Re: [squid-users] How do i update
Tarak Ranjan wrote:

Hi List,

I am running SQUID 2.6.STABLE6, and I want to update to SQUID 3.0 STABLE11 for SSL bump. Is it possible to do the upgrade?

/\ Tarak

Hi Tarak,

If compiling from source you could set up a new copy of squid without immediately affecting your current deployment. If using a package management system things could necessitate some downtime.

As indicated by yonghua the configs are rather similar. After the upgrade you can run a squid -k parse to get an indication of compatibility between your current squid config and the requirements of v3.

Regardt
Re: [squid-users] load balancing
Hi Remy,

Just a couple of comments.

1) As per your response, if DNS is down squid is not going to be much happier as it needs that DNS resolution in order to be able to function ;-)
2) WCCP would/could work very nicely for you in a fully transparent configuration. Cost of wccp capable routers plays a role.
3) A true load balancer front end like Cisco's content director could also do the job but also runs into cost issues.

Methods I've used:

1) Running squid in an LVS (linux virtual server) environment - works but can get fun to configure
2) Add another squid box to the configuration.
   - Setup this squid so that 10.200.1.2 and 10.200.1.1 are parent caches with CARP enabled
   - Do not enable any disk storage on this front-end cache

This gives you an environment where the parent caches will determine load between them and handle requests as needed. Setting dead_peer_timeout and peer_connect_timeout will also allow relatively quick responses to caches that die.

I know this last option is not fully redundant but is a cost effective way of handling the load balancing issue cleanly.

Regardt

Mario Remy Almeida wrote:

Hi All,

What I mean to say is..

E.G:-
SP 1 = 10.200.2.1
SP 2 = 10.200.2.2
LAN USERS = 10.200.2.x

All lan users should connect to SP1 or SP2 depending upon the load and if one of the SP is down the other should take the load.

One way of achieving load balance is with DNS

    proxy1.example.com IN A 10.200.2.1
    proxy1.example.com IN A 10.200.2.2

And what if the DNS Server is down and also how to do fail over

//Remy

On Tue, 2008-12-23 at 09:05 -0600, Luis Daniel Lucio Quiroz wrote:

Just remember when using load balancing, if you use digest auth, then you MUST use source persistence.

On Tuesday 23 December 2008 08:38:27 Ken Peng wrote:

Hi All, any links on how to configure load balancing of squid

See the default squid.conf, :)
Re: [squid-users] problema with de cache
Leonel Flor�n Selles wrote:

Problem with the cache

Web friends:

I am new to this list. I installed squid and it works OK, but it does not store the Web in squid's spool, and I know that because when I look at the traces it shows tcp-miss for each URL. I also checked /var/spool/squid and it has the spool's structure created but it's empty. I also used the command squid -z but nothing at all.

What can I do?

Greetings

Hi Leonel,

Welcome to the list.

First off, which version of squid? What is your configuration? Are there ANY TCP/IMS HITS?

The squid -z should really only be used 1st time round to create the required swap structures.

Regardt
Re: [squid-users] squid restarts itself
Hello again and Happy New Year to all.

Today I decided to review the cache.log file to see how things were running after receiving some complaints from users that there hasn't been Internet a couple of times. I noticed that squid is restarting itself every once in a while. I don't know what's going on with squid or my configuration but I'm getting a lot of errors and it is not working properly. Please help me figure out what's wrong. Thank you in advance for your help.

Correct, your squid is crashing. The symptom has been shown with several bugs, some of which are fixed by the most recent Squid 3.0 releases. Please try an upgrade and see if the problem persists.

Amos

Here's my squid.conf file:

    # Port Squid listens on
    http_port 192.168.2.1:3128 transparent

    # Access-lists (ACLs) will permit or deny hosts to access the proxy
    #acl lan-access src 192.168.1.0/255.255.255.0
    acl lan-access src 192.168.2.0/255.255.255.0
    acl localhost src 127.0.0.1
    acl all src 0.0.0.0/0.0.0.0

    # Access rule
    http_access allow localhost
    http_access allow lan-access
    http_access deny all

    maximum_object_size 100 MB
    cache_mem 100 MB
    access_log /var/log/squid/access.log
    cache_log /var/log/squid/cache.log
    cache_store_log /var/log/squid/store.log
    cache_dir ufs /var/log/squid/cache 10 255 255
    htcp_port 0
    icp_port 0
    extension_methods SEARCH NICK

Now, here's part of the cache.log file:

    2008/12/19 12:32:53| Done reading /var/log/squid/cache swaplog (426776 entries)
    2008/12/19 12:32:53| Finished rebuilding storage from disk.
    2008/12/19 12:32:53|419973 Entries scanned
    2008/12/19 12:32:53| 0 Invalid entries.
    2008/12/19 12:32:53| 0 With invalid flags.
    2008/12/19 12:32:53|418997 Objects loaded.
    2008/12/19 12:32:53| 0 Objects expired.
    2008/12/19 12:32:53| 640 Objects cancelled.
    2008/12/19 12:32:53| 5918 Duplicate URLs purged.
    2008/12/19 12:32:53| 192 Swapfile clashes avoided.
    2008/12/19 12:32:53| Took 46.1 seconds (9096.9 objects/sec).
    2008/12/19 12:32:53| Beginning Validation Procedure
    2008/12/19 12:32:54| 262144 Entries Validated so far.
    2008/12/19 12:32:54| storeLateRelease: released 45 objects
    2008/12/19 12:32:56| Completed Validation Procedure
    2008/12/19 12:32:56| Validated 826549 Entries
    2008/12/19 12:32:56| store_swap_size = 24545080
    2008/12/19 12:49:23| clientParseRequestMethod: Unsupported method in request '^C'
    2008/12/19 12:49:23| clientProcessRequest: Invalid Request
    2008/12/19 12:53:19| WARNING: unparseable HTTP header field {POST /mortalfm/ HTTP/1.0}
    2008/12/19 13:01:32| WARNING: 1 swapin MD5 mismatches
    2008/12/19 13:08:19| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:08:35| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:08:55| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:09:23| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:09:36| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory
    2008/12/19 13:09:44| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:10:00| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:10:37| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory
    2008/12/19 13:10:37| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:11:02| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:11:18| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:11:34| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:11:50| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:12:06| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:12:22| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:12:38| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:12:54| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:13:22| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:13:38| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:13:55| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:14:13| client_side.cc(2699) WARNING! Your cache is running out of filedescriptors
    2008/12/19 13:14:36| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (2) No such file or directory
    2008/12/19 13:14:36| client_side.cc(2699) WARNING! Your cache is running out of
RE: [squid-users] Extra Squid process?
Thanks for the description of that squid process. I was able to change the listen interface it was listening on by setting, udp_incoming_address 10.6.7.0
Re: [squid-users] How do i update
Tarak Ranjan wrote:

Hi List,

I am running SQUID 2.6.STABLE6, and I want to update to SQUID 3.0 STABLE11 for SSL bump. Is it possible to do the upgrade?

/\ Tarak

Hi Tarak,

If compiling from source you could set up a new copy of squid without immediately affecting your current deployment. If using a package management system things could necessitate some downtime.

As indicated by yonghua the configs are rather similar. After the upgrade you can run a squid -k parse to get an indication of compatibility between your current squid config and the requirements of v3.

Regardt

You will need to upgrade to 3.1.0.3
http://www.squid-cache.org/Versions/v3/3.1/

Upgrade should not have too many differences from that early 2.6.

Amos
[squid-users] transparent proxy not working!! any advice?
I've just created a new box with the following options, but wccp with router is still not working! Any advice?

using centos 5.2 and squid 2.6
firewall enabled
SElinux permissive

---
done the following:

    yum update yum
    yum install squid
    squid -z

---
    gedit /etc/rc.d/init.d/rc.local
    #added:
    modprobe ip_gre
    ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up   #this is the same ip as my eth0

    gedit /etc/sysconfig/iptables
    #added:
    -A INPUT -i gre0 -j ACCEPT
    -A INPUT -i gre0 -j ACCEPT
    -A INPUT -p gre -j ACCEPT
    #my routers lan interface 192.168.0.1
    -A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j ACCEPT

---
    service iptables condrestart

    gedit /etc/squid/squid.conf
    #edited/added the following:
    http_port 80 transparent
    http_access allow all
    wccp2_router 192.168.0.1
    wccp_version 4
    wccp2_rebuild_wait on
    wccp2_forwarding_method 1
    wccp2_return_method 1
    wccp2_assignment_method 1
    wccp2_service dynamic 80
    wccp2_service dynamic 90
    wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
    wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

--
Cisco router 2811 side:

    conf t
    ip wccp version 2
    ip wccp web-cache
    int f0/1 (Lan interface)
    ip wccp 80 redirect in
    ip wccp 90 redirect out

--
    service squid restart

then sh ip wccp on router gave me all hits as 0
no hits from squid to router!!

--
service iptables status

    [r...@localhost ~]# service iptables status
    Table: filter
    Chain INPUT (policy ACCEPT)
    num  target               prot opt source          destination
    1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0
    2    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
    3    ACCEPT               all  --  0.0.0.0/0       0.0.0.0/0
    4    ACCEPT               47   --  0.0.0.0/0       0.0.0.0/0

    Chain FORWARD (policy ACCEPT)
    num  target               prot opt source          destination
    1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0       0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)
    num  target               prot opt source          destination

    Chain RH-Firewall-1-INPUT (2 references)
    num  target  prot opt source          destination
    1    ACCEPT  all  --  0.0.0.0/0       0.0.0.0/0
    2    ACCEPT  icmp --  0.0.0.0/0       0.0.0.0/0    icmp type 255
    3    ACCEPT  esp  --  0.0.0.0/0       0.0.0.0/0
    4    ACCEPT  ah   --  0.0.0.0/0       0.0.0.0/0
    5    ACCEPT  udp  --  0.0.0.0/0       224.0.0.251  udp dpt:5353
    6    ACCEPT  udp  --  0.0.0.0/0       0.0.0.0/0    udp dpt:631
    7    ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    tcp dpt:631
    8    ACCEPT  all  --  0.0.0.0/0       0.0.0.0/0    state RELATED,ESTABLISHED
    9    ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:22
    10   ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:80
    11   ACCEPT  tcp  --  0.0.0.0/0       0.0.0.0/0    state NEW tcp dpt:5900
    12   ACCEPT  udp  --  192.168.0.0/24  0.0.0.0/0    udp dpt:2048
    13   REJECT  all  --  0.0.0.0/0       0.0.0.0/0    reject-with icmp-host-prohibited

---
lsmod:

    Module                   Size    Used by
    ip_conntrack_netbios_ns  6977    0
    xt_state                 6209    4
    ip_conntrack             53025   2 ip_conntrack_netbios_ns,xt_state
    nfnetlink                10713   1 ip_conntrack
    iptable_filter           7105    1
    ip_tables                17029   1 iptable_filter
    ip6table_filter          6849    1
    ip6_tables               18053   1 ip6table_filter
    nls_utf8                 6208    1
    ip_gre                   16737   0
    autofs4                  24517   2
    hidp                     23105   2
    rfcomm                   42457   0
    l2cap                    29505   10 hidp,rfcomm
    bluetooth                53797   5 hidp,rfcomm,l2cap
    sunrpc                   144893  1
    ipt_REJECT               9537    1
    ip6t_REJECT              9409    1
    xt_tcpudp                7105    15
    x_tables                 17349   6 xt_state,ip_tables,ip6_tables,ipt_REJECT,ip6t_REJECT,xt_tcpudp
    dm_multipath             22089   0
    video                    21193   0
    sbs                      18533   0
    backlight                10049   1 video
    i2c_ec                   9025    1 sbs
    button                   10705   0
    battery                  13637   0
    asus_acpi                19289   0
    ac                       9157    0
    ipv6                     258273  17 ip6t_REJECT
    xfrm_nalgo               13765   1 ipv6
    crypto_api               11969   1 xfrm_nalgo
    lp                       15849   0
    floppy                   57125   0
    i2c_piix4
Re: [squid-users] Extra Squid process?
There is a squid process listening on a random port with protocol udp each time I start squid and I'm not sure what it does.

I do a ps -ef | grep squid and get

    root  22110     1 0 18:24 ? 00:00:00 /usr/sbin/squid3 -D -sYC
    proxy 22113 22110 0 18:24 ? 00:00:00 (squid) -D -sYC

I do a sudo netstat -tlnup | grep squid and get

    tcp 0 0 10.6.7.0:3128 0.0.0.0:* LISTEN 22113/(squid)
    udp 0 0 0.0.0.0:36947 0.0.0.0:*        22113/(squid)

I'm ok with the one listening on 10.6.7.0:3128, but what does the process do that's listening on 0.0.0.0:36947? I checked syslog and found,

    DNS Socket created at 0.0.0.0, port 36947, FD 8.

Is this a DNS process of some sort? Can I disable it? If not, is there a way for me to make it listen on a specific ip or interface instead of 0.0.0.0? I already disabled the icp process so it doesn't show up.

This last random port is the one used for DNS. It's required for squid to send DNS requests securely.

It has several levels of security on it: first is its randomness, to reduce the chance of attack. And second, unless squid is configured to accept any DNS packets, it will only accept from the DNS servers configured in squid.conf or from the OS configured servers (/etc/resolv.conf).

Amos
Re: [squid-users] Squid config / transparent proxy questions
Kishore Venkat wrote:

Hello,

I have the following 2 questions:

1. I have set up Squid 3.0 STABLE 9 without https / transparent proxy options (i.e., configure WITHOUT --with-openssl=/usr/local/openssl, --enable-ssl and --enable--transparent options) and it appears to work fine using the squidclient. But after I rerun configure with the --with-openssl=/usr/local/openssl and --enable-ssl options, squid -k parse squid.conf gives me the following errors:

    2008/12/26 06:42:07| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
    2008/12/26 06:42:07| aclParseAccessLine: ACL name 'manager' not found.
    FATAL: Bungled squid.conf line 629: http_access allow manager localhost
    Squid Cache (Version 3.0.STABLE9): Terminated abnormally.

I would like to be able to get past the above mentioned errors before I modify the config file further. The squid.conf is the one that make install generated - the only line I added was for the visible_hostname to set to the name of the machine where I have squid installed. As the squid.conf is pretty large, I have pasted the relevant lines below --

    acl manager proto cache_object
    acl localhost src 127.0.0.1/32
    acl to_localhost dst 127.0.0.0/8
    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    # Deny requests to unknown ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than SSL ports
    http_access deny CONNECT !SSL_ports
    http_access allow localnet

If I comment out the following lines (just to see what happens):

    #http_access allow manager localhost
    #http_access deny manager

then it gives me the error:

    2008/12/26 06:52:49| Processing Configuration File: /usr/local/squid/etc/squid.conf (depth 0)
    2008/12/26 06:52:49| aclParseAccessLine: ACL name 'Safe_ports' not found.
    FATAL: Bungled squid.conf line 632: http_access deny !Safe_ports
    Squid Cache (Version 3.0.STABLE9): Terminated abnormally.

Could someone please tell what I could be doing wrong here. If you need the entire squid.conf file (or other relevant entries within the squid.conf file), please let me know.

Looks like the line definition order was wrong in the config file. The lines need to be ordered in the way you posted them here.

It's highly strange to have that occur in the default file. Maybe a build error.

2. Where I work, we have an equipment from F5 for load balancing and certificate management - so I guess it will decrypt the https request and send it off to the Squid server (after the F5 rules are in place). In this scenario, do we even need to worry about setting up Squid with https or transparent proxying enabled (as I understand it, https will not work with transparent proxying), but in our scenario, I guess the F5 rules will take care of transparent proxying and since the F5 will decrypt and send the request to the Squid server, I suppose I don't need to worry about https either. Am I correct in saying that if we have Squid set up to work with http requests alone without transparent proxy, it will be able to handle https requests as well, given our setup?

Squid will handle multiple modes of input just fine by default. Just have one http_port configured for intercept ('transparent') and one without.

If I need transparent proxy with http, would I have to run configure with one of the following options (i.e., it is not enabled by default, yeah?):

    --enable-ipfw-transparent
    --enable-ipf-transparent
    --enable-pf-transparent
    --enable-linux-netfilter
    --enable-linux-tproxy

Yes, but only the one relevant to the machine OS doing the NAT intercept.

Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE11
Current Beta Squid 3.1.0.3
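
The "ACL name ... not found" error in this thread comes from an access rule being parsed before the acl line that defines the name. As an added example (not code from the thread or from the Squid project), this checker walks a squid.conf top to bottom and separates ordering problems from names that are never defined; the function names, the list of directives checked and the sample configs are assumptions made for the example.

```python
from collections import namedtuple

# Directives of the form "<directive> allow|deny <acl> [<acl> ...]".
# Assumption: only these are checked; extend the set as needed.
ACCESS_DIRECTIVES = {
    "http_access", "http_reply_access", "icp_access", "miss_access",
    "always_direct", "never_direct", "cache",
}

Finding = namedtuple("Finding", "lineno directive acl defined_at")


def _tokens(raw_line):
    """Split one squid.conf line into tokens, dropping '#' comments."""
    return raw_line.split("#", 1)[0].split()


def lint_acl_order(conf_text, predefined=()):
    """Report ACL names an access rule uses before an 'acl' line defines them.

    defined_at is the line of the first definition further down (an ordering
    problem) or None when the name is never defined (typo or missing line).
    `predefined` holds names the Squid build defines itself; which names
    those are depends on the version, so the caller supplies them.
    """
    lines = conf_text.splitlines()

    # Pass 1: record where each ACL name is first defined.
    first_def = {}
    for lineno, raw in enumerate(lines, start=1):
        tok = _tokens(raw)
        if len(tok) >= 2 and tok[0] == "acl":
            first_def.setdefault(tok[1], lineno)

    # Pass 2: read top to bottom, so a name only counts once its acl line
    # has been passed.
    known = set(predefined)
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        tok = _tokens(raw)
        if len(tok) >= 2 and tok[0] == "acl":
            known.add(tok[1])
        elif (len(tok) >= 3 and tok[0] in ACCESS_DIRECTIVES
              and tok[1] in ("allow", "deny")):
            for ref in tok[2:]:
                name = ref.lstrip("!")      # "!Safe_ports" negates Safe_ports
                if name not in known:
                    findings.append(
                        Finding(lineno, tok[0], name, first_def.get(name)))
    return findings


# Constructed sample: access rules sit above the acl lines they depend on,
# and two names (CONNECT, SSL_ports) are never defined at all.
BROKEN = "\n".join([
    "http_access allow manager localhost",    # line 1
    "http_access deny !Safe_ports",           # line 2
    "acl manager proto cache_object",         # line 3
    "acl localhost src 127.0.0.1/32",         # line 4
    "acl Safe_ports port 80   # http",        # line 5
    "acl Safe_ports port 443  # https",       # line 6
    "http_access deny CONNECT !SSL_ports",    # line 7
    "http_access allow localhost",            # line 8
])

# Constructed fix: add the two missing definitions and move every acl line
# above the rules (sorted() is stable, so relative order is preserved).
FIXED = "\n".join(
    ["acl SSL_ports port 443", "acl CONNECT method CONNECT"]
    + sorted(BROKEN.splitlines(), key=lambda l: not l.startswith("acl "))
)

if __name__ == "__main__":
    for f in lint_acl_order(BROKEN):
        where = ("defined later on line %d" % f.defined_at
                 if f.defined_at else "never defined")
        print("line %d: %s uses '%s' (%s)"
              % (f.lineno, f.directive, f.acl, where))
```
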
Re: [squid-users] transparent proxy not working!! any advice?
Hello,

the output of the debugging is as such:

    *Jan 4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
    *Jan 4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183: service not active

what service is that?!

--
From: Regardt van de Vyver sq...@vdvyver.net
Sent: Sunday, January 04, 2009 9:33 PM
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?
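
The debug lines name D80 and D90, the two dynamic service groups the posted squid.conf announces. As an added example (not from the thread), this script compares the service groups Squid announces with the ones the posted router lines enable. It assumes the router only accepts Here_I_Am for a group enabled by a global `ip wccp <id>` line; the function names and the "aligned" router config are constructed for the example.

```python
import re

# "ip wccp <service> ..." with an optional "redirect in|out" (interface form).
_IOS_WCCP = re.compile(r"^\s*ip\s+wccp\s+(\S+)(?:\s+redirect\s+(in|out)\b)?")


def squid_services(squid_conf):
    """Service groups Squid announces, using the router's names for them."""
    announced = set()
    for raw in squid_conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) >= 2 and tok[0] == "wccp2_service":
            if tok[1] == "standard":
                announced.add("web-cache")      # standard service 0
            elif tok[1] == "dynamic" and len(tok) >= 3:
                announced.add(tok[2])
    return announced


def router_services(ios_conf):
    """Return (globally enabled groups, groups named on redirect lines)."""
    enabled, redirected = set(), set()
    for raw in ios_conf.splitlines():
        m = _IOS_WCCP.match(raw)
        if not m or m.group(1) == "version":    # "ip wccp version 2" is no group
            continue
        (redirected if m.group(2) else enabled).add(m.group(1))
    return enabled, redirected


def compare(squid_conf, ios_conf):
    """List mismatches between what Squid announces and the router enables."""
    announced = squid_services(squid_conf)
    enabled, redirected = router_services(ios_conf)
    findings = []
    findings += [("announced-but-not-enabled", s) for s in announced - enabled]
    findings += [("enabled-but-not-announced", s) for s in enabled - announced]
    findings += [("redirect-without-enable", s) for s in redirected - enabled]
    return sorted(findings)


# WCCP lines from the post, laid out one directive per line.
SQUID_FROM_POST = """\
wccp2_router 192.168.0.1
wccp2_service dynamic 80
wccp2_service dynamic 90
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
"""

# Router lines from the post.
ROUTER_FROM_POST = """\
conf t
ip wccp version 2
ip wccp web-cache
int f0/1
 ip wccp 80 redirect in
 ip wccp 90 redirect out
"""

# Constructed variant in which the router enables the same groups Squid announces.
ROUTER_ALIGNED = """\
ip wccp version 2
ip wccp 80
ip wccp 90
int f0/1
 ip wccp 80 redirect in
 ip wccp 90 redirect out
"""

if __name__ == "__main__":
    for kind, service in compare(SQUID_FROM_POST, ROUTER_FROM_POST):
        print("%s: %s" % (kind, service))
```
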