Re: [squid-users] help needed on WCCP2 with squid 3.1.10

From: AZHAR CHOWDHURY <azhar_at_banglalion.com.bd>
Date: Mon, 18 Apr 2011 18:17:58 +0600

Hi Amos,
First of all, big thanks. By putting "forwarded_for transparent" and "via
off" in place, the host info at www.whatismyip.com was removed and there is
also no email view problem at hotmail or live.com any more. All of this
configuration is working perfectly with Squid as the router.

But the problem is not solved with the router using WCCP2.
On the Linux box I can see the ip_gre module loaded:

Module Size Used by
ip_gre 10986 0
sit 8531 0
tunnel4 2005 1 sit
xt_TPROXY 1722 0
nf_tproxy_core 1791 1 xt_TPROXY,[permanent]
......
The iptables configuration is as follows:

# Route anything carrying fwmark 1 through table 100, which delivers it locally
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100

# DIVERT keeps packets that already belong to a local (TPROXY) socket on the mark
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# New port-80 flows are handed to Squid's tproxy listener on 3129 and marked
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
...............
/etc/squid.conf

wccp2_router 203.x.x.x
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

==============================================================================
Please find the following router configuration for WCCP

Global wccp command for router:
!
ip wccp 80
ip wccp 90
!
Interface facing towards customers
!
interface GigabitEthernet6/9
ip address x.x.x.x 255.255.255.248 secondary
ip address x.x.x.23 255.255.255.0
ip access-group 125 in
ip access-group 173 out
no ip redirects
no ip unreachables
no ip proxy-arp

ip wccp 80 redirect in
ip wccp 90 redirect out
ip route-cache flow
no ip mroute-cache
!
interface connected to proxy
!
interface GigabitEthernet6/7
ip address 203.x.x.x 255.255.255.252
ip access-group 125 in
ip access-group 173 out
no ip redirects
no ip unreachables
no ip proxy-arp

ip wccp redirect exclude in
ip route-cache flow
no ip mroute-cache
no cdp enable

After the above configuration, "sh ip wccp" shows the following:

Citechco#sh ip wccp
Global WCCP information:
  Router information:
      Router Identifier: 203.x.x.x
      Protocol Version: 2.0

  Service Identifier: 80
      Number of Cache Engines: 1
      Number of routers: 1
      Total Packets Redirected: 9175
      Redirect access-list: -none-
      Total Packets Denied Redirect: 0
      Total Packets Unassigned: 0
      Group access-list: -none-
      Total Messages Denied to Group: 0
      Total Authentication failures: 0

  Service Identifier: 90
      Number of Cache Engines: 1
      Number of routers: 1
      Total Packets Redirected: 1354
      Redirect access-list: -none-
      Total Packets Denied Redirect: 0
      Total Packets Unassigned: 0
      Group access-list: -none-
      Total Messages Denied to Group: 0
      Total Authentication failures: 0

myco#

Any clue where the problem is?

TIA,

Azhar
On Mon, Apr 18, 2011 at 9:37 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On Sun, 17 Apr 2011 23:21:44 +0600, AZHAR CHOWDHURY wrote:
>>
>> Hi Amos,
>> OK, it was my fault that I posted before running in the real network with
>> WCCP. We are running Squid+tproxy under Policy Based Routing without
>> any major trouble (please see below for the problem we are facing).
>> This week we will move squid from PBR to WCCP. The mentioned example
>> is based on vlan dot1q; let me dig with Cisco and I will raise it if I face
>> any problem.
>>
>> 1. If we run squid with the default conf file, we get the cache host name in
>> "www.whatismyip.com"; to avoid that we added the following to the squid.conf
>> file:
>> forwarded_for off
>
> I think "forwarded_for" should be enough.
>
> Possibly also "via off". Though that is not usually required for hotmail
> (may have changed, the last good analysis was a year or so ago).
>
> <snip>
>>
>> Now there is no cache/squid host name in "whatismyip.com", but in
>> hotmail/live.com's email service inbox no message opens; it shows
>> an error that another IP is accessing the same page.
>
> Does it say which one? Are you absolutely certain that TPROXY is working?
> (this error will appear when WCCP is active but TPROXY fails).
>
>> I guess we need to add another "request_header_access" rule; any clue on
>> it?
>>  Is "http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html" the final
>> list of all headers?
>
> Hotmail with WCCP pretty much requires TPROXY to be working.
>
> Alternatively, if your client machine is a Windows box using IPv6 to talk to
> Squid-3.1: Windows will by default choose to use "privacy" IPs which rotate
> through time-based cryptographic hashes embedded in the IP address. As often
> as every 15 minutes, not retaining one for more than 90 minutes at a
> stretch. That will show up in the X-Forwarded-For.
>  Setting "forwarded_for transparent" will prevent the proxy IP being
> inserted.
>  Setting "forwarded_for delete" will erase the header entirely and prevent
> the "privacy" address from breaking the hotmail-end checks.
>
>
> Other things to check:
>  * Check that "balance_on_multiple_ip" is turned OFF in squid.conf. In 3.1
> this is the default, but you may have an older config from when it was
> present in the file by default and set on.
>  What that does is make Squid send each request to a different remote server
> hosting the website. Hotmail requires all traffic to arrive at consistent
> receiving servers. They appear not to care if HTTPS and HTTP go to different
> ones, but it has to be consistently going to the same place.
>
>>
>> 2. What is a safe filedescriptors value I should use?
>>
>
> Depends on you and your OS. Anything below 16 million appears safe on Linux.
>
> Amos
>
>
Received on Mon Apr 18 2011 - 12:18:08 MDT
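The four fragments pasted in this thread (the squid.conf wccp2 lines, the ip/iptables TPROXY script, the router's WCCP interface configuration and the "sh ip wccp" counters) have to agree with each other, and a mismatch in any one of them produces exactly the symptom reported: the router counts redirected packets while clients see a broken session. The script below is an added example, not code from the thread or from the Squid project; it parses such fragments and reports the disagreements a practitioner would check first. The sample inputs are constructed from the post (203.0.113.1 stands in for the masked router address), and the function and variable names are the example's own.

```python
"""Consistency checks for a Squid TPROXY + WCCPv2 setup (added example; not code from the
thread or from Squid). Cross-checks squid.conf wccp2_service lines, the ip/iptables TPROXY
script, the router's WCCP lines and 'sh ip wccp'. The samples at the bottom are constructed
from the post; 203.0.113.1 stands in for the router address the poster masked."""
import re

def router_wccp(conf):
    """(global service IDs, {iface: {'redirect': {(svc, dir)}, 'exclude': bool}})."""
    global_ids, ifaces, cur = set(), {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        if m := re.match(r"interface\s+(\S+)$", line):
            cur = m.group(1)
            ifaces[cur] = {"redirect": set(), "exclude": False}
        elif cur is None:  # still in the global section
            if m := re.match(r"ip wccp (\d+)$", line):
                global_ids.add(int(m.group(1)))
        elif line == "ip wccp redirect exclude in":
            ifaces[cur]["exclude"] = True
        elif m := re.match(r"ip wccp (\d+) redirect (in|out)$", line):
            ifaces[cur]["redirect"].add((int(m.group(1)), m.group(2)))
    return global_ids, ifaces

def show_ip_wccp(output):
    """{service_id: {counter name: int}} parsed from 'sh ip wccp'."""
    services, cur = {}, None
    for line in output.splitlines():
        if m := re.match(r"\s*Service Identifier:\s*(\d+)", line):
            services[(cur := int(m.group(1)))] = {}
        elif cur is not None and (m := re.match(r"\s*([A-Za-z ]+?):\s*(\d+)\s*$", line)):
            services[cur][m.group(1).strip()] = int(m.group(2))
    return services

def tproxy_marks(script):
    """Marks used by 'ip rule', MARK and TPROXY, and the order of the PREROUTING rules."""
    info = dict(fwmark=None, set_mark=None, tproxy_mark=None, socket_idx=None, tproxy_idx=None)
    for idx, line in enumerate(script.splitlines()):
        if m := re.search(r"ip rule .*fwmark\s+(\S+)", line):
            info["fwmark"] = int(m.group(1), 0)
        if m := re.search(r"--set-mark\s+(\S+)", line):
            info["set_mark"] = int(m.group(1).split("/")[0], 0)
        if m := re.search(r"--tproxy-mark\s+(\S+)", line):  # value[/mask], hex or decimal
            val, _, mask = m.group(1).partition("/")
            info["tproxy_mark"] = int(val, 0) & (int(mask, 0) if mask else 0xFFFFFFFF)
        if "PREROUTING" in line:
            if "-m socket" in line: info["socket_idx"] = idx
            if "-j TPROXY" in line: info["tproxy_idx"] = idx
    return info

def check_all(squid_conf, tproxy_script, router_conf, wccp_status):
    """Return a list of findings; an empty list means the four fragments agree."""
    squid = {int(n) for n in re.findall(r"^\s*wccp2_service\s+\w+\s+(\d+)", squid_conf, re.M)}
    global_ids, ifaces = router_wccp(router_conf)
    status, tp = show_ip_wccp(wccp_status), tproxy_marks(tproxy_script)
    found = []
    for svc in sorted(squid):
        if svc not in global_ids:
            found.append(f"service {svc}: Squid announces it but the router has no 'ip wccp {svc}'")
        st = status.get(svc, {})
        if st.get("Total Authentication failures", 0):
            found.append(f"service {svc}: authentication failures; wccp2_password differs from the router")
        elif st.get("Number of Cache Engines", 0) < 1:
            found.append(f"service {svc}: router sees no cache engine (HERE_I_AM not arriving)")
        elif st.get("Total Packets Redirected", 0) == 0:
            found.append(f"service {svc}: registered but nothing redirected; check where 'redirect in/out' sits")
    if not any(i["exclude"] for i in ifaces.values()):
        found.append("no 'ip wccp redirect exclude in': traffic from Squid can be intercepted again")
    marks = (tp["fwmark"], tp["set_mark"], tp["tproxy_mark"])
    if None in marks or len(set(marks)) != 1:
        found.append(f"mark mismatch: ip rule fwmark {marks[0]}, --set-mark {marks[1]}, --tproxy-mark {marks[2]}")
    if None in (tp["socket_idx"], tp["tproxy_idx"]) or tp["socket_idx"] > tp["tproxy_idx"]:
        found.append("mangle PREROUTING needs the '-m socket -j DIVERT' rule before the TPROXY rule")
    return found

# Constructed samples modelled on the post (not the poster's verbatim files).
SQUID_CONF = "wccp2_router 203.0.113.1\nwccp2_service dynamic 80\nwccp2_service dynamic 90\n"
TPROXY_SCRIPT = """\
ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
"""
ROUTER_CONF = """\
ip wccp 80
ip wccp 90
interface GigabitEthernet6/9
 ip wccp 80 redirect in
 ip wccp 90 redirect out
interface GigabitEthernet6/7
 ip wccp redirect exclude in
"""
WCCP_STATUS = """\
  Service Identifier: 80
      Number of Cache Engines: 1
      Total Packets Redirected: 9175
  Service Identifier: 90
      Number of Cache Engines: 1
      Total Packets Redirected: 1354
"""
```

Run against the sample data, `check_all` returns an empty list, which is the situation in the thread: every service is registered and counting redirected packets, the proxy-facing interface is excluded from re-interception, and the fwmark used by `ip rule` matches both `--set-mark` and the masked `--tproxy-mark`. Changing any one of those (a different tproxy mark, a dropped `ip wccp 90`, the DIVERT rule placed after the TPROXY rule) produces a finding, so the script narrows a "counters go up but clients break" report to the fragment that disagrees; what it cannot see is whether GRE-encapsulated packets actually reach the `ip_gre` interface, which still needs a packet capture on the Squid box.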