Hey Eliezer,
The issue was with whatsapp web socket was not working, here is detailed information about issue
------------
Here is some information about my squid version,
Squid Cache: Version 3.5.22-20161115-r14113
Service Name: squid
configure options: '--prefix=/usr' '--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-url-rewrite-helpers=fake' '--enable-ecap'
My squid config file is located at, http://pastebin.com/raw/LvDxEF4x
Now the issue is whenever someone requests a page which contains web socket requests response is always bad request.
Here is an example,
Request URL:wss://w4.web.whatsapp.com/ws
Request Method:GET
Status Code:400 Bad Request
Response Headers
#################
Connection:keep-alive
Date:Sat, 17 Dec 2016 09:05:36 GMT
Transfer-Encoding:chunked
X-Cache:MISS from Proxy
Request Headers
#################
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w4.web.whatsapp.com
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:kzrB2ZcMHDAqvjDNXnjL/w==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
My question is how we can work with web socket requests in squid or if not by pass them squid. My squid instance is in interception mode and requests are intercepted at instance via iptables and forwarded to squid using below rules,
SQUIDIP=192.168.1.1
# your proxy listening port
SQUIDHTTPPORT=3128
SQUIDHTTPSPORT=3129
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDHTTPPORT
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 443 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port $SQUIDHTTPSPORT
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPPORT -j DROP
iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPSPORT -j DROP
If anyone can help me with this it would be really awesome. Thanks for your support.
----------------------------------------------------------
Solution to above problem was,
acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice serverIsws
ssl_bump bump !serverIsws all
[ above is a feature of whatsapp which allows you to connect to web.whatsapp.com from browser]
now what happens at request level is following,
Request URL:wss://w8.web.whatsapp.com/ws
Request Method:GET
Status Code:101 Switching Protocols
----------------------------------
Response Headers
Connection:Upgrade
Sec-WebSocket-Accept:Z6CC+QVdvB0cCHPbJAQMaHKL2uQ=
Upgrade:websocket
----------------------------------
Request Headers
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w8.web.whatsapp.com
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:mbCFLN/Q1KMt58t6DoQI9Q==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
So basically websockets are connected as normal https request( i think this is a very nature of Web sockets and define somewhere in web socket standards).
Now the problem statement is,
ssl_bump bump !serverIsws all
If i remove !serverIsws then it stops working. as per alex it shoudn't happen and its a bug most probably.
On Mon, Jan 2, 2017 at 7:17 PM, Eliezer Croitoru <eliezer@xxxxxxxxxxxx> wrote:
Can we start from 0.
Currently when squid knows about the Connection being a one with websocket support it is already too late to do anything about this specific connection.
The only option for now is to identify these using some ICAP service that will for example redirect the request after a small delay that will add the destination domain ip address to a bypass list.
It’s not trivial but I have seen such implementation on ssl bump.
Can you please redirect me to the specific email with the bug details?
Eliezer
----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx
From: squid-users [mailto:squid-users-bounces@lists.squid-cache.org ] On Behalf Of Hardik Dangar
Sent: Monday, January 2, 2017 8:47 AM
To: Alex Rousskov <rousskov@measurement-factory.com >
Cc: Squid Users <squid-users@lists.squid-cache.org >
Subject: Re: Squid Websocket Issue
@amos or anyone else from dev team
Can you confirm this is intentional behavior or bug ?
On Mon, Jan 2, 2017 at 9:18 AM, Alex Rousskov <mailto:rousskov@measurement-factory.com > wrote:
On 12/27/2016 04:50 AM, Hardik Dangar wrote:
> If i remove !serverIsws somehow websockets will not work.
Then there is a bug somewhere AFAICT. It is your call whether to find
out what that bug is [while continuing to use a potentially dangerous
workaround].
Alex.
> On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov wrote:
>
> On 12/20/2016 02:42 AM, Hardik Dangar wrote:
> > Following changes in config works and whatsapp starts working,
> >
> > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$
> >
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump splice serverIsws
> > ssl_bump bump !serverIsws all
>
> You do not need the "!serverIsws" part because if serverIsws matches,
> then the splice rule wins, and Squid does not reach the bump rule. This
> configuration is sufficient:
>
> ssl_bump peek step1
> ssl_bump splice serverIsws
> ssl_bump bump all
>
> In theory, adding "!serverIsws" does not hurt. However, negating complex
> ACLs is tricky/dangerous and should be avoided when possible.
>
> Alex.
>
>
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
