Re: [squid-users] Squid and WCCP with Centos

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 21 Apr 2011 01:13:11 +1200

On 21/04/11 00:35, Daniel Shelton wrote:
>> One thing that always troubles me. The failure reports always seem
>> to mention an interface. Yet the wiki examples written by people
>> with working configs do not mention one.
>>
>> Your rule appears to be matching packets, so I assume it's okay.
>> Just something to be aware of.
>>
>> With GRE you have to be extremely careful where the OS thinks the
>> packet is coming from. It seems to vary between kernel
>> implementations and versions whether the gre or eth NIC is the one
>> seen during NAT. What is the exact message displayed by Squid about
>> that port during startup or reconfigure?
>>
>> Amos
>>
>
>
> I thank you for replying Amos. The part of confusion for me is
> really on a basic level. There is a lack of topology information
> available with Squid that I have noticed. For example, where does
> the traffic come from? Where do the users reside? Which interface
> does what? This is the most important information to know and it can
> be learned very easily from a topology diagram. I haven't seen any.

I understand completely. Been thinking we should add diagrams to the
wiki for a while now. I'll have to remind our wiki admin about it.

Okay, for background. What is generally called "WCCP" is a mix of up to
4 protocols.
  WCCP *protocol* is just a signal between Squid and the Router
consisting of two packets bouncing backward and forward on the eth
interface. Nicely called HERE_I_AM and I_SEE_YOU.
  To avoid altering the TCP/IP protocol details of client packets it
uses a tunnel. Either GRE protocol or a Layer-2 (essentially a NAT of
the MAC address).
  Squid connects out to the Internet via whatever path it has.

I'm not certain myself whether the packets *have* to go back to the
client over the GRE, but there is usually no need. If things work up
to that point we usually don't have to care.

>
> Anyhow, the question I have is does the proxy make the connection out
> onto the Internet itself and therefore needs an Internet on the
> public facing side, or does all of this traffic traverse the gre
> tunnel?

Only client->router->Squid traffic traverses the GRE.

Squid->Internet traffic traverses regular networking paths. Whether they
be via ethN to the same router or to elsewhere.

The topology with one NIC on Squid box is generally:

clients
   \
  router ----Eth(WCCP,HTTP)---- Squid
    | \ <====GRE(HTTP)====> /
    |
  Internet

> The only mention I see about port 3129 is that it is "Ready
> to accept connections at 0.0.0.0:3129".

Hmm. Okay. Must be one of the versions pre-dating the update to say what
type of connections.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.7 and 3.1.12.1
Received on Wed Apr 20 2011 - 13:13:16 MDT
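
Added example, not part of the original message and not Squid code: a decoder for one router->Squid GRE packet, showing that the tunnel addresses are router and Squid while the encapsulated packet keeps the client and web server addresses. It assumes WCCPv2 framing (GRE protocol type 0x883E followed by a 4-byte redirect header); the function names and the documentation-range addresses in the sample are constructed for illustration.

```python
import socket
import struct

WCCP_GRE_PROTO = 0x883E  # GRE protocol type routers use for WCCP redirection

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (no options, checksum left 0) for the sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def decode_wccp_gre(pkt, wccp2=True):
    """Split a router->Squid GRE packet into tunnel and client addressing."""
    tun_src, tun_dst, proto, gre = parse_ipv4(pkt)
    if proto != 47:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if flags != 0 or gre_proto != WCCP_GRE_PROTO:
        raise ValueError("not a plain WCCP GRE header")
    # WCCPv2 puts a 4-byte redirect header between GRE and the client packet.
    src, dst, inner_proto, l4 = parse_ipv4(gre[8 if wccp2 else 4:])
    if inner_proto != 6 or len(l4) < 4:
        raise ValueError("inner packet is not TCP")
    sport, dport = struct.unpack("!HH", l4[:4])
    return {"tunnel": (tun_src, tun_dst), "client": (src, sport),
            "server": (dst, dport)}

def sample_packet():
    """Constructed sample: client 192.0.2.10 fetching 198.51.100.80:80,
    redirected by router 203.0.113.1 to Squid at 203.0.113.2."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4("192.0.2.10", "198.51.100.80", 6, tcp)
    gre = struct.pack("!HH", 0, WCCP_GRE_PROTO) + b"\x00" * 4  # + redirect hdr
    return ipv4("203.0.113.1", "203.0.113.2", 47, gre + inner)

if __name__ == "__main__":
    print(decode_wccp_gre(sample_packet()))
```

The inner packet is still addressed to the origin server on port 80, so any NAT rule on the Squid box has to match it as it appears after decapsulation.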
