Re: [squid-users] WCCPv2 and HTTPS problems

From: Dalibor Dukic <dalibor.dukic@dont-contact.us>
Date: Wed, 07 Nov 2007 10:08:50 +0100

On Wed, 2007-11-07 at 12:45 +0900, Adrian Chadd wrote:
> On Tue, Nov 06, 2007, Dalibor Dukic wrote:
> > Hi,
> >
> > I configured a transparent Squid box and WCCPv2 with a Cisco 6k5. After
> > some time I noticed that clients have problems with HTTPS sites. If I
> > manually configure the proxy setting in the browser and bypass WCCP,
> > everything goes OK.
> >
> > I'm using the standard service group (web-cache). Maybe some web servers
> > check that HTTP and HTTPS requests are coming with the same source address
> > and block HTTPS access. Clients and Squid are on public addresses and
> > these requests come with different source IPs. I can't change this and
> > put the clients and Squid boxes behind a NAT machine. :(
> > Has anyone noticed the same behavior?
> > Maybe I can set up a service group with ports 80 and 443 so I can resolve
> > the issues with different IPs, is this correct?
>
> Squid doesn't currently handle transparently intercepting SSL, even for
> the situation you require above.

OK, but when I put the proxy settings manually in the browser, even for SSL,
Squid will just start passing data from client to server. I can't do
this with WCCP?

> You should investigate the TPROXY Squid integration which, when combined
> with a correct WCCPv2 implementation and compatible network design,
> will allow your requests to look like they're coming from your client
> IPs.

Does TPROXY functionality require any modification to kernel code,
especially the netfilter part?
I think this would solve the problems I'm facing. I'll try this if
this is the only solution and give info to the group.

> The other alternative is to write or use a very basic TCP connection proxy
> which will handle transparently intercepted connections and just connect
> to the original destination server. This will let the requests "come from"
> the same IP as the proxy.

Thank you, Adrian
Received on Wed Nov 07 2007 - 02:09:09 MST
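
Added example, not part of the original thread or of Squid: a sketch of the "very basic TCP connection proxy" suggested in the quoted reply, relaying intercepted connections byte for byte (no TLS decryption) to the destination the client originally dialed. It assumes a Linux host where a netfilter REDIRECT rule delivers the WCCP-diverted port 443 traffic to the listener; LISTEN_PORT and all function names are hypothetical.

```python
import socket
import struct
import threading

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; not exported by the socket module
LISTEN_PORT = 3129    # hypothetical port the REDIRECT rule is assumed to point at

def parse_sockaddr_in(raw):
    """Decode struct sockaddr_in: 2-byte family, big-endian port, IPv4 address."""
    port, addr = struct.unpack_from("!2xH4s", raw)
    return socket.inet_ntoa(addr), port

def original_dst(conn):
    """Ask netfilter which address the client dialed before the redirect."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close so the peer sees EOF too."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(conn):
    """Relay one intercepted connection to its original destination, unmodified."""
    with conn:
        target = original_dst(conn)
        if target == conn.getsockname()[:2]:
            return  # not redirected: connecting would loop back into this proxy
        with socket.create_connection(target, timeout=10) as upstream:
            upstream.settimeout(None)
            back = threading.Thread(target=pump, args=(upstream, conn), daemon=True)
            back.start()
            pump(conn, upstream)
            back.join()

def serve(port=LISTEN_PORT):
    """Accept redirected connections and relay each one on its own thread."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

if __name__ == "__main__":
    serve()
```

The upstream connection is opened from the proxy's own address, so the server sees the proxy IP rather than the client IP, as the quoted reply notes.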
