Configure WCCP protocol in Squid

In order to enable WCCP protocol in Squid we need to enable the Cisco WCCP redirect transparent proxy mode. To do that, navigate to Squid Proxy / Settings / Network and select the combo box as indicated on the following screenshot. Fill in the WCCP router IP address as 192.168.6.1 and provide arbitrary password, like cisco.

../../_images/wccp.png

Note

There were some reports that WCCP does not work if password specified is too complex. It is recommended to first try with default simple password like cisco and after you are sure everything works as expected use the more complex password instead.

Click Save Changes at the bottom of the page and then Save and Restart from the top right corner of Web UI. After Squid is restarted, open the Squid Proxy / Settings / Network and check if the generated configuration looks ok.

../../_images/wccp_restart.png

The Web UI will make the following changes to Squid configuration.

  • Generated file /opt/websafety/etc/squid/wccp.conf will contain IP address of Cisco firewall and WCCP directives to filter HTTP and HTTPS protocols. If default values do not suit you or you need to additionally put something into the generated file, please edit the template at /opt/websafety/var/console/squid/templates/squid/conf/wccp.conf.

    wccp2_router 192.168.6.1
    wccp2_rebuild_wait on
    wccp2_forwarding_method gre
    wccp2_return_method gre
    wccp2_assignment_method hash
    wccp2_service standard 0 password=cisco
    wccp2_service dynamic 70 password=cisco
    wccp2_service_info 70 protocol=tcp flags=dst_ip_hash priority=240 ports=443
    wccp2_weight 10000
    
  • Generated file /opt/websafety/etc/squid/network.conf will be adjusted to contain port definitions for explicit proxy and WCCP redirected HTTP and HTTPS ports. Please note, intercepted https_port and http_port are different!

    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
    http_port 3126 intercept
    https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/websafety/etc/myca.pem
    

Important

You MUST click Apply Settings / Save and Restart in the top right corner of the UI at least once before continuing to the next step. Failure to do so may result into wccp router identifier not yet determined output in the Cisco console (see screenshot below). This happens because Squid needs to be restarted with new WCCP related configuration in order to register itself into Cisco ASA which in turn will generate the required router identifier.

../../_images/not_yet_determined.png