RE: [squid-users] WCCP, Squid, ASA, HTTP redirect

We use out squid proxies for 2 things, one of them is minor and can be done without if needed..

1.) We use Smartfilter on it. Content filtering.
2.) Caching (obviously). The biggest thing we cache is an internal tool that a callcenter we have uses. About 400 people bang on an IIS website that lives in another remote site constantly. They bang on this via HTTPS and we found that caching this content on the local squid proxy was saving us about 3-4mb average traffic. A good portion of these requests are images (decent size)

-----Original Message-----
From: Adrian Chadd [mailto:adrian@creative.net.au]
Sent: Friday, April 25, 2008 9:56 AM
To: Nick Duda
Cc: 'Adrian Chadd'; Squid-users
Subject: Re: [squid-users] WCCP, Squid, ASA, HTTP redirect

On Fri, Apr 25, 2008, Nick Duda wrote:
> So it looks like WCCP with an ASA (or some other Cisco WCCP2 supporting device) and Squid (v3?) can only do port 80 interception huh....blah

Squid-3's support is for pulling apart an SSL stream into non-SSL and
re-encrypting it afterwards.

You don't -have- to do that - it'd be mostly trivial to write a basic
TCP tunnel in Squid -just- for intercepting arbitrary TCP ports to do
basic ACLs (eg source/dest IP; throw request into a CONNECT to an upstream
proxy, etc) - but noone's written it for Squid-2.

The big question is - why do you want to intercept port 443?

Adrian

>
>
>
> -----Original Message-----
> From: Adrian Chadd [mailto:adrian@creative.net.au]
> Sent: Thursday, April 24, 2008 11:53 PM
> To: Nick Duda
> Cc: Squid-users
> Subject: Re: [squid-users] WCCP, Squid, ASA, HTTP redirect
>
> On Thu, Apr 24, 2008, Nick Duda wrote:
> > I've googled and saw some stuff but nothing that I can really make sense of.
> >
> > We have successfully designed (and its working) 2 squid transparent proxy servers, both WCCP to an ASA working as failover (if squid dies on one proxy the other one starts taking the redirects from the ASA). The only problem is that we cant figure out how to get HTTPS requests redirected from the ASA to the proxy (using WCCP). Does anyone know how this can happen? Do I need to use dynamic's instead of standards for WCCP? (Ive tried, without success).
> >
> > I really cant imagine that all this WCCP with a web-cache can not work with HTTPS (that would suck)
>
> Squid-2 doesn't support any form of HTTPS "interception".
>
> I could probably be twisted to implement a basic tunnel just for supporting
> intercepted requests (so you can do very basic ACL processing on them.)
>
>
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -