Thanks Amos for your reply.

> Hello Everyone!
>
> I have a query regarding the implementation of WCCPv2 with a Squid Proxy
> (v3.1). We have enabled WCCP on a Cisco 6500 switch. The requirement is
> requests coming from a particular IP need to be redirected to the Squid
> Proxy which would then forward the request to another proxy (hierarchical
> proxies). We have been able to set it up for HTTP requests but are running
> into problems with HTTPS.
>
> We don't see any HTTPS requests being redirected by the switch to the Squid
> Proxy. Network team has verified the WCCP configuration on the switch with
> Cisco forum and that has been confirmed to be correct.
>
> Configuration is:
>
> Service Identifier 70 and web-cache (http) configured on the switch.
>
> GRE tunnel set up between switch and Squid Proxy.
>
> Using iptables to redirect traffic to Squid port.
>
> Squid Configuration:
>
> http_port 3128 transparent

This port is HTTP-only. Use:

  https_port 3128 intercept

and better yet, use something other than a well-known port 3128 for the
high-risk interception port.

<Akshay> I tried that with some self-signed certs configured but still nothing
being redirected by the switch. Will change the port number as well.

> wccp2_router <router_ip>
> wccp2_service standard 0
> wccp2_service dynamic 70
> wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
>
> wccp2_assignment_method mask
> wccp2_forwarding_method 1
> wccp2_return_method 1
>
> I have taken Wireshark traces and can see both the "here I am" and "I see
> you" packets being exchanged for HTTP and for port 443. However for port 443,
> I see the service id being sent as unknown. Is that correct? Or should it be
> setting it as 70?

.. or "0" as configured by "wccp2_service standard 0"

<Akshay> Yes, service id for HTTP is being sent properly but for 443, not sure
why it is being sent as unknown.
> Are we missing something in the configuration that is causing the switch to
> not redirect HTTPS packets?
>
> Also, wanted to confirm that if this works, would the HTTPS request be
> coming over to Squid as HTTP, meaning like an HTTP CONNECT message to set up
> the connection before the SSL exchange?

No. WCCP is just a way of routing particular packets. The packets themselves
are completely unchanged when they arrive at the Squid box. You still need the
NAT/TPROXY intercept mechanisms (iptables and Squid's "intercept" mode flag)
and SSL/TLS decryption mechanisms (https_port and its SSL settings) to do
anything with them.

<Akshay> That's kind of what I was trying to avoid. Don't want Squid to
terminate the SSL. Wanted to mock the way it would work as if configured as a
proxy on a browser.

Amos

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-configuration-for-wccp-https-requests-tp4434613p4435039.html
Sent from the Squid - Users mailing list archive at Nabble.com.
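As an added check that is not part of the exchange above and not code from Squid or from either poster: a small Python script that parses the port and wccp2_* directives of a squid.conf and reports the mismatches Amos points at, namely a WCCP service that redirects TCP/443 while the only interception port is an HTTP-only http_port, the old "transparent" flag, interception on the well-known port 3128, and a dynamic service with no wccp2_service_info line. The two embedded configs are constructed samples: the first reproduces the posted directives with a placeholder router address, the second applies the advice in the reply; its port numbers and cert path are assumptions, not values from the thread.

```python
"""Sanity-check the WCCPv2 interception lines of a squid.conf.

Added example for this thread, not code from Squid or from either poster.
It parses the port and wccp2_* directives and reports the mismatches the reply
points at: a service that redirects TCP/443 with no https_port in intercept
mode, the old 'transparent' flag, interception on a well-known proxy port, and
a dynamic service with no wccp2_service_info line.
"""
from dataclasses import dataclass, field

# Constructed sample: the directives as posted, with a placeholder router IP.
POSTED_CONF = """\
http_port 3128 transparent
wccp2_router 192.0.2.1
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
wccp2_assignment_method mask
wccp2_forwarding_method 1
wccp2_return_method 1
"""

# Constructed sample following the reply: a separate https_port in intercept
# mode, both interception ports moved off 3128. The port numbers and the cert
# path are assumptions, not values from the thread.
CORRECTED_CONF = """\
http_port 3129 intercept
https_port 3130 intercept cert=/etc/squid/intercept.pem
wccp2_router 192.0.2.1
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
wccp2_assignment_method mask
wccp2_forwarding_method 1
wccp2_return_method 1
"""

INTERCEPT_FLAGS = {"intercept", "transparent"}
WELL_KNOWN_PROXY_PORTS = {3128, 8080}


@dataclass
class WccpSetup:
    http_ports: list = field(default_factory=list)    # [(port, {flags})]
    https_ports: list = field(default_factory=list)   # [(port, {flags})]
    dynamic_services: set = field(default_factory=set)
    service_info: dict = field(default_factory=dict)  # id -> {"protocol", "ports"}


def parse_conf(text):
    """Collect the port and wccp2_* directives; every other line is ignored."""
    setup = WccpSetup()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, *args = line.split()
        if directive in ("http_port", "https_port") and args:
            # First arg is [addr:]port; the rest are flags or key=value options.
            port = int(args[0].rsplit(":", 1)[-1])
            flags = {a.split("=", 1)[0] for a in args[1:]}
            target = setup.http_ports if directive == "http_port" else setup.https_ports
            target.append((port, flags))
        elif directive == "wccp2_service" and len(args) == 2 and args[0] == "dynamic":
            setup.dynamic_services.add(int(args[1]))
        elif directive == "wccp2_service_info" and args:
            kv = dict(a.split("=", 1) for a in args[1:] if "=" in a)
            ports = {int(p) for p in kv.get("ports", "").split(",") if p}
            setup.service_info[int(args[0])] = {"protocol": kv.get("protocol", "tcp"), "ports": ports}
    return setup


def check_setup(setup):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for port, flags in setup.http_ports + setup.https_ports:
        if "transparent" in flags:
            findings.append(f"port {port}: 'transparent' is the old spelling of 'intercept'")
        if flags & INTERCEPT_FLAGS and port in WELL_KNOWN_PROXY_PORTS:
            findings.append(f"port {port}: interception on a well-known proxy port; move it elsewhere")
    for sid in sorted(setup.dynamic_services - set(setup.service_info)):
        findings.append(f"wccp2_service dynamic {sid} has no matching wccp2_service_info line")
    http_ok = any(f & INTERCEPT_FLAGS for _, f in setup.http_ports)
    https_ok = any(f & INTERCEPT_FLAGS for _, f in setup.https_ports)
    for sid, info in sorted(setup.service_info.items()):
        if 443 in info["ports"] and not https_ok:
            findings.append(f"service {sid} redirects TCP/443 but no https_port is in intercept mode; "
                            "an http_port only speaks plain HTTP")
        if 80 in info["ports"] and not http_ok:
            findings.append(f"service {sid} redirects TCP/80 but no http_port is in intercept mode")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("corrected", CORRECTED_CONF)):
        print(f"{name}: {check_setup(parse_conf(conf)) or ['ok']}")
```

Run it against the real squid.conf with `check_setup(parse_conf(open("/etc/squid/squid.conf").read()))`; the posted fragment yields three findings, the corrected one none. The script only looks at Squid's side, so it cannot tell whether the switch actually redirects 443 or whether the GRE and iptables rules on the Squid box deliver those packets to the https_port; that part still needs the packet captures the thread describes.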