Re: squid and wccp2


On 26/05/11 01:38, Daniel Anliker wrote:
hi,

we have a problem with squid 3.1.6 (debian 6.0.1) and wccp2.

the normal http traffic works like it should with:

wccp2_router 192.168.200.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

but we also like to have some other ports on the squid.

i tried with:

wccp2_service dynamic 60
wccp2_service dynamic 61

wccp2_service_info 60 protocol=tcp priority=240 ports=20,21

Squid is an HTTP proxy. It does not accept native FTP traffic. Only gateway HTTP client browsers to FTP servers.

We recommend frox proxy for FTP interception.

wccp2_service_info 61 protocol=tcp priority=240 ports=443

the provider has configured Service numbers 60, 61 on the cisco firewall
and i can see with tcpdump some traffic from the gre interface for these
ports.
but the client gets a timeout on https sites, is there anything else i
have to configure on squid ?

HTTPS was created to prevent people intercepting HTTP. Expect major problems when you try to wire-tap/intercept it.

 * Get yourself a good lawyer.
 * configure an https_port to receive and decrypt the traffic.
 * install CA certificates on all client machines so they will accept your forged (single) Squid certificate as real for the (many) sites they visit.
 * do something to the client browsers so they ignore the security vulnerability errors when your certificate fails to contain the low-level details about the destination IP:port:domain they think they are connecting to.

OR

 * Use PAC to take up the failover properties WCCP added.
 * Use WPAD and other methods to automatically configure the client browsers to use the proxy.
 * ssl-bump their CONNECT requests as they arrive.

This will help:
 (http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers)

The Debian default packages are also not built with HTTPS encrypt/decrypt support, due to policy reasons. They can relay CONNECT requests but that is all.


i also tested that it works when i configure the proxy in the browser
everything works ...

Good.

When configured to be aware of the proxy, client browsers will send HTTPS and FTP URLs through to Squid for handling. They also allow much more to be done with the traffic.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.7 and 3.1.12.1
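
A PAC file for the second option in the reply above (explicit proxy configuration with failover, instead of WCCP interception). This is an added example, not part of the original message; the proxy host names, port 3128, the fail-closed default and the local-bypass rules are assumptions.

```javascript
// Added example (not from the original thread). Proxy host names and port
// are placeholders; replace them with your own Squid instances.
var PROXIES = ["proxy1.example.internal:3128", "proxy2.example.internal:3128"];

// Set to true only if policy allows clients to bypass the proxy when every
// Squid instance is unreachable; false fails closed.
var ALLOW_DIRECT_FALLBACK = false;

// True for unqualified names, loopback and RFC 1918 IPv4 literals.
function isLocalDestination(host) {
  // Unqualified name such as "intranet"; IPv6 literals contain ":" and
  // are deliberately not treated as local here.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (host === "127.0.0.1") return true;
  var m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Builds the ordered list the browser walks: it tries the first proxy and
// moves to the next if that one does not answer. This is the failover
// behaviour WCCP provided.
function proxyChain() {
  var parts = [];
  for (var i = 0; i < PROXIES.length; i++) parts.push("PROXY " + PROXIES[i]);
  if (ALLOW_DIRECT_FALLBACK) parts.push("DIRECT");
  return parts.join("; ");
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalDestination(host)) return "DIRECT";
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // http: is proxied, https: reaches Squid as CONNECT, ftp: is gatewayed.
  if (scheme === "http" || scheme === "https" || scheme === "ftp") return proxyChain();
  return "DIRECT";
}
```

Serve the file with MIME type application/x-ns-proxy-autoconfig so browsers accept it as a PAC script.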

