enterprise-support team mailing list archive
Message #09191
[Bug 2017460] [NEW] `http_upgrade_request_protocols WebSocket deny all` does not block websocket
Public bug reported:
I want to block all WebSocket connections using Squid. Here are the
configurations:
a) a WebSocket server is running on port 8765 by Python on 10.5.2.132/16 [1]
b) a WebSocket client is running on 10.5.0.204/16 [2]
c) Squid (Jammy 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3]
I expected that `http_upgrade_request_protocols WebSocket deny all`
would block all WebSocket connections, but it did not work.
Squid can still allow the upgrade to WebSocket.
access.log:
1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT 10.5.2.132:8765 - HIER_DIRECT/10.5.2.132 -
When I executed a WebSocket connection from the client to the server and
did a tcpdump on the client, I can see the tcpdump results are as [4].
"
GET / HTTP/1.1
Upgrade: websocket
Host: 10.5.2.132:8765
Origin: http://10.5.2.132:8765
Sec-WebSocket-Key: N8tBxe1BeAIoxuP0J6A3bA==
Sec-WebSocket-Version: 13
Connection: Upgrade
2V.4HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: loR4dW7PF7ylnYzp92wOrA2fyr0=
Date: Mon, 24 Apr 2023 02:00:59 GMT
Server: Python/3.6 websockets/9.1
"
Also, the cache.log is as shown in [5].
This should not be a cache issue because the result is the same whether
or not I stop Squid or remove `/var/spool/squid/netdb.state`.
[1] https://paste.ubuntu.com/p/jD3BnfmDPZ/
[2] https://paste.ubuntu.com/p/qhxj8s32t4/
[3] https://paste.ubuntu.com/p/YZnY8n64nG/
[4] https://paste.ubuntu.com/p/ZZTdfTFDmk/
[5] https://paste.ubuntu.com/p/CkPtncXwFx/
** Affects: squid (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
I want to block all WebSocket connections using Squid. Here are the
configurations:
a) a WebSocket server is running on port 8765 by Python on 10.5.2.132/16 [1]
b) a WebSocket client is running on 10.5.0.204/16 [2]
- c) Squid (Focal 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3]
+ c) Squid (Jammy 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3]
I expected that `http_upgrade_request_protocols WebSocket deny all`
would block all WebSocket connections, but it did not work.
squid still can allow upgrade to websocket
access.log:
1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT
10.5.2.132:8765 - HIER_DIRECT/10.5.2.132 -
-
- When I executed a WebSocket connection from the client to the server and did a tcpdump on the client, I can see the tcpdump results are as [4].
+ When I executed a WebSocket connection from the client to the server and
+ did a tcpdump on the client, I can see the tcpdump results are as [4].
"
GET / HTTP/1.1
Upgrade: websocket
Host: 10.5.2.132:8765
Origin: http://10.5.2.132:8765
Sec-WebSocket-Key: N8tBxe1BeAIoxuP0J6A3bA==
Sec-WebSocket-Version: 13
Connection: Upgrade
2V.4HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: loR4dW7PF7ylnYzp92wOrA2fyr0=
Date: Mon, 24 Apr 2023 02:00:59 GMT
Server: Python/3.6 websockets/9.1
"
Also, the cache.log is as shown in [5].
This should not be a cache issue because the result is the same whether
or not I stop Squid or remove `/var/spool/squid/netdb.state`.
-
[1] https://paste.ubuntu.com/p/jD3BnfmDPZ/
[2] https://paste.ubuntu.com/p/qhxj8s32t4/
[3] https://paste.ubuntu.com/p/YZnY8n64nG/
[4] https://paste.ubuntu.com/p/ZZTdfTFDmk/
[5] https://paste.ubuntu.com/p/CkPtncXwFx/
--
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to squid in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/2017460
Title:
`http_upgrade_request_protocols WebSocket deny all` does not block
websocket
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid/+bug/2017460/+subscriptions
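
Added example, not part of the original report and not Squid's own code: the access.log entry in the report records a CONNECT tunnel, and without TLS interception a proxy relays the bytes inside such a tunnel without parsing them as HTTP, so a WebSocket handshake carried there is never presented to the proxy as an Upgrade request. The Python sketch below scans native-format access.log lines for accepted CONNECT tunnels to ports outside an allow-list; the port set, the function names and every log line except the first are assumptions constructed for illustration.

```python
from typing import NamedTuple, Optional

# Ports where CONNECT is expected (assumption for this example: HTTPS only).
ALLOWED_CONNECT_PORTS = {443}

class Entry(NamedTuple):
    client: str
    result: str   # Squid result code, e.g. TCP_TUNNEL
    status: int   # HTTP status returned to the client
    method: str
    target: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one line of Squid's native access.log format."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    result, _, status = f[3].partition("/")
    if not status.isdigit():
        return None
    return Entry(f[2], result, int(status), f[5], f[6])

def opaque_tunnels(lines, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return accepted CONNECT tunnels whose port is not in allowed_ports.

    Bytes inside these tunnels are relayed unparsed, so request-level
    rules (including Upgrade rules) are not applied to them.
    """
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or e.method != "CONNECT" or e.status != 200:
            continue
        _, _, port = e.target.rpartition(":")
        if not port.isdigit() or int(port) not in allowed_ports:
            hits.append(e)
    return hits

SAMPLE_LOG = [
    # Line taken from the report:
    "1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT 10.5.2.132:8765 - HIER_DIRECT/10.5.2.132 -",
    # Constructed lines for contrast (documentation addresses):
    "1682301950.100 120 10.5.0.204 TCP_TUNNEL/200 5120 CONNECT example.com:443 - HIER_DIRECT/192.0.2.10 -",
    "1682301951.200 0 10.5.0.204 TCP_DENIED/403 3900 CONNECT 10.5.2.132:8765 - HIER_NONE/- text/html",
    "1682301952.300 35 10.5.0.204 TCP_MISS/200 1024 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for e in opaque_tunnels(SAMPLE_LOG):
        print(f"{e.client} -> {e.target}: CONNECT tunnel, contents not inspected")
```

Only the tunnel to port 8765 from the report is flagged; the denied CONNECT and the tunnel to port 443 are not.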