Re: [squid-users] compiling ip_wccp.c

From: Darcy R. Ganga <dganga@dont-contact.us>
Date: Wed, 3 Oct 2001 15:35:00 -0400 (CLT)

Hi...

One solution:

SPC Information Technology and Communications Unit - Wccp-squid cache

I have just spent considerable time setting up a transparent web cache to reduce the latency we experience on our satellite link to the Internet
(our minimum ping time is 800ms to the US!!). You can see the statistics of our hit rates here. This method uses wccp to intercept web requests
exiting through a cisco router and is totally transparent to the rest of the network.

I used a Pentium 133 with 64MB RAM and a 4GB disk, running RedHat 6.2. The procedure is not difficult, but there are lots of little 'gotchas' that
catch you out - even if you have read the FAQ 500 times like I did. So many people helped me out, and so many others have asked how to do it since
I succeeded that I am publishing a 'cookbook' of the method that worked for us. Hope it helps.

Al Blake - 3rd October 2000. (alb@spc.int)

================================================================================

Cookbook for setting up transparent wccp caching using squid and a cisco access server:

   1.Install RedHat 6.2 selecting the 'server' install setup.
   2.After completion check that network card has been discovered, configured and is working (ping something). Check dns is working.
   3.Install squid rpm -> squid-2.3.STABLE1-5 (on the RH CD)
   4.Get the newer version of linuxconf (linuxconf-1.21r4-1.i386.rpm) which removes the need to create a startup file to load the wccp module.
     You now just have to add ip_wccp to the 'Kernel modules + options' section at the bottom of the global firewall configuration module in linuxconf,
     which is much neater and easier to understand.
   5.Obtain source of the ip_wccp.o patch from: here

OR

   5.If you can find it compiled into an object file for EXACTLY the same kernel - use it. Our version (for kernel 2.2.14-5.0 with our options is HERE -
     use it at your own risk!)
   6.(optional) compile ip_wccp.c if required. It will need to be compiled with the flags that the kernel normally uses for compiling modules.
     This is what worked for our kernel.

This should all be on one line(!):

    gcc -D__KERNEL__ -I/usr/src/linux-2.2.14/include -Wall -Wstrict-prototypes -O2 -fomit-frame-pointer \
    -fno-strict-aliasing -pipe -fno-strength-reduce -m386 -DCPU=386 -DMODULE -DMODVERSIONS -include \
     /usr/src/linux-2.2.14/include/linux/modversions.h -c ip_wccp.c

NOTE: You can find out how your kernel compiles modules by installing the kernel source rpms and running 'make modules' -
      look at the output and you will see what flags your system uses to compile modules.

    6.Copy ip_wccp.o to /lib/modules/<kernel-version>/ipv4/ip_wccp.o and then edit /lib/modules/<kernel-version>/modules.dep to add the line:

      /lib/modules/<kernel-version>/ipv4/ip_wccp.o

      test the module with:

      /sbin/modprobe ip_wccp
      /sbin/depmod -a -e

      which should report no errors.

    7.Edit /etc/sysctl.conf:

     # Controls packet forwarding (1 = enabled)
     net.ipv4.ip_forward = 1
     # Enables source route verification
     net.ipv4.conf.all.rp_filter = 1
     # Disables automatic defragmentation (needed for masquerading, LVS)
     net.ipv4.ip_always_defrag = 0
     # Disables the magic-sysrq key
     kernel.sysrq = 0

    8.Edit /etc/squid/squid.conf:

    (some of these are default settings - some are not - just search through and change them)

         httpd_accel_with_proxy on
         httpd_accel_port 80
         httpd_accel_host virtual
         httpd_accel_uses_host_header on
         http_port 3128
         acl QUERY urlpath_regex cgi-bin \?
         no_cache deny QUERY
         acl spc_nocache srcdomain spc.int spc.org.fj spc.org.nc
         no_cache deny spc_nocache
         emulate_httpd_log on
         acl snmppublic snmp_community public
         snmp_port 3401
         snmp_access allow snmppublic localhost
         snmp_access allow snmppublic all
         http_access allow all
         http_access allow localhost
         icp_access allow all
         httpd_accel_uses_host_header on

   9.Run the linuxconf program and set up the firewalling so that the access lists are as follows: (the order of the access lists is VERY important).

     target prot opt source destination ports
     ACCEPT all ------ localhost localhost n/a
     ACCEPT tcp ------ anywhere webcache.spc.int any -> www
     REDIRECT tcp ------ 202.0.157.0/24 anywhere any ->www => squid
     ACCEPT all ------ 202.0.157.0/24 anywhere n/a
     ACCEPT all ------ 202.0.156.0/24 anywhere n/a
     ACCEPT all ------ anywhere 202.0.157.0/24 n/a
     ACCEPT all ------ anywhere 202.0.156.0/24 n/a
     ACCEPT all ------ localhost localhost n/a

    (webcache.spc.int should be substituted with the local host name. 202.0.157.0 should be substituted with the LAN that you want caching access for...
     i.e. the LAN the Cisco is on). Don't ask me why we get two identical localhost rules - it seems to be an anomaly of using linuxconf to set up firewalling
     - and I'm having to live with it if I don't have to create huge ipchains script files using vi!

    NB This may NOT be the complete access lists for your system! This is just the bits that are relevant to the transparent web cache.
       You may need to BLOCK other stuff if you are not hiding behind a firewall/router with access lists! You have been warned.

   11.Reboot the linux box and make sure it comes up!
   12.Log into the cisco and go into enable mode:

      ip wccp version 1
      ip wccp web-cache redirect

      Int (output interface to be cached)
      ip wccp web-cache redirect out

   14.You should now have a transparent caching squid server! How can you test it:

    a.Check the /var/log/squid/access.log file - you should see web requests passing through
    b.use the command 'debug ip wccp event' on the cisco. You should see 'I see you/here I am' conversations between the cisco and the squid box.
    c.Set up mrtg to monitor the hit-rate and other statistics.

    Good luck!

On Wed, 3 Oct 2001, Henrik Nordstrom wrote:

> The include files in /usr/include/linux must exactly match the kernel you
> are running. If you cannot find the matching kernelheaders for the
> kernel build you are running then you have no choice but to perform a
> full rebuild of your kernel and install new kernel headers before
> compiling separate kernel modules.
>
> Regards
> Henrik Nordström
> Squid Hacker
>
>
> Babe Meneses Beltran wrote:
> >
> > Hi,
> >
> > How can I find the parameter of compilation of my kernel that is running?
> >
> > Sorry if I am asking this question again.
> >
> > Regards,
>

-- 
Saludos / Best Regards
--
Darcy Roberto Ganga P.
mailto:dganga@securities.cl
System Administratora GDC
Latin America
Direct Phone: +562.651.1080 ext 102
Fax: +562.362.1595
ISI Emerging Markets - Internet Securities Inc.
A EuroMoney-Institutional Investor Company
Received on Wed Oct 03 2001 - 13:27:22 MDT
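
The quoted advice that the kernel headers must exactly match the running kernel can be checked before running the gcc line from the cookbook. This is an added example, not part of the thread; the function names are hypothetical, and it assumes a 2.2-era source tree whose include/linux/version.h defines UTS_RELEASE.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check before building ip_wccp.o.
# Assumes include/linux/version.h carries a line: #define UTS_RELEASE "<release>"

# Print the kernel release string recorded in a source tree's headers.
headers_release() {
    sed -n 's/^#define[[:space:]]*UTS_RELEASE[[:space:]]*"\([^"]*\)".*/\1/p' \
        "$1/include/linux/version.h" 2>/dev/null | head -n 1
}

# check_headers SRC_DIR RUNNING_RELEASE
# Returns 0 if the tree matches the running kernel and has modversions.h,
# 1 on a release mismatch, 2 if no release is recorded, 3 if modversions.h is absent.
check_headers() {
    src=$1
    running=$2
    found=$(headers_release "$src")
    if [ -z "$found" ]; then
        echo "no UTS_RELEASE found in $src/include/linux/version.h" >&2
        return 2
    fi
    if [ "$found" != "$running" ]; then
        echo "headers are for $found but the running kernel is $running" >&2
        return 1
    fi
    if [ ! -f "$src/include/linux/modversions.h" ]; then
        echo "modversions.h missing (the compile line passes it to -include)" >&2
        return 3
    fi
    echo "headers match $running"
}

# Run against a real tree only when one is named on the command line,
# e.g.: sh check.sh /usr/src/linux-2.2.14
if [ "$#" -ge 1 ]; then
    check_headers "$1" "${2:-$(uname -r)}"
fi
```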

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:36 MST
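
The cookbook's squid.conf allows the `all` ACL for HTTP, ICP and SNMP, and because squid stops at the first matching access rule, the `http_access allow localhost` line after `http_access allow all` never takes effect. The audit below is an added example, not part of the original post or of squid; the function names and the `spc_lan` ACL are hypothetical, and `all` is assumed to be the stock ACL matching every source address.

```shell
#!/bin/sh
# Added example (not from the original post): audit squid access rules.

# Constructed sample: the access-related lines of the cookbook's squid.conf.
sample_conf() {
    cat <<'EOF'
acl snmppublic snmp_community public
snmp_port 3401
snmp_access allow snmppublic localhost
snmp_access allow snmppublic all
http_access allow all
http_access allow localhost
icp_access allow all
EOF
}

# Constructed alternative: access limited to the LANs named in the post.
restricted_conf() {
    cat <<'EOF'
acl spc_lan src 202.0.157.0/255.255.255.0 202.0.156.0/255.255.255.0
http_access allow localhost
http_access allow spc_lan
http_access deny all
icp_access deny all
snmp_access deny all
EOF
}

# audit_squid_conf FILE   ("-" reads standard input)
# Prints LINE:KIND:NAME per finding and returns 1 if anything was found.
audit_squid_conf() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "acl" && $3 == "snmp_community" && $4 == "public" {
            print NR ":default-community:" $2; n++
        }
        $1 ~ /^(http|icp|snmp)_access$/ {
            # A rule after an unconditional "all" rule can never be reached.
            if ($1 in final) { print NR ":shadowed:" $1; n++; next }
            wide = 0
            for (i = 3; i <= NF; i++) if ($i == "all") wide = 1
            if ($2 == "allow" && wide) { print NR ":open:" $1; n++ }
            if (NF == 3 && $3 == "all") final[$1] = NR
        }
        END { exit (n > 0 ? 1 : 0) }
    ' "$1"
}

sample_conf | audit_squid_conf - || true
```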