
Re: Squid and WCCP v1 (squid-2.5.STABLE11-3.FC3) on Fedora Core 3 (2.6.9-1.667smp) -- SOS


Hi,

I have a RHELv4 cache  + Cisco IOS Software, C1700
Software (C1700-K9O3SY7-M), Version 12.3(14)T2,
RELEASE SOFTWARE (fc4).

I have applied your suggestions, but it's still not
working. Please take a look at my Router's + Squid
config.

Am I missing something ?
-----------------
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxxx
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip wccp version 1
ip wccp web-cache
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
interface Ethernet0
 ip address x.x.x.x 255.255.255.x
 no ip route-cache cef
 full-duplex
!
interface FastEthernet0
 ip address y.y.y.y 255.255.255.x
 ip wccp web-cache redirect out
 speed auto
 full-duplex
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.5
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxx
 login
!
end
--------------------

/etc/sysctl.conf
-----------
[root@server conf]# cat gre0/rp_filter
1
[root@server conf]# cat bond0/rp_filter
1




Squid.conf
------------
http_port [Server IP]:3128
icp_port 3130
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 256 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
cache_dir ufs /usr/local/squid/var/cache 20240 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
mime_table /usr/local/squid/etc/mime.conf
pid_filename /var/run/squid.pid
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl Local src [My Local Network]
http_access allow Local
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src [my network]
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
icp_access allow all
tcp_outgoing_address [Server IP]
cache_mgr postmaster@xxxxxxxxxxxx
cache_effective_user squid
cache_effective_group squid
visible_hostname cache.mydomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
logfile_rotate 10
forwarded_for on
cachemgr_passwd xxxxxxxxxxxx shutdown
snmp_port 3401
snmp_access deny all
wccp_router [Router IP]
wccp_outgoing_address [Server IP]
coredump_dir /usr/local/squid/var/cache



Much regards,

Waiting for answers

Daniel

--- Oliver Chato <ovchato@xxxxxxxxxxxx> wrote:

> Hi.
> 
> Just for the sake of others who are looking to make
> Transparent/Interception caching with Squid, WCCP v1 and Fedora Core 3,
> this is what we did to get it working:
> 
> On the router (IOS 12.3(2)T):
> 
>     ip cef
>     ip wccp version 1
>     ip wccp web-cache
>     interface <interface either directly or indirectly connected to the Internet>
>     ip wccp web-cache redirect out
>     end
> 
> Also, we did:
> 
>     conf t
>     ip cef          # some systems may already have 'ip cef global'
>     int <interface directly or indirectly connected to the Squid Server>      (or int FastEthernet 0/0 or other internal interface)
>     no ip route-cache cef
>     CTRL Z
> 
> That's it. For debugging, we used:
>     show ip wccp
>     show ip wccp web-caches
>     show ip wccp web-cache detail
>     show ip wccp web-cache view (or: show ip wccp 99 detail)
> 
> On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):
>     In squid.conf:
>         http_port 3128
>         httpd_accel_host virtual
>         httpd_accel_port 80
>         httpd_accel_with_proxy on
>         httpd_accel_uses_host_header on
>         tcp_outgoing_address <ip address of your interface connected to the WCCP router>
>         wccp_outgoing_address <ip address of your interface connected to the WCCP router>
>         wccp_router <ip address of the WCCP router itself>
>         wccp_version 4
> 
>     In /etc/sysconfig/network-scripts/ifcfg-gre0:
>         DEVICE=gre0
>         BOOTPROTO=static
>         IPADDR=172.16.1.6
>         NETMASK=255.255.255.252
>         ONBOOT=yes
>         IPV6INIT=no
> 
>     For netfilter:
>        iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
>        service iptables save
>     You also might want to limit this in a way so that you specify
>     source addresses and limit it to only those networks/hosts you want to
>     proxy for. I think this would mean one entry (or line) per configured
>     network
> 
>     For ip forwarding:
>        echo 0 > /proc/sys/net/ipv4/ip_forward
>     You might even want to do the following in /etc/sysctl.conf:
>        net.ipv4.ip_forward = 1
> 
>     For rp_filter, which must be turned off:
>         echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
>         echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
>     You might even want to do the following in /etc/sysctl.conf:
>        net.ipv4.conf.default.rp_filter = 0
> 
> **** This last one was where our problem was. We have turned off
> rp_filter for eth0 but not for gre0. Once we turned it off for gre0, it
> worked.
> 
> Also, for debugging:
>     For WCCP connection with the router:
>        tethereal -V -s 1500 port 2048
>     You should see here_i_am and i_see_you packets going through.
> 
>     For redirected connections coming from the router:
>        tcpdump -i gre0
>     or
>        tcpdump -i gre0 port 80
>     You should see http requests redirected through the gre interface.
> 
>     For squid:
>        tail -f  <your squid log files location>/access.log
>     You should see requests from clients.
> 
> Hope this helps.
> 
> -- Oliver --
> 
> 
> 
> ovchato@xxxxxxxxxxxx wrote:
> 
> > Greetings.
> >
> > Sorry for the long message. We are trying to implement
> > Transparent/Interception caching using the following:
> > -- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core
> > 3) with WCCP v1
> > -- Fedora Core 3 (64-bit, 2.6.9-1.667smp)
> > -- Cisco Router (IOS 12.2)
> > in the following configuration (not real IP addresses and interface
> > designations used):
> >
> >                                                  |-----------------------|
> >                                                  |    Squid (2.5 S11)    |
> >                                                  |     Fedora Core 3     |
> >                                                  |-----------------------|
> >                                                        eth 0 | 201.1.1.2/255.255.255.252
> >                                                              |
> >                                                              |
> >                                                              |
> >                                                      int 0/0 | 201.1.1.1/255.255.255.252
> >                                                              |                       int 0/1
> >                                              |------------------------------|------------------------- to Internet *
> > Networks of                    ATM interface |                              | 203.1.1.1/255.255.255.224
> > Dial Up Users via various -------------------|   Cisco Router (IOS 12.2)    |
> > Terminal Servers   202.1.1.1/255.255.255.252 |                              | 203.1.1.2/255.255.255.224
> >                                              |------------------------------|------------------------- to Internet *
> >                                                                                      int 0/2
> > * The two network interfaces (int 0/1 and int 0/2) are connected to
> > the same network and load balanced via OSPF.
> > (Please pardon the interface designations on the router as I am not
> > too familiar with it and we have no administrative control of the router)
> >
> > On the router (IOS 12.2):
> > -- As mentioned above, connections to the internet (int 0/1 and int
> > 0/2) are load balanced over OSPF
> > -- An access list has been defined on ATM interface for various
> > networks (dialups, DSL, etc.)
> > -- We have turned CEF off on the interface connected to the Squid
> > CACHE (we actually tried it with CEF as well).
> > -- WCCP v1 is enabled and applied at the 2 outbound internet
> > connections (int 0/1 and int 0/2) with "redirect out" option
> > -- We have also tried to apply WCCP v1 at the ATM interface with
> > "redirect in" option.
> > -- WCCP v1 was enabled and applied to the various interfaces as
> > detailed above with access lists (as specified above, defined for the
> > ATM interface)
> >
> > On the Linux Box (FC3, 2.6.9-1.667smp):
> > -- We used the WCCP v1 module on Squid as pre-compiled with the RPM.
> > -- We are using GRE instead of WCCP patch as we have read in the FAQs
> > and lists that this is the implementation to use for kernel versions
> > >= 2.6.9.
> > -- We are also using iptables to redirect traffic coming in from port
> > 80 to 3128 (the squid port we are using).
> > -- We specified and enabled the appropriate variables in squid.conf
> > for both transparent/interception caching and WCCP v1.
> >
> > Configurations used:
> > We have tried the various setups as detailed in the following URLs:
> > -- http://www.squid-cache.org/mail-archive/squid-users/200505/0678.html
> > -- http://www.sublime.com.au/squid-wccp/
> > -- http://www.reub.net/node/3
> > -- http://www.spc.int/it/TechHead/Wccp-squid.html
> >
> > Symptoms:
> > We were able to configure it so that the Cisco Router WCCP v1
> > configuration actually registers the Squid Server as a usable Cache
> > Engine. We also traced the GRE connections via the following Linux
> > commands:
> > -- tethereal -V -s 1500 port 2048
> > -- tcpdump -lenx -s 1500 port 2048
> > and we see the "Here I Am" and "I See You" packets and observed the
> > following:
> > -- the "Here I Am" packets specify that 0 to 255 buckets ARE NOT
> > ASSIGNED.
> > -- the "I See You" packets specify that 0 to 255 buckets ARE
> > ASSIGNED. Also, we can see the router configuration specifying our
> > squid server registered in the web cache.
> > On the router, using the "show ip wccp" command, we see the counter
> > "Total Packets Redirected" being incremented. When we issue the "show
> > ip wccp web-caches" command, the "Web Cache ID:" parameter displays
> > 0.0.0.0. Also, when we issue the "show ip wccp web-cache view"
> > command, the "WCCP Routers Informed of:" parameter and the "WCCP Cache
> > Engines NOT Visible:" parameter show "-- none --" and "WCCP Cache
> > Engines Visible:" parameter shows the IP address of the squid server
> > (201.1.1.2). We are unable to issue any debug commands on the router
> > as this is a production router (we have no other router to implement
> > on) and this might make the router hang.
> >
> > Problems:
> > -- On the squid server, we see nothing coming through port 80 (using
> > the "tcpdump -n port 80" linux command) even though, as mentioned
> > above, we are registered with the Cisco WCCP configuration and the
> > "Total Packets Redirected" is incrementing.
> > -- We do not see anything being recorded on the squid server's
> > access.log.
> >
> >
> > Some Questions:
> > -- Is there a definitive how-to on implementing WCCP v1 on Linux for
> > kernels 2.6.9 and above?
> > -- Has anyone had a successful installation of Squid 2.5 Stable 11
> > with WCCPv1 connected to a Cisco router (IOS 12.1 or 12.2) on Fedora
> > Core 3 (kernel version 2.6.9 smp)?
> > -- How can we further see that is happening or debug without using the
> > router's debug commands (if there are any other ways)?
> > -- Do we need to switch to WCCP v2 using the patch available from the
> > squid developer site
> > (http://devel.squid-cache.org/projects.html#visolve_wccpv2) in order
> > for Transparent/Interception caching to work?
> > -- Any word on if (or when) full WCCP v2 (with multiple router and
> > multiple cache) will be or has been implemented (either as a patch or
> > part of the distribution)? Will this support load balancing protocols
> > on the router (OSPF, HSRP, VRRP)?
> > -- Just in case anybody knows, how are the access lists implemented
> > with regards to the WCCP v1 setting? I read in one article
> > (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) that this list should
> > contain IP addresses that should be excluded from transparent caching,
> > or something to that effect (the exact words were "IP addresses which
> > you do not wish to be transparently redirected to your cache"). I just
> > wanted to confirm if this was correct.
> >
> > We would appreciate any help you could give on the matter.
> >
> > Thank you and good day.
> >
> > -- Oliver --
> 



-----------------------------------------------------------------------------
T O    G O D       B E        T H E         G L O R Y     :)
------------------------------------------------------------------------------
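
The `rp_filter` output in the message above shows 1 for both gre0 and bond0, while the quoted reply reports that interception only worked once it was 0 on gre0. The following check is an added example, not part of the thread; `CONF_ROOT` and the function names are hypothetical, and it assumes current-kernel behaviour where the higher of `conf/all` and the per-interface value is applied.

```shell
#!/bin/sh
# Added example (not from the thread): report reverse-path filtering per interface.
# CONF_ROOT is overridable so the check can run against a copied tree (assumption).
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the raw rp_filter value for one conf entry, or "missing".
rp_value() {
    f="$CONF_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then
        tr -d ' \n' < "$f"
    else
        printf 'missing'
    fi
}

# Print the value applied to an interface. Assumes current-kernel behaviour:
# the higher of conf/all and the interface's own value is used.
effective_rp() {
    ifv=$(rp_value "$1")
    allv=$(rp_value all)
    if [ "$ifv" = missing ]; then
        printf 'missing'
        return 0
    fi
    if [ "$allv" = missing ]; then allv=0; fi
    if [ "$allv" -gt "$ifv" ]; then printf '%s' "$allv"; else printf '%s' "$ifv"; fi
}

# One line per interface: "<iface> raw=<n> effective=<n> <verdict>".
# Returns 0 only when every named interface is effectively at 0.
check_rp_filter() {
    rc=0
    for ifc in "$@"; do
        eff=$(effective_rp "$ifc")
        case "$eff" in
            0)       verdict="off" ;;
            missing) verdict="no-such-interface"; rc=1 ;;
            *)       verdict="filtering-on"; rc=1 ;;
        esac
        printf '%s raw=%s effective=%s %s\n' "$ifc" "$(rp_value "$ifc")" "$eff" "$verdict"
    done
    return "$rc"
}

# Usage on the cache host: check_rp_filter gre0 bond0
```

Turning the filter off only on the interfaces that carry redirected traffic leaves it on everywhere else, which is narrower than the `net.ipv4.conf.default.rp_filter = 0` line quoted above.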
