Re: [squid-users] Squid and WCCP v1 (squid-2.5.STABLE11-3.FC3) on Fedora Core 3 (2.6.9-1.667smp) -- SOS

From: Daniel EPEE LEA <depeecmr@dont-contact.us>
Date: Wed, 22 Feb 2006 05:37:47 -0800 (PST)

Hi,

I have a RHELv4 cache + Cisco IOS Software, C1700
Software (C1700-K9O3SY7-M), Version 12.3(14)T2,
RELEASE SOFTWARE (fc4).

I have applied your suggestions, but it's still not
working. Please take a look at my Router's + Squid
config.

Am I missing something?
-----------------
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip wccp version 1
ip wccp web-cache
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
interface Ethernet0
 ip address x.x.x.x 255.255.255.x
 no ip route-cache cef
 full-duplex
!
interface FastEthernet0
 ip address y.y.y.y 255.255.255.x
 ip wccp web-cache redirect out
 speed auto
 full-duplex
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.5
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxx
 login
!
end
--------------------

/etc/sysctl.conf
-----------
[root@server conf]# cat gre0/rp_filter
1
[root@server conf]# cat bond0/rp_filter
1

Squid.conf
------------
http_port [Server IP]:3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /usr/local/squid/var/cache 20240 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /usr/local/squid/etc/mime.conf
pid_filename /var/run/squid.pid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Local src [My Local Network]
http_access allow Local
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src [my network]
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
icp_access allow all
tcp_outgoing_address [Server IP]
cache_mgr postmaster@mydomain.com
cache_effective_user squid
cache_effective_group squid
visible_hostname cache.mydomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
logfile_rotate 10
forwarded_for on
cachemgr_passwd xxxxxxxxxxxx shutdown
snmp_port 3401
snmp_access deny all
wccp_router [Router IP]
wccp_outgoing_address [Server IP]
coredump_dir /usr/local/squid/var/cache

Much regards,

Waiting for answers

Daniel

--- Oliver Chato <ovchato@netscape.net> wrote:

> Hi.
>
> Just for the sake of others who are looking to make Transparent/Interception
> caching with Squid, WCCP v1 and Fedora Core 3, this is what we did to get it working:
>
> On the router (IOS 12.3(2)T):
>
> ip cef
> ip wccp version 1
> ip wccp web-cache
> interface <interface either directly or indirectly connected to the Internet>
> ip wccp web-cache redirect out
> end
>
> Also, we did:
>
> conf t
> ip cef          # some systems may already have 'ip cef global'
> int <interface directly or indirectly connected to the Squid Server>
>     (or int FastEthernet 0/0 or other internal interface)
> no ip route-cache cef
> CTRL Z
>
> That's it. For debugging, we used:
> show ip wccp
> show ip wccp web-caches
> show ip wccp web-cache detail
> show ip wccp web-cache view (or: show ip wccp 99 detail)
>
> On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):
> In squid.conf:
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
> tcp_outgoing_address <ip address of your interface connected to the WCCP router>
> wccp_outgoing_address <ip address of your interface connected to the WCCP router>
> wccp_router <ip address of the WCCP router itself>
> wccp_version 4
>
> In /etc/sysconfig/network-scripts/ifcfg-gre0:
> DEVICE=gre0
> BOOTPROTO=static
> IPADDR=172.16.1.6
> NETMASK=255.255.255.252
> ONBOOT=yes
> IPV6INIT=no
>
> For netfilter:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
> service iptables save
> You also might want to limit this in a way so that you specify source addresses
> and limit it to only those networks/hosts you want to proxy for. I think this
> would mean one entry (or line) per configured network.
>
> For ip forwarding:
> echo 0 > /proc/sys/net/ipv4/ip_forward
> You might even want to do the following in /etc/sysctl.conf:
> net.ipv4.ip_forward = 1
>
> For rp_filter, which must be turned off:
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
> You might even want to do the following in /etc/sysctl.conf:
> net.ipv4.conf.default.rp_filter = 0
>
> **** This last one was where our problem was. We have turned off rp_filter for
> eth0 but not for gre0. Once we turned it off for gre0, it worked.
>
> Also, for debugging:
> For WCCP connection with the router:
> tethereal -V -s 1500 port 2048
> You should see here_i_am and i_see_you packets going through.
>
> For redirected connections coming from the router:
> tcpdump -i gre0
> or
> tcpdump -i gre0 port 80
> You should see http requests redirected through the gre interface.
>
> For squid:
> tail -f <your squid log files location>/access.log
> You should see requests from clients.
>
> Hope this helps.
>
> -- Oliver --
>
>
> ovchato@netscape.net wrote:
>
> > Greetings.
> >
> > Sorry for the long message. We are trying to implement Transparent/Interception
> > caching using the following:
> > -- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core 3) with WCCP v1
> > -- Fedora Core 3 (64-bit, 2.6.9-1.667smp)
> > -- Cisco Router (IOS 12.2)
> > in the following configuration (not real IP addresses and interface designations used):
> >
> > [ASCII network diagram, garbled by quoting; the recoverable content is:]
> > -- Squid (2.5 S11) on Fedora Core 3, eth 0: 201.1.1.2/255.255.255.252
> > -- Cisco Router (IOS 12.2), int 0/0: 201.1.1.1/255.255.255.252, link to the Squid server
> > -- Router int 0/1: 203.1.1.1/255.255.255.224, to Internet *
> > -- Router int 0/2: 203.1.1.2/255.255.255.224, to Internet *
> > -- Router ATM interface: 202.1.1.1/255.255.255.252, to networks of dial up users via
> >    various terminal servers
> >
> > * The two network interfaces (int 0/1 and int 0/2) are connected to the same network
> > and load balanced via OSPF.
> > (Please pardon the interface designations on the router as I am not too familiar with
> > it and we have no administrative control of the router)
> >
> > On the router (IOS 12.2):
> > -- As mentioned above, connections to the internet (int 0/1 and int 0/2) are load
> > balanced over OSPF
> > -- An access list has been defined on ATM interface for various networks (dialups,
> > DSL, etc.)
> > -- We have turned CEF off on the interface connected to the Squid CACHE (we actually
> > tried it with CEF as well).
> > -- WCCP v1 is enabled and applied at the 2 outbound internet connections (int 0/1 and
> > int 0/2) with "redirect out" option
> > -- We have also tried to apply WCCP v1 at the ATM interface with "redirect in" option.
> > -- WCCP v1 was enabled and applied to the various interfaces as detailed above with
> > access lists (as specified above, defined for the ATM interface)
> >
> > On the Linux Box (FC3, 2.6.9-1.667smp):
> > -- We used the WCCP v1 module on Squid as pre-compiled with the RPM.
> > -- We are using GRE instead of WCCP patch as we have read in the FAQs and lists that
> > this is the implementation to use for kernel versions >= 2.6.9.
> > -- We are also using iptables to redirect traffic coming in from port 80 to 3128 (the
> > squid port we are using).
> > -- We specified and enabled the appropriate variables in squid.conf for both
> > transparent/interception caching and WCCP v1.
> >
> > Configurations used:
> > We have tried the various setups as detailed in the following URLs:
> > -- http://www.squid-cache.org/mail-archive/squid-users/200505/0678.html
> > -- http://www.sublime.com.au/squid-wccp/
> > -- http://www.reub.net/node/3
> > -- http://www.spc.int/it/TechHead/Wccp-squid.html
> >
> > Symptoms:
> > We were able to configure it so that the Cisco Router WCCP v1 configuration actually
> > registers the Squid Server as a usable Cache Engine. We also traced the GRE connections
> > via the following Linux commands:
> > -- tethereal -V -s 1500 port 2048
> > -- tcpdump -lenx -s 1500 port 2048
> > and we see the "Here I Am" and "I See You" packets and observed the following:
> > -- the "Here I Am" packets specify that 0 to 255 buckets ARE NOT ASSIGNED.
> > -- the "I See You" packets specify that 0 to 255 buckets ARE ASSIGNED. Also, we can
> > see the router configuration specifying our squid server registered in the web cache.
> > On the router, using the "show ip wccp" command, we see the counter "Total Packets
> > Redirected" being incremented. When we issue the "show ip wccp web-caches" command,
> > the "Web Cache ID:" parameter displays 0.0.0.0. Also, when we issue the "show ip wccp
> > web-cache view" command, the "WCCP Routers Informed of:" parameter and the "WCCP Cache
> > Engines NOT Visible:" parameter show "-- none --" and "WCCP Cache Engines Visible:"
> > parameter shows the IP address of the squid server (201.1.1.2). We are unable to issue
> > any debug commands on the router as this is a production router (we have no other
> > router to implement on) and this might make the router hang.
> >
> > Problems:
> > -- On the squid server, we see nothing coming through port 80 (using the "tcpdump -n
> > port 80" linux command) even though, as mentioned above, we are registered with the
> > Cisco WCCP configuration and the "Total Packets Redirected" is incrementing.
> > -- We do not see anything being recorded on the squid server's access.log.
> >
> >
> > Some Questions:
> > -- Is there a definitive how-to on implementing WCCP v1 on Linux for kernels 2.6.9 and
> > above?
> > -- Has anyone had a successful installation of Squid 2.5 Stable 11 with WCCPv1
> > connected to a Cisco router (IOS 12.1 or 12.2) on Fedora Core 3 (kernel version 2.6.9
> > smp)?
> > -- How can we further see what is happening or debug without using the router's debug
> > commands (if there are any other ways)?
> > -- Do we need to switch to WCCP v2 using the patch available from the squid developer
> > site (http://devel.squid-cache.org/projects.html#visolve_wccpv2) in order for
> > Transparent/Interception caching to work?
> > -- Any word on if (or when) full WCCP v2 (with multiple router and multiple cache) will
> > be or has been implemented (either as a patch or part of the distribution)? Will this
> > support load balancing protocols on the router (OSPF, HSRP, VRRP)?
> > -- Just in case anybody knows, how are the access lists implemented with regards to the
> > WCCP v1 setting? I read in one article (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html)
> > that this list should contain IP addresses that should be excluded from transparent
> > caching, or something to that effect (the exact words were "IP addresses which you do
> > not wish to be transparently redirected to your cache"). I just wanted to confirm if
> > this was correct.
> >
> > We would appreciate any help you could give on the matter.
> >
> > Thank you and good day.
> >
> > -- Oliver --
> >
>

-----------------------------------------------------------------------------
T O G O D B E T H E G L O R Y :)
------------------------------------------------------------------------------
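As an added example (not code from either poster), a small POSIX shell audit of the two Linux-side points Oliver's reply stresses: rp_filter must be off on the GRE interface (Daniel's output above shows it at 1 on gre0 and bond0), and the port-80 REDIRECT rule should be restricted to the client networks you actually proxy for. The directory tree, interface names and sample networks are constructed so the check runs offline; pass no argument to audit the live /proc tree instead.

```shell
#!/bin/sh
# Added example, not from the thread: audits the Linux side of a WCCPv1/GRE
# interception setup. $root lets the rp_filter check run against a constructed
# copy of /proc/sys/net/ipv4/conf instead of the live kernel tree.

# List interfaces on which return-path filtering is in effect. The kernel
# applies rp_filter when either the "all" knob or the interface's own knob is
# non-zero, so a 1 under all/ still blocks gre0 when gre0/rp_filter reads 0.
# Redirected client packets arrive over GRE with source addresses that are not
# routed back via gre0, which is exactly what rp_filter drops.
rp_filter_violations() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    all_val=0
    if [ -f "$root/all/rp_filter" ]; then all_val=$(cat "$root/all/rp_filter"); fi
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default|lo) continue ;; esac
        val=$(cat "$f")
        if [ "$val" != 0 ] || [ "$all_val" != 0 ]; then
            echo "$iface"
        fi
    done
    return 0
}

rp_filter_violation_count() {
    rp_filter_violations "$1" | wc -l | tr -d ' '
}

# Emit the REDIRECT rule from the thread once per client network, with a -s
# match so only the networks you proxy for are intercepted; printed, not applied.
redirect_rules() {
    for net in "$@"; do
        echo "iptables -t nat -A PREROUTING -s $net -p tcp --dport 80 -j REDIRECT --to-port 3128"
    done
}

# Constructed tree mirroring Daniel's reported state: gre0 and bond0 at 1.
make_constructed_tree() {
    dir=$(mktemp -d)
    for i in all default lo eth0 gre0 bond0; do
        mkdir -p "$dir/$i"
        echo 0 > "$dir/$i/rp_filter"
    done
    echo 1 > "$dir/gre0/rp_filter"
    echo 1 > "$dir/bond0/rp_filter"
    echo "$dir"
}
```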

Received on Wed Feb 22 2006 - 06:37:57 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST