RE: [squid-users] WCCP, Squid, ASA, HTTP redirect

From: Nick Duda <nduda@dont-contact.us>
Date: Fri, 25 Apr 2008 09:56:57 -0400

I know what your saying.....let me inspect the packets for a few minutes, maybe the https requests are also calling http images or something.....but yea, I know what your saying :)

-----Original Message-----
From: Adrian Chadd [mailto:adrian@creative.net.au]
Sent: Friday, April 25, 2008 10:06 AM
To: Nick Duda
Cc: 'Adrian Chadd'; Squid-users
Subject: Re: [squid-users] WCCP, Squid, ASA, HTTP redirect

Hm. How is your squid caching HTTPS? :)

Adrian

On Fri, Apr 25, 2008, Nick Duda wrote:
> We use out squid proxies for 2 things, one of them is minor and can be done without if needed..
>
> 1.) We use Smartfilter on it. Content filtering.
> 2.) Caching (obviously). The biggest thing we cache is an internal tool that a callcenter we have uses. About 400 people bang on an IIS website that lives in another remote site constantly. They bang on this via HTTPS and we found that caching this content on the local squid proxy was saving us about 3-4mb average traffic. A good portion of these requests are images (decent size)
>
>
>
> -----Original Message-----
> From: Adrian Chadd [mailto:adrian@creative.net.au]
> Sent: Friday, April 25, 2008 9:56 AM
> To: Nick Duda
> Cc: 'Adrian Chadd'; Squid-users
> Subject: Re: [squid-users] WCCP, Squid, ASA, HTTP redirect
>
> On Fri, Apr 25, 2008, Nick Duda wrote:
> > So it looks like WCCP with an ASA (or some other Cisco WCCP2 supporting device) and Squid (v3?) can only do port 80 interception huh....blah
>
> Squid-3's support is for pulling apart an SSL stream into non-SSL and
> re-encrypting it afterwards.
>
> You don't -have- to do that - it'd be mostly trivial to write a basic
> TCP tunnel in Squid -just- for intercepting arbitrary TCP ports to do
> basic ACLs (eg source/dest IP; throw request into a CONNECT to an upstream
> proxy, etc) - but noone's written it for Squid-2.
>
> The big question is - why do you want to intercept port 443?
>
>
>
> Adrian
>
> >
> >
> >
> > -----Original Message-----
> > From: Adrian Chadd [mailto:adrian@creative.net.au]
> > Sent: Thursday, April 24, 2008 11:53 PM
> > To: Nick Duda
> > Cc: Squid-users
> > Subject: Re: [squid-users] WCCP, Squid, ASA, HTTP redirect
> >
> > On Thu, Apr 24, 2008, Nick Duda wrote:
> > > I've googled and saw some stuff but nothing that I can really make sense of.
> > >
> > > We have successfully designed (and its working) 2 squid transparent proxy servers, both WCCP to an ASA working as failover (if squid dies on one proxy the other one starts taking the redirects from the ASA). The only problem is that we cant figure out how to get HTTPS requests redirected from the ASA to the proxy (using WCCP). Does anyone know how this can happen? Do I need to use dynamic's instead of standards for WCCP? (Ive tried, without success).
> > >
> > > I really cant imagine that all this WCCP with a web-cache can not work with HTTPS (that would suck)
> >
> > Squid-2 doesn't support any form of HTTPS "interception".
> >
> > I could probably be twisted to implement a basic tunnel just for supporting
> > intercepted requests (so you can do very basic ACL processing on them.)
> >
> >
> >
> > Adrian
> >
> > --
> > - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> > - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
Received on Fri Apr 25 2008 - 13:57:04 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT