Squid transparent proxy blocks skype calls
-
I have discovered an issue with squid3-dev (3.3.10 pkg 2.2.6) and skype. I have just set it up in transparent mode with SSL intercept enabled; once I got it working for web content, I've found that I am unable to make calls with skype. When I try to do so, the log shows multiple instances of "error:invalid-request" status "NONE/400" (no destination IP). Is there a workaround for this? Google didn't help me this time.
-
So you have discovered a sure-fire way to block skype? Publish it…
-
Har har. Only if I can make money from it somehow.
Further detail: it's not just calls. Skype signs in and I can search the directory for users but I can't make calls or send messages.
-
It's been a while since I ran a transparent proxy, but it seems like at the time I was able to exempt certain PCs by putting them in a separate VLAN.
Squid always caused me more pain than it was worth at home.
-
Disabling SSL intercept solves the problem. I suspect that what's happening is when Squid gets the decrypted HTTPS traffic, it looks at it and says "this doesn't make any damn sense, get lost". Supporting this theory, when I'm watching the real time URL information when SSL intercept is enabled, when skype is trying to make a call I will occasionally see, instead of normal URLs, strings of gibberish and/or large quantities of encoded characters (e.g. "%3E%A0%E7%95%D2%DE%FE%A3Q%92%FE%B2@%B9%7F%%5D%5BX;%E4%23%EC7@%95%F7%B4%D4%97q%17%E4AJ%BF%5E(%9F%F1%9At")
-
My opinion is that using squid for anything other than HTTP is complete folly.
-
Squid has a "Bypass proxy for these destination IPs" exemption. Perhaps that would work?
-
Skype appears to use HTTPS for much of its connectivity. I expect that it exchanges keys for the call over HTTPS before switching to UDP with encrypted payloads or something like that to send the audio/video.
Disabling for specific destination IPs isn't practical - I would have to know what IP addresses any of my friends had who I wanted to call/talk to.
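-
An added example, not part of the original thread: a small log triage script that counts, per client IP, the two symptoms reported above (NONE/400 entries with "error:invalid-request", and request URLs that are mostly percent-encoded bytes), to show which hosts are sending non-HTTP traffic into the SSL intercept. It assumes Squid's default native access.log field order; the log lines, the `min_hits` threshold and the 50% escape ratio are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access.log layout (not from the thread).
SAMPLE_LOG = """\
1390000001.101    212 192.168.1.20 TCP_MISS/200 5120 GET https://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1390000002.330      0 192.168.1.45 NONE/400 3896 NONE error:invalid-request - HIER_NONE/- text/html
1390000002.912      0 192.168.1.45 NONE/400 3896 NONE error:invalid-request - HIER_NONE/- text/html
1390000003.004     95 192.168.1.20 TCP_MISS/200 812 GET https://www.example.com/a.css - HIER_DIRECT/203.0.113.10 text/css
1390000004.518      1 192.168.1.45 NONE/400 3950 NONE %3E%A0%E7%95%D2 - HIER_NONE/- text/html
1390000005.777      0 192.168.1.61 NONE/400 3896 NONE error:invalid-request - HIER_NONE/- text/html
"""

ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def looks_binary(url):
    """True when more than half of the URL's characters belong to %XX escapes."""
    return bool(url) and 3 * len(ESCAPE.findall(url)) / len(url) > 0.5


def non_http_clients(log_text, min_hits=2):
    """Return {client_ip: count} for clients whose requests Squid could not parse as HTTP."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        # Native format: time elapsed client code/status bytes method URL ...
        client, status, url = fields[2], fields[3], fields[6]
        rejected = status == "NONE/400" and url == "error:invalid-request"
        if rejected or looks_binary(url):
            hits[client] += 1
    # Ignore one-off errors; repeated hits suggest an application, not a stray packet.
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in sorted(non_http_clients(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unparseable requests, candidate for an SSL-intercept exemption")
```

Hosts that show up here repeatedly are the ones to consider exempting by source, as suggested earlier in the thread, rather than by destination IP.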