Re: Squid configuration for wccp https requests

On 01.03.2012 23:30, akshaygujar wrote:
Hello Everyone!

I have a query regarding the implementation of WCCPv2 with a Squid Proxy (v3.1). We have enabled WCCP on a Cisco 6500 switch. The requirement is that requests coming from a particular IP need to be redirected to the Squid Proxy, which would then forward the request to another proxy (hierarchical proxies). We have been able to set it up for HTTP requests but are running into problems with HTTPS.

We don't see any HTTPS requests being redirected by the switch to the Squid Proxy. The network team has verified the WCCP configuration on the switch with the Cisco forum, and that has been confirmed to be correct.

Configuration is:

Service Identifier 70 and web-cache(http) configured on the switch.

GRE Tunnel setup between switch and squid Proxy

Using iptables to redirect traffic to squid port

Squid Configuration:

http_port 3128 transparent

This port is HTTP-only.

Use:
 https_port 3128 intercept


and better yet, use something other than a well-known port 3128 for the high-risk interception port.


wccp2_router <router_ip>
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443

wccp2_assignment_method mask
wccp2_forwarding_method 1
wccp2_return_method 1



I have taken Wireshark traces and can see both the "here I am" and "I see you" packets being exchanged for HTTP and for port 443. However, for port 443, I see the service id being sent as unknown. Is that correct, or should it be setting it as 70?

.. or "0" as configured by "wccp2_service standard 0 "


Are we missing something in the configuration that is causing the switch to not redirect HTTPS packets?

Also, I wanted to confirm that if this works, would the HTTPS request be coming over to Squid as HTTP, meaning like an HTTP CONNECT message to set up the connection before the SSL exchange?

No. WCCP is just a way of routing particular packets. The packets themselves are completely unchanged when they arrive at the Squid box. You still need the NAT/TPROXY intercept mechanisms (iptables and squid's "intercept" mode flag) and SSL/TLS decryption mechanisms (https_port and its SSL settings) to do anything with them.

Amos
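As an added illustration of the two points made in this reply (an HTTP-only listener cannot serve a port-443 WCCP service, and the interception port should not be the well-known 3128), here is a small squid.conf lint that flags exactly those mismatches. It is example code written for this archive page, not part of Squid or of either poster's message; the router address and the port numbers in the "fixed" fragment are constructed placeholders.

```python
import re

# Constructed squid.conf fragment mirroring the one in the thread: a port-443
# WCCP service is announced, but the only listener is an HTTP-only http_port.
POSTED_CONF = """\
http_port 3128 transparent
wccp2_router 192.0.2.1
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
wccp2_assignment_method mask
wccp2_forwarding_method 1
wccp2_return_method 1
"""

# Same fragment with the fix suggested in the reply (hypothetical port numbers).
FIXED_CONF = POSTED_CONF.replace(
    "http_port 3128 transparent", "http_port 3127 intercept\nhttps_port 3129 intercept")

def parse_directives(conf):
    """Yield (directive, args) pairs, skipping blank lines and # comments."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def check_wccp_https(conf):
    """Return findings for the mismatches discussed in the thread."""
    directives = list(parse_directives(conf))
    findings = []
    # 'transparent' is treated here as the older spelling of 'intercept'.
    listeners = [(n, a) for n, a in directives
                 if n in ("http_port", "https_port") and {"intercept", "transparent"} & set(a)]
    has_https_intercept = any(n == "https_port" for n, _ in listeners)
    for name, args in directives:
        if name != "wccp2_service_info":
            continue
        ports = set()
        for m in (re.match(r"ports=([\d,]+)$", arg) for arg in args[1:]):
            if m:
                ports.update(m.group(1).split(","))
        if "443" in ports and not has_https_intercept:
            findings.append(f"service {args[0]}: port 443 redirected, but no https_port ... intercept listener")
    for name, args in listeners:
        if args[0].rsplit(":", 1)[-1] == "3128":
            findings.append(f"{name} 3128: interception listener on the well-known proxy port")
    return findings
```

Running `check_wccp_https` over the posted fragment yields the two findings above; over the fixed fragment it yields none.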

