On Mon, 22 Mar 2004, David Stout wrote:

> The problem came from the fact we could no longer connect to any
> websites requiring a HTTPS connection. No Yahoo mail, no Hotmail would
> work.

This is usually not related to https, but to certain web sites requiring
that the user comes from the same IP address on HTTP and HTTPS. When you
use WCCP you intercept the HTTP requests and send them to the proxy, but
HTTPS (or other non-port-80 traffic) is still sent out directly with the
client's original IP.

> So originally I noticed that our firewall was sending HTTP traffic
> to the internet using its management public IP address, and all HTTPS
> traffic was going via the NAT rules in the firewall. This would mean the
> web server would see HTTP and HTTPS from different public IPs and
> close the connection. I have since corrected this minor issue so that
> the authenticating web servers will see the HTTP and HTTPS traffic from
> the same public IP address.

Please double-check this is the case. Your proxy server is not at all
involved in HTTPS traffic, only HTTP.

> I am unable to find out from the Cisco web site if the router is
> forwarding the HTTPS to the cache (I am installing a sniffer today so
> I'll get back to you on that).

It is not, and it must not. WCCP is not a substitute for proxy settings
in the browser. It is just a dirty hack to still survive even if the
browser is not configured correctly.

> Now it strikes me as odd that this would happen on every WCCP + Squid
> install but there seems no immediate solution (I am trawling the
> archives as well though in case I missed it (although search didn't
> throw up too much)).

For all installations I know of this problem has been solved by NAT to
make direct client accesses and accesses via the proxy use the same IP.

In a few very rare cases exceptions are needed to have certain sites
bypass the proxy completely, but none of the sites you mentioned fall
into this category.

Regards
Henrik
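An added example, not part of the original message: one way to double-check the NAT alignment discussed above is to compare, from firewall translation records, the public IP used for the proxy's outbound port-80 traffic with the public IP used for each client's direct port-443 traffic. The log format, the `PROXY_IP` value and all addresses are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed firewall NAT records in a hypothetical "src/dport/egress" format;
# adapt LINE_RE to whatever your firewall's translation log actually emits.
BEFORE = """\
nat src=10.1.1.5 dport=80 egress=192.0.2.1
nat src=10.1.1.20 dport=443 egress=192.0.2.77
nat src=10.1.1.21 dport=443 egress=192.0.2.77
unrelated line that the parser skips
"""
# Same flows after the NAT rules were aligned (also constructed).
AFTER = BEFORE.replace("egress=192.0.2.1", "egress=192.0.2.77")

PROXY_IP = "10.1.1.5"  # assumed internal address of the Squid host
LINE_RE = re.compile(r"src=(\S+) dport=(\d+) egress=(\S+)")


def egress_mismatches(log, proxy_ip=PROXY_IP):
    """Map each client to the HTTPS egress IPs the proxy never uses for HTTP."""
    proxy_http = set()                 # public IPs seen on proxy -> port 80
    client_https = defaultdict(set)    # client -> public IPs on direct 443
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dport, egress = m.group(1), int(m.group(2)), m.group(3)
        if src == proxy_ip and dport == 80:
            proxy_http.add(egress)
        elif src != proxy_ip and dport == 443:
            client_https[src].add(egress)
    return {
        client: sorted(ips - proxy_http)
        for client, ips in client_https.items()
        if ips - proxy_http
    }


if __name__ == "__main__":
    for label, log in (("before", BEFORE), ("after", AFTER)):
        print(label, egress_mismatches(log) or "HTTP and HTTPS share an egress IP")
```

An empty result means every client's direct HTTPS traffic leaves from an address the proxy also uses for HTTP, which is the condition the sites in question expect.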
