[squid-users] Cisco ASA with transparent Squid with HTTP/HTTPS filtering

Yuri Voinov yvoinov at gmail.com
Wed Dec 14 16:10:43 UTC 2016



14.12.2016 21:59, Yuri Voinov пишет:
>
>
>
> 14.12.2016 21:08, Rafael Akchurin пишет:
>>
>> Hello everyone,
>>
>>  
>>
>> After pulling all my hair out and reading every possible howto on the
>> Internet for Cisco ASA integration with Squid using WCCP I have
>> decided to write my own. The how to is at
>> https://docs.diladele.com/tutorials/web_filter_https_squid_cisco_wccp/index.html.
>> Please note it is aimed at those with minimal admin skills and
>> contains every single step thoroughly described (mostly for myself
>> not to forget anything).
>>
Raf, one more note. WCCP is never be easy for junior admins. Especially
with minimal admin skills. As by ASA ;) And (by my own opinion) Squid +
WCCP for any infrastructure never been simple task and will never be
simple task. ;) Warn you readers, not mislead them, though it is a very
simple task.
>>
>>  
>>
>> May I get your opinions/ideas if what is written is good enough for
>> the novice admin?
>>
>>  
>>
>> Moreover several question remain:
>>
>>  
>>
>> 1.      Does Squid perform fake CONNECT requests with SNI info
>> instead of raw IP like I am seeing now?
>>
>> 2.      Why HTTPS redirection only works with “wccp2_service_info 70
>> protocol=tcp flags=*dst_ip_hash* priority=240 ports=443” (all other
>> flags from wccp configuration section in squid.conf do not work).
>>
> Because of ASA is router. Cisco routers uses HASH as assignment method.
>>
>> 3.      How to bypass connections from workstations to specific
>> remote sites by FQDN on Cisco ASA?
>>
> In fact this will occurs by IP anyway. Cisco devices do DNS lookup and
> saves IP's in config instead of FQDN.
>>
>> 4.      Or maybe it is better to exclude them (3) from SSL bump on
>> Squid using ssl::server_name by splicing?
>>
> Depending your requirements.
>>
>>  
>>
>> Thanks in advance for everyone who responds.
>>
>>  
>>
>> Best regards,
>>
>> Rafael Akchurin
>>
>> Diladele B.V.
>>
>>  
>>
>> --
>>
>> Please take a look at Web Safety - our ICAP based web filter server
>> for Squid proxy at https://www.diladele.com
>>
>>
>>
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
>
> -- 
> Cats - delicious. You just do not know how to cook them.

-- 
Cats - delicious. You just do not know how to cook them.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161214/5f8add4c/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161214/5f8add4c/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20161214/5f8add4c/attachment.sig>


More information about the squid-users mailing list