Public bug reported:

I want to block all WebSocket connections using Squid. Here are the configurations:

a) a WebSocket server is running on port 8765 by Python on 10.5.2.132/16 [1]
b) a WebSocket client is running on 10.5.0.204/16 [2]
c) Squid (Jammy 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3]

I expected that `http_upgrade_request_protocols WebSocket deny all` would block all WebSocket connections, but it did not work.

squid still can allow upgrade to websocket

access.log:
1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT 10.5.2.132:8765 - HIER_DIRECT/10.5.2.132 -

When I executed a WebSocket connection from the client to the server and did a tcpdump on the client, I can see the tcpdump results are as [4].

"
GET / HTTP/1.1
Upgrade: websocket
Host: 10.5.2.132:8765
Origin: http://10.5.2.132:8765
Sec-WebSocket-Key: N8tBxe1BeAIoxuP0J6A3bA==
Sec-WebSocket-Version: 13
Connection: Upgrade

2V.4HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: loR4dW7PF7ylnYzp92wOrA2fyr0=
Date: Mon, 24 Apr 2023 02:00:59 GMT
Server: Python/3.6 websockets/9.1
"

Also, the cache.log is as shown in [5]. This should not be a cache issue because the result is the same whether or not I stop Squid or remove `/var/spool/squid/netdb.state`.

[1] https://paste.ubuntu.com/p/jD3BnfmDPZ/
[2] https://paste.ubuntu.com/p/qhxj8s32t4/
[3] https://paste.ubuntu.com/p/YZnY8n64nG/
[4] https://paste.ubuntu.com/p/ZZTdfTFDmk/
[5] https://paste.ubuntu.com/p/CkPtncXwFx/

** Affects: squid (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed: I want to block all WebSocket connections using Squid. Here are the configurations: a) a WebSocket server is running on port 8765 by Python on 10.5.2.132/16 [1] b) a WebSocket client is running on 10.5.0.204/16 [2] - c) Squid (Focal 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3] + c) Squid (Jammy 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3] I expected that `http_upgrade_request_protocols WebSocket deny all` would block all WebSocket connections, but it did not work. 
squid still can allow upgrade to websocket access.log: 1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT 10.5.2.132:8765 - HIER_DIRECT/10.5.2.132 - - - When I executed a WebSocket connection from the client to the server and did a tcpdump on the client, I can see the tcpdump results are as [4]. + When I executed a WebSocket connection from the client to the server and + did a tcpdump on the client, I can see the tcpdump results are as [4]. " GET / HTTP/1.1 Upgrade: websocket Host: 10.5.2.132:8765 Origin: http://10.5.2.132:8765 Sec-WebSocket-Key: N8tBxe1BeAIoxuP0J6A3bA== Sec-WebSocket-Version: 13 Connection: Upgrade 2V.4HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: loR4dW7PF7ylnYzp92wOrA2fyr0= Date: Mon, 24 Apr 2023 02:00:59 GMT Server: Python/3.6 websockets/9.1 " Also, the cache.log is as shown in [5]. This should not be a cache issue because the result is the same whether or not I stop Squid or remove `/var/spool/squid/netdb.state`. - [1] https://paste.ubuntu.com/p/jD3BnfmDPZ/ [2] https://paste.ubuntu.com/p/qhxj8s32t4/ [3] https://paste.ubuntu.com/p/YZnY8n64nG/ [4] https://paste.ubuntu.com/p/ZZTdfTFDmk/ [5] https://paste.ubuntu.com/p/CkPtncXwFx/

--
https://bugs.launchpad.net/bugs/2017460

Title:
  `http_upgrade_request_protocols WebSocket deny all` does not block websocket
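The access.log entry in the report records this session as a CONNECT tunnel (TCP_TUNNEL/200) to port 8765 rather than as a proxied GET. The following added example (not from the report or from the Squid project) scans native-format access.log lines for established tunnels to ports outside an allow-list; the allow-list, the function names and the second and third sample lines are assumptions.

```python
from dataclasses import dataclass

# Ports an egress policy would normally permit CONNECT to (assumption).
ALLOWED_CONNECT_PORTS = {443}


@dataclass
class Tunnel:
    client: str
    host: str
    port: int
    result: str


def split_host_port(target):
    """Split a CONNECT target, including bracketed IPv6 such as [::1]:8765."""
    host, _, port = target.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"not host:port: {target!r}")
    return host.strip("[]"), int(port)


def find_unexpected_tunnels(lines, allowed=ALLOWED_CONNECT_PORTS):
    """Return established CONNECT tunnels whose port is not in `allowed`."""
    hits = []
    for line in lines:
        f = line.split()
        # Native format: time elapsed client result/status bytes method url ...
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        if not f[3].startswith("TCP_TUNNEL/"):
            continue  # denied or failed CONNECT: no tunnel was opened
        try:
            host, port = split_host_port(f[6])
        except ValueError:
            continue  # malformed target, skip rather than guess
        if port not in allowed:
            hits.append(Tunnel(f[2], host, port, f[3]))
    return hits


# First line is the one quoted in the report; the other two are constructed.
SAMPLE_LOG = [
    "1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT 10.5.2.132:8765 - HIER_DIRECT/10.5.2.132 -",
    "1682301950.102 120 10.5.0.204 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/192.0.2.10 -",
    "1682301951.377 0 10.5.0.204 TCP_DENIED/403 3900 CONNECT 10.5.2.132:8765 - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for t in find_unexpected_tunnels(SAMPLE_LOG):
        print(f"{t.client} -> {t.host}:{t.port} ({t.result})")
```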

