Re: [squid-users] Intercepting HTTPS with WCCPv2

From: Adrian Chadd <adrian@dont-contact.us>
Date: Wed, 20 Dec 2006 14:22:39 +0800

On Wed, Dec 20, 2006, Jason Taylor wrote:
> Hi all,
>
> Is it possible to intercept https traffic with wccpv2 and squid 2.6?
> The Cisco documentation leads me to believe that it is possible, at
> least with the Cisco Web Cache Engine.
>
> I have heard that transparent proxying of https does not work, but
> what about intercept proxying?

The trouble is breaking the end-to-end-ness. I think it'd be fine
if you ran Squid in TPROXY mode and had all the SSL connections redirected
and spoofed accordingly. Then both ends think they're talking directly
to each other.

Things might only partially break if TPROXY isn't enabled. The server
would see the connection from the Squid IP, not the client IP, but the client
wouldn't know the connection was being redirected. Unless, of course,
the server is doing some kind of IP based authentication or whatnot.

It's a good idea if only to enable ACL processing on the source/destination
IPs.

I could always whip up something for Squid-2.6 if there's enough interest.

> WCCP2 works just fine for port 80 as I am using the "standard" config.
> If I wish to add in more http ports, I will have to move to a
> "dynamic" config and create all my service-definitions.
> Do these service-ids have to map to anything specific or are the
> numbers more or less arbitrary?

Nope, dynamic service ids are arbitrary.

Adrian
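An added illustration of the "dynamic" service definition the question asks about, written for this archive page and not taken from the thread or from the Squid project. It shows the Squid 2.6 side and the matching Cisco IOS side for redirecting two plain HTTP ports under one arbitrary dynamic service id. The router address 192.0.2.1, the cache address 192.0.2.10, the service id 80, the extra port 8080 and the interface name are all assumed values for the example.

```conf
# --- squid.conf (Squid 2.6), assumed example values ---
# The router that speaks WCCPv2 to this cache.
wccp2_router 192.0.2.1

# Replaces the built-in "standard 0" (web-cache) service with a dynamic
# one. The number is arbitrary; it only has to match the router side.
wccp2_service dynamic 80

# The service definition the router will learn from Squid:
#   protocol=tcp        redirect TCP only
#   flags=src_ip_hash   spread clients across caches by source IP
#   priority=240        higher than the standard web-cache service
#   ports=80,8080       the HTTP ports to intercept (max 8 per service)
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80,8080

# Redirected traffic lands on an intercepting http_port.
http_port 3128 transparent

# --- Cisco IOS side, same service id ---
# ip wccp 80
# interface GigabitEthernet0/0
#  ip wccp 80 redirect in
```

Note the mismatch Adrian describes: with only `transparent`, the origin server sees 192.0.2.10 (the cache) as the client, so any server-side IP-based access control now evaluates the cache's address rather than the user's. If the `tproxy` option is used instead so the client address is preserved, the server's replies are addressed to the client and must also be redirected back through the cache (a second service on the return path with the `ports_source` flag and `redirect out` on the router), otherwise the spoofed connection never completes.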
Received on Tue Dec 19 2006 - 23:20:20 MST
