On Tue, Nov 06, 2007, Dalibor Dukic wrote:
> Hi,
>
> I configured transparent squid box and WCCPv2 with CISCO 6k5. After some
> time I noticed that clients have problems with HTTPS sites. If I
> manually configure proxy setting in browser and bypass WCCP everything
> goes OK.
>
> I'm using standard service group (web-cache). Maybe some web server
> check that HTTP and HTTPS request are coming with same source address
> and block HTTPS access. Clients and squid are on public addresses and
> this requests come with different source IPs. I can't change this and
> put clients and squid boxes behind NAT machine. :(
> Is anyone notice that same behavior?
> Maybe I can setup service-group with 80 and 443 port so I can resolve
> issues with different IPs, is this correct?
Squid doesn't currently handle transparently intercepting SSL, even for
the situation you require above.
You should investigate the TPROXY Squid integration which, when combined
with a correct WCCPv2 implementation and compatible network design,
will allow your requests to look like they're coming from your client
IPs.
The other alternative is to write or use a very basic TCP connection proxy
which will handle transparently intercepted connections and just connect
to the original destination server. This will let the requests "come from"
the same IP as the proxy.
(Yes, I've done the above in the lab and verified the concept works fine.)
Adrian
-- - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support - - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -Received on Tue Nov 06 2007 - 20:42:22 MST
This archive was generated by hypermail pre-2.1.9 : Sat Dec 01 2007 - 12:00:02 MST