On Wed, 2007-11-07 at 12:45 +0900, Adrian Chadd wrote:
> On Tue, Nov 06, 2007, Dalibor Dukic wrote:
> > Hi,
> >
> > I configured a transparent squid box and WCCPv2 with a CISCO 6k5. After some
> > time I noticed that clients have problems with HTTPS sites. If I
> > manually configure the proxy setting in the browser and bypass WCCP everything
> > goes OK.
> >
> > I'm using the standard service group (web-cache). Maybe some web servers
> > check that HTTP and HTTPS requests are coming with the same source address
> > and block HTTPS access. Clients and squid are on public addresses and
> > these requests come with different source IPs. I can't change this and
> > put clients and squid boxes behind a NAT machine. :(
> > Has anyone noticed the same behavior?
> > Maybe I can set up a service group with ports 80 and 443 so I can resolve
> > the issues with different IPs, is this correct?
>
> Squid doesn't currently handle transparently intercepting SSL, even for
> the situation you require above.

OK, but when I put proxy settings manually in the browser even for SSL,
SQUID will just start passing data from client to server. I can't do
this with WCCP?

> You should investigate the TPROXY Squid integration which, when combined
> with a correct WCCPv2 implementation and compatible network design,
> will allow your requests to look like they're coming from your client
> IPs.

Does TPROXY functionality require any modification to kernel code,
especially the netfilter part? I think this would solve the problems I am
facing. I'll try this if this is the only solution and give info to the group.

> The other alternative is to write or use a very basic TCP connection proxy
> which will handle transparently intercepted connections and just connect
> to the original destination server. This will let the requests "come from"
> the same IP as the proxy.

Thank you, Adrian
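
The "very basic TCP connection proxy" suggested in the quoted reply, sketched as an added example (not part of the original thread and not Squid code). It assumes a Linux box where a netfilter REDIRECT rule sends the intercepted port-443 traffic to local port 3130 (an assumed port), and it relays the TLS bytes unmodified, so the origin server sees the proxy's IP as the source.

```python
import socket, struct, threading

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; not exported by the socket module

def parse_sockaddr_in(raw):
    """Decode struct sockaddr_in: family(2) port(2, network order) addr(4) pad(8)."""
    port = struct.unpack_from("!H", raw, 2)[0]
    return socket.inet_ntoa(raw[4:8]), port

def original_dst(conn):
    """Pre-NAT destination of a connection redirected by netfilter (Linux, IPv4)."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client):
    try:
        dst = original_dst(client)
        # A client that connected to the relay directly has the relay itself as its
        # "original destination"; refuse it, or the relay would connect to itself.
        if dst == client.getsockname():
            return
        with socket.create_connection(dst, timeout=10) as upstream:
            upstream.settimeout(None)
            back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            back.start()
            pump(client, upstream)  # TLS bytes pass through untouched
            back.join()
    except OSError:
        pass  # no conntrack entry for this socket, or upstream unreachable
    finally:
        client.close()

def serve(port=3130):  # 3130 is an assumed port, the target of the REDIRECT rule
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

The relay should listen only on the interface that receives the redirected traffic and be firewalled from everything else, since it will connect to whatever destination the connection tracking entry names.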