Sure.

Squid 3 WCCP key config part:

# WCCPv2 parameters
wccp2_router 192.168.200.2
wccp2_forwarding_method l2
wccp2_return_method l2
wccp2_service standard 0
wccp2_rebuild_wait off
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240 ports=443

Cisco config key parts:

!
ip wccp web-cache redirect-list 120
ip wccp 70 redirect-list 121
!
!
! This interface looks to Squid proxy (internal networks on another interface)
interface GigabitEthernet0/1
 ip address 192.168.200.2 255.255.255.0
 ip wccp web-cache redirect out
 ip wccp 70 redirect out
 ip nbar protocol-discovery
 ip virtual-reassembly in
 duplex auto
 speed auto
!
access-list 120 remark ACL for HTTP WCCP
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.200.3 any
access-list 120 remark LAN clients proxy port 80
access-list 120 permit tcp 192.168.0.0 0.0.255.255 any eq www
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
!
access-list 121 remark ACL for HTTPS WCCP
access-list 121 remark Squid proxies bypass
access-list 121 deny ip host 192.168.200.3 any
access-list 121 remark LAN clients proxy port 443
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
access-list 121 remark all others bypass WCCP
access-list 121 deny ip any any
!

That's all. :)

31.12.2014 2:10, Rafael Akchurin wrote:
> Glad that it worked.
>
> May be useful to dump here your squid.conf to better understand how to configure squid to transparently work with wccp traffic coming from your Cisco router?
>
> Raf
>
> From: Yuri Voinov [mailto:yvoinov@xxxxxxxxx]
> Sent: Tuesday, December 30, 2014 8:48 PM
> To: Rafael Akchurin; squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Squid 3 SSL bump: Google drive application could not connect
>
> Already found this lonely right post ;) I have Google-Fu too :) And it longer than you :)
>
> Anyway, all of these issues are solved.
>
> I have snoop (not Windoze wireshark - all great things are made in the console, ya!) and took a look at single client traffic during bumping.
>
> As I don't have iptables (no penguins, please!), but I have a Cisco 2911, I pass some Windows Update, Symantec Update (which does not work either) bypassing Squid.
>
> Cisco is greatest. All others are probably suxx :)
>
> The complete solution looks like:
>
> access-list 121 remark ACL for HTTPS WCCP
> access-list 121 remark Squid proxies bypass
> access-list 121 deny ip host 192.168.200.3 any
> access-list 121 remark WU bypass
> access-list 121 deny tcp any 191.232.0.0 0.7.255.255
> access-list 121 deny tcp any 65.52.0.0 0.3.255.255
> access-list 121 remark Symantec bypass
> access-list 121 deny tcp any host 195.215.221.99
> access-list 121 deny tcp any host 195.215.221.104
> access-list 121 deny tcp any host 213.248.114.172
> access-list 121 deny tcp any host 213.248.114.173
> access-list 121 deny tcp any host 213.248.114.174
> access-list 121 deny tcp any host 213.248.114.175
> access-list 121 deny tcp any host 77.67.22.168
> access-list 121 deny tcp any host 77.67.22.171
> access-list 121 deny tcp any host 77.67.22.173
> access-list 121 deny tcp any host 213.248.114.171
> access-list 121 remark LAN clients proxy port 443
> access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443
> access-list 121 remark all others bypass WCCP
> access-list 121 deny ip any any
>
> So, all other issues are solved similarly.
>
> Want to do something good - do it yourself!
>
> That's the way. :)
>
> 30.12.2014 23:39, Rafael Akchurin wrote:
> > Hello Yuri,
> >
> > Luckily the same topic was just discussed on our forum – please see if this can help
> > https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ
> >
> > It describes the iptables settings for successful SSL bump exclusions for Dropbox clients / Google Drive / iTunes (bypassing SSL Bump because of SSL Pinning).
> >
> > Best regards,
> > Raf
> >
> > From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Rafael Akchurin
> > Sent: Tuesday, December 30, 2014 4:23 PM
> > To: Yuri Voinov; squid-users@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: Squid 3 SSL bump: Google drive application could not connect
> >
> > Only exclusion from SSL Bump as far as I know.
> >
> > raf
> >
> > -------------------------
> > From: Yuri Voinov <yvoinov@xxxxxxxxx>
> > Sent: Tuesday, December 30, 2014 3:19 PM
> > To: Rafael Akchurin; squid-users@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: Squid 3 SSL bump: Google drive application could not connect
> >
> > Maybe.
> >
> > Does a workaround exist?
> >
> > 30.12.2014 20:09, Rafael Akchurin wrote:
> > > SSL Pinning? (I know Dropbox does this)
> > >
> > > my two cents only :)
> > >
> > > Raf
> > >
> > > ________________________________________
> > > From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> on behalf of Yuri Voinov <yvoinov@xxxxxxxxx>
> > > Sent: Tuesday, December 30, 2014 2:12 PM
> > > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > Subject: Squid 3 SSL bump: Google drive application could not connect
> > >
> > > Hi gents,
> > >
> > > I found a strange issue.
> > >
> > > Squid 3.4.10. Intercept. HTTPS bumping. All works fine. All configs correct.
> > >
> > > Whenever all web https sites work perfectly - especially in Chrome, most cloud clients work like a charm (SpiderOak is!), Google Drive client application (PC) could not work.
> > >
> > > Note: Web Google Docs works. Web Google drive works.
> > >
> > > Note: Google support info - even if I pass a dozen Google URLs without bump - cannot help. It doesn't work when server-first bumping is on and works otherwise.
> > >
> > > So, the Serious Question is: Why? :)
> > >
> > > Any idea?
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users