`http_upgrade_request_protocols WebSocket deny all` does not block websocket
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
squid (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I want to block all WebSocket connections using Squid. Here are the configurations:
a) a WebSocket server is running on port 8765 by Python on 10.5.2.132/16 [1]
b) a WebSocket client is running on 10.5.0.204/16 [2]
c) Squid (Jammy 5.2-1ubuntu4.3) is running on 10.5.1.201/16 with configs as [3]
I expected that `http_upgrade_
squid still can allow upgrade to websocket
access.log:
1682301945.941 14 10.5.0.204 TCP_TUNNEL/200 285 CONNECT 10.5.2.132:8765 - HIER_DIRECT/
When I executed a WebSocket connection from the client to the server and did a tcpdump on the client, I can see the tcpdump results are as [4].
"
GET / HTTP/1.1
Upgrade: websocket
Host: 10.5.2.132:8765
Origin: http://
Sec-WebSocket-Key: N8tBxe1BeAIoxuP
Sec-WebSocket-
Connection: Upgrade
2V.4HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-
Date: Mon, 24 Apr 2023 02:00:59 GMT
Server: Python/3.6 websockets/9.1
"
Also, the cache.log is as shown in [5].
This should not be a cache issue because the result is the same whether or not I stop Squid or remove `/var/spool/
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
description: | updated |
Changed in squid (Ubuntu): | |
status: | Triaged → Invalid |
Hi Chuan,
Thanks for reporting this bug and trying to make Ubuntu better.
First, thank you for providing the scripts/ configs/ logs you were using in your tests, that's really helpful. I took a quick look to see if there is no issue with your config, and apparently (after reading the upstream documentation) your squid config seems correct. After that I tried to reproduce the issue using your scripts. Set up the server and client in separate containers but when executing the code I am getting this traceback:
--- request header --- 10.96.142. 135:8765 SwWPXxg= = Version: 13
GET / HTTP/1.1
Upgrade: websocket
Host: 10.96.142.135:8765
Origin: http://
Sec-WebSocket-Key: YPwIzSwWL9qXAJ/
Sec-WebSocket-
Connection: Upgrade
------- ------- ------- -- connect( "ws://10. 96.142. 135:8765" ) python3/ dist-packages/ websocket/ _core.py" , line 253, in connect handshake_ response = handshake( self.sock, *addrs, **options) python3/ dist-packages/ websocket/ _handshake. py", line 57, in handshake headers( sock) python3/ dist-packages/ websocket/ _handshake. py", line 141, in _get_resp_headers python3/ dist-packages/ websocket/ _http.py" , line 315, in read_headers python3/ dist-packages/ websocket/ _socket. py", line 134, in recv_line python3/ dist-packages/ websocket/ _socket. py", line 113, in recv python3/ dist-packages/ websocket/ _socket. py", line 90, in _recv Error: [Errno 104] Connection reset by peer
--- response header ---
Traceback (most recent call last):
File "/root/2.py", line 17, in <module>
ws.
File "/usr/lib/
self.
File "/usr/lib/
status, resp = _get_resp_
File "/usr/lib/
status, resp_headers, status_message = read_headers(sock)
File "/usr/lib/
line = recv_line(sock)
File "/usr/lib/
c = recv(sock, 1)
File "/usr/lib/
bytes_ = _recv()
File "/usr/lib/
return sock.recv(bufsize)
ConnectionReset
So I was not able to reproduce what you described locally. However, after checking the package, I believe none of the changes in the package should impact the scenario you are trying to implement, if this is a real issue I think you should try to report upstream and see what squid maintainers have to say. In case you do that, please link the upstream bug report here so we can track it.