Re: Cisco ASA with transparent Squid with HTTP/HTTPS filtering

Yuri Voinov <yvoinov@xxxxxxxxx> · Wed, 14 Dec 2016 22:10:43 +0600



    14.12.2016 21:59, Yuri Voinov пишет:

    
      14.12.2016 21:08, Rafael Akchurin
        пишет:

      
          Hello everyone,
           
          After pulling all my hair out and reading
            every possible howto on the Internet for Cisco ASA
            integration with Squid using WCCP I have decided to write my
            own. The how to is at https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html.
            Please note it is aimed at those with minimal admin skills
            and contains every single step thoroughly described (mostly
            for myself not to forget anything).
        
      
    Raf, one more note. WCCP is never be easy for junior admins.
    Especially with minimal admin skills. As by ASA ;) And (by my own
    opinion) Squid + WCCP for any infrastructure never been simple task
    and will never be simple task. ;) Warn you readers, not mislead
    them, though it is a very simple task.

    
          May I get your opinions/ideas if what is
            written is good enough for the novice admin?
           
          Moreover several question remain:
           
          1.      Does
            Squid perform fake CONNECT requests with SNI info instead of
            raw IP like I am seeing now?
          2.      Why
            HTTPS redirection only works with “wccp2_service_info 70
            protocol=tcp flags=dst_ip_hash priority=240
            ports=443” (all other flags from wccp configuration section
            in squid.conf do not work).
        
      
      Because of ASA is router. Cisco routers uses HASH as assignment
      method.

      
          3.      How
            to bypass connections from workstations to specific remote
            sites by FQDN on Cisco ASA? 
        
      
      In fact this will occurs by IP anyway. Cisco devices do DNS lookup
      and saves IP's in config instead of FQDN.

      
          4.      Or
            maybe it is better to exclude them (3) from SSL bump on
            Squid using ssl::server_name by splicing?
        
      
      Depending your requirements.

      
          Thanks in advance for everyone who
            responds.
           
          Best regards,
          Rafael Akchurin
          Diladele B.V.
           
          --
          Please take a look at Web Safety - our
            ICAP based web filter server for Squid proxy at https://www.diladele.com
            
        
        _______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

      
      -- 

        Cats - delicious. You just do not know how to cook them.
    
    
    -- 

      Cats - delicious. You just do not know how to cook them.
  

Attachment:
0x613DEC46.asc

Description: application/pgp-keys
Attachment:
signature.asc

Description: OpenPGP digital signature
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users