I want to understand the way a WebSocket Splice would work. The issue:
Clients are issuing secured connections which contain WebSockets internally, and Squid HTTP parsing breaks these connections. From a security aspect of things, many companies would not like the idea of the option to "smuggle" data using HTTP through a proxy.

Another related issue which deserves attention: certificate pinning and connection breakage. Currently we cannot determine for many connections what the "issue" is: is it the bumping itself or the breakage of a WebSocket HTTP connection?

An acceptable solution: Alex mentioned the option to splice a bumped connection. I do not know exactly what Alex meant since not many details were presented. How complex would it be to add an option to "splice" (maybe already done) a bumped HTTP connection?

For WebSockets to be supported we just need to dump the request headers into the wire and "splice" everything back. I was thinking about maybe adding, if not there already, a "Connection: close" to try and verify that at some level the connection would be closed properly by a civil server. It's not "Secure" for many places, but I think it could be pretty straightforward to work around this administrative issue.

I assume that the same solution can be applied to both regular sockets\connections and secured ones. As I understand, it would not be possible to do this kind of splice without bumping first.

Another related subject is CONNECT based TCP connections smuggling. The scenario is that a client tries to issue a TCP connection using a CONNECT method while these can be wrapped HTTP ones.

I only would like to get feedback to make sure that my understanding of the complexity of the subject is in the right direction.

Thanks,
Eliezer

----
Eliezer Croitoru <http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il
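The check a proxy would need before handing a bumped connection over to a blind relay, as an added example that is not part of the original message and is not Squid code: it recognises an RFC 6455 WebSocket upgrade in the decrypted request headers and verifies the server's 101 reply. The function names and the sample messages (built from the RFC 6455 sample key) are constructed for illustration.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID defined by RFC 6455

# Constructed sample messages using the sample key/accept pair from RFC 6455.
SAMPLE_REQUEST = (b"GET /chat HTTP/1.1\r\nHost: server.example.com\r\n"
                  b"Upgrade: websocket\r\nConnection: keep-alive, Upgrade\r\n"
                  b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                  b"Sec-WebSocket-Version: 13\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                   b"Connection: Upgrade\r\n"
                   b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")

def parse_head(raw: bytes):
    """Return (start_line, headers) with lowercase names; repeats are comma-joined."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return lines[0], headers

def tokens(value: str):
    """Split a comma-separated header value into a set of lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def is_ws_upgrade_request(raw: bytes) -> bool:
    """True only if the request head is a complete WebSocket opening handshake."""
    start, h = parse_head(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or parts[2] != "HTTP/1.1":
        return False
    try:  # the key must be a base64-encoded 16-byte nonce
        key = base64.b64decode(h.get("sec-websocket-key", ""), validate=True)
    except ValueError:
        return False
    return (len(key) == 16 and "websocket" in tokens(h.get("upgrade", ""))
            and "upgrade" in tokens(h.get("connection", ""))
            and h.get("sec-websocket-version") == "13")

def server_accepted(request: bytes, response: bytes) -> bool:
    """True if the reply is a 101 whose Sec-WebSocket-Accept matches the request key."""
    _, req = parse_head(request)
    start, resp = parse_head(response)
    digest = hashlib.sha1((req.get("sec-websocket-key", "") + WS_GUID).encode()).digest()
    return (start.split(" ")[1:2] == ["101"]
            and "websocket" in tokens(resp.get("upgrade", ""))
            and resp.get("sec-websocket-accept") == base64.b64encode(digest).decode())
```

Only when both checks pass would a relay stop parsing HTTP and forward bytes in both directions; any other outcome keeps the connection under normal HTTP handling.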