How to adapt raw bytes inside CONNECT tunnels?

Asked by Kelvin

Hello, I am a newbie using eCAP. I have zero knowledge of how to go about this, and the docs don't help much except for removing a particular header. This is my scenario:

USER issues a CONNECT request to Squid Proxy

Squid sends 200 Connection Established, then opens a tunnel

From this point communication is bidirectional without interruption. But quite often, when I check logs, it seems some users also try to prepend a crafted HTTP request to this communication taking place. All I want to do is simply strip it off, then relay the body as it is. Any ideas how to implement that with eCAP, please?

Alex Rousskov (rousskov) said :

eCAP works on HTTP traffic (and any traffic that the host application converts to HTTP-like messages). After a CONNECT tunnel is established through the proxy, unless the proxy is doing a MitM attack on the tunnel (e.g., SslBump in Squid), the traffic is no longer HTTP. From the proxy point of view, it is just raw bytes being shoveled back-and-forth. There are no HTTP headers. There are no HTTP bodies. There are no HTTP messages. eCAP does not work on raw bytes.

There have been a few half-baked proposals regarding mapping of raw tunnel bytes to HTTP messages so that eCAP can process them, but that is a question for your host application, not eCAP itself.
