Re: [squid-users] squid and wccp

2008-04-28 Thread Wennie V. Lagmay
I am trying to configure squid with WCCP and a cisco router, but with no luck.
This is what I have done. Please check my procedure and configuration:

for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address 
xx.xx.184.178
1. I configure squid with options enable-linux-netfilter

2. in squid.conf
http_port 8080 transparent
wccp2_router xx.xx.184.177
wccp2_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_address 0.0.0.0

3. modprobe ip_gre
   ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev 
eth1
   ip addr add xx.xx.184.178/32 dev wccp0
   ip link set wccp0 up

4. echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

5.iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-ports 8080

On Cisco router7206 npe300 with 12.2(31)

ip wccp version 2
ip wccp web-cache
!
interface fastethernet 1/0
description LAN
ip address 192.168.255.6 255.255.255.252
!
interface fastethernet 3/0
description internet connection
ip address xx.xx.184.177
ip wccp web-cache redirect out
!
ip route 0.0.0.0 0.0.0.0 192.158.255.5


Logs:

with linux cache.log I can see messages as:

wccp2HereIam: Sending to device id 0
Sending HereIam packet size 144
Incoming WCCPv2 I_SEE_YOU length 132
Complete packet receive

In Cisco router:

sho ip wccp web-cache

Global WCCP information:
Router information:
Router Identifier:   192.168.255.6
Protocol Version:2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:201
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0

  sho ip wccp web-cache detail
  Web Cache ID:  xx.xx.184.178
Protocol Version:  2.0
State: Usable
Initial Hash Info: 
   
Assigned Hash Info:
   
Hash Allotment:256 (100.00%)
Packets Redirected:201
Connect Time:  01:14:03


It seems everything is working fine, but when I configure the client browser without any 
proxy it does not browse. Note that if I manually define the IP address of the 
transparent proxy I can browse the web.

Can anybody help me on my problem? 

thank you very much,
Wennie



- Original Message -
From: Adrian Chadd [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: Adrian Chadd [EMAIL PROTECTED], squid-users 
squid-users@squid-cache.org
Sent: Saturday, April 26, 2008 8:31:43 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Sat, Apr 26, 2008, Wennie V. Lagmay wrote:
 I have a question: do I need to enable ip_gre and ip_wccp on my system? Using 
 kernel 2.6.24, I enabled ip_gre; does it mean it automatically enables 
 ip_wccp?

Just ip_gre. The GRE code shipped in Linux these days includes WCCPv2 packet
decoding.



HTH,


Adrian

 
 thanks  
 
 
 - Original Message -
 From: Adrian Chadd [EMAIL PROTECTED]
 To: Wennie V. Lagmay [EMAIL PROTECTED]
 Cc: squid-users squid-users@squid-cache.org
 Sent: Saturday, April 26, 2008 12:38:07 PM (GMT+0300) Asia/Kuwait
 Subject: Re: [squid-users] squid and wccp
 
 http://wiki.squid-cache.org/ConfigExamples/
 
 
 
 Adrian
 
 On Sat, Apr 26, 2008, Wennie V. Lagmay wrote:
  Hi all,
  Can anybody give me a step by step configuration to enable WCCP in both 
  router and squid2.6.stable19.
  
  Here are the details:
  
  router = cisco7206VXR
  IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2)
  FE0/0   = xx.xx.184.17/28
  
  squid:
  
  OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP
  squid version = squid-2.6Stable19
  eth1 = xx.xx.184.22/28
  
  I am trying to follow the configuration in the squid FAQ but it is very hard 
  for me because this is my first time doing this kind of setup. I would highly 
  appreciate it if you can provide me a step by step configuration for cisco 
  router and squid box to enable WCCP version 2
  
  Thank you and best regards,
  
  wennie
 
 -- 
 - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support 
 -
 - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -



Re: [squid-users] Squid and OWA strange problem

2008-04-28 Thread Franz Angeli
Hi

with balance_on_multiple_ip off all works fine, thanks for the support!


2008/4/26 Franz Angeli [EMAIL PROTECTED]:
 I think you're right! In my squid test environment Telecom OWA works
  with balance_on_multiple_ip off,

  On monday i can test on production environment.

  Thank you Guido!


  2008/4/25 Guido Serassio [EMAIL PROTECTED]:


  Hi,
  
  
At 10:04 25/04/2008, Franz Angeli wrote:
  
My squid server is only a cache proxy, reverse proxy on remote
exchange OWA server is some Microsoft ISA stuff.
   
  
I think there is something very wrong in this OWA server setup:
  
C:\> nslookup mail.telecomitalia.it
Server:  titano.acmeconsulting.loc
Address:  172.30.128.1
  
Non-authoritative answer:
Name:mail.telecomitalia.it
Addresses:  156.54.233.103, 156.54.233.102
  
Adding balance_on_multiple_ip off to your squid.conf should fix your
   problem.
  
A round robin configuration for an OWA front-end is really a stupid solution
   because OWA is a session based web application.
  
I love the incompetency of Telecom Italia people.
  
  
  
Regards
  
Guido
  
  
  
-

Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1   10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135  Fax. : +39.011.9781115
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/
  
  



Re: [squid-users] squid and wccp

2008-04-28 Thread Manoj_Rajkarnikar

On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:


I am trying to configure squid with WCCP and a cisco router, but with no luck.
This is what I have done. Please check my procedure and configuration:

for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address 
xx.xx.184.178
1. I configure squid with options enable-linux-netfilter


please provide output of squid -v



2. in squid.conf
   http_port 8080 transparent
   wccp2_router xx.xx.184.177
   wccp2_version 4
   wccp2_forwarding_method 1
   wccp2_return_method 1
   wccp2_service standard 0
   wccp2_address 0.0.0.0

3. modprobe ip_gre
  ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev eth1
  ip addr add xx.xx.184.178/32 dev wccp0
  ip link set wccp0 up

4. echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

5.iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
--to-ports 8080

On Cisco router7206 npe300 with 12.2(31)

ip wccp version 2
ip wccp web-cache
!
interface fastethernet 1/0
description LAN
ip address 192.168.255.6 255.255.255.252
!
interface fastethernet 3/0
description internet connection
ip address xx.xx.184.177
ip wccp web-cache redirect out
!
ip route 0.0.0.0 0.0.0.0 192.158.255.5



Which interface connects to the internet? The default route indicates fa1/0 to be 
connected to the internet. If it is fa1/0, the "ip wccp web-cache redirect out" 
command should be on fa1/0.




Logs:

with linux cache.log I can see messages as:

wccp2HereIam: Sending to device id 0
Sending HereIam packet size 144
Incoming WCCPv2 I_SEE_YOU length 132
Complete packet receive

In Cisco router:

sho ip wccp web-cache

Global WCCP information:
   Router information:
   Router Identifier:   192.168.255.6
   Protocol Version:2.0

   Service Identifier: web-cache
   Number of Cache Engines: 1
   Number of routers:   1
   Total Packets Redirected:201
   Redirect access-list:-none-
   Total Packets Denied Redirect:   0
   Total Packets Unassigned:0
   Group access-list:   -none-
   Total Messages Denied to Group:  0
   Total Authentication failures:   0

 sho ip wccp web-cache detail
 Web Cache ID:  xx.xx.184.178
   Protocol Version:  2.0
   State: Usable
   Initial Hash Info: 
  
   Assigned Hash Info:
  
   Hash Allotment:256 (100.00%)
   Packets Redirected:201
   Connect Time:  01:14:03



what about tcpdump on wccp0 interface.. does show any traffic being 
redirected. does access.log show the connections??




It seems everything is working fine, but when I configure the client browser without any 
proxy it does not browse. Note that if I manually define the IP address of the 
transparent proxy I can browse the web.

Can anybody help me on my problem?

thank you very much,
Wennie



- Original Message -
From: Adrian Chadd [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: Adrian Chadd [EMAIL PROTECTED], squid-users 
squid-users@squid-cache.org
Sent: Saturday, April 26, 2008 8:31:43 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Sat, Apr 26, 2008, Wennie V. Lagmay wrote:

I have a question: do I need to enable ip_gre and ip_wccp on my system? Using 
kernel 2.6.24, I enabled ip_gre; does it mean it automatically enables 
ip_wccp?


Just ip_gre. The GRE code shipped in Linux these days includes WCCPv2 packet
decoding.



HTH,


Adrian



thanks


- Original Message -
From: Adrian Chadd [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: squid-users squid-users@squid-cache.org
Sent: Saturday, April 26, 2008 12:38:07 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

http://wiki.squid-cache.org/ConfigExamples/



Adrian

On Sat, Apr 26, 2008, Wennie V. Lagmay wrote:

Hi all,
Can anybody give me a step by step configuration to enable WCCP in both router 
and squid2.6.stable19.

Here are the details:

router = cisco7206VXR
IOS ver = 12.3 (8) T, RELEASE SOFTWARE (fc2)
FE0/0   = xx.xx.184.17/28

squid:

OS = FC8 64bit with kernel version 2.6.24.4-64.fc8 #1 SMP
squid version = squid-2.6Stable19
eth1 = xx.xx.184.22/28

I am trying to follow the configuration in the squid FAQ but it is very hard for me 
because this is my first time doing this kind of setup. I would highly appreciate 
it if you can provide me a step by step configuration for cisco router and squid 
box to enable WCCP version 2

Thank you and best regards,

wennie


--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available 

Re: [squid-users] squid and wccp

2008-04-28 Thread Wennie V. Lagmay
A. squid -v

Squid Cache: Version 2.6.STABLE19
configure options:  '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' 
'--libexecdir=/usr/lib/squid' '--localstatedir=/spool/squid' 
'--sysconfdir=/etc/squid' '--enable-snmp' '--enable-kill-parent-hack' 
'--enable-delay-pools' '--enable-storeio=aufs,diskd,null' 
'--enable-removal-policies=heap,lru' '--enable-arp-acl' '--enable-large-files' 
'--enable-ssl' '--enable-linux-netfilter' '--with-maxfd=16384'


B. ip wccp version 2
ip wccp web-cache
!
interface fastethernet 1/0
description internet connection
ip address 192.168.255.6 255.255.255.252
!
interface fastethernet 3/0
description LAN
ip address xx.xx.184.177
ip wccp web-cache redirect out
!
ip route 0.0.0.0 0.0.0.0 192.158.255.5

C. [EMAIL PROTECTED] ~]# tcpdump -i wccp0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked 
socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

:note that 778 is my ssh port, also there is no log being shown in the 
access.log

tcpdump 
IP 192.168.255.6 > xx.xx.184.178: GREv0, length 56: gre-proto-0x883e
STP 802.1d, Config, Flags [none], bridge-id xx, length 43

D. ifconfig

wccp0 Link encap:UNSPEC  HWaddr 
4F-62-B8-B2-00-00-00-00-00-00-00-00-00-00-00-00
  inet addr:xx.xx.184.178  P-t-P:xx.xx.184.178  Mask:255.255.255.255
  UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

:note the packets received and sent






- Original Message -
From: Manoj_Rajkarnikar [EMAIL PROTECTED]
To: Wennie V. Lagmay [EMAIL PROTECTED]
Cc: squid-users squid-users@squid-cache.org
Sent: Monday, April 28, 2008 2:22:34 PM (GMT+0300) Asia/Kuwait
Subject: Re: [squid-users] squid and wccp

On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:

 I am trying to configure squid wccp and cisco router but with no luck.
 This is what I have done. Please check my procedure and confoguration:

 for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address 
 xx.xx.184.178
 1. I configure squid with options enable-linux-netfilter

please provide output of squid -v


 2. in squid.conf
http_port 8080 transparent
wccp2_router xx.xx.184.177
wccp2_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_address 0.0.0.0

 3. modprobe ip_gre
   ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev 
 eth1
   ip addr add xx.xx.184.178/32 dev wccp0
   ip link set wccp0 up

 4. echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter

 5.iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

 6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
 --to-ports 8080

 On Cisco router7206 npe300 with 12.2(31)

 ip wccp version 2
 ip wccp web-cache
 !
 interface fastethernet 1/0
 description LAN
 ip address 192.168.255.6 255.255.255.252
 !
 interface fastethernet 3/0
 description internet connection
 ip address xx.xx.184.177
 ip wccp web-cache redirect out
 !
 ip route 0.0.0.0 0.0.0.0 192.158.255.5


Which interface connects to the internet? The default route indicates fa1/0 to be 
connected to the internet. If it is fa1/0, the "ip wccp web-cache redirect out" 
command should be on fa1/0.


 Logs:

 with linux cache.log I can see messages as:

 wccp2HereIam: Sending to device id 0
 Sending HereIam packet size 144
 Incoming WCCPv2 I_SEE_YOU length 132
 Complete packet receive

 In Cisco router:

 sho ip wccp web-cache

 Global WCCP information:
Router information:
Router Identifier:   192.168.255.6
Protocol Version:2.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:201
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0

  sho ip wccp web-cache detail
  Web Cache ID:  xx.xx.184.178
Protocol Version:  2.0
State: Usable
Initial Hash Info: 
   
Assigned Hash Info:
   
Hash Allotment:256 (100.00%)
Packets Redirected:201
Connect Time:  01:14:03


what about tcpdump on wccp0 interface.. does show any traffic being 
redirected. does access.log show the 

[squid-users] OpenBSD and pf - Transparent proxy

2008-04-28 Thread Chris Benesch
This is how to set up a transparent proxy with OpenBSD, pf, and Squid.

A transparent proxy is a proxy that intercepts all connections out of a
network on port 80.  The reason that I wanted to have a transparent proxy is
because I wanted to cache all IPv4 traffic and allow IPv6 traffic to flow
unimpeded.  I have the OpenBSD box running a NAT with the cable company,
serving a web site, and acting as a router for an IPv6 tunnel and my own /64
I was assigned by my tunnel broker.

I am using squid-2.6STABLE19 and OpenBSD 4.1, MP kernel.

root:openbsd [/root] > uname -a
OpenBSD maricopacomputer.com 4.1 GENERIC.MP#1225 i386

First, compile and install Squid.  I used the following options: "./configure
--prefix=/var/squid --with-pthreads --enable-pf-transparent" (obviously the
prefix is entirely up to the user's choice).

Then inside squid.conf, all of the options are pretty much boilerplate
except for the following:

acl our_networks src 192.168.231.0/24 127.0.0.1
http_access allow our_networks

You must add 127.0.0.1 to your acl.

# Squid normally listens to port 3128
http_port 192.168.231.1:3128 transparent
http_port 127.0.0.1:3128 transparent

I had to have it listen on two ip addresses, one of which being localhost.
Also note the transparent keyword at the end.

Then in pf.conf, the following changes need to be made.

In the top portion where you "set skip" on your internal interfaces, remove
those lines.  Those lines tell the pf filter not to do any processing on
packets coming in on an internal interface.
#set skip on $int_if    # these lines commented out
#set skip on $wi_if

# redirect only IPv4 web traffic to squid
rdr pass inet proto tcp from 192.168.231.0/24 to any port 80 -> 127.0.0.1 port 3128

block in
pass in quick on $int_if
pass in quick on $wi_if
pass out keep state

Some pointers:

1 . Use "rdr pass" instead of "rdr on ...": because of the way pf
evaluates packets, the packet would fall through and be allowed as is instead of
redirected if you don't use "rdr pass".
2 . Make sure to add the "pass in quick" lines.  Myself I have two internal
interfaces, one for wired and one for wireless internet.  Although there is
a bridge configured, strange things happen sometimes when you don't
explicitly allow all traffic on both interfaces.  If you don't add these
lines, you will lose local network connectivity and have to go to the
console to figure it out.
3 . If it seems to be ignoring your changes and no redirection is happening,
make sure you removed the set skip on ... lines.
4 . To test if it worked, use the nc utility.  From the command line type in
(as root) nc -l 3128 (with squid stopped of course) and then try to navigate
to a page with it running.  You should see an output like this:

root:openbsd [/root] > nc -l 3128
GET /mail/?ui=pb HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; GNotify 1.0.25.0)
Host: mail.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: GV=...You get the picture


From there on out, just set your browsers up normally with no proxy server,
and you should see the cache fill up and your browsing speed up.



[squid-users] Testing transparent squid in VM

2008-04-28 Thread Wundy

Greetings all!

I am currently trying to run a transparent proxy in a testing environment.
I have one VM with 2 network cards. 1 is set on vmnet2 the other one NAT to
the internet.
my server is running squid in transparent mode on the internal IP address of
192.168.0.12/24 
and the client is set on 192.168.0.7/24 with its default gateway pointing
towards 0.12.
now when I try to open iceweasel I cannot get through to the internet, when
I input my proxy settings, it does work.

how do I fix this ?
I tried redirecting traffic with IPtables but it didn't work,
here is the script I used:
eth2 is the internal lan
eth1 the internet
#!/bin/bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -A INPUT -i eth2 -j ACCEPT
iptables -A OUTPUT -o eth2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.0.12:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

best wishes

-- 
View this message in context: 
http://www.nabble.com/Testing-transparent-squid-in-VM-tp16939142p16939142.html
Sent from the Squid - Users mailing list archive at Nabble.com.



Re: [squid-users] Testing transparent squid in VM

2008-04-28 Thread Amos Jeffries

Wundy wrote:

Greetings all!

I am currently trying to run a transparent proxy in a testing environment.
I have one VM with 2 network cards. 1 is set on vmnet2 the other one NAT to
the internet.
my server is running squid in transparent mode on the internal IP address of
192.168.0.12/24 
and the client is set on 192.168.0.7/24 with its default gateway pointing
towards 0.12.
now when I try to open iceweasel I cannot get through to the internet, when
I input my proxy settings, it does work.

how do I fix this ?
I tried redirecting traffic with IPtables but it didn't work,
here is the script I used:
eth2 is the internal lan
eth1 the internet
#!/bin/bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -A INPUT -i eth2 -j ACCEPT
iptables -A OUTPUT -o eth2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.0.12:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128

best wishes



You should be able to use just:

 iptables -t nat -A PREROUTING -s ! 192.168.0.12 -p tcp --dport 80 -j REDIRECT --to-port 3128

 iptables -t nat -A POSTROUTING -j MASQUERADE

squid.conf:
  http_port 3128 transparent


If that still won't work:
 - Ensure that your squid has ONLY one transparent option 
(--enable-linux-netfilter) configured.

 - Check that squid is receiving requests (access.log or cache.log)
 - Check squid has access outbound (usually cache.log)
 - Check whether NAT is failing (cache.log)


Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
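
Amos's two-rule version above is enough to get going. The script below is an added example, not code from the thread or from the Squid project: it emits an iptables-restore ruleset that scopes the REDIRECT to the LAN interface and excludes the proxy's own address, so Squid's outbound fetches cannot be looped back into it, and it closes the Squid port to anything not arriving from the LAN, so the box cannot be used as an open proxy from the internet side. Interface names and addresses are the ones in Wundy's message; the filter rules are an assumption about a box that otherwise accepts everything.

```shell
#!/bin/sh
# Added example (not from the thread): interception rules for a Squid box with a
# LAN interface and a NAT'd internet interface. Values are Wundy's; the filter
# rules are assumptions about a box that otherwise accepts everything.
LAN_IF=eth2            # internal LAN (client 192.168.0.7 lives here)
WAN_IF=eth1            # NAT to the internet
PROXY_IP=192.168.0.12  # Squid's LAN address
SQUID_PORT=3128        # matches "http_port 3128 transparent"

# Print an iptables-restore ruleset. Only packets that arrive on the LAN
# interface and are not from the proxy itself are redirected: Squid's own
# fetches leave via OUTPUT, and a REDIRECT without "-i $LAN_IF" / "! -s $PROXY_IP"
# can steer replies or forwarded traffic back into Squid.
intercept_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT ! -i lo -p tcp --dport $SQUID_PORT -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Interception is useless unless the box forwards; report the current state.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Sanity check on a ruleset: the REDIRECT must be scoped to the LAN interface
# and must exclude the proxy's own address. Returns 0 if both hold.
ruleset_is_scoped() {
    printf '%s\n' "$1" | grep -q -- "-A PREROUTING -i $LAN_IF ! -s $PROXY_IP .* -j REDIRECT"
}

case "${1:-}" in
    apply)
        forwarding_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
        intercept_ruleset | iptables-restore ;;   # needs root
    *)
        intercept_ruleset ;;                       # dry run: print the ruleset
esac
```

Run it with no arguments to see the ruleset, or with "apply" as root to load it; the INPUT rules are what keep port 3128 reachable only from the LAN side.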


Re: [squid-users] OpenBSD and pf - Transparent proxy

2008-04-28 Thread Amos Jeffries

Chris Benesch wrote:

This is how to set up a transparent proxy with OpenBSD, pf, and Squid.

A transparent proxy is a proxy that intercepts all connections out of a
network on port 80.  The reason that I wanted to have a transparent proxy is
because I wanted to cache all IPv4 traffic and allow IPv6 traffic to flow
unimpeded.  I have the OpenBSD box running a NAT with the cable company,
serving a web site, and acting as a router for an IPv6 tunnel and my own /64
I was assigned by my tunnel broker.

I am using squid-2.6STABLE19 and OpenBSD 4.1, MP kernel.

root:openbsd [/root] > uname -a
OpenBSD maricopacomputer.com 4.1 GENERIC.MP#1225 i386

First, compile and install Squid.  I used the following options: "./configure
--prefix=/var/squid --with-pthreads --enable-pf-transparent" (obviously the
prefix is entirely up to the user's choice).

Then inside squid.conf, all of the options are pretty much boilerplate
except for the following:

acl our_networks src 192.168.231.0/24 127.0.0.1
http_access allow our_networks

You must add 127.0.0.1 to your acl.

# Squid normally listens to port 3128
http_port 192.168.231.1:3128 transparent

http_port 127.0.0.1:3128 transparent


I had to have it listen on two ip addresses, one of which being localhost.
Also note the transparent keyword at the end.

Then in pf.conf, the following changes need to be made.

In the top portion where you "set skip" on your internal interfaces, remove
those lines.  Those lines tell the pf filter not to do any processing on
packets coming in on an internal interface.
#set skip on $int_if    # these lines commented out
#set skip on $wi_if


# redirect only IPv4 web traffic to squid
rdr pass inet proto tcp from 192.168.231.0/24 to any port 80 -> 127.0.0.1 port 3128


Does it work if you omit the 127.0.0.1 bits?

We don't exactly want to recommend people route external 'random' 
packets into the highly-trusted localhost zones.




block in
pass in quick on $int_if
pass in quick on $wi_if
pass out keep state

Some pointers:

1 . Use "rdr pass" instead of "rdr on ...": because of the way pf
evaluates packets, the packet would fall through and be allowed as is instead of
redirected if you don't use "rdr pass".
2 . Make sure to add the "pass in quick" lines.  Myself I have two internal
interfaces, one for wired and one for wireless internet.  Although there is
a bridge configured, strange things happen sometimes when you don't
explicitly allow all traffic on both interfaces.  If you don't add these
lines, you will lose local network connectivity and have to go to the
console to figure it out.
3 . If it seems to be ignoring your changes and no redirection is happening,
make sure you removed the set skip on ... lines.
4 . To test if it worked, use the nc utility.  From the command line type in
(as root) nc -l 3128 (with squid stopped of course) and then try to navigate
to a page with it running.  You should see an output like this:

root:openbsd [/root] > nc -l 3128

GET /mail/?ui=pb HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; GNotify 1.0.25.0)
Host: mail.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: GV=...You get the picture


From there on out, just set your browsers up normally with no proxy server,
and you should see the cache fill up and your browsing speed up.




--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
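
One way to take Amos's advice and keep the redirect out of localhost, written as an added example that is neither Chris's pf.conf nor anything from the Squid project: the rdr is bound to the internal interface and points at the internal address, and the proxy port is blocked on the external interface, so only packets that really entered from the LAN can reach Squid (which should then listen on that internal address alone). Interface names fxp0/fxp1 are assumed; the LAN prefix and address are the ones in the post, and the "rdr ... ->" syntax is the OpenBSD 4.1 form used above.

```shell
#!/bin/sh
# Added example (not from the post): pf rules that intercept LAN port-80 traffic
# without redirecting into 127.0.0.1. fxp0/fxp1 are assumed interface names;
# the LAN prefix and gateway address are the ones from the post.
EXT_IF=fxp0                 # assumed external interface
INT_IF=fxp1                 # assumed internal (wired) interface
INT_NET=192.168.231.0/24
INT_ADDR=192.168.231.1      # LAN-facing address; Squid listens here, not on lo0
SQUID_PORT=3128

# Print the rules. "rdr pass on $INT_IF" applies the redirect only to packets
# entering from the LAN, so nothing arriving on the external interface can be
# steered at the proxy, and the target is the LAN-facing address rather than lo0.
pf_rules() {
    cat <<EOF
rdr pass on $INT_IF inet proto tcp from $INT_NET to any port 80 -> $INT_ADDR port $SQUID_PORT

block in
block in quick on $EXT_IF proto tcp to port $SQUID_PORT
pass in quick on $INT_IF
pass out keep state
EOF
}

# Extract the redirect target address from a ruleset ("-> addr port N").
rdr_target() {
    printf '%s\n' "$1" | sed -n 's/^rdr .* -> \([^ ]*\) port [0-9]*$/\1/p'
}

# Policy check: the redirect must exist and must not land on loopback.
rdr_avoids_localhost() {
    t=$(rdr_target "$1")
    [ -n "$t" ] && [ "$t" != 127.0.0.1 ]
}

case "${1:-}" in
    check) pf_rules | pfctl -nf - ;;   # syntax check on OpenBSD, nothing loaded
    *)     pf_rules ;;                 # dry run: print the rules
esac
```

With these rules the matching squid.conf needs only "http_port 192.168.231.1:3128 transparent"; the 127.0.0.1 listener and the 127.0.0.1 entry in the src ACL are no longer needed.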


[squid-users] NO_CACHE

2008-04-28 Thread Tiago Durante
Hi all!

I'm trying to use this function, but until now I couldn't obtain any
success in my tests.
I won't even put here the tests I already made because,
actually, I can't remember exactly what I already did. =(

Is anybody using it to not cache pages? Can I see an example?

I'm using Squid 2.6.STABLE14...

Tks a lot!


-- 
Tiago Durante

,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
Perseverance is the hard work you do after you
get tired of doing the hard work you already did.
-- Newt Gingrich


RE: [squid-users] NO_CACHE

2008-04-28 Thread Jorge Bastos
For example for my local network 192.168.1.0/24

acl all_cache src 192.168.1.0/24
no_cache deny all_cache



 -Original Message-
 From: Tiago Durante [mailto:[EMAIL PROTECTED]
 Sent: segunda-feira, 28 de Abril de 2008 15:37
 To: squid-users@squid-cache.org
 Subject: [squid-users] NO_CACHE
 
 Hi all!
 
 I'm trying to use this function, but until now I couldn't obtain any
 success in my tests.
 I won't even put here the tests I already made because,
 actually, I can't remember exactly what I already did. =(
 
 Is anybody using it to not cache pages? Can I see an example?
 
 I'm using Squid 2.6.STABLE14...
 
 Tks a lot!
 
 
 --
 Tiago Durante
 
 ,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
 Perseverance is the hard work you do after you
 get tired of doing the hard work you already did.
 -- Newt Gingrich



[squid-users] squid 2.4 and support.microsoft.com

2008-04-28 Thread Les F
I am running squid 2.4 (not by choice), its part of my sidewinder firewall.

Am having users complain because they cannot get to support.microsoft.com

Found a work around that is good for 2.6 but won't work in 2.4

acl support.microsoft.com dstdomain support.microsoft.com
header_access Accept-Encoding deny support.microsoft.com


The header_access line isn't supported in 2.4

I am working on getting a separate (and newer squid online), but until then are
there any rules I could apply in 2.4 that would solve my problem?

Thanks in advance...
Les F


Re: [squid-users] squid always missing images

2008-04-28 Thread Henrik Nordstrom
On Sat, 2008-04-26 at 09:48 +0930, Jayel Villamin wrote:

 The problem is that when I clicked on previous to view the previous
 image, Firefox begins to redownload the image. I checked access.log
 and I still get a tcp_miss. I did this several time and it seems it's
 all a miss for the same image.
 
 I thought squid is suppose to just retrieved the image from the cache?

That's the idea, but not all web masters think it's a good idea. Most
often due to a lack of understanding of why caching helps them..

 here's a snippet of my access log. Please note the double miss
 entries. (1st and last lines)
 
 1209124884.112  22063 192.168.1.2 TCP_MISS/200 171857 GET
 http://www.j-spec.com.au/list/12536/3.jpg - DIRECT/67.15.56.51
 image/jpeg
 1209124995.393  23141 192.168.1.2 TCP_MISS/200 171857 GET
 http://www.j-spec.com.au/list/12536/3.jpg - DIRECT/67.15.56.51
 image/jpeg

This image is not allowed to be cached at all.

http://www.ircache.net/cgi-bin/cacheability.py?query=http%3A%2F%2Fwww.j-spec.com.au%2Flist%2F12536%2F3.jpg&descend=on


Regards
Henrik



Re: [squid-users] squid and wccp

2008-04-28 Thread Henrik Nordstrom
On Mon, 2008-04-28 at 12:03 +0300, Wennie V. Lagmay wrote:

 for squid version 2.6Stable19 running on Fedora Core 8 64 bit with ip address 
 xx.xx.184.178
 1. I configure squid with options enable-linux-netfilter
 
Ok

 2. in squid.conf
 http_port 8080 transparent
 wccp2_router xx.xx.184.177

[...]

 3. modprobe ip_gre
ip tunnel add wccp0 mode gre remote xx.xx.184.177 local xx.xx.184.178 dev 
 eth1
ip addr add xx.xx.184.178/32 dev wccp0
ip link set wccp0 up

[...]

 4.echo 0 /proc/sys/net/ipv4/conf/wccp0/rp_filter

Ok.

 5.iptables -t nat -A PREROUTING -p tcp -i wccp0 -j REDIRECT --to-ports 8080

Ok.

 6. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT 
 --to-ports 8080

Why?


 Global WCCP information:
 Router information:
 Router Identifier:   192.168.255.6

Hmm.. This does not match your configuration above.

The Cisco router identifier is important for WCCP operation. This is the
address the Cisco uses for GRE.

Regards
Henrik
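
Henrik's point above is the one to act on: the Cisco sources its GRE packets from its WCCP Router Identifier (192.168.255.6 in the "sho ip wccp web-cache" output), not from the address given to wccp2_router, and ip_gre only hands a packet to a tunnel whose "remote" matches the outer source. That is consistent with the thread's wccp0 counters sitting at zero while the router reports packets redirected. The script below is an added example, not code from the thread or from the Squid project: it keys the tunnel on the router identifier, restricts the REDIRECT to port 80 arriving through wccp0 (no rule on eth0, which Henrik also questions), and includes a check that compares the source address seen in a tcpdump GRE line with the tunnel's remote. xx.xx.184.178 is the thread's masked proxy address and must be replaced before "apply".

```shell
#!/bin/sh
# Added example (not from the thread): bring up the WCCPv2 GRE tunnel keyed on the
# Cisco "Router Identifier" and check live traffic against it.
# Values are the ones visible in the thread; xx.xx.184.178 is the masked proxy
# address and must be replaced before "apply".
ROUTER_ID=192.168.255.6   # Router Identifier from "sho ip wccp web-cache": the GRE outer source
PROXY_IP=xx.xx.184.178    # Squid box address on eth1
PROXY_PORT=8080           # matches "http_port 8080 transparent"

# Extract the outer source address from a tcpdump line describing a GREv0 packet.
# Prints nothing and returns 1 for lines that are not GRE.
gre_source_from_tcpdump() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*IP \([0-9][0-9.]*\) > [0-9][0-9.]*: GREv0.*$/\1/p' \
        | grep .
}

# Compare the address the router really sends GRE from ($2: a tcpdump line) with
# the tunnel's configured remote ($1). Returns 0 on match, 1 on mismatch, 2 if
# the line carries no GRE packet at all.
check_tunnel_remote() {
    observed=$(gre_source_from_tcpdump "$2") || { echo "no GRE packet in: $2"; return 2; }
    if [ "$observed" = "$1" ]; then
        echo "ok: router sends GRE from $observed, tunnel remote matches"
        return 0
    fi
    echo "mismatch: tunnel remote is $1 but router sends GRE from $observed"
    return 1
}

# Emit the setup commands. The tunnel remote is the router identifier, not the
# address given to wccp2_router: ip_gre delivers a packet to a tunnel only when
# the outer source matches that tunnel's remote, so a wrong remote leaves wccp0
# at "RX packets:0" while the router still counts packets as redirected.
# The REDIRECT is limited to port 80 arriving through the tunnel; no rule on eth0.
wccp_setup_commands() {
    cat <<EOF
modprobe ip_gre
ip tunnel add wccp0 mode gre remote $ROUTER_ID local $PROXY_IP dev eth1
ip addr add $PROXY_IP/32 dev wccp0
ip link set wccp0 up
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
EOF
}

case "${1:-}" in
    apply)  wccp_setup_commands | sh -e ;;   # needs root
    verify) check_tunnel_remote "$ROUTER_ID" "$(tcpdump -n -c 1 -i eth1 ip proto 47 2>/dev/null)" ;;
    *)      wccp_setup_commands ;;           # dry run: print what would be done
esac
```

"verify" captures one GRE packet on eth1 (IP protocol 47) and reports whether its source is the address the tunnel expects; a mismatch is exactly the situation the "RX packets:0" counter in the thread points at.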



RE: [squid-users] NO_CACHE

2008-04-28 Thread Henrik Nordstrom
On Mon, 2008-04-28 at 16:32 +0100, Jorge Bastos wrote:
 For example for my local network 192.168.1.0/24
 
 acl all_cache src 192.168.1.0/24
 no_cache deny all_cache

Correct syntax is

cache deny all_cache

(no_cache was renamed to cache in 2.6)



Re: [squid-users] squid 2.4 and support.microsoft.com

2008-04-28 Thread Henrik Nordstrom
On Mon, 2008-04-28 at 12:38 -0400, Les F wrote:

 I am working on getting a separate (and newer squid online), but until then 
 are
 there any rules I could apply in 2.4 that would solve my problem?

Good question. I don't remember what 2.4 looks like any more.. too many
years (6+ years).

but look for anonymization in squid.conf.default. header_access came
from the anonymization functions in earlier Squid versions..

Regards
Henrik



[squid-users] transparent + reverse proxy + server is posible ?

2008-04-28 Thread F.
Hello,
I am thinking about making a [transparent proxy + http accelerator +
server] on the same machine.
But I do not know if this configuration is secure. 
-LAN to Internet: transparent proxy using acl LAN, port 80 redirected
to the squid port in the firewall. Destination all.
-Internet to server: http accelerator. 80 redirected to 3128 on the
firewall. Destination only server domain names.


Is it secure?
Could an http accelerator and a transparent proxy work fine on the same
machine with the same squid server?


 acl all src 0.0.0.0/0.0.0.0 
 acl manager proto cache_object 
 acl localhost src 127.0.0.1/255.255.255.255
 acl to_localhost dst 127.0.0.0/8
 acl Safe_ports port 80  # http 
 acl Safe_ports port 1025-65535  # unregistered ports 
 acl CONNECT method CONNECT 
 acl SSL_ports port 443 
 
 http_access allow manager localhost
 http_access deny manager  
  
 http_access deny !Safe_ports 
 http_access deny CONNECT !SSL_ports
 
 acl LAN src 192.168.1.0/24
 http_access allow LAN
 
 acl XENO dstdomain   .my.server.com# Destination server from URL  
   
 http_access allow XENO
 # Really I do not understand well how to make the union of two prerequisites, 
 that should be:
 # (source all acl && dstdomain .my.server.com) to allow access from Internet 
 to server.
 
 http_access allow localhost
 http_access deny all

-- 




--
Publicidad http://www.pas-world.com



[squid-users] squid_session

2008-04-28 Thread Emanuel dos Reis Rodrigues
I need to display a splash page on the first logon ...  I saw the helper 
squid_session and tried configuring it, but it is not working ...  with the 
following config:


external_acl_type session ttl=300 negative_ttl=0 children=1 
concurrency=200 %LOGIN /usr/lib/squid/squid_session


acl session external session

http_access deny !session

deny_info http://192.168.227.126/index.html session


when I access any site, it always redirects to 192.168.227.126 ...


Does somebody have this configuration working fine?

I would like to use the authentication feature with squid_session 

Is this possible?


I use squid 2.6

thanks,






Re: [squid-users] transparent + reverse proxy + server is posible ?

2008-04-28 Thread Amos Jeffries

F. wrote:

Hello,
I am thinking about make a [transparent proxy + http accelerator +
server] on the same machine.
But I do not know if it is secure this configuration. 
-Lan to Internet: Transparent proxy using acl LAN, redirected port 80

to squid port in firewall. Destination all.
-Internet to Server. http accelerator. 80 to 3128 redirected on
firewall. Destination only server domain names.


Is it secure?
Could work fine in the same machine http accelerator and transparent
proxy with the same squid server?


Using 2.6+ or 3.0+ yes it should work fine.
2.5 and earlier had configuration problems.

Security level is all how you set your ACL and access lines in Squid.
The Server needs to run on a non-80 port or different IP address on the 
same box (ie 127.0.0.1)





acl all src 0.0.0.0/0.0.0.0 
acl manager proto cache_object 
acl localhost src 127.0.0.1/255.255.255.255

acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80  # http 
acl Safe_ports port 1025-65535  # unregistered ports 
acl CONNECT method CONNECT 
acl SSL_ports port 443 

http_access allow manager localhost
http_access deny manager   
http_access deny !Safe_ports 


I'd advise sticking 443 back in the Safe_ports.
The line above will drop all CONNECT requests before they get to be 
allowed, just because the port is !Safe_ports.


http_access deny CONNECT !SSL_ports


acl LAN src 192.168.1.0/24
http_access allow LAN

acl XENO dstdomain .my.server.com   # Destination server from URL
http_access allow XENO

# Really I do not understand well how to make the union of two prerequisites,
# that should be:
# (source all acl dstdomain .my.server.com) to allow access from Internet to
# server.


'all' has no effect when joined unless you want !all. It's always implied.



http_access allow localhost
http_access deny all




Looks like a good setup there for the Access Controls.
Just add the 'transparent' and 'accel vhost defaultsite=my.server.com' 
options to the matching http_port lines.


And some cache_peer to handle the accelerator back-end would be very useful.

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
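
Both F.'s question about "the union of two prerequisites" and Amos's remark about CONNECT being dropped by !Safe_ports come down to how Squid evaluates http_access lines. The following is an added example, not code from Squid or from anyone in this thread: a small Python model of Squid's evaluation rule (ACLs on one line are ANDed, lines are tried top to bottom, the first matching line decides, and if nothing matches the opposite of the last line's action applies), loaded with the ACLs and http_access lines from the posted configuration. The ACL types modelled are only the ones F. uses (src, dstdomain, port, method, proto); the unused to_localhost ACL is left out because 'dst' is not modelled. Client addresses and host names in the checks are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    src: str             # client address
    host: str            # destination host name taken from the URL
    port: int            # destination port
    method: str = "GET"
    proto: str = "http"  # URL scheme; Squid's manager ACL matches proto cache_object


def acl_matches(acl, req):
    """Match one ACL definition (type, values) against a request, for the ACL types F. uses."""
    kind, values = acl
    if kind == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "dstdomain":
        host = req.host.lower()
        for v in values:
            v = v.lower()
            if v.startswith("."):                      # leading dot: the domain and all subdomains
                if host == v[1:] or host.endswith(v):
                    return True
            elif host == v:                            # no dot: that exact host only
                return True
        return False
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in [v.upper() for v in values]
    if kind == "proto":
        return req.proto.lower() in [v.lower() for v in values]
    raise ValueError("ACL type %r not modelled here" % kind)


def evaluate(acls, http_access, req):
    """Squid's http_access semantics: lines are tried top to bottom; a line matches only if
    every ACL named on it matches ('!' negates one ACL); the first matching line decides.
    If no line matches, the opposite of the last line's action applies."""
    for action, terms in http_access:
        if all(acl_matches(acls[t.lstrip("!")], req) != t.startswith("!") for t in terms):
            return action
    return "deny" if http_access[-1][0] == "allow" else "allow"


# ACL definitions as posted (values of the repeated "acl Safe_ports" lines merge, as in Squid).
ACLS = {
    "all": ("src", ["0.0.0.0/0.0.0.0"]),
    "manager": ("proto", ["cache_object"]),
    "localhost": ("src", ["127.0.0.1/255.255.255.255"]),
    "Safe_ports": ("port", ["80", "1025-65535"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", ["443"]),
    "LAN": ("src", ["192.168.1.0/24"]),
    "XENO": ("dstdomain", [".my.server.com"]),
}

# http_access lines as posted, in order.
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["LAN"]),
    ("allow", ["XENO"]),
    ("allow", ["localhost"]),
    ("deny", ["all"]),
]


def with_443_safe(acls):
    """Amos's fix: put 443 back into Safe_ports so CONNECT to HTTPS is not dropped early."""
    fixed = dict(acls)
    fixed["Safe_ports"] = ("port", ["80", "443", "1025-65535"])
    return fixed


if __name__ == "__main__":
    # Constructed sample requests: a LAN browser, an Internet client reaching the
    # accelerated server, an Internet client reaching anything else, and a LAN HTTPS CONNECT.
    samples = [
        Request("192.168.1.10", "www.example.org", 80),
        Request("203.0.113.7", "www.my.server.com", 80),
        Request("203.0.113.7", "www.example.org", 80),
        Request("192.168.1.10", "mail.example.org", 443, method="CONNECT"),
    ]
    for r in samples:
        print(r, "posted:", evaluate(ACLS, HTTP_ACCESS, r),
              "with 443 safe:", evaluate(with_443_safe(ACLS), HTTP_ACCESS, r))
```

Running it shows why Amos says 'all' adds nothing: an http_access line is already an AND of its ACLs, so "allow all XENO" and "allow XENO" decide identically, and Internet clients reach my.server.com through the XENO line while everything else from the Internet falls through to "deny all". It also reproduces the CONNECT problem: with the posted Safe_ports, a LAN CONNECT to port 443 hits "deny !Safe_ports" before "allow LAN" is ever reached.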


Re: [squid-users] NO_CACHE

2008-04-28 Thread Amos Jeffries

Henrik Nordstrom wrote:

On mån, 2008-04-28 at 16:32 +0100, Jorge Bastos wrote:

For example for my local network 192.168.1.0/24

acl all_cache src 192.168.1.0/24
no_cache deny all_cache


Correct syntax is

cache deny all_cache

(no_cache was renamed to cache in 2.6)



Why are you naming it all_cache? Seems confusing since it's the opposite 
of what you want and not what is inside it either.


How about acl localnet src 192.168.1.0/24 ?

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4


[squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

2008-04-28 Thread Indunil Jayasooriya
  What command do I have to issue to complete this task with PF on OpenBSD 4.2?
   What should I do?

 Configuring pf
 The pf configuration is /etc/pf.conf. The file is documented in
 pf.conf(5). This is a minimal example of the required rdr rule. Make
 sure you also allow the redirected connections to pass, they'll have
 destination address 127.0.0.1 when the filter rules are evaluated.
 Redirection does not automatically imply passing. Also, the proxy must
 be able to establish outgoing connections to external web servers.

 int_if=gem0
 ext_if=kue0

 rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

 pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
 pass out on $ext_if inet proto tcp from any to any port www keep state

 Note that squid needs to open /dev/pf in order to query the packet
 filter. The default permissions for this file allow access only to
 root. squid is running as user _squid, group _squid, so one way to
 allow access to squid is by changing the group ID of the file to
 _squid and make it group-accessible:

 # chgrp _squid /dev/pf
 # chmod g+rw /dev/pf

 please click the URL below for more

 http://www.benzedrine.cx/transquid.html


 --
 Thank you
 Indunil Jayasooriya



-- 
Thank you
Indunil Jayasooriya


Re: [squid-users] squid and wccp

2008-04-28 Thread Manoj_Rajkarnikar

On Mon, 28 Apr 2008, Wennie V. Lagmay wrote:


A. squid -v

Squid Cache: Version 2.6.STABLE19
configure options:  '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/sbin' 
'--libexecdir=/usr/lib/squid' '--localstatedir=/spool/squid' 
'--sysconfdir=/etc/squid' '--enable-snmp' '--enable-kill-parent-hack' 
'--enable-delay-pools' '--enable-storeio=aufs,diskd,null' 
'--enable-removal-policies=heap,lru' '--enable-arp-acl' '--enable-large-files' 
'--enable-ssl' '--enable-linux-netfilter' '--with-maxfd=16384'


B. ip wccp version 2
ip wccp web-cache
!
interface fastethernet 1/0
description internet connection
ip address 192.168.255.6 255.255.255.252
!
interface fastethernet 3/0
description LAN
ip address xx.xx.184.177
ip wccp web-cache redirect out


either change this line to ip wccp web-cache redirect in or 
put it in fa1/0.



!
ip route 0.0.0.0 0.0.0.0 192.158.255.5

C. [EMAIL PROTECTED] ~]# tcpdump -i wccp0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes

:note that 778 is my ssh port, also there is no log being shown in the 
access.log

tcpdump
IP 192.168.255.6 > xx.xx.184.178: GREv0, length 56: gre-proto-0x883e
STP 802.1d, Config, Flags [none], bridge-id xx, length 43


you should not be seeing the gre packets on wccp0 interface. gre should 
already be decrypted in this interface.




D. ifconfig

wccp0 Link encap:UNSPEC  HWaddr 4F-62-B8-B2-00-00-00-00-00-00-00-00-00-00-00-00
 inet addr:xx.xx.184.178  P-t-P:xx.xx.184.178  Mask:255.255.255.255
 UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

:note packets received and sent




Here's how I've done it.

1. Squid box:

1.1 compile options for squid:

Squid Cache: Version 2.6.STABLE19
configure options:  '--enable-snmp' '--prefix=/usr/local/squid' 
'--enable-async-io' '--enable-storeio=ufs,aufs,coss,null' 
'--enable-removal-policies=lru,heap' '--enable-wccp' '--enable-wccpv2' 
'--disable-ident-lookup' '--enable-linux-netfilter' '--enable-epoll' 
'--disable-select' '--disable-poll' '--enable-follow-x-forwarded-for' 
'--with-maxfd=16384' 'CFLAGS=-march=nocona -O2 -pipe -fomit-frame-pointer 
-DNUMTHREADS=150 -funroll-loops -ffast-math -fno-exceptions'


1.2 squid config:

http_port <squid port> transparent
wccp2_router xxx.xxx.xxx.233

1.3 OS:

CentOS 4.5 64-bit kernel version 2.6.23.9 compiled with ip_gre builtin.

1.4 interface:

create gre0 interface:
[EMAIL PROTECTED] ~]# cat /etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
BROADCAST=192.168.172.3
IPADDR=192.168.172.2   # use any unused IP for this interface, doesn't matter
NETMASK=255.255.255.252
NETWORK=192.168.172.0
ONBOOT=yes
TYPE=Ethernet

ifconfig:

eth0 Link encap:Ethernet  HWaddr 00:14:5E:41:FA:A6
 inet addr:xxx.xxx.xxx.234  Bcast:xxx.xxx.xxx.239 Mask:255.255.255.248
 UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
 RX packets:8780435181 errors:0 dropped:0 overruns:0 frame:0
 TX packets:9211494941 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:100
 RX bytes:4768621410009 (4.3 TiB)  TX bytes:6971021118272 (6.3 TiB)
 Base address:0x2000 Memory:d012-d014

gre0 Link encap:UNSPEC  HWaddr 00-00-00-00-FF-F8-00-00-00-00-00-00-00-00-00-00
 inet addr:192.168.172.2  Mask:255.255.255.252
 UP RUNNING NOARP  MTU:1476  Metric:1
 RX packets:4849085060 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:4269 dropped:0 overruns:0 carrier:0
 collisions:4269 txqueuelen:0
 RX bytes:735923364221 (685.3 GiB)  TX bytes:0 (0.0 b)

tcpdump on eth0:
[EMAIL PROTECTED] ~]# tcpdump -nn -i eth0 |grep gre-proto
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:58.708759 IP xxx.xxx.xxx.226 > xxx.xxx.xxx.234: gre-proto-0x883e
10:23:58.710273 IP xxx.xxx.xxx.226 > xxx.xxx.xxx.234: gre-proto-0x883e

tcpdump on gre0:
[EMAIL PROTECTED] ~]# tcpdump -nn -i gre0
tcpdump: WARNING: arptype 778 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gre0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
10:26:18.896768 IP xxx.yyy.zzz.16.1999 > 208.122.6.235.80: . ack 3193965999 win 65535 <nop,nop,sack sack 1 {1461:5841}>
10:26:18.897020 IP xxx.yyy.zzz.123.4098 > 209.216.46.132.80: . ack 586983296 win 17424
10:26:18.897790 IP xxx.yyy.zzz.209.62383 > 203.84.204.69.80: . ack 1194719072 win 65114
10:26:18.897799 IP xxx.yyy.zzz.209.62383 > 203.84.204.69.80: F 0:0(0) ack 
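
The two captures above differ in exactly one thing: on eth0 the packets are still GRE with protocol type 0x883e, while on a working gre0 only the inner client-to-web-server TCP packets appear, because the kernel has already stripped the outer IP, GRE and WCCP headers. The following is an added example written for this thread, not Squid code and not code from Manoj or Wennie: it builds a constructed WCCP redirect packet the way a router encapsulates one and decodes it the way the Linux ip_gre code does, including the check that tells WCCPv1 (inner IPv4 directly after the GRE header) from WCCPv2 (a 4-byte redirect header first). The router identifier 192.168.255.6 is taken from the router output in the thread; all other addresses, ports and the service id are constructed. The redirect header layout (flags, service id, alt bucket, primary bucket) is from the WCCPv2 draft and is an assumption of this example.

```python
import socket
import struct

IPPROTO_GRE = 47
ETH_P_WCCP = 0x883E   # GRE protocol type for WCCP redirection; tcpdump prints it as gre-proto-0x883e


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at zero: constructed test data, never sent)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_wccp_redirect(router, cache, client, server, dport=80, v2=True, service_id=0):
    """Constructed example of what a WCCP-redirecting router sends to the cache:
    outer IP (router -> cache) / GRE (proto 0x883E) / [4-byte WCCPv2 redirect header] / inner IP / TCP.
    WCCPv1 carries the inner IPv4 packet directly after the GRE header (v2=False)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # bare SYN
    inner = ipv4_header(client, server, socket.IPPROTO_TCP, len(tcp)) + tcp
    gre = struct.pack("!HH", 0, ETH_P_WCCP)                      # no C/K/S flags, version 0
    redirect = struct.pack("!BBBB", 0, service_id, 0, 0) if v2 else b""  # flags, service, alt, primary
    payload = gre + redirect + inner
    return ipv4_header(router, cache, IPPROTO_GRE, len(payload)) + payload


def parse_ipv4(buf):
    """Return (protocol, src, dst, payload) of an IPv4 packet, honouring IHL and total length."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return proto, socket.inet_ntoa(src), socket.inet_ntoa(dst), buf[ihl:total]


def parse_wccp_gre(packet):
    """Decode one WCCP GRE packet, stripping the same headers the kernel's ip_gre strips."""
    proto, outer_src, outer_dst, payload = parse_ipv4(packet)
    if proto != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % proto)
    flags_ver, gre_proto = struct.unpack("!HH", payload[:4])
    if flags_ver & 0xF000:   # C/R/K/S bits would add optional fields; WCCP does not use them
        raise ValueError("GRE optional fields present; not a plain WCCP encapsulation")
    if gre_proto != ETH_P_WCCP:
        raise ValueError("GRE protocol 0x%04x is not WCCP" % gre_proto)
    body = payload[4:]
    # Linux ip_gre tells v1 from v2 the same way: if the byte after the GRE header does not
    # carry the IPv4 version nibble (4), a 4-byte WCCPv2 redirect header is skipped first.
    redirect = None
    if body[0] >> 4 != 4:
        rflags, service_id, alt_bucket, pri_bucket = struct.unpack("!BBBB", body[:4])
        redirect = {"flags": rflags, "service_id": service_id,
                    "alt_bucket": alt_bucket, "primary_bucket": pri_bucket}
        body = body[4:]
    inner_proto, inner_src, inner_dst, inner_payload = parse_ipv4(body)
    sport = dport = None
    if inner_proto == socket.IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", inner_payload[:4])
    return {"outer_src": outer_src, "outer_dst": outer_dst, "gre_proto": gre_proto,
            "wccp": redirect, "inner_src": inner_src, "inner_dst": inner_dst,
            "inner_proto": inner_proto, "sport": sport, "dport": dport}


if __name__ == "__main__":
    # Constructed addresses: router identifier from the thread, the rest documentation ranges.
    pkt = build_wccp_redirect("192.168.255.6", "203.0.113.178", "10.1.2.3", "198.51.100.20")
    for key, value in parse_wccp_gre(pkt).items():
        print("%-12s %s" % (key, value))
```

The decoded outer_src is the address that matters for the tunnel: a Linux interface created with `ip tunnel add ... mode gre remote X local Y` only receives GRE packets whose outer source is X and outer destination is Y, so if the decoded outer_src (the router identifier the router reports) differs from the tunnel's remote address, the kernel never decapsulates on that interface and Squid sees nothing, even though the GRE packets are visible on the physical interface.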

RE: [squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

2008-04-28 Thread Chris Benesch
Hi,

First of all, you should change any to any to something more restrictive
like 10.0.0.0/8 to any.  I don't think squid needs to read the packet filter
device, I've got a similar setup with 4.1 and it doesn't need to access the
packet filter directly.

To make OpenBSD reload the configuration file, the easiest way is to just
issue a pfctl -e -f /etc/pf.conf and it should reload the rules.  Just to
make sure you can do pfctl -d; pfctl -e -f /etc/pf.conf.  It will stop then
start pf again.

-Original Message-
From: Indunil Jayasooriya [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 28, 2008 8:38 PM
To: squid-users
Subject: [squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

  What command do I have to issue to complete this task with PF on OpenBSD
4.2?
   What should I do?

 Configuring pf
 The pf configuration is /etc/pf.conf. The file is documented in
 pf.conf(5). This is a minimal example of the required rdr rule. Make
 sure you also allow the redirected connections to pass, they'll have
 destination address 127.0.0.1 when the filter rules are evaluated.
 Redirection does not automatically imply passing. Also, the proxy must
 be able to establish outgoing connections to external web servers.

 int_if=gem0
 ext_if=kue0

 rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

 pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
 pass out on $ext_if inet proto tcp from any to any port www keep state

 Note that squid needs to open /dev/pf in order to query the packet
 filter. The default permissions for this file allow access only to
 root. squid is running as user _squid, group _squid, so one way to
 allow access to squid is by changing the group ID of the file to
 _squid and make it group-accessible:

 # chgrp _squid /dev/pf
 # chmod g+rw /dev/pf

 please click the URL below for more

 http://www.benzedrine.cx/transquid.html


 --
 Thank you
 Indunil Jayasooriya



-- 
Thank you
Indunil Jayasooriya