Re: [squid-users] Squid + SLB + Transparent Mode (policy based routing)

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 25 Feb 2004 14:41:18 +0100 (CET)

On Wed, 25 Feb 2004, Valton Hashani wrote:

> I have tried using WCCP with Cisco 7200 but I had problems opening SSL
> pages. Sometimes it worked sometimes not.

This is most likely not due to WCCP but due to interception of http
traffic. WCCP is not at all involved on SSL requests, and neither is any
other interception method.

Many web sites dislike https:// requests coming from a different address
than the http:// requests initiating the session.

As https:// is not intercepted but routed like any other traffic the
requests arrives with the real client IP address.

To get around this you have three options

a) NAT the traffic outside the proxy and clients, making sure that both
intercepted and normally routed traffic uses the same source IP address.

b) Have the clients configured to use the proxy.

c) Add access lists to your intercepting routers to not intercept sites
where this is a problem.

> I tried every possibility (using
> different squid directives) to make it work and got various answers from
> this mailing list, but I didn't find any stable solution. So I decided to
> use policy based routing for tranparent mode. This worked and it is still
> working very well.

Then something was seriously wrong in your WCCP setup.

Regards
Henrik
Received on Wed Feb 25 2004 - 06:41:25 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST