On Wed, Dec 20, 2006, Jason Taylor wrote:
> Hi all,
>
> Is it possible to intercept https traffic with wccpv2 and squid 2.6?
> The Cisco documentation leads me to believe that it is possible, at
> least with the Cisco Web Cache Engine.
>
> I have heard that transparent proxying of https does not work, but
> what about intercept proxying?

The trouble is breaking the end-to-end-ness. I think it'd be fine if you ran Squid in TPROXY mode and had all the SSL connections redirected and spoofed accordingly. Then both ends think they're talking directly to each other.

Things might only partially break if TPROXY isn't enabled. The server would see the connection from the Squid IP, not the client IP, but the client wouldn't know the connection was being redirected. Unless, of course, the server is doing some kind of IP-based authentication or whatnot.

It's a good idea if only to enable ACL processing on the source/destination IPs. I could always whip up something for Squid-2.6 if there's enough interest.

> WCCP2 works just fine for port 80 as I am using the "standard" config.
> If I wish to add in more http ports, I will have to move to a
> "dynamic" config and create all my service-definitions.
> Do these service-ids have to map to anything specific or are the
> numbers more or less arbitrary?

Nope, dynamic service ids are arbitrary.

Adrian
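For reference, here is what the move from the "standard" web-cache service to a "dynamic" WCCPv2 service looks like on both sides. This is an added example, not configuration posted by Jason or Adrian: the router address 192.0.2.1, the Squid host address 192.0.2.10, the interface names and the service id 80 are all assumptions. The one constraint on the id is that WCCPv2 reserves 51-255 for dynamic services (0-50 are the well-known ones such as web-cache), so pick from that range and use the same number on the router and in squid.conf. Port 443 is deliberately not in the port list: redirecting it to an http_port just breaks the TLS handshake, which is the end-to-end problem discussed above.

```conf
# --- squid.conf (Squid 2.6) -------------------------------------------
# Intercepted connections land here; "transparent" tells Squid to
# recover the original destination from the redirected socket.
http_port 3128 transparent

wccp2_router 192.0.2.1          # assumed router address
wccp2_forwarding_method 1       # 1 = GRE encapsulation, 2 = L2 rewrite
wccp2_return_method 1
wccp2_assignment_method 1       # 1 = hash assignment

# Dynamic service id 80 (assumption; any id 51-255 works, but it must
# match the router). ports= is the list the router will redirect.
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80,8080

# --- Cisco IOS side (same service id) --------------------------------
# ip wccp version 2
# ip wccp 80
# interface FastEthernet0/0          ! assumed client-facing interface
#  ip wccp 80 redirect in

# --- Linux side of the Squid host (GRE return path + redirect) -------
# ip tunnel add wccp0 mode gre remote 192.0.2.1 local 192.0.2.10 dev eth0
# ip link set wccp0 up
# iptables -t nat -A PREROUTING -i wccp0 -p tcp -m multiport \
#     --dports 80,8080 -j REDIRECT --to-port 3128
```

The check worth making: the REDIRECT rule is bound to the GRE interface (`-i wccp0`) and not to `eth0`, so Squid's own outbound connections to origin servers are never redirected back into Squid. If the router also sees Squid's outbound traffic on the redirected interface, exclude the Squid host with a redirect-list on the router, otherwise you get a forwarding loop rather than a cache.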
