<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE----- <br>
Hash: SHA1 <br>
<br>
Sure.<br>
<br>
Squid 3 WCCP key config part:<br>
<br>
# WCCPv2 parameters<br>
wccp2_router 192.168.200.2<br>
wccp2_forwarding_method l2<br>
wccp2_return_method l2<br>
wccp2_service standard 0<br>
wccp2_rebuild_wait off<br>
wccp2_service standard 0<br>
wccp2_service dynamic 70<br>
wccp2_service_info 70 protocol=tcp
flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=240
ports=443<br>
<br>
Cisco config key parts:<br>
<br>
!<br>
ip wccp web-cache redirect-list 120<br>
ip wccp 70 redirect-list 121<br>
!<br>
!<br>
! This interface look to Squid proxy (internal networks on another
interface)<br>
interface GigabitEthernet0/1<br>
ip address 192.168.200.2 255.255.255.0<br>
ip wccp web-cache redirect out<br>
ip wccp 70 redirect out<br>
ip nbar protocol-discovery<br>
ip virtual-reassembly in<br>
duplex auto<br>
speed auto<br>
!<br>
access-list 120 remark ACL for HTTP WCCP<br>
access-list 120 remark Squid proxies bypass WCCP<br>
access-list 120 deny ip host 192.168.200.3 any<br>
access-list 120 remark LAN clients proxy port 80<br>
access-list 120 permit tcp 192.168.0.0 0.0.255.255 any eq www<br>
access-list 120 remark all others bypass WCCP<br>
access-list 120 deny ip any any<br>
!<br>
access-list 121 remark ACL for HTTPS WCCP<br>
access-list 121 remark Squid proxies bypass<br>
access-list 121 deny ip host 192.168.200.3 any<br>
access-list 121 remark LAN clients proxy port 443<br>
access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443<br>
access-list 121 remark all others bypass WCCP<br>
access-list 121 deny ip any any<br>
!<br>
<br>
That's all. :)<br>
<br>
31.12.2014 2:10, Rafael Akchurin пишет:<br>
<span style="white-space: pre;">><br>
> Glad that it worked.<br>
><br>
> May be useful to dump here your squid.conf to better
understand how to configure squid to transparently work with wccp
traffic coming from your Cisco router?<br>
><br>
> Raf<br>
><br>
> <br>
><br>
> *From:*Yuri Voinov [<a class="moz-txt-link-freetext" href="mailto:yvoinov@gmail.com">mailto:yvoinov@gmail.com</a>]<br>
> *Sent:* Tuesday, December 30, 2014 8:48 PM<br>
> *To:* Rafael Akchurin; <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
> *Subject:* Re: [squid-users] Squid 3 SSL bump: Google drive
application could not connect<br>
><br>
> <br>
><br>
><br>
> Already found this lonely right post ;) I have Google-Fu too
:) And it longer than you :)<br>
><br>
> Anyway,<br>
><br>
> all of these issues solved.<br>
><br>
> I have snoop (not Windoze wireshark - all great things makes
in console, ya!) and take a look on single client traffic during
bumping.<br>
><br>
> As I haven't iptables (no penguins, please!), but I have
Cisco 2911, I pass some Windows Update, Symantec Update (which is
not work too) bypassing Squid.<br>
><br>
> Cisco is greatest. All others are probably suxx :)<br>
><br>
> The complete solution looks like:<br>
><br>
> access-list 121 remark ACL for HTTPS WCCP<br>
> access-list 121 remark Squid proxies bypass<br>
> access-list 121 deny ip host 192.168.200.3 any<br>
> access-list 121 remark WU bypass<br>
> access-list 121 deny tcp any 191.232.0.0 0.7.255.255<br>
> access-list 121 deny tcp any 65.52.0.0 0.3.255.255<br>
> access-list 121 remark Symantec bypass<br>
> access-list 121 deny tcp any host 195.215.221.99<br>
> access-list 121 deny tcp any host 195.215.221.104<br>
> access-list 121 deny tcp any host 213.248.114.172<br>
> access-list 121 deny tcp any host 213.248.114.173<br>
> access-list 121 deny tcp any host 213.248.114.174<br>
> access-list 121 deny tcp any host 213.248.114.175<br>
> access-list 121 deny tcp any host 77.67.22.168<br>
> access-list 121 deny tcp any host 77.67.22.171<br>
> access-list 121 deny tcp any host 77.67.22.173<br>
> access-list 121 deny tcp any host 213.248.114.171<br>
> access-list 121 remark LAN clients proxy port 443<br>
> access-list 121 permit tcp 192.168.0.0 0.0.255.255 any eq 443<br>
> access-list 121 remark all others bypass WCCP<br>
> access-list 121 deny ip any any<br>
><br>
> So, all others issue solves similar.<br>
><br>
> Want to do something good - do it yourself!<br>
><br>
> That's the way. :)<br>
><br>
> 30.12.2014 23:39, Rafael Akchurin пишет:<br>
><br>
><br>
> > Hello Yuri,<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > Luckily the same topic was just discussed on our
forum –<br>
><br>
> please see if this can help<br>
><br>
>
<a class="moz-txt-link-freetext" href="https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ">https://groups.google.com/d/msg/quintolabs-content-security-for-squid-proxy/GKIV3FpYSBE/9IET-4hg_tEJ</a><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > It describes the iptables settings for successful
SSL bump<br>
><br>
> exclusions for Dropbox clients / Google Drive / iTunes
(bypassing<br>
><br>
> SSL Bump because of SSL Pinning).<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > Best regards,<br>
><br>
><br>
><br>
> > Raf<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > *From:*squid-users<br>
><br>
> [<a class="moz-txt-link-freetext" href="mailto:squid-users-bounces@lists.squid-cache.org">mailto:squid-users-bounces@lists.squid-cache.org</a>] *On
Behalf Of<br>
><br>
> *Rafael Akchurin<br>
><br>
> > *Sent:* Tuesday, December 30, 2014 4:23 PM<br>
><br>
> > *To:* Yuri Voinov;
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> > *Subject:* Re: [squid-users] Squid 3 SSL bump:
Google drive<br>
><br>
> application could not connect<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > Only exclusion from SSL Bump as far as I know.<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > raf<br>
><br>
><br>
><br>
> > -------------------------<br>
><br>
><br>
><br>
> > *From:*Yuri Voinov <<a class="moz-txt-link-abbreviated" href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a><br>
><br>
> <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>><br>
><br>
> > *Sent:* Tuesday, December 30, 2014 3:19 PM<br>
><br>
> > *To:* Rafael Akchurin;
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> <a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> > *Subject:* Re: [squid-users] Squid 3 SSL bump:
Google drive<br>
><br>
> application could not connect<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > May be.<br>
><br>
><br>
><br>
> > Does workaround exists?<br>
><br>
><br>
><br>
> > 30.12.2014 20:09, Rafael Akchurin ?????:<br>
><br>
> > > SSL Pinning? (I know Dropbox does this)<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > my two cents only :)<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > Raf<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > ________________________________________<br>
><br>
><br>
><br>
> > > From: squid-users<br>
><br>
>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a><br>
><br>
><br>
><br>
> > <a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><squid-users-bounces@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a><br>
><br>
>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org"><mailto:squid-users-bounces@lists.squid-cache.org></a>on behalf<br>
><br>
> of Yuri Voinov <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a><br>
><br>
><br>
><br>
> > <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><yvoinov@gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a> <a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a>
<a class="moz-txt-link-rfc2396E" href="mailto:yvoinov@gmail.com"><mailto:yvoinov@gmail.com></a><br>
><br>
><br>
><br>
> > > Sent: Tuesday, December 30, 2014 2:12 PM<br>
><br>
><br>
><br>
> > > To:
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
><br>
><br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> <a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
><br>
><br>
> > > Subject: [squid-users] Squid 3 SSL bump:
Google drive<br>
><br>
> application could not connect<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > Hi gents,<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > I found strange issue.<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > Squid 3.4.10. Intercept. HTTPS bumping. All
works fine.<br>
><br>
> All configs correct.<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > Whenever all web https sites works perfectly
-<br>
><br>
> especially in Chrome,<br>
><br>
><br>
><br>
> > > most cloud clients works like charm
(SpiderOak is!),<br>
><br>
> Google Drive client<br>
><br>
><br>
><br>
> > > application (PC) could not work.<br>
><br>
><br>
><br>
> > > Note: Web Google Docs works. Web Google drive
works.<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > Note: Google support info - even I if pass
dozen Google<br>
><br>
> URL's without<br>
><br>
><br>
><br>
> > > bump - cannot help. It doesn't work when
server-first<br>
><br>
> bumping is on and<br>
><br>
><br>
><br>
> > > works othervise.<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > So, the Serious Question is: Why? :)<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > > Any idea?<br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
><br>
> > >
_______________________________________________<br>
><br>
><br>
><br>
> > > squid-users mailing list<br>
><br>
><br>
><br>
> > >
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
><br>
><br>
> > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
> <a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a>
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users@lists.squid-cache.org"><mailto:squid-users@lists.squid-cache.org></a><br>
><br>
><br>
><br>
> > ><br>
><br>
>
<a class="moz-txt-link-rfc2396E" href="http://lists.squid-cache.org/listinfo/squid-users"><http://lists.squid-cache.org/listinfo/squid-users></a>
<a class="moz-txt-link-rfc2396E" href="http://lists.squid-cache.org/listinfo/squid-users"><http://lists.squid-cache.org/listinfo/squid-users></a><br>
><br>
><br>
><br>
> > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br>
><br>
><br>
><br>
><br>
><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2
<br>
<br>
iQEcBAEBAgAGBQJUowlmAAoJENNXIZxhPexG1ygH/RWXJIeFp4G/B39Ba/4yQ5XS
<br>
R/JmIkMaafDabBe5sPYVdwH7u25cIS7nKvVssme5TVmzcFAZuancr3ZV/ue9OtsH
<br>
jYwWSz/uHz76T6hKHmYB9uq3ESHQrasZ9WC2vfhYd0XR0mHxsn+zjPz34cKqlN5P
<br>
daeTbZGcrw/WyzJxMPRqjBX4nHNnvwb0mpo1htm3KS//yVdZMrNYMwqRR9DcBilE
<br>
rX5bkEjegnqmc7DM73XHu1Lz5SSeKCXttkcz2UAkP6aqRzAazjNBlObHASO9wYgq
<br>
RCsH/GvbNjJWyw7ZrvqxOnwOiMyJhV6L9h3uVM02NxsLzhnNutVl4dymzZHZf3Y=
<br>
=Ls1G
<br>
-----END PGP SIGNATURE-----
<br>
<br>
</body>
</html>