Re: [squid-users] Re: Transparent proxying HTTPS through Squid

2008-01-06 Thread Dumpolid Exeplish
Adrian,

How can this be possible? Can you explain?

On Jan 4, 2008 10:23 AM, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> On Fri, Jan 04, 2008, Bert Moorthaemer wrote:
> > Hi Karl,
> >
> > I already found it ... it's not possible. Thx for the answer though ...
>
> Pish. Course it's possible. It's just not possible the way you think
> it should be possible. :)
>
> Adrian
>


[squid-users] Building a Squid Cache Brouter

2008-11-13 Thread Dumpolid Exeplish
Hello All,

I am trying to build a transparent Squid server on a Linux 2.6 kernel
using the bridging code (br-nf):

INTERNET_GW  <== BRIDGE/SQUID  <=== Client Nat Router

In this setup, the Client NAT router has the entire LAN behind it and
the Client NAT router will have its default gateway as the
INTERNET_GW's IP address.
The BRIDGE/SQUID box will have two Ethernet cards, one connecting to
the "Client NAT Router" and the other connected to the INTERNET_GW.
The BRIDGE/SQUID box will have one IP address on which Squid will be
listening for connections.

My aim is to transparently redirect HTTP traffic passing from the
"Client NAT Router" to the Squid process configured on the router
without altering the gateway of the Client NAT Router.

Here are some of the ebtables/iptables rules that I have tried, but at
this point I am not sure how to proceed:

# Rewrite the destination MAC of HTTP and FTP frames arriving on the inside bridge port to the bridge's own
ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol tcp --ip-dport 80 -j redirect --redirect-target ACCEPT
ebtables -t broute -A BROUTING --in-if $BR_IN -p IPv4 --ip-protocol tcp --ip-dport 21 -j redirect --redirect-target ACCEPT
# Flush the filter, nat and mangle tables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Host firewall
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $BR_IN -j ACCEPT
# Hand intercepted connections to Squid
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-ports $CACHE_PORT
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 21 -j REDIRECT --to-ports $CACHE_PORT
iptables -t nat -A PREROUTING -i $BR_IN -p tcp --dport 80 -j REDIRECT --to-ports $CACHE_PORT
iptables -t nat -A PREROUTING -i $BR_IN -p tcp --dport 21 -j REDIRECT --to-ports $CACHE_PORT

Could anyone out there help explain how to progress? Is this
even possible at all?
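
An added example, not the poster's script and not from the Squid project, showing one complete rule set for this layout, written as a dry-run script so the generated commands can be reviewed before they are applied as root. It assumes the bridge is br0 with eth0 as the port facing the client NAT router, that Squid 2.6 is configured with `http_port 3128 transparent`, and that the box has only the bridge's IP address; interface names and port numbers are placeholders to adjust.

```sh
#!/bin/sh
# Added example, not the poster's rule set: generate (or apply) the rules for a
# Squid brouter that intercepts client HTTP on the inside bridge port.
# Interface names and the cache port are assumptions for this illustration.
BR_IN="${BR_IN:-eth0}"            # assumed: bridge port facing the client NAT router
BRIDGE="${BRIDGE:-br0}"           # assumed: bridge device that carries the box's IP
CACHE_PORT="${CACHE_PORT:-3128}"  # assumed: Squid's "http_port 3128 transparent"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, 0 = execute them (root)

# run CMD... : print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

brouter_rules() {
    # 1. Rewrite the destination MAC of client HTTP frames to the bridge's own
    #    address. The bridge then delivers them to the local IP stack on $BRIDGE
    #    instead of forwarding them out the far port. ACCEPT keeps the frame in
    #    the bridge; DROP in the BROUTING chain would mean "route it" instead.
    run ebtables -t broute -A BROUTING --in-if "$BR_IN" -p IPv4 \
        --ip-protocol tcp --ip-dport 80 -j redirect --redirect-target ACCEPT

    # 2. Locally delivered frames show up in iptables on $BRIDGE, which owns the
    #    IP address that REDIRECT maps the destination to. Port 80 only: Squid
    #    speaks HTTP, so redirecting native FTP (port 21) to it would break FTP.
    run iptables -t nat -A PREROUTING -i "$BRIDGE" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$CACHE_PORT"

    # 3. Host firewall: default deny, then only what the proxy needs (add your
    #    own management access, e.g. SSH from an admin host, on top of this).
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$BRIDGE" -p tcp --dport "$CACHE_PORT" -j ACCEPT
}

# count_rules PATTERN : number of generated commands matching PATTERN
count_rules() {
    ( DRY_RUN=1; brouter_rules ) | grep -c -- "$1"
}

brouter_rules
```

Run it as-is to print the commands; set DRY_RUN=0 to apply them. Two details decide whether the interception works: the ebtables redirect changes the destination MAC so the bridge delivers the frame locally rather than out the other port, which is why the iptables rule matches on br0 and not on the physical port, and Squid must be told the port is intercepted (`transparent` on 2.6), otherwise it treats the request as a normal forward-proxy request and rejects the relative URL.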


[squid-users] WCCP on Squid 2.6 (URGENT)

2006-12-01 Thread Dumpolid Exeplish

Hi everyone,
For about a week now, I have been trying to configure WCCP (v2) on Squid
to work with a Cisco 3640 router. Squid was able to register with the
router (this was after I configured GRE tunnels and enabled iptables
redirect). Now my network administrator says he would like to have
WCCP enabled at layer 2 (because we would be implementing this on a
6509) and also that Squid should be configured to register to a
multicast IP address so that several routers within this group can
get the registration request and use the Squid box together.
I have tested the multicast IP address with the 3640 but the router
was unable to register this. I think it has to do with the fact that
the Squid box is not enabled for multicast.

So:

1) Is it possible to use Squid's WCCP capabilities with a multicast address?
2) Is it possible to register with more than one Cisco router?
3) Is it possible to do layer 2 WCCP as against layer 3?

Thanks


Re: [squid-users] WCCP on Squid 2.6 (URGENT)

2006-12-01 Thread Dumpolid Exeplish

Thanks for the reply, I will keep checking my mail for your feedback.

On 12/1/06, Adrian Chadd <[EMAIL PROTECTED]> wrote:

On Fri, Dec 01, 2006, Dumpolid Exeplish wrote:
> Hi everyone,
> For about a week now, I have been trying to configure WCCP (v2) on Squid
> to work with a Cisco 3640 router. Squid was able to register with the
> router (this was after I configured GRE tunnels and enabled iptables
> redirect). Now my network administrator says he would like to have
> WCCP enabled at layer 2 (because we would be implementing this on a
> 6509) and also that Squid should be configured to register to a
> multicast IP address so that several routers within this group can
> get the registration request and use the Squid box together.
> I have tested the multicast IP address with the 3640 but the router
> was unable to register this. I think it has to do with the fact that
> the Squid box is not enabled for multicast.
>
> So:
>
> 1) Is it possible to use Squid's WCCP capabilities with a multicast address?

Hm, I've seen the WCCPv2 multicast support but I don't think there's
code in Squid-2.6 to use it.

> 2) Is it possible to register with more than one Cisco router?

Yes; but I haven't yet got an example of how it's done up on the Wiki.
I'll keep you posted with my progress. There are a few things which may
need changing in the WCCPv2 code - specifically to allow one Squid to
register L2 -and- GRE depending upon the router.

> 3) Is it possible to do layer 2 WCCP as against layer 3?

This is implemented based on the actual equipment -
router routers (eg 2600, 3600, 7200) speak WCCPv2 w/ GRE and not L2.
TCAM-based routers (eg 3550, 4500, 6500, 7600) speak WCCPv2 w/ L2.
I don't recall there being an option to use L2 redirection on the
2651, 3640 or 7204 I've got here.


--
- Xenion - http://www.xenion.com.au/ - Hosting and Commercial Squid Support -



[squid-users] Squid Optimization

2006-12-05 Thread Dumpolid Exeplish

Hi all,
Is there a way to cache Microsoft updates, so as to ensure that the
next time a user requests these specific updates, they are available
off Squid?

Also, is there any method of enabling prefetch in Squid? I am using
Version 2.6 (stable5).


Re: [squid-users] anonymous again...

2006-12-06 Thread Dumpolid Exeplish

If you continue giving info like this, someone may hack you.

On 12/6/06, Marc-Olivier Meunier <[EMAIL PROTECTED]> wrote:

Hi all,

Had a look at the archives before asking but I can't find my answer.

I'm living in Finland and I'm trying to access a French VOD site
(because I'm French) but this site doesn't let me in.

So I've set up a squid proxy on a box located in France with a French IP.

I've used the forwarded_for off option but still this site detects that
I'm using a proxy and, since it doesn't know where it comes from, it
doesn't let me in.


When using a site like http://www.monip.org

it says:

IP : 88.191.16.144
--- oktober.momeunier.fr ---
1.1  oktober.momeunier.fr:3128 (squid/2.5.STABLE12)


---
Proxy detecté / Proxy detected
---


ORG_IP : 82.181.61.165
---  cs181061165.pp.htv.fi ---
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1) Gecko/20061010
Firefox/2.0


Here is my squid.conf:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563 1
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl LocalNet src  192.168.0.0/255.255.255.0
acl marco src 82.181.61.165
forwarded_for off
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow LocalNet
http_access allow marco
http_access deny all
icp_access allow all
log_fqdn on


Any idea?

Maybe I can change the IP in X-Forwarded-For?

--
Marc-Olivier Meunier
http://blog.momeunier.fr
+358 50 4840036



Re: [squid-users] WCCP on Squid 2.6 (URGENT)

2006-12-07 Thread Dumpolid Exeplish

After spending almost two weeks testing different Squid WCCP
configurations, I am able to post some results. First of all I would
like to discuss my setup.

We have a clientele base of about 1000 users simultaneously logged in. We
assigned public IP addresses to each of these customers. Network
traffic is described below:

clients => 6509 (catalyst) => NetEnforcer => 3550 (Switch) => Internet
              ||
          DMZ switch => Squid Cache

Please note that clients and Squid have public/routable IP
addresses and no form of NATing is required since they can all reach
each other.
WCCP redirect is done at the VLAN interface configured on the 6509 to
redirect traffic to the Squid cache. The Squid cache is able to
successfully register to the 6509 router and a GRE tunnel was formed.
During implementation, we had noticed that packets were not being
redirected even after Squid was successfully registered (with redirect
method set to GRE). I had noticed that packets were being redirected
via the loopback interface configured on the router. Thus, I had to
configure my remote GRE tunnel side with this loopback IP address.
Thus, my GRE tunnel is as such:

iptunnel add gre1 mode gre remote (router's loopback) local (eth0 ip) dev eth0
ifconfig gre1 127.0.0.2 up
iptables -t nat -A PREROUTING -i gre1 -d 0/0 -j DNAT --to-destination (eth0 ip)

The Squid process has been set to listen specifically on the eth0 IP address.
IP routing has been enabled on the system and rp_filter turned off on
all interfaces configured (including the gre1 tunnel interface).
Once this was done, the 6509 registered redirects and users were able to
browse the internet.

CONFUSION
The Squid system is currently registering an average of 21% hits but
the NetEnforcer system is not registering downward bandwidth usage.
According to NE, 80% of our customer traffic is HTTP, but there isn't a
significant reduction on the end of the Squid server.

The 6509 has been configured in such a way as to pass traffic directly
if the Squid cache is unavailable.

I have done a tcpdump (without listening to any specific host) and I
noticed that there were so many packets being dropped by the kernel
and very little traffic from the Squid server (this does not tally
with the way the Squid access logs fly past when I tail -f it).
I also noticed that the GRE tunnel (gre1) is registering RX packet
counts and absolutely no TX count. The eth0 interface is registering
both RX and TX.

Can someone help me out? I need to be really sure that I am doing the
right thing as far as Linux/Squid is concerned.

Thanks

On 12/3/06, Sean <[EMAIL PROTECTED]> wrote:

3560's operate the same, and 3750's are essentially just 3550's with
stacking, so they'd all be the same.

On 12/3/06, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> On Sun, Dec 03, 2006, Adrian Chadd wrote:
>
> > You'll want to use the mask assignment method over the default hash
> > method - the mask assignment method will allow a lot more traffic to
> > be redirected in hardware rather than being punted to the MSFC for
> > classification. All the classification is done in hardware rather than
> > bugging the MSFC for all/part of it.
> >
> > wccp2_assignment_method 2
>
> What I should've added there is to use the mask assignment for the
> switching-based Cisco kit - so 6500 and 7600 at the very least;
> maybe later revisions of the 4500 speak it now. Cisco 3550 switches
> speak L2 redirection but not mask assignment. No concrete idea on
> the 3560/3750 switches but I suspect they'll use hash assignment
> for now rather than mask assignment.
>
> Adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - Hosting and Commercial Squid Support -
>
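
An added check, not the poster's commands and not Squid's own tooling, that reads per-interface packet counters in /proc/net/dev format and says whether the gre1 pattern described above (RX counts, no TX) is the healthy one. It reflects how WCCP GRE redirection works: the router only ever sends redirected client packets into the tunnel, and the cache answers the clients directly over its normal interface, so a tunnel that receives but never transmits is doing its job. The /proc/net/dev sample is constructed for the illustration; gre1 and eth0 are the names used in the post.

```sh
#!/bin/sh
# Added example, not the poster's commands: read the per-interface packet
# counters and judge the gre1 pattern. The /proc/net/dev text is constructed
# for illustration; gre1 and eth0 are the interface names from the post.
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  123456     1024    0    0    0     0          0         0   123456     1024    0    0    0     0       0          0
  eth0:987654321  8123456    0  112    0     0          0         0 1234567890  7998877    0    0    0     0       0          0
  gre1: 55667788   512345    0    0    0     0          0         0        0        0    0    0    0     0       0          0'

# iface_packets TEXT IFACE : print "RX_packets TX_packets" for one interface
iface_packets() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $0 ~ ("^ *" ifc ":") {
            # drop the "name:" prefix; on busy links the first counter can be
            # glued to the colon, so it cannot be treated as its own field
            sub(/^ *[^:]+:/, "")
            print $2, $10   # RX has 8 columns, so TX packets is column 10
        }'
}

# gre_tunnel_verdict TEXT : interpret the gre1 counters for a WCCPv2 cache.
# The router only sends redirected client packets into the tunnel; Squid
# answers the client straight out of eth0, so gre1 normally shows RX
# traffic and a TX count of zero.
gre_tunnel_verdict() {
    set -- $(iface_packets "$1" gre1)
    rx=${1:-0}; tx=${2:-0}
    if [ "$rx" -gt 0 ] && [ "$tx" -eq 0 ]; then
        echo "ok: gre1 rx=$rx tx=$tx (replies leave via eth0, TX=0 is expected)"
    elif [ "$rx" -eq 0 ]; then
        echo "problem: gre1 rx=0, the router is not redirecting into the tunnel"
    else
        echo "unexpected: gre1 tx=$tx, something is routing replies back into the tunnel"
    fi
}

# Live use on the cache box: gre_tunnel_verdict "$(cat /proc/net/dev)"
```

The useful signal is the combination: zero RX means the router is not redirecting at all (registration alone proves nothing), while non-zero TX means the box has a route sending replies back through the tunnel, which the WCCPv2 setup in the thread does not expect.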



Re: [squid-users] WCCP on Squid 2.6 (URGENT)

2006-12-07 Thread Dumpolid Exeplish

"So your confusion isn't that its working, but Netenforcer isn't reporting
any traffic savings? "

Precisely, NetEnforcer is not giving a physical (or logical) report on
bandwidth usage reduction.

I got these values from the Cache Manager CGI:

sample_start_time = 1165496653.636038 (Thu, 07 Dec 2006 13:04:13 GMT)
sample_end_time = 1165496953.638503 (Thu, 07 Dec 2006 13:09:13 GMT)
client_http.requests = 48.112938/sec
client_http.hits = 15.986535/sec
client_http.errors = 0.00/sec
client_http.kbytes_in = 41.296327/sec
client_http.kbytes_out = 476.482752/sec

I think these are pretty cool figures though and this actually shows
that Squid is actively working.

About the L2 redirects, how can I configure this? Can you please help
with configuration lines for both Squid and L2?

Or is it just as simple as the below:

wccp2_router (router public ip)
wccp2_address (eth0 Public ip)
wccp2_service standard 0 password=***
wccp2_forwarding_method 2

Could you please help with Cisco side configs specific for 6509?

Thanks for your response

On 12/7/06, Adrian Chadd <[EMAIL PROTECTED]> wrote:

On Thu, Dec 07, 2006, Dumpolid Exeplish wrote:


> clients => 6509 (catalyst) => NetEnforcer => 3550 (Switch) => Internet
>               ||
>           DMZ

Looks right. The netenforcer is going to see the Squid server making
all the requests (whilst squid is up, obviously.)

> iptunnel add gre1 mode gre remote (router's loopback) local (eth0 ip) dev
> eth0
> ifconfig gre1 127.0.0.2 up
> iptables -t nat -A PREROUTING -i gre1 -d 0/0 -j DNAT --to-destination (eth0
> ip)

I'd just bypass the GRE entirely when using a 6509 and use the L2 redirection
method. wccp2_forwarding_method 2 I believe will do it.

> CONFUSION
> The squid system is currently registering an average of 21% hits but
> the Net Enforcer system is not registering downward bandwidth usage.
> According to NE, 80% of our customer traffic is HTTP. but there isnt
> significant reduction on the end of the Squid server.

What's the byte hit rate shown in cachemgr for Squid? What do the 5 minute
counters indicate the client HTTP and server HTTP traffic are?

> I have done a tcp dump (without listening to any specific host) and i
> noticed that there were so many packets being dropped by the kernel
> and very little traffic from the Squid server (this does not tally
> with the way the squid access logs fly past when i tail -f it).
> i also noticed that the gre tunnel (gre1) is registering RX packet
> conts and absolutely no TX cont. the eth0 interface is registering
> both RX and TX.

You won't be returning any packets via the GRE tunnel. It's just to
get packets to the Squid server (in the current Squid+WCCPv2 setup,
that is.)

Again, I'd use the L2 forwarding method over GRE. It's less prone to
GRE weirdness and it'll result in less load on the routing side
of the 6509.

So your confusion isn't that it's working, but NetEnforcer isn't reporting
any traffic savings?



adrian


--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
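
To answer the byte-hit-rate question in the reply above, here is an added shell/awk example, not from the thread or from the Squid project, that turns a cachemgr 5min page into the two ratios that matter: the request hit ratio (the kind of "hits" figure quoted above) and the byte hit ratio, which is the only one a bandwidth monitor sitting in front of the cache can observe. The client_http lines are the values quoted above; the server.all.kbytes_in line is a constructed, assumed value because the post did not include it.

```sh
#!/bin/sh
# Added example, not part of the thread: compute request and byte hit ratios
# from a cachemgr "5min" page. The client_http.* lines are the figures quoted
# in the post; server.all.kbytes_in is a constructed, assumed value.
SAMPLE_5MIN='sample_start_time = 1165496653.636038 (Thu, 07 Dec 2006 13:04:13 GMT)
sample_end_time = 1165496953.638503 (Thu, 07 Dec 2006 13:09:13 GMT)
client_http.requests = 48.112938/sec
client_http.hits = 15.986535/sec
client_http.errors = 0.00/sec
client_http.kbytes_in = 41.296327/sec
client_http.kbytes_out = 476.482752/sec
server.all.kbytes_in = 370.000000/sec'

# counter NAME : read a 5min page on stdin, print NAME's value without "/sec"
counter() {
    awk -v key="$1" '$1 == key { sub("/sec", "", $3); print $3; exit }'
}

# request_hit_ratio TEXT : percentage of client requests answered as hits
request_hit_ratio() {
    req=$(printf '%s\n' "$1" | counter client_http.requests)
    hits=$(printf '%s\n' "$1" | counter client_http.hits)
    awk -v r="$req" -v h="$hits" 'BEGIN { printf "%.1f\n", 100 * h / r }'
}

# byte_hit_ratio TEXT : share of the bytes sent to clients that did not have
# to be fetched from origin servers in the same interval. This, not the
# request hit ratio, is what a bandwidth monitor upstream of the cache sees:
# many small hits can leave the upstream byte count almost unchanged.
byte_hit_ratio() {
    out=$(printf '%s\n' "$1" | counter client_http.kbytes_out)
    srv=$(printf '%s\n' "$1" | counter server.all.kbytes_in)
    awk -v o="$out" -v s="$srv" 'BEGIN { printf "%.1f\n", 100 * (o - s) / o }'
}

# Live use: squidclient mgr:5min > /tmp/5min && byte_hit_ratio "$(cat /tmp/5min)"
```

With the sample above the request hit ratio comes out near a third while the byte hit ratio is well below it; when the two diverge like this, the cache is working but mostly on small objects, which is exactly the situation in which an upstream traffic monitor shows little or no saving.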