I have Squid, which is a later stable version on lenny (the newest Debian
release). Here's the full output for my version:
Squid Cache: Version 3.0.STABLE8
configure options: '--build=i486-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--with-cppunit-basedir=/usr'
'--enable-inline' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,coss,diskd,null'
'--enable-removal-policies=lru,heap' '--enable-delay-pools'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-auth=basic,digest,ntlm'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM'
'--enable-ntlm-auth-helpers=SMB'
'--enable-digest-auth-helpers=ldap,password'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--with-filedescriptors=65536' '--with-default-user=proxy'
'--enable-epoll' '--enable-linux-netfilter'
'build_alias=i486-linux-gnu' 'CC=cc' 'CFLAGS=-g -O2 -g -Wall -O2'
'LDFLAGS=' 'CPPFLAGS=' 'CXX=g++' 'CXXFLAGS=-g -O2 -g -Wall -O2'
'FFLAGS=-g -O2'
On 15 August 2009 04:40, Amos Jeffries
<squid3_at_treenet.co.nz> wrote:
> Sławomir Kozłowski wrote:
>>
>> Hi,
>> I have one little problem with squid. I use squid now as configured
>> manually, but can't force it to work in transparent mode.
>
> So first Q: __what version of squid__ ???
>
> Debian has somewhere between 9 and a few hundred Squid versions currently
> in-use depending on how recently you upgraded and which Debian release you
> have.
>
> "squid -v" should give some indication what version it is.
>
>
>> My whole config is:
>> 1. network
>>
>> {internet} -> router cisco 2821 (with 2 vlans) -> switch -> client is
>> on vlan 201, squid is on vlan 2
>>
>> 2. cisco config: FastEthernet0/0 is external interface with direct
>> connection to the Internet, with external IP address (77.77.77.12 is
>> fake), FastEthernet0/1.201 is vlan interface with all clients,
>> FastEthernet0/1.2 is vlan interface with squid machine in it
>>
>> ip wccp web-cache
>> ip cef
>>
>> interface FastEthernet0/0
>> ip address 77.77.77.12 255.255.255.224
>> ip nat outside
>> ip virtual-reassembly
>> duplex auto
>> speed auto
>>
>> interface FastEthernet0/1.2
>> encapsulation dot1Q 201
>> ip address 192.168.2.1 255.255.255.0
>> ip nat inside
>> ip virtual-reassembly
>> no ip mroute-cache
>> no snmp trap link-status
>>
>> interface FastEthernet0/1.201
>> encapsulation dot1Q 201
>> ip address 192.168.201.1 255.255.255.0
>> ip wccp web-cache redirect out
>> ip wccp web-cache redirect in
>> ip nat inside
>> ip virtual-reassembly
>> no ip mroute-cache
>> no snmp trap link-status
>>
>> 3. network config on machine with squid
>>
>> iface eth0 inet static
>> address 192.168.2.243
>> netmask 255.255.255.0
>> network 192.168.2.0
>> broadcast 192.168.2.255
>> gateway 192.168.2.1
>>
>> 4. squid config
>>
>> wccp2_router 77.77.77.12
>> wccp2_forwarding_method 1
>> wccp2_return_method 1
>> wccp2_service standard 0
>> access_log /var/log/squid3/access.log
>> http_port 3128 transparent
>> acl blocksites url_regex "/etc/squid3/blocked-sites.acl"
>> http_access deny blocksites
>
> Your life will be easier, and your log emptier if you place the "transparent"
> option on a different port to which you get normal proxy requests.
> I recommend 3129 or such. Then firewall that port from any direct contact
> with devices other than the router. (but do the firewall bit later once you
> have WCCP working to be sure).
>
>>
>> 5. iptables config
>>
>> $iptables -F
>> $iptables -X
>> $iptables -F -t nat
>> $iptables -F -t mangle
>> $iptables -t nat -A PREROUTING -i wccp0 -p tcp -m tcp --dport 80 -j
>> REDIRECT --$
>
> You may also need a POSTROUTING -j MASQUERADE rule to unwind the reply
> packets Squid->Client.
>
>>
>> 6. tunnel config
>>
>> /sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local
>> 192.168.2.243 dev eth0;
>> /sbin/ifconfig wccp0 192.168.2.243 netmask 255.255.255.255 up
>> /sbin/sysctl -w net.ipv4.conf.wccp0.rp_filter=0 ;
>> /sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ;
>>
>> Now, the problem. If I configure manually proxy on client all is
>> working fine. When I remove the proxy configuration from the browser,
>> then I cannot access any webpage.
>> I did some debugging, and when I run tcpdump for the wccp0 interface, and try
>> to access some webpage on the client (squid in transparent mode) then I
>> see some packets on the wccp0 interface, but no page is loading.
>> Also on the cisco router, when I run: sh ip wccp web-cache I get:
>>
>> Global WCCP information:
>> Router information:
>> Router Identifier: 192.168.201.1
>> Protocol Version: 2.0
>>
>> Service Identifier: web-cache
>> Number of Cache Engines: 1
>> Number of routers: 1
>> Total Packets Redirected: 2089
>> Process: 116
>> Fast: 0
>> CEF: 1973
>> Redirect access-list: -none-
>> Total Packets Denied Redirect: 0
>> Total Packets Unassigned: 139
>> Group access-list: -none-
>> Total Messages Denied to Group: 0
>> Total Authentication failures: 0
>> Total Bypassed Packets Received: 0
>>
>> and when I run: sh ip wccp web-cache detail I get:
>> WCCP Cache-Engine information:
>> Web Cache ID: 192.168.2.243
>> Protocol Version: 2.0
>> State: Usable
>> Initial Hash Info: 00000000000000000000000000000000
>> 00000000000000000000000000000000
>> Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>> Hash Allotment: 256 (100.00%)
>> Packets Redirected: 5
>> Connect Time: 05:42:44
>> Bypassed Packets
>> Process: 0
>> Fast: 0
>> CEF: 0
>>
>> So, please help me set this up as transparent proxy.
>> Thanks in advance,
>> Slawek
>
> In 4. squid config you specify:
>
>> wccp2_router 77.77.77.12
>
> In 6. tunnel config you specify:
> gre remote 77.77.77.12
>
> yet WCCP indicates:
> Router Identifier: 192.168.201.1
>
> I think your gre tunnel is probably going to the wrong IP.
> To check, try adding a gre tunnel from the Squid box to all of the router
> IPs and seeing which one gets traffic.
>
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
> Current Beta Squid 3.1.0.13
>
--
http://www.torli.pl/ email: kozlowski_at_torli.pl, tel.: 605-529-500
- managed websites - website traffic analysis - content analysis - Google technologies -
Received on Sat Aug 15 2009 - 11:15:57 MDT
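The comparison made at the end of the quoted reply (the GRE remote and wccp2_router against the Router Identifier the Cisco reports, then trying the other router addresses) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical and the inputs are constructed from the values quoted above.

```shell
#!/bin/sh
# Constructed inputs: values copied from the configuration quoted in the thread.
SQUID_CONF='wccp2_router 77.77.77.12
http_port 3128 transparent'
TUNNEL_CMD='/sbin/ip tunnel add wccp0 mode gre remote 77.77.77.12 local 192.168.2.243 dev eth0'
WCCP_STATUS='Router information:
Router Identifier: 192.168.201.1
Protocol Version: 2.0'
ROUTER_CONF='interface FastEthernet0/0
ip address 77.77.77.12 255.255.255.224
interface FastEthernet0/1.2
ip address 192.168.2.1 255.255.255.0
interface FastEthernet0/1.201
ip address 192.168.201.1 255.255.255.0'

# Print the field that follows KEYWORD, wherever KEYWORD sits on a line.
after_word() {  # usage: after_word KEYWORD TEXT
    printf '%s\n' "$2" | awk -v k="$1" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}
squid_router() { after_word wccp2_router "$1"; }   # from squid.conf
gre_remote()   { after_word remote "$1"; }         # from the ip tunnel command
router_id()    { after_word Identifier: "$1"; }    # from "sh ip wccp web-cache"
router_ips()   { after_word address "$1"; }        # every "ip address A.B.C.D MASK" line

# Print the three addresses, a verdict line and, on mismatch, the other router
# addresses to try as the tunnel remote. Returns 1 on mismatch.
check_gre_remote() {  # usage: check_gre_remote SQUID_CONF TUNNEL_CMD WCCP_STATUS ROUTER_CONF
    gre=$(gre_remote "$2"); rid=$(router_id "$3")
    echo "wccp2_router=$(squid_router "$1") gre_remote=$gre router_identifier=$rid"
    if [ "$gre" = "$rid" ]; then
        echo "OK: GRE remote matches the Router Identifier"
        return 0
    fi
    echo "MISMATCH: GRE remote $gre is not the Router Identifier $rid"
    for ip in $(router_ips "$4"); do
        [ "$ip" = "$gre" ] || echo "candidate remote: $ip"
    done
    return 1
}

# Run against the constructed inputs; a non-zero status means a mismatch.
check_gre_remote "$SQUID_CONF" "$TUNNEL_CMD" "$WCCP_STATUS" "$ROUTER_CONF" || echo "exit status: $?"
```

On a live system the same functions can be fed the output of `ip tunnel show` and the router's `sh ip wccp web-cache` instead of the embedded strings.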