Hi.
Just for the sake of others who are looking to make
Transparent/Interception caching with Squid, WCCP v1 and Fedora Core 3,
this is what we did to get it working:

On the router (IOS 12.3(2)T):
    ip cef
    ip wccp version 1
    ip wccp web-cache
    interface <interface either directly or indirectly connected to the Internet>
    ip wccp web-cache redirect out
    end

Also, we did:
    conf t
    ip cef # some systems may already have 'ip cef global'
    int <interface directly or indirectly connected to the Squid Server> (or int FastEthernet 0/0 or other internal interface)
    no ip route-cache cef
    CTRL Z

That's it. For debugging, we used:
    show ip wccp
    show ip wccp web-caches
    show ip wccp web-cache detail
    show ip wccp web-cache view (or: show ip wccp 99 detail)

On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):

In squid.conf:
    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    tcp_outgoing_address <ip address of your interface connected to the WCCP router>
    wccp_outgoing_address <ip address of your interface connected to the WCCP router>
    wccp_router <ip address of the WCCP router itself>
    wccp_version 4

In /etc/sysconfig/network-scripts/ifcfg-gre0:
    DEVICE=gre0
    BOOTPROTO=static
    IPADDR=172.16.1.6
    NETMASK=255.255.255.252
    ONBOOT=yes
    IPV6INIT=no

For netfilter:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
    service iptables save
You also might want to limit this in a way so that you specify
source addresses and limit it to only those networks/hosts you want to
proxy for. I think this would mean one entry (or line) per configured
network.

For ip forwarding:
    echo 0 > /proc/sys/net/ipv4/ip_forward
You might even want to do the following in /etc/sysctl.conf:
    net.ipv4.ip_forward = 1

For rp_filter, which must be turned off:
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
You might even want to do the following in /etc/sysctl.conf:
    net.ipv4.conf.default.rp_filter = 0
**** This last one was where our problem was. We had turned off
rp_filter for eth0 but not for gre0. Once we turned it off for gre0, it
worked.

Also, for debugging:

For WCCP connection with the router:
    tethereal -V -s 1500 port 2048
You should see here_i_am and i_see_you packets going through.

For redirected connections coming from the router:
    tcpdump -i gre0
or
    tcpdump -i gre0 port 80
You should see http requests redirected through the gre interface.

For squid:
    tail -f <your squid log files location>/access.log
You should see requests from clients.

Hope this helps.
-- Oliver --
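
[Added example, not part of the original post: a small check for the problem described above, rp_filter turned off for eth0 but left on for gre0. The function names and the ROOT argument (which lets the check run against a constructed directory tree instead of /proc) are assumptions made for this example.]

```shell
#!/bin/sh
# Added example (not from the original post). The ROOT argument is a
# hypothetical override so the check can run against a constructed tree.

# rp_filter_value ROOT NAME: print the setting, or "missing" if unreadable.
rp_filter_value() {
    f="$1/sys/net/ipv4/conf/$2/rp_filter"
    if [ -r "$f" ]; then tr -d ' \n' < "$f"; else printf 'missing'; fi
}

# rp_filter_offenders ROOT IFACE...: print the interfaces still filtering.
# Current kernels apply the larger of conf/all and the per-interface value,
# so a non-zero "all" is reported even when the interface itself is 0.
rp_filter_offenders() {
    root="$1"; shift
    bad=""
    all=$(rp_filter_value "$root" all)
    for ifc in "$@"; do
        v=$(rp_filter_value "$root" "$ifc")
        case "$v" in
            0) [ "$all" = 0 ] || [ "$all" = missing ] || bad="$bad $ifc(all=$all)" ;;
            missing) bad="$bad $ifc(missing)" ;;
            *) bad="$bad $ifc($v)" ;;
        esac
    done
    printf '%s' "${bad# }"
}

# Constructed sample tree: the state the post describes before the fix
# (eth0 turned off, gre0 still on).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    for n in all eth0 gre0; do
        mkdir -p "$d/sys/net/ipv4/conf/$n"
        echo 0 > "$d/sys/net/ipv4/conf/$n/rp_filter"
    done
    echo 1 > "$d/sys/net/ipv4/conf/gre0/rp_filter"
    printf '%s' "$d"
}

tree=$(make_sample_tree)
echo "rp_filter still on: $(rp_filter_offenders "$tree" eth0 gre0)"
rm -rf "$tree"
```

On a live server the same check is `rp_filter_offenders /proc eth0 gre0`; empty output means none of the named interfaces is still filtering.
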
ovchato@xxxxxxxxxxxx wrote:
Greetings.
Sorry for the long message. We are trying to implement
Transparent/Interception caching using the following:
-- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core
3) with WCCP v1
-- Fedora Core 3 (64-bit, 2.6.9-1.667smp)
-- Cisco Router (IOS 12.2)
in the following configuration (not real IP addresses and interface
designations used):

                                  |-----------------------|
                                  |    Squid (2.5 S11)    |
                                  |     Fedora Core 3     |
                                  |-----------------------|
                                        eth 0 | 201.1.1.2/255.255.255.252
                                              |
                                              |
                                              |
                                      int 0/0 | 201.1.1.1/255.255.255.252
                                              |                  int 0/1
                               |------------------------------|------------------------- to Internet *
Networks of                ATM |                              |
                     interface |                              | 203.1.1.1/255.255.255.224
Dial Up Users via various -----|   Cisco Router (IOS 12.2)    |
Terminal Servers     202.1.1.1/255.255.255.252                |
                               |                              | 203.1.1.2/255.255.255.224
                               |------------------------------|-------------------------- to Internet *
                                                                 int 0/2

* The two network interfaces (int 0/1 and int 0/2) are connected to
the same network and load balanced via OSPF.
(Please pardon the interface designations on the router as I am not
too familiar with it and we have no administrative control of the router)
On the router (IOS 12.2):
-- As mentioned above, connections to the internet (int 0/1 and int
0/2) are load balanced over OSPF
-- An access list has been defined on ATM interface for various
networks (dialups, DSL, etc.)
-- We have turned CEF off on the interface connected to the Squid
CACHE (we actually tried it with CEF as well).
-- WCCP v1 is enabled and applied at the 2 outbound internet
connections (int 0/1 and int 0/2) with "redirect out" option
-- We have also tried to apply WCCP v1 at the ATM interface with
"redirect in" option.
-- WCCP v1 was enabled and applied to the various interfaces as
detailed above with access lists (as specified above, defined for the
ATM interface)
On the Linux Box (FC3, 2.6.9-1.667smp):
-- We used the WCCP v1 module on Squid as pre-compiled with the RPM.
-- We are using GRE instead of WCCP patch as we have read in the FAQs
and lists that this is the implementation to use for kernel versions
>= 2.6.9.
-- We are also using iptables to redirect traffic coming in from port
80 to 3128 (the squid port we are using).
-- We specified and enabled the appropriate variables in squid.conf
for both transparent/interception caching and WCCP v1.
Configurations used:
We have tried the various setups as detailed in the following URLs:
-- http://www.squid-cache.org/mail-archive/squid-users/200505/0678.html
-- http://www.sublime.com.au/squid-wccp/
-- http://www.reub.net/node/3
-- http://www.spc.int/it/TechHead/Wccp-squid.html
Symptoms:
We were able to configure it so that the Cisco Router WCCP v1
configuration actually registers the Squid Server as a usable Cache
Engine. We also traced the GRE connections via the following Linux
commands:
-- tethereal -V -s 1500 port 2048
-- tcpdump -lenx -s 1500 port 2048
and we see the "Here I Am" and "I See You" packets and observed the
following:
-- the "Here I Am" packets specify that 0 to 255 buckets ARE NOT
ASSIGNED.
-- the "I See You" packets specify that 0 to 255 buckets ARE
ASSIGNED. Also, we can see the router configuration specifying our
squid server registered in the web cache.
On the router, using the "show ip wccp" command, we see the counter
"Total Packets Redirected" being incremented. When we issue the "show
ip wccp web-caches" command, the "Web Cache ID:" parameter displays
0.0.0.0. Also, when we issue the "show ip wccp web-cache view"
command, the "WCCP Routers Informed of:" parameter and the "WCCP Cache
Engines NOT Visible:" parameter show "-- none --" and "WCCP Cache
Engines Visible:" parameter shows the IP address of the squid server
(201.1.1.2). We are unable to issue any debug commands on the router
as this is a production router (we have no other router to implement
on) and this might make the router hang.
Problems:
-- On the squid server, we see nothing coming through port 80 (using
the "tcpdump -n port 80" linux command) even though, as mentioned
above, we are registered with the Cisco WCCP configuration and the
"Total Packets Redirected" is incrementing.
-- We do not see anything being recorded on the squid server's
access.log.
Some Questions:
-- Is there a definitive how-to on implementing WCCP v1 on Linux for
kernels 2.6.9 and above?
-- Has anyone had a successful installation of Squid 2.5 Stable 11
with WCCPv1 connected to a Cisco router (IOS 12.1 or 12.2) on Fedora
Core 3 (kernel version 2.6.9 smp)?
-- How can we further see what is happening or debug without using the
router's debug commands (if there are any other ways)?
-- Do we need to switch to WCCP v2 using the patch available from the
squid developer site
(http://devel.squid-cache.org/projects.html#visolve_wccpv2) in order
for Transparent/Interception caching to work?
-- Any word on if (or when) full WCCP v2 (with multiple router and
multiple cache) will be or has been implemented (either as a patch or
part of the distribution)? Will this support load balancing protocols
on the router (OSPF, HSRP, VRRP)?
-- Just in case anybody knows, how are the access lists implemented
with regards to the WCCP v1 setting? I read in one article
(http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) that this list should
contain IP addresses that should be excluded from transparent caching,
or something to that effect (the exact words were "IP addresses which
you do not wish to be transparently redirected to your cache"). I just
wanted to confirm if this was correct.
We would appreciate any help you could give on the matter.
Thank you and good day.
-- Oliver --