Hi,

I have a RHELv4 cache + Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(14)T2, RELEASE SOFTWARE (fc4).

I have applied your suggestions, but it's still not working. Please take a look at my Router's + Squid config. Am I missing something?

-----------------
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip wccp version 1
ip wccp web-cache
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
interface Ethernet0
 ip address x.x.x.x 255.255.255.x
 no ip route-cache cef
 full-duplex
!
interface FastEthernet0
 ip address y.y.y.y 255.255.255.x
 ip wccp web-cache redirect out
 speed auto
 full-duplex
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.5
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxx
 login
!
end
--------------------

/etc/sysctl.conf
-----------
[root@server conf]# cat gre0/rp_filter
1
[root@server conf]# cat bond0/rp_filter
1

Squid.conf
------------
http_port [Server IP]:3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /usr/local/squid/var/cache 20240 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /usr/local/squid/etc/mime.conf
pid_filename /var/run/squid.pid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl Local src [My Local Network]
http_access allow Local
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src [my network]
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
icp_access allow all
tcp_outgoing_address [Server IP]
cache_mgr postmaster@xxxxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
visible_hostname cache.mydomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
logfile_rotate 10
forwarded_for on
cachemgr_passwd xxxxxxxxxxxx shutdown
snmp_port 3401
snmp_access deny all
wccp_router [Router IP]
wccp_outgoing_address [Server IP]
coredump_dir /usr/local/squid/var/cache

Much regards,
Waiting for answers
Daniel

--- Oliver Chato <ovchato@xxxxxxxxxxxx> wrote:

> Hi.
>
> Just for the sake of others who are looking to make
> Transparent/Interception caching with Squid, WCCP v1 and Fedora Core 3,
> this is what we did to get it working:
>
> On the router (IOS 12.3(2)T):
>
>     ip cef
>     ip wccp version 1
>     ip wccp web-cache
>     interface <interface either directly or indirectly connected to the Internet>
>      ip wccp web-cache redirect out
>     end
>
> Also, we did:
>
>     conf t
>     ip cef        # some systems may already have 'ip cef global'
>     int <interface directly or indirectly connected to the Squid Server>
>         (or int FastEthernet 0/0 or other internal interface)
>      no ip route-cache cef
>     CTRL Z
>
> That's it. For debugging, we used:
>     show ip wccp
>     show ip wccp web-caches
>     show ip wccp web-cache detail
>     show ip wccp web-cache view (or: show ip wccp 99 detail)
>
> On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):
>   In squid.conf:
>     http_port 3128
>     httpd_accel_host virtual
>     httpd_accel_port 80
>     httpd_accel_with_proxy on
>     httpd_accel_uses_host_header on
>     tcp_outgoing_address <ip address of your interface connected to the WCCP router>
>     wccp_outgoing_address <ip address of your interface connected to the WCCP router>
>     wccp_router <ip address of the WCCP router itself>
>     wccp_version 4
>
>   In /etc/sysconfig/network-scripts/ifcfg-gre0:
>     DEVICE=gre0
>     BOOTPROTO=static
>     IPADDR=172.16.1.6
>     NETMASK=255.255.255.252
>     ONBOOT=yes
>     IPV6INIT=no
>
>   For netfilter:
>     iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>     service iptables save
>     You also might want to limit this in a way so that you specify
>     source addresses and limit it to only those networks/hosts you want
>     to proxy for.
>     I think this would mean one entry (or line) per configured network
>
>   For ip forwarding:
>     echo 0 > /proc/sys/net/ipv4/ip_forward
>     You might even want to do the following in /etc/sysctl.conf:
>     net.ipv4.ip_forward = 1
>
>   For rp_filter, which must be turned off:
>     echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>     echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
>     You might even want to do the following in /etc/sysctl.conf:
>     net.ipv4.conf.default.rp_filter = 0
>
> **** This last one was where our problem was. We have turned off
> rp_filter for eth0 but not for gre0. Once we turned it off for gre0, it
> worked.
>
> Also, for debugging:
>   For WCCP connection with the router:
>     tethereal -V -s 1500 port 2048
>     You should see here_i_am and i_see_you packets going through.
>
>   For redirected connections coming from the router:
>     tcpdump -i gre0
>     or
>     tcpdump -i gre0 port 80
>     You should see http requests redirected through the gre interface.
>
>   For squid:
>     tail -f <your squid log files location>/access.log
>     You should see requests from clients.
>
> Hope this helps.
>
> -- Oliver --
>
> ovchato@xxxxxxxxxxxx wrote:
>
> > Greetings.
> >
> > Sorry for the long message. We are trying to implement
> > Transparent/Interception caching using the following:
> > -- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core
> >    3) with WCCP v1
> > -- Fedora Core 3 (64-bit, 2.6.9-1.667smp)
> > -- Cisco Router (IOS 12.2)
> > in the following configuration (not real IP addresses and interface
> > designations used):
> >
> > [ASCII network diagram, garbled in the archive. Recoverable labels:
> >  Squid (2.5 S11) on Fedora Core 3, eth 0 201.1.1.2/255.255.255.252,
> >  connected to Cisco Router (IOS 12.2) int 0/0 201.1.1.1/255.255.255.252;
> >  router int 0/1 and int 0/2 (203.1.1.1/255.255.255.224 and
> >  203.1.1.2/255.255.255.224), each to Internet *; ATM interface
> >  202.1.1.1/255.255.255.252 towards networks of dial-up users via
> >  various terminal servers.]
> >
> > * The two network interfaces (int 0/1 and int 0/2) are connected to
> > the same network and load balanced via OSPF.
> > (Please pardon the interface designations on the router as I am not
> > too familiar with it and we have no administrative control of the router)
> >
> > On the router (IOS 12.2):
> > -- As mentioned above, connections to the internet (int 0/1 and int
> >    0/2) are load balanced over OSPF
> > -- An access list has been defined on ATM interface for various
> >    networks (dialups, DSL, etc.)
> > -- We have turned CEF off on the interface connected to the Squid
> >    CACHE (we actually tried it with CEF as well).
> > -- WCCP v1 is enabled and applied at the 2 outbound internet
> >    connections (int 0/1 and int 0/2) with "redirect out" option
> > -- We have also tried to apply WCCP v1 at the ATM interface with
> >    "redirect in" option.
> > -- WCCP v1 was enabled and applied to the various interfaces as
> >    detailed above with access lists (as specified above, defined for the
> >    ATM interface)
> >
> > On the Linux Box (FC3, 2.6.9-1.667smp):
> > -- We used the WCCP v1 module on Squid as pre-compiled with the RPM.
> > -- We are using GRE instead of WCCP patch as we have read in the FAQs
> >    and lists that this is the implementation to use for kernel versions
> >    >= 2.6.9.
> > -- We are also using iptables to redirect traffic coming in from port
> >    80 to 3128 (the squid port we are using).
> > -- We specified and enabled the appropriate variables in squid.conf
> >    for both transparent/interception caching and WCCP v1.
> >
> > Configurations used:
> > We have tried the various setups as detailed in the following URLs:
> > -- http://www.squid-cache.org/mail-archive/squid-users/200505/0678.html
> > -- http://www.sublime.com.au/squid-wccp/
> > -- http://www.reub.net/node/3
> > -- http://www.spc.int/it/TechHead/Wccp-squid.html
> >
> > Symptoms:
> > We were able to configure it so that the Cisco Router WCCP v1
> > configuration actually registers the Squid Server as a usable Cache
> > Engine. We also traced the GRE connections via the following Linux
> > commands:
> > -- tethereal -V -s 1500 port 2048
> > -- tcpdump -lenx -s 1500 port 2048
> > and we see the "Here I Am" and "I See You" packets and observed the
> > following:
> > -- the "Here I Am" packets specify that 0 to 255 buckets ARE NOT
> >    ASSIGNED.
> > -- the "I See You" packets specify that 0 to 255 buckets ARE
> >    ASSIGNED. Also, we can see the router configuration specifying our
> >    squid server registered in the web cache.
> > On the router, using the "show ip wccp" command, we see the counter
> > "Total Packets Redirected" being incremented. When we issue the "show
> > ip wccp web-caches" command, the "Web Cache ID:" parameter displays
> > 0.0.0.0. Also, when we issue the "show ip wccp web-cache view"
> > command, the "WCCP Routers Informed of:" parameter and the "WCCP Cache
> > Engines NOT Visible:" parameter show "-- none --" and "WCCP Cache
> > Engines Visible:" parameter shows the IP address of the squid server
> > (201.1.1.2). We are unable to issue any debug commands on the router
> > as this is a production router (we have no other router to implement
> > on) and this might make the router hang.
> >
> > Problems:
> > -- On the squid server, we see nothing coming through port 80 (using
> >    the "tcpdump -n port 80" linux command) even though, as mentioned
> >    above, we are registered with the Cisco WCCP configuration and the
> >    "Total Packets Redirected" is incrementing.
> > -- We do not see anything being recorded on the squid server's
> >    access.log.
> >
> > Some Questions:
> > -- Is there a definitive how-to on implementing WCCP v1 on Linux for
> >    kernels 2.6.9 and above?
> > -- Has anyone had a successful installation of Squid 2.5 Stable 11
> >    with WCCPv1 connected to a Cisco router (IOS 12.1 or 12.2) on Fedora
> >    Core 3 (kernel version 2.6.9 smp)?
> > -- How can we further see that is happening or debug without using the
> >    router's debug commands (if there are any other ways)?
> > -- Do we need to switch to WCCP v2 using the patch available from the
> >    squid developer site
> >    (http://devel.squid-cache.org/projects.html#visolve_wccpv2) in order
> >    for Transparent/Interception caching to work?
> > -- Any word on if (or when) full WCCP v2 (with multiple router and
> >    multiple cache) will be or has been implemented (either as a patch or
> >    part of the distribution)? Will this support load balancing protocols
> >    on the router (OSPF, HSRP, VRRP)?
> > -- Just in case anybody knows, how are the access lists implemented
> >    with regards to the WCCP v1 setting? I read in one article
> >    (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) that this list should
> >    contain IP addresses that should be excluded from transparent caching,
> >    or something to that effect (the exact words were "IP addresses which
> >    you do not wish to be transparently redirected to your cache"). I just
> >    wanted to confirm if this was correct.
> >
> > We would appreciate any help you could give on the matter.
> >
> > Thank you and good day.
> >
> > -- Oliver --

-----------------------------------------------------------------------------
T O G O D B E T H E G L O R Y :)
------------------------------------------------------------------------------
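
The Linux-side settings named in the quoted reply (rp_filter turned off on every interface involved, gre0 included, and the port 80 REDIRECT rule) can be checked with a short script. This is an added example, not part of the original thread; `PROC_ROOT`, the function names and the script name `wccp_check.sh` are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: report the Linux-side settings the
# quoted reply lists for WCCP v1 interception (rp_filter and the REDIRECT rule).
# PROC_ROOT is an assumption of this script; it can be overridden so the
# checks read a constructed directory tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# Print the interfaces (from the arguments) whose own rp_filter is not 0.
# An interface with no readable rp_filter file is printed as name(missing).
rp_filter_offenders() {
    offenders=""
    for ifc in "$@"; do
        f="$PROC_ROOT/conf/$ifc/rp_filter"
        if [ ! -r "$f" ]; then
            offenders="$offenders $ifc(missing)"
        elif [ "$(cat "$f")" != "0" ]; then
            offenders="$offenders $ifc"
        fi
    done
    echo "${offenders# }"
}

# Succeed when the iptables-save style ruleset in file $1 redirects
# tcp/80 in PREROUTING to Squid port $2 (--to-port or --to-ports).
has_redirect_rule() {
    grep -E -- "^-A PREROUTING .*-p tcp .*--dport 80 .*-j REDIRECT .*--to-ports? $2( |\$)" "$1" >/dev/null
}

# Run both checks, print one line per finding, return non-zero on any finding.
# usage: wccp_host_check <rules-file> <squid-port> <iface>...
wccp_host_check() {
    rules="$1"; port="$2"; shift 2
    rc=0
    bad="$(rp_filter_offenders "$@")"
    if [ -n "$bad" ]; then echo "rp_filter not 0 on: $bad"; rc=1; fi
    if ! has_redirect_rule "$rules" "$port"; then
        echo "no PREROUTING REDIRECT of tcp/80 to port $port"; rc=1
    fi
    return $rc
}

# Live use (as root):  iptables-save -t nat > /tmp/nat.rules
#                      sh wccp_check.sh --check /tmp/nat.rules 3128 bond0 gre0
if [ "${1:-}" = "--check" ]; then shift; wccp_host_check "$@"; fi
```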