Transparent HTTPS & Parent proxy

I have several clients that cannot be reconfigured to use a PAC file or
proxy, their traffic must be intercepted.  They are all behind a Cisco
firewall.  I've set up WCCP and am intercepting both the HTTP and
HTTPS traffic, using two different service groups and two different
proxy ports.

One problem I had with the Cisco firewall was that it insisted on having
the Squid proxy on the same network as the other clients.  Since I do
not want that network to have direct access to the Internet, I'm chaining
the local squid to another squid process on a different network.  It looks
like
    client -> squid1 -> squid2 -> internet
where the squid1 process is picking up the traffic via WCCP and squid2
is a cache_peer (parent) of squid1.

It all works well for HTTP traffic, but I have yet to get HTTPS traffic to
work.  WCCP is intercepting the traffic and squid1 is seeing it, but an
error page is returned to the client saying "Unsupported Request
Method and Protocol".

I've tried both
    https_port 4433 cert=myCA.pem intercept
and
    https_port 4433 cert=myCA.pem intercept ssl-bump
but I get the same behaviour with both.
I do have
    ssl_bump allow all
    never_direct allow all
in the configuration.

Am I missing something simple?  Is it just not possible yet with a parent
proxy?  I realize the request will have to be converted from a GET to a
CONNECT.  It would not surprise me if the conversion hasn't been
implemented yet.

This is with squid 3.2.1.

Mike Mitchell
Mike.Mitchell@xxxxxxx



