[squid-users] Squid 2.5 / OpenSuse 10.1/ WCCPv1 /Cisco Router 3620

From: Wade Guidry <wade@dont-contact.us>
Date: Mon, 12 Jun 2006 17:08:50 -0700

I'm trying to get a transparent proxy set up using the following
configuration:

Squid is 2.5STABLE14 (compiled from source, with --enable-linux-netfilter)
Linux is OpenSuse 10.1, which is Kernel 2.6.16, installed from the released
CDs, no custom kernel stuff. Router is Cisco 3620 with IOS Version
12.2(15)T17.

I'm almost there, but even though my router and Squid box see each other and
are communicating (I see you / here I am packets are going through, and good
news in the 'sho ip wccp'), I'm missing something, I believe in the iptables
or ip tunnel configuration, based on the Squid WIKI.

"The most common problem people have is that the router and cache are
talking to each other and traffic is being redirected from the router but
the traffic decapsulation process is either broken or (as is almost always
the case) misconfigured. This is often a case of your traffic rewriting
rules on your cache not being applied correctly"

I've been beating my head against this for a week now, and can't find the
problem.

(NOTE: I can use the squid cache by configuring my browser manually for a
proxy.)

Here's my config info. Perhaps someone wiser could point me in a direction
to try?

--------------------------------------

OpenSuse 10.1 x86 (Kernel 2.6.16) (installed from downloaded CDs, no kernel
customization)
Cisco 3620 with IOS Version 12.2(15)T17
Squid squid-2.5.STABLE14 built from source with '--enable-linux-netfilter'

Instructions I'm following:
====
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

(I've actually been using several sources, but the link above seems pretty
definitive.)

Relevant IPs:
====

172.16.1.254 (the internal router port, where both squid and the clients
reside)
172.16.50.254 (router port that points to the outside world)
172.16.1.171 (squid host, has only a single interface)

squid.conf (relevant stuff):
====

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
wccp_router 172.16.1.254

Linux config stuff
====
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
ip tunnel add wccp0 mode gre remote 172.16.1.254 local 172.16.1.171 dev eth0
ip addr add 172.16.1.171/24 dev wccp0
ip link set wccp0 up

Cisco router stuff
====
config t
ip wccp version 1
ip wccp web-cache redirect-list 150
access-list 150 permit tcp host 172.16.1.45 any
access-list 150 deny tcp any any

config t
int eth1/2 (the 172.16.50.254 interface)
ip wccp web-cache redirect-list 150
(I want to get squid working on a test workstation, before I point everyone
to it)

Wade Guidry, MCSE, Network+
Systems Manager, Coastal Resource Sharing Network
503.801.2073
wade@beachbooks.org
http://crsn.beachbooks.org
Received on Mon Jun 12 2006 - 18:08:56 MDT
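
The following is an added example, not part of the original post: a small shell audit of the three Linux-side settings listed in the message (ip_forward, the wccp0 GRE tunnel, the port-80 REDIRECT rule). The function names and the sample command output are constructed for illustration; the addresses and port are the ones given in the post.

```shell
#!/bin/sh
# Added example: audits captured command output against the values in the post.
ROUTER=172.16.1.254; CACHE=172.16.1.171; TUN=wccp0; PROXY_PORT=3128

# $1 = contents of /proc/sys/net/ipv4/ip_forward
check_forward() { [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]; }

# $1 = output of `ip tunnel show`; needs a GRE tunnel TUN between CACHE and ROUTER
check_tunnel() {
  printf '%s\n' "$1" | awk -v t="$TUN:" -v r="$ROUTER" -v l="$CACHE" '
    $1 == t && $2 == "gre/ip" {
      for (i = 3; i < NF; i++) {
        if ($i == "remote" && $(i+1) == r) gotr = 1
        if ($i == "local"  && $(i+1) == l) gotl = 1
      }
    }
    END { exit !(gotr && gotl) }'
}

# $1 = output of `iptables -t nat -S PREROUTING`
check_redirect() {
  printf '%s\n' "$1" | grep -E -- \
    '-p tcp .*--dport 80 .*-j REDIRECT --to-ports '"$PROXY_PORT"'( |$)' >/dev/null
}

# Prints one line per check; exit status is the number of failed checks.
wccp_audit() {
  _fails=0
  check_forward "$1"  && echo "ok   ip_forward=1" \
    || { echo "FAIL ip_forward is not 1"; _fails=$((_fails + 1)); }
  check_tunnel "$2"   && echo "ok   $TUN gre $CACHE -> $ROUTER" \
    || { echo "FAIL no $TUN gre tunnel $CACHE -> $ROUTER"; _fails=$((_fails + 1)); }
  check_redirect "$3" && echo "ok   tcp/80 REDIRECT to $PROXY_PORT" \
    || { echo "FAIL no tcp/80 REDIRECT to $PROXY_PORT"; _fails=$((_fails + 1)); }
  return "$_fails"
}

# Constructed sample output, shaped like what the commands in the post would leave behind.
SAMPLE_FWD='1'
SAMPLE_TUN='gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
wccp0: gre/ip  remote 172.16.1.254  local 172.16.1.171  dev eth0  ttl inherit'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

wccp_audit "$SAMPLE_FWD" "$SAMPLE_TUN" "$SAMPLE_NAT" || true
# Live use (as root):
# wccp_audit "$(cat /proc/sys/net/ipv4/ip_forward)" "$(ip tunnel show)" \
#            "$(iptables -t nat -S PREROUTING)"
```

The audit only confirms that the settings are present; it does not show whether redirected packets actually reach Squid.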
