Re: [squid-users] squid in load balanced wccpv2 configuration

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 12 May 2010 23:13:02 +0000

On Wed, 12 May 2010 07:03:59 -0700 (PDT), Jiffy 1111 <jiffy1111_at_yahoo.com> wrote:
> --- On Sun, 5/9/10, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
>> From: Amos Jeffries <squid3_at_treenet.co.nz>
>> Subject: Re: [squid-users] squid in load balanced wccpv2 configuration
>> To: squid-users_at_squid-cache.org
>> Date: Sunday, May 9, 2010, 6:55 AM
>> Jiffy 1111 wrote:
>> > Hi, all,
>> >
>> > In a nutshell, I am trying to install squid as a third proxy to alleviate some pressure from our two Bluecoat proxies into a currently working wccpv2 configuration.
>> > We now have 5000+ users.
>> >
>> > My current squid configuration works perfectly fine in explicit mode.
>> > The problem I am having is that squid can't seem to join the wccp service groups.
>> > I've tried the configuration examples from
>> > http://wiki.squid-cache.org/ConfigExamples/ to no avail.
>> >
>> > We have two Cisco 6513's in our core and we are using wccp to load balance between the proxies.
>> >
>> > I'm posting my sanitized configs hoping someone can shed some light on this and show me what my squid.conf, iptables and network interfaces should look like.
>> > I would also appreciate any recommended settings for memory and disk use based on the hardware spec I am posting. This server will be dedicated to squid.
>> >
>> > Server:
>> > cat /etc/redhat-release
>> > Fedora release 12 (Constantine)
>> >
>> > rpm -qa squid
>> > squid-3.1.1-1.fc12.i686
>> >
>> > 4 x Intel(R) Xeon(R) CPU 5160 @ 3.00GHz
>> >
>> > free -m
>> > total
>> > Mem: 7991
>> > 600 Gig on /var
>> >
>> > ip tunnel add wccp1 mode gre remote x.x.0.1 local x.x.1.77 dev eth0
>> > ifconfig wccp1 inet x.x.1.76 netmask 255.255.255.192 up
>> >
>> > ifconfig
>> > eth0
>> > inet addr:x.x.1.77 Bcast:x.x.1.127 Mask:255.255.255.192
>> >
>> > wccp1
>> > inet addr:x.x.1.76 P-t-P:x.x.1.76 Mask:255.255.255.192
>> >
>> > iptables:
>> > echo 1 > /proc/sys/net/ipv4/ip_forward
>> > echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
>> > echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
>> > iptables -F -t nat
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT --to-destination x.x.1.77:20
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT --to-destination x.x.1.77:21
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT --to-destination x.x.1.77:1755
>> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT --to-destination x.x.1.77:7070
>> >
>>
>> DNAT used on TCP links (only) with no sign of a matching source fix-up (MASQUERADE or SNAT).
>>
>> Everything else looks good at a quick glance.
>>
>> Amos
>> -- Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.3
>>
>
> Hi, Amos,
>
> Thank you for the hint, but I guess you are speaking about iptables. I am not overly familiar with that. Would you be so kind as to provide an example or an explanation for this setup?
>
> I am in training this week and will be back in the office on Monday ready and willing to try this and, if it works, provide a working config for others to reference.
>
> Thanks again,
> Jeff

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Your use of "-i wccp1" effectively implements lines 1 and 2 of the iptables config in one entry.

You seem to be missing line 3 for the nat POSTROUTING part.

Amos
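An added example, not from the thread or the squid wiki: the HTTP DNAT rule from Jeff's post together with the nat POSTROUTING source fix-up Amos says is missing, plus a check that can be run over `iptables -t nat -S` output to see whether such a rule is present. The addresses come from the sanitized post; that squid's intercept port is 55555 (the DNAT target in the post) and that eth0 is the interface squid uses to reach origin servers are assumptions, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the squid wiki): Jeff's HTTP DNAT rule
# plus the nat POSTROUTING source fix-up Amos points at as missing.
# Values are from the sanitized post; SQUID_PORT=55555 and OUT_IF=eth0 are assumptions.
SQUID_IP="${SQUID_IP:-x.x.1.77}"
SQUID_PORT="${SQUID_PORT:-55555}"
WCCP_IF="${WCCP_IF:-wccp1}"
OUT_IF="${OUT_IF:-eth0}"

# With DRY_RUN set, print each rule instead of loading it, so the rule set can
# be reviewed before it touches the live nat table.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Load the rules. Matching on "-i $WCCP_IF" only catches traffic the routers
# redirect over the GRE tunnel; squid's own outbound requests leave via
# $OUT_IF and never hit the DNAT, so no separate ACCEPT rule is needed.
wccp_nat_rules() {
    ipt -F -t nat
    ipt -t nat -A PREROUTING -i "$WCCP_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_IP:$SQUID_PORT"
    # The "matching source fix-up" from the thread: rewrite the source address
    # of traffic leaving via $OUT_IF to this host's own address.
    ipt -t nat -A POSTROUTING -o "$OUT_IF" -j MASQUERADE
}

# Check a nat listing (the output of `iptables -t nat -S`, or of a DRY_RUN of
# the function above) for a source fix-up: succeeds only if some POSTROUTING
# rule jumps to MASQUERADE or SNAT.
has_source_fixup() {
    printf '%s\n' "$1" | grep -Eq -- '-A POSTROUTING .*-j (MASQUERADE|SNAT)'
}

# Usage: DRY_RUN=1 sh wccp-nat.sh     (review the rules)
#        WCCP_APPLY=1 sh wccp-nat.sh  (load them, as root)
if [ -n "${DRY_RUN:-}${WCCP_APPLY:-}" ]; then
    wccp_nat_rules
fi
```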
Received on Wed May 12 2010 - 23:13:05 MDT