Search squid archive

Re: CentOS/Squid/Tproxy but no transfer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Am 10.07.2009 um 08:19 schrieb Behnam B.Marandi:

Thanks for quick replay.

I did set "ip wccp web-cache" in the router config but;

#sh ip wccp web-cache detail
      No information is available for the service.


try to debug wccp
#debug wccp packet

can you see any packets from your squid engine?


In case of access-list, what I got from step 35 is that access-list just used for excluding specific web sites from redirecting to cache. Otherwise I don't know how and where (in router config or squid config) to put an access-list.


ok, i didn't have to configure a cisco router for some time.



Behnam.




Tom Penndorf wrote:

Hi,


Am 10.07.2009 um 07:29 schrieb Behnam B.Marandi:

I did setup a full transparent caching machine based on Nicholas Ritter's guide: http://www.mail-archive.com/squid-users@xxxxxxxxxxxxxxx/ msg65056.html
Cache machine is a Cent OS 5.3
Router is;
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE SOFTWARE (fc1)

Squid config is;
http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
wccp2_router xx.xx.241.39
wccp_version 4
wccp2_rebuild_wait off
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80 wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src xx.xx.240.0/20
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
cache_dir ufs /var/spool/squid 4000 16 256
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320
coredump_dir /usr/local/squid/var/cache
visible_hostname tco53

I'm not sure IOS version is critical or not, and in case of "wccp2_rebuild_wait" I had to set it "off" so the router can see the cache machine;

6#sh ip wccp
Global WCCP information:
 Router information:
 Router Identifier:                   xx.xx.241.39
 Protocol Version:                    2.0

 Service Identifier: web-cache
 Number of Cache Engines:             0
 Number of routers:                   0
 Total Packets Redirected:            0
 Redirect access-list:                -none-
 Total Packets Denied Redirect:       0
 Total Packets Unassigned:            0
 Group access-list:                   -none-
 Total Messages Denied to Group:      0
 Total Authentication failures:       0

 Service Identifier: 80
 Number of Cache Engines:             1
 Number of routers:                   1
 Total Packets Redirected:            0
 Redirect access-list:                -none-
 Total Packets Denied Redirect:       0
 Total Packets Unassigned:            0
     Group access-list:                   -none-
 Total Messages Denied to Group:      0
 Total Authentication failures:       0

 Service Identifier: 90
 Number of Cache Engines:             1
 Number of routers:                   1
 Total Packets Redirected:            0
 Redirect access-list:                -none-
 Total Packets Denied Redirect:       0
 Total Packets Unassigned:            0
 Group access-list:                   -none-
 Total Messages Denied to Group:      0
 Total Authentication failures:       0

What are the last 2 entries? Is it your squid machine, too?



As you can see, the router isn't redirecting the traffic to the proxy. Please send the output of "show ip wccp detail". Also you don't have defined any access-list for redirecting, so the router don't knows, which traffic to redirect.




Clients can browse web but there is no transfer between router and cache machine:
[root@tco53 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:10:22:FE:6E:EC inet addr:xx.xx.241.40 Bcast:194.225.241.63 Mask:255.255.255.192
       inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
       UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
       RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
       TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:1000
       RX bytes:7179021 (6.8 MiB)  TX bytes:3493119 (3.3 MiB)
       Interrupt:5

gre0 Link encap:UNSPEC HWaddr 00-00-00-00-AC-BF- F4-6F-00-00-00-00-00-00-00-00 inet addr:xx.xx.241.40 Mask:255.255.255.192
       UP RUNNING NOARP  MTU:1476  Metric:1
       RX packets:0 errors:0 dropped:0 overruns:0 frame:0
       TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:0
       RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0
       inet6 addr: ::1/128 Scope:Host
       UP LOOPBACK RUNNING  MTU:16436  Metric:1
       RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
       TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:0
       RX bytes:424456 (414.5 KiB)  TX bytes:424456 (414.5 KiB)

[root@tco53 ~]# cat /etc/rc.local
ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
touch /var/lock/subsys/local
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
/usr/local/squid/sbin/squid

I compiled gre in the kernel so there is no need to modprobe it;
CONFIG_NET_IPGRE=y
CONFIG_NET_IPGRE_BROADCAST=y

[root@tco53 ~]# ip ru sh
0:    from all lookup 255
32765:    from all fwmark 0x1 lookup 100
32766:    from all lookup main
32767:    from all lookup default

[root@tco53 ~]# ip ro sh ta 100
local default dev lo  scope host

[root@tco53 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.3.2 on Sun Jul  5 17:04:57 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3416]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i gre0 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
COMMIT
# Completed on Sun Jul  5 17:04:57 2009
# Generated by iptables-save v1.4.3.2 on Sun Jul  5 17:04:57 2009
*mangle
:PREROUTING ACCEPT [10:1680]
:INPUT ACCEPT [38:3760]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:3416]
:POSTROUTING ACCEPT [26:3416]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 -- on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1 COMMIT
# Completed on Sun Jul  5 17:04:57 2009

I don't know where this line came from; "-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"

I guess despite identification of cache machine by router, it does not qualified by the router to route web traffic trough it. Don't know how to debug this, any idea to help this out would be greatly appreciated.
Behnam.

Tom




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux