<div dir="ltr"><p>Hello everyone,</p>
<p>I am currently deploying Squid 3.5.12 on Ubuntu Xenial for URL filtering over multiple VLANs using WCCP.</p>
<p><strong>Context:</strong></p>
<ul>
<li>
<p>HTTP traffic is successfully redirected from my Cisco router to Squid via WCCP (Service 0).</p>
</li>
<li>
<p>HTTPS traffic is redirected via WCCP (Service 70), GRE tunnel works, redirection appears fine on the router side.</p>
</li>
<li>
<p>On my Squid box, iptables properly redirects:</p>
<ul>
<li>
<p>TCP 80 → 3127 (intercept)</p>
</li>
<li>
<p>TCP 443 → 3128 (ssl-bump)</p>
</li>
</ul>
</li>
<li>
<p>My Squid config listens properly on 3127 and 3128 with ssl-bump.</p>
</li>
</ul>
<p><strong>Problem:</strong></p>
<ul>
<li>
<p>HTTP filtering works perfectly via WCCP.</p>
</li>
<li>
<p>HTTPS connections show <strong>no traffic hitting Squid's 3128 port</strong> (confirmed via <code>access.log</code> and <code>ss -tulnp</code>).</p>
</li>
<li>
<p>Yet WCCP router counters show packets being redirected for HTTPS.</p>
</li>
<li>
<p>If I manually configure the proxy on a browser, both HTTP and HTTPS are filtered correctly.</p>
</li>
<li>
<p>If I disable ssl-bump and WCCP for HTTPS, normal navigation resumes.</p>
</li>
</ul>
<p><strong>iptables NAT rules:</strong></p>
<p>REDIRECT tcp -- gre1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3127<br>
REDIRECT tcp -- gre1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3128</p>
<p><strong>Squid config (extract):</strong></p>
<p>http_port 3127 intercept<br>
http_port 3128 ssl-bump cert=/etc/squid/ssl_sert/myCA.pem key=/etc/squid/ssl_sert/ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB<br>
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB<br>
<br>
acl step1 at_step SslBump1<br>
ssl_bump peek step1<br>
ssl_bump bump all</p>
<div><br></div><div><p><strong>Questions:</strong></p>
<ol>
<li>
<p>Why does HTTPS via WCCP not reach Squid 3128 (ssl-bump) while HTTP works fine?</p>
</li>
<li>
<p>Is my WCCP setup wrong for HTTPS? I use service ID 70 with destination port 443.</p>
</li>
<li>
<p>Could the lack of DNS resolution or browser certificate trust cause the traffic not to appear at all in Squid logs?</p>
</li>
<li>
<p>Am I missing something obvious between the router WCCP and Squid’s ssl-bump setup?</p>
</li>
</ol>
<p>Thank you in advance for any suggestions or troubleshooting steps.</p>
<p>Best regards,</p><p>Assoham</p></div></div>
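<p>An added example, not part of the original post: a small Python check that cross-references NAT REDIRECT targets with the squid.conf listeners they land on, flagging a redirected port whose listener is not in intercept mode or is http_port where https_port is expected. The sample inputs are constructed from the rules and config quoted in the post; the function names are hypothetical, and treating dpt:443 as TLS is an assumption.</p>

```python
import re

# Constructed sample input, shaped like the rules and config quoted in the post.
NAT_RULES = """\
REDIRECT tcp -- gre1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3127
REDIRECT tcp -- gre1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3128
"""
SQUID_CONF = """\
http_port 3127 intercept
http_port 3128 ssl-bump cert=/etc/squid/ssl_sert/myCA.pem key=/etc/squid/ssl_sert/ca-key.pem generate-host-certificates=on
"""

def parse_redirects(text):
    """Map original destination port -> local port from REDIRECT rule lines."""
    pat = re.compile(r"REDIRECT\s+tcp\b.*?dpt:(\d+)\s+redir ports (\d+)")
    return {int(m.group(1)): int(m.group(2)) for m in pat.finditer(text)}

def parse_listeners(text):
    """Map local port -> (directive, set of option names) from squid.conf."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] in ("http_port", "https_port"):
            port = int(fields[1].rsplit(":", 1)[-1])  # accepts "addr:port" too
            listeners[port] = (fields[0], {f.split("=", 1)[0] for f in fields[2:]})
    return listeners

def check(nat_text, conf_text):
    """Return (dport, local_port, message) for each redirect/listener mismatch."""
    findings = []
    listeners = parse_listeners(conf_text)
    for dport, local in sorted(parse_redirects(nat_text).items()):
        if local not in listeners:
            findings.append((dport, local, "no Squid listener on this port"))
            continue
        directive, opts = listeners[local]
        # A port fed by NAT REDIRECT must be declared with the intercept flag.
        if "intercept" not in opts:
            findings.append((dport, local, "listener lacks intercept mode"))
        # Assumption: traffic originally sent to 443 is raw TLS, so https_port.
        want = "https_port" if dport == 443 else "http_port"
        if directive != want:
            findings.append((dport, local, f"expected {want}, found {directive}"))
    return findings

if __name__ == "__main__":
    for dport, local, msg in check(NAT_RULES, SQUID_CONF):
        print(f"dpt:{dport} -> {local}: {msg}")
```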