Hi.
Just for the sake of others who are looking to make
Transparent/Interception caching with Squid, WCCP v1 and Fedora Core 3,
this is what we did to get it working:

On the router (IOS 12.3(2)T):

    ip cef
    ip wccp version 1
    ip wccp web-cache
    interface <interface either directly or indirectly connected to the Internet>
    ip wccp web-cache redirect out
    end

Also, we did:

    conf t
    ip cef # some systems may already have 'ip cef global'
    int <interface directly or indirectly connected to the Squid Server> (or int FastEthernet 0/0 or other internal interface)
    no ip route-cache cef
    CTRL Z

That's it. For debugging, we used:

    show ip wccp
    show ip wccp web-caches
    show ip wccp web-cache detail
    show ip wccp web-cache view (or: show ip wccp 99 detail)

On the Linux Server (Fedora Core 3 (2.6.9-1.667smp)):

In squid.conf:

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    tcp_outgoing_address <ip address of your interface connected to the WCCP router>
    wccp_outgoing_address <ip address of your interface connected to the WCCP router>
    wccp_router <ip address of the WCCP router itself>
    wccp_version 4

In /etc/sysconfig/network-scripts/ifcfg-gre0:

    DEVICE=gre0
    BOOTPROTO=static
    IPADDR=172.16.1.6
    NETMASK=255.255.255.252
    ONBOOT=yes
    IPV6INIT=no

For netfilter:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
    service iptables save

You also might want to limit this in a way so that you specify
source addresses and limit it to only those networks/hosts you want to
proxy for. I think this would mean one entry (or line) per configured
network.

For ip forwarding:

    echo 0 > /proc/sys/net/ipv4/ip_forward

You might even want to do the following in /etc/sysctl.conf:

    net.ipv4.ip_forward = 1

For rp_filter, which must be turned off:

    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter

You might even want to do the following in /etc/sysctl.conf:

    net.ipv4.conf.default.rp_filter = 0

**** This last one was where our problem was. We have turned off
rp_filter for eth0 but not for gre0. Once we turned it off for gre0, it
worked.

Also, for debugging:

For WCCP connection with the router:

    tethereal -V -s 1500 port 2048

You should see here_i_am and i_see_you packets going through.

For redirected connections coming from the router:

    tcpdump -i gre0

or

    tcpdump -i gre0 port 80

You should see http requests redirected through the gre interface.

For squid:

    tail -f <your squid log files location>/access.log

You should see requests from clients.

Hope this helps.
-- Oliver --
ovchato@netscape.net wrote:
> Greetings.
>
> Sorry for the long message. We are trying to implement
> Transparent/Interception caching using the following:
> -- Squid 2.5 Stable 11 (We were able to obtain an RPM for Fedora Core
> 3) with WCCP v1
> -- Fedora Core 3 (64-bit, 2.6.9-1.667smp)
> -- Cisco Router (IOS 12.2)
> in the following configuration (not real IP addresses and interface
> designations used):
>
>
>                               |-----------------------|
>                               |    Squid (2.5 S11)    |
>                               |     Fedora Core 3     |
>                               |-----------------------|
>                                     eth 0 | 201.1.1.2/255.255.255.252
>                                           |
>                                           |
>                                           |
>                                   int 0/0 | 201.1.1.1/255.255.255.252
>                                           |                int 0/1
>                            |------------------------------|------------------------- to Internet *
> Networks of            ATM |                              | 203.1.1.1/255.255.255.224
>                  interface |                              |
> Dial Up Users via various -|   Cisco Router (IOS 12.2)    |
> Terminal Servers           |                              |
>  202.1.1.1/255.255.255.252 |                              | 203.1.1.2/255.255.255.224
>                            |------------------------------|-------------------------- to Internet *
>                                                            int 0/2
>
> * The two network interfaces (int 0/1 and int 0/2) are connected to
> the same network and load balanced via OSPF.
> (Please pardon the interface designations on the router as I am not
> too familiar with it and we have no administrative control of the router)
>
> On the router (IOS 12.2):
> -- As mentioned above, connections to the internet (int 0/1 and int
> 0/2) are load balanced over OSPF
> -- An access list has been defined on ATM interface for various
> networks (dialups, DSL, etc.)
> -- We have turned CEF off on the interface connected to the Squid
> CACHE (we actually tried it with CEF as well).
> -- WCCP v1 is enabled and applied at the 2 outbound internet
> connections (int 0/1 and int 0/2) with "redirect out" option
> -- We have also tried to apply WCCP v1 at the ATM interface with
> "redirect in" option.
> -- WCCP v1 was enabled and applied to the various interfaces as
> detailed above with access lists (as specified above, defined for the
> ATM interface)
>
> On the Linux Box (FC3, 2.6.9-1.667smp):
> -- We used the WCCP v1 module on Squid as pre-compiled with the RPM.
> -- We are using GRE instead of WCCP patch as we have read in the FAQs
> and lists that this is the implementation to use for kernel versions >= 2.6.9.
> -- We are also using iptables to redirect traffic coming in from port
> 80 to 3128 (the squid port we are using).
> -- We specified and enabled the appropriate variables in squid.conf
> for both transparent/interception caching and WCCP v1.
>
> Configurations used:
> We have tried the various setups as detailed in the following URLs:
> -- http://www.squid-cache.org/mail-archive/squid-users/200505/0678.html
> -- http://www.sublime.com.au/squid-wccp/
> -- http://www.reub.net/node/3
> -- http://www.spc.int/it/TechHead/Wccp-squid.html
>
> Symptoms:
> We were able to configure it so that the Cisco Router WCCP v1
> configuration actually registers the Squid Server as a usable Cache
> Engine. We also traced the GRE connections via the following Linux
> commands:
> -- tethereal -V -s 1500 port 2048
> -- tcpdump -lenx -s 1500 port 2048
> and we see the "Here I Am" and "I See You" packets and observed the
> following:
> -- the "Here I Am" packets specify that 0 to 255 buckets ARE NOT
> ASSIGNED.
> -- the "I See You" packets specify that 0 to 255 buckets ARE
> ASSIGNED. Also, we can see the router configuration specifying our
> squid server registered in the web cache.
> On the router, using the "show ip wccp" command, we see the counter
> "Total Packets Redirected" being incremented. When we issue the "show
> ip wccp web-caches" command, the "Web Cache ID:" parameter displays
> 0.0.0.0. Also, when we issue the "show ip wccp web-cache view"
> command, the "WCCP Routers Informed of:" parameter and the "WCCP Cache
> Engines NOT Visible:" parameter show "-- none --" and "WCCP Cache
> Engines Visible:" parameter shows the IP address of the squid server
> (201.1.1.2). We are unable to issue any debug commands on the router
> as this is a production router (we have no other router to implement
> on) and this might make the router hang.
>
> Problems:
> -- On the squid server, we see nothing coming through port 80 (using
> the "tcpdump -n port 80" linux command) even though, as mentioned
> above, we are registered with the Cisco WCCP configuration and the
> "Total Packets Redirected" is incrementing.
> -- We do not see anything being recorded on the squid server's
> access.log.
>
>
> Some Questions:
> -- Is there a definitive how-to on implementing WCCP v1 on Linux for
> kernels 2.6.9 and above?
> -- Has anyone had a successful installation of Squid 2.5 Stable 11
> with WCCPv1 connected to a Cisco router (IOS 12.1 or 12.2) on Fedora
> Core 3(kernel version 2.6.9 smp)?
> -- How can we further see what is happening or debug without using the
> router's debug commands (if there are any other ways)?
> -- Do we need to switch to WCCP v2 using the patch available from the
> squid developer site
> (http://devel.squid-cache.org/projects.html#visolve_wccpv2) in order
> for Transparent/Interception caching to work?
> -- Any word on if (or when) full WCCP v2 (with multiple router and
> multiple cache) will be or has been implemented (either as a patch or
> part of the distribution)? Will this support load balancing protocols
> on the router (OSPF, HSRP, VRRP)?
> -- Just in case anybody knows, how are the access lists implemented
> with regards to the WCCP v1 setting? I read in one article
> (http://www.squid-cache.org/Doc/FAQ/FAQ-17.html) that this list should
> contain IP addresses that should be excluded from transparent caching,
> or something to that effect (the exact words were "IP addresses which
> you do not wish to be transparently redirected to your cache"). I just
> wanted to confirm if this was correct.
>
> We would appreciate any help you could give on the matter.
>
> Thank you and good day.
>
> -- Oliver --
>
Received on Tue Feb 14 2006 - 23:52:06 MST
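
The two host-side points in the reply above (rp_filter left on for gre0, and a port-80 REDIRECT rule that matches every source) can be checked mechanically. The following is an added example, not part of the original post: the function names and the sample rules are constructed for illustration, and the rules are assumed to be in iptables-save format.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Squid/WCCP host for
# the two issues discussed in the thread. All names here are hypothetical.

# Constructed sample in iptables-save format: one open rule, one scoped rule.
SAMPLE_RULES='-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.0.2.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# rp_filter_on ROOT IFACE...
# ROOT is the sysctl tree (/proc/sys on a live host). Prints one line per
# interface whose rp_filter file is absent or holds anything other than 0.
rp_filter_on() {
    root=$1; shift
    for ifc in "$@"; do
        f="$root/net/ipv4/conf/$ifc/rp_filter"
        if [ ! -r "$f" ]; then
            echo "$ifc:missing"
        elif [ "$(cat "$f")" != "0" ]; then
            echo "$ifc:enabled"
        fi
    done
}

# open_redirects: reads iptables-save output on stdin and prints port-80
# REDIRECT rules that carry no source (-s) match, i.e. proxy for anyone.
open_redirects() {
    grep -- '-j REDIRECT' | grep -- '--dport 80' | grep -v -- ' -s ' || true
}

# wccp_audit ROOT RULES_FILE IFACE...
# Prints all findings; returns 0 when there are none, 1 otherwise.
wccp_audit() {
    root=$1; rules=$2; shift 2
    findings=$( { rp_filter_on "$root" "$@"
                  open_redirects < "$rules" | sed 's/^/open-redirect: /'; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Live run (needs root): sh wccp_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    t=$(mktemp); iptables-save -t nat > "$t"
    wccp_audit /proc/sys "$t" eth0 gre0; rc=$?
    rm -f "$t"; exit "$rc"
fi
```

A "gre0:missing" result means the tunnel interface does not exist yet, so the check is only meaningful after gre0 has been brought up.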