[squid-users] Pleasen Help with SQUID + WCCP + RHEL ES v4 (kernel 2.6.9-22.ELsmp #1 SMP )
Greetings Everyone, For a week now, I've been trying to get squid + wccpv1 + RHEL ES v4 to work, but it just won't work. Anyone get that working? Please how did u do it ? I wonder if ip_wccp module that I installed, ( http://www.squid-cache.org/WCCP-support/Linux/ip_wccp-1.7.tgz ) is not the problem. The readme file says: The ip_wccp kernel module is a simple implementation of WCCP decapsulation for Linux 2.4 and later. To compile and install the module just run make install Then load the module by modprobe ip_wccp Please note that this module is mutually exclusive with the ip_gre module. Only one of the two may be active at a given time. If you need GRE support in addition to WCCP then you need to use a patched ip_gre module with WCCP support, not ip_wccp (this implementation). -- Where can i find the ip_gre module with WCCP support ? Much Regards, Daniel __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: [squid-users] IOS 12.4 & Squid 2.5.S12 - WCCP Weirdness Ensues
Hi, I have a similar issue with WCCP + RHEL ES v4 and Cisco 1700 Series IOS 12.4(1a), my Router seems to be allright though, but it looks like the problem is with the ip_wccp module that I downloaded from squid-cache.org website, that does not support ip-gre. Therefore I cannot load the ip_gre module in the kernel and create the gre tunnel. Please any hint where to find a patch ip_gre module that support WCCP ? I wondered if it was a problem specific to the kernel 2.6.9-22.ELsmp #1 SMP that I run (RHEL ES v4 Update2). Should I go back to Kernel 2.4 ??? Thanks for your help, Regards, Daniel --- Graham Blake <[EMAIL PROTECTED]> wrote: > Hi there, > I have spent three days beating my head against a > problem that > appears to be a case of dueling Cisco bugs. > > I recently swapped a router out, replacing a 3640 > with IOS 12.2 and > installing a 3845 with 12.4(5) SP Services. We had > WCCP running for > eternity without problem on the 3640, but WCCP died > an ignoble death > on the new router. It appears that WCCP would not > work at all with ip > cef enabled, but with ip cef disabled, various and > sundry websites > would not work - particularly websites requiring > some form of > authenticaion - Slashdot, Hotmail, different web > forums, etc. > > It looks like the warring bugs are akin to > CSCsb89463 (Symptoms: WCCP > doesnt redirect packets with ip cef enabled --- > Workaround: Disable > cef with the global command 'no ip cef') and > CSCdz36099 (Symptoms: > Web sites that require authentication become > unreachable --- > Workaround: Ensure that CEF switching is enabled on > the router). Cute, eh? > > Supposedly CSCsb89463 is fixed in 12.4(5) - but it > seems pretty > non-fixed to me. It seems the only way to get WCCP > to work, and not > fail on authenticating websites, is to force WCCP > through a process > switching path. I am doing this by adding a log > statement to all of > my redirect-list permit statements. This is > obviously an undesireable > solution for CPU reasons, and it has meant I have > had to stop logging > to a remote host. > > I am wondering if anyone has been through this with > similar versions > of IOS, and has either a) found a better workaround > or b) found a > happy working good version of 12.4 IOS. > Cheers, > Graham > > - T OG O D B ET H E G L O R Y :) -- __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: [squid-users] IOS 12.4 & Squid 2.5.S12 - WCCP Anyone using Kernel 2.6.9-22 ??
Hi, I have a similar issue with WCCP + RHEL ES v4 and Cisco 1700 Series IOS 12.4(1a), my Router seems to be allright though, but it looks like the problem is with the ip_wccp module that I downloaded from squid-cache.org website, that does not support ip-gre. Therefore I cannot load the ip_gre module in the kernel and create the gre tunnel. Please any hint where to find a patch ip_gre module that support WCCP ? I wondered if it was a problem specific to the kernel 2.6.9-22.ELsmp #1 SMP that I run (RHEL ES v4 Update2). Should I go back to Kernel 2.4 ??? Thanks for your help, Regards, Daniel --- Graham Blake <[EMAIL PROTECTED]> wrote: > Hi there, > I have spent three days beating my head against a > problem that > appears to be a case of dueling Cisco bugs. > > I recently swapped a router out, replacing a 3640 > with IOS 12.2 and > installing a 3845 with 12.4(5) SP Services. We had > WCCP running for > eternity without problem on the 3640, but WCCP died > an ignoble death > on the new router. It appears that WCCP would not > work at all with ip > cef enabled, but with ip cef disabled, various and > sundry websites > would not work - particularly websites requiring > some form of > authenticaion - Slashdot, Hotmail, different web > forums, etc. > > It looks like the warring bugs are akin to > CSCsb89463 (Symptoms: WCCP > doesnt redirect packets with ip cef enabled --- > Workaround: Disable > cef with the global command 'no ip cef') and > CSCdz36099 (Symptoms: > Web sites that require authentication become > unreachable --- > Workaround: Ensure that CEF switching is enabled on > the router). Cute, eh? > > Supposedly CSCsb89463 is fixed in 12.4(5) - but it > seems pretty > non-fixed to me. It seems the only way to get WCCP > to work, and not > fail on authenticating websites, is to force WCCP > through a process > switching path. I am doing this by adding a log > statement to all of > my redirect-list permit statements. This is > obviously an undesireable > solution for CPU reasons, and it has meant I have > had to stop logging > to a remote host. > > I am wondering if anyone has been through this with > similar versions > of IOS, and has either a) found a better workaround > or b) found a > happy working good version of 12.4 IOS. > Cheers, > Graham > > - T OG O D B ET H E G L O R Y :) -- __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
[squid-users] RHEL v4 + Squid + wccp
hello, I have implemented WCCP on a cisco router, IOS (Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(14)T2, RELEASE SOFTWARE (fc4)) Linux sever : Registered RHEL ES v4 Update 2 Since my CISCO router sends packets through an ip_gre tunnel, and when I load the ip_wccp module into the linux kernel, I cannot push the ip_gre module in the kernel as well. Therefore I cannot created a gre tunel or better a secure gre tunnel for my linux - router communication. How can I fix this ? Thanks for your help. Much regards, Daniel - T OG O D B ET H E G L O R Y :) -- __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Re: [squid-users] Squid and WCCP v1 (squid-2.5.STABLE11-3.FC3) on Fedora Core 3 (2.6.9-1.667smp) -- SOS
Hi, I have a RHELv4 cache + Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(14)T2, RELEASE SOFTWARE (fc4). I have applied your suggestions, but it's still not working. Please take a lookt at my Router's + Squid config. Am I missing something ? - ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! enable password ! no aaa new-model ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero ip wccp version 1 ip wccp web-cache ! ! no ip dhcp use vrf connected ! ! ip cef no ip ips deny-action ips-interface ! no ftp-server write-enable ! interface Ethernet0 ip address x.x.x.x 255.255.255.x no ip route-cache cef full-duplex ! interface FastEthernet0 ip address y.y.y.y 255.255.255.x ip wccp web-cache redirect out speed auto full-duplex ! interface Serial0 no ip address shutdown no fair-queue ! ip classless ip route 0.0.0.0 0.0.0.0 y.y.y.5 no ip http server no ip http secure-server ! control-plane ! line con 0 line aux 0 line vty 0 4 password login ! end /etc/sysctl.conf --- [EMAIL PROTECTED] conf]# cat gre0/rp_filter 1 [EMAIL PROTECTED] conf]# cat bond0/rp_filter 1 Squid.conf http_port [Server IP]:3128 icp_port 3130 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_mem 256 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 8 KB cache_dir ufs /usr/local/squid/var/cache 20240 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log mime_table /usr/local/squid/etc/mime.conf pid_filename /var/run/squid.pid auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl Local src [My Local Network] http_access allow Local http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl our_networks src [my network] http_access allow our_networks http_access deny all http_reply_access allow all icp_access allow all icp_access allow all tcp_outgoing_address [Server IP] cache_mgr [EMAIL PROTECTED] cache_effective_user squid cache_effective_group squid visible_hostname cache.mydomain.com httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on logfile_rotate 10 forwarded_for on cachemgr_passwd shutdown snmp_port 3401 snmp_access deny all wccp_router [Router IP] wccp_outgoing_address [Server IP] coredump_dir /usr/local/squid/var/cache Much regards, Waiting for answers Daniel --- Oliver Chato <[EMAIL PROTECTED]> wrote: > Hi. > > Just for the sake of others who are looking to make > Transparent/Interception caching with Squid, WCCP v1 > and Fedora Core 3, > this is what we did to get it working: > > On the router (IOS 12.3(2)T): > > ip cef > ip wccp version 1 > ip wccp web-cache > interface indirectly connected to the > Internet> > ip wccp web-cache redirect out > end > > Also, we did: > > conf t > ip cef # some systems may already have > 'ip cef global' > int to the Squid Server> (or int FastEthernet 0/0 > or other internal interface) > no ip route-cache cef > CTRL Z > > That's it. For debugging, we used: > show ip wccp > show ip wccp web-caches > show ip wccp web-cache detail > show ip wccp web-cache view (or: show ip wccp 99 > detail) > > On the Linux Server (Fedora Core 3 > (2.6.9-1.667smp)): > In squid.conf: > http_port 3128 > httpd_accel_host virtual > httpd_accel_port 80 > httpd_accel_with_proxy on > httpd_accel_uses_host_header on > tcp_outgound_address interface connected to > the WCCP router> > wccp_outgoing_address interface connected to > the WCCP router> > wccp_router itself> > wccp_ve
Re: [squid-users] RHEL v4 + Squid + wccp
Hi, My kernel is 2.6.9-22.ELsmp #1 SMP And I have loaded the ip_gre module. Please can you point out where I do not get it ? Regards, Dan On 2/21/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > mån 2006-02-13 klockan 13:31 -0500 skrev Shoebottom, Bryan: > > Hello, > > > > I have not been able to get the ip_gre module and tunnel to work. I > > currently use the ip_wccp module > > (http://www.squid-cache.org/WCCP-support/Linux/) and no configured > > tunnel on the linux box. > > ip_gre is the recommended method, but requires a fairly recent kernel to > work. (Linux 2.6.9 or later I think). > > Regards > Henrik > > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.2 (GNU/Linux) > > iD8DBQBD+5QG516QwDnMM9sRAiQyAJ9H7jdZEiG0MbFSqp6cNsiSHD9+2QCeMVWe > F+NR0jyncd5ZXYWdIxacIv4= > =ASLH > -END PGP SIGNATURE- > > > -- -- Daniel Epee Lea
Re: [squid-users] RHEL v4 + Squid + wccp
hello, I have a RHELv4 cache + Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.3(14)T2, RELEASE SOFTWARE (fc4). I have applied your suggestions, but it's still not working. Please take a lookt at my Router's + Squid config. Am I missing something ? - ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router ! boot-start-marker boot-end-marker ! enable password ! no aaa new-model ! resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero ip wccp version 1 ip wccp web-cache ! ! no ip dhcp use vrf connected ! ! ip cef no ip ips deny-action ips-interface ! no ftp-server write-enable ! interface Ethernet0 ip address x.x.x.x 255.255.255.x no ip route-cache cef full-duplex ! interface FastEthernet0 ip address y.y.y.y 255.255.255.x ip wccp web-cache redirect out speed auto full-duplex ! interface Serial0 no ip address shutdown no fair-queue ! ip classless ip route 0.0.0.0 0.0.0.0 y.y.y.5 no ip http server no ip http secure-server ! control-plane ! line con 0 line aux 0 line vty 0 4 password login ! end /etc/sysctl.conf --- [EMAIL PROTECTED] conf]# cat gre0/rp_filter 1 [EMAIL PROTECTED] conf]# cat bond0/rp_filter 1 Squid.conf http_port [Server IP]:3128 icp_port 3130 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_mem 256 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 8 KB cache_dir ufs /usr/local/squid/var/cache 20240 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log mime_table /usr/local/squid/etc/mime.conf pid_filename /var/run/squid.pid auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl Local src [My Local Network] http_access allow Local http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl our_networks src [my network] http_access allow our_networks http_access deny all http_reply_access allow all icp_access allow all icp_access allow all tcp_outgoing_address [Server IP] cache_mgr [EMAIL PROTECTED] cache_effective_user squid cache_effective_group squid visible_hostname cache.mydomain.com httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on logfile_rotate 10 forwarded_for on cachemgr_passwd shutdown snmp_port 3401 snmp_access deny all wccp_router [Router IP] wccp_outgoing_address [Server IP] coredump_dir /usr/local/squid/var/cache Regards, Waiting for answer Thanks Dan On 2/22/06, Daniel EPEE LEA <[EMAIL PROTECTED]> wrote: > Hi, > My kernel is 2.6.9-22.ELsmp #1 SMP > And I have loaded the ip_gre module. > Please can you point out where I do not get it ? > > Regards, > >
Re: [squid-users] HTTPS & transparent proxy
Hi Guys, I have configured a transparent proxy and I am having a hard time to get it to work, I run RHEL v4 + latest stable Squid 12 + cisco IOS 12.3.(14)T2 when my browser is configured with port 80 or 3128, it works, but it doesn work in transparent mode. Please advise me. Much regards, Dan On 3/9/06, James Gray <[EMAIL PROTECTED]> wrote: > On Friday 10 March 2006 07:03, LinuXKiD wrote: > > There is a way to process HTTPS request > > with IPTABLES as transparent proxy ? > > No - attempting to do so breaks the HTTPS standard. Technically, what you're > proposing is commonly referred to as a "man in the middle" attack. > > -- James > >
Re: [squid-users] HTTPS & transparent proxy
Hello, Thanks for your replies, Much details on my setup. I have : 1- Loaded ip_gre module in the kernel ( I didn't use ip_wccp module) 2- My Iptables redirection entry [EMAIL PROTECTED] ~]# iptables -nL -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination REDIRECT tcp -- 0.0.0.0/00.0.0.0/0 tcp dpt:80 redir ports 3128 3- My /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1 # Controls source route verification net.ipv4.conf.default.rp_filter = 0 # Do not accept source routing net.ipv4.conf.default.accept_source_route = 0 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 4- I have created enabled CEF on the outbound interface, and desabled cef routing on my router's network local interface (the one in the same net as the transparent proxy) --- resource policy ! mmi polling-interval 60 no mmi auto-configure no mmi pvc mmi snmp-timeout 180 ip subnet-zero ip wccp version 1 ip wccp web-cache ! ! no ip dhcp use vrf connected ! ! ip cef no ip ips deny-action ips-interface ! interface Ethernet0 ip address default-GW 255.255.255.xx no ip route-cache cef full-duplex ! interface FastEthernet0 ip address external.6 255.255.255.yy ip wccp web-cache redirect out speed auto full-duplex ! I can see through tcpdump -i bond0 port 2048 that all the http packets going outside my network are sent by the router to the squid server, but they are not processed by squid. access.log is empty. It works for one second, and then stop, [EMAIL PROTECTED] ~]# tcpdump -i bond0 port 2048 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes 01:40:23.121220 IP cache.net.com.2048 > .33.2048: UDP, length 52 01:40:23.124210 IP .x.33.2048 > cache.net.com.2048: UDP, length 64 01:40:33.590158 IP cache.net.com.2048 > .33.2048: UDP, length 52 01:40:33.593084 IP .33.2048 > cache.net.com.2048: UDP, length 64 01:40:43.860186 IP cache.net.com.2048 > .33.2048: UDP, length 52 01:40:43.863289 IP .33.2048 > cache.net.com.2048: UDP, length 64 01:40:54.118201 IP cache.net.com.2048 > .33.2048: UDP, length 52 01:40:54.121165 IP .33.2048 > cache.net.com.2048: UDP, length 64 01:41:03.866463 IP cache.net.com.2048 > .33.2048: UDP, length 52 01:41:03.869469 IP .33.2048 > cache.net.com.2048: UDP, length 64 10 packets captured 10 packets received by filter 0 packets dropped by kernel [EMAIL PROTECTED] ~]# tail -f /var/log/squid/access.log 1141763404.652 5 66.219.100.118 TCP_DENIED/403 1442 POST http://66.219.100.118:25/ - NONE/- text/html 1141763404.709 0 66.219.100.118 TCP_DENIED/403 1424 CONNECT mx2.gawab.com:25 - NONE/- text/html 1141765495.830 2 69.93.201.244 TCP_DENIED/403 1484 GET http://195.24.216.45/w00tw00t.at.ISC.SANS.DFind:) - NONE/- text/html 1141769992.613 3 66.219.100.118 TCP_DENIED/403 1442 POST http://66.219.100.118:25/ - NONE/- text/html 1141769992.617 0 66.219.100.118 TCP_DENIED/403 1424 CONNECT mx2.gawab.com:25 - NONE/- text/html 1141783970.867 0 219.136.247.96 TCP_DENIED/403 1471 GET http://www.freeydz.com/proxy/prx1.php - NONE/- text/html 1141807200.078 0 206.113.108.11 TCP_DENIED/403 1484 GET http://195.24.216.45/w00tw00t.at.ISC.SANS.DFind:) - NONE/- text/html 1141825165.692 3 71.96.106.12 TCP_DENIED/403 1433 GET http://195.24.216.45/ - NONE/- text/html 1141834653.550 4 70.169.135.125 TCP_DENIED/403 1433 GET http://195.24.216.45/ - NONE/- text/html 1141839566.108665 220.163.82.38 TCP_DENIED/403 1433 GET http://195.24.216.45/ - NONE/- text/html - Thanks for your much appreciated advice. Regards Dan On 3/10/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > fre 2006-03-10 klockan 16:06 -0800 skrev Daniel EPEE LEA: > > Hi Guys, > > > > I have configured a transparent proxy and I am having a hard time to > > get it to work, > > I run RHEL v4 + latest stable Squid 12 + cisco IOS 12.3.(14)T2 > > > > when my browser is configured with port 80 or 3128, it works, but it > > doesn work in transparent mode. Please advise me. > > > Don't break protocols, configure the browser to use the proxy. > > > The Squid FAQ contains howtos on how to set up transparent intercetion > in many different environment. Start by reading that. If you still have > issues please return describing a little more in detail what issues you > have, and what you have done. > > Regards > Henrik > > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.2.1 (GNU/Linux) > > iD8DBQBEEhfp516QwDnMM9sRAjmSAJ9MADgYBw17OxzWq9sR/JzrmEsFPwCfYLxU > D9sXPqdfU0XIEM6Qg6v4p+w= > =isXW > -END PGP SIGNATURE- > > >
Re: [squid-users] HTTPS & transparent proxy
Hello, I added a gre tunnel and nothing it's still won't work. --- Router#sh ip wccp Global WCCP information: Router information: Router Identifier: router.33 Protocol Version:1.0 Service Identifier: web-cache Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:312520 Process: 306237 Fast:0 CEF: 6283 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none- Total Messages Denied to Group: 0 Total Authentication failures: 0 Router# --- These are my interfaces 2: bond0: mtu 1500 qdisc noqueue link/ether 00:11:0a:55:53:44 brd ff:ff:ff:ff:ff:ff inet cache.45/27 brd cache.63 scope global bond0 inet6 fe80::200:ff:fe00:0/64 scope link valid_lft forever preferred_lft forever 3: eth0: mtu 1500 qdisc pfifo_fast master bond0 qlen 1000 link/ether 00:11:0a:55:53:44 brd ff:ff:ff:ff:ff:ff inet6 fe80::211:aff:fe55:5344/64 scope link valid_lft forever preferred_lft forever 6: gre0: mtu 1476 qdisc noqueue link/gre 0.0.0.0 brd 0.0.0.0 inet 172.16.1.6/30 brd 172.16.1.7 scope global gre0 7: [EMAIL PROTECTED]: mtu 1476 qdisc noop link/gre cache.45 peer router.33 [EMAIL PROTECTED] network-scripts]# iptunnel sit0: ipv6/ip remote any local any ttl 64 nopmtudisc gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote router.33 local cache.45 dev bond0 ttl inherit [EMAIL PROTECTED] network-scripts]# On 3/10/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > fre 2006-03-10 klockan 16:54 -0800 skrev Daniel EPEE LEA: > > > 1- Loaded ip_gre module in the kernel ( I didn't use ip_wccp module) > > Did you also create the needed GRE tunnel on the linux box? If not > ip_gre won't know what to do with the received GRE packets carrying the > redirected traffic.. > > the purpose of this gre tunnel is access control, authorizing the router > to send encapsulated packets via the Linux box in this manner. > > > > Chain PREROUTING (policy ACCEPT) > > target prot opt source destination > > REDIRECT tcp -- 0.0.0.0/00.0.0.0/0 tcp > > dpt:80 redir ports 3128 > > You should probably add a few rules above this accepting traffic to the > server itself. Not strictly needed, but makes life a little saner if you > indend to run a web server there for cachemgr.cgi, proxy.pac or > whatever.. > > > 3- My /etc/sysctl.conf > > # Controls IP packet forwarding > > net.ipv4.ip_forward = 1 > > Ok. > > > # Controls source route verification > > net.ipv4.conf.default.rp_filter = 0 > > Ok. > > > I can see through tcpdump -i bond0 port 2048 > > that all the http packets going outside my network are sent by the > > router to the squid server, but they are not processed by squid. > > access.log is empty. > > port 2048 is just the WCCP control channel where the proxy and router > agrees on what the traffic should be redirected. The actual redirection > is done using a form of GRE. > > Regards > Henrik > > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.2.1 (GNU/Linux) > > iD8DBQBEEiEo516QwDnMM9sRAubOAJ9BSqc7yrLXVqpPBMCY4gWBxacEJACeNTaV > hYd4fxKTmi+aXYRB3CrYTLY= > =r7Lx > -END PGP SIGNATURE- > > >
Re: [squid-users] HTTPS & transparent proxy
Henrik, I have created a gre tunnel, without success 6: gre0: mtu 1476 qdisc noqueue link/gre 0.0.0.0 brd 0.0.0.0 inet 172.16.1.6/30 brd 172.16.1.7 scope global gre0 7: [EMAIL PROTECTED]: mtu 1476 qdisc noqueue link/gre cache.45 peer router.33 inet 127.0.0.2/32 scope host gre1 - [EMAIL PROTECTED] ~]# iptunnel sit0: ipv6/ip remote any local any ttl 64 nopmtudisc gre0: gre/ip remote any local any ttl inherit nopmtudisc gre1: gre/ip remote router.33 local cache.45 dev bond0 ttl inherit [EMAIL PROTECTED] ~]# iptables -t nat -L -v Chain PREROUTING (policy ACCEPT 2212 packets, 195K bytes) pkts bytes target prot opt in out source destination 0 0 REDIRECT tcp -- gre0 any anywhere anywheretcp dpt:http redir ports 3128 - tcp dump 18:23:03.234100 IP cache45.ssh > client.1459: P 49676124:49676432(308) ack 250745 win 16744 18:23:03.234103 IP cache45.ssh > client.1459: P 49676124:49676432(308) ack 250745 win 16744 18:23:03.234162 IP cache45.ssh > client.1459: P 49676432:49676660(228) ack 250745 win 16744 18:23:03.234167 IP cache45.ssh > client.1459: P 49676432:49676660(228) ack 250745 win 16744 18:23:03.234214 IP client.1459 > cache45.ssh: . ack 49676124 win 61591 18:23:03.234225 IP cache45.ssh > client.1459: P 49676660:49676968(308) ack 250745 win 16744 18:23:03.234228 IP cache45.ssh > client.1459: P 49676660:49676968(308) ack 250745 win 16744 18:23:03.234283 IP cache45.ssh > client.1459: P 49676968:49677196(228) ack 250745 win 16744 18:23:03.234289 IP cache45.ssh > client.1459: P 49676968:49677196(228) ack 250745 win 16744 18:23:03.234338 IP client.1459 > cache45.ssh: . ack 49676660 win 61055 18:23:03.234349 IP cache45.ssh > client.1459: P 49677196:49677504(308) ack 250745 win 16744 18:23:03.234352 IP cache45.ssh > client.1459: P 49677196:49677504(308) ack 250745 win 16744 18:23:03.234410 IP cache45.ssh > client.1459: P 49677504:49677732(228) ack 250745 win 16744 18:23:03.234416 IP cache45.ssh > client.1459: P 49677504:49677732(228) ack 250745 win 16744 18:23:03.234463 IP client.1459 > cache45.ssh: . ack 49677196 win 60519 18:23:03.234474 IP cache45.ssh > client.1459: P 49677732:49677944(212) ack 250745 win 16744 18:23:03.234477 IP cache45.ssh > client.1459: P 49677732:49677944(212) ack 250745 win 16744 18:23:03.234537 IP cache45.ssh > client.1459: P 49677944:49678268(324) ack 250745 win 16744 18:23:03.234543 IP cache45.ssh > client.1459: P 49677944:49678268(324) ack 250745 win 16744 18:23:03.234592 IP client.1459 > cache45.ssh: . ack 49677732 win 59983 18:23:03.234591 IP router33 > cache45: gre-proto-0x883e 18:23:03.234610 IP cache45.ssh > client.1459: P 49678268:49678576(308) ack 250745 win 16744 18:23:03.234616 IP cache45.ssh > client.1459: P 49678268:49678576(308) ack 250745 win 16744 18:23:03.234591 IP client.2619 > 62.149.229.189.http: S 4293072232:4293072232(0) win 65535 470495 packets captured 472300 packets received by filter 1750 packets dropped by kernel -- [EMAIL PROTECTED] ~]# tcpdump -i any port 2048 tcpdump: WARNING: Promiscuous mode not supported on the "any" device tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes 18:24:57.618905 IP cache45.2048 > router33.2048: UDP, length 52 18:24:57.619292 IP cache45.2048 > router33.2048: UDP, length 52 18:24:57.620627 IP router33.2048 > cache45.2048: UDP, length 64 18:25:08.572755 IP cache45.2048 > router33.2048: UDP, length 52 18:25:08.572762 IP cache45.2048 > router33.2048: UDP, length 52 18:25:08.574505 IP router33.2048 > cache45.2048: UDP, length 64 18:25:18.603899 IP cache45.2048 > router33.2048: UDP, length 52 18:25:18.603917 IP cache45.2048 > router33.2048: UDP, length 52 18:25:18.605682 IP router33.2048 > cache45.2048: UDP, length 64 18:25:28.627010 IP cache45.2048 > router33.2048: UDP, length 52 18:25:28.627017 IP cache45.2048 > router33.2048: UDP, length 52 18:25:28.628740 IP router33.2048 > cache45.2048: UDP, length 64 18 packets captured 21 packets received by filter 0 packets dropped by kernel -- Total Authentication failures: 0 Router#sh ip wccp Global WCCP information: Router information: Router Identifier: 195.24.216.33 Protocol Version:1.0 Service Identifier: web-cache Number of Cache Engines: 1 Number of routers: 1 Total Packets Redirected:13211 Process: 4598 Fast:0 CEF: 8613 Redirect access-list:-none- Total Packets Denied Redirect: 0 Total Packets Unassigned:0 Group access-list: -none-
Re: [squid-users] WCCP and squid problem !!!! Help me!!
Jason, Please post these outputs, # tcpdump -i any - n # iptables -t nat -L -v Are you using ip_gre module ? Then make sure a gre tunel is configured so then the router <-> cache_server communication can happen. You can get more information from this link that helped me ;) http://www.reub.net/node/3 Also take a look at this post from Henrik, http://www.squid-cache.org/mail-archive/squid-users/200510/0027.html About your Config, I do not see: tcp_outgound_address 192.168.0.5 wccp_outgoing_address 192.168.0.5 Hope this helps, -- Daniel Epee Lea
Re: [squid-users] HTTP & transparent proxy -- It'sworkinnnnnnnnnnnnggggggggggggg
Bryan, I have no pb with Hotmail at this time. Please check the last posts on this list, Mark is addressing that issue. if I learn more, I will let you know. Much regards, Daniel On 3/13/06, Shoebottom, Bryan <[EMAIL PROTECTED]> wrote: > Daniel, > > Thanks for your help, I am using a 2.4 kernel and understand I need to > be at 2.6.x to have the gre module with wccp support... arggg! Right > now I use the wccp module but am running into problems with some sites > like hotmail, ebay and icqmail, I get the main page but login is > intermittent. Are you having any problems with sites like these? I > have heard that using the gre module will resolve these problems. > > Thanks, > Bryan > > > -----Original Message- > From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED] > Sent: March 13, 2006 10:05 AM > To: Shoebottom, Bryan > Subject: Re: [squid-users] HTTP & transparent proxy -- > It'sworkig > > Bryan, > > Linux cache.mydomain.com 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT > 2005 i686 i686 i386 GNU/Linux > > RHEL ES V4 > > I used ip_gre module instead of wccp_module > > Regards; > > Daniel > -- -- Daniel Epee Lea
[squid-users] WCCP Transparent Proxy on High Volume network
Hi, I had to start squid in prodcution network and to my supprise, it worked for about 1 minute, and then the messages bellow started flowing. In the WCCP router, more 1 requests were forwarded after less than 1 minute (192.x.x.x/19 network) I noticed that cache server ran out of file descriptors, How to fix this ? How do I tune ip_conntack table ? My actual max value is: [EMAIL PROTECTED] ~]# cat /proc/sys/net/ipv4/ip_conntrack_max 65536 Thanks for your answers Dan --- ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. ip_conntrack: table full, dropping packet. printk: 23 messages suppressed. ip_conntrack: table full, dropping packet. printk: 26 messages suppressed. ip_conntrack: table full, dropping packet. printk: 29 messages suppressed. ip_conntrack: table full, dropping packet. printk: 47 messages suppressed. ip_conntrack: table full, dropping packet. printk: 40 messages suppressed. ip_conntrack: table full, dropping packet. printk: 53 messages suppressed. ip_conntrack: table full, dropping packet. printk: 64 messages suppressed. ip_conntrack: table full, dropping packet. printk: 51 messages suppressed. ip_conntrack: table full, dropping packet. printk: 62 messages suppressed. ip_conntrack: table full, dropping packet. printk: 74 messages suppressed. ip_conntrack: table full, dropping packet. printk: 74 messages suppressed. ip_conntrack: table full, dropping packet. printk: 60 messages suppressed. ip_conntrack: table full, dropping packet. printk: 76 messages suppressed. ip_conntrack: table full, dropping packet. printk: 65 messages suppressed. ip_conntrack: table full, dropping packet. printk: 92 messages suppressed. ip_conntrack: table full, dropping packet. printk: 68 messages suppressed. ip_conntrack: table full, dropping packet. printk: 66 messages suppressed. ip_conntrack: table full, dropping packet. printk: 70 messages suppressed. ip_conntrack: table full, dropping packet. printk: 86 messages suppressed. ip_conntrack: table full, dropping packet. printk: 55 messages suppressed. ip_conntrack: table full, dropping packet. printk: 68 messages suppressed. ip_conntrack: table full, dropping packet. printk: 59 messages suppressed. ip_conntrack: table full, dropping packet. printk: 65 messages suppressed. ip_conntrack: table full, dropping packet. printk: 77 messages suppressed. ip_conntrack: table full, dropping packet. printk: 86 messages suppressed. ip_conntrack: table full, dropping packet. printk: 75 messages suppressed. ip_conntrack: table full, dropping packet. printk: 75 messages suppressed. ip_conntrack: table full, dropping packet. printk: 62 messages suppressed. ip_conntrack: table full, dropping packet. printk: 55 messages suppressed. ip_conntrack: table full, dropping packet. printk: 85 messages suppressed. ip_conntrack: table full, dropping packet. printk: 79 messages suppressed. ip_conntrack: table full, dropping packet. ip_tables: (C) 2000-2002 Netfilter core team ip_conntrack version 2.1 (8192 buckets, 65536 max) - 340 bytes per conntrack printk: 19 messages suppressed. TCP: drop open request from IP/2930 TCP: drop open request from IP/1194 TCP: drop open request from IP/33930 TCP: drop open request from IP/2009 TCP: drop open request from IP/2854 TCP: drop open request from IP/65478 TCP: drop open request from IP/33084 TCP: drop open request from IP/1556 TCP: drop open request from IP/2291 TCP: drop open request from IP/63561 printk: 24 messages suppressed. TCP: drop open request from IP/2697 TCP: drop open request from IP/1193 printk: 158 messages suppressed. TCP: drop open request from IP/2582 printk: 124 messages suppressed. TCP: drop open request from IP/4681 printk: 35 messages suppressed. -- -- Daniel Epee Lea
Re: [squid-users] WCCP Transparent Proxy on High Volume network
Sorry, Where should I do so ? This box has about 4 Gig of RAM [EMAIL PROTECTED] squid]# dmesg | grep mem Memory: 3958780k/3997664k available (1863k kernel code, 37912k reserved, 753k data, 176k init, 3080160k highmem) At this minute I stopped squid, so I have top - 19:13:44 up 1 day, 23:46, 5 users, load average: 0.00, 0.00, 0.00 Tasks: 86 total, 1 running, 85 sleeping, 0 stopped, 0 zombie Cpu(s): 0.0% us, 0.0% sy, 0.0% ni, 99.8% id, 0.2% wa, 0.0% hi, 0.0% si Mem: 3960588k total, 459048k used, 3501540k free, 124024k buffers Swap: 8388600k total,0k used, 8388600k free, 248816k cached Thanks to point out specifically where. Much regards, Dan
Re: [squid-users] WCCP Transparent Proxy on High Volume network
Hello, I have to rebuild squid because with mu initial setup, my server started "Running out of filedescriptors" . But I need to set the number of file descriptors "I desire to use". What is an acceptable number of file descriptors to allow ? (so then I do not rebuild squid again :( ) How do I determine the right value for my kernel and system ? I run RHEL v4 + 2.6.9-22.ELsmp #1 SMP + squid-2.5 Stable12 RAM 4Gig, Cache Size 40 Gigs and + Thanks for your answers, Regards Daniel On 3/13/06, Mark Elsen <[EMAIL PROTECTED]> wrote: > > Hi, > > > > I had to start squid in prodcution network and to my supprise, it > > worked for about 1 minute, and then the messages bellow started > > flowing. In the WCCP router, more 1 requests were forwarded > > after less than 1 minute (192.x.x.x/19 network) > > > > I noticed that cache server ran out of file descriptors, How to fix this ? > > > > > > http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.4 > > > M. > -- -- Daniel Epee Lea
Re: [squid-users] Transparent caching problem
Kamel, I used 1- For gre tunned, after loading ip_gre module at startup, I have this gre interface. You can copie it exactly the IP address in there doesn't matter. [EMAIL PROTECTED] network-scripts]# cat ifcfg-gre0 DEVICE=gre0 BOOTPROTO=static IPADDR=172.16.1.6 NETMASK=255.255.255.252 ONBOOT=yes IPV6INIT=no and 2- for ip tables -A PREROUTING -s My_Network/20 -d ! My_Network/20 -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination my_cache_server_IP:3128 This is where I was mistaken, after doing this it worked!! 3- Make sure your /etc/sysctl.conf is allright too # Controls IP packet forwarding net.ipv4.ip_forward = 1 # Controls source route verification net.ipv4.conf.default.rp_filter = 0 For more details on IP tables and GRE, please check these links ;) http://www.reub.net/node/3 http://www.squid-cache.org/mail-archive/squid-users/200510/0027.html Hope this helps, -- -- Daniel Epee Lea
Re: [squid-users] Transparent caching problem
Everyone, I ran out of file descriptors after putting this config for 1 minute on a high volume network. I'll improve it with iptables REDIRECT and load gre module at startup. Much Regards, Dan On 3/15/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote: > ons 2006-03-15 klockan 16:56 +0545 skrev arabinda: > > > If the http traffic is very high, is it possible that DNAT can be a bottle > > neck? > > If you run out of iptables/netfilter conntrack entries then performance > will go down the drain. This gets logged in the kernel syslog messages > if it happens.. > > Regards > Henrik > > > -BEGIN PGP SIGNATURE- > Version: GnuPG v1.4.2.2 (GNU/Linux) > > iD8DBQBEGBCx516QwDnMM9sRAswLAJ9vTz1KJr4pVVzXs4V9jZDSgFWWnACfWSL5 > hThmu9yxZNE9A5tyGuzmKf4= > =aO+b > -----END PGP SIGNATURE- > > > -- -- Daniel Epee Lea
[squid-users] WCCP+ Squid Slowing internet browsing , how to improve it ?
Hi, Squid-2.5-STABLE12 + ip_gre WCCP + RHEL v4 U2 + 4Gigs RAM + Cache Dir to be 45 Gigs, but only 20Gigs now I have a high volume network ( /19) I had to increase the number of file descriptors and rebuild squid. Now it works Ok, But I notice a major slowness in browsing the internet. Plus site with streaming media take too much time to load. From some parts of my network, I get "Unable to reach Website answer" This is my config, --- iptables -nL -t nat Chain PREROUTING (policy ACCEPT) target prot opt source destination DNAT tcp -- [MyNet]/19 ![MyNet]/19 tcp dpt:80 to:[Cache IP]:3128 --- http_port [Cache IP]:3128 icp_port 3130 hierarchy_stoplist cgi-bin ? acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY cache_mem 256 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 8 KB cache_dir ufs /usr/local/squid/var/cache 20240 16 256 cache_access_log /var/log/squid/access.log cache_log /var/log/squid/cache.log cache_store_log /var/log/squid/store.log mime_table /usr/local/squid/etc/mime.conf pid_filename /var/run/squid.pid auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off refresh_pattern ^ftp: 144020% 10080 refresh_pattern ^gopher:14400% 1440 refresh_pattern . 0 20% 4320 acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl myacl src [MyNET] http_access allow myacl http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports acl our_networks src [MyNET] http_access allow our_networks http_access deny all http_reply_access allow all icp_access allow all icp_access allow all tcp_outgoing_address [CacheIP] cache_mgr [EMAIL PROTECTED] cache_effective_user squid cache_effective_group squid visible_hostname cache.domain.com httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on logfile_rotate 10 forwarded_for on cachemgr_passwd * snmp_port 3401 snmp_access deny all wccp_router [Router IP] wccp_version 4 wccp_outgoing_address [CacheIP] coredump_dir /usr/local/squid/var/cache How can i improve it ? so the all the serveices ate allowed without restriction ? Thanks for your answers Much regards, -- Dan
[squid-users] Re: WCCP+ Squid Slowing internet browsing , how to improve it ?
Hello, This is my Cache.log info 2006/03/18 22:19:54| clientReadRequest: FD 3476 Invalid Request 2006/03/18 22:19:57| parseHttpRequest: Unsupported method 'recipientid=105&sessionid=2197 ' 2006/03/18 22:19:57| clientReadRequest: FD 148 Invalid Request 2006/03/18 22:20:17| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:17| clientReadRequest: FD 3382 Invalid Request 2006/03/18 22:20:30| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:30| clientReadRequest: FD 2515 Invalid Request 2006/03/18 22:20:38| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:38| clientReadRequest: FD 1091 Invalid Request 2006/03/18 22:20:45| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:45| clientReadRequest: FD 382 Invalid Request 2006/03/18 22:20:52| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:52| clientReadRequest: FD 2548 Invalid Request 2006/03/18 22:21:12| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:21:12| clientReadRequest: FD 3150 Invalid Request 2006/03/18 22:21:36| parseHttpRequest: Unsupported method 'recipientid=155&sessionid=2873 ' 2006/03/18 22:21:36| clientReadRequest: FD 376 Invalid Request 2006/03/18 22:21:36| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:21:36| clientReadRequest: FD 460 Invalid Request 2006/03/18 22:21:38| parseHttpRequest: Unsupported method 'recipientid=155&sessionid=2873 ' 2006/03/18 22:21:38| clientReadRequest: FD 1655 Invalid Request 2006/03/18 22:21:39| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:21:39| clientReadRequest: FD 1655 Invalid Request 2006/03/18 22:22:10| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:10| clientReadRequest: FD 2515 Invalid Request 2006/03/18 22:22:27| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:27| clientReadRequest: FD 251 Invalid Request 2006/03/18 22:22:44| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:44| clientReadRequest: FD 776 Invalid Request 2006/03/18 22:22:51| parseHttpRequest: Unsupported method 'recipientid=114&sessionid=914 2006/03/18 22:22:51| clientReadRequest: FD 1490 Invalid Request 2006/03/18 22:22:55| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:55| clientReadRequest: FD 2858 Invalid Request 2006/03/18 22:23:02| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:23:02| clientReadRequest: FD 674 Invalid Request 2006/03/18 22:23:16| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:23:16| clientReadRequest: FD 45 Invalid Request Regards, Dan On 3/18/06, Daniel EPEE LEA <[EMAIL PROTECTED]> wrote: > Hi, > > Squid-2.5-STABLE12 + ip_gre WCCP + RHEL v4 U2 + 4Gigs RAM + Cache > Dir to be 45 Gigs, but only 20Gigs now > > I have a high volume network ( /19) > I had to increase the number of file descriptors and rebuild squid. > Now it works Ok, > > But I notice a major slowness in browsing the internet. Plus site > with streaming media take too much time to load. From some parts of my > network, I get "Unable to reach Website answer" > > This is my config, > --- > iptables -nL -t nat > Chain PREROUTING (policy ACCEPT) > target prot opt source destination > DNAT tcp -- [MyNet]/19 ![MyNet]/19 tcp dpt:80 to:[Cache > IP]:3128 > > --- > http_port [Cache IP]:3128 > icp_port 3130 > hierarchy_stoplist cgi-bin ? > acl QUERY urlpath_regex cgi-bin \? > no_cache deny QUERY > cache_mem 256 MB > cache_swap_low 90 > cache_swap_high 95 > maximum_object_size 4096 KB > minimum_object_size 0 KB > maximum_object_size_in_memory 8 KB > cache_dir ufs /usr/local/squid/var/cache 20240 16 256 > cache_access_log /var/log/squid/access.log > cache_log /var/log/squid/cache.log > cache_store_log /var/log/squid/store.log > mime_table /usr/local/squid/etc/mime.conf > pid_filename /var/run/squid.pid > auth_param basic children 5 > auth_param basic realm Squid proxy-caching web server > auth_param basic credentialsttl 2 hours > auth_param basic casesensitive off > refresh_pattern ^ftp: 144020% 10080 > refresh_pattern ^gopher:14400% 1440 > refresh_pattern . 0 20% 4320 > acl all src 0.0.0.0/0.0.0.0 > acl manager proto cache_object > acl localhost src 127.0.0.1/255.255.255.255 > acl to_localhost dst 127.0.0.0/8 > acl SSL_ports port 443 563 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 563 # https, snews > acl Safe_ports port 70 # gopher > acl Safe_port
[squid-users] Re: Help, Help, help Squid2.5-Stables13 + WCCP
Hello, I have configured squid-2.5-Statble13 + WCCP + iptables DNAT But I have to many invalid request. I have noticed that the WCCP Router info shows the Router loopback interface intead of the wccp router IP address. Can that be a problem ? How do I get read of the unsupported methods issues that I have ? This is my Cache.log info 2006/03/18 22:19:54| clientReadRequest: FD 3476 Invalid Request 2006/03/18 22:19:57| parseHttpRequest: Unsupported method 'recipientid=105&sessionid=2197 ' 2006/03/18 22:19:57| clientReadRequest: FD 148 Invalid Request 2006/03/18 22:20:17| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:17| clientReadRequest: FD 3382 Invalid Request 2006/03/18 22:20:30| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:30| clientReadRequest: FD 2515 Invalid Request 2006/03/18 22:20:38| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:38| clientReadRequest: FD 1091 Invalid Request 2006/03/18 22:20:45| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:45| clientReadRequest: FD 382 Invalid Request 2006/03/18 22:20:52| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:20:52| clientReadRequest: FD 2548 Invalid Request 2006/03/18 22:21:12| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:21:12| clientReadRequest: FD 3150 Invalid Request 2006/03/18 22:21:36| parseHttpRequest: Unsupported method 'recipientid=155&sessionid=2873 ' 2006/03/18 22:21:36| clientReadRequest: FD 376 Invalid Request 2006/03/18 22:21:36| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:21:36| clientReadRequest: FD 460 Invalid Request 2006/03/18 22:21:38| parseHttpRequest: Unsupported method 'recipientid=155&sessionid=2873 ' 2006/03/18 22:21:38| clientReadRequest: FD 1655 Invalid Request 2006/03/18 22:21:39| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:21:39| clientReadRequest: FD 1655 Invalid Request 2006/03/18 22:22:10| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:10| clientReadRequest: FD 2515 Invalid Request 2006/03/18 22:22:27| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:27| clientReadRequest: FD 251 Invalid Request 2006/03/18 22:22:44| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:44| clientReadRequest: FD 776 Invalid Request 2006/03/18 22:22:51| parseHttpRequest: Unsupported method 'recipientid=114&sessionid=914 2006/03/18 22:22:51| clientReadRequest: FD 1490 Invalid Request 2006/03/18 22:22:55| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:22:55| clientReadRequest: FD 2858 Invalid Request 2006/03/18 22:23:02| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:23:02| clientReadRequest: FD 674 Invalid Request 2006/03/18 22:23:16| parseHttpRequest: Unsupported method 'REGISTER' 2006/03/18 22:23:16| clientReadRequest: FD 45 Invalid Request Much Regards Daniel On 3/18/06, Daniel EPEE LEA <[EMAIL PROTECTED]> wrote: > Hi, > > Squid-2.5-STABLE13 + ip_gre WCCP + RHEL v4 U2 + 4Gigs RAM + Cache > Dir to be 45 Gigs, but only 20Gigs now > > I have a high volume network ( /19) > I had to increase the number of file descriptors and rebuild squid. > Now it works Ok, > > But I notice a major slowness in browsing the internet. Plus site > with streaming media take too much time to load. From some parts of my > network, I get "Unable to reach Website answer" > > This is my config, > --- > iptables -nL -t nat > Chain PREROUTING (policy ACCEPT) > target prot opt source destination > DNAT tcp -- [MyNet]/19 ![MyNet]/19 tcp dpt:80 to:[Cache > IP]:3128 > > --- > http_port [Cache IP]:3128 > icp_port 3130 > hierarchy_stoplist cgi-bin ? > acl QUERY urlpath_regex cgi-bin \? > no_cache deny QUERY > cache_mem 256 MB > cache_swap_low 90 > cache_swap_high 95 > maximum_object_size 4096 KB > minimum_object_size 0 KB > maximum_object_size_in_memory 8 KB > cache_dir ufs /usr/local/squid/var/cache 20240 16 256 > cache_access_log /var/log/squid/access.log > cache_log /var/log/squid/cache.log > cache_store_log /var/log/squid/store.log > mime_table /usr/local/squid/etc/mime.conf > pid_filename /var/run/squid.pid > auth_param basic children 5 > auth_param basic realm Squid proxy-caching web server > auth_param basic credentialsttl 2 hours > auth_param basic casesensitive off > refresh_pattern ^ftp: 144020% 10080 > refresh_pattern ^gopher:14400% 1440 > refresh_pattern . 0 20% 4320 > acl all src 0.0.0.0/0.0.0.0 > acl manager proto cache_object >
[squid-users] squid + wccp tuning
Hi List, I have implemented WCCP + Squid-2.5 Stable 12 with help from list, and it is working, But it's is so much slowing the network. Please can you share working configurations? Waiting for advice, Much Regards, Dan PS : My cache.log looks like: 2006/03/20 22:21:13| clientReadRequest: FD 1694 Invalid Request 2006/03/20 22:21:32| parseHttpRequest: Unsupported method 'recipientid=165&sessi onid=9731 ' 2006/03/20 22:21:32| clientReadRequest: FD 1842 Invalid Request 2006/03/20 22:21:32| parseHttpRequest: Unsupported method 'recipientid=165&sessi onid=9731 ' 2006/03/20 22:21:32| clientReadRequest: FD 1899 Invalid Request 2006/03/20 22:21:33| httpReadReply: Excess data from "GET http://www.hi5.com/fri end/styles/style.css" 2006/03/20 22:21:38| parseHttpRequest: Unsupported method 'recipientid=200&sessi onid=9913 ' 2006/03/20 22:21:38| clientReadRequest: FD 1945 Invalid Request 2006/03/20 22:21:41| clientReadRequest: FD 1909 Invalid Request 2006/03/20 22:21:42| httpReadReply: Request not yet fully sent "POST http://avew ink.coconia.net/tab/index.php" 2006/03/20 22:21:46| clientReadRequest: FD 2019 Invalid Request 2006/03/20 22:21:50| clientReadRequest: FD 2038 Invalid Request 2006/03/20 22:21:53| clientReadRequest: FD 733 Invalid Request 2006/03/20 22:21:53| clientReadRequest: FD 1424 Invalid Request 2006/03/20 22:22:02| clientReadRequest: FD 1293 Invalid Request 2006/03/20 22:22:07| parseHttpRequest: Unsupported method 'recipientid=105&sessi onid=4000 ' 2006/03/20 22:22:07| clientReadRequest: FD 2110 Invalid Request 2006/03/20 22:22:08| parseHttpRequest: Unsupported method 'recipientid=160&sessi onid=9436 ' 2006/03/20 22:22:08| clientReadRequest: FD 319 Invalid Request 2006/03/20 22:22:08| clientReadRequest: FD 2116 Invalid Request 2006/03/20 22:22:10| parseHttpRequest: Unsupported method 'recipientid=127&sessi onid=7938 ' 2006/03/20 22:22:10| clientReadRequest: FD 1669 Invalid Request 2006/03/20 22:22:16| clientReadRequest: FD 2180 Invalid Request 2006/03/20 22:22:22| clientReadRequest: FD 1252 Invalid Request 2006/03/20 22:22:23| clientReadRequest: FD 64 Invalid Request 2006/03/20 22:22:25| clientReadRequest: FD 1904 Invalid Request 2006/03/20 22:22:29| clientReadRequest: FD 2071 Invalid Request 2006/03/20 22:22:38| clientReadRequest: FD 2207 Invalid Request 2006/03/20 22:22:44| parseHttpRequest: Unsupported method 'recipientid=164&sessi onid=9832 ' 2006/03/20 22:22:44| clientReadRequest: FD 2282 Invalid Request 2006/03/20 22:22:45| clientReadRequest: FD 1244 Invalid Request 2006/03/20 22:22:46| Request header is too large (20489 bytes) 2006/03/20 22:22:46| Config 'request_header_max_size'= 20480 bytes. 2006/03/20 22:22:52| Request header is too large (20489 bytes) 2006/03/20 22:22:52| Config 'request_header_max_size'= 20480 bytes. 2006/03/20 22:22:52| clientReadRequest: FD 2231 Invalid Request 2006/03/20 22:22:56| clientReadRequest: FD 1910 Invalid Request 2006/03/20 22:23:02| clientReadRequest: FD 2159 Invalid Request 2006/03/20 22:23:03| clientReadRequest: FD 2090 Invalid Request 2006/03/20 22:23:10| clientReadRequest: FD 769 Invalid Request 2006/03/20 22:23:12| WARNING: 1 swapin MD5 mismatches 2006/03/20 22:23:17| clientReadRequest: FD 1345 Invalid Request 2006/03/20 22:23:24| clientReadRequest: FD 578 Invalid Request -- -- Daniel Epee Lea
Re: [squid-users] squid + wccp tuning
Bryan, Thanks a lot for the hin. I appreciate that. I wanted to know if you experienced the same problems in your cache.log file, out of the "hotmail issue". Once that patch is applied, is there any change to squid.conf ? Much regards, Daniel On 3/21/06, Shoebottom, Bryan <[EMAIL PROTECTED]> wrote: > Daniel, > > I am still in the middle of testing with a hotmail problem, but what > seems to have resolved it is the wccpv2 patch, maybe it's worth trying > that? > http://devel.squid-cache.org/projects.html#visolve_wccpv2 > > cd squid-2.5.STABLExx > patch -p1 < ../patchname > > ./bootstrap.sh > > You may need autoconf/automake (or if bootstrap gives errors you may > need different versions). I used: > http://ftp.gnu.org/gnu/autoconf/autoconf-2.13.tar.gz > http://ftp.gnu.org/gnu/automake/automake-1.5.tar.gz > > A simple ./configure then make;make install will do for these. > > Thanks, > Bryan > > > -Original Message- > From: Daniel EPEE LEA [mailto:[EMAIL PROTECTED] > Sent: March 21, 2006 6:51 AM > To: squid-users@squid-cache.org > Subject: [squid-users] squid + wccp tuning > > Hi List, > > I have implemented WCCP + Squid-2.5 Stable 12 with help from list, > and it is working, But it's is so much slowing the network. > > Please can you share working configurations? > > Waiting for advice, > > Much Regards, > > Dan > > PS : My cache.log looks like: > > 2006/03/20 22:21:13| clientReadRequest: FD 1694 Invalid Request > 2006/03/20 22:21:32| parseHttpRequest: Unsupported method > 'recipientid=165&sessi > onid=9731 > > ' > 2006/03/20 22:21:32| clientReadRequest: FD 1842 Invalid Request > 2006/03/20 22:21:32| parseHttpRequest: Unsupported method > 'recipientid=165&sessi > onid=9731 > > ' > 2006/03/20 22:21:32| clientReadRequest: FD 1899 Invalid Request > 2006/03/20 22:21:33| httpReadReply: Excess data from "GET > http://www.hi5.com/fri > end/styles/style.css" > 2006/03/20 22:21:38| parseHttpRequest: Unsupported method > 'recipientid=200&sessi > onid=9913 > > ' > 2006/03/20 22:21:38| clientReadRequest: FD 1945 Invalid Request > 2006/03/20 22:21:41| clientReadRequest: FD 1909 Invalid Request > 2006/03/20 22:21:42| httpReadReply: Request not yet fully sent "POST > http://avew > ink.coconia.net/tab/index.php" > 2006/03/20 22:21:46| clientReadRequest: FD 2019 Invalid Request > 2006/03/20 22:21:50| clientReadRequest: FD 2038 Invalid Request > 2006/03/20 22:21:53| clientReadRequest: FD 733 Invalid Request > 2006/03/20 22:21:53| clientReadRequest: FD 1424 Invalid Request > 2006/03/20 22:22:02| clientReadRequest: FD 1293 Invalid Request > 2006/03/20 22:22:07| parseHttpRequest: Unsupported method > 'recipientid=105&sessi > onid=4000 > > ' > 2006/03/20 22:22:07| clientReadRequest: FD 2110 Invalid Request > 2006/03/20 22:22:08| parseHttpRequest: Unsupported method > 'recipientid=160&sessi > onid=9436 > > ' > 2006/03/20 22:22:08| clientReadRequest: FD 319 Invalid Request > 2006/03/20 22:22:08| clientReadRequest: FD 2116 Invalid Request > 2006/03/20 22:22:10| parseHttpRequest: Unsupported method > 'recipientid=127&sessi > onid=7938 > > ' > 2006/03/20 22:22:10| clientReadRequest: FD 1669 Invalid Request > 2006/03/20 22:22:16| clientReadRequest: FD 2180 Invalid Request > 2006/03/20 22:22:22| clientReadRequest: FD 1252 Invalid Request > 2006/03/20 22:22:23| clientReadRequest: FD 64 Invalid Request > 2006/03/20 22:22:25| clientReadRequest: FD 1904 Invalid Request > 2006/03/20 22:22:29| clientReadRequest: FD 2071 Invalid Request > 2006/03/20 22:22:38| clientReadRequest: FD 2207 Invalid Request > 2006/03/20 22:22:44| parseHttpRequest: Unsupported method > 'recipientid=164&sessi > onid=9832 > > ' > 2006/03/20 22:22:44| clientReadRequest: FD 2282 Invalid Request > 2006/03/20 22:22:45| clientReadRequest: FD 1244 Invalid Request > 2006/03/20 22:22:46| Request header is too large (20489 bytes) > 2006/03/20 22:22:46| Config 'request_header_max_size'= 20480 bytes. > 2006/03/20 22:22:52| Request header is too large (20489 bytes) > 2006/03/20 22:22:52| Config 'request_header_max_size'= 20480 bytes. > 2006/03/20 22:22:52| clientReadRequest: FD 2231 Invalid Request > 2006/03/20 22:22:56| clientReadRequest: FD 1910 Invalid Request > 2006/03/20 22:23:02| clientReadRequest: FD 2159 Invalid Request > 2006/03/20 22:23:03| clientReadRequest: FD 2090 Invalid Request > 2006/03/20 22:23:10| clientReadRequest: FD 769 Invalid Request > 2006/03/20 22:23:12| WARNING: 1 swapin MD5 mismatches > 2006/03/20 22:23:17| clientReadRequest: FD 1345 Invalid Request > 2006/03/20 22:23:24| clientReadRequest: FD 578 Invalid Request > > -- > -- > Daniel Epee Lea > -- -- Daniel Epee Lea
Re: [squid-users] Ulimit and File-max value.
ogu, I have almost the same setup and I have et ulimit to 16384 and it works well. the issue of "Running out of FD" is gone. Daniel On 3/23/06, Logu <[EMAIL PROTECTED]> wrote: > Hello all, > I am using squid-2.5.STABLE12 in FC4 with kernel version 2.6. i have a 2GB > of RAM in my machine. I frequently get error message saying running out of > file Descriptors. So i am planning to recompile squid by increasing the > file-max and setting ulimit. I am not clear what value should I set for > them. I am planning to assign 32768. What are the drawbacks if I set it to > very high value. > > Thanks > -ogu > > -- Much Regards, Daniel Epee Lea
[squid-users] Squid options in deamon mode
Hello, What is the best option to start squid in deamon mode and avoid these errors ? I run RHEL V4 + squid stable 13, + wccp. Regards, Running: squid -sY >> /usr/local/squid/var/squid.out 2>&1 /usr/local/squid/bin/RunCache: line 35: 6794 File size limit exceededsquid -NsY $conf >>$logdir/squid.out 2>&1 Running: squid -sY >> /usr/local/squid/var/squid.out 2>&1 /usr/local/squid/bin/RunCache: line 35: 6801 File size limit exceededsquid -NsY $conf >>$logdir/squid.out 2>&1 Running: squid -sY >> /usr/local/squid/var/squid.out 2>&1 /usr/local/squid/bin/RunCache: line 35: 6809 File size limit exceededsquid -NsY $conf >>$logdir/squid.out 2>&1 -- Much Regards, Dan
[squid-users] Squid + Websense
Hello, Does anyone have links about squid + websense integration ? Is there an altenative to Websense in the opensource world ? Thanks for links and advice. Regards, Daniel - T OG O D B ET H E G L O R Y :) -- __ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
[squid-users] Squid-2.5 Stable 7 for Solaris 10 sparc
Hello, Please where can I find Solaris 10 package of Squid-2.5Stable 7 Sparc or above 64bits ? or sparc 32 bits ? Thanks a loot!! -- Much Regards, Daniel Epee Lea
[squid-users] The redirector helpers are crashing too rapidly, need help!
Hi Everyone, CSW Squid 2.5 Stable 12 + Solaris 10 sparc zone + Websense 6.2 I have these errors when I start Websense or squid. Please what should I do to get this up and running ? Much regards, /var/adm/messages Output Jul 11 18:18:57 zone3 squid[2631]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 11 18:19:01 zone3 squid[2787]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 11 18:19:05 zone3 squid[2821]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 11 18:19:08 zone3 squid[2855]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 11 18:19:12 zone3 squid[2889]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 11 18:19:12 zone3 squid[2629]: [ID 567784 local4.alert] Exiting due to repeated, frequent failures Jul 12 20:06:58 zone3 squid[7081]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 12 20:07:02 zone3 squid[7123]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 12 20:07:06 zone3 squid[7159]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 12 20:07:09 zone3 squid[7193]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 12 20:07:13 zone3 squid[7227]: [ID 702911 user.alert] The redirector helpers are crashing too rapidly, need help! Jul 12 20:07:13 zone3 squid[7079]: [ID 567784 local4.alert] Exiting due to repeated, frequent failures /opt/csw/var/logs/cache.log entries 2006/07/12 20:07:13| Swap maxSize 2048000 KB, estimated 157538 objects 2006/07/12 20:07:13| Target number of buckets: 7876 2006/07/12 20:07:13| Using 8192 Store buckets 2006/07/12 20:07:13| Max Mem size: 8192 KB 2006/07/12 20:07:13| Max Swap size: 2048000 KB 2006/07/12 20:07:13| Rebuilding storage in /opt/csw/var/cache (DIRTY) 2006/07/12 20:07:13| Using Least Load store dir selection 2006/07/12 20:07:13| Set Current Directory to /opt/csw/var/cache 2006/07/12 20:07:13| Loaded Icons. 2006/07/12 20:07:13| Accepting HTTP connections at 0.0.0.0, port 3128, FD 43. 2006/07/12 20:07:13| Accepting ICP messages at 0.0.0.0, port 3130, FD 44. 2006/07/12 20:07:13| Accepting SNMP messages on port 3401, FD 45. 2006/07/12 20:07:13| WCCP Disabled. 2006/07/12 20:07:13| Pinger socket opened on FD 47 2006/07/12 20:07:13| Ready to serve requests. 2006/07/12 20:07:13| WARNING: redirector #1 (FD 8) exited 2006/07/12 20:07:13| WARNING: redirector #2 (FD 9) exited 2006/07/12 20:07:13| WARNING: redirector #3 (FD 10) exited 2006/07/12 20:07:13| WARNING: redirector #4 (FD 11) exited 2006/07/12 20:07:13| WARNING: redirector #5 (FD 12) exited 2006/07/12 20:07:13| WARNING: redirector #6 (FD 13) exited 2006/07/12 20:07:13| WARNING: redirector #7 (FD 14) exited 2006/07/12 20:07:13| WARNING: redirector #8 (FD 15) exited 2006/07/12 20:07:13| WARNING: redirector #9 (FD 16) exited 2006/07/12 20:07:13| WARNING: redirector #10 (FD 17) exited 2006/07/12 20:07:13| WARNING: redirector #11 (FD 18) exited 2006/07/12 20:07:13| WARNING: redirector #12 (FD 19) exited 2006/07/12 20:07:13| WARNING: redirector #13 (FD 20) exited 2006/07/12 20:07:13| WARNING: redirector #14 (FD 21) exited 2006/07/12 20:07:13| WARNING: redirector #15 (FD 22) exited 2006/07/12 20:07:13| Too few redirector processes are running FATAL: The redirector helpers are crashing too rapidly, need help! Squid Cache (Version 2.5.STABLE12): Terminated abnormally. CPU Usage: 0.101 seconds = 0.040 user + 0.062 sys Maximum Resident Size: 0 KB Page faults with physical i/o: 33192656 -- Thanks & Much Regards, Daniel Epee Lea
