Re: [squid-users] WCCP+Squid not working. Could use some of your experience.

From: Richard Wall <richard.wall_at_appliansys.com>
Date: Sat, 24 Jan 2009 12:52:24 +0000

2009/1/23 Anthony DeMatteis <adematteis_at_commspeed.net>:
> Greetings Group,
> I'm new to this group...
> We're an ISP trying to control some of our bandwidth issues. I've never
> set up squid before. I have a working squid server, working very well,
> including caching youtube vids. However, this is via setting up the
> proxy settings in the browser and pointing to the caching server's ip
> address:3128 or using acl's on the router and redirecting traffic to the
> caching server. I would like to set it up transparently using wccp. I
> would rather go the wccp route to allow traffic to continue to flow in
> the event the caching server(s) die. I understand wccpv2 provides this
> feature.
>
> My problem is getting the gre tunnel to work. I've been googling for two
> days. I've used info from pages 143-149 of Squid: The Definitive Guide.
> No luck getting wccp tunnel working. I've managed to get this:

Hello Tony,

The following commands are useful for debugging WCCP problems.

 * CISCO IOS
debug ip wccp events
debug ip wccp packets

These two commands will make the router log useful WCCP debug info.

 * squid.conf
debug_options 80,3

This will log detailed wccp info to the squid cachelog.
See http://squid.cvs.sourceforge.net/viewvc/squid/squid/doc/debug-sections.txt?view=markup

 * Use tcpdump on the physical and gre interfaces to watch packets
arriving from the Cisco router.
 * Configure your firewall to log dropped packets, and search for any
dropped packets originating from the Cisco router.

Perhaps this recent blog will be helpful:
http://fakrul.wordpress.com/2008/12/11/transparent-squid-proxy-server-with-wccp-support/

You should be aware that if you are deploying a standard transparent
Squid proxy, all your web traffic will appear to come from the IP
address of the Squid box. For an ISP this can cause problems for users
if they are accessing sites (e.g. download sites) that limit concurrent
access based on client source IP.

To get round this, there is a patch for Squid called TPROXY which
allows it to spoof the source IP address of the original user. This is
well supported on Linux, but I'm not sure about FreeBSD (see
http://cacheboy.blogspot.com/2009/01/freebsd-tproxy-works.html)

Hope that helps.

-RichardW.

-- 
Richard Wall
ApplianSys Ltd
http://www.appliansys.com
Received on Sat Jan 24 2009 - 12:52:27 MST
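
Added example, not part of the original message or of Squid: a small Python classifier for the packets the tcpdump step above is meant to surface, telling WCCP control traffic (UDP port 2048) apart from GRE-encapsulated redirects (GRE protocol type 0x883E). The addresses and sample packets are constructed, and the code assumes a GRE header without optional fields and, by default, the 4-byte WCCPv2 redirect header.

```python
import socket
import struct

WCCP_UDP_PORT = 2048      # WCCP control traffic (Here I Am / I See You)
GRE_TYPE_WCCP = 0x883E    # GRE protocol type carrying redirected packets

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed test data, checksum zeroed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) or None if pkt is not usable IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

def classify(pkt, redirect_header=True):
    """Classify one IP packet seen on the cache's physical interface.

    redirect_header=True assumes WCCPv2, which puts a 4-byte redirect
    header between the GRE header and the redirected packet.
    """
    outer = parse_ipv4(pkt)
    if outer is None:
        return ("not-ipv4",)
    proto, src, dst, body = outer
    if proto == 17 and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        return ("wccp-control", src, dst) if WCCP_UDP_PORT in (sport, dport) else ("other",)
    if proto == 47 and len(body) >= 4:
        _flags, gre_type = struct.unpack("!HH", body[:4])
        if gre_type != GRE_TYPE_WCCP:
            return ("gre-other", hex(gre_type))
        inner = parse_ipv4(body[8:] if redirect_header else body[4:])
        if inner is None:
            return ("wccp-redirect-malformed", src)
        iproto, isrc, idst, ibody = inner
        dport = struct.unpack("!H", ibody[2:4])[0] if iproto == 6 and len(ibody) >= 4 else None
        return ("wccp-redirect", src, isrc, idst, dport)
    return ("other",)

# Constructed samples: router 192.0.2.1, cache 192.0.2.10, client 198.51.100.7.
HERE_I_AM = ipv4("192.0.2.10", "192.0.2.1", 17, struct.pack("!HHHH", 2048, 2048, 8, 0))
TCP_SYN = ipv4("198.51.100.7", "203.0.113.80", 6, struct.pack("!HH", 40000, 80) + bytes(16))
REDIRECT = ipv4("192.0.2.1", "192.0.2.10", 47,
                struct.pack("!HH", 0, GRE_TYPE_WCCP) + bytes(4) + TCP_SYN)
```

Seeing only "wccp-control" results and no "wccp-redirect" ones on the physical interface points at the router not redirecting or at a firewall dropping IP protocol 47, which is what the dropped-packet logging step is there to confirm.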
