On 06/11/10 04:50, Leonardo wrote:
Hi all,
I have compiled and installed Squid 3.1.7 on a Linux 2.6.26 (Debian
5.0.5), and successfully tested it as a non-transparent proxy (i.e.
the proxy address:port is explicitly specified in the web browser).
Now I need to use it to do transparent proxying. For this, I'm
following the example at
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 .
The clients will be on subnet 10.11.1.0/24. $ROUTER_IP and $SQUID_IP
are both on the subnet 10.8.0.0/16.
Squid has been compiled as follows:
configure options: '--enable-linux-netfilter' '--enable-wccp'
'--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
'--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid'
'CPPFLAGS=-I../libltdl' --with-squid=/root/squid-3.1.7
--enable-ltdl-convenience
======= Squid configuration: =======
File /etc/rc.local :
modprobe ip_gre
ip tunnel add wccp0 mode gre remote $ROUTER_IP local $SQUID_IP dev eth0
ifconfig wccp0 $SQUID_IP netmask 255.255.255.255 up
echo 0>/proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0>/proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1>/proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT
--to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE
File /etc/squid/squid.conf : I am basically using the default config,
adding only the commands for transparent proxying:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Transparent proxying
http_port 3128 transparent
http_port 3128 intercept
You will also need a separate port for the normal browser-configured and
management requests. 3.1 will reject these if sent to a NAT interception
port.
wccp2_router $ROUTER_IP
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/cache 50000 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
======= =======
======= Configuration of the router, a Cisco ASA 5520 firewall: =======
access-list wccp_redirect extended deny ip host $SQUID_IP any
access-list wccp_redirect extended permit tcp 10.11.1.0 255.255.255.0 any eq www
wccp web-cache redirect-list wccp_redirect
wccp interface inside web-cache redirect in
======= =======
This does not work. The browser gives an error "Unable to connect to
remote server" after a timeout.
Here is is the output of "tcpdump -vvnn -i eth0 port 2048" on the Squid machine:
15:05:01.279896 IP (tos 0x0, ttl 64, id 22913, offset 0, flags [none],
proto UDP (17), length 172) $SQUID_IP.2048> $ROUTER_IP.2048: UDP,
length 144
15:05:01.280090 IP (tos 0x0, ttl 255, id 5011, offset 0, flags [none],
proto UDP (17), length 168) $ROUTER_IP.2048> $SQUID_IP.2048: UDP,
length 140
15:05:11.279893 IP (tos 0x0, ttl 64, id 22914, offset 0, flags [none],
proto UDP (17), length 172) $SQUID_IP.2048> $ROUTER_IP.2048: UDP,
length 144
15:05:11.280083 IP (tos 0x0, ttl 255, id 20123, offset 0, flags
[none], proto UDP (17), length 168) $ROUTER_IP.2048> $SQUID_IP.2048:
UDP, length 140
This is what I see on the Cisco ASA when I turn debugging on with
"debug ip wccp packets":
WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 000001ED
WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP w/ rcv_id 000001EE
WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 000001EE
WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP w/ rcv_id 000001EF
So the WCCP updates are working.
Also check the squid access.log. This will determine whether it is the
ASA side or the Internet side of Squid which then needs to be tcpdumped
for port 80 to find out whats going on.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.9
Beta testers wanted for 3.2.0.2