Re: [squid-users] Squid configuration for wccp https requests

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Mar 2012 23:45:44 +1300

On 01.03.2012 23:30, akshaygujar wrote:
> Hello Everyone!
>
> I have a query regarding the implementation of WCCPv2 with a Squid Proxy
> (v3.1). We have enabled WCCP on a Cisco 6500 switch. The requirement is
> that requests coming from a particular IP need to be redirected to the
> Squid Proxy, which would then forward the request to another proxy
> (hierarchical proxies). We have been able to set it up for HTTP requests
> but are running into problems with HTTPS.
>
> We don't see any HTTPS requests being redirected by the switch to the
> Squid Proxy. The network team has verified the WCCP configuration on the
> switch with the Cisco forum, and that has been confirmed to be correct.
>
> The configuration is:
>
> Service Identifier 70 and web-cache(http) configured on the switch.
>
> GRE Tunnel setup between switch and squid Proxy
>
> Using iptables to redirect traffic to squid port
>
> Squid Configuration:
>
> http_port 3128 transparent

This port is HTTP-only.

Use:
  https_port 3128 intercept

and better yet, use something other than a well-known port 3128 for the
high-risk interception port.

>
> wccp2_router <router_ip>
> wccp2_service standard 0
> wccp2_service dynamic 70
> wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
>
> wccp2_assignment_method mask
> wccp2_forwarding_method 1
> wccp2_return_method 1
>
>
>
> I have taken Wireshark traces and can see both the "here I am" and "I see
> you" packets being exchanged for HTTP and for port 443. However, for port
> 443, I see the service ID being sent as unknown. Is that correct, or
> should it be setting it as 70?

... or "0", as configured by "wccp2_service standard 0".

>
> Are we missing something in the configuration that is causing the switch
> to not redirect HTTPS packets?
>
> Also, I wanted to confirm that if this works, would the HTTPS request be
> coming over to Squid as HTTP, meaning like an HTTP CONNECT message to set
> up the connection before the SSL exchange?

No. WCCP is just a way of routing particular packets. The packets
themselves are completely unchanged when they arrive at the Squid box.
You still need the NAT/TPROXY intercept mechanisms (iptables and
squid's "intercept" mode flag) and SSL/TLS decryption mechanisms
(https_port and its SSL settings) to do anything with them.

Amos
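As an added illustration, not a config from Amos or from the original poster, here is a squid.conf fragment that keeps the poster's WCCP lines and puts the HTTP-only "transparent" port beside a separate HTTPS intercept port on a non-well-known port, as the reply advises. The certificate and key paths and the port number 18443 are placeholders; which further SSL options https_port accepts depends on the Squid version and is not shown.

```conf
# Added example (not the thread's own configuration).

# Weak: an HTTPS client redirected here is treated as plain HTTP and fails.
#http_port 3128 transparent

# HTTP interception keeps its own port ("intercept" is the current name of
# the older "transparent" flag).
http_port 3128 intercept

# HTTPS interception on its own, non-well-known port (18443 is an arbitrary
# placeholder), with the certificate/key Squid presents to intercepted
# clients (placeholder paths; assumption).
https_port 18443 intercept cert=/etc/squid/intercept.pem key=/etc/squid/intercept.key

# The iptables REDIRECT for tcp/443 arriving over the GRE tunnel must then
# target 18443, and the one for tcp/80 must target 3128.

# WCCP: one service per protocol/port, matching the switch. Standard 0 is
# web-cache (tcp/80); dynamic 70 carries tcp/443, as in the original post.
wccp2_router <router_ip>
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=443
wccp2_assignment_method mask
wccp2_forwarding_method 1
wccp2_return_method 1
```

WCCP only delivers the unchanged packets to this host; without the NAT redirect and the https_port with its certificate, Squid never sees a usable TLS session.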
Received on Thu Mar 01 2012 - 10:45:49 MST

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 12:00:06 MST