Search squid archive

Re: Squid Websocket Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2017-01-03 05:49, Hardik Dangar wrote:
Hey Eliezer,

The issue was with whatsapp web socket was not working, here is
detailed information about issue
------------

Here is some information about my squid version,

Squid Cache: Version 3.5.22-20161115-r14113
Service Name: squid
configure options:  '--prefix=/usr' '--localstatedir=/var/squid'
'--libexecdir=/lib/squid' '--srcdir=.' '--datadir=/share/squid'
'--sysconfdir=/etc/squid' '--with-default-user=proxy'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
'--with-openssl' '--enable-ssl-crtd' '--enable-inline'
'--disable-arch-native' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-follow-x-forwarded-for' '--enable-url-rewrite-helpers=fake'
'--enable-ecap'

My squid config file is located at, http://pastebin.com/raw/LvDxEF4x

Now the issue is whenever someone requests a page which contains web
socket requests response is always bad request.
Here is an example,

Request URL:wss://w4.web.whatsapp.com/ws [1]
Request Method:GET
Status Code:400 Bad Request

Response Headers
#################
Connection:keep-alive
Date:Sat, 17 Dec 2016 09:05:36 GMT
Transfer-Encoding:chunked
X-Cache:MISS from Proxy

Request Headers
#################
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Cache-Control:no-cache
Connection:Upgrade
Host:w4.web.whatsapp.com [2]
Origin:https://web.whatsapp.com
Pragma:no-cache
Sec-WebSocket-Extensions:permessage-deflate; client_max_window_bits
Sec-WebSocket-Key:kzrB2ZcMHDAqvjDNXnjL/w==
Sec-WebSocket-Version:13
Upgrade:websocket
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/55.0.2883.75 Safari/537.36

My question is how we can work with web socket requests in squid or if
not by pass them squid. My squid instance is in interception mode and
requests are intercepted at instance via iptables and forwarded to
squid using below rules,

WebSockets has several ways to initiate connections:

1) native WebSocket port
 - requires any intermediary has native Websocket support

2) CONNECT tunnel (maybe with Upgrade)
 - requires only that the intermediary has HTTP CONNECT support

3) GET request with Upgrade
- requires that the intermediary has both HTTP Upgrade and WebSockets native support


Squid supports method #2.

The transaction you are showing as broken is mechanism #3. Both the Upgrade and WebSockets support requirements are not existing in Squid.

That particular request going through a non-WebSockets proxy is supposed to be passed to the server as a regular GET request (without Upgrade). Exactly what Squid does. The server itself is producing the 400 response instead of using alternative things like HTTP long-polling in place of WebSockets. That is its choice, nothing to do with Squid and a perfectly valid choice on the servers part.

If WhatsApp tried the supported #2 mechanism it would work through Squid.



----------------------------------------------------------

SOLUTION TO ABOVE PROBLEM WAS,


... to splice instead of bump.


So basically websockets are connected as normal https request( i think
this is a very nature of Web sockets and define somewhere in web
socket standards).

No, that is the nature of HTTPS when not being bump'ed. Squid is not involved in the encrypted request when splicing. So it does not matter if it really is HTTPS or actually encrypted WebSockets.

The HTTPS goes through Squid as a CONNECT tunnel. Which for WebSockets is connection method #2 above - which is supported and works.


I think your problem is that you are expecting unrealistic things from decrypted HTTPS. *HTTPS* being the critical word there. Bumping decrypts HTTPS, it does not decrypt other protocols - including WebSockets.

Since the WhatsApp traffic is/was intercepted the client software has no knowledge of the proxy existing so it is not realistic to expect it to attempt the CONNECT method, even as a failover.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux