[squid-users] Re: Squid configuration for wccp https requests

From: akshaygujar <akshaygujar_at_gmail.com>
Date: Thu, 1 Mar 2012 06:02:51 -0800 (PST)

Thanks Amos for your reply.

> Hello Everyone!
>
> I have a query regarding the implementation of WCCPv2 with a Squid
> Proxy (v3.1). We have enabled WCCP on a Cisco 6500 switch. The
> requirement is that requests coming from a particular IP need to be
> redirected to the Squid Proxy, which would then forward the request to
> another proxy (hierarchical proxies). We have been able to set it up
> for HTTP requests but are running into problems with HTTPS.
>
> We don't see any HTTPS requests being redirected by the switch to the
> Squid Proxy. The network team has verified the WCCP configuration on
> the switch with the Cisco forum, and that has been confirmed to be
> correct.
>
> configuration is:
>
> Service Identifier 70 and web-cache (http) configured on the switch.
>
> GRE Tunnel setup between switch and squid Proxy
>
> Using iptables to redirect traffic to squid port
>
> Squid Configuration:
>
> http_port 3128 transparent
This port is HTTP-only.

Use:
  https_port 3128 intercept

and better yet, use something other than a well-known port 3128 for the
high-risk interception port.

<Akshay> I tried that with some self-signed certs configured, but still
nothing is being redirected by the switch. Will change the port number as well.

>
> wccp2_router <router_ip>
> wccp2_service standard 0
> wccp2_service dynamic 70
> wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source
> priority=240 ports=443
>
> wccp2_assignment_method mask
> wccp2_forwarding_method 1
> wccp2_return_method 1
>
>
>
> I have taken Wireshark traces and can see both the "here I am" and "I
> see you" packets being exchanged for HTTP and for port 443. However,
> for port 443, I see the service ID being sent as unknown. Is that
> correct, or should it be setting it as 70?
... or "0", as configured by "wccp2_service standard 0".

<Akshay> Yes, the service ID for HTTP is being sent properly, but for 443, not
sure why it is being sent as unknown.

>
> Are we missing something in the configuration that is causing the
> switch to not redirect HTTPS packets?
>
> Also, I wanted to confirm that if this works, would the HTTPS request
> be coming over to Squid as HTTP, meaning like an HTTP CONNECT message
> to set up the connection before the SSL exchange?
No. WCCP is just a way of routing particular packets. The packets
themselves are completely unchanged when they arrive at the Squid box.
You still need the NAT/TPROXY intercept mechanisms (iptables and
squid's "intercept" mode flag) and SSL/TLS decryption mechanisms
(https_port and its SSL settings) to do anything with them.

<Akshay> That's kind of what I was trying to avoid. Don't want Squid to
terminate the SSL. Wanted to mock the way it would work as if configured as
a proxy on a browser.
Amos

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-configuration-for-wccp-https-requests-tp4434613p4435039.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Thu Mar 01 2012 - 14:02:53 MST
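Amos's point in the thread is that WCCP only steers packets to the Squid box; to act on port 443 traffic Squid still needs an intercepting https_port (with a certificate, since it terminates the TLS) plus a NAT rule that sends the redirected packets to that port. The fragment below is an added illustration, not part of the thread and not taken from Squid's documentation: it assembles the directives mentioned in the message into one squid.conf for a Squid 3.1 box behind the GRE tunnel. The router address 192.0.2.1, the local port 3129, the certificate paths and the parent proxy parent.example.net:8080 are placeholders. One detail differs from the posted config on purpose: the `ports_source` flag makes the `ports=` list apply to source ports rather than destination ports, and client-to-server HTTPS traffic carries 443 as the destination port, so the flag is omitted here.

```conf
# Added example squid.conf fragment for Squid 3.1 (not from the thread).
# Assumptions: WCCP-redirected traffic arrives over the GRE tunnel, an
# iptables REDIRECT sends destination-port-443 packets to local port 3129,
# and a parent proxy at parent.example.net:8080 is the upstream.

# Plain HTTP interception (same as the posted config, with the 3.1 flag name)
http_port 3128 intercept

# HTTPS interception on a port other than the well-known 3128.
# Squid terminates TLS here with its own certificate, so clients must trust
# the CA that signed squid-intercept.pem or they get certificate warnings.
# WCCP does not change the packets: they arrive as ordinary TLS ClientHellos
# on port 443, never as HTTP CONNECT requests.
https_port 3129 intercept cert=/etc/squid/squid-intercept.pem key=/etc/squid/squid-intercept.key

# Hierarchical proxies: forward everything to the parent, never go direct
cache_peer parent.example.net parent 8080 0 no-query default
never_direct allow all

# WCCPv2 registration with the Cisco 6500 (placeholder router address)
wccp2_router 192.0.2.1
# standard service 0 = web-cache (tcp/80)
wccp2_service standard 0
# dynamic service 70 = the HTTPS group defined on the switch
wccp2_service dynamic 70
# 443 is the DESTINATION port of client->server traffic, so ports_source is
# left off; src_ip_hash keeps a given client pinned to one cache.
wccp2_service_info 70 protocol=tcp flags=src_ip_hash priority=240 ports=443
wccp2_assignment_method mask
# 1 = GRE for both forwarding and return, matching the tunnel on the switch
wccp2_forwarding_method 1
wccp2_return_method 1
```

On the Squid box the matching NAT rule is a REDIRECT on the tunnel interface, for example `iptables -t nat -A PREROUTING -i gre0 -p tcp --dport 443 -j REDIRECT --to-ports 3129` (interface name assumed); the existing port-80 rule stays as it is. On the wish to avoid terminating the SSL: in Squid 3.1 an intercepted https_port can only decrypt, because the client never sends a CONNECT that Squid could simply tunnel; the SslBump peek and splice modes that pass an intercepted TLS connection through untouched arrived in Squid 3.5.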

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 12:00:06 MST