I am using the next ontop of squid 3.5.23 in non intercept mode: ##STARTOF SNIPPET acl DiscoverSNIHost at_step SslBump1 acl NoSSLIntercept ssl::server_name_regex -i "/etc/squid/url.nobump" ssl_bump splice NoSSLIntercept ssl_bump peek DiscoverSNIHost ssl_bump bump all ##END OF SNIPPPET And the content of url.nobump is:##START OF QUOTE # WU (Squid 3.5.x and above with SSL Bump) # Only this sites must be spliced. update\.microsoft\.com$ update\.microsoft\.com\.akadns\.net$ v10\.vortex\-win\.data\.microsoft.com$ settings\-win\.data\.microsoft\.com$ # The next are trusted SKYPE addresses a\.config\.skype\.com$ pipe\.skype\.com$ w[0-9]+\.web\.whatsapp\.com$ ##END OF QUOTE And whatsapp web sockets works for me. Please be more specific whats not working and on what platform.. If it works for me and not for you there is a difference between our clients or systems. Try using latest 3.5.23. If you are using an RPM based system you can use one of my RPMS. Let me know if my rules helps you and if there is a specific site that doesn’t work for you, Eliezer ---- http://ngtech.co.il/lmgtfy/ Linux System Administrator Mobile: +972-5-28704261 Email: eliezer@xxxxxxxxxxxx From: hardikdangar@xxxxxxxxx [mailto:hardikdangar@xxxxxxxxx] On Behalf Of Hardik Dangar Sent: Monday, January 2, 2017 6:50 PM To: Eliezer Croitoru <eliezer@xxxxxxxxxxxx> Cc: Squid Users <squid-users@xxxxxxxxxxxxxxxxxxxxx> Subject: Re: Squid Websocket Issue Hey Eliezer, The issue was with whatsapp web socket was not working, here is detailed information about issue ------------ Here is some information about my squid version, Squid Cache: Version 3.5.22-20161115-r14113 Service Name: squid configure options: '--prefix=/usr' '--localstatedir=/var/squid' '--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-openssl' '--enable-ssl-crtd' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-follow-x-forwarded-for' '--enable-url-rewrite-helpers=fake' '--enable-ecap' My squid config file is located at, http://pastebin.com/raw/LvDxEF4x Now the issue is whenever someone requests a page which contains web socket requests response is always bad request. Here is an example, Request URL:wss://http://w4.web.whatsapp.com/ws Request Method:GET Status Code:400 Bad Request Response Headers ################# Connection:keep-alive Date:Sat, 17 Dec 2016 09:05:36 GMT Transfer-Encoding:chunked X-Cache:MISS from Proxy Request Headers ################# Accept-Encoding:gzip, deflate, sdch, br Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache Connection:Upgrade Host:http://w4.web.whatsapp.com Origin:https://web.whatsapp.com Pragma:no-cache Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits Sec-WebSocket-Key:kzrB2ZcMHDAqvjDNXnjL/w== Sec-WebSocket-Version:13 Upgrade:websocket User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36 My question is how we can work with web socket requests in squid or if not by pass them squid. My squid instance is in interception mode and requests are intercepted at instance via iptables and forwarded to squid using below rules, SQUIDIP=192.168.1.1 # your proxy listening port SQUIDHTTPPORT=3128 SQUIDHTTPSPORT=3129 iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDHTTPPORT iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 443 -j ACCEPT iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port $SQUIDHTTPSPORT iptables -t nat -A POSTROUTING -j MASQUERADE iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPPORT -j DROP iptables -t mangle -A PREROUTING -p tcp --dport $SQUIDHTTPSPORT -j DROP If anyone can help me with this it would be really awesome. Thanks for your support. ---------------------------------------------------------- Solution to above problem was, acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$ acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump splice serverIsws ssl_bump bump !serverIsws all [ above is a feature of whatsapp which allows you to connect to http://web.whatsapp.com/ from browser] now what happens at request level is following, Request URL:wss://http://w8.web.whatsapp.com/ws Request Method:GET Status Code:101 Switching Protocols ---------------------------------- Response Headers Connection:Upgrade Sec-WebSocket-Accept:Z6CC+QVdvB0cCHPbJAQMaHKL2uQ= Upgrade:websocket ---------------------------------- Request Headers Accept-Encoding:gzip, deflate, sdch, br Accept-Language:en-US,en;q=0.8 Cache-Control:no-cache Connection:Upgrade Host:http://w8.web.whatsapp.com/ Origin:https://web.whatsapp.com/ Pragma:no-cache Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits Sec-WebSocket-Key:mbCFLN/Q1KMt58t6DoQI9Q== Sec-WebSocket-Version:13 Upgrade:websocket User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36 So basically websockets are connected as normal https request( i think this is a very nature of Web sockets and define somewhere in web socket standards). Now the problem statement is, ssl_bump bump !serverIsws all If i remove !serverIsws then it stops working. as per alex it shoudn't happen and its a bug most probably. On Mon, Jan 2, 2017 at 7:17 PM, Eliezer Croitoru <mailto:eliezer@xxxxxxxxxxxx> wrote: Can we start from 0. Currently when squid knows about the Connection being a one with websocket support it is already too late to do anything about this specific connection. The only option for now is to identify these using some ICAP service that will for example redirect the request after a small delay that will add the destination domain ip address to a bypass list. It’s not trivial but I have seen such implementation on ssl bump. Can you please redirect me to the specific email with the bug details? Eliezer ---- http://ngtech.co.il/lmgtfy/ Linux System Administrator Mobile: +972-5-28704261 Email: mailto:eliezer@xxxxxxxxxxxx From: squid-users [mailto:mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Hardik Dangar Sent: Monday, January 2, 2017 8:47 AM To: Alex Rousskov <mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx> Cc: Squid Users <mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx> Subject: Re: Squid Websocket Issue @amos or anyone else from dev team Can you confirm this is intentional behavior or bug ? On Mon, Jan 2, 2017 at 9:18 AM, Alex Rousskov <mailto:mailto:rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote: On 12/27/2016 04:50 AM, Hardik Dangar wrote: > If i remove !serverIsws somehow websockets will not work. Then there is a bug somewhere AFAICT. It is your call whether to find out what that bug is [while continuing to use a potentially dangerous workaround]. Alex. > On Tue, Dec 20, 2016 at 10:27 PM, Alex Rousskov wrote: > > On 12/20/2016 02:42 AM, Hardik Dangar wrote: > > Following changes in config works and whatsapp starts working, > > > > acl serverIsws ssl::server_name_regex ^w[0-9]+\.web\.whatsapp\.com$ > > > > acl step1 at_step SslBump1 > > ssl_bump peek step1 > > ssl_bump splice serverIsws > > ssl_bump bump !serverIsws all > > You do not need the "!serverIsws" part because if serverIsws matches, > then the splice rule wins, and Squid does not reach the bump rule. This > configuration is sufficient: > > ssl_bump peek step1 > ssl_bump splice serverIsws > ssl_bump bump all > > In theory, adding "!serverIsws" does not hurt. However, negating complex > ACLs is tricky/dangerous and should be avoided when possible. > > Alex. > > _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users