Hi, all,
In a nutshell, I am trying to install squid as a third proxy to alleviate some pressure from our two Bluecoat proxies into a currently working wccpv2 configuration.
We now have 5000+ users.
My current squid configuration works perfectly fine in explicit mode.
The problem I am having is that squid can't seem to join the wccp service groups.
I've tried the configuration examples from http://wiki.squid-cache.org/ConfigExamples/ to no avail.
We have two Cisco 6513's in our core and we are using wccp to load balance between the proxies.
I'm posting my sanitized configs hoping someone can shed some light on this and show me what my squid.conf, iptables and network interfaces should look like.
I would also appreciate any recommended settings for memory and disk use based on the hardware spec I am posting. This server will be dedicated to squid.
Server:
cat /etc/redhat-release
Fedora release 12 (Constantine)
rpm -qa squid
squid-3.1.1-1.fc12.i686
4 x Intel(R) Xeon(R) CPU 5160 @ 3.00GHz
free -m
             total
Mem:          7991
600 Gig on /var
ip tunnel add wccp1 mode gre remote x.x.0.1 local x.x.1.77 dev eth0
ifconfig wccp1 inet x.x.1.76 netmask 255.255.255.192 up
ifconfig
eth0      inet addr:x.x.1.77  Bcast:x.x.1.127  Mask:255.255.255.192
wccp1     inet addr:x.x.1.76  P-t-P:x.x.1.76  Mask:255.255.255.192
iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
iptables -F -t nat
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT --to-destination x.x.1.77:20
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT --to-destination x.x.1.77:21
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT --to-destination x.x.1.77:1755
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT --to-destination x.x.1.77:7070
from server:
ping -c 4 x.x.0.1
PING x.x.0.1 (x.x.0.1) 56(84) bytes of data.
64 bytes from x.x.0.1: icmp_seq=1 ttl=255 time=0.396 ms
64 bytes from x.x.0.1: icmp_seq=2 ttl=255 time=0.363 ms
64 bytes from x.x.0.1: icmp_seq=3 ttl=255 time=0.298 ms
64 bytes from x.x.0.1: icmp_seq=4 ttl=255 time=0.283 ms
ping -c 4 x.x.0.2
PING x.x.0.2 (x.x.0.2) 56(84) bytes of data.
64 bytes from x.x.0.2: icmp_seq=1 ttl=255 time=3.20 ms
64 bytes from x.x.0.2: icmp_seq=2 ttl=255 time=3.06 ms
64 bytes from x.x.0.2: icmp_seq=3 ttl=255 time=3.33 ms
64 bytes from x.x.0.2: icmp_seq=4 ttl=255 time=3.19 ms
squid.conf:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src x.x.0.0/16 # Our network
acl SSL_ports port 443 # SSL
acl SSL_ports port 8082 # Bluecoat administration
acl SSL_ports port 9443 # Websense administration
acl SSL_ports port 81 # alternate https
acl SSL_ports port 81 # alternate http
acl Safe_ports port 80 # http
acl Safe_ports port 20 # ftp
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # Alternate http
acl Safe_ports port 8000 # Alternate http
acl Safe_ports port 7070 # Streaming
acl CONNECT method CONNECT
acl donotscan dstdomain .yahoo.com
acl donotscan dstdomain .google.com
acl donotscan dstdomain .microsoft.com
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port x.x.1.77:55555 transparent vport=80
http_port x.x.1.77:443 transparent vport=443
http_port x.x.1.77:20 transparent vport=20
http_port x.x.1.77:21 transparent vport=21
http_port x.x.1.77:1755 transparent vport=1755
http_port x.x.1.77:7070 transparent vport=7070
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir aufs /var/spool/squid 230400 16 256
cache_mem 2 GB
maximum_object_size 32 MB
maximum_object_size_in_memory 2048 KB
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
visible_hostname xxxx.xxxx.xxxx
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_preview_enable on
icap_preview_size 128
icap_client_username_encode on
icap_client_username_header X-Authenticated-User
icap_log /var/log/squid/icap.log
icap_io_timeout 60 seconds
icap_uses_indirect_client off
icap_persistent_connections on
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_req deny donotscan
adaptation_access service_req allow all
icap_service service_resp respmod_precache routing=on bypass=0 icap://127.0.0.1:1344/srv_clamav
adaptation_access service_resp deny donotscan
adaptation_access service_resp allow all
url_rewrite_children 30
redirector_bypass off
url_rewrite_program /opt/Websense/bin/WsRedtor
wccp2_service dynamic 6
wccp2_service_info 6 protocol=tcp priority=240 ports=20,21,80,443,1755,7070
wccp2_router x.x.0.1
wccp2_forwarding_method gre
wccp2_return_method gre
Network:
2 x cisco WS-C6513
Both routers are the same IOS and hardware.
From router:
ping x.x.1.76
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.1.76, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
show ver
Cisco IOS Software, s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXH5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Thu 16-Apr-09 17:59 by prod_rel_team
ROM: System Bootstrap, Version 12.2(17r)S2, RELEASE SOFTWARE (fc1)
<snipped>
cisco WS-C6513 (R7000) processor (revision 2.0) with 983008K/65536K bytes of memory.
Processor board ID XXXXXXXXXXX
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from power-on
28 Virtual Ethernet interfaces
60 Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102
The x.x.0.x addresses are Loopback1000
Router x.x.0.1
show runn | inc wccp
ip wccp 6 redirect-list webcache
ip wccp 6 redirect out
show runn interface loopback1000
interface Loopback1000
ip address x.x.0.1 255.255.255.255
end
show ip wccp 6 detail
WCCP Client information:
WCCP Client ID: x.x.1.69
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
00000000000000000000000000000000
Hash Allotment: 128 (50.00%)
Packets s/w Redirected: 1238481
Connect Time: 1d22h
Bypassed Packets
Process: 0
CEF: 29778128
Errors: 0
WCCP Client ID: x.x.1.68
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 128 (50.00%)
Packets s/w Redirected: 1745585
Connect Time: 1d22h
Bypassed Packets
Process: 0
CEF: 29778128
Errors: 0
Router x.x.0.2
ping x.x.1.76
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to x.x.1.76, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
show runn | inc wccp
ip wccp 60 redirect-list webcache
ip wccp 60 redirect out
show runn interface loopback1000
interface Loopback1000
ip address x.x.0.2 255.255.255.255
end
show ip wccp 60 detail
WCCP Client information:
WCCP Client ID: x.x.1.69
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
00000000000000000000000000000000
Hash Allotment: 128 (50.00%)
Packets s/w Redirected: 1605570
Connect Time: 1d22h
Bypassed Packets
Process: 3
CEF: 36197978
Errors: 0
WCCP Client ID: x.x.1.68
Protocol Version: 2.0
State: Usable
Redirection: GRE
Packet Return: GRE
Assignment: HASH
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: 00000000000000000000000000000000
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 128 (50.00%)
Packets s/w Redirected: 2247884
Connect Time: 1d22h
Bypassed Packets
Process: 3
CEF: 36197978
Errors: 0
If I left anything out that can help you help, please just ask.
Thank you,
Jeff
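An intercepted port has to agree in three places in the setup above: the `ports=` list of `wccp2_service_info`, an `http_port ... vport=` line, and the DNAT rule on the GRE interface; if any one is missing, traffic the router redirects for that port never reaches a Squid listener. The following audit is an added example, not part of the original post; the 192.0.2.x addresses and the deliberately broken sample rules are constructed.

```python
import re

# Constructed sample modelled on the post's squid.conf (192.0.2.x stands in for
# the sanitized x.x.* addresses); not the original poster's files.
SQUID_CONF = """\
http_port 192.0.2.77:55555 transparent vport=80
http_port 192.0.2.77:443 transparent vport=443
http_port 192.0.2.77:7070 transparent vport=7070
http_port 192.0.2.77:1755 transparent vport=1755
wccp2_service_info 6 protocol=tcp priority=240 ports=80,443,7070
wccp2_router 192.0.2.1
"""
# Constructed DNAT rules: 7070 is missing and 443 targets the wrong port on purpose.
IPTABLES = """\
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.77:55555
iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.0.2.77:4443
"""

HTTP_PORT = re.compile(r"^http_port\s+\S+:(\d+)\s.*\bvport=(\d+)")
SVC_INFO = re.compile(r"^wccp2_service_info\s+\d+\s.*\bports=([\d,]+)")
DNAT = re.compile(r"-i\s+(\S+)\s.*--dport\s+(\d+)\s.*--to-destination\s+\S+:(\d+)")

def audit(squid_conf, iptables_rules, gre_if="wccp1"):
    """List mismatches between the three places an intercepted port must agree:
    wccp2_service_info ports=, an http_port ... vport=, and the DNAT rule on the GRE interface."""
    listen, advertised = {}, set()          # vport -> real listening port; ports sent to the router
    for line in squid_conf.splitlines():
        if m := HTTP_PORT.match(line):
            listen[int(m.group(2))] = int(m.group(1))
        elif m := SVC_INFO.match(line):
            advertised |= {int(p) for p in m.group(1).split(",")}
    dnat = {}                               # dport on the GRE interface -> DNAT target port
    for line in iptables_rules.splitlines():
        if (m := DNAT.search(line)) and m.group(1) == gre_if:
            dnat[int(m.group(2))] = int(m.group(3))
    issues = []
    for port in sorted(advertised):
        if port not in listen:
            issues.append(f"port {port} is advertised to the router but no http_port has vport={port}")
        if port not in dnat:
            issues.append(f"no DNAT rule on {gre_if} for dport {port}")
        elif port in listen and dnat[port] != listen[port]:
            issues.append(f"DNAT for dport {port} sends to :{dnat[port]} but Squid listens on :{listen[port]}")
    for vport in sorted(set(listen) - advertised):
        issues.append(f"http_port vport={vport} is not in wccp2_service_info ports=")
    return issues
```

Run `audit()` on the real squid.conf and the output of `iptables-save -t nat` (the regexes match the `-A PREROUTING ...` lines in that format too) and every line it prints is a port the router will redirect that the box cannot answer.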
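The `show ip wccp 6 detail` output above lists only the two existing client IDs, which is the router-side evidence that the new cache never joined. As an added example that is not from the post, this parser reads that output format and reports which expected cache addresses are absent from the service group, any member not in the Usable state, and whether the hash buckets add up to 256; the sample text and the 192.0.2.x addresses are constructed.

```python
import re

# Constructed excerpt in the shape of the post's "show ip wccp 6 detail" output
# (192.0.2.x stands in for the sanitized x.x.* addresses); not the poster's real output.
SHOW_WCCP_DETAIL = """\
WCCP Client information:
        WCCP Client ID:          192.0.2.69
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Hash Allotment:          128 (50.00%)
        Packets s/w Redirected:  1238481
        WCCP Client ID:          192.0.2.68
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Hash Allotment:          128 (50.00%)
        Packets s/w Redirected:  1745585
"""

# "Key:   value" lines; the bare "WCCP Client information:" header has no value and is skipped.
FIELD = re.compile(r"^\s*([A-Za-z/ ]+?):\s+(.+?)\s*$")

def parse_clients(text):
    """Split 'show ip wccp <svc> detail' into one dict per cache engine, keyed by client ID."""
    clients, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "WCCP Client ID":
            current = clients.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return clients

def membership_report(text, expected):
    """Compare the router's member list with the caches that should be in the group;
    256 hash buckets in total means the whole hash space is assigned."""
    clients = parse_clients(text)
    missing = sorted(set(expected) - set(clients))
    not_usable = sorted(ip for ip, c in clients.items() if c.get("State") != "Usable")
    buckets = sum(int(c.get("Hash Allotment", "0").split()[0]) for c in clients.values())
    return {"members": sorted(clients), "missing": missing,
            "not_usable": not_usable, "buckets_assigned": buckets}
```

Calling `membership_report(output, [bluecoat1, bluecoat2, squid_gre_ip])` against a capture from each router shows at a glance whether the Squid box's client ID ever appears, and running it per service group (6 on one router, 60 on the other above) makes a mismatched service ID visible as well.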
Received on Thu May 06 2010 - 16:36:03 MDT
This archive was generated by hypermail 2.2.0 : Sun May 09 2010 - 12:00:04 MDT