Re: [squid-users] Transparent WCCP/GRE HTTPS issue

From: Adrian Chadd <adrian@dont-contact.us>
Date: Sun, 9 Dec 2007 00:17:37 +0900

On Sat, Dec 08, 2007, Jason Gauthier wrote:

> Help me understand the logic (I know you don't have a set up like this
> in practice)
>
> I create a GRE tunnel from linux->ASA.
> I then use iptables to grab everything that hits that GRE tunnel to send
> it the squid proxy.
>
> iptables -t nat -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.79.2:3129
>
> If I have multiple instances of squid, should I have one GRE tunnel per
> instance? Otherwise, it will not matter how many instances I have...
> they will all be picked up by the one GRE tunnel.

The trouble is that the traffic from the proxy to the ASA will be
returning not via GRE, but via direct next-hop (ie, just normal IP
over ethernet.) This is fine normally but the PIX/ASA is "special".

I'm -guessing- that the root problem is that:

Same interface:

* client -> proxy goes via WCCPv2 and GRE;
* proxy -> client if they're on the same subnet goes straight back to the
  client and not via the ASA itself;

Different interface:

* client -> proxy goes via WCCPv2 and GRE;
* proxy -> client needs to go via the ASA, but with a spoofed source address
  (ie, the "pretend" internet http server address), and the ASA is unhappy
  with this.

I can't be sure without owning a PIX/ASA.

Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
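A small added model of the two return paths described in the reply above, written for this archive page and not part of the original thread or of Squid. Only the proxy address 192.168.79.2 comes from the quoted iptables rule; the ASA inside address 192.168.79.1, the 192.168.79.0/24 LAN, and the client and origin-server addresses are constructed assumptions. It resolves the proxy's route to the client by longest-prefix match and reports whether the reply must cross the ASA and whether it leaves with the spoofed origin-server source address, which is the combination the reply suspects the ASA objects to.

```python
import ipaddress

# Constructed topology (assumptions, except the proxy address taken from the
# quoted iptables DNAT rule).
PROXY_IP = ipaddress.ip_address("192.168.79.2")
ASA_INSIDE_IP = ipaddress.ip_address("192.168.79.1")  # assumed ASA inside interface

# Proxy host routing table: (prefix, next hop or None if directly connected, device)
ROUTING_TABLE = [
    (ipaddress.ip_network("192.168.79.0/24"), None, "eth0"),     # proxy's own LAN
    (ipaddress.ip_network("0.0.0.0/0"), ASA_INSIDE_IP, "eth0"),  # default route via ASA
]


def lookup(dst):
    """Longest-prefix match over ROUTING_TABLE; returns (prefix, gateway, device)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in ROUTING_TABLE:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def reply_path(client_ip, origin_server_ip):
    """Describe how the proxy's reply to an intercepted client leaves the host.

    The request arrived over the WCCP GRE tunnel, but the reply follows the
    normal routing table. In transparent mode the reply carries the origin
    server's address as its source, so a stateful firewall on the path sees a
    packet whose source belongs to no subnet behind the proxy.
    """
    net, gw, dev = lookup(client_ip)
    src = ipaddress.ip_address(origin_server_ip)
    src_on_local_subnet = any(src in n for n, g, _ in ROUTING_TABLE if g is None)
    return {
        "client_prefix": str(net),
        "next_hop": "direct" if gw is None else f"via {gw}",
        "crosses_asa": gw == ASA_INSIDE_IP,
        "spoofed_source_off_local_subnet": not src_on_local_subnet,
    }


def at_risk(client_ip, origin_server_ip):
    """True when the reply both crosses the ASA and carries a spoofed source,
    i.e. the 'different interface' case from the reply."""
    info = reply_path(client_ip, origin_server_ip)
    return info["crosses_asa"] and info["spoofed_source_off_local_subnet"]


if __name__ == "__main__":
    # Constructed sample clients: one on the proxy's LAN, one behind another ASA interface.
    for client in ("192.168.79.50", "10.20.0.5"):
        print(client, reply_path(client, "203.0.113.10"), "at risk:", at_risk(client, "203.0.113.10"))
```

The "same interface" client gets its reply directly over Ethernet, never touching the ASA, while the "different interface" client's reply is routed to the ASA with a source address the ASA has no reason to trust; running `ip route get <client>` on the real proxy host gives the same next-hop answer the `lookup()` function models here.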
Received on Sat Dec 08 2007 - 08:11:40 MST
