
RE: WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

Hi,

Thanks for this. I have put the acls... but what to do with them?

header_access Accept-Encoding deny Hotmail
header_access Accept-Encoding deny Gmail
header_access Accept-Encoding deny GmailUrlRegExp???

I noticed one thing: gmail/msn does open up eventually after about 5 mins or so... but I can't work inside any of the pages; yahoo is also starting to behave *almost* similarly too...

Could my problem just be freebsd? Or squid 2.6?

Kind regards,

Miraj Shah.

-----Original Message-----
From: Davan Wong [mailto:davan@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, February 14, 2008 9:11 PM
To: Miraj Shah; squid-users@xxxxxxxxxxxxxxx
Subject: RE:  WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

I required the following to allow Hotmail and Gmail:

acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com .mail.live.com .passport.com calendar.msn.com g.live.com
acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com
acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts

These were used in combination with a couple other lines to allow Gmail
without allowing Google, and allowing Hotmail without allowing MSN or
Microsoft sites.

Davan Wong
World Health Club
Information Technology Department

 

> -----Original Message-----
> From: Miraj Shah [mailto:Miraj.Shah@xxxxxxxx] 
> Sent: February 13, 2008 11:38 PM
> To: squid-users@xxxxxxxxxxxxxxx
> Subject:  WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working
> 
> Hello All,
> 
> I have run into some problems with the two websites not 
> being able to load when squid is configured with wccp2. I have 
> followed the example by Adrian Chadd, and the wiki:
> 
> http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
> 
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> 
> 
> Everything is working great until we open up 
> http://mail.google.com and http://www.hotmail.com: the 
> websites open up OK, and you can enter the login credentials and 
> get past the https stage, but just before getting to the 
> emails the page goes quiet and blank. I have tested this on 
> different computers and different browsers but get the same problem.
> 
> If I disable squid and let the users browse through NAT on 
> the ASA, they are able to get through to these two sites; also, 
> when I reconfigure squid to be non-transparent and change 
> the settings on my browser to point to the proxy, I am able to 
> open the two sites in question.
> 
> I don't see anything unusual in cache.log or access.log
> 
> After googling around for a bit, I came across a site that 
> mentioned lowering the MTU size on the GRE tunnel, which I 
> did to 1400 and 1390 but it had no effect. (ifconfig gre0 mtu 1400)
> 
> For hotmail, the intercepting proxy guide mentions to put the 
> following entries on squid.conf, but that did not help:
> 
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
> 
> I know this is probably a repeated problem, though I hope 
> someone can assist. Do let me know if there are any other 
> details that you might need.
> 
> Many thanks, and kind regards,
> 
> Miraj Shah.
> 
> 
> 
> 
> Here is a quick network diagram:
>  
> LAN - ASA - Router - Internet
>    |
>  Squid
>  
> Below is the config I have set up:
>  
>  
> asa-firewall# sh run int vlan 10
> !
> interface Vlan10
>  description Internet Interface
>  nameif internet
>  security-level 0
>  ip address xxx.xxx.179.86 255.255.255.252
> 
> asa-firewall# sh run interface vlan 40
> !
> interface Vlan40
>  description Inside Interface
>  nameif inside
>  security-level 100
>  ip address 10.110.150.252 255.255.254.0
> 
> route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
> access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.110.150.0 255.255.254.0
> wccp web-cache
> wccp interface inside web-cache redirect in
>  
> asa-firewall# sh wccp web-cache detail
> WCCP Cache-Engine information:
>         Web Cache ID:          10.110.150.253
>         Protocol Version:      2.0
>         State:                 Usable
>         Initial Hash Info:     00000000000000000000000000000000
>                                00000000000000000000000000000000
>         Assigned Hash Info:    00000000000000000000000000000000
>                                00000000000000000000000000000000
>         Hash Allotment:        0 (0.00%)
>         Packets Redirected:    113242
>         Connect Time:          00:00:12
> 
> asa-firewall# sh wccp web-cache
> Global WCCP information:
>     Router information:
>         Router Identifier:                   xxx.xxx.179.86
>         Protocol Version:                    2.0
>     Service Identifier: web-cache
>         Number of Cache Engines:             1
>         Number of routers:                   1
>         Total Packets Redirected:            113242
>         Redirect access-list:                -none-
>         Total Connections Denied Redirect:   0
>         Total Packets Unassigned:            241
>         Group access-list:                   -none-
>         Total Messages Denied to Group:      0
>         Total Authentication failures:       0
>         Total Bypassed Packets Received:     0
> 
> 
> asa-firewall# sh ver
> 
> Cisco Adaptive Security Appliance Software Version 7.2(2) 
> Device Manager Version 5.2(2)
> 
> Compiled on Wed 22-Nov-06 14:16 by builders
> System image file is "disk0:/asa722-k8.bin"
> Config file at boot was "startup-config"
> 
> sarova-firewall up 3 days 3 hours
> 
> Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
> Internal ATA Compact Flash, 128MB
> BIOS Flash M50FW080 @ 0xffe00000, 1024KB
> 
> Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
>                              Boot microcode   : CNlite-MC-Boot-Cisco-1.2
>                              SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
>                              IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
>  0: Int: Internal-Data0/0    : address is 001b.531b.5bb2, irq 11
>  1: Ext: Ethernet0/0         : address is 001b.531b.5baa, irq 255
>  2: Ext: Ethernet0/1         : address is 001b.531b.5bab, irq 255
>  3: Ext: Ethernet0/2         : address is 001b.531b.5bac, irq 255
>  4: Ext: Ethernet0/3         : address is 001b.531b.5bad, irq 255
>  5: Ext: Ethernet0/4         : address is 001b.531b.5bae, irq 255
>  6: Ext: Ethernet0/5         : address is 001b.531b.5baf, irq 255
>  7: Ext: Ethernet0/6         : address is 001b.531b.5bb0, irq 255
>  8: Ext: Ethernet0/7         : address is 001b.531b.5bb1, irq 255
>  9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
> 10: Int: Not used            : irq 255
> 11: Int: Not used            : irq 255
> 
> Licensed features for this platform:
> Maximum Physical Interfaces : 8
> VLANs                       : 20, DMZ Unrestricted
> Inside Hosts                : Unlimited
> Failover                    : Active/Standby
> VPN-DES                     : Enabled
> VPN-3DES-AES                : Enabled
> VPN Peers                   : 25
> WebVPN Peers                : 2
> Dual ISPs                   : Enabled
> VLAN Trunk Ports            : 8
> 
> This platform has an ASA 5505 Security Plus license.
> 
> Serial Number: JMX1111Z0QV
> Running Activation Key: 0xffffffff 0xffffffff 0xfffffffff 0xfffffffff 0xfffffffff
> Configuration register is 0x1
> Configuration last modified by enable_15 at 10:51:03.103 EAT Wed Feb 13 2008
>  
>  
> ###FreeBSD Setup###
>  
> #kernel config (extra)
> proxy# cat /usr/src/sys/i386/conf/TransProxy
> #---snip---#
> options IPFIREWALL
> options IPFIREWALL_VERBOSE            #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD
> options IPFIREWALL_VERBOSE_LIMIT=500  #limit verbosity
> options IPSTEALTH                     #support for stealth forwarding
> options DUMMYNET
> options NETGRAPH
> options DEVICE_POLLING
> options HZ=1000
> options SHMSEG=128
> options SHMMNI=256
> options SHMMAX=50331648               # max shared memory segment size (bytes)
> options SHMALL=16384                  # max amount of shared memory (pages)
> options MSGMNB=16384                  # max # of bytes in a queue
> options MSGMNI=48                     # number of message queue identifiers
> options MSGSEG=768                    # number of message segments
> options MSGSSZ=64                     # size of a message segment
> options MSGTQL=4096                   # max messages in system
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPDIVERT                      # if you intend to use NAT
> device          apic                  # I/O APIC
> device          gre
> #---snip---#
>  
> proxy# cat /etc/rc.conf
> gateway_enable="YES"
> hostname="proxy.customer.co.ke"
> ifconfig_bge0="inet 10.110.150.253 netmask 255.255.254.0"
> defaultrouter="10.110.150.252"
> keymap="uk.iso"
> linux_enable="YES"
> sshd_enable="YES"
> usbd_enable="YES"
> firewall_enable="YES"
> firewall_type="/etc/firewall.local"
> squid_enable="YES"
> ipfilter_enable="YES"
> ipnat_enable="YES"
> ipmon_enable="YES"
> ipfs_enable="YES"
>  
> proxy# cat /etc/rc.local
> #tunnel to cisco asa for transparent proxy
> /sbin/ifconfig gre0 plumb
> /sbin/ifconfig gre0 link2
> /sbin/ifconfig gre0 tunnel 10.110.150.253 xxx.xxx.179.86
> /sbin/ifconfig gre0 inet 1.1.1.1 1.1.1.2
>  
> proxy# ifconfig gre0
> gre0: flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> mtu 1476
>         tunnel inet 10.110.150.253 --> xxx.xxx.179.86
>         inet 1.1.1.1 --> 1.1.1.2 netmask 0xff000000
> 
> proxy# cat /etc/firewall.local
> add fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0
> 
> proxy# ipfw show
> 00100  21909   3567762 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv gre0
> 65535 836384 314106493 allow ip from any to any
> 
> proxy# cat /etc/sysctl.conf
> net.inet.icmp.icmplim=0
> net.inet.tcp.msl=3000
> kern.maxfilesperproc=65536
> kern.maxfiles=262144
> kern.ipc.maxsockets=131072
> kern.ipc.somaxconn=1024
> net.inet.tcp.recvspace=16384
> net.inet.tcp.sendspace=16384
> kern.ipc.nmbclusters=32768
> net.inet.ip.forwarding=1
> 
> proxy# cat /usr/local/etc/squid/squid.conf
> #---snip---#
> http_port 127.0.0.1:3128 transparent
> always_direct allow all
> wccp2_router 10.110.150.252
> wccp2_rebuild_wait on
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0
> wccp2_weight 10000
> wccp2_address 0.0.0.0
> debug_options ALL,1
> visible_hostname proxy.customer.co.ke
> #---snip---#
> #---snip---#
> #ACL's
> acl my_network src 10.110.150.0/23
> http_access allow my_network
> http_access deny all
> #---snip---#
> 
> proxy# cat /usr/local/squid/logs/cache.log
> 2008/02/13 10:42:01| Starting Squid Cache version 2.6.STABLE18 for i386-portbld-freebsd6.3...
> 2008/02/13 10:42:01| Process ID 6721
> 2008/02/13 10:42:01| With 32768 file descriptors available
> 2008/02/13 10:42:01| Using kqueue for the IO loop
> 2008/02/13 10:42:01| DNS Socket created at 0.0.0.0, port 63552, FD 6
> 2008/02/13 10:42:01| Adding domain sarova.co.ke from /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.2 from /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver xxx.xxx.161.3 from /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver 10.110.120.11 from /etc/resolv.conf
> 2008/02/13 10:42:01| Adding nameserver 10.110.120.6 from /etc/resolv.conf
> 2008/02/13 10:42:01| Unlinkd pipe opened on FD 11
> 2008/02/13 10:42:01| Swap maxSize 262144 KB, estimated 20164 objects
> 2008/02/13 10:42:01| Target number of buckets: 1008
> 2008/02/13 10:42:01| Using 8192 Store buckets
> 2008/02/13 10:42:01| Max Mem  size: 131072 KB
> 2008/02/13 10:42:01| Max Swap size: 262144 KB
> 2008/02/13 10:42:01| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
> 2008/02/13 10:42:01| Rebuilding storage in /usr/local/squid/cache (CLEAN)
> 2008/02/13 10:42:01| Using Least Load store dir selection
> 2008/02/13 10:42:01| Set Current Directory to /usr/local/squid/cache
> 2008/02/13 10:42:01| Loaded Icons.
> 2008/02/13 10:42:02| Accepting transparently proxied HTTP connections at 127.0.0.1, port 3128, FD 13.
> 2008/02/13 10:42:02| Accepting proxy HTTP connections at 10.110.150.253, port 3128, FD 14.
> 2008/02/13 10:42:02| Accepting ICP messages at 0.0.0.0, port 3130, FD 15.
> 2008/02/13 10:42:02| Accepting WCCPv2 messages on port 2048, FD 16.
> 2008/02/13 10:42:02| Initialising all WCCPv2 lists
> 2008/02/13 10:42:02| Ready to serve requests.
> 2008/02/13 10:42:02| Configuring Parent proxy.iconnect.co.ke/3128/7
> 2008/02/13 10:42:02| Store rebuilding is 18.6% complete
> 2008/02/13 10:42:02| Done reading /usr/local/squid/cache swaplog (21963 entries)
> 2008/02/13 10:42:02| Finished rebuilding storage from disk.
> 2008/02/13 10:42:02|     21963 Entries scanned
> 2008/02/13 10:42:02|         0 Invalid entries.
> 2008/02/13 10:42:02|         0 With invalid flags.
> 2008/02/13 10:42:02|     21963 Objects loaded.
> 2008/02/13 10:42:02|         0 Objects expired.
> 2008/02/13 10:42:02|         0 Objects cancelled.
> 2008/02/13 10:42:02|         0 Duplicate URLs purged.
> 2008/02/13 10:42:02|         0 Swapfile clashes avoided.
> 2008/02/13 10:42:02|   Took 0.5 seconds (46011.6 objects/sec).
> 2008/02/13 10:42:02| Beginning Validation Procedure
> 2008/02/13 10:42:02|   Completed Validation Procedure
> 2008/02/13 10:42:02|   Validated 21963 Entries
> 2008/02/13 10:42:02|   store_swap_size = 235922k
> 2008/02/13 10:42:02| storeLateRelease: released 0 objects
> 2008/02/13 11:11:41| Preparing for shutdown after 2555 requests
> 2008/02/13 11:11:41| Waiting 30 seconds for active connections to finish
> 2008/02/13 11:11:41| FD 13 Closing HTTP connection
> 2008/02/13 11:11:41| FD 14 Closing HTTP connection
> 2008/02/13 11:11:41| FD 16 Closing WCCP socket
> 2008/02/13 11:12:12| Shutting down...
> 2008/02/13 11:12:12| FD 15 Closing ICP connection
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B4C12BD001E6400
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.67 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://david.marketplace.org/uploadfast.asp?PID=5B47DF2D001E63FF
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.150.55 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://b.mail.google.com/mail/channel/bind?at=tfpl7aa80y0xw75xevv9065zwg9408&ui=1&RID=rpc&SID=3DAE21FF8E7AAB22&CI=0&AID=60&TYPE=html&zx=6216rrq6uixn&DOMAIN=mail.google.com&t=1
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.120.30 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
> 2008/02/13 11:12:12| WARNING: Closing client 10.110.120.145 connection due to lifetime timeout
> 2008/02/13 11:12:12|    http://stats.update.microsoft.com/ReportingWebService/ReportingWebService.asmx
> 2008/02/13 11:12:12| Closing unlinkd pipe on FD 11
> 2008/02/13 11:12:12| storeDirWriteCleanLogs: Starting...
> 2008/02/13 11:12:12|   Finished.  Wrote 22081 entries.
> 2008/02/13 11:12:12|   Took 0.0 seconds (3743176.8 entries/sec).
> CPU Usage: 2.019 seconds = 1.140 user + 0.878 sys
> Maximum Resident Size: 21292 KB
> Page faults with physical i/o: 0
> 2008/02/13 11:12:12| Squid Cache (Version 2.6.STABLE18): Exiting normally.

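As an editor's added example (not code from anyone in this thread), the following Python checker applies Squid's dstdomain and url_regex matching rules to the three ACLs posted above, so the effect of a `header_access Accept-Encoding deny <acl>` line can be checked against real URLs before it is deployed. It shows, among other things, that a request to b.mail.google.com like the channel URL in the cache.log above matches none of the three ACLs, so header_access rules built on them would not touch it. The matching semantics (leading dot matches the domain and all subdomains, no dot is an exact host match, `-i` is a case-insensitive unanchored regex over the whole URL) are Squid's documented behaviour, reproduced here by assumption rather than by calling Squid itself.

```python
import re
from urllib.parse import urlsplit

# ACL definitions copied from the reply in this thread (Squid 2.6 syntax);
# GmailUrlRegExp was declared with -i, i.e. case-insensitive.
ACLS = {
    "Hotmail": ("dstdomain", [".hotmail.com", ".hotmail.msn.com", ".login.live.com",
                              ".mail.live.com", ".passport.com", "calendar.msn.com", "g.live.com"]),
    "Gmail": ("dstdomain", [".gmail.com", "mail.google.com", "ssl.google-analytics.com"]),
    "GmailUrlRegExp": ("url_regex", [".google.com/accounts", ".google.ca/accounts"]),
}

def dstdomain_match(host, pattern):
    """Squid dstdomain rule (assumed as documented): a leading dot matches the
    domain itself and every subdomain; without a dot it is an exact host match."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def url_regex_match(url, pattern):
    """url_regex -i: unanchored, case-insensitive regex over the whole URL.
    Note the unescaped '.' in the posted patterns is a wildcard, not a literal."""
    return re.search(pattern, url, re.IGNORECASE) is not None

def matching_acls(url):
    """Return the names of the posted ACLs that this request URL would match."""
    host = urlsplit(url).hostname or ""
    hits = []
    for name, (kind, patterns) in ACLS.items():
        if kind == "dstdomain":
            matched = any(dstdomain_match(host, p) for p in patterns)
        else:
            matched = any(url_regex_match(url, p) for p in patterns)
        if matched:
            hits.append(name)
    return hits

def accept_encoding_action(url):
    """Outcome of 'header_access Accept-Encoding deny <acl>' for all three ACLs:
    the header is dropped ('deny') when any ACL matches, otherwise kept ('allow')."""
    return "deny" if matching_acls(url) else "allow"

if __name__ == "__main__":
    # First URL is modelled on the cache.log entry in this thread; the rest are constructed.
    for u in ("http://b.mail.google.com/mail/channel/bind?RID=rpc",
              "http://mail.google.com/mail/", "https://www.google.com/accounts/ServiceLogin",
              "http://login.live.com/login.srf", "http://www.google.com/"):
        print(f"{accept_encoding_action(u):5s} {matching_acls(u)} {u}")
```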

