On 16/01/2023 2:17 am, Ben Goz wrote:
By the help of God.
I'm using the latest squid version built from github sources and the
squid server configured with ssl-bump.
That could mean a lot of things depending on which hour you built it.
Please use the output of "squid -v" to provide details of custom built
squid.
The problem starts when the same URL serves as regular web page and
also for certain web socket communication.
If I bypass this URL it bypasses the whole web site, Is it possible to
configure squid that it'll bypass ssl-bump only when the URL is used
for unsupported protocols (like web sockets)?
The issue you are facing is that TLS is used to wrap entire
communication sequences to a server. There is no way to decrypt/bump
only selective parts of it.
If the initial WebSockets uses HTTP(S) protocol then Squid sees it as
HTTP and treats it as such (eg. reject unsupported URI scheme) until
something invalid in HTTP causes the connection to terminate.
If the WebSockets starts using native WebSocket format from the first
decrypted bytes then Squid on_unsupported_protocol directive behaviour
should occur (I have not tested that, so YMMV).
To resolve this situation Squid will need to grow support for WebSockets
(none working on it) and ability to support more than just a TCP vs TLS
transport layer (under QA discussion, no ETA).
HTH
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
