LinuxQuestions.org
Old 01-13-2014, 02:35 PM   #1
Mark007
Member
 
Registered: Apr 2004
Location: Sussex, UK
Distribution: Centos, Cisco IOS, Win<n>X64
Posts: 34

Rep: Reputation: 15
https over WCCP and Squid.


Hi,

I've been using a cisco adsl router with WCCP to centos box with Squid.

I'm proxying port 80 fine, works like a dream.

However, I've now decided to proxy https as well.

Looking around, I've not come across a definitive guide on how to do this.

I've set up the cisco box, and it shows thus:


Code:
sh ip wccp sum
WCCP version 2 enabled, 2 services

Service     Clients   Routers   Assign      Redirect   Bypass
-------     -------   -------   ------      --------   ------
Default routing table (Router Id: 192.168.4.254):
web-cache   1         1         MASK        GRE        GRE
70          1         1         MASK        GRE        GRE
and
Code:
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.4.254

    Service Identifier: web-cache
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            191111
          Process:                           107
          CEF:                               191004
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            22
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel0

    Service Identifier: 70
        Protocol Version:                    2.00
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets Redirected:            0
          Process:                           0
          CEF:                               0
        Service mode:                        Open
        Service Access-list:                 -none-
        Total Packets Dropped Closed:        0
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total GRE Bypassed Packets Received: 0
          Process:                           0
          CEF:                               0
        GRE tunnel interface:                Tunnel1

Now, something I spotted, but I'm not sure of this..

Do I have to set up another GRE tunnel, and then add another iptables entry to direct 443 to the normal 3128?


MarkA
 
Old 01-14-2014, 12:34 PM   #2
Mark007
Member
 
Registered: Apr 2004
Location: Sussex, UK
Distribution: Centos, Cisco IOS, Win<n>X64
Posts: 34

Original Poster
Rep: Reputation: 15
Further update; it's looking more like a Cisco issue..

I'm on an 887 with a 15x IOS.

If I enable ip wccp web-cache redirect in global and on the interface, everything works fine..

If I then add ip wccp 70 in global and ip wccp 70 redirect out on the interface, nothing.

This is confirmed by doing a tcpdump of the GRE tunnel; all I see is HTTP.

I've either not set something quite right, or ??


MarkA
 
Old 02-08-2014, 12:18 PM   #3
Mark007
Member
 
Registered: Apr 2004
Location: Sussex, UK
Distribution: Centos, Cisco IOS, Win<n>X64
Posts: 34

Original Poster
Rep: Reputation: 15
Sorted.

After a lot of reading, and a chat with the nice people at Cisco who ran some diags to help me spot the problem, this has now been resolved.

The Cisco needs to be told where/what etc., so the wccp_service_info is very important, and all the examples I found didn't work....

Learning all the time. Now WCCP is in the arsenal!

MarkA
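Added example, not the poster's own configuration or any project's code: the Squid and Linux side of what posts #1 to #3 work through (registering dynamic service 70 with wccp2_service_info, the GRE tunnel, the second iptables REDIRECT for 443, and the tcpdump check from post #2). The router id is the one from the thread's output; the Squid address, interface, tunnel name, intercept ports and the single-tunnel layout are assumptions, and the tcpdump lines are constructed.

```shell
#!/bin/sh
# Added example (not the thread's or any project's code): the Linux/Squid side
# of WCCPv2 redirection for port 80 (standard service web-cache) and 443
# (dynamic service 70) over one GRE tunnel. Assumed: router id 192.168.4.254
# (from the thread), Squid host 192.168.4.10 on eth0, tunnel wccp0, ports 3128/3129.
ROUTER=192.168.4.254
SQUID_IP=192.168.4.10
TUN=wccp0

# squid.conf lines. The router only redirects service 70 once wccp2_service_info
# tells it which ports the service covers; 443 must land on an https_port
# with intercept ssl-bump (3129), never on the plain http_port 3128.
squid_wccp_conf() {
    cat <<EOF
wccp2_router $1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_assignment_method mask
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
http_port 3128 intercept
EOF
}

# Host commands. One tunnel is assumed to carry both services (the router
# encapsulates each toward the same cache IP); only a second REDIRECT is added.
gre_and_nat_cmds() {
    cat <<EOF
modprobe ip_gre
ip tunnel add $TUN mode gre remote $ROUTER local $SQUID_IP dev eth0
ip addr add $SQUID_IP/32 dev $TUN
ip link set $TUN up
sysctl -w net.ipv4.conf.$TUN.rp_filter=0
iptables -t nat -A PREROUTING -i $TUN -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i $TUN -p tcp --dport 443 -j REDIRECT --to-ports 3129
EOF
}

# Check from post #2: count SYNs per destination port seen on the tunnel
# (tcpdump -ni wccp0 'tcp[tcpflags] & tcp-syn != 0'); no 443 line means the
# router is not redirecting service 70.
gre_port_summary() {
    awk '$4 == ">" { n = split($5, a, "."); p = a[n]; sub(/:$/, "", p); c[p]++ }
         END { for (p in c) printf "%s %d\n", p, c[p] }' | sort -n
}
# Constructed tcpdump lines standing in for a live capture.
SAMPLE='12:00:01.000000 IP 192.168.4.20.51234 > 93.184.216.34.80: Flags [S], length 0
12:00:01.100000 IP 192.168.4.21.51235 > 93.184.216.34.443: Flags [S], length 0
12:00:01.200000 IP 192.168.4.20.51236 > 93.184.216.34.443: Flags [S], length 0'
summary_demo() { printf '%s\n' "$SAMPLE" | gre_port_summary; }
```

Run `gre_and_nat_cmds | sh` as root to apply the host side, and append `squid_wccp_conf "$ROUTER"` to squid.conf; `tcpdump -ni wccp0 ... | gre_port_summary` then shows whether 443 is arriving.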
 
Old 02-08-2014, 07:14 PM   #4
Mark007
Member
 
Registered: Apr 2004
Location: Sussex, UK
Distribution: Centos, Cisco IOS, Win<n>X64
Posts: 34

Original Poster
Rep: Reputation: 15
p.s.

If anyone wants to know what I did to get this working, just ping me and I will write it up.


MarkA
 
Old 02-17-2014, 02:37 PM   #5
kc1978
LQ Newbie
 
Registered: Feb 2014
Posts: 1

Rep: Reputation: Disabled
Hi MarkA, I'm interested in seeing the solution as I'm faced with the problem. Thanks
 
Old 03-05-2014, 11:46 AM   #6
ging0023
LQ Newbie
 
Registered: Mar 2014
Posts: 1

Rep: Reputation: Disabled
I need help with this too

I'm struggling with this same issue. Can someone post the magic Squid config that makes ASA/wccp/Squid work with https? Mark007 help?
 
Old 12-03-2014, 12:02 AM   #7
thejimmahknows
LQ Newbie
 
Registered: Dec 2014
Posts: 3

Rep: Reputation: Disabled
Quote:
Originally Posted by ging0023
I'm struggling with this same issue. Can someone post the magic Squid config that makes ASA/wccp/Squid work with https? Mark007 help?
There are quite a few steps involved in getting WCCP to work with https, at least in getting Squid to pass traffic. Most articles I've read involve SSL decryption, which is possible, but requires many more pieces of infrastructure to work properly. I would try to get the WCCP dynamic service 70 working and have Squid pass that traffic type first.
The next steps involve ssl-bump, which inspects the SSL traffic by man-in-the-middle. For this to work you will need to sign a sub CA from a trusted root CA; it can be 3rd party, but if in a Windows domain usually the internal root CA does this. Squid will dynamically sign certs for SSL web sites with this sub CA, which needs to be trusted by each user. Easier when under a Windows domain and you can push it out to all the users automatically. Else you will get a certificate untrusted or mismatch error.

I've written an article that goes into depth on the relationship between Cisco ASA and Squid Proxy server using WCCP forwarding.
http://thejimmahknows.com/proxy-wccp...asa-squid-3-4/

Let me know if you get this going and if you are looking for SSL inspection/decryption.

Hope this helps..cheers.

Last edited by thejimmahknows; 12-04-2014 at 10:36 AM.
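Added example, not from the post above or the linked article: the sub-CA request, a check that the returned certificate is actually a CA, and the Squid 3.4 ssl-bump lines for the interception step the post describes. The directory paths, ssl_crtd location, subject name and intercept port 3129 are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's, nor from the linked article): the sub-CA
# and Squid 3.4 ssl-bump settings for intercepted HTTPS. Assumed paths:
# /etc/squid/ssl for the sub-CA, /var/lib/squid/ssl_db for minted certificates,
# /usr/lib64/squid/ssl_crtd as the helper, 3129 as the intercept port.
SSL_DIR=/etc/squid/ssl
DB_DIR=/var/lib/squid/ssl_db
CRTD=/usr/lib64/squid/ssl_crtd

# 1. Key and CSR for the sub-CA. The CSR is signed by the organisation's root
#    CA (the internal Windows CA in a domain) with the CA basic constraint.
#    Only the resulting certificate (squid-ca.pem) is pushed to clients;
#    the private key is generated here and never leaves the proxy host.
make_subca_request() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$SSL_DIR/squid-ca.key" -out "$SSL_DIR/squid-ca.csr" \
        -subj "/O=Example Org/CN=Example Squid Intercept CA"
    chmod 600 "$SSL_DIR/squid-ca.key"
}

# 2. Before trusting the returned certificate: a sub-CA issued without
#    CA:TRUE makes every certificate Squid mints invalid for clients.
subca_is_usable() {
    openssl x509 -in "$SSL_DIR/squid-ca.pem" -noout -text | grep -q 'CA:TRUE'
}

# 3. squid.conf lines: intercept 443, bump with the sub-CA, cache minted
#    certificates, and keep upstream certificate errors fatal so bumping
#    does not hide a bad server certificate from the user.
ssl_bump_conf() {
    cat <<EOF
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=$SSL_DIR/squid-ca.pem key=$SSL_DIR/squid-ca.key
ssl_bump server-first all
sslproxy_cert_error deny all
sslcrtd_program $CRTD -s $DB_DIR -M 4MB
sslcrtd_children 5
EOF
}

# 4. One-time initialisation of the certificate cache, owned by the squid user.
init_cert_db() {
    "$CRTD" -c -s "$DB_DIR" -M 4MB
    chown -R squid:squid "$DB_DIR"
}
```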
 
  

