Re: [squid-users] Squid + WCCP + HTTPS Authentication Dilemma

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 22 Mar 2004 12:27:05 +0100 (CET)

On Mon, 22 Mar 2004, David Stout wrote:

> The problem came from the fact we could no longer connect to any
> websites requiring an HTTPS connection. Neither Yahoo mail nor Hotmail
> would work.

This is usually not related to https, but to certain web sites requiring
that the user comes from the same IP address on HTTP and HTTPS.

When you use WCCP you intercept the HTTP requests and send them to the
proxy, but HTTPS (or other non-port-80 traffic) is still sent out
directly with the clients original IP.

> So originally I noticed that our firewall was sending HTTP traffic
> to the internet using its management public IP address, and all HTTPS
> traffic was going via the NAT rules in the firewall. This would mean the
> web server would see HTTP and HTTPS from different public IPs and
> close the connection. I have since corrected this minor issue so that
> the authenticating web servers will see the HTTP and HTTPS traffic from
> the same public IP address.

Please double-check this is the case.

Your proxy server is not at all involved in HTTPS traffic, only HTTP.

> I am unable to find out from the Cisco web site if the router is
> forwarding the HTTPS to the cache (I am installing a sniffer today so
> I'll get back to you on that).

It is not, and it must not.

WCCP is not a substitute for proxy settings in the browser. It is just a
dirty hack to still survive even if the browser is not configured
correctly.

> Now it strikes me as odd that this would happen on every WCCP + Squid
> install but there seems no immediate solution (I am trawling the
> archives as well though in case I missed it (although search didn't
> throw up too much)).

For all installations I know of this problem has been solved by NAT to
make direct client accesses and accesses via the proxy use the same IP.

In a few very rare cases exceptions are needed to have certain sites bypass
the proxy completely, but none of the sites you mentioned fall into this
category.

Regards
Henrik
Received on Mon Mar 22 2004 - 04:27:09 MST
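The failure mode Henrik describes (a site sees a session's HTTP requests from the proxy's egress address and its HTTPS requests from the client's NAT address, and drops the session) can be spotted from the web server's side by correlating source IPs per session across schemes. The following is an added example, not code from this thread or from Squid; the log format is a hypothetical one constructed for the example (timestamp, scheme, source IP, session id, path), and the sample lines and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample access log. Format is hypothetical:
#   <timestamp> <scheme> <src_ip> <session_id> <path>
# sess-A is the WCCP case from the thread: HTTP arrives from the proxy's
# egress address, HTTPS directly from the client's NAT address.
# sess-B is the corrected case where both schemes share one public IP.
SAMPLE_LOG = """\
2004-03-22T12:00:01 http  203.0.113.10 sess-A /inbox
2004-03-22T12:00:02 https 203.0.113.77 sess-A /login
2004-03-22T12:00:05 http  203.0.113.10 sess-B /mail
2004-03-22T12:00:06 https 203.0.113.10 sess-B /login
2004-03-22T12:00:09 https 198.51.100.5 sess-C /login
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<scheme>https?)\s+(?P<ip>\S+)\s+(?P<sess>\S+)\s+(?P<path>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_split_sessions(records):
    """Return sessions whose HTTP and HTTPS requests came from different source IPs.

    Sessions seen over only one scheme are not reported: there is nothing to
    compare, and a site that keys its session on client IP would not break them.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["sess"]][r["scheme"]].add(r["ip"])
    split = {}
    for sess, by_scheme in seen.items():
        http_ips = by_scheme.get("http", set())
        https_ips = by_scheme.get("https", set())
        if http_ips and https_ips and http_ips != https_ips:
            split[sess] = {"http": sorted(http_ips), "https": sorted(https_ips)}
    return split


def egress_ips_by_scheme(records):
    """Summarise which public addresses the site sees per scheme overall.

    With WCCP interception and no NAT consolidation, the HTTP set is the
    proxy's address while the HTTPS set is the clients' NAT address(es).
    """
    by_scheme = defaultdict(set)
    for r in records:
        by_scheme[r["scheme"]].add(r["ip"])
    return {scheme: sorted(ips) for scheme, ips in by_scheme.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sess, ips in find_split_sessions(recs).items():
        print(f"{sess}: HTTP from {ips['http']}, HTTPS from {ips['https']}")
    print("egress by scheme:", egress_ips_by_scheme(recs))
```

On the sample log only sess-A is reported as split; after the NAT fix David describes, every session should look like sess-B and the function returns an empty dict.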
