Re: [squid-users] Really transparent proxy
Chris,

Is setting via off the same as header_access Via deny all?

Thanks,
Bryan

On Fri, 2007-05-04 at 20:39 -0400, Chris Robertson wrote:

omero omero wrote:

Hello Facundo,

SNIP

You want to prevent internet servers from detecting that you are behind a proxy, therefore you need to disable transmission of Via and XFF. To do that, add the following 2 lines to your squid conf file and don't forget to restart the service after you save the file:

forwarded_for off
via off

One last detail. Setting forwarded_for off doesn't disable the transmission of the X-Forwarded-For header. It just removes detail from what it normally transmits. To wit:

# TAG: forwarded_for on|off
# If set, Squid will include your system's IP address or name
# in the HTTP requests it forwards. By default it looks like
# this:
#
# X-Forwarded-For: 192.1.2.3
#
# If you disable this, it will appear as
#
# X-Forwarded-For: unknown
#

Chris
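An added example (my own, not code from the thread or from Squid) for auditing what an origin server would see from a captured outgoing request: it reports Via and X-Forwarded-For and, following Chris's point, treats "X-Forwarded-For: unknown" as still disclosing a proxy. It also checks the standard Forwarded header, which the thread does not mention; the sample requests are constructed.

```python
# Request headers that tell an origin server an intermediary is in the path.
# "forwarded" (RFC 7239) is included beyond what the thread discusses.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")


def parse_request_headers(raw: bytes) -> dict:
    """Parse a raw HTTP/1.x request head into {lowercase-name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def proxy_disclosures(raw: bytes) -> dict:
    """Map each proxy-revealing header present to how it discloses.

    forwarded_for off only blanks the value to "unknown"; the header itself
    still reveals that a proxy exists, so it is reported as a disclosure.
    """
    headers = parse_request_headers(raw)
    findings = {}
    for name in PROXY_HEADERS:
        if name not in headers:
            continue
        values = headers[name]
        if name == "x-forwarded-for" and all(v.lower() == "unknown" for v in values):
            findings[name] = "present-but-blanked"
        else:
            findings[name] = "present"
    return findings


# Constructed sample: what an origin sees with only forwarded_for off.
SAMPLE_FORWARDED_FOR_OFF = (
    b"GET / HTTP/1.1\r\nHost: example.test\r\n"
    b"Via: 1.1 cache.example.test (squid)\r\n"
    b"X-Forwarded-For: unknown\r\n\r\n"
)
# Constructed sample: via off plus the X-Forwarded-For header denied outright.
SAMPLE_CLEAN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
```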
[squid-users] WCCP and ICP
Hello,

I have 2 cache servers and use WCCPv2. I don't think I need to use ICP as WCCP would control what sites go to what servers so that a request for the same URL would always go to the same server, but can someone confirm this?

Secondly, if I should be using something like ICP, should I be using HTCP, cache digests, etc.?

--
Thanks,
Bryan
Re: [squid-users] Problem with transparent proxy using WCCP2 + GRE on Linux
Nicolas,

Maybe the packets are getting dropped when they are trying to get back into your system on port 3128; try redirecting to the port only using --to-ports instead of --to-destination. I also use the REDIRECT function as opposed to DNAT. Here is my rule:

iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

Finally, I use the IP of my cache server with a /32 mask for the gre0 interface.

Hope this helps.

Thanks,
Bryan

On Fri, 2007-02-23 at 04:09 -0500, Nicolas Limage wrote:

Hi squid-users,

I'm currently trying to replace an old netapp proxy with a squid+linux box. I've some users behind a Cisco 7200 running IOS 12.4(12) using the proxy in transparent mode. The current proxy uses WCCP2+GRE to get the traffic from the router. The aim is to reproduce this behaviour with the squid box.

I've set up a box running Linux Debian, with kernel 2.6.18-3-k7 from debian and squid-2.6.STABLE8 compiled with the following options:

$ ./configure --prefix=/opt/package/squid-2.6.STABLE8 --enable-storeio=aufs,coss,diskd,null,ufs --enable-removal-policies=heap,lru --enable-useragent-log --enable-referer-log --enable-wccp --enable-wccpv2 --enable-snmp --enable-linux-netfilter --enable-large-cache-files --disable-ident-lookups --with-pthreads

My squid.conf file includes these lines:

http_port 3128 transparent
wccp2_router ip_of_the_cisco_router
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0

I have set up an unnumbered GRE tunnel between the box and the router:

# iptunnel del gre0
# iptunnel add gre0 mode gre remote ip_of_the_cisco_router local ip_of_the_linux_box dev eth0
# ifconfig gre0 up

I've added these commands to enable routing and disable spoof protection:

# echo 1 > /proc/sys/net/ipv4/ip_forward
# for file in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $file; done

To do the redirection, I'm using iptables, with all default policies set to ACCEPT, plus this rule:

# iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination ip_of_the_linux_box:3128

The Cisco router has been doing the job for years, so I doubt the problem comes from it. The squid proxy is running, with no error messages. I've tested it by explicitly declaring it in my browser, and it works perfectly. The router can see the proxy (it is in its WCCP list) and it sends the packets to the linux box. I can see the encapsulated packets coming to the linux box, I can see the packets coming out of the GRE tunnel (tcpdump -i gre0), they hit the iptables redirection rule (iptables -t nat -L -v: the counter is increasing), but afterwards they seem to disappear. No trace in the squid log. The TCP session is not established. I see no related traffic coming out of the box either.

Does someone have an idea of what could be happening? I'm also very interested in knowing how (in theory) the answer is supposed to return to the client.

Thanks
--
Nicolas L.
Re: [squid-users] WCCP issue
Awie,

I had a similar problem with only a couple of sites, specifically mail ones like hotmail, gmail, etc. I found a lot of documentation to work with the redirect rule in the firewall on the squid server but this didn't make a difference. I finally compiled in WCCPv2 support (into the 2.5S code at the time), and all my problems went away! I am currently using 2.6S9 on one server and 2.6S4 on another with --enable-wccpv2 and have had no complaints.

Hope this helps.

--
Thanks,
Bryan Shoebottom CCNA
Network Systems Analyst
Network Services
Computer Operations
Fanshawe College
Phone: (519) 452-4430 x4904
Fax: (519) 453-3231
[EMAIL PROTECTED]

On Fri, 2007-02-02 at 04:40 -0500, Awie wrote:

Dear all,

After running for more than 1 year, our proxy cannot serve normally all requests to hotmail.com (only; Yahoo mail is OK). Our proxy is running Squid 2.5S14 with WCCPv1 (WCCP module version 1.7). We tried to upgrade to 2.6S9 but we got the same result. If we run the proxy as non-transparent or run as transparent by using a route map, the requests to hotmail.com can be served normally. The problem always happens with WCCP.

Would you tell me what I should do to solve the problem? I prefer to use WCCP instead of a route map that consumes more CPU resources and creates problems when our proxy dies.

Thanks a lot for your kind help.

Thx Rgds,
Awie
Re: [squid-users] WCCP issue
Awie,

1. yes
2. use the wccp2_router instead of wccp_router
3. yes
4/5. You'll have to read up on this one; I ended up moving from a 2.4 kernel with a wccp module compiled to a 2.6.9+ kernel with the ip_gre module. I guess try your setup and if it doesn't work you can hopefully upgrade or test on another system.

Thanks,
Bryan

On Fri, 2007-02-02 at 09:24 -0500, Awie wrote:

Hi Bryan,

Thanks for your suggestion. I will do as you suggest but I want to make sure before I do the job. Please correct me.

1. I will compile a new version of Squid (i.e. 2.6S9) with the --enable-wccpv2 option
2. Change the squid.conf to match the setting parameters of the new Squid version
3. Change the Cisco Router WCCP from version 1 to version 2.
4. Keep the current Linux kernel 2.4.34 that supports WCCPv2
5. Keep the current ip_wccp.o (version 1.7) that already supports WCCPv2

Please advise

Thx Rgds,
Awie

----- Original Message -----
From: Bryan Shoebottom [EMAIL PROTECTED]
To: Awie [EMAIL PROTECTED]
Cc: Squid-users squid-users@squid-cache.org
Sent: Friday, February 02, 2007 21:33
Subject: Re: [squid-users] WCCP issue
Re: [squid-users] Squid and SNMP
SNMP runs on port 161, so to avoid interfering with your system's SNMP daemon, squid's SNMP server runs on port 3401. You'll need to make sure you specify that port when you want to query squid and not your system.

If you are running *nix you can actually use the proxy feature of SNMP and forward requests from your system daemon to your SNMP daemon. Here's what I have in my SNMPd config:

proxy -v 1 -c communityname localhost:3401 1.3.6.1.4.1.3495.1

With this in my SNMPd config, I can query my system daemon for both system and squid values.

Hope this helps.

Thanks,
Bryan

On Wed, 2006-08-16 at 10:52 -0400, Birol AKBAY wrote:

Hi,

I have an installed version 2.6.STABLE1 with --enable-snmp. I have these lines in squid.conf:

snmp_port = 3401
acl localhost src 127.0.0.1/255.255.255.255
acl snmpok snmp_community public
snmp_access allow snmpok all
snmp_access deny all

snmpwalk raises an error: Failed SNMP agent query from : 127.0.0.1.

netstat result:

# netstat -an | grep 3401
udp        0      0 0.0.0.0:3401            0.0.0.0:*

So I think squid is listening on port 3401. The question: are there other config lines or another program like snmpd needed to achieve a successful connection? I have successfully connected to my FW and router to get data for MRTG. Do you have any suggestions?

Thanks.
--
Birol AKBAY [EMAIL PROTECTED]
Re: [squid-users] 2.6S1 WCCP2 problems
Tino,

Thanks for your config, I added the vhost and vport=80 options to my config, but I am still having the same problems. As for lo0 on the router, I have never had to set this up in the past but I tried it anyway and it made no difference. When I have talked to the Cisco guys before they stated that WCCP simply needs an IP and will grab any configured IP on the router, it doesn't matter. I think I am going to submit a bug, I don't know why squid is sending back a bad id.

Thanks,
Bryan

On Tue, 2006-07-18 at 20:25 -0400, tino wrote:

RE: [squid-users] 2.6S1 WCCP2 problems

http_port 3128 transparent vhost vport=80
tcp_outgoing_address 10.10.10.1
wccp2_router 10.10.10.2
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

As far as I know, with kernel 2.6.9 and up, you do need to bring up loopback0 at the cisco router (this is because wccp will use it as the router identifier).

# at router:
interface lo0
 ip address 172.0.0.1 255.255.255.252
 no shut

# at squid:
insmod ip_gre
ifconfig gre0 up
ip addr add 172.0.0.2/30 dev gre0

If you shut loopback0, the wccp mechanism is still alive at the router, but no traffic is being redirected (the gre tunnel is established between lo0 and gre0; via this tunnel the web traffic is redirected).

Also put "ip wccp web-cache exclude in" on the router interface where squid is attached; make sure it is not the same vlan where traffic is redirected.

regards
Tino

----- Original Message -----
From: Shoebottom, Bryan
To: tino ; squid-users@squid-cache.org
Sent: Tuesday, July 18, 2006 7:06 PM
Subject: RE: [squid-users] 2.6S1 WCCP2 problems

Tino,

Our loopback interface is not configured and never has been in the past for caches to work. You do bring up an interesting point about the IP address of the gre interface. In the past I have simply used an IP that is not on our network; maybe I can't do that anymore. What wccp directives do you have configured in your squid.conf?

Thanks,
Bryan

-----Original Message-----
From: tino [mailto:[EMAIL PROTECTED]
Sent: Mon 7/17/2006 8:17 PM
To: Shoebottom, Bryan; squid-users@squid-cache.org
Subject: Re: [squid-users] 2.6S1 WCCP2 problems

Hi Bryan,

What is your interface loopback0 status and IP address at the L3 6500? It should be in the same subnet as your gre0 ip address. I'm running a 6500 of an earlier version than yours (supervisor engine-1a msfc1), ip cef enabled; wccpv2 works ok with squid-2.6S1. I'm using kernel 2.6.15.7 with ip_gre loaded from a kernel module. It also works when I put squid-2.6.S1 with a 3620 router, ios 12.2(t), and an as5300, ios 12.0.7(t). Also, make sure iptables is loaded first before running squid.

rgds,
Tino

----- Original Message -----
From: Shoebottom, Bryan mailto:[EMAIL PROTECTED]
To: tino mailto:[EMAIL PROTECTED] ; squid-users@squid-cache.org
Sent: Monday, July 17, 2006 7:29 PM
Subject: RE: [squid-users] 2.6S1 WCCP2 problems

- 6500 running code 12.1(26)E
- ip wccp we redirect in configured on vlans; ip wccp web-cache
- 2.6.17
- /sbin/iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

eth0      Link encap:Ethernet  HWaddr 00:14:C2:C3:3B:1D
          inet addr:10.10.101.3  Bcast:10.10.101.7  Mask:255.255.255.248
          inet6 addr: fe80::214:c2ff:fec3:3b1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53302 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41745 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7311146 (6.9 MiB)  TX bytes:6586185 (6.2 MiB)
          Interrupt:185

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-BD-BF-A8-4C-00-00-00-00-00-00-00-00
          inet addr:10.2.1.1  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:104 errors:0 dropped:0 overruns:0 frame:0
          TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19992 (19.5 KiB)  TX bytes:19992 (19.5 KiB)

I have enabled wccp2 when configuring squid.

Thanks,
Bryan

-----Original Message-----
From: tino [mailto:[EMAIL
Re: [squid-users] 2.6S1 WCCP2 problems
Henrik,

I will give that a shot. Is there any reason why this isn't in the FAQ? This is the first place I checked when my config didn't work.

Thanks,
Bryan

On Wed, 2006-07-19 at 10:04 -0400, Henrik Nordstrom wrote:

On Wed, 2006-07-19 at 07:25 +0700, tino wrote:

RE: [squid-users] 2.6S1 WCCP2 problems

http_port 3128 transparent vhost vport=80

Why vhost and vport=80? These are for accelerator/reverse proxy mode, not Internet proxies. The transparent keyword takes care of all which is needed in transparent interception.

# at squid:
insmod ip_gre
ifconfig gre0 up
ip addr add 172.0.0.2/30 dev gre0

I would say it's better to create a new GRE tunnel for the router.

ip tunnel add wccp mode gre remote ip.of.router
ip addr add proxy.server.ip/32 dev wccp
ip link set wccp up

and intercepted packets redirected by the router should be coming in on the virtual wccp interface, where they can easily be redirected to Squid:

iptables -t nat -A PREROUTING -i wccp -p tcp -j REDIRECT --to 3128

You quite likely also need to disable reverse-path lookups on the wccp interface:

echo 0 > /proc/sys/net/ipv4/conf/wccp/rp_filter

IP forwarding does not need to be enabled.

Regards
Henrik
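An added example (my own, not code from Henrik, the thread, or Squid) that audits a Linux host against the recipe above and the REDIRECT-versus-DNAT point from the GRE thread earlier on this page: it checks an iptables-save nat dump for a REDIRECT rule on the wccp interface and computes the effective rp_filter setting. The kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so zeroing only the interface file is not enough while conf/all is still 1; the thread does not mention this. The interface name "wccp" and the nat dump are constructed.

```python
import re
from pathlib import Path

# Constructed sample of `iptables-save -t nat` output on a host set up as
# Henrik describes: intercepted traffic arrives on the "wccp" GRE interface
# and is REDIRECTed (not DNATed) to squid on port 3128.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i wccp -p tcp -j REDIRECT --to-ports 3128
COMMIT
"""


def has_redirect_rule(nat_save: str, iface: str, port: int) -> bool:
    """True if a PREROUTING rule matches -i <iface> -p tcp and REDIRECTs to <port>."""
    want = re.compile(
        r"^-A PREROUTING\b(?=.*\s-i %s\b)(?=.*\s-p tcp\b)(?=.*\s-j REDIRECT\b)"
        r".*\s--to-ports? %d\b" % (re.escape(iface), port)
    )
    return any(want.search(line) for line in nat_save.splitlines())


def effective_rp_filter(values: dict, iface: str) -> int:
    """Linux uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for <iface>."""
    return max(int(values.get("all", "0")), int(values.get(iface, "0")))


def read_rp_filter_values(iface: str, proc_root: str = "/proc") -> dict:
    """Read conf/all and conf/<iface> rp_filter; proc_root is a parameter so
    the reader can be pointed at a copy of /proc when not on the live host."""
    base = Path(proc_root) / "sys/net/ipv4/conf"
    return {n: (base / n / "rp_filter").read_text().strip() for n in ("all", iface)}


def audit_wccp_host(nat_save: str, rp_values: dict,
                    iface: str = "wccp", port: int = 3128) -> list:
    """Return the problems found; an empty list means the host matches the recipe."""
    problems = []
    if not has_redirect_rule(nat_save, iface, port):
        problems.append("no REDIRECT rule for tcp on %s to port %d" % (iface, port))
    if effective_rp_filter(rp_values, iface) != 0:
        problems.append("reverse-path filtering still active on %s" % iface)
    return problems
```

On a live host, call audit_wccp_host with the output of iptables-save -t nat and read_rp_filter_values("wccp").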