing it so regex is just one of many possibilities here.

FWIW, several things are needed to move forward, including:

1. Adequate development time and skills (or sponsorship to pay for
   them). The development of an essentially new adaptation vectoring
   point is not a trivial project.


I have been involved in the development of several ICAP services around Squid but have not had the chance to work on the Squid code base directly. We may attempt to implement a proof of concept with a few friends to better specify the task at hand and learn about the adaptation infrastructure of Squid.
 
2. A specific proposal on how to map raw/tunnel data to HTTP messages
   that eCAP and ICAP interfaces expect. The biggest difficulty here
   may be mapping server-speaks-first protocols.

I am not sure if it is possible to map websocket data to current adaptation services. Actually it may or may not be related, but I am curious how Squid handles Comet (Ajax/HTTP Server Push) during ICAP processing. Maybe server data push can be mapped like Comet responses. About server-first protocols, current ICAP services expecting encapsulated valid HTTP responses for requests will break, of course. Maybe a mechanism like Allow 204 negotiation can be implemented between the adaptation service and the proxy. If the adaptation service does not support server-first pushes, it can be bypassed.

3. A project lead to organize/manage the project and guide the results
   through the Squid Project review. This person could be the
   primary developer and/or the specs writer, but does not have to be.

Alex.

Thanks,

Ozgur
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
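
Added example, not part of the thread and not Squid or ICAP code: a sketch of why an adaptation service handed raw WebSocket tunnel bytes has to parse RFC 6455 frames before matching, since client-to-server payloads are masked and messages can be fragmented. The DLP pattern, the function names and the sample capture are assumptions constructed for illustration.

```python
import re
import struct
# Assumed DLP rule for illustration: 16-digit card-like numbers.
DLP_PATTERN = re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b")

def xor_mask(data, key):  # RFC 6455 masking: XOR with the 4-byte key
    return bytes(c ^ key[i % 4] for i, c in enumerate(data))

def parse_frames(buf):
    """Return ([(fin, opcode, unmasked_payload)], unparsed_tail)."""
    frames, pos = [], 0
    while len(buf) - pos >= 2:
        b0, b1 = buf[pos], buf[pos + 1]
        masked, length, hdr = bool(b1 & 0x80), b1 & 0x7F, 2
        if length >= 126:                    # extended 16- or 64-bit length
            fmt, size = ("!H", 2) if length == 126 else ("!Q", 8)
            if len(buf) - pos < hdr + size:
                break
            (length,) = struct.unpack_from(fmt, buf, pos + hdr)
            hdr += size
        hdr += 4 if masked else 0            # masking key follows the length
        if len(buf) - pos < hdr + length:    # incomplete frame: need more data
            break
        payload = buf[pos + hdr:pos + hdr + length]
        if masked:
            payload = xor_mask(payload, buf[pos + hdr - 4:pos + hdr])
        frames.append((bool(b0 & 0x80), b0 & 0x0F, payload))
        pos += hdr + length
    return frames, buf[pos:]

def scan_stream(buf):
    """Reassemble fragmented data messages and return DLP matches."""
    hits, message = [], b""
    for fin, opcode, payload in parse_frames(buf)[0]:
        if opcode >= 0x8:                    # control frames may interleave
            continue
        message += payload
        if fin:
            hits += DLP_PATTERN.findall(message)
            message = b""
    return hits

def make_frame(payload, opcode, fin, key):
    """Build a masked client frame (constructed test data, payload < 126 bytes)."""
    head = bytes([(0x80 if fin else 0) | opcode, 0x80 | len(payload)])
    return head + key + xor_mask(payload, key)

# Constructed capture: one text message in two fragments with a ping between.
KEY = b"\x37\xfa\x21\x3d"
SAMPLE = (make_frame(b"card=4111 11", 0x1, False, KEY) + make_frame(b"", 0x9, True, KEY)
          + make_frame(b"11 1111 1111", 0x0, True, KEY))
```

Running the same pattern over `SAMPLE` directly finds nothing, while `scan_stream(SAMPLE)` returns the reassembled number.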
