Re: [squid-users] Squid + SLB + Transparent Mode (policy based routing)

From: Valton Hashani <valton@dont-contact.us>
Date: Wed, 25 Feb 2004 16:06:09 +0100

Hi Henrik,

Thanks for the quick reply. I am aware of the three options you listed in
order to make this work.
The problem is that with our existing network design it is impossible to
implement any of those options. I was aware of these options for quite a
while.
I seriously doubt that my WCCP configuration was wrong, since I dedicated a
lot of time to it, and the fact that you also list the three options proves that
my WCCP configuration was alright. I am just saying that everything worked
fine with WCCP but with our network setup we couldn't use any of these 3
options (https:// matter). As far as option b) is concerned, due to the fact
that we use transparent caches, it doesn't apply.
I had to find a solution for my network setup and with this and the previous
email I just wanted to thank you and the entire list for the help that you
have provided me so far.

Regards
Valton Hashani

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Valton Hashani" <valton@ipko.org>
Cc: "Henrik Nordstrom" <hno@squid-cache.org>; <squid-users@squid-cache.org>
Sent: Wednesday, February 25, 2004 2:41 PM
Subject: Re: [squid-users] Squid + SLB + Transparent Mode (policy based
routing)

> On Wed, 25 Feb 2004, Valton Hashani wrote:
>
> > I have tried using WCCP with Cisco 7200 but I had problems opening SSL
> > pages. Sometimes it worked sometimes not.
>
> This is most likely not due to WCCP but due to interception of http
> traffic. WCCP is not at all involved on SSL requests, and neither is any
> other interception method.
>
> Many web sites dislike https:// requests coming from a different address
> than the http:// requests initiating the session.
>
> As https:// is not intercepted but routed like any other traffic, the
> requests arrive with the real client IP address.
>
> To get around this you have three options
>
> a) NAT the traffic outside the proxy and clients, making sure that both
> intercepted and normally routed traffic uses the same source IP address.
>
> b) Have the clients configured to use the proxy.
>
> c) Add access lists to your intercepting routers to not intercept sites
> where this is a problem.
>
> > I tried every possibility (using
> > different squid directives) to make it work and got various answers from
> > this mailing list, but I didn't find any stable solution. So I decided to
> > use policy based routing for transparent mode. This worked and it is still
> > working very well.
>
> Then something was seriously wrong in your WCCP setup.
>
> Regards
> Henrik
>
>
Received on Wed Feb 25 2004 - 08:06:08 MST