Hi Squid Community, I am relatively new to Squid and I am facing the following issue; I would truly appreciate it if you could help.
Squid 4.6 is used as a forward proxy to convert all traffic to secure traffic.

The configuration of Squid is very simple: it allows all traffic and uses urlrewrite.pl to replace "http" with "https" (SSL-Bump is NOT used). The Squid proxy has tls_outgoing_options set, so the following works:

    client(http) -----> Squid ------> Server(https)

Now I am trying to replicate the same with websockets. There are 3 test cases:

1. client(ws)  ------> Squid -----> Server(ws)
2. client(wss) ------> Squid -----> Server(wss)
3. client(ws)  ------> Squid -----> Server(wss)

The first two cases work with Squid, but the third one does not. And I only need the third option.
I have added debug logging to urlrewrite.pl to show the exact request received for a websocket connection, and the following is the log (here port 8080 is the server and port 3128 is Squid):

    DEBUG:root:localhost:8080 127.0.0.1/localhost - CONNECT myip=127.0.0.1 myport=3128

Even Wireshark shows the same:

1. CONNECT HTTP 1.1
2. GET
3. upgrade protocol

Questions:

1. Is there any way to upgrade a websocket connection to a secure websocket using Squid 4.6?
2. Or, say I use a wss client (without certificate) and a wss server (with certificates): is there a way to tell Squid to use its own certificates, as mentioned in "tls_outgoing_options", to establish the connection?

REQUIRED: The client will always send unsecure traffic (HTTP/WS) and Squid should upgrade it to HTTPS/WSS.

In our application setup, we use our own OpenSSL libraries to create certificates, which cannot be included in the (client.go) Go TLS package, so we use the Squid proxy to use the certificates generated by our own OpenSSL libraries. The client and the forward proxy (Squid) are both in our specific environment, so squid.conf is very simple and allows all traffic. And we need mutual cert authentication.

SQUID CONF CODE

    #
    # Recommended minimum configuration:
    #
    # Example rule allowing access from your local networks.
    # Adapt to list your (internal) IP networks from where browsing
    # should be allowed
    acl localhost src 127.0.0.1
    acl SSL_ports port 443
    acl Safe_ports port 443         # https
    acl Safe_ports port 80          # http
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost
    http_access deny all
    # Squid normally listens to port 3128
    http_port 3128
    url_rewrite_program /etc/squid/urlrewrite.pl
    url_rewrite_access allow all
    tls_outgoing_options cert=/etc/squid/proxy.crt
    tls_outgoing_options key=/etc/squid/proxy.key
    tls_outgoing_options cafile=/etc/squid/serverauth.crt

urlrewrite CODE

    #!/usr/bin/perl
    # url_rewrite_program helper: rewrite http:// URLs to https://
    select(STDOUT);
    $| = 1;   # unbuffered output, required for Squid helpers
    while (<>) {
        # Request line: [channel-ID] URL client_ip/fqdn user method [extras]
        if (/^(|\d+\s+)((\w+):\/+)([^\/:]+)(|:(\d+))(|\/\S*)(|\s.*)$/) {
            my $channel       = $1;
            my $protocolClean = $3;
            my $domain        = $4;
            my $port          = $5;   # ":8080" or empty
            my $portClean     = $6;   # "8080" or empty
            my $urlPath       = $7;
            if ($protocolClean eq 'http' ) { #&& ($port eq '' || $portClean eq '80')) {
                # (print statement reconstructed; the original was mangled in the archive)
                print STDOUT "${channel}OK rewrite-url=\"https://${domain}${port}${urlPath}\"\n";
            } else {
                print STDOUT "${channel}ERR\n";
            }
        } else {
            # Lines without a scheme (e.g. CONNECT host:port) got no reply in the
            # original; Squid expects exactly one reply per request, so answer ERR.
            my $ch = /^(\d+\s+)/ ? $1 : '';
            print STDOUT "${ch}ERR\n";
        }
    }

Thank you,
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
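The log line in the post shows why the third case cannot be solved inside the rewrite helper: a websocket client that goes through a proxy sends CONNECT host:port, Squid answers by opening an opaque TCP tunnel and relaying bytes unchanged, and tls_outgoing_options only governs TLS connections that Squid itself originates for plain http:// requests, not tunnels. The following helper is an added example written for this thread, not the poster's urlrewrite.pl or anything shipped by the Squid project. It implements the same http-to-https rewrite in Python, parses the request line in the default Squid 4 url_rewrite_extras layout (`[channel-ID] URL client_ip/fqdn username method myip=... myport=...`, an assumption about the deployment), answers ERR for CONNECT lines instead of staying silent, and drops an explicit :80 so the rewritten URL goes to the server's TLS port 443 rather than to TLS-on-80.

```python
#!/usr/bin/env python3
"""Added example, not the poster's helper: a Squid url_rewrite_program in
Python that upgrades http:// URLs to https:// and answers every request
line, including the CONNECT lines the poster's log shows for websockets.

Assumption: Squid 4's default url_rewrite_extras, so each request line is
    [channel-ID] URL client_ip/fqdn username method myip=... myport=...
(the channel-ID appears only when url_rewrite_children uses concurrency).
"""
import re
import sys

# Optional numeric channel-ID, the URL, then whatever extras Squid appends.
LINE_RE = re.compile(r"^(?:(?P<channel>\d+)\s+)?(?P<url>\S+)(?:\s+(?P<extras>.*))?$")
# Plain-http URL split into host, optional explicit port and path.
HTTP_URL_RE = re.compile(r"^http://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$", re.I)


def rewrite(line: str) -> str:
    """Return the single reply line Squid expects for one request line."""
    m = LINE_RE.match(line.strip())
    if not m:
        # Never stay silent: Squid waits for exactly one reply per request.
        return "ERR"
    channel = f"{m['channel']} " if m["channel"] else ""
    url, extras = m["url"], (m["extras"] or "").split()
    method = extras[2] if len(extras) >= 3 else ""

    # CONNECT carries only host:port, no scheme. Squid then opens an opaque
    # TCP tunnel and relays bytes unchanged: there is no URL to rewrite and
    # tls_outgoing_options does not apply to a tunnel, so leave it alone.
    if method == "CONNECT" or "://" not in url:
        return f"{channel}ERR"

    h = HTTP_URL_RE.match(url)
    if not h:
        return f"{channel}ERR"  # already https://, ftp://, etc.: leave unchanged
    host = h["host"]
    # Drop an explicit :80 (TLS goes to 443 by default); keep any other explicit
    # port, which must then be a TLS listener on the server side.
    port = f":{h['port']}" if h["port"] and h["port"] != "80" else ""
    path = h["path"] or "/"
    return f'{channel}OK rewrite-url="https://{host}{port}{path}"'


def main() -> None:
    # Read one request per line and flush every reply at once; Squid blocks
    # on the helper until the reply line arrives.
    for line in sys.stdin:
        sys.stdout.write(rewrite(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Fed the exact line from the poster's debug log, the helper returns ERR, which is the correct and only possible answer for a CONNECT: the rewrite interface never sees the websocket handshake that follows inside the tunnel, so a plain ws:// client cannot be turned into a wss:// connection at this layer. The client itself has to speak TLS to the tunnel endpoint (case 2 in the post), or the upgrade has to happen in a component that terminates the client connection and originates a new TLS one.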