Re: [squid-users] Connection time out error with tproxy
Hi Amos,

Thank you very much. This is the ifconfig result of the squid server. But it works in transparent mode, but why not in tproxy?

    eth0      Link encap:Ethernet  HWaddr
              inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Mask:255.255.255.252
              inet6 addr: fe80::21a:4bff:fe34:9af0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2435572 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2694449 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1371738325 (1.2 GiB)  TX bytes:1495109099 (1.3 GiB)
              Interrupt:16 Memory:f800-f8012100

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:2715 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2715 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:216227 (211.1 KiB)  TX bytes:216227 (211.1 KiB)

    wccp      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:xx.xx.xx.xx  P-t-P:xx.xx.xx.xx  Mask:255.255.255.255
              UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
              RX packets:1298005 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:142161462 (135.5 MiB)  TX bytes:0 (0.0 b)

WCCP -- GRE tunnel interface.

Thanks,
vk

vivek...@aol.in wrote:

Amos, Thanks again for your reply. We have configured squid + Tproxy + WCCP and client ip is redirected to the web server, but browser shows a connection timeout(110) error and it takes a long time even to display this error message. The access.log shows long timestamp value. Forward log shows the request has been forwarded. Squid works perfectly fine when configured as transparent proxy.

Aha. Check MTUs. This type of forwarded and no reply issue is usually seen on links where MTU-discovery is broken. It may be that there are ICMP info packets being sent to the client instead of Squid.

Amos

We need your valuable advice and if possible can you point out few areas where are all the possibilities for the problems to arise.

Thanks,
vk

vivek...@aol.in wrote:

Amos, Thanks for your reply. Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8 and linux kernel 2.6.20.21. Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works good. Tproxy without wccp works well by not revealing the server ip and only displaying the client ip. But once the wccp is enabled with tproxy, the server ip is revealed instead of the client ip. Please scroll down below to check our previous mails. Any suggestions please.

Other than checking your squid is built with --enable-linux-tproxy, none from me sorry. cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos

VK

-----Original Message-----
From: Amos Jeffries
To: Ritter, Nicholas
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration

Ritter, Nicholas wrote:

With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.

Nick

Yes. Squid-2.* has no support for TPROXY v4.1+. 3.1.0.3 or later is needed. Which is at least an RC beta now, more stable than pure 3.HEAD alpha code. Also the squid.conf and configure details have changed.

http://wiki.squid-cache.org/Features/Tproxy4

Amos

From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi, Thanks for the reply. It did help us solve the problem. But there is a new issue. We have configured as squid+tproxy. The squid ip is not displayed and only the client ip is displayed when we do the proxy test. But after configuring wccp we find that the server ip is displayed in the proxy test instead of the client ip. We also find that the http request is pathetically slow.

squid.conf

    wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
    wccp2_service dynamic 90
    wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
    http_port 3128 transparent tproxy

iptable:

    /usr/local/sbin/iptabl
Re: [squid-users] Connection time out error with tproxy
vivek...@aol.in wrote:

Amos, Thanks again for your reply. We have configured squid + Tproxy + WCCP and client ip is redirected to the web server, but browser shows a connection timeout(110) error and it takes a long time even to display this error message. The access.log shows long timestamp value. Forward log shows the request has been forwarded. Squid works perfectly fine when configured as transparent proxy.

Aha. Check MTUs. This type of forwarded and no reply issue is usually seen on links where MTU-discovery is broken. It may be that there are ICMP info packets being sent to the client instead of Squid.

Amos

We need your valuable advice and if possible can you point out few areas where are all the possibilities for the problems to arise.

Thanks,
vk

vivek...@aol.in wrote:

Amos, Thanks for your reply. Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8 and linux kernel 2.6.20.21. Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works good. Tproxy without wccp works well by not revealing the server ip and only displaying the client ip. But once the wccp is enabled with tproxy, the server ip is revealed instead of the client ip. Please scroll down below to check our previous mails. Any suggestions please.

Other than checking your squid is built with --enable-linux-tproxy, none from me sorry. cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos

VK

-----Original Message-----
From: Amos Jeffries
To: Ritter, Nicholas
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration

Ritter, Nicholas wrote:

With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.

Nick

Yes. Squid-2.* has no support for TPROXY v4.1+. 3.1.0.3 or later is needed. Which is at least an RC beta now, more stable than pure 3.HEAD alpha code. Also the squid.conf and configure details have changed.

http://wiki.squid-cache.org/Features/Tproxy4

Amos

From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi, Thanks for the reply. It did help us solve the problem. But there is a new issue. We have configured as squid+tproxy. The squid ip is not displayed and only the client ip is displayed when we do the proxy test. But after configuring wccp we find that the server ip is displayed in the proxy test instead of the client ip. We also find that the http request is pathetically slow.

squid.conf

    wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
    wccp2_service dynamic 90
    wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
    http_port 3128 transparent tproxy

iptable:

    /usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a gre tunnel based on the router identifier.

    wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid machine)

The following command is assigned at the router interface connected to the lan.

    ip wccp 80 redirect in
    ip wccp 90 redirect out

Following command at the router interface connected to squid.

    ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b)
Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5

    #lsmod
    ip_gre                 19616  0
    iptable_filter         11136  0
    ipt_TPROXY             11136  1
    ipt_REDIRECT           10624  0
    xt_tcpudp              11904  1
    reiserfs              235144  5
    iptable_tproxy         23036  2 ipt_TPROXY
    iptable_nat            15492  1 iptable_tproxy
    ip_nat                 24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
    ip_tables              25448  3 iptable_filter,iptable_tproxy,iptable_nat
    x_tables               23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
    ip_conntrack           53400  3 iptable_tproxy,iptable_nat,ip_nat

The internet works, but the browsing is dead slow. Temporarily we have bypassed squid to browse the net.

Thanks
VK

-----Original Message-----
From: Henrik Nordstrom
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration

Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:

    wccp2_router xxx.xx.xxx.xxx
    wccp_version 4
    wccp2_forwarding_method 1
    wccp2_ret
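The MTU check suggested in the reply above, as an added example that is not part of the original thread: it parses ifconfig-style output and shows which TCP segment sizes fit the direct link but not the GRE tunnel, so their delivery depends on fragmentation or on working path-MTU discovery. The sample text is constructed (placeholder addresses, with the MTU values 1500 and 1476 posted in this thread), the function names are hypothetical, and plain GRE over IPv4 without options is assumed.

```python
import re

# Constructed sample in net-tools ifconfig format; addresses are placeholders,
# MTU values are the ones posted in this thread.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.0.2.2  Bcast:192.0.2.3  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
wccp      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00
          inet addr:192.0.2.2  P-t-P:192.0.2.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
"""

GRE_OVERHEAD = 20 + 4    # outer IPv4 header + basic GRE header (assumed: no options)
TCPIP_HEADERS = 20 + 20  # inner IPv4 + TCP headers without options


def parse_mtus(text):
    """Return {interface: mtu} from net-tools ifconfig output."""
    mtus, current = {}, None
    for line in text.splitlines():
        start = re.match(r"(\S+)\s+Link encap:", line)
        if start:
            current = start.group(1)
        mtu = re.search(r"\bMTU:(\d+)", line)
        if mtu and current:
            mtus[current] = int(mtu.group(1))
    return mtus


def tunnel_report(mtus, phys, tunnel):
    """Compare the tunnel MTU with its carrier link and derive payload limits."""
    return {
        "tunnel_fits_link": mtus[tunnel] + GRE_OVERHEAD <= mtus[phys],
        "max_tcp_payload_direct": mtus[phys] - TCPIP_HEADERS,
        "max_tcp_payload_tunnel": mtus[tunnel] - TCPIP_HEADERS,
    }


def depends_on_pmtud(tcp_payload, report):
    """True when a segment fits the direct path but not the tunnel."""
    return (report["max_tcp_payload_tunnel"] < tcp_payload
            <= report["max_tcp_payload_direct"])


if __name__ == "__main__":
    report = tunnel_report(parse_mtus(SAMPLE_IFCONFIG), "eth0", "wccp")
    print(report)
    print("1460-byte segment needs PMTUD:", depends_on_pmtud(1460, report))
```

Any extra encapsulation header on the redirect path lowers the tunnel payload limit further than this calculation shows.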
[squid-users] Connection time out error with tproxy
Amos, Thanks again for your reply. We have configured squid + Tproxy + WCCP and client ip is redirected to the web server, but browser shows a connection timeout(110) error and it takes a long time even to display this error message. The access.log shows long timestamp value. Forward log shows the request has been forwarded. Squid works perfectly fine when configured as transparent proxy.

We need your valuable advice and if possible can you point out few areas where are all the possibilities for the problems to arise.

Thanks,
vk

vivek...@aol.in wrote:

Amos, Thanks for your reply. Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables 1.3.8 and linux kernel 2.6.20.21. Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works good. Tproxy without wccp works well by not revealing the server ip and only displaying the client ip. But once the wccp is enabled with tproxy, the server ip is revealed instead of the client ip. Please scroll down below to check our previous mails. Any suggestions please.

Other than checking your squid is built with --enable-linux-tproxy, none from me sorry. cttproxy was obsolete and officially unsupported before I ever heard of it.

Amos

VK

-----Original Message-----
From: Amos Jeffries
To: Ritter, Nicholas
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration

Ritter, Nicholas wrote:

With TProxy, I think you need to use Squid3-HEAD to reliably fix your issue. Amos would know for sure.

Nick

Yes. Squid-2.* has no support for TPROXY v4.1+. 3.1.0.3 or later is needed. Which is at least an RC beta now, more stable than pure 3.HEAD alpha code. Also the squid.conf and configure details have changed.

http://wiki.squid-cache.org/Features/Tproxy4

Amos

From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration

Hi, Thanks for the reply. It did help us solve the problem. But there is a new issue. We have configured as squid+tproxy. The squid ip is not displayed and only the client ip is displayed when we do the proxy test. But after configuring wccp we find that the server ip is displayed in the proxy test instead of the client ip. We also find that the http request is pathetically slow.

squid.conf

    wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
    wccp2_service dynamic 90
    wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
    http_port 3128 transparent tproxy

iptable:

    /usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a gre tunnel based on the router identifier.

    wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid machine)

The following command is assigned at the router interface connected to the lan.

    ip wccp 80 redirect in
    ip wccp 90 redirect out

Following command at the router interface connected to squid.

    ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(13b)
Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5

    #lsmod
    ip_gre                 19616  0
    iptable_filter         11136  0
    ipt_TPROXY             11136  1
    ipt_REDIRECT           10624  0
    xt_tcpudp              11904  1
    reiserfs              235144  5
    iptable_tproxy         23036  2 ipt_TPROXY
    iptable_nat            15492  1 iptable_tproxy
    ip_nat                 24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
    ip_tables              25448  3 iptable_filter,iptable_tproxy,iptable_nat
    x_tables               23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
    ip_conntrack           53400  3 iptable_tproxy,iptable_nat,ip_nat

The internet works, but the browsing is dead slow. Temporarily we have bypassed squid to browse the net.

Thanks
VK

-----Original Message-----
From: Henrik Nordstrom
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration

Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:

    wccp2_router xxx.xx.xxx.xxx
    wccp_version 4
    wccp2_forwarding_method 1
    wccp2_return_method 1
    wccp2_assignment_method 1
    wccp2_service dynamic 80
    wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
    wccp2_service dynamic 90
    wccp2_service_info 90 protocol=tcp flags=dst_ip_