Re: [squid-users] Re: WCCP configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 11 Jan 2009 03:24:15 +1300

viveksnv_at_aol.in wrote:
> Amos,
>
> Thanks for your reply.
>
> Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8
> and linux kernel 2.6.20.21.
> Cisco IOS 2800 Ver 12.4 (13b)
>
> WCCP+Transparent proxy works well. Tproxy without wccp works well by not
> revealing the server ip and only displaying the client ip. But once the
> wccp is enabled with tproxy, the server ip is revealed instead of the
> client ip.
>
> Please scroll down below to check our previous mails.
>
> Any suggestions please.

Other than checking your squid is built with --enable-linux-tproxy, none
from me sorry.
cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos

>
>
> VK
>
>
>
> -----Original Message-----
> From: Amos Jeffries <squid3_at_treenet.co.nz>
> To: Ritter, Nicholas <Nicholas.Ritter_at_americantv.com>
> Cc: viveksnv_at_aol.in; squid-users_at_squid-cache.org
> Sent: Sat, 10 Jan 2009 8:06 am
> Subject: Re: [squid-users] Re: WCCP configuration
>
>
>
> Ritter, Nicholas wrote:
>
>> With TProxy, I think you need to use Squid3-HEAD to reliably fix your
>> issue....Amos would know for sure.
>
>>
>> Nick
>
>>
>
> Yes. Squid-2.* has no support for TPROXY v4.1+
>
>
> 3.1.0.3 or later is needed. Which is at least an RC beta now, more
> stable than pure 3.HEAD alpha code.
>
>
> Also the squid.conf and configure details have changed.
>
> http://wiki.squid-cache.org/Features/Tproxy4
>
>
> Amos
>
>
>>
>> ________________________________
>
>>
>> From: viveksnv_at_aol.in [mailto:viveksnv_at_aol.in]
>
>> Sent: Fri 1/9/2009 8:39 AM
>
>> To: henrik_at_henriknordstrom.net
>
>> Cc: squid-users_at_squid-cache.org; squid3_at_treenet.co.nz
>
>> Subject: [squid-users] Re: WCCP configuration
>
>>
>>
>>
>> Hi,
>
>>
>> Thanks for the reply. It did help us solve the problem.
>
>>
>> But there is a new issue.
>
>>
>> We have configured as squid+tproxy. The squid ip is not displayed and
>
>> only the client ip is displayed when we do the proxy test. But after
>
>> configuring wccp we find that the server ip is displayed in the proxy
>
>> test instead of the client ip.
>
>>
>> We also find that the http request is pathetically slow.
>
>>
>> squid.conf
>>
>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>
>> wccp2_service dynamic 90
>
>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>
>>
>> http_port 3128 transparent tproxy
>
>>
>> iptable:
>
>> /usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>
>>
>>
>> We created a gre tunnel based on the router identifier.
>
>>
>> wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid
>
>> machine)
>
>>
>> The following command is assigned at the router interface connected to
>
>> the lan.
>
>> ip wccp 80 redirect in
>
>> ip wccp 90 redirect out
>
>>
>> Following command at the router interface connected to squid.
>
>> ip wccp redirect exclude in
>
>>
>> Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M),
>
>> Version 12.4(13b)
>
>> Kernel : linux-2.6.20.21
>
>> IPtable : iptables-1.3.8
>
>> Os Ver : squid-2.7 Stable 5
>
>>
>> #lsmod
>
>>
>> ip_gre 19616 0
>
>> iptable_filter 11136 0
>
>> ipt_TPROXY 11136 1
>
>> ipt_REDIRECT 10624 0
>
>> xt_tcpudp 11904 1
>
>> reiserfs 235144 5
>
>> iptable_tproxy 23036 2 ipt_TPROXY
>
>> iptable_nat 15492 1 iptable_tproxy
>
>> ip_nat 24620 3 ipt_REDIRECT,iptable_tproxy,iptable_nat
>
>> ip_tables 25448 3 iptable_filter,iptable_tproxy,iptable_nat
>
>> x_tables 23560 5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
>
>> ip_conntrack 53400 3 iptable_tproxy,iptable_nat,ip_nat
>
>>
>>
>> The internet works, but the browsing is dead slow. Temporarily we have
>
>> bypassed squid to browse the net.
>
>>
>>
>> Thanks
>
>> VK
>
>>
>>
>> -----Original Message-----
>
>> From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
>
>> To: viveksnv_at_aol.in
>
>> Cc: squid3_at_treenet.co.nz; squid-users_at_squid-cache.org
>
>> Sent: Thu, 8 Jan 2009 12:05 am
>
>> Subject: Re: WCCP configuration
>
>>
>>
>> On Wed 2009-01-07 at 08:46 -0500, viveksnv_at_aol.in wrote:
>
>>
>>> wccp2_router xxx.xx.xxx.xxx
>
>>> wccp_version 4
>
>>> wccp2_forwarding_method 1
>
>>> wccp2_return_method 1
>
>>> wccp2_assignment_method 1
>
>>> wccp2_service dynamic 80
>
>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>
>>> wccp2_service dynamic 90
>
>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>
>>>
>
>>>
>
>>> Router Eth0 - connected to lan. Eth1 - connected to squid.
>
>>
>> Have you also configured
>
>> * A loopback address on the router, giving it an easily identified router ID
>
>>
>> * the required GRE/WCCP tunnel interface on the Squid server
>
>>
>> * disabled rp_filter on the above GRE/WCCP interface.
>
>>
>> * And adjusted the REDIRECT/NAT rules to act on traffic received on the
>
>> GRE/WCCP interface configured above?
>
>>
>>
>>> Service Identifier: web-cache
>
>>> Number of Service Group Clients: 1
>
>>> Number of Service Group Routers: 1
>
>>> Total Packets s/w Redirected: 11336
>
>>> Process: 0
>
>>> Fast: 0
>
>>> CEF: 11336
>
>>
>> Looks fine.
>>
>>> Is there any simple way of configuring WCCP. We have been beating round
>
>>> the bush all day long to configure wccp.
>
>>
>> WCCP as such is configured. But something is missing in the interception
>
>> at the proxy. Most likely the GRE interface mentioned above.
>
>>
>> Regards
>
>> Henrik
>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> Please be using
>
> Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
>
> Current Beta Squid 3.1.0.3
>
>
>
>
>
>

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
   Current Beta Squid 3.1.0.3
Received on Sat Jan 10 2009 - 14:25:58 MST
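
The proxy-side items of the checklist quoted in this thread (GRE/WCCP interface present, rp_filter disabled on it, interception rule bound to it) can be verified with a short script. This is an added example, not part of the original messages; the function name and its ROOT argument are assumptions introduced here, and the interface name `wccp` comes from the iptables rule quoted above.

```shell
#!/bin/sh
# Added example: checks the proxy-side WCCP interception prerequisites.
#
# check_wccp_intercept ROOT IFACE RULES_FILE
#   ROOT        "" for the live system, or a directory holding copies of
#               proc/ and sys/ (assumption, allows offline checking)
#   IFACE       name of the GRE/WCCP tunnel interface
#   RULES_FILE  file holding captured `iptables-save` output
# Prints one line per failed item; the return status is the failure count.
check_wccp_intercept() {
    root=$1
    iface=$2
    rules=$3
    fails=0

    # 1. The GRE/WCCP tunnel interface must exist on the Squid box.
    if [ ! -e "$root/sys/class/net/$iface" ]; then
        echo "FAIL: interface $iface not found"
        fails=$((fails + 1))
    fi

    # 2. rp_filter must be 0 on it. Redirected packets carry LAN client
    #    source addresses whose return route is not the tunnel, so the
    #    reverse-path check would drop them.
    rp=$(cat "$root/proc/sys/net/ipv4/conf/$iface/rp_filter" 2>/dev/null || true)
    if [ "$rp" != "0" ]; then
        echo "FAIL: rp_filter on $iface is '${rp:-unreadable}', expected 0"
        fails=$((fails + 1))
    fi

    # 3. A TPROXY or REDIRECT rule must match port 80 traffic arriving on
    #    the tunnel interface, not only on the physical NIC.
    if ! grep -E -- "-i $iface( |$)" "$rules" 2>/dev/null |
         grep -E -- "--dport 80( |$)" |
         grep -Eq -- "-j (TPROXY|REDIRECT)( |$)"; then
        echo "FAIL: no TPROXY/REDIRECT rule for port 80 on -i $iface"
        fails=$((fails + 1))
    fi

    return "$fails"
}
```

On a live system, capture the rules with `iptables-save > rules.txt` and call `check_wccp_intercept "" wccp rules.txt`.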

This archive was generated by hypermail 2.2.0 : Wed Jan 14 2009 - 12:00:03 MST