Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

From: Adrian Chadd <adrian_at_squid-cache.org>
Date: Sat, 27 Jun 2009 14:13:07 +0800

Good writeup!

I'm rapidly coming to the conclusion that the problem with
transparency setups is not just a lack of documentation and examples,
but a lack of clear explanation and understanding of what is actually
going on.

I had one user try to manually configure GRE interfaces on the Cisco
side because that is how they thought WCCP worked. Another policy
routed TCP to the proxy and didn't quite get why some connections
were hanging (ICMP doesn't make it to the proxy, so PMTU is
guaranteed to break without blackhole detection in one or more
participants' end-nodes/proxy.) Combined with all of the crazy IOS-
related bugs and crackery that is going on and I'm not really
surprised the average joe doesn't have much luck. :)

I reckon what would be really, really useful is a writeup of all of
the related technologies involved in all parts of "transparent
interception", including a writeup on what WCCPv2 actually is and how
it works; what the various interception options are and do (especially
TPROXY4, which AFAICT is severely lacking in -actual- documentation
about what it is, how it works and how to code for it) so there is at
least a small chance that someone with a bit of clue can easily figure
all the pieces out and debug stuff.

I also see people doing TPROXY4/Linux hackery involving -bridging-
proxies instead of routed/WCCPv2 proxies. That is another fun one.

Finally, figuring out how to tie all of that junk into a cache
hierarchy is also hilariously amusing to get right.

Just for the record, the kernel and iptables binary shipping with the
latest Debian unstable supports TPROXY4 fine. I didn't have to
recompile my kernel or anything - I just had to tweak a few things
(disable pmtu, for example) and add some iptables rules. Oh, and
compile Squid "right".

2c,

Adrian
Received on Sat Jun 27 2009 - 06:13:09 MDT
