How to adapt raw bytes inside CONNECT tunnels?

Asked by Kelvin on 2016-08-06

Hello, I am a newbie using eCAP. I have zero knowledge of how to go about this, and the docs don't help much except for removing a particular header. This is my scenario:

USER issues a CONNECT request to Squid Proxy

Squid sends 200 Connection Established, then opens a tunnel

From this point communication is bidirectional without interruption. But very often, when I check the logs, it seems some users also try to prepend a crafted HTTP request to this communication taking place. All I want to do is simply strip it off, then relay the body as it is. Any ideas how to implement that with eCAP, please?

Thanks

Question information

Language: English
Status: Answered
For: eCAP
Assignee: No assignee
Last query: 2016-08-06
Last reply: 2016-08-08
Alex Rousskov (rousskov) said: #1

eCAP works on HTTP traffic (and any traffic that the host application converts to HTTP-like messages). After a CONNECT tunnel is established through the proxy, unless the proxy is doing a MitM attack on the tunnel (e.g., SslBump in Squid), the traffic is no longer HTTP. From the proxy point of view, it is just raw bytes being shoveled back-and-forth. There are no HTTP headers. There are no HTTP bodies. There are no HTTP messages. eCAP does not work on raw bytes.

There have been a few half-baked proposals regarding mapping of raw tunnel bytes to HTTP messages so that eCAP can process them, but that is a question for your host application, not eCAP itself.
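To make the answer concrete: the bytes the asker wants to strip are the first bytes a client sends after the proxy's "200 Connection Established", and, as explained above, eCAP never sees them as an HTTP message. Any check on them has to live in the host application's tunnel code (or in a separate tunnel-aware tool), not in an eCAP adapter. The following is an added illustration of what such a check looks like; it is not eCAP or Squid code, and the sample payloads are constructed for the example. It recognises a prepended HTTP/1.x request head (honouring a Content-Length body, and refusing to decide on an incomplete head) and distinguishes it from a TLS ClientHello record, which is what a CONNECT tunnel normally carries. Whether to strip or merely log such a prefix is a policy decision: a client that deliberately speaks plain HTTP to the origin through the tunnel would be broken by stripping, so the example returns the classification and lets the caller decide.

```python
import re

# Constructed sample tunnel payloads (not captured from a real deployment).
# A TLS record header: content type 0x16 (handshake), version 3.x, handshake type 0x01.
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# A client that prepends a crafted HTTP request head before its real (TLS) payload.
SAMPLE_WITH_PREFIX = (
    b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n" + SAMPLE_TLS
)
# A prepended request that also carries a body, announced via Content-Length.
SAMPLE_WITH_BODY = b"POST /x HTTP/1.1\r\nContent-Length: 3\r\n\r\nabc" + SAMPLE_TLS

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")
# request-line = method SP request-target SP HTTP-version CRLF (RFC 7230 shape)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def split_prepended_http(data):
    """Return (prefix, remainder).

    If data starts with a complete HTTP/1.x request head (plus any Content-Length
    body), prefix is that request and remainder is what follows it.  Otherwise
    prefix is None and remainder is data unchanged.  An incomplete head or body
    also yields None: the caller must wait for more bytes rather than guess.
    """
    m = REQUEST_LINE.match(data)
    if not m or m.group(1) not in HTTP_METHODS:
        return None, data
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return None, data  # request line seen, but the head is not complete yet
    head_end = end + 4
    body_len = 0
    for line in data[:head_end].split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            try:
                body_len = int(value.strip())
            except ValueError:
                return None, data  # malformed length: do not guess a cut point
    cut = head_end + body_len
    if len(data) < cut:
        return None, data  # body not fully received yet
    return data[:cut], data[cut:]


def looks_like_tls_client_hello(data):
    """True if data begins with a TLS handshake record carrying a ClientHello."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[5] == 0x01)


def classify_first_bytes(data):
    """Classify the first client bytes of a tunnel.

    Returns ("http-prefix", remainder) when a crafted HTTP request precedes the
    real payload, ("tls", data) for a ClientHello, else ("opaque", data).
    """
    prefix, remainder = split_prepended_http(data)
    if prefix is not None:
        return "http-prefix", remainder
    if looks_like_tls_client_hello(data):
        return "tls", data
    return "opaque", data


if __name__ == "__main__":
    for label, sample in (("tls", SAMPLE_TLS), ("prefix", SAMPLE_WITH_PREFIX),
                          ("body", SAMPLE_WITH_BODY)):
        kind, rest = classify_first_bytes(sample)
        print(label, kind, rest[:6].hex())
```

The classification deliberately refuses to cut on a partial head: tunnel reads are arbitrary chunks, and a stripper that acts on "GET /" before the terminating empty line has arrived would either corrupt the stream or be trivially bypassed by a client that sends the head in two segments.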
