{"id":1958,"date":"2014-12-02T21:23:40","date_gmt":"2014-12-03T02:23:40","guid":{"rendered":"https:\/\/infotechguy.net\/?p=1958"},"modified":"2025-02-22T13:24:33","modified_gmt":"2025-02-22T18:24:33","slug":"proxy-wccp-cisco-asa-squid-3-4","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=1958","title":{"rendered":"Squid Proxy &#8212; Transparent SSL Web Proxy redirection using WCCP, Cisco ASA, and Squid 3.4+"},"content":{"rendered":"<p>I&#8217;ve posted a few articles on how to set up a <a title=\"Squid 3.1 Caching Proxy with SSL\" href=\"https:\/\/infotechguy.net\/squid-3-1-caching-proxy-with-ssl\/\" target=\"_blank\" rel=\"noopener noreferrer\">forwarding proxy using Squid<\/a> and take advantage of features like caching and content blocking (ads, adult, gambling, etc.). This brings centralized web security and delivery to you and your users. However, users must be explicitly configured to use the proxy service: their web browser (Firefox, or even Internet Explorer) has to be set with the DNS name or IP address of the proxy server. That is a problem if you have little or no control over the configuration of your users&#8217; browsers. This is where a content-routing protocol like <a href=\"http:\/\/en.wikipedia.org\/wiki\/Web_Cache_Communication_Protocol\" target=\"_blank\" rel=\"noopener noreferrer\">WCCP (Web Cache Communication Protocol)<\/a> comes into play. With WCCP the gateway itself selects specific user traffic, encapsulates it, and re-routes it to your proxy server. The difference between this and other ways of forcing web traffic to a proxy (like iptables redirection on the gateway) is that the original web packet generated by the user&#8217;s device is not altered. Instead it is encapsulated when it reaches the WCCP server running on the upstream egress router or firewall (the user&#8217;s gateway toward the Internet). 
It is then re-routed, still inside that encapsulation, to your WCCP-aware proxy server.<\/p>\n<p>Before we begin, you will need a few things:<\/p>\n<ul>\n<li>Squid Proxy Server 3.4+ compiled with WCCPv2 support<\/li>\n<li>A router or security device capable of running the WCCPv2 service (<a href=\"http:\/\/en.wikipedia.org\/wiki\/Web_Cache_Communication_Protocol#Products_that_implement_WCCP\" target=\"_blank\" rel=\"noopener noreferrer\">see the vendor list here&#8230;<\/a>)<\/li>\n<li>Some knowledge of web proxy technology.<\/li>\n<li>A web browser to test with.<\/li>\n<li>Your favorite beverage and some patience.<\/li>\n<\/ul>\n<h2>Topology<\/h2>\n<p><strong>Notice:<\/strong> The Cisco ASA only supports a topology where the user subnet(s) and the cache-engine (Squid Proxy server) sit behind the same ASA interface (inside, dmz, etc.). WCCP redirection on the ASA is applied only on the ingress of that one interface, and the cache-engine must be able to reach the clients directly, without its replies crossing the ASA. Keep in mind as well that the interface ACL is evaluated before WCCP redirection, so for example the ACL on your <strong>inside<\/strong> interface must already permit the web traffic before WCCP can redirect it.<\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-flow.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-3411 aligncenter\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-flow-300x293.png\" alt=\"\" width=\"600\" height=\"586\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-flow-300x293.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-flow.png 643w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<ol>\n<li>A user requests a web resource that lives beyond the outside interface (usually the Internet) of the router\/firewall.<\/li>\n<li>The WCCP server (router\/firewall) catches this interesting traffic (the traffic we want to redirect) and encapsulates it in a GRE tunnel to the WCCP client (Squid Proxy server) at the other end of the tunnel.<\/li>\n<li>The WCCP client (Squid Proxy server) decapsulates the GRE payload and fetches the original client request just like 
an ordinary web proxy would.<\/li>\n<li>The WCCP client receives the response from the external web server.<\/li>\n<li>The WCCP client (Squid Proxy server) serves the web page back to the original user with a spoofed source IP address <em>(this is key)<\/em>. The source IP address field of the reply is rewritten to the external web server&#8217;s IP address, so the packet the user receives looks like it came from the external site. Squid does not do this itself; the kernel&#8217;s connection tracking does it when it reverses the DNAT rule we add in step 5 of the Squid section. This is also why the ASA requires the cache-engine and the users on the same interface: the reply goes straight from the proxy to the user and never passes the ASA&#8217;s stateful inspection, which has no record of that connection.<\/li>\n<\/ol>\n<p><!--more--><\/p>\n<p><em><strong>Note:<\/strong> There are only two content re-routing methods available in WCCPv2 to deliver the user&#8217;s original request to the <strong>cache-engine (Squid Proxy server)<\/strong>: Layer 2 rewrite, which rewrites the destination MAC address to push the frame to the <strong>cache-engine<\/strong>, and GRE encapsulation, which wraps the original IP packet in a GRE tunnel that is routed to the <strong>cache-engine<\/strong>. The Layer 2 method is faster and needs less processing power, but it requires the cache-engine on the same Layer 2 segment as the redirecting interface; the GRE method allows redirection across subnets. The Cisco ASA only supports the GRE method, while other Cisco products, like the Catalyst 6500 series or the Cisco Content Engine, support Layer 2 rewrite for WCCPv2.<\/em><\/p>\n<h2>Squid Proxy Section (WCCP Client):<\/h2>\n<p>Our Squid Proxy server acts as the <strong>WCCP client<\/strong>. It is responsible for registering itself with the WCCP server (Cisco ASA) as a cache-engine, and it fetches web content on behalf of the user.<\/p>\n<ol>\n<li>\n<h5>Check Version<\/h5>\n<p>First check your Squid build by running <strong>squid -v<\/strong> and look for <strong>--enable-wccpv2<\/strong> in the configure options it prints (<a href=\"http:\/\/www.squid-cache.org\/Doc\/config\/wccp2_service\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>). 
If you see it, you are good to go and can skip the next step (step 2).<\/li>\n<li>\n<h5>Compile Squid 3.4+ with WCCP support.<\/h5>\n<pre><code>apt-get install libssl-dev build-essential\r\n\r\ncd \/tmp\r\n# verify the tarball against the .asc signature published next to it before building\r\nwget http:\/\/www.squid-cache.org\/Versions\/v3\/3.4\/squid-3.4.8.tar.gz\r\ntar xzvf squid-3.4.8.tar.gz\r\ncd squid-3.4.8\/\r\n\r\n.\/configure --enable-gnuregex --enable-xmalloc-statistics --enable-async-io --enable-icmp --enable-delay-pools --enable-useragent-log --enable-kill-parent-hack --enable-htcp --enable-forw-via-db --enable-cache-digests --enable-dl-malloc --enable-time-hack --enable-err-language=English --prefix=\/usr --sysconfdir=\/etc\/squid --with-default-user=proxy --with-logdir=\/opt\/squid_logs --enable-ssl --enable-ssl-crtd --with-openssl --enable-linux-netfilter --enable-wccpv2\r\n\r\nmake\r\nmake install<\/code><\/pre>\n<p><em>--enable-linux-netfilter is what lets Squid look up the original destination of an intercepted connection in the kernel NAT table; --enable-ssl-crtd is only needed for the optional https section further down.<\/em><\/p>\n<\/li>\n<li>\n<h5>Configuring Squid<\/h5>\n<pre><code># WCCPv2 items\r\n# intercept = treat incoming connections as transparently redirected traffic\r\nhttp_port 3128 intercept\r\n\r\n# wccp_version only applies to the legacy WCCPv1 (wccp_*) directives;\r\n# it is not needed for the wccp2_* directives below\r\n#wccp_version 4\r\n\r\n# the WCCP server (the Cisco ASA inside interface)\r\nwccp2_router 172.16.0.129\r\n\r\n# optional: the source address Squid uses to talk to the router;\r\n# set it if the host has more than one IP address\r\n#wccp2_address 172.16.0.135\r\n\r\n# gre (1) or l2 (2); the ASA only supports gre\r\nwccp2_forwarding_method gre\r\nwccp2_return_method gre\r\n\r\n# standard 0 = the web-cache service (TCP port 80)\r\n# password: 7 characters or less, must match the ASA\r\nwccp2_service standard 0 password=TEST123\r\n<\/code><\/pre>\n<p><strong>NOTE:<\/strong> <em>This is only the WCCP section of squid.conf. You still have to allow your client subnets and the services you want proxied with http_access rules. <a title=\"Squid 3.1 Caching Proxy with SSL\" href=\"https:\/\/infotechguy.net\/squid-3-1-caching-proxy-with-ssl\/\" target=\"_blank\" rel=\"noopener noreferrer\">See my other article.<\/a><\/em><\/li>\n<li>\n<h5>Creating a virtual interface and setting up the GRE tunnel<\/h5>\n<p>We need to create the GRE interface on our Squid Proxy server. This interface is the Linux end of the GRE tunnel that the Cisco ASA sends the redirected traffic into. 
Only the physical interface is assigned an IP address. The GRE interface does not need one: a GRE packet from the ASA arrives on <strong>eth0<\/strong>, is decapsulated by the kernel, and the inner packet (still carrying the user&#8217;s source address and the web server&#8217;s destination address) is handed to our virtual GRE interface <strong>wccp0<\/strong>.<\/p>\n<pre><code>modprobe ip_gre\r\n\r\nip tunnel add wccp0 mode gre remote 172.16.0.129 local 172.16.0.135 dev eth0\r\n\r\nip link set wccp0 up<\/code><\/pre>\n<ul>\n<li><strong>modprobe &#8212; <\/strong>loads the GRE module into the Linux kernel<\/li>\n<li><strong>ip tunnel add &#8212;<\/strong> defines a new tunnel interface (wccp0) and the local and remote addresses that form it; only GRE arriving from the remote address (the ASA) is delivered to wccp0<\/li>\n<li><strong>ip link set wccp0 up &#8212;<\/strong> activates the virtual interface (<strong>ifconfig wccp0 up<\/strong> works as well)<\/li>\n<\/ul>\n<p><em>These commands do not survive a reboot; add them to your distribution&#8217;s network configuration once they work. Also note that GRE itself carries no authentication: the remote address on the tunnel is the only thing tying it to the ASA, so block IP protocol 47 from any other source on eth0 with your host firewall.<\/em><\/p>\n<\/li>\n<li>\n<h5>Local Forwarding<\/h5>\n<p>We need to forward ingress <strong>port 80 (http)<\/strong> traffic arriving on interface <strong>wccp0<\/strong> to the <strong>default Squid cache port (3128)<\/strong>.<\/p>\n<pre><code>iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.0.135:3128\r\n\r\necho 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/code><\/pre>\n<p><i><strong>NOTE:<\/strong> The first line creates the DNAT from port 80 to the Squid port; it has to live in the nat table (-t nat), since the filter table has no PREROUTING chain. The second enables IP forwarding between interfaces in the kernel (wccp0 to eth0). Because the rule matches only on -i wccp0, only traffic that arrived through the GRE tunnel is redirected into Squid. Remember that packets seen on the <strong>wccp0<\/strong> interface are already decapsulated.<\/i><\/li>\n<\/ol>\n<h2>Cisco ASA Part (WCCP Server):<\/h2>\n<p>In this section we configure the <strong>WCCP server<\/strong> running on a <em>Cisco ASA 5505<\/em>. The WCCP server&#8217;s responsibility is to maintain a communication channel (UDP port 2048) with the <strong>WCCP client cache-engine (Squid Proxy server)<\/strong>. The WCCP server sends the user&#8217;s original packet to the <strong>cache-engine<\/strong> inside a GRE tunnel, effectively encapsulating the original packet. 
This ensures the original packet is not altered and is re-routed to the WCCP client cache-engine (Squid Proxy server) for processing.<\/p>\n<ol>\n<li>\n<h5>ACL to identify the WCCP cache-engine (Squid Proxy server)<\/h5>\n<pre><code>access-list wccp-servers extended permit ip host 172.16.0.135 any<\/code><\/pre>\n<p><em>This group-list limits which hosts may register as a cache-engine. Without it (and the password) any host on the subnet could join the service group and have every user&#8217;s web traffic redirected to itself.<\/em><\/p>\n<\/li>\n<li>\n<h5>ACL to identify user traffic to re-route to the WCCP client cache-engine (Squid Proxy server)<\/h5>\n<pre><code>access-list wccp-traffic-http extended deny ip host 172.16.0.135 any\r\naccess-list wccp-traffic-http extended permit tcp 172.16.0.128 255.255.255.128 any eq www\r\n<\/code><\/pre>\n<p><em><strong>NOTE:<\/strong> The first statement excludes our caching server (Squid Proxy server) from the WCCP redirection ACL, which prevents Squid&#8217;s own outbound fetches from being redirected back to itself in a loop. I only needed this statement because my Squid Proxy server and my users share the same subnet. If your caching server is on a different subnet, just don&#8217;t include it in the <strong>wccp-traffic-http<\/strong> ACL.<\/em><\/li>\n<li>\n<h5>Ingress traffic is processed first<\/h5>\n<p>The interface ACL is evaluated before redirection, so it has to permit http and any other traffic you want the Cisco ASA to allow.<\/p>\n<pre><code>access-list inside-acl extended permit tcp object inside-network any eq www\r\naccess-group inside-acl in interface inside<\/code><\/pre>\n<\/li>\n<li>\n<h5>Configure the redirect-list (ACL with client subnets), the group-list (WCCP cache-engine, our Squid Proxy) and enable redirection on the interface<\/h5>\n<pre><code>wccp web-cache redirect-list wccp-traffic-http group-list wccp-servers password TEST123\r\nwccp interface inside web-cache redirect in\r\n<\/code><\/pre>\n<p><strong>Note:<\/strong> <em>The password is optional, has to be 7 characters or less, and must match your cache-engine (Squid Proxy server). It authenticates the WCCP control messages (an MD5 digest over the message and the shared secret); it does not protect the redirected traffic itself. The second line is what actually turns redirection on: apply it on the interface the clients sit behind, the same one the redirect-list ACL matches.<\/em><\/li>\n<\/ol>\n<h2>Wireshark Captures<\/h2>\n<h5>WCCP Registration between WCCP Client (172.16.0.135) and WCCP Server (172.16.0.129)<\/h5>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-i-see-you.png\"><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3413\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-i-see-you-300x15.png\" alt=\"\" width=\"600\" height=\"30\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-i-see-you-300x15.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/wccp-i-see-you.png 739w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h5>Client HTTP GET request redirected to the Proxy server via WCCP<\/h5>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-GET-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3416\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-GET-1-300x74.png\" alt=\"\" width=\"600\" height=\"148\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-GET-1-300x74.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-GET-1-1024x252.png 1024w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-GET-1-768x189.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-GET-1.png 1280w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h5>Cache miss: the Proxy server fetches the web page<\/h5>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-GET.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3415\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-GET-300x78.png\" alt=\"\" width=\"600\" height=\"156\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-GET-300x78.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-GET-1024x266.png 1024w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-GET-768x199.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-GET.png 1280w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h5>Web Page 
response to Proxy server<\/h5>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-OK.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3417\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-OK-300x128.png\" alt=\"\" width=\"600\" height=\"257\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-OK-300x128.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-OK-768x329.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/proxy-OK.png 941w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h5>Source IP address spoofed and packet sent back directly to originating client<\/h5>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/spoofed-OK.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3418\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/spoofed-OK-300x114.png\" alt=\"\" width=\"600\" height=\"229\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/spoofed-OK-300x114.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/spoofed-OK-1024x391.png 1024w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/spoofed-OK-768x293.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/spoofed-OK.png 1033w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h5>Complete Flow<\/h5>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-wccp-convo.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3419\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-wccp-convo-300x57.png\" alt=\"\" width=\"600\" height=\"115\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-wccp-convo-300x57.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-wccp-convo-1024x196.png 1024w, 
https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-wccp-convo-768x147.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/client-wccp-convo.png 1076w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h2>Optional: https (SSL) redirection<\/h2>\n<p>As I&#8217;ve stated in other <a title=\"Squid 3.1 Caching Proxy with SSL\" href=\"https:\/\/infotechguy.net\/squid-3-1-caching-proxy-with-ssl\/\" target=\"_blank\" rel=\"noopener noreferrer\">Squid articles<\/a>, <strong>https (SSL) redirection and proxying<\/strong> is a difficult beast to tackle. Unlike unencrypted http traffic, it cannot be taken apart and put back together easily. TLS prevents us from tampering with anything above the TCP layer (<a href=\"http:\/\/en.wikipedia.org\/wiki\/OSI_model\" target=\"_blank\" rel=\"noopener noreferrer\">see the OSI model<\/a>) without disrupting the session. The disruption can be made invisible to the user (SSL inspection with a CA the clients trust), but that requires additional infrastructure and a change on every client. The difficult part of <strong>transparent https (SSL) proxying<\/strong> is that we cannot touch anything inside the encrypted tunnel, and that is where the actual content lives that we would cache or filter, which is rather the point of proxying with Squid. With the configuration in this article (Squid 3.4 and <strong>ssl_bump none<\/strong>) we cannot filter by domain name either: the Host header is inside the encrypted stream (Layer 7), and Squid 3.4 does not read the plaintext server name (SNI) from the TLS ClientHello. Squid 3.5 and later can, with the peek and splice ssl_bump steps, which gives domain-level filtering without decryption. <em>Enterprise web filters like Barracuda or Palo Alto classify TLS sessions without decrypting them from the same sources: the SNI, the server certificate, or the destination IP and its reverse DNS; that last, IP-based fallback is the usual source of their false positives. But I digress&#8230;<\/em><\/p>\n<h4>Squid Proxy server &#8212; Create CA and additional SSL configs<\/h4>\n<p>I am doing everything in <strong>\/opt\/squid_*<\/strong> for the next steps. 
On our Squid Proxy server we will need to:<\/p>\n<ol>\n<li>Add a new iptables rule for port 443, again in the nat table and matching only on wccp0\n<pre><code>iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j DNAT --to-destination 172.16.0.135:3129\r\n<\/code><\/pre>\n<\/li>\n<li>Create the certificate database for the ssl_crtd (SSL helper) program (<strong>the default location is \/usr\/local\/libexec\/ssl_crtd<\/strong>;  with --prefix=\/usr as above it is \/usr\/libexec\/ssl_crtd).\n<pre><code>mkdir \/opt\/squid_ssldb\/\r\ncd \/opt\/squid_ssldb\/\r\n\/usr\/libexec\/ssl_crtd -c -s \/opt\/squid_ssldb\/ssl_db -M 40MB\r\nchown -R proxy:proxy \/opt\/squid_ssldb<\/code><\/pre>\n<\/li>\n<li>Create a private Certificate Authority\n<pre><code>mkdir \/opt\/squid_certs\r\ncd \/opt\/squid_certs\/\r\nopenssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 -keyout proxyCA.pem -out proxyCA.pem\r\nchown -R proxy:proxy \/opt\/squid_certs\/\r\n<\/code><\/pre>\n<p><em>proxyCA.pem holds both the unencrypted private key and the certificate. Anyone who can read that file can mint a certificate for any site your users trust this CA for, so keep it readable by the proxy user only (mode 0600) and treat it like any other CA key; a 100-year validity is fine for a lab, not for production.<\/em><\/p>\n<\/li>\n<li>Add WCCP dynamic service 70 to the Squid Proxy server. The next steps do not perform inspection or decryption. 
The Squid proxy receives the original packet via the WCCP GRE tunnel and\n<pre><code>https_port 3129 intercept ssl-bump cert=\/opt\/squid_certs\/proxyCA.pem\r\n\r\n# ssl-bump: tunnel everything untouched (no decryption)\r\nssl_bump none all\r\nsslcrtd_program \/usr\/libexec\/ssl_crtd -s \/opt\/squid_ssldb\/ssl_db -M 40MB\r\nsslcrtd_children 5\r\n\r\n# add this below your other wccp2_service statements\r\nwccp2_service dynamic 70 password=TEST456\r\nwccp2_service_info 70 protocol=tcp flags=src_ip_hash,src_port_alt_hash priority=240 ports=443<\/code><\/pre>\n<ul>\n<li><strong>https_port 3129 intercept ssl-bump cert= &#8212;<\/strong> https_port tells Squid to expect TLS connections; 3129 is the port I picked; intercept tells Squid the packets were redirected (it looks up the original destination in the NAT table); ssl-bump enables the TLS interception sub-system; cert= points at our private CA<\/li>\n<li><strong>ssl_bump none all &#8212;<\/strong> tunnels every TLS session to its original destination without decrypting it (the equivalent of a CONNECT tunnel). With this setting the CA and the certificate helper are never used; they only come into play if you later change this to a bumping action, and at that point the CA certificate must be installed in your users&#8217; trust stores<\/li>\n<li><strong>sslcrtd_program &#8212;<\/strong> the SSL helper that generates certificates mimicking those of the web servers your users connect to, signed by our CA. Squid is only a proxy and does not hold the real servers&#8217; keys, so it fetches the real certificate first and generates a look-alike for the user so everything matches up<\/li>\n<li><strong>sslcrtd_children<\/strong> &#8212; how many ssl_crtd child processes Squid may start. I chose 5; anything higher than that was too much for my virtual machine.<\/li>\n<li><strong>wccp2_service dynamic 70 &#8212;<\/strong> declares a new <strong>dynamic<\/strong> WCCP service. 
(<a href=\"http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security\/adaptive-security-appliance-asa-software\/116046-config-wccp-asa-00.html#anc7\" target=\"_blank\" rel=\"noopener noreferrer\">See the list of service types here<\/a>).<\/li>\n<li><strong>wccp2_service_info &#8212; <\/strong>dynamic services require you to define every WCCP service parameter yourself; the WCCP client (Squid Proxy server) then announces that definition to the router when it registers<\/li>\n<li>Type = standard or dynamic service<\/li>\n<li>Id = service identifier (in our case 70)<\/li>\n<li>Priority = a single interface may carry several service groups; this decides which one is evaluated first, from 0 to 254<\/li>\n<li>Protocol = TCP, UDP or another IP protocol number (TCP = IP protocol 6)<\/li>\n<li>Options = reserved for future use<\/li>\n<li>Hash = used for load distribution when several cache-engines are in the service group: which fields of the original packet the router hashes to pick one (SrcIP, DstIP, SrcPort, DstPort)<br \/>\n<a href=\"http:\/\/ptgmedia.pearsoncmg.com\/images\/chap4_9781587054945\/elementLinks\/dc470408.gif\" target=\"_blank\" rel=\"noopener noreferrer\">See here &#8230;<\/a><\/li>\n<li>Alt Hash = if the regular hash cannot be used because of collisions, use these fields from the original packet instead<\/li>\n<li>Ports = which Layer 4 port(s) to bind to this dynamic service<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h4>Cisco ASA &#8212; WCCP https service<\/h4>\n<ol>\n<li>Add an ACL for the https dynamic WCCP service on the Cisco ASA\n<pre><code>access-list wccp-traffic-https extended deny ip host 172.16.0.135 any\r\naccess-list wccp-traffic-https extended permit tcp 172.16.0.128 255.255.255.128 any eq https<\/code><\/pre>\n<\/li>\n<li>Start the WCCP dynamic service 70 and enable it on the client-facing interface\n<pre><code>wccp 70 redirect-list wccp-traffic-https group-list wccp-servers password TEST456\r\nwccp interface inside 70 redirect in<\/code><\/pre>\n<p><strong>NOTE:<\/strong> <em>We have to create a new ACL to identify the https traffic. 
We cannot bundle both into one ACL, because the web-cache (standard 0) service is fixed to TCP port 80 and would never redirect the port 443 traffic; each WCCP service needs its own redirect-list. Remember too that the interface ACL is evaluated first, so inside-acl must permit https as well as www or the clients are dropped before redirection.<\/em><\/li>\n<li>Verify with <strong>show wccp 70<\/strong><br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-70.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3420\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-70-300x163.png\" alt=\"\" width=\"600\" height=\"325\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-70-300x163.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-70.png 590w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/li>\n<\/ol>\n<h3>Troubleshooting:<\/h3>\n<ul>\n<li>If Squid is receiving traffic (verified in its logs) but is slow at serving pages, enable forwarding with <strong>sysctl -w net.ipv4.ip_forward=1<\/strong>. This allows IP forwarding from wccp0 to eth0 at the kernel level.<\/li>\n<li>If nothing reaches Squid at all even though the tunnel is up, check reverse-path filtering. Packets on wccp0 carry the users&#8217; source addresses, which the kernel would route via eth0, and strict rp_filter (<strong>net.ipv4.conf.wccp0.rp_filter=1<\/strong>) silently drops them; set it to 0 on wccp0 (or 2 for loose mode). Squid also needs UDP port 2048 open to and from the ASA for the WCCP messages themselves.<\/li>\n<li><strong>cisco# show wccp web-cache view<\/strong><br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-view.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3421\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-view-300x165.png\" alt=\"\" width=\"531\" height=\"292\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-view-300x165.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/show-wccp-view.png 323w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/a><br \/>\n<strong>NOTE:<\/strong> If you don&#8217;t see anything under WCCP Routers Informed Of, your Cisco device is not announcing or accepting registration of WCCP cache-engines. 
If you do not see anything listed under WCCP Cache Engines Visible, your Cisco device has not received any registration requests from your Squid server.<\/li>\n<li>Check that Squid has formed a GRE tunnel and the proper modules are loaded\n<pre><code>lsmod | grep gre\r\nip_gre                 22164  0 \r\ngre                    12531  1 ip_gre\r\n\r\n# and then\r\nip tunnel show\r\nwccp0: gre\/ip  remote 172.16.0.129  local 172.16.0.135  dev eth0  ttl inherit<\/code><\/pre>\n<\/li>\n<li>Clients being blocked before being redirected: interface ACLs are processed first. Make sure the ingress interface ACL your clients come in on allows www (and https, if you redirect it) out. If you do not want to allow entire subnets out to the Internet directly, create a NAT rule for your proxy server only; clients then have no path out except through the proxy and cannot bypass it.<\/li>\n<li><strong>tail -f<\/strong> is your friend (<strong>tailf<\/strong> is deprecated): <strong>tail -f \/opt\/squid_logs\/access.log<\/strong>, or wherever your Squid logs are (the --with-logdir value from the configure step). You should see the user&#8217;s IP address here and the GET requests to resources.<\/li>\n<li>My SSL redirection isn&#8217;t working; users&#8217; browsers complain that the certificate is wrong or untrusted. Answer: you cannot do SSL inspection or decryption without deploying your CA certificate to your users&#8217; trust stores (by GPO, MDM, or by hand). With the ssl_bump none configuration above nothing is decrypted, so certificate errors mean you switched to a bumping action without doing that. 
This is the whole point of SSL<\/li>\n<\/ul>\n<h3><strong>Sources:<\/strong><\/h3>\n<ul>\n<li><a href=\"http:\/\/www.reub.net\/node\/3\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.reub.net\/node\/3<\/a><\/li>\n<li><a href=\"http:\/\/wiki.squid-cache.org\/ConfigExamples\/SquidAndWccp2\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/wiki.squid-cache.org\/ConfigExamples\/SquidAndWccp2<\/a><\/li>\n<li><a href=\"https:\/\/supportforums.cisco.com\/document\/48341\/asa-wccp-step-step-configuration\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/supportforums.cisco.com\/document\/48341\/asa-wccp-step-step-configuration<\/a><\/li>\n<li><a href=\"http:\/\/networklessons.com\/network-services\/cisco-wccp-squid-transparent-proxy\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/networklessons.com\/network-services\/cisco-wccp-squid-transparent-proxy\/<\/a><\/li>\n<li><a href=\"http:\/\/www.ciscopress.com\/articles\/article.asp?p=1192686&amp;seqNum=2\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.ciscopress.com\/articles\/article.asp?p=1192686&amp;seqNum=2<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve posted a few articles on how to set up a Forwarding Proxy using Squid, and using benefits like caching and content blocking (Ads, adult, gambling, etc). 
This can bring centralized web security and delivery&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[55,86],"class_list":["post-1958","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-cisco","tag-linux"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/1958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1958"}],"version-history":[{"count":2,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/1958\/revisions"}],"predecessor-version":[{"id":4278,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/1958\/revisions\/4278"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4240"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
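The WCCP registration capture in the post (HERE_I_AM from Squid, I_SEE_YOU from the ASA) and the `wccp2_service_info 70` line are easier to reason about with the bytes in hand. The following is an added example, not code from the original post, from Squid or from Cisco: it builds the HERE_I_AM message a cache-engine would send for the post's dynamic service 70, parses it back into the squid.conf vocabulary, and checks the MD5 security component that the `password=` option adds. Assumptions: the message and component layouts follow the WCCPv2 draft as implemented in Squid's wccp2.cc, the Security Info component comes first, and the password is copied into an 8-byte zero-filled buffer whose eighth byte is forced to zero (which is where the post's "7 characters or less" rule comes from); compare against a real capture before relying on the exact digest input.

```python
"""WCCPv2 HERE_I_AM builder, parser and MD5 security check (added example, not Squid code)."""
import hashlib
import hmac
import struct

HERE_I_AM, I_SEE_YOU = 10, 11          # message types
WCCP2_VERSION = 0x0200
SECURITY_INFO, SERVICE_INFO = 0, 1     # component types (Security Info comes first)
NO_SECURITY, MD5_SECURITY = 0, 1
PASSWORD_LEN = 8

# Service flag bits, named exactly like squid.conf's wccp2_service_info flags=
FLAGS = {
    'src_ip_hash': 0x1, 'dst_ip_hash': 0x2, 'src_port_hash': 0x4, 'dst_port_hash': 0x8,
    'ports_defined': 0x10, 'ports_source': 0x20,
    'src_ip_alt_hash': 0x100, 'dst_ip_alt_hash': 0x200,
    'src_port_alt_hash': 0x400, 'dst_port_alt_hash': 0x800,
}


def service_info(service_type, service_id, priority=0, protocol=0, flags=(), ports=()):
    """Service Info component: type (0 standard, 1 dynamic), id, priority, IP protocol,
    32-bit flags, eight 16-bit ports. For 'standard 0' the router already knows the
    definition, so everything after the id stays zero."""
    if len(ports) > 8:
        raise ValueError('WCCPv2 carries at most eight ports per service')
    bits = 0
    for name in flags:
        bits |= FLAGS[name]
    if ports:
        bits |= FLAGS['ports_defined']
    body = struct.pack('!BBBBI8H', service_type, service_id, priority, protocol, bits,
                       *(list(ports) + [0] * (8 - len(ports))))
    return struct.pack('!HH', SERVICE_INFO, len(body)) + body


def _password_block(password):
    # Assumption (mirrors Squid): 8-byte zero-filled buffer whose last byte is
    # forced to zero, so only the first seven characters are significant.
    return password.encode()[:PASSWORD_LEN - 1].ljust(PASSWORD_LEN, b'\x00')


def build_message(msg_type, components, password=None):
    """Header (type, version, length) + Security Info + components. With a password the
    digest is MD5(password block + whole message with its 16 digest bytes zeroed)."""
    if password is None:
        security = struct.pack('!HHI', SECURITY_INFO, 4, NO_SECURITY)
    else:
        security = struct.pack('!HHI', SECURITY_INFO, 20, MD5_SECURITY) + bytes(16)
    body = security + b''.join(components)
    msg = struct.pack('!IHH', msg_type, WCCP2_VERSION, len(body)) + body
    if password is not None:
        digest = hashlib.md5(_password_block(password) + msg).digest()
        msg = msg[:16] + digest + msg[32:]   # header(8) + component header(4) + option(4)
    return msg


def parse_message(msg):
    """Return (msg_type, {component_type: (offset, body)}); raise on malformed input."""
    header = msg[:8]
    if len(header) != 8:
        raise ValueError('short WCCPv2 header')
    msg_type, version, length = struct.unpack('!IHH', header)
    if version != WCCP2_VERSION or length != len(msg) - 8:
        raise ValueError('bad version or length')
    components, offset = {}, 8
    while offset != len(msg):
        chdr = msg[offset:offset + 4]
        if len(chdr) != 4:
            raise ValueError('truncated component header')
        ctype, clen = struct.unpack('!HH', chdr)
        body = msg[offset + 4:offset + 4 + clen]
        if len(body) != clen:
            raise ValueError('truncated component body')
        components[ctype] = (offset, body)
        offset += 4 + clen
    return msg_type, components


def parse_service_info(body):
    """Decode a Service Info body into the squid.conf vocabulary."""
    stype, sid, prio, proto, bits = struct.unpack('!BBBBI', body[:8])
    ports = [p for p in struct.unpack('!8H', body[8:24]) if p]
    return {'type': 'dynamic' if stype else 'standard', 'id': sid, 'priority': prio,
            'protocol': proto, 'flags': sorted(n for n, b in FLAGS.items() if bits & b),
            'ports': ports}


def verify_digest(msg, password):
    """True only if msg carries an MD5 Security Info matching password. This is
    shared-secret authentication of the control plane and nothing more: no replay
    protection, no confidentiality, and the GRE-redirected user traffic is unauthenticated."""
    try:
        offset, body = parse_message(msg)[1][SECURITY_INFO]
    except (ValueError, KeyError):
        return False
    if len(body) != 20 or struct.unpack('!I', body[:4])[0] != MD5_SECURITY:
        return False
    start = offset + 8                      # skip component header and option
    zeroed = msg[:start] + bytes(16) + msg[start + 16:]
    expected = hashlib.md5(_password_block(password) + zeroed).digest()
    return hmac.compare_digest(expected, msg[start:start + 16])


def squid_service_70(password='TEST456'):
    """The HERE_I_AM a cache-engine would send for the post's wccp2_service_info 70 line."""
    svc = service_info(1, 70, priority=240, protocol=6,
                       flags=('src_ip_hash', 'src_port_alt_hash'), ports=(443,))
    return build_message(HERE_I_AM, [svc], password=password)


if __name__ == '__main__':
    msg = squid_service_70()
    kind, comps = parse_message(msg)
    print(kind, parse_service_info(comps[SERVICE_INFO][1]), verify_digest(msg, 'TEST456'))
```

What the check makes visible: the password authenticates only the WCCP control messages with a plain MD5 over a shared secret, so there is no replay protection and nothing is encrypted, and the GRE-redirected user traffic carries no authentication at all. That is why the group-list ACL on the ASA, the host firewall on IP protocol 47, and the `-i wccp0` match on the DNAT rule all matter in the setup above.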