[squid-users] Cisco ASA with transparent Squid with HTTP/HTTPS filtering

Rafael Akchurin rafael.akchurin at diladele.com
Wed Dec 14 15:08:24 UTC 2016

Hello everyone,

After pulling all my hair out and reading every possible howto on the Internet for Cisco ASA integration with Squid using WCCP, I have decided to write my own. The how-to is at https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html. Please note it is aimed at those with minimal admin skills and contains every single step thoroughly described (mostly for myself not to forget anything).

May I get your opinions/ideas on whether what is written is good enough for the novice admin?

Moreover, several questions remain:

1. Does Squid perform fake CONNECT requests with SNI info instead of raw IP like I am seeing now?

2. Why does HTTPS redirection only work with "wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443" (all other flags from the wccp configuration section in squid.conf do not work)?

3. How to bypass connections from workstations to specific remote sites by FQDN on Cisco ASA?

4. Or maybe it is better to exclude them (3) from SSL bump on Squid using ssl::server_name by splicing?

Thanks in advance to everyone who responds.

Best regards,
Rafael Akchurin
Diladele B.V.

Please take a look at Web Safety - our ICAP based web filter server for Squid proxy at https://www.diladele.com