Re: [squid-users] squid and wccp2

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 May 2011 01:24:24 +1200

On 26/05/11 01:38, Daniel Anliker wrote:
> Hi,
>
> We have a problem with squid 3.1.6 (debian 6.0.1) and wccp2.
>
> The normal HTTP traffic works like it should with:
>
> wccp2_router 192.168.200.1
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> But we would also like to have some other ports on the Squid.
>
> I tried with:
>
> wccp2_service dynamic 60
> wccp2_service dynamic 61
>
> wccp2_service_info 60 protocol=tcp priority=240 ports=20,21

Squid is an HTTP proxy. It does not accept native FTP traffic. It only
gateways HTTP client browsers to FTP servers.

We recommend frox proxy for FTP interception.

> wccp2_service_info 61 protocol=tcp priority=240 ports=443
>
> The provider has configured service numbers 60, 61 on the Cisco firewall
> and I can see with tcpdump some traffic from the GRE interface for these
> ports.
> But the client gets a timeout on HTTPS sites; is there anything else I
> have to configure on Squid?

HTTPS was created to prevent people intercepting HTTP. Expect major
problems when you try to wire-tap/intercept it.

  * Get yourself a good lawyer.
  * Configure an https_port to receive and decrypt the traffic.
  * Install CA certificates on all client machines so they will accept
your forged (single) Squid certificate as real for the (many) sites they
visit.
  * Do something to the client browsers so they ignore the security
vulnerability errors when your certificate fails to contain the
low-level details about the destination IP:port:domain they think they
are connecting to.

OR

  * Use PAC to take up the failover properties WCCP added.
  * Use WPAD and other methods to automatically configure the client
browsers to use the proxy.
  * ssl-bump their CONNECT requests as they arrive.

This will help:
  (http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers)

The Debian default packages are also not built with HTTPS
encrypt/decrypt support, for policy reasons. They can relay CONNECT
requests but that is all.

>
> I also tested that it works when I configure the proxy in the browser;
> everything works ...

Good.

When configured to be aware of the proxy, client browsers will send
HTTPS and FTP URLs through to Squid for handling. They also allow much
more to be done with the traffic.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Thu May 26 2011 - 13:24:32 MDT
