WCCP with https redirection on ASA

mrbzumrbzu (Level 1)

Hi All,

I have tried WCCP HTTP redirection on the firewall with a Squid server and it runs OK. Then I tried WCCP HTTPS redirection on the firewall; it is not working, the request goes straight through the firewall. Does WCCP support HTTPS redirection, or does it only work for HTTP? Your answer will be appreciated.

Regards

25 Replies

Panos Kampanakis (Cisco Employee)

You are right, it will not work, for the reason that you mentioned.

PK

I will be looking into using the VPN Tunnel Default Gateway feature as discussed here: https://cisco-support.hosted.jivesoftware.com/thread/2011160

I should be able to set an internal layer 3 switch as the Tunnel Default Gateway and have all VPN traffic go inside, then be routed back out and subjected to the web filter (either inline or WCCP). I'll post my result in a few weeks.

Panos Kampanakis (Cisco Employee)

It should work fine.

Make sure the squid service that the PIX is using has the https and ftp ports in it.

PK

OK, here is what the PIX responds:

pix# show wccp

Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            1890789
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   1
        Total Packets Unassigned:            68
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

and some strings from squid.conf:

wccp2_router 123.45.67.89

wccp2_service standard 0
wccp2_service dynamic 70

wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443

The ASA is recognizing the squid server for service 70, but not redirecting anything. I'm not sure if this is the only problem, but I do see one mistake in your squid config.

The format is:

  wccp2_service_info <id> protocol=<tcp|udp> flags=<flag>,... priority=<n> ports=<port>,...

You are missing the "s" in "ports=443".

Thanks,

Brendan

Is the https hitting the web-cache service redirect ACL?

If it is matching on this one then it will not move to service 70.

PK

No, how can I check this? On the squid server there is no activity at all for https requests.

Vladimir,

You need to configure SSL on squid in order to support https on squid. Note: Squid transparent mode will not work if you are going to use SSL on squid.

http://www.vmwareandme.com/2013/10/guide-how-to-redirect-http-traffic-from_23.html

Did you figure it out?

I have the same issue, can you help me with this case?

Thanks.

To intercept SSL connections, you need to have the following:

  1. Cisco device (router, switch, pix, whatever) configured for service 70.
  2. Squid also configured for service 70.
  3. https_port configured in Squid, set to transparent mode.
  4. Get the traffic coming down the GRE tunnel into Squid.

Regarding step 1, there's plenty of config around, on a router mine looks like this:

ip wccp 70 redirect-list 102

Step 2 is where you tell Squid that it needs to register with the router, so the router adds it to the list of available caches it can send traffic to.  The config to do this for service 70 looks like this:

wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,src_port_alt_hash priority=240 ports=443

That handles the WCCP side of things, but Squid needs a port set up to handle the traffic. Here's what I've got:

https_port 3129 intercept ssl-bump cert=/var/squid/sslbump/localhost.crt key=/var/squid/sslbump/localhost.key

I'm not sure but I think any https_port running in intercept mode also needs ssl-bump specified, which means you need to generate a self-signed CA certificate/key pair before you can apply that part of the config.  Instructions on how to do this are pretty common so I won't repeat here.

Then lastly you need to get the traffic into Squid somehow. Here's how I've done it in iptables, with traffic egressing the tun0 interface:

iptables -t nat -A PREROUTING -i tun0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.159.192.24:3129

There are some clever tricks required to make all this work, mostly around what Squid does with the SSL connections that it sees.  It's (mostly) not compatible with upstream proxies.  You also need to stop it trying to bump connections if your clients aren't prepared to accept the forged certificate it returns when doing so.

I know your original question was around how to get SSL working on the Cisco side of things, but it is vital to understand how Squid handles this.  Check this guide for info: http://wiki.squid-cache.org/Features/SslPeekAndSplice

Good luck :)
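The thread above was stalled for a while by two things that are visible in the artifacts already posted: the ASA's `show wccp` shows service 70 with a registered cache engine but zero redirected packets, and the squid.conf line uses `port=443` where Squid expects `ports=`. The script below is an added example written for this page, not code from any of the posters, Cisco or the Squid project. It parses the two artifacts as posted (the `show wccp` output and the squid.conf lines are embedded here as constructed sample strings copied from the thread), cross-checks them, and reports the findings a practitioner would want before touching iptables or ssl-bump. It assumes the `show wccp` counter layout shown above and the `wccp2_service_info` key set from the Squid documentation (protocol, flags, priority, ports).

```python
"""Cross-check an ASA/PIX `show wccp` dump against Squid's wccp2_* directives.

Example code for this thread (not Cisco's or Squid's). Assumptions:
  * `show wccp` prints one "Service Identifier:" block per service, each
    counter on its own "Name:   value" line (layout as quoted in the thread).
  * wccp2_service_info accepts exactly the keys protocol, flags, priority,
    ports (per squid.conf.documented).
"""
import re

# Constructed sample input: the `show wccp` output quoted earlier in the thread.
SHOW_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.1.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            1890789
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   1
        Total Packets Unassigned:            68
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 70
        Number of Cache Engines:             1
        Number of routers:                   1
        Total Packets Redirected:            0
        Redirect access-list:                wccp_redirect
        Total Connections Denied Redirect:   0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

# Constructed sample input: the squid.conf lines quoted earlier (with the typo).
SQUID_CONF = """\
wccp2_router 123.45.67.89
wccp2_service standard 0
wccp2_service dynamic 70
wccp2_service_info 70 protocol=tcp flags=src_ip_hash,ports_source priority=240 port=443
"""

SERVICE_RE = re.compile(r"^\s*Service Identifier:\s+(\S+)\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z -]+?):\s+(\S+)\s*$")
SERVICE_INFO_KEYS = ("protocol", "flags", "priority", "ports")


def parse_show_wccp(text):
    """Return {service_id: {counter_name: value}}; numeric counters become ints."""
    services, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            services[current] = {}
            continue
        m = COUNTER_RE.match(line) if current else None
        if m:
            name, value = m.group(1).strip(), m.group(2)
            services[current][name] = int(value) if value.isdigit() else value
    return services


def parse_squid_wccp(text):
    """Return (dynamic service ids, {id: {key: value}}, list of syntax problems)."""
    dynamic, info, problems = set(), {}, []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tokens:
            continue
        if tokens[0] == "wccp2_service" and len(tokens) == 3 and tokens[1] == "dynamic":
            dynamic.add(tokens[2])
        elif tokens[0] == "wccp2_service_info" and len(tokens) >= 2:
            sid, kv = tokens[1], {}
            for token in tokens[2:]:
                key, _, value = token.partition("=")
                if key not in SERVICE_INFO_KEYS:   # catches port= vs ports=
                    problems.append(f"wccp2_service_info {sid}: unknown key '{key}=' "
                                    f"(valid keys: {', '.join(SERVICE_INFO_KEYS)})")
                    continue
                kv[key] = value
            info[sid] = kv
    return dynamic, info, problems


def diagnose(show_wccp_text, squid_conf_text):
    """Cross-check both views of every dynamic service and return findings."""
    services = parse_show_wccp(show_wccp_text)
    dynamic, info, findings = parse_squid_wccp(squid_conf_text)
    for sid in sorted(dynamic):
        kv = info.get(sid)
        if kv is None:
            findings.append(f"service {sid}: wccp2_service dynamic {sid} has no wccp2_service_info line")
            continue
        if "ports" not in kv:
            findings.append(f"service {sid}: no ports= in wccp2_service_info, so the router "
                            "has no port list to match HTTPS (443) on")
        counters = services.get(sid)
        if counters is None:
            findings.append(f"service {sid}: not present in show wccp (not configured on the ASA?)")
            continue
        if counters.get("Number of Cache Engines", 0) == 0:
            findings.append(f"service {sid}: ASA lists no cache engine (Squid never registered)")
        elif counters.get("Total Packets Redirected", 0) == 0:
            findings.append(f"service {sid}: cache engine registered but Total Packets Redirected is 0; "
                            "check the redirect ACL, the interface redirect statement and the service ports")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_WCCP, SQUID_CONF):
        print(finding)
```

Run against the thread's own artifacts it reports three findings: the unknown `port=` key, the resulting absence of a port list for service 70, and the zero redirect counter despite a registered cache engine. Fixing the typo removes the first two; the third is the symptom to keep watching on the ASA while the redirect ACL and interface statement are checked.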
