Re: [squid-users] CentOS/Squid/Tproxy but no transfer

From: Behnam B.Marandi <blixbox_at_gmail.com>
Date: Fri, 10 Jul 2009 18:01:55 +0430

#show ip wccp 80 detail
WCCP Cache-Engine information:
        IP Address: xx.xx.241.40
        Protocol Version: 2.0
        State: Usable
        Initial Hash Info: 00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment: 256 (100.00%)
        Packets Redirected: 0
        Connect Time: 1d05h

#show ip wccp 90 detail
WCCP Cache-Engine information:
        IP Address: xx.xx.241.40
        Protocol Version: 2.0
        State: Usable
        Initial Hash Info: 00000000000000000000000000000000
                               00000000000000000000000000000000
        Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
                               FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
        Hash Allotment: 256 (100.00%)
        Packets Redirected: 0
        Connect Time: 1d05h

Adrian Chadd wrote:

> "show ip wccp"
>
> and since you're using groups 80 and 90, not the default web-cache type, also
>
> "show ip wccp 80 detail"
> "show ip wccp 90 detail"
>
>
> 2009/7/10 Behnam B.Marandi <blixbox_at_gmail.com>:
>
>> Thanks for the quick reply.
>>
>> I did set "ip wccp web-cache" in the router config but;
>>
>> #sh ip wccp web-cache detail
>> No information is available for the service.
>>
>>
>> In the case of access-lists, what I got from step 35 is that the access-list is
>> just used for excluding specific web sites from being redirected to the cache.
>> Otherwise I don't know how and where (in the router config or the squid config)
>> to put an access-list.
>>
>> Behnam.
>>
>>
>>
>>
>> Tom Penndorf wrote:
>>
>>
>>> Hi,
>>>
>>>
>>> On 10.07.2009 at 07:29, Behnam B.Marandi wrote:
>>>
>>>
>>>> I set up a fully transparent caching machine based on Nicholas Ritter's
>>>> guide:
>>>> http://www.mail-archive.com/squid-users@squid-cache.org/msg65056.html
>>>> The cache machine is CentOS 5.3.
>>>> The router is:
>>>> IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE SOFTWARE (fc1)
>>>>
>>>> Squid config is:
>>>> http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
>>>> wccp2_router xx.xx.241.39
>>>> wccp_version 4
>>>> wccp2_rebuild_wait off
>>>> wccp2_forwarding_method 1
>>>> wccp2_return_method 1
>>>> wccp2_assignment_method 1
>>>> wccp2_service dynamic 80
>>>> wccp2_service dynamic 90
>>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>>> acl manager proto cache_object
>>>> acl localhost src 127.0.0.1/32
>>>> acl to_localhost dst 127.0.0.0/8
>>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>> acl localnet src xx.xx.240.0/20
>>>> acl SSL_ports port 443
>>>> acl Safe_ports port 80 # http
>>>> acl Safe_ports port 21 # ftp
>>>> acl Safe_ports port 443 # https
>>>> acl Safe_ports port 70 # gopher
>>>> acl Safe_ports port 210 # wais
>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>> acl Safe_ports port 280 # http-mgmt
>>>> acl Safe_ports port 488 # gss-http
>>>> acl Safe_ports port 591 # filemaker
>>>> acl Safe_ports port 777 # multiling http
>>>> acl CONNECT method CONNECT
>>>> http_access allow manager localhost
>>>> http_access deny manager
>>>> http_access deny !Safe_ports
>>>> http_access deny CONNECT !SSL_ports
>>>> http_access allow localnet
>>>> http_access deny all
>>>> cache_dir ufs /var/spool/squid 4000 16 256
>>>> hierarchy_stoplist cgi-bin ?
>>>> refresh_pattern ^ftp: 1440 20% 10080
>>>> refresh_pattern ^gopher: 1440 0% 1440
>>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>>> refresh_pattern . 0 20% 4320
>>>> coredump_dir /usr/local/squid/var/cache
>>>> visible_hostname tco53
>>>>
>>>> I'm not sure whether the IOS version is critical or not, and in the case of
>>>> "wccp2_rebuild_wait" I had to set it to "off" so the router could see the cache
>>>> machine:
>>>>
>>>> 6#sh ip wccp
>>>> Global WCCP information:
>>>> Router information:
>>>> Router Identifier: xx.xx.241.39
>>>> Protocol Version: 2.0
>>>>
>>>> Service Identifier: web-cache
>>>> Number of Cache Engines: 0
>>>> Number of routers: 0
>>>> Total Packets Redirected: 0
>>>> Redirect access-list: -none-
>>>> Total Packets Denied Redirect: 0
>>>> Total Packets Unassigned: 0
>>>> Group access-list: -none-
>>>> Total Messages Denied to Group: 0
>>>> Total Authentication failures: 0
>>>>
>>>> Service Identifier: 80
>>>> Number of Cache Engines: 1
>>>> Number of routers: 1
>>>> Total Packets Redirected: 0
>>>> Redirect access-list: -none-
>>>> Total Packets Denied Redirect: 0
>>>> Total Packets Unassigned: 0
>>>> Group access-list: -none-
>>>> Total Messages Denied to Group: 0
>>>> Total Authentication failures: 0
>>>>
>>>> Service Identifier: 90
>>>> Number of Cache Engines: 1
>>>> Number of routers: 1
>>>> Total Packets Redirected: 0
>>>> Redirect access-list: -none-
>>>> Total Packets Denied Redirect: 0
>>>> Total Packets Unassigned: 0
>>>> Group access-list: -none-
>>>> Total Messages Denied to Group: 0
>>>> Total Authentication failures: 0
>>>>
>>> As you can see, the router isn't redirecting the traffic to the proxy.
>>> Please send the output of "show ip wccp detail". Also, you haven't
>>> defined any access-list for redirecting, so the router doesn't know which
>>> traffic to redirect.
>>>
>>>
>>>
>>>
>>>> Clients can browse the web but there is no transfer between the router and the
>>>> cache machine:
>>>> [root_at_tco53 ~]# ifconfig
>>>> eth0      Link encap:Ethernet  HWaddr 00:10:22:FE:6E:EC
>>>>           inet addr:xx.xx.241.40  Bcast:194.225.241.63  Mask:255.255.255.192
>>>>           inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
>>>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>>>           RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
>>>>           TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:1000
>>>>           RX bytes:7179021 (6.8 MiB)  TX bytes:3493119 (3.3 MiB)
>>>>           Interrupt:5
>>>>
>>>> gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-AC-BF-F4-6F-00-00-00-00-00-00-00-00
>>>>           inet addr:xx.xx.241.40  Mask:255.255.255.192
>>>>           UP RUNNING NOARP  MTU:1476  Metric:1
>>>>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:0
>>>>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>>>>
>>>> lo        Link encap:Local Loopback
>>>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>>>           inet6 addr: ::1/128 Scope:Host
>>>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>>>           RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
>>>>           TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
>>>>           collisions:0 txqueuelen:0
>>>>           RX bytes:424456 (414.5 KiB)  TX bytes:424456 (414.5 KiB)
>>>>
>>>> [root_at_tco53 ~]# cat /etc/rc.local
>>>> ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
>>>> touch /var/lock/subsys/local
>>>> ip rule add fwmark 1 lookup 100
>>>> ip route add local 0.0.0.0/0 dev lo table 100
>>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>>> /usr/local/squid/sbin/squid
>>>>
>>>> I compiled gre into the kernel so there is no need to modprobe it:
>>>> CONFIG_NET_IPGRE=y
>>>> CONFIG_NET_IPGRE_BROADCAST=y
>>>>
>>>> [root_at_tco53 ~]# ip ru sh
>>>> 0: from all lookup 255
>>>> 32765: from all fwmark 0x1 lookup 100
>>>> 32766: from all lookup main
>>>> 32767: from all lookup default
>>>>
>>>> [root_at_tco53 ~]# ip ro sh ta 100
>>>> local default dev lo scope host
>>>>
>>>> [root_at_tco53 ~]# cat /etc/sysconfig/iptables
>>>> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
>>>> *filter
>>>> :INPUT ACCEPT [0:0]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [26:3416]
>>>> :RH-Firewall-1-INPUT - [0:0]
>>>> -A INPUT -i gre0 -j ACCEPT
>>>> -A INPUT -p gre -j ACCEPT
>>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>>> -A INPUT -j RH-Firewall-1-INPUT
>>>> -A FORWARD -j RH-Firewall-1-INPUT
>>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936 -j ACCEPT
>>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>>> -A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
>>>> COMMIT
>>>> # Completed on Sun Jul 5 17:04:57 2009
>>>> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
>>>> *mangle
>>>> :PREROUTING ACCEPT [10:1680]
>>>> :INPUT ACCEPT [38:3760]
>>>> :FORWARD ACCEPT [0:0]
>>>> :OUTPUT ACCEPT [26:3416]
>>>> :POSTROUTING ACCEPT [26:3416]
>>>> :DIVERT - [0:0]
>>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>>> -A DIVERT -j ACCEPT
>>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1
>>>> COMMIT
>>>> # Completed on Sun Jul 5 17:04:57 2009
>>>>
>>>> I don't know where this line came from: "-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"
>>>>
>>>> I guess that despite the router identifying the cache machine, it is not being
>>>> qualified by the router to route web traffic through it.
>>>> I don't know how to debug this; any idea to help with this would be greatly
>>>> appreciated.
>>>> Behnam.
>>>>
>>> Tom
>>>
>>>
>>>
>>
>
>
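Added example, not part of the thread: a small parser for the "sh ip wccp" output quoted above that pulls out each service block and flags the two symptoms under discussion, a service with no registered cache engine and a service whose engine is registered but whose redirect counter stays at zero. The sample input is constructed from the quoted output, with the xx.xx placeholders kept.

```python
# Constructed sample modelled on the "sh ip wccp" output quoted in the thread.
SAMPLE_WCCP = """Global WCCP information:
Router information:
Router Identifier: xx.xx.241.39
Protocol Version: 2.0

Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: -none-

Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
"""


def parse_services(text):
    """Return {service_id: {field: value}} from 'show ip wccp' output.

    Lines before the first 'Service Identifier' (router identity, version)
    are skipped; every 'key: value' line after it belongs to that service.
    """
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return services


def diagnose(services):
    """List the symptoms to check first when clients see no redirected traffic."""
    findings = []
    for sid, fields in services.items():
        engines = int(fields.get("Number of Cache Engines", "0"))
        redirected = int(fields.get("Total Packets Redirected", "0"))
        if engines == 0:
            findings.append(f"{sid}: no cache engine registered")
        elif redirected == 0:
            findings.append(f"{sid}: cache engine registered but nothing redirected")
        if fields.get("Redirect access-list") == "-none-":
            findings.append(f"{sid}: no redirect access-list configured")
    return findings
```

Run `diagnose(parse_services(SAMPLE_WCCP))` to see the same picture Tom points out: web-cache has no engine at all, while services 80 and 90 have one registered yet have redirected nothing.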
Received on Fri Jul 10 2009 - 13:32:09 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT