RE: [squid-users] WCCP transparent proxy

2011-10-05 Thread Ritter, Nicholas
With current versions of TPROXY you should not do REDIRECTs. You should
do something like this:

-A DIVERT -j MARK --set-xmark 0x1/0x
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip
 --tproxy-mark 0x1/0x1

Redirects will work in some cases, but should not be used with WCCP and
recent versions of TPROXY.

My experience has been that doing a redirect alone will not always work
depending on the version of TPROXY/IPTABLES, and Cisco IOS.

YMMV,

Nick



-Original Message-
From: Horacio H. [mailto:pokehor...@gmail.com] 
Sent: Wednesday, October 05, 2011 9:12 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] WCCP transparent proxy

Hi,

You're missing a few things. Please review the FAQ again, here are some
hints:

1) Make sure there are no firewalls between your Squid and router
(WCCP).

2) Make sure the GRE module is loaded:

   modprobe ip_gre
   echo ip_gre >> /etc/modules

3) Create a GRE interface:

   ip tunnel add gre1 mode gre local 
   ip addr add /32 dev gre1
   ip link set gre1 up

4) Add a redirect rule in iptables:

   iptables -t nat -A PREROUTING -i gre1 -j REDIRECT --redirect-to


5) Make sure Squid was compiled with WCCP-v2 support.

6) WCCP-v2 squid's configuration:

   wccp2_router 

7) WCCP-v2 router's configuration:

   access-list 160 deny   ip  host  any
   access-list 160 permit tcp   any eq 80

   ip wccp version 2
   ip wccp web-cache redirect-list 160

   interface FastEthernet0/0
   ip wccp web-cache redirect in

Regards,
Horacio.



RE: [squid-users] Tproxy time

2011-08-20 Thread Ritter, Nicholas
What kernel/iptables/distro are you using?

I am getting this exact same problem and I copied the iptables rules
from my working TPROXY/SQUID setup and the only difference was the
kernel and iptables version.

I think there is some TPROXY breakage somewhere in the later kernels,
and/or iptables, and/or squid. I have been testing this with RHEL v6
kernel and iptables rpms with squid 3.1.14. I know the problem is
somewhere with iptables/kernel because a packet sniffer shows something
odd with the outgoing traffic from the squid software to the origin web
servers.

Nicholas

-Original Message-
From: User User [mailto:netwotkstud...@yahoo.com] 
Sent: Saturday, August 20, 2011 10:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Tproxy time

Hi,
I have a linux box which I installed Squid. I used steps from wiki links
(http://wiki.squid-cache.org/Features/Tproxy4) to compile kernel ,
iptables ,...
The box works normally on 3128 when I set a manual proxy on the client, but
in tproxy transparent mode I am getting a timeout on the client after some
minutes.
I am routing traffic from the client to this box and trying to catch it with
iptables (tproxy). I am seeing requests in the access log too.


http_port 3128
http_port 3129 tproxy

ip rule add fwmark 1 lookup 100
ip -f inet route add local 0.0.0.0/0 dev eth0 table 100
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

thanks for your help.




[squid-users] tproxy and "disable-pmtu-discovery=always"

2011-08-18 Thread Ritter, Nicholas
Back when I first setup TPROXY/SQUID, I was told to use
"disable-pmtu-discovery=always" after the http_port tproxy config entry
in squid.conf.


 Is "disable-pmtu-discovery=always" still needed?



RE: [squid-users] Re: squid tproxy problem

2011-08-18 Thread Ritter, Nicholas
I have had this problem. I have found that part of the problem is that when the 
iptables rules are entered at the CLI, they are not added in the correct order 
required for functioning.

I have also seen cases where the client web surfing keeps timing out, and 
either after timeout or after the client clicks the stop button, the access 
shows up in the access.log.

I find that I have to add the iptables rules via the cli, do a "service iptables 
save", then "vim /etc/sysconfig/iptables" and rearrange the rules.

-Original Message-
From: Benjamin [mailto:benjo11...@gmail.com] 
Sent: Thursday, August 18, 2011 2:11 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: squid tproxy problem


  On 08/18/2011 08:19 PM, Amos Jeffries wrote:
> On 19/08/11 01:43, Benjamin wrote:
>> Hi Amos,
>>
>> Thanks for your kind response.I am going to try with latest kernel 
>> 3.0.3 and update u with final status.
>>
>> kernel 3.0.3 is ok for tproxy with squid verion 3.1.10 ?
>>
>
> I have no information about it. But I expect so.
>
> Amos
Hi Amos,

I tried with kernel 2.6.38.8, but I face the same issue. When I see packets in the 
iptables tproxy rule, I cannot see any requests in access.log, and 
customers are not able to browse sites. When I swap the interfaces in the 
ebtables rules, browsing works from the customer side, but there are no packets in the 
tproxy rule and no requests in access.log.

I can't find where the mistake is.

Regards,
Benjamin
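
Worked example, added here by the editor and not code from any post in this thread: the Linux side of the setup the messages above describe, as one script. It combines the GRE interface from Horacio's steps in the first thread, the policy route and mangle rules quoted in the "Tproxy time" message, and a check for the rule-ordering problem Nick describes above (the "-m socket -j DIVERT" rule ending up behind the TPROXY rule after rules are entered at the CLI and saved). The router address 192.168.20.1, the Squid address 192.168.20.2, interface eth0, fwmark 1, routing table 100 and port 3129 are assumptions, not values from the posts.

```shell
#!/bin/sh
# Added example, not code from any post in this thread: the Linux side of a
# TPROXY/WCCP Squid box as one script, plus a check for the rule-order problem.
# Assumptions (mine, not the thread's): Squid runs `http_port 3129 tproxy`,
# the WCCP router is 192.168.20.1, this box is 192.168.20.2 on eth0, and
# fwmark 1 / routing table 100 are otherwise unused.

ROUTER_IP=192.168.20.1
SQUID_IP=192.168.20.2
NIC=eth0
TPROXY_PORT=3129
MARK=1
TABLE=100

# Pure check, usable on a saved rule file as well as on a live box. Input is
# the text of `iptables -t mangle -S PREROUTING`. Returns 0 when the
# '-m socket ... -j DIVERT' rule comes before the first '-j TPROXY' rule,
# 1 when either is missing or the order is reversed. The socket match must
# run first so that packets of connections Squid already owns (including the
# origin server's replies to the spoofed client address) get the mark, and
# with it the local route, before the TPROXY target is consulted.
tproxy_rule_order_ok() {
    rules="$1"
    divert_line=$(printf '%s\n' "$rules" | grep -n -e '-m socket' | grep -e '-j DIVERT' | head -n 1 | cut -d: -f1)
    tproxy_line=$(printf '%s\n' "$rules" | grep -n -e '-j TPROXY' | head -n 1 | cut -d: -f1)
    if [ -n "$divert_line" ] && [ -n "$tproxy_line" ] && [ "$divert_line" -lt "$tproxy_line" ]; then
        return 0
    fi
    return 1
}

# GRE interface for the WCCP redirect, as in Horacio's steps but with the
# router given as the remote end. Reverse-path filtering is switched off on
# it: the decapsulated packets carry client source addresses that are not
# reachable via the tunnel, and strict rp_filter would discard them. The
# kernel applies the stricter of conf/all and conf/wccp0, so check "all" too.
setup_gre() {
    modprobe ip_gre
    ip link show wccp0 >/dev/null 2>&1 ||
        ip tunnel add wccp0 mode gre remote "$ROUTER_IP" local "$SQUID_IP" dev "$NIC"
    ip addr add "$SQUID_IP/32" dev wccp0 2>/dev/null || true
    ip link set wccp0 up
    echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
}

# Policy route and mangle rules. Our two PREROUTING rules are deleted and
# re-appended in the required order, so re-running this repairs a bad order
# (for example after hand-editing /etc/sysconfig/iptables) instead of adding
# duplicates further down the chain.
install_tproxy_rules() {
    ip rule show | grep -q "fwmark 0x$MARK lookup $TABLE" ||
        ip rule add fwmark "$MARK" lookup "$TABLE"
    ip route show table "$TABLE" | grep -q '^local default' ||
        ip route add local 0.0.0.0/0 dev lo table "$TABLE"

    iptables -t mangle -N DIVERT 2>/dev/null || true
    iptables -t mangle -F DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    iptables -t mangle -A DIVERT -j ACCEPT

    while iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT 2>/dev/null; do :; done
    while iptables -t mangle -D PREROUTING -p tcp --dport 80 -j TPROXY \
            --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT" 2>/dev/null; do :; done
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"

    if tproxy_rule_order_ok "$(iptables -t mangle -S PREROUTING)"; then
        echo "TPROXY rules installed, DIVERT precedes TPROXY"
    else
        echo "rule order is still wrong; inspect: iptables -t mangle -S PREROUTING" >&2
        return 1
    fi
}

# Nothing runs unless asked, so the file can be sourced for the check alone.
case "${1:-}" in
    install) setup_gre && install_tproxy_rules ;;
    check)   tproxy_rule_order_ok "$(iptables -t mangle -S PREROUTING)" &&
                 echo "DIVERT precedes TPROXY: ok" ;;
esac
```

Saved as, say, tproxy-rules.sh, `sh tproxy-rules.sh install` is run as root once networking is up, and `sh tproxy-rules.sh check` only reads the chain and reports whether the DIVERT rule still precedes the TPROXY rule, which is the order a rearranged /etc/sysconfig/iptables must also preserve. The check function takes the rule listing as a string, so it can be run over the saved file before the box is rebooted.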



RE: [squid-users] Re: squid tproxy problem

2011-08-18 Thread Ritter, Nicholas
I have one CentOS v6 box running the CentOS v6 supplied 2.6.32-71.29.1.el6 
kernel, and iptables-1.4.7-3.el6. I am using a recompiled squid-3 rpm that I 
popped 3.1.14 into and the combination seems to be working fine.

I am also testing a CentOS v6 install with the kernel source rpm from RHEL 6 
(kernel-2.6.32-131.6.1.el6), iptables source rpm from RHEL6 (iptables-1.4.7-4), 
and the squid 3.1.14 rpm I made. I am testing this because there were TPROXY 
fixes made in an upstream kernel release that RedHat back-patched.

The only issue I have run into thus far is a higher than normal occurrence of 
TCP_MISS/502 errors in squid. I am not sure if the error is in 
squid/tproxy/kernel or on the network, but I suspect it is on my network.

Nick


-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Thursday, August 18, 2011 9:49 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Re: squid tproxy problem

On 19/08/11 01:43, Benjamin wrote:
> Hi Amos,
>
> Thanks for your kind response.I am going to try with latest kernel 
> 3.0.3 and update u with final status.
>
> kernel 3.0.3 is ok for tproxy with squid verion 3.1.10 ?
>

I have no information about it. But I expect so.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.10



RE: [squid-users] squid tproxy

2011-08-08 Thread Ritter, Nicholas
I'm here...can send you the steps if you like. I am troubleshooting some 
performance issues with it though.

Nicholas


-Original Message-
From: Benjamin [mailto:benjo11...@gmail.com] 
Sent: Monday, August 08, 2011 12:45 AM
To: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: Re: [squid-users] squid tproxy


  Hi,

Can we have contact information of Mr. Ritter for new config of squid tproxy 
with centos 6.

Regards,
Benajo



RE: [squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and 206 codes

2011-07-22 Thread Ritter, Nicholas
I should add one important point. When the error occurs, it is most
often not affecting the entire site nor transaction. This is to say that
I can visit a site, get content, and then at some point fill out a form
on the site, which then generates the 502. I don't want anyone to assume
that the 502 is being generated because of an obvious path connectivity
error where the site being surfed was down all along.

I should also note that I am not running any unique refresh patterns in
the squid.conf.

-Original Message-
From: Ritter, Nicholas [mailto:nicholas.rit...@americantv.com] 
Sent: Friday, July 22, 2011 11:16 AM
To: squid-users@squid-cache.org
Subject: [squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and
206 codes

I am doing extended testing of a CentOS v6 TPROXY/SQUID3/WCCP setup and
I am noticing higher than usual TCP_MISS/502 codes. I am also seeing some
206 codes, but it is the 502s that are much higher than normal. I think
it is transport related inside the TPROXY/SQUID side of things but I am
not sure.

I am seeing the 502 codes on both gets and posts. Can anyone provide
more insight on this condition and what/where I should start
troubleshooting?

I am running the stock CentOS v6 kernel (2.6.32-71.29.1) and Squid
3.1.10 as packaged by RHEL 6 (specifically a RHEL 6 rebuilt source rpm of
squid-3.1.10-1.el6).

Should I update to the more recent release of squid 3.1 as a starting
point?

Nick




[squid-users] squid 3.1 (w/ TPROXY/WCCP) and increased 502 and 206 codes

2011-07-22 Thread Ritter, Nicholas
I am doing extended testing of a CentOS v6 TPROXY/SQUID3/WCCP setup and
I am noticing higher than usual TCP_MISS/502 codes. I am also seeing some
206 codes, but it is the 502s that are much higher than normal. I think
it is transport related inside the TPROXY/SQUID side of things but I am
not sure.

I am seeing the 502 codes on both gets and posts. Can anyone provide
more insight on this condition and what/where I should start
troubleshooting?

I am running the stock CentOS v6 kernel (2.6.32-71.29.1) and Squid
3.1.10 as packaged by RHEL 6 (specifically a RHEL 6 rebuilt source rpm of
squid-3.1.10-1.el6).

Should I update to the more recent release of squid 3.1 as a starting
point?

Nick



RE: [squid-users] Squid3 on CentOS 6 and tproxy [FIXED]

2011-07-13 Thread Ritter, Nicholas
I updated with the squid-3.1.10 rpm, using rpmbuild to rebuild it... I figured 
the squid 3.1.4 that came with cent6 was old enough to be asking for trouble.

The 3.1.10 RPM built fine, installed fine, but gave the same error on startup, 
but only when attempting a startup using the init script supplied by the RPM 
file. Doing a "service squid start" would always give the error:

2011/07/13 22:32:23| FATAL: http(s)_port: TPROXY support in the system does not 
work.
FATAL: Bungled squid.conf line 66: http_port 3129 tproxy
Squid Cache (Version 3.1.10): Terminated abnormally.
CPU Usage: 0.008 seconds = 0.006 user + 0.002 sys
Maximum Resident Size: 21984 KB
Page faults with physical i/o: 0
2011/07/13 22:34:38| WARNING cache_mem is larger than total disk cache space!

(This is assuming one has http_port 3129 tproxy in /etc/squid/squid.conf)

When I started the squid process as root manually, I didn't get an error.

So I then issued the following on the root command line:

setsebool squid_connect_any=1
setsebool squid_use_tproxy=1

Note: using "=any" as noted on the squid wiki gave an illegal Boolean error 
from setsebool.

After doing this, I can now do "service squid start" and it doesn't error. 
Squid is now starting and it is registering with the router via WCCP.

Tomorrow I will test tproxy/squid operation with clients and see how things go. 
Assuming everything works, I will have a fairly easy centos v6 
Squid/TPROXY/WCCP howto to share.

CentOS 6 has been pretty stable in testing both in the beta and the release.

Nicholas



-Original Message-
From: Amos Jeffries [mailto:squ...@treenet.co.nz] 
Sent: Wednesday, July 13, 2011 6:28 PM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid3 on CentOS 6 and tproxy


 On Wed, 13 Jul 2011 15:54:54 -0500, Ritter, Nicholas wrote:
> In testing CentOS 6 and Squid v3.1 (as it comes with CentOS 6) I get 
> the error on squid startup:
>
> 2011/07/13 15:36:45| Processing Configuration File:
> /etc/squid/squid.conf (depth 0)
> 2011/07/13 15:36:45| Starting IP Spoofing on port [::]:3129
> 2011/07/13 15:36:45| Disabling Authentication on port [::]:3129 (IP 
> spoofing enabled)
> 2011/07/13 15:36:45| FATAL: http(s)_port: TPROXY support in the system 
> does not work.
>
> I think this may be related to capability checking based on a 
> squid-users thread I read  which was dated 2/2/2010.
>
> Before I go and download and build a squid-3.1.14 rpm for CentOS 6, 
> can someone comment on this issue, and any fixes, etc.?
>
> I am working on a an updated CentOS 6 with squid, TPROXY, and WCCP 
> setup howto.
>
> Thanks,
>
> Nicholas

If your version was from before the TPROXY probing was added, then an upgrade 
is definitely useful. If only to know what is broken. Probing added debug 
level 3,3 log entries about the capabilities and build now tests some library 
version requirements.


 Amos




[squid-users] Squid3 on CentOS 6 and tproxy

2011-07-13 Thread Ritter, Nicholas
In testing CentOS 6 and Squid v3.1 (as it comes with CentOS 6) I get the
error on squid startup:

2011/07/13 15:36:45| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2011/07/13 15:36:45| Starting IP Spoofing on port [::]:3129
2011/07/13 15:36:45| Disabling Authentication on port [::]:3129 (IP
spoofing enabled)
2011/07/13 15:36:45| FATAL: http(s)_port: TPROXY support in the system
does not work.

I think this may be related to capability checking based on a
squid-users thread I read which was dated 2/2/2010.

Before I go and download and build a squid-3.1.14 rpm for CentOS 6, can
someone comment on this issue, and any fixes, etc.?

I am working on a an updated CentOS 6 with squid, TPROXY, and WCCP setup
howto.

Thanks,

Nicholas


RE: [squid-users] CentOS/Squid/Tproxy but no transfer

2009-07-10 Thread Ritter, Nicholas
Behnam-

The router is either not seeing the WCCP registration from the squid
box, or the squid box is not seeing the ack from the router. Tom's
suggestion of "debug ip wccp" is a good start.

The IOS version makes a huge difference. Between revisions of IOS, WCCP
works and/or breaks, so it is something you have to play with to know
which IOS works. The specific 12.4 releases I have used work...but on a
26xx series router you may not have enough flash and/or RAM for 12.4.

Nick


RE: [squid-users] Problems with WCCP

2009-07-09 Thread Ritter, Nicholas
Your "cache" access-list is not correct, I'm guessing. The ACL should be used 
only for things that you want to deny redirection, and should end with a 
"permit any any".

Normally ACLs are implemented in the opposite fashion.


Nick


-Original Message-
From: Humberto Rodríguez [mailto:humbe...@ceniai.inf.cu] 
Sent: Thursday, July 09, 2009 12:06 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Problems with WCCP 


 
Hello:

I have SQUID 2.6.STABLE3 with wccp and a Cisco 3745 router with IOS Version
12.3(8)T8. I can see packets between the router and the squid server, I
can browse the Internet through port 3128, but I can't browse the Internet through
the wccp protocol.
The router always show me what following:

Global WCCP information:
Router information:
Router Identifier:   x.x.x.129
Protocol Version:1.0

Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:4696
Redirect access-list:cache
Total Packets Denied Redirect:   53336
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
3745-HLG#sh ip wccp web-cache de
3745-HLG#sh ip wccp web-cache detail 
WCCP Cache-Engine information:
Web Cache ID:  0.0.0.0
Protocol Version:  0.4
State: Usable
Initial Hash Info: 
   
Assigned Hash Info:
   
Hash Allotment:256 (100.00%)
Packets Redirected:0
Connect Time:  00:11:01
  
3745-HLG#sh ip wccp web-cache view 
WCCP Routers Informed of:
-none-

WCCP Cache Engines Visible:
x.x.x.199

WCCP Cache Engines NOT Visible:
-none-


 





RE: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

2009-07-07 Thread Ritter, Nicholas
Bridging is a completely different beast...I have not done a bridging
solution, so I can't help as much...with bridging I think you don't use
iptables, but the bridging netfilter tables. That is probably the issue.


-Original Message-
From: johan firdianto [mailto:johanfi...@gmail.com] 
Sent: Tuesday, July 07, 2009 1:50 AM
To: Ritter, Nicholas
Cc: Adrian Chadd; Alexandre DeAraujo; squid-users
Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency
steps.

Hi Nick,

I already tried your example above, with the exception that I'm using a bridge
with 2 ethernets, not wccp.
But I don't see anything in access_log when I try to browse some
sites.
I still could open the sites, though.

2009/07/07 21:44:17| Reconfiguring Squid Cache (version 3.1.0.9)...
2009/07/07 21:44:17| FD 10 Closing HTTP connection
2009/07/07 21:44:17| FD 13 Closing HTTP connection
2009/07/07 21:44:17| Processing Configuration File:
/usr/local/squid/etc/squid.conf (depth 0)
2009/07/07 21:44:17| Starting IP Spoofing on port [::]:3129
2009/07/07 21:44:17| Disabling Authentication on port [::]:3129 (Ip
spoofing enabled)
2009/07/07 21:44:17| Disabling IPv6 on port [::]:3129 (interception
enabled)
2009/07/07 21:44:17| Initializing https proxy context
2009/07/07 21:44:17| DNS Socket created at [::], FD 10
2009/07/07 21:44:17| Adding domain edgestream.com from /etc/resolv.conf
2009/07/07 21:44:17| Adding nameserver 202.169.224.44 from
/etc/resolv.conf
2009/07/07 21:44:17| Accepting  HTTP connections at [::]:3128, FD 11.
2009/07/07 21:44:17| Accepting  spoofing HTTP connections at
0.0.0.0:3129, FD 13.
2009/07/07 21:44:17| HTCP Disabled.
2009/07/07 21:44:17| Loaded Icons.
2009/07/07 21:44:17| Ready to serve requests.

iptables -t mangle -L -xvn
Chain PREROUTING (policy ACCEPT 9535 packets, 4088554 bytes)
pkts  bytes target prot opt in out source
 destination
7326   946003 DIVERT tcp  --  *  *   0.0.0.0/0
   0.0.0.0/0   socket
3661   949270 TPROXY tcp  --  *  *   0.0.0.0/0
   0.0.0.0/0   tcp dpt:80 TPROXY redirect 192.168.1.205:3129
mark 0x1/0x1

Chain INPUT (policy ACCEPT 10693 packets, 1269475 bytes)
pkts  bytes target prot opt in out source
 destination

Chain FORWARD (policy ACCEPT 13049 packets, 5011079 bytes)
pkts  bytes target prot opt in out source
 destination

Chain OUTPUT (policy ACCEPT 6481 packets, 2011014 bytes)
pkts  bytes target prot opt in out source
 destination

Chain POSTROUTING (policy ACCEPT 19530 packets, 7022093 bytes)
pkts  bytes target prot opt in out source
 destination

Chain DIVERT (1 references)
pkts  bytes target prot opt in out source
 destination
7326   946003 MARK   all  --  *  *   0.0.0.0/0
   0.0.0.0/0   MARK xset 0x1/0x
7326   946003 ACCEPT all  --  *  *   0.0.0.0/0
   0.0.0.0/0

ip rule
0:  from all lookup 255
32764:  from all fwmark 0x1 lookup tproxy
32765:  from all fwmark 0x1 lookup tproxy
32766:  from all lookup main
32767:  from all lookup default

ip route show table 100
local default dev lo  scope host





On Thu, Jul 2, 2009 at 11:31 AM, Ritter,
Nicholas wrote:
> I have not finished updating the wiki article for the CentOS example,
BTW.
>
> I will do this by tomorrow or possibly tonight yet.
>
> Nick
>
>
> -Original Message-
> From: adrian.ch...@gmail.com [mailto:adrian.ch...@gmail.com] On Behalf
Of Adrian Chadd
> Sent: Wednesday, July 01, 2009 11:10 PM
> To: Alexandre DeAraujo
> Cc: Ritter, Nicholas; squid-users
> Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency
steps.
>
> This won't work. You're only redirecting half of the traffic flow with
> the wccp web-cache service group. The tproxy code is probably
> correctly trying to originate packets -from- the client IP address to
> the upstream server but because you're only redirecting half of the
> packets (ie, packets from original client to upstream, and not also
> the packets from the upstream to the client <- and this is the flow
> that needs to be hijacked!) things will "hang".
>
> You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
> setup. There are two service groups configured - 80 and 90 - which
> redirect client -> server and server->client respectively. They have
> the right bits set in the service group definitions to redirect the
> traffic correctly.
>
> The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
> find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
> then combine that with the TPROXY4 rules. That is fine for me (I know
> a thing or two about this) but it should all be made much, much
> clearer for people trying to set this up.
>
> As I sug

RE: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

2009-07-01 Thread Ritter, Nicholas
I have not finished updating the wiki article for the CentOS example, BTW.

I will do this by tomorrow or possibly tonight yet.

Nick


-Original Message-
From: adrian.ch...@gmail.com [mailto:adrian.ch...@gmail.com] On Behalf Of 
Adrian Chadd
Sent: Wednesday, July 01, 2009 11:10 PM
To: Alexandre DeAraujo
Cc: Ritter, Nicholas; squid-users
Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

This won't work. You're only redirecting half of the traffic flow with
the wccp web-cache service group. The tproxy code is probably
correctly trying to originate packets -from- the client IP address to
the upstream server but because you're only redirecting half of the
packets (ie, packets from original client to upstream, and not also
the packets from the upstream to the client <- and this is the flow
that needs to be hijacked!) things will "hang".

You need to read the TPROXY2 examples and look at the Cisco/Squid WCCP
setup. There are two service groups configured - 80 and 90 - which
redirect client -> server and server->client respectively. They have
the right bits set in the service group definitions to redirect the
traffic correctly.

The WCCPv2/TPROXY4 pages are hilariously unclear. I ended up having to
find the TPROXY2 pages to extract the "right" WCCPv2 setup to use,
then combine that with the TPROXY4 rules. That is fine for me (I know
a thing or two about this) but it should all be made much, much
clearer for people trying to set this up.

As I suggested earlier, you may wish to consider fleshing out an
interception section in the Wiki complete with explanations about how
all of the various parts of the puzzle hold together.

2c,


adrian

2009/7/2 Alexandre DeAraujo :
> I am giving this one more try, but have been unsuccessful. Any help is always 
> greatly appreciated.
>
> Here is the setup:
> Router:
> Cisco 7200 IOS 12.4(25)
> ip wccp web-cache redirect-list 11
> access-list 11 permits only selective ip addresses to use wccp
>
> Wan interface (Serial)
> ip wccp web-cache redirect out
>
> Global WCCP information:
> Router information:
> Router Identifier:                      192.168.20.1
> Protocol Version:                       2.0
>
> Service Identifier: web-cache
> Number of Service Group Clients:        1
> Number of Service Group Routers:        1
> Total Packets s/w Redirected:   8797
> Process:                                4723
> Fast:                                   0
> CEF:                                    4074
> Redirect access-list:                   11
> Total Packets Denied Redirect:  124925546
> Total Packets Unassigned:               924514
> Group access-list:                      -none-
> Total Messages Denied to Group: 0
> Total Authentication failures:          0
> Total Bypassed Packets Received:        0
>
> WCCP Client information:
> WCCP Client ID: 192.168.20.2
> Protocol Version:       2.0
> State:                  Usable
> Initial Hash Info:      
>                        
> Assigned Hash Info:     
>                        
> Hash Allotment: 256 (100.00%)
> Packets s/w Redirected: 306
> Connect Time:           00:21:33
> Bypassed Packets
> Process:                0
> Fast:                   0
> CEF:                    0
> Errors:                 0
>
> Clients are on FEthernet0/1
> Squid server is the only device on FEthernet0/3
> 
> Squid Server:
> eth0      Link encap:Ethernet  HWaddr 00:14:22:21:A1:7D
>          inet addr:192.168.20.2  Bcast:192.168.20.7  Mask:255.255.255.248
>          inet6 addr: fe80::214:22ff:fe21:a17d/64 Scope:Link
>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>          RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:2606 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:1000
>          RX bytes:335149 (327.2 KiB)  TX bytes:394943 (385.6 KiB)
>
> gre0      Link encap:UNSPEC  HWaddr 
> 00-00-00-00-CB-BF-F4-FF-00-00-00-00-00-00-00-00
>          inet addr:192.168.20.2  Mask:255.255.255.248
>          UP RUNNING NOARP  MTU:1476  Metric:1
>          RX packets:400 errors:0 dropped:0 overruns:0 frame:0
>          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>          collisions:0 txqueuelen:0
>          RX bytes:31760 (31.0 KiB)  TX bytes:0 (0.0 b)
> 
> /etc/rc.d/rc.local file:
> ip rule add fwmark 1 lookup 100
> ip route add local 0.0.0.0/0 dev lo table 100
> modprobe ip_gre
> ifconfig gre0 192.168.20.2 netmask 255.
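
Added example, the editor's and not part of Adrian's or Alexandre's messages: the two-service-group WCCPv2 configuration Adrian refers to, written against the addresses and interfaces in Alexandre's post (router 192.168.20.1, Squid at 192.168.20.2 on FastEthernet0/3, clients on FastEthernet0/1, WAN on a serial interface; the interface names beyond those are assumptions). The service numbers 80 and 90 and the wccp2_service_info flags follow the Squid wiki's TPROXY/WCCPv2 example as I remember it; treat the flag values as an assumption to check against the wiki and the wccp2_service_info documentation for your Squid version.

```text
! ---- Cisco IOS side (router 192.168.20.1) ----
! Service group 80 catches client -> server packets on the client-facing
! interface; group 90 catches server -> client packets on the WAN interface.
! Both are needed with TPROXY: Squid sends to the origin with the client's
! address, so the origin's replies must also be pulled into Squid. The
! web-cache service alone (or "redirect out" on the WAN side) only covers
! the client -> server direction, which is the "hang" Adrian describes.
ip wccp version 2
ip wccp 80
ip wccp 90
!
interface FastEthernet0/1
 description clients
 ip wccp 80 redirect in
!
interface Serial0/0
 description WAN / upstream
 ip wccp 90 redirect in
!
interface FastEthernet0/3
 description squid 192.168.20.2 (never re-redirect squid's own traffic)
 ip wccp redirect exclude in

# ---- squid.conf side ----
http_port 3129 tproxy
wccp2_router 192.168.20.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service dynamic 80
wccp2_service dynamic 90
# 80: hash on the client (source) address, destination port 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
# 90: the reverse flow, hash on the client (now destination) address,
#     source port 80
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
```

With both groups registered, `show ip wccp 80 detail` and `show ip wccp 90 detail` on the router should each show the Squid box as Usable with a hash allotment, and packets redirected on both; a zero count on group 90 means the return traffic is still going straight back to the clients.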

RE: [squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

2009-06-29 Thread Ritter, Nicholas
Amos did this already... although the wiki article needs some
corrections because Amos merged the older with the newer. I need to get
that information to him. The steps, if followed in the wiki article, may
not work quite right.

Nick


-Original Message-
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net] 
Sent: Monday, June 29, 2009 4:01 PM
To: Ritter, Nicholas
Cc: squid-users
Subject: Re: [squid-users] Updated CentOS/Squid/Tproxy Transparency
steps.

Would be great if you could dump this in a wiki article to make it
easier to find (and update if needed).


Regards
Henrik

tor 2009-06-25 klockan 12:30 -0500 skrev Ritter, Nicholas:
> Some assumptions:
> 
> 1) You are using a Cisco Router to redirect traffic to the squid box via
> WCCP
> 
> 2) 12.4(15)T8 or higher IOS on the router
> 
> 3) In my setups, the squid box is always Layer 2 adjacent to the Cisco
> router, either through a dedicated interface, or a sub-interface.
> 
> 4) The ability to compile and install a Linux kernel. Please note that
> in these steps, I am NOT using a redhat kernel, nor am I using the
> RedHat method of building a kernel.
> 
> 5) Some steps outlined here can be achieved through several different
> means, follow the steps exactly before emailing me or the list, as I
> have tested other methods, and they don't always work (case in point:
> GRE tunnel interface creation.)
> 
> 6) This setup assumes a separate WCCP service group for each direction
> of the HTTP connection, this is not needed, but makes the setup more
> scalable. If you choose to do it a different way, then YMMV. 
> 
> In the kernel build specific steps, I actually include possibly too much
> information, as well as tell you to enable things that are not always
> needed for TPROXY related functionality, or never related to TPROXY
> functionality. I included them because they fit more environments, and
> thus less time wasted by people asking me questions, not that I mind but
> I don't have enough time to answer all the emails I get. I tried to
> prepare this information without errors, if the steps don't work,
> email me with the details of where you had problems so that I can adjust
> the steps below. At the end of the steps below are some common things to
> watch for in the steps that can cause the setup not to work.
> 
> 
> Steps
> 
> 1) Install CentOS 5.3, make sure you install nothing other than the base
> packages, and trim even those down. I tend to install specific packages
> from the distro later.
> 
> Note: I suggest that you make separate partition(s) for where squid will
> actually store its caches. Later mount these partitions with specific
> options (like "noatime") that will help increase performance.
> 
> 2) In the initial ncurses-based setup screen, turn off services that you
> don't need, and turn off selinux completely.
> 
> 3) After install and initial bootup and configuration, run "yum update"
> to update the system for fixes, etc. Then reboot.
> 
> 4) After step 2, issue this yum command:
> 
> yum install libcap libcap-devel gcc gcc-c++ bison flex yacc autoconf
> automake ncurses ncurses-devel rpm-devel libpcap tcpdump
> 
> Note: let it install other dependency packages. The command above
> installs compilers, utilities, etc.
> 
> 
> 5) Download iptables-1.4.3.2 from netfilter.org
> 
> 6) Download kernel 2.6.30 from kernel.org
> 
> 7) Download squid-3.1.0.8 from squid.org
> 
> 8) Decompress the kernel source, I decompress it to /usr/src/, although
> I have read all over the place that this is a bad thing to do. The
> location really does not have to be /usr/src/
> 
> 9) Go into the kernel source directory, issue the following command:
> cp /boot/config-2.6.18-128.1.14.el5 ./RH-config-boxed.config
> 
> 10) Issue this command: make menuconfig
> 
> 11) When the ncurses-based kernel config screen loads, select the "Load
> an Alternate Configuration File" and type in the full path to the
> RH-config-boxed.config. This will load the current kernel config, and
> there may be some errors, all of which can be ignored.
> 
> 
> 12) Configure the kernel as you normally would, but be sure to enable
> the following:
> 
> In "Networking support -> Networking options"
> 
> Enable (not as modules):
> Packet socket
> Packet socket: mmapped IO
> TCP/IP networking
> IP: advanced router
> IP: policy routing
> 
> Enable (as modules):
> IP: tunneling
> 
> Enable (not as modules):
> IP: GRE tunnels over IP
> IP: broadcast GRE over IP
> Network packet filtering framework (Netfilter)
> 
> 
> In "Networking support -> Networking options -> Network packet
filtering
> framewo

[squid-users] Updated CentOS/Squid/Tproxy Transparency steps.

2009-06-25 Thread Ritter, Nicholas
Some assumptions:

1) You are using a Cisco Router to redirect traffic to the squid box via
WCCP

2) 12.4(15)T8 or higher IOS on the router

3) In my setups, the squid box is always Layer 2 adjacent to the Cisco
router, either through a dedicated interface, or a sub-interface.

4) The ability to compile and install a Linux kernel. Please note that
in these steps, I am NOT using a redhat kernel, nor am I using the
RedHat method of building a kernel.

5) Some steps outlined here can be achieved through several different
means, follow the steps exactly before emailing me or the list, as I
have tested other methods, and they don't always work (case in point:
GRE tunnel interface creation.)

6) This setup assumes a separate WCCP service group for each direction
of the HTTP connection, this is not needed, but makes the setup more
scalable. If you choose to do it a different way, then YMMV. 

In the kernel build specific steps, I actually include possibly too much
information, as well as tell you to enable things that are not always
needed for TPROXY related functionality, or never related to TPROXY
functionality. I included them because they fit more environments, and
thus less time wasted by people asking me questions, not that I mind but
I don't have enough time to answer all the emails I get. I tried to
prepare this information without errors, if the steps don't work,
email me with the details of where you had problems so that I can adjust
the steps below. At the end of the steps below are some common things to
watch for in the steps that can cause the setup not to work.


Steps

1) Install CentOS 5.3, make sure you install nothing other than the base
packages, and trim even those down. I tend to install specific packages
from the distro later. 

Note: I suggest that you make separate partition(s) for where squid will
actually store its caches. Later mount these partitions with specific
options (like "noatime") that will help increase performance.

2) In the initial ncurses-based setup screen, turn off services that you
don't need, and turn off selinux completely.

3) After install and initial bootup and configuration, run "yum update"
to update the system for fixes, etc. Then reboot.

4) After step 2, issue this yum command:

yum install libcap libcap-devel gcc gcc-c++ bison flex yacc autoconf
automake ncurses ncurses-devel rpm-devel libpcap tcpdump

Note: let it install other dependency packages. The command above
installs compilers, utilities, etc.


5) Download iptables-1.4.3.2 from netfilter.org

6) Download kernel 2.6.30 from kernel.org

7) Download squid-3.1.0.8 from squid.org

8) Decompress the kernel source, I decompress it to /usr/src/, although
I have read all over the place that this is a bad thing to do. The
location really does not have to be /usr/src/

9) Go into the kernel source directory, issue the following command:
cp /boot/config-2.6.18-128.1.14.el5 ./RH-config-boxed.config

10) Issue this command: make menuconfig

11) When the ncurses-based kernel config screen loads, select the "Load
an Alternate Configuration File" and type in the full path to the
RH-config-boxed.config. This will load the current kernel config, and
there may be some errors, all of which can be ignored.


12) Configure the kernel as you normally would, but be sure to enable
the following:

In "Networking support -> Networking options"

Enable (not as modules):
Packet socket
Packet socket: mmapped IO
TCP/IP networking
IP: advanced router
IP: policy routing

Enable (as modules):
IP: tunneling

Enable (not as modules):
IP: GRE tunnels over IP
IP: broadcast GRE over IP
Network packet filtering framework (Netfilter)


In "Networking support -> Networking options -> Network packet filtering
framework (Netfilter)"

Enable (not as modules):
Advanced netfilter configuration


In "Networking support -> Networking options -> Network packet filtering
framework (Netfilter) -> Core Netfilter Configuration"

Enable (as modules):
Netfilter connection tracking support

Enable (not as modules):
Connection tracking security mark support
Connection tracking events

Enable (as modules):
Connection tracking netlink interface
Transparent proxying support (EXPERIMENTAL)
Netfilter Xtables support (required for ip_tables)
"CONNMARK" target support
"MARK" target support 
"TPROXY" target support (EXPERIMENTAL)
"connmark" connection mark match support
"conntrack" connection tracking match support
"mark" match support
"socket" match support (EXPERIMENTAL)
"state" match support


In "Networking support -> Networking options -> Network packet filtering
framework (Netfilter) -> IP: Netfilter Configuration"

Enable (as modules):
IPv4 connection tracking support (required for NAT)
IP tables support (required for filtering/masq/NAT)
Full NAT
MASQUERADE target support
REDIRECT target support
Packet mangling


13) After setting the above options, and any other items you want, exit
out of the kernel config, saving your changes. It will save the kernel
com
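An added check for the kernel options in step 12 (example code written for this page, not part of Nick's steps): it reads a .config and reports every entry that is missing or built the wrong way. The mapping from menu entries to CONFIG_ symbols is my own for a 2.6.30-era tree, so confirm it against menuconfig's help text if an entry has moved; the sample .config is constructed.

```python
import re
import sys

# Menuconfig entries from step 12, mapped to their Kconfig symbols. The mapping
# is my own (2.6.30-era tree); check menuconfig's help text if an entry moved.
# BUILT_IN must be "=y"; for MODULE_OK either "=m" or "=y" satisfies the step.
BUILT_IN = (
    "CONFIG_PACKET", "CONFIG_PACKET_MMAP", "CONFIG_INET",
    "CONFIG_IP_ADVANCED_ROUTER", "CONFIG_IP_MULTIPLE_TABLES",
    "CONFIG_NET_IPGRE", "CONFIG_NET_IPGRE_BROADCAST", "CONFIG_NETFILTER",
    "CONFIG_NETFILTER_ADVANCED", "CONFIG_NF_CONNTRACK_SECMARK",
    "CONFIG_NF_CONNTRACK_EVENTS",
)
MODULE_OK = (
    "CONFIG_NET_IPIP", "CONFIG_NF_CONNTRACK", "CONFIG_NF_CT_NETLINK",
    "CONFIG_NETFILTER_TPROXY", "CONFIG_NETFILTER_XTABLES",
    "CONFIG_NETFILTER_XT_TARGET_CONNMARK", "CONFIG_NETFILTER_XT_TARGET_MARK",
    "CONFIG_NETFILTER_XT_TARGET_TPROXY", "CONFIG_NETFILTER_XT_MATCH_CONNMARK",
    "CONFIG_NETFILTER_XT_MATCH_CONNTRACK", "CONFIG_NETFILTER_XT_MATCH_MARK",
    "CONFIG_NETFILTER_XT_MATCH_SOCKET", "CONFIG_NETFILTER_XT_MATCH_STATE",
    "CONFIG_NF_CONNTRACK_IPV4", "CONFIG_IP_NF_IPTABLES", "CONFIG_NF_NAT",
    "CONFIG_IP_NF_TARGET_MASQUERADE", "CONFIG_IP_NF_TARGET_REDIRECT",
    "CONFIG_IP_NF_MANGLE",
)

NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map every symbol in a .config to 'y', 'm', 'n' or its literal value."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = NOT_SET.match(line)
        if m:
            values[m.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            sym, val = line.split("=", 1)
            values[sym] = val.strip('"')
    return values


def check_tproxy_config(text):
    """Return [(symbol, wanted, found)] for every entry that does not match
    the way step 12 says it should be built. Unknown symbols count as 'n'."""
    values = parse_kconfig(text)
    problems = []
    for sym in BUILT_IN:
        found = values.get(sym, "n")
        if found != "y":
            problems.append((sym, "y", found))
    for sym in MODULE_OK:
        found = values.get(sym, "n")
        if found not in ("y", "m"):
            problems.append((sym, "m", found))
    return problems


# Constructed .config fragment: everything correct except GRE built as a
# module (the steps want it built in) and the TPROXY target left out.
SAMPLE_CONFIG = "\n".join(
    [f"{sym}=y" for sym in BUILT_IN if sym != "CONFIG_NET_IPGRE"]
    + ["CONFIG_NET_IPGRE=m"]
    + [f"{sym}=m" for sym in MODULE_OK if sym != "CONFIG_NETFILTER_XT_TARGET_TPROXY"]
    + ["# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set"]
)


def main(path=None):
    """Check the .config at `path` (or the constructed sample) and return
    a shell-style exit status: 0 when nothing is missing."""
    text = open(path).read() if path else SAMPLE_CONFIG
    problems = check_tproxy_config(text)
    for sym, wanted, found in problems:
        how = "built in (=y)" if wanted == "y" else "=m or =y"
        print(f"{sym}: want {how}, found ={found}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as `python check_config.py /path/to/linux-2.6.30/.config` after saving from menuconfig; with no argument it checks the built-in sample.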

RE: [squid-users] TPROXY and wiki article working on CentOS 5.3

2009-06-23 Thread Ritter, Nicholas
I had two separate problems with the setup that were both due to the
ordering of rules in iptables. I am still testing one issue, which I
just recently solved, and was not a squid/tproxy problem. 

And I am considering the task and need of upgrading the other components
of iptables, such as conntrack-tools, etc.

I can post the exact steps I used.

Nick

-Original Message-
From: Alexandre DeAraujo [mailto:al...@cal.net] 
Sent: Tuesday, June 23, 2009 4:32 PM
To: 'Ritter, Nicholas'
Subject: RE: [squid-users] TPROXY and wiki article working on CentOS 5.3

Nicholas,

I have been trying the exact same setup for quite some time now and am
having nothing but troubles. If possible, could you give me
the link to the exact wiki you used? Do you also have any pointers as to
what I should watch out for? I really appreciate any
help/pointers you can give.

Thank you,

Alex DeAraujo



> -Original Message-
> From: Ritter, Nicholas [mailto:nicholas.rit...@americantv.com]
> Sent: Tuesday, June 23, 2009 2:21 PM
> To: squid-users
> Subject: [squid-users] TPROXY and wiki article working on CentOS 5.3
> 
> I just started a task to upgrade our CentOS v5-based squid3/tproxy
boxes
> utilizing the Wiki article that Amos wrote. Everything is working
great
> and it was actually far easier to setup than it used to be. Amos,
> Laszlo, and Krisztian...you are amazing, and I wish to offer my
sincere
> thanks to you guys for the work and talent that you give to the open
> source community.
> 
> I am using the following software pieces to accomplish a
WCCP-redirected
> TPROXY/transparent squid service in combination with Cisco routers:
> 
> CentOS 5.3 x86_64
> Squid 3.1.0.8
> Iptables 1.4.3.2
> Kernel 2.6.30
> 
> IOS Advanced Security 12.4(15)T8 on a 2811 (as the testbed router/ios
> combination)
> 
> 
> 
> Amos-
> 
> I can either create a new set of steps, this time more detailed and
> better tested, for TPROXY/SQUID on CentOS 5.3 to replace the current
one
> that has my name on it, and/or add some details to the article you
> wrote.
> 
> Nick




[squid-users] TPROXY and wiki article working on CentOS 5.3

2009-06-23 Thread Ritter, Nicholas
I just started a task to upgrade our CentOS v5-based squid3/tproxy boxes
utilizing the Wiki article that Amos wrote. Everything is working great
and it was actually far easier to setup than it used to be. Amos,
Laszlo, and Krisztian...you are amazing, and I wish to offer my sincere
thanks to you guys for the work and talent that you give to the open
source community.

I am using the following software pieces to accomplish a WCCP-redirected
TPROXY/transparent squid service in combination with Cisco routers:

CentOS 5.3 x86_64
Squid 3.1.0.8
Iptables 1.4.3.2
Kernel 2.6.30

IOS Advanced Security 12.4(15)T8 on a 2811 (as the testbed router/ios
combination)



Amos-

I can either create a new set of steps, this time more detailed and
better tested, for TPROXY/SQUID on CentOS 5.3 to replace the current one
that has my name on it, and/or add some details to the article you
wrote.

Nick


RE: [squid-users] FW: Re[2]: squid with tproxy

2009-06-08 Thread Ritter, Nicholas
No troubles...getting it working the first time is tricky...

Let's break it down and see if we can figure out where the problem is happening.

1) The acl for the wccp on the router should really be empty unless there are 
specific hosts (either destination web sites, or source clients) that should 
not go through the squid server. I do find it useful to have it there though 
because it will show a counter.

2) Do a "show ip wccp" on the router to see if the squid box has registered 
with the router as a usable server. In this output, you should see three main 
sections, referred to as service-identifiers: web-cache, 80, and 90. 

- The "Number of Service Group Clients:" should say 0 for web-cache
- The "Number of Service Group Clients:" should say 1 for Service Identifier: 80
- The "Number of Service Group Clients:" should say 1 for Service Identifier: 90
- The "Number of Service Group Routers:" should say 0 for web-cache
- The "Number of Service Group Routers:" should say 1 for Service Identifier: 80
- The "Number of Service Group Routers:" should say 1 for Service Identifier: 90

3) Look at the "Total Packets s/w redirected" for service identifier 80 and 90, 
look to see what the packet counts are.

4) Look at the "Total Packets Denied Redirect:" and "Total Packets Unassigned:".

5) Do you have CEF enabled (or are you using flow based switching)? ( sh run | 
include ip cef )

6) Another thing that is useful is to enable ip wccp events debugging in the 
router; this will allow here_i_am and I_see_you events to be seen. I have run 
into situations where the squid cache does not stay registered long enough to 
do anything useful.

7) If you are using a gre tunnel interface on the squid, do an ifconfig to see 
if "RX packets" for the gre interface is incrementing.

8) tail -f the squid access.log to see if the squid server is seeing access 
attempts, and just can't get the data back to the client, or can't fetch the 
content.


-Original Message-
From: 7441122 [mailto:7441...@gmail.com] 
Sent: Monday, June 08, 2009 11:03 AM
To: Ritter, Nicholas
Subject: Re: [squid-users] FW: Re[2]: squid with tproxy

Sorry, I found out the problem, I had not put  redirect on this
command.. ip wccp 80 (that's why all traffic was routed via the box)

But my problem is still the same, squid does not reroute traffic to the tproxy port.

I am sorry for all this trouble, but do you have a working example of
squid / iptables and kernel which works as tproxy? As the latest
versions do not, on 4.1, I want to try on old working versions. I tried
to follow http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS
but as the versions have changed I did not reach anywhere!

I am not sure if the iptables are doing the correct job here, or
something which I do not understand completely, as I tried on ubuntu
jaunty, centos 5.3, but all are giving me a hard time!

thanks for your time.



On Mon, Jun 8, 2009 at 6:47 PM, Ritter, Nicholas
 wrote:
> Don't reverse the ip wccp 80 and 90 statements. What is the output of the two 
> commands: "sh ip wccp" and "sh access-list 150" ?
>
> Nick
>
> -Original Message-
> From: 7441122 [mailto:7441...@gmail.com]
> Sent: Saturday, June 06, 2009 1:23 AM
> To: Ritter, Nicholas
> Subject: Re: [squid-users] FW: Re[2]: squid with tproxy
>
> Some progress, seems the initial wccp config I was doing was doing nothing,
>
> ip wccp web-cache redirect-list 150
> with the list of IPs I need to redirect
>
> and then on interface fast0/0
> ip wccp web-cache redirect in
>
> I was getting time out from squid, and no counters going.
>
> With this one, looks like something is happening, but the rules are not
> right for my setup, it's directing the traffic I do not want to be
> directed, the 196 IPs are getting via the squid box.
>
> Can I reverse them?
>
> ip wccp 80 redirect out
> ip wccp 90 redirect in
>
> ?
>
> many thanks.
>
>
>
>
> On Fri, Jun 5, 2009 at 10:23 PM, Ritter, Nicholas
>  wrote:
>> If traffic to/from 192.41.62.0 and 196.41.45.0 is traffic you don't want to 
>> be redirected/cached, the acl should look like this:
>>
>> access-list 150 deny ip 196.41.62.0 0.0.0.255 any
>> access-list 150 deny ip 196.41.45.0 0.0.0.255 any
>> access-list 150 permit ip any any
>>
>>
>>
>>
>> -Original Message-
>> From: 7441122 [mailto:7441...@gmail.com]
>> Sent: Friday, June 05, 2009 12:37 PM
>> To: Ritter, Nicholas
>> Subject: Re: [squid-users] FW: Re[2]: squid with tproxy
>>
>> Thank you for all the details.
>>
>>
>> My router has the following interfaces
>>
>> fa0/0 - local interface
>> fa0/1 - incoming traffic (
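An added helper for step 2 of the checklist above (example code, not from the thread): it parses "sh ip wccp" output into per-service-group fields and compares the Clients/Routers counts and the denied/unassigned counters with the values the checklist expects. The sample output is constructed to use the field names quoted above, so check it against your own router's formatting.

```python
import re

# Registration state the checklist expects when squid sits in two dynamic
# service groups (80 and 90) instead of the web-cache group:
# service id -> (Service Group Clients, Service Group Routers).
EXPECTED = {"web-cache": (0, 0), "80": (1, 1), "90": (1, 1)}

SECTION = re.compile(r"^\s*Service Identifier:\s*(\S+)")
FIELD = re.compile(r"^\s*([A-Za-z/ -]+?):\s*(\S+)\s*$")

# Constructed 'sh ip wccp' output for the demonstration: group 80 is healthy,
# group 90 has lost its registration (the squid box never joined it).
SAMPLE_SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.0.2.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w redirected:        0
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0

    Service Identifier: 80
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w redirected:        12345
        Redirect access-list:                150
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0

    Service Identifier: 90
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w redirected:        0
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
"""


def parse_show_ip_wccp(text):
    """Return {service id: {field: value}} for each service group section."""
    groups, current = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            groups[current] = {}
            continue
        m = FIELD.match(line)
        if m and current is not None:
            groups[current][m.group(1).strip()] = m.group(2)
    return groups


def _count(group, field):
    """Integer value of a counter field, or None when absent/non-numeric."""
    try:
        return int(group.get(field, ""))
    except ValueError:
        return None


def check_registration(groups, expected=EXPECTED):
    """List deviations from the expected registration state, plus any denied
    or unassigned packet counters that point at redirect-list or assignment
    problems (checklist steps 2 to 4)."""
    problems = []
    for svc, (want_clients, want_routers) in expected.items():
        group = groups.get(svc)
        if group is None:
            problems.append(f"service {svc}: not present in output")
            continue
        clients = _count(group, "Number of Service Group Clients")
        routers = _count(group, "Number of Service Group Routers")
        if clients != want_clients:
            problems.append(f"service {svc}: {clients} clients registered, expected {want_clients}")
        if routers != want_routers:
            problems.append(f"service {svc}: {routers} routers registered, expected {want_routers}")
        denied = _count(group, "Total Packets Denied Redirect") or 0
        unassigned = _count(group, "Total Packets Unassigned") or 0
        if denied or unassigned:
            problems.append(f"service {svc}: {denied} denied / {unassigned} unassigned "
                            "packets (check redirect-list and assignment)")
    return problems


if __name__ == "__main__":
    report = check_registration(parse_show_ip_wccp(SAMPLE_SHOW_IP_WCCP))
    for line in report or ["registration looks healthy"]:
        print(line)
```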

[squid-users] FW: Re[2]: squid with tproxy

2009-05-27 Thread Ritter, Nicholas



From: Ritter, Nicholas 
Sent: Wednesday, May 27, 2009 12:04 PM
To: 'Manish P. Govindji'
Subject: RE: Re[2]: squid with tproxy

I remember something important...if you are using a more recent version of 
TPROXY than what is stated in the squid wiki article...I think the method by 
which TPROXY is configured in iptables changed a bit to make it more to the 
liking of the netfilter and kernel developers in an effort to get the TPROXY 
code included into the netfilter and kernel release code.

My setup and the wiki article I wrote are from before these changes, and I have 
not worked with TPROXY since, so that could be the issue here. I have not 
downloaded the latest TPROXY code to be sure though. And I think I might have 
actually seen TPROXY as included in the most recent (i.e. 2.6.29) kernel as 
experimental.

I have been meaning to setup a new squid/tproxy system, and update the wiki 
article...just have not gotten to it yet. I suggest taking a look at the readme 
with the latest tproxy source code, or even looking at your kernel config to 
see which tproxy version is being used. If you do a dmesg command and look for 
the TProxy module loading, I think it tells you what version it is.

Nick


From: Manish P. Govindji [mailto:man...@mcc.co.tz] 
Sent: Wednesday, May 27, 2009 11:43 AM
To: Ritter, Nicholas
Cc: squid-users
Subject: Re[2]: squid with tproxy


Thanks a lot for the reply, I am already tired of pulling my hair out over this one.

Sorry, typo, it's 3128.

I do not have the file, /etc/sysconfig/iptables I use iptables in rc.local

#

#Increase Squid file Descriptors
ulimit -HSn 30720

#Start caches
/usr/sbin/squid

#Enable Forwarding
echo '1' > /proc/sys/net/ipv4/ip_forward

#disable rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

# defences
iptables -A FORWARD -p tcp --syn -m limit -j ACCEPT
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit

#Allow established sessions to continue
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT




I am using squid as gateway, all the pc are on public IP and Squid is also on 
public IP as Gateway PC. ( was working as transparent cache, but wanted to use 
the Tproxy )

Rgds,


-Original Message-----
From: "Ritter, Nicholas" 
To: "Manish govindji" 
Cc: "squid-users" 
Date: 27-05-2009 18:47
Subject: RE: squid with tproxy
Port 3128, or 1328? The default port is 3128, but is configurable.
 
 
Your rules are not right...you are marking, as you should, but not redirecting 
to the squid port. In addition to sending the output of the raw iptables 
command, send the contents of /etc/sysconfig/iptables.
 
I think the problem is partly in the rules setup. Are you using wccp as well, 
and/or a gre interface?
 
Also, make sure you have Full NAT enabled in the kernel. Looks like that is ok 
though.
 
 

From:Manish govindji [mailto:man...@mcc.co.tz] 
Sent: Wednesday, May 27, 2009 6:06 AM 
To: nicholas.rit...@americantv.com 
Subject: squid with tproxy
 
Hello Nicholas,
 
I have been trying to compile squid with tproxy but am failing, have searched 
all over google but nothing of help.
 
I have centos 5.3, installed custom kernel 2.6.28, and iptables 1.4.3, squid 3.1
 
In compiling the custom kernel, I copied the old config and added the below :-
 
NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXY
 
When I do iptables stat :-
 
[r...@gateway ~]# iptables -t mangle -L -v -n
Chain PREROUTING (policy ACCEPT 5768K packets, 1538M bytes)
 pkts bytes target prot opt in out source   
destination
 
Chain INPUT (policy ACCEPT 1494K packets, 892M bytes)
 pkts bytes target prot opt in out source   
destination
 
Chain FORWARD (policy ACCEPT 4234K packets, 638M bytes)
 pkts bytes target prot opt in out source   
destination
 
Chain OUTPUT (policy ACCEPT 2398K packets, 1027M bytes)
 pkts bytes target prot opt in out source   
destination
 
Chain POSTROUTING (policy ACCEPT 6632K packets, 1665M bytes)
 pkts bytes target prot opt in out source   
destination
 
Chain DIVERT (0 references)
 pkts bytes target prot opt in out source   
destination
    0     0 MARK  

RE: [squid-users] Continue:Tproxy with WCCP error configuration

2009-05-13 Thread Ritter, Nicholas
Be careful on terminology because the 2800 series router, at least to my
knowledge, is not a distributed routing platform in the Cisco sense of
things. A distributed routing platform would utilize dCEF not CEF and
2800 series routers use only CEF.

So I am assuming here that the 2800 router doing WCCP is behind the
firewall along with the squid box? The problem I often had with setting
up this type of setup was the following:

1) Make sure your IOS does not have any WCCP bugs. Cisco has an iffy
track record with WCCP-related bugs popping in and out of IOS revisions.
I have used Advanced Security IOS release 12.4-15T3 and Advanced
Security IOS release 12.4-15T8 without problems on 2811 routers with
Squid and TPROXY.

2) Be careful with how you setup the GRE Tunnel on the linux box. There
are at least two ways to do it where no errors are presented by
the commands on the linux box, the gre interface is up, but there is no
data.

3) Make sure to point the GRE interface to the IP listed in the router
"sh ip wccp " output. 

4) With transparent TPROXY, you only need one Ethernet interface.

5) The WCCP setup on the router should follow the squid FAQ article
where two different WCCP groups are used.

6) A wccp exclude statement should be used so that the traffic from the
squid box itself doesn't get redirected. I don't think this is your
problem, at least not yet, because your gre interface is showing no
data.

7) The "debug ip wccp" command on the router is useful because it will
show WCCP status messages between the squid box and the router.

Nick


-Original Message-
From: Engr.M.monzur Alam [mailto:mon...@citechco.net] 
Sent: Wednesday, May 13, 2009 4:56 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Continue:Tproxy with WCCP error configuration

Dear all,
I basically have a problem with the TPROXY configuration with WCCP. Another
one of my proxy servers is running well with a WCCP gre0 tunnel. My main
problem is that when any packet goes outside then of course it takes my proxy
server IP. Some of our clients use rapid share or the same kind of download
links randomly. Usually in the free license version this site doesn't
give permission more than three times to the same IP on a daily basis. So, in this
network scenario we need different IPs going out to the internet cloud.
For this reason we need the TPROXY configuration.

My distributed router status is:

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.3(14)T4, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
 
Could anybody give a suggestion as to the required network topology for TPROXY+
WCCP?

My physical connectivity structure is...
Internet cloud (un-trusted) to Cisco core router to Juniper firewall to
Distributed Cisco router to Core Cisco switch to TPROXY+ WCCP. 

Is this right??  
Another matter: currently I have two Ethernet cards, eth0 (WAN) & eth1 (LAN).

Which one should the virtual gre0 interface be connected to? eth0 or eth1??


Thanks
Engr.M.Monzur Alam
Network & System Admin
Grameen CyberNet Ltd.
Dhaka,Bangladesh




RE: [squid-users] CISCO + WCCP Stopping forward packets

2009-05-08 Thread Ritter, Nicholas
My experience has been, and my local cisco field engineers were the ones who 
told me this, that you should always use the T train of IOS releases.

-Original Message-
From: alexmontoane...@gmail.com [mailto:alexmontoane...@gmail.com] On Behalf Of 
Alex Montoanelli
Sent: Friday, May 08, 2009 8:29 AM
To: squid-users
Subject: Re: [squid-users] CISCO + WCCP Stopping forward packets

Hi all.

This problem appeared when I started to use more than one Squid to
register on wccp/cisco.

In the past, when I used just one Squid, this was not the case.

Browsing the Web site cisco, I found this on Cisco IOS Changelog:

http://www.cisco.com/en/US/docs/ios/12_4/release/notes/124MCAVS.html#wp280492
-
Resolved Caveats-Cisco IOS Release 12.4(21)
This section describes possibly unexpected behavior by Cisco IOS
Release 12.4(21). All the caveats listed in this section are resolved
in Cisco IOS Release 12.4(21).
*
CSCsm12247
Symptoms: A Cisco IOS router configured for WCCP may stop redirecting
traffic following a change in topology.
Conditions: The router must be configured for WCCP redirection using
the hash assignment method. When there is only a single appliance in
the service group, the loss of hash assignment details is permanent.
However with multiple appliances in the group, the loss of assignment
information is transitory; the router soon recovers.
Workaround: To recover the assignment details, the WCCP configuration
needs to be removed and re-added to the router. Use the no ip wccp
service command followed by ip wccp service args command.
Additional Information: The changes address also situation where some
wccp clients are sending modified weight field in the wccp message and
this way create a topology change situation.
--

I upgraded to IOS 12.4(23), but the problems remain.

What do you think about migrating to the IOS T release?

Is anyone using more than one Squid registered on the same router?

Regards

Alex


On Mon, May 4, 2009 at 9:08 PM, Ritter, Nicholas
 wrote:
> Yup...looks like an IOS related problem...try a different release of IOS.
>
>
> -Original Message-
> From: alexmontoane...@gmail.com on behalf of Alex Montoanelli
> Sent: Mon 5/4/2009 4:00 PM
> To: squid-users
> Subject: Re: [squid-users] CISCO + WCCP Stopping forward packets
>
> Hi, after a day of working fine, the problem appears.
>
> I see the HereIAm and ISeeYou packets between Cisco and Squid; above
> are the logs of both.
>
> I have 4 instances of Squid running on the same machine. I just
> shut down 3 of them and started them again, and every one
> went back to normal. The fourth instance went back to normal without any touch.
>
>
> The *** mark is the beginning of the trouble.
>
> --CISCO
> May  4 17:21:32 cliente-1-254.unetvale.com.br 240185: 240210: *May  4
> 21:23:36: WCCP-PKT:S00: Sending I_See_You packet to 200.193.10.140 w/
> rcv_id 00091ACD
> May  4 17:21:37 cliente-1-254.unetvale.com.br 240188: 240213: *May  4
> 21:23:41: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 200.193.10.141 w/rcv_id 00091ACB
> May  4 17:21:37 cliente-1-254.unetvale.com.br 240189: 240214: *May  4
> 21:23:41: WCCP-PKT:S00: Sending I_See_You packet to 200.193.10.141 w/
> rcv_id 00091ACF
> May  4 17:21:41 cliente-1-254.unetvale.com.br 240190: 240215: *May  4
> 21:23:44: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 200.193.10.143 w/rcv_id 00091ACC
> May  4 17:21:41 cliente-1-254.unetvale.com.br 240191: 240216: *May  4
> 21:23:44: WCCP-PKT:S00: Sending I_See_You packet to 200.193.10.143 w/
> rcv_id 00091AD0
> May  4 17:21:42 cliente-1-254.unetvale.com.br 240192: 240217: *May  4
> 21:23:46: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 200.193.10.140 w/rcv_id 00091ACD
> May  4 17:21:42 cliente-1-254.unetvale.com.br 240193: 240218: *May  4
> 21:23:46: WCCP-PKT:S00: Sending I_See_You packet to 200.193.10.140 w/
> rcv_id 00091AD1
> May  4 17:22:31 cliente-1-254.unetvale.com.br 240244: 240269: *May  4
> 21:24:35: WCCP-EVNT:S00: Here_I_Am packet from 200.193.10.141 w/bad
> rcv_id 00091ACB
> May  4 17:22:32 cliente-1-254.unetvale.com.br 240247: 240272: *May  4
> 21:24:36: WCCP-EVNT:S00: Here_I_Am packet from 200.193.10.140 w/bad
> rcv_id 00091AD1
> May  4 17:23:27 cliente-1-254.unetvale.com.br 240310: 240335: *May  4
> 21:25:30: WCCP-PKT:S00: Received valid Here_I_Am packet from
> 200.193.10.143 w/rcv_id 00091AFE
> May  4 17:23:27 cliente-1-254.unetvale.com.br 240311: 240336: *May
>  4 21:25:30: WCCP-EVNT:S00: Assignment wait timer started
> May  4 17:23:31 cliente-1-254.unetvale.com.br 240314: 240339: *May  4
> 21:25:34: WCCP-EVNT:S00: Redirect_Assignment packet from
> 200.193.10.143 w/bad rcv_id 00091AFE
> May  4 17:24:54 cliente-1-254.unetvale.com.br 240378: 240403: *May  4
> 21:26:58: WCCP-EVNT:S00: Here_I_Am packet from 200.193.10.140 w/bad
> rcv_id

RE: [squid-users] CISCO + WCCP Stopping forward packets

2009-05-04 Thread Ritter, Nicholas
 packet to
200.193.10.141w/ rcv_id 00091B51
May  4 17:26:28 cliente-1-254.unetvale.com.br 240477: 240502: *May  4
21:28:32: WCCP-EVNT:S00: Here_I_Am packet from 200.193.10.140 w/bad
rcv_id 00091B49
--


Squid - Cachelog
--
2009/05/04 17:21:33| ctx: enter level  0:
'http://wm-ttv-mirror01-mia.terra.com/kboing/439755.asf'
2009/05/04 17:21:33| httpProcessReplyHeader: Impossible keep-alive
header from 'http://wm-ttv-mirror01-mia.terra.com/kboing/439755.asf'
2009/05/04 17:21:41| ctx: exit level  0
2009/05/04 17:21:41| wccp2HereIam: sending to service id 0
2009/05/04 17:21:41| Sending HereIam packet size 144
2009/05/04 17:21:41| Incoming WCCPv2 I_SEE_YOU length 264.
2009/05/04 17:21:41| Complete packet received
2009/05/04 17:21:41| Incoming WCCP2_I_SEE_YOU Received ID old=596685 new=596689.
2009/05/04 17:21:41| Cleaning out cache list
2009/05/04 17:21:41| checking cache list: (8c0ac1c8:8c0ac1c8)
2009/05/04 17:21:41| checking cache list: (8d0ac1c8:8c0ac1c8)
2009/05/04 17:21:41| checking cache list: (8e0ac1c8:8c0ac1c8)
2009/05/04 17:21:41| checking cache list: (8f0ac1c8:8c0ac1c8)
2009/05/04 17:21:41| Change not detected (2496 = 2496)
2009/05/04 17:21:44| ctx: enter level  0: 'http://br.msn.com/'
2009/05/04 17:21:44| httpProcessReplyHeader: Impossible keep-alive
header from 'http://br.msn.com/'
2009/05/04 17:21:51| ctx: exit level  0
2009/05/04 17:21:51| wccp2HereIam: sending to service id 0
2009/05/04 17:21:51| Sending HereIam packet size 144
2009/05/04 17:22:01| wccp2HereIam: sending to service id 0
2009/05/04 17:22:01| Sending HereIam packet size 144
2009/05/04 17:22:11| wccp2HereIam: sending to service id 0
2009/05/04 17:22:11| Sending HereIam packet size 144
2009/05/04 17:22:21| wccp2HereIam: sending to service id 0
2009/05/04 17:22:21| Sending HereIam packet size 144
2009/05/04 17:22:25| CACHEMGR: @10.100.0.101 requesting 'info'
2009/05/04 17:22:21| wccp2HereIam: sending to service id 0
2009/05/04 17:22:21| Sending HereIam packet size 144
2009/05/04 17:22:25| CACHEMGR: @10.100.0.101 requesting 'info'
2009/05/04 17:22:25| CACHEMGR: @10.100.0.101 requesting 'info'
2009/05/04 17:22:30| CACHEMGR: @10.100.0.101 requesting 'counters'
2009/05/04 17:22:30| CACHEMGR: @10.100.0.101 requesting 'info'
2009/05/04 17:22:31| wccp2HereIam: sending to service id 0
2009/05/04 17:22:31| Sending HereIam packet size 144
2009/05/04 17:22:41| wccp2HereIam: sending to service id 0
2009/05/04 17:22:41| Sending HereIam packet size 144
2009/05/04 17:22:51| wccp2HereIam: sending to service id 0
2009/05/04 17:22:51| Sending HereIam packet size 144
2009/05/04 17:23:01| wccp2HereIam: sending to service id 0
2009/05/04 17:23:01| Sending HereIam packet size 144
2009/05/04 17:23:11| wccp2HereIam: sending to service id 0
2009/05/04 17:23:11| Sending HereIam packet size 144
2009/05/04 17:23:26| wccp2HereIam: sending to service id 0
2009/05/04 17:23:26| Sending HereIam packet size 144
2009/05/04 17:24:33| wccp2HereIam: sending to service id 0
2009/05/04 17:24:33| Sending HereIam packet size 144
2009/05/04 17:24:43| wccp2HereIam: sending to service id 0
2009/05/04 17:24:43| Sending HereIam packet size 144
2009/05/04 17:24:53| wccp2HereIam: sending to service id 0
2009/05/04 17:24:53| Sending HereIam packet size 144
2009/05/04 17:25:03| wccp2HereIam: sending to service id 0
2009/05/04 17:25:03| Sending HereIam packet size 144
2009/05/04 17:25:13| wccp2HereIam: sending to service id 0
2009/05/04 17:25:13| Sending HereIam packet size 144
2009/05/04 17:25:23| wccp2HereIam: sending to service id 0
2009/05/04 17:25:23| Sending HereIam packet size 144
2009/05/04 17:25:33| wccp2HereIam: sending to service id 0
2009/05/04 17:25:33| Sending HereIam packet size 144
-


Alex Montoanelli
Network Administration and Management
Unetvale Conectividade
+55 48 3263 8700


On Mon, May 4, 2009 at 11:35 AM, Ritter, Nicholas
 wrote:
>
> I have not noticed other faqs requiring this, but make sure your iptables is 
> allowing UDP port 2048 on the Ethernet and gre interfaces of the squid box 
> and coming from the IP address listed in the "sh ip wccp" (the router 
> identifier IP.)
>
> Also, update your IOS. The loss of the hello packets is the problem, but the 
> reason behind the packet transmission loss is the mystery. You can try 
> running a packet sniffer on the squid box to make sure it is sending the 
> "Here I am" packets, or increase the debug level of squid to see them.
>
> My experience has been that the problem is on the Cisco side though.
>
> -Original Message-
> From: alexmontoane...@gmail.com [mailto:alexmontoane...@gmail.com] On Behalf 
> Of Alex Montoanelli
> Sent: Monday, May 04, 2009 8:57 AM
> To: Ritter, Nicholas
> Subject: Re: [squid-users] CISCO + WCCP Stopping forward packets
>
> Hello Nicholas.
>
> When the service break down, the rel
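An added example (not part of the thread) that runs the kind of check Nick describes over the two logs quoted above: it flags the moment squid's HereIam announcements stop receiving I_SEE_YOU replies, and counts the router's "bad rcv_id" rejections per cache. The log lines are constructed samples in the formats shown above, with documentation addresses in place of the real ones.

```python
import re
from datetime import datetime

# Constructed sample of squid's cache.log during the WCCPv2 registration
# exchange, in the line formats quoted above: one answered HereIam, then
# four that get no I_SEE_YOU back.
SAMPLE_CACHE_LOG = """\
2009/05/04 17:21:41| wccp2HereIam: sending to service id 0
2009/05/04 17:21:41| Sending HereIam packet size 144
2009/05/04 17:21:41| Incoming WCCPv2 I_SEE_YOU length 264.
2009/05/04 17:21:41| Incoming WCCP2_I_SEE_YOU Received ID old=596685 new=596689.
2009/05/04 17:21:51| wccp2HereIam: sending to service id 0
2009/05/04 17:21:51| Sending HereIam packet size 144
2009/05/04 17:22:01| wccp2HereIam: sending to service id 0
2009/05/04 17:22:01| Sending HereIam packet size 144
2009/05/04 17:22:11| wccp2HereIam: sending to service id 0
2009/05/04 17:22:11| Sending HereIam packet size 144
2009/05/04 17:22:21| wccp2HereIam: sending to service id 0
2009/05/04 17:22:21| Sending HereIam packet size 144
"""

# Constructed sample of the router's 'debug ip wccp' syslog lines.
SAMPLE_ROUTER_LOG = """\
*May  4 21:23:41: WCCP-PKT:S00: Received valid Here_I_Am packet from 192.0.2.11 w/rcv_id 00091ACB
*May  4 21:23:41: WCCP-PKT:S00: Sending I_See_You packet to 192.0.2.11 w/ rcv_id 00091ACF
*May  4 21:24:35: WCCP-EVNT:S00: Here_I_Am packet from 192.0.2.11 w/bad rcv_id 00091ACB
*May  4 21:24:36: WCCP-EVNT:S00: Here_I_Am packet from 192.0.2.10 w/bad rcv_id 00091AD1
*May  4 21:26:58: WCCP-EVNT:S00: Here_I_Am packet from 192.0.2.10 w/bad rcv_id 00091B49
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
HERE_I_AM = re.compile(r"^(\S+ \S+)\| wccp2HereIam: sending to service id (\d+)")
I_SEE_YOU = re.compile(r"^(\S+ \S+)\| Incoming WCCPv2 I_SEE_YOU length \d+")
BAD_RCV_ID = re.compile(r"WCCP-EVNT:S(\d+): Here_I_Am packet from (\S+) w/bad rcv_id (\S+)")


def unanswered_here_i_am(lines, max_unanswered=3):
    """Flag the point where squid's HereIam announcements stop getting an
    I_SEE_YOU reply. Returns one (alert_time, last_reply_time, silent_seconds)
    tuple per outage; max_unanswered=3 is about 30 s at squid's 10 s interval."""
    last_reply = None
    unanswered = 0
    alerted = False
    findings = []
    for line in lines:
        m = HERE_I_AM.match(line)
        if m:
            ts = datetime.strptime(m.group(1), TS_FMT)
            unanswered += 1
            if unanswered >= max_unanswered and not alerted:
                silent = (ts - last_reply).total_seconds() if last_reply else None
                findings.append((ts, last_reply, silent))
                alerted = True
            continue
        m = I_SEE_YOU.match(line)
        if m:
            # A reply resets the counter so a later outage is reported again.
            last_reply = datetime.strptime(m.group(1), TS_FMT)
            unanswered = 0
            alerted = False
    return findings


def bad_rcv_id_by_cache(lines):
    """Count the router's 'bad rcv_id' rejections per (cache address,
    service group). A cache that keeps echoing a stale receive id is the one
    the router has stopped acknowledging."""
    counts = {}
    for line in lines:
        m = BAD_RCV_ID.search(line)
        if m:
            key = (m.group(2), m.group(1))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, last, silent in unanswered_here_i_am(SAMPLE_CACHE_LOG.splitlines()):
        since = f"since {last} ({silent:.0f}s)" if silent is not None else "ever"
        print(f"{ts}: no I_SEE_YOU {since}")
    for (cache, svc), n in sorted(bad_rcv_id_by_cache(SAMPLE_ROUTER_LOG.splitlines()).items()):
        print(f"router rejected {n} Here_I_Am from {cache} (service {svc}) with bad rcv_id")
```

Feed it `tail -f cache.log` (with the wccp debug section raised as Nick suggests) or the router's syslog to see when the two sides stop seeing each other.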

RE: [squid-users] CISCO + WCCP Stopping forward packets

2009-05-04 Thread Ritter, Nicholas
I have not noticed other faqs requiring this, but make sure your iptables is 
allowing UDP port 2048 on the Ethernet and gre interfaces of the squid box and 
coming from the IP address listed in the "sh ip wccp" (the router identifier 
IP.)

Also, update your IOS. The loss of the hello packets is the problem, but the 
reason behind the packet transmission loss is the mystery. You can try running 
a packet sniffer on the squid box to make sure it is sending the "Here I am" 
packets, or increase the debug level of squid to see them. 

My experience has been that the problem is on the Cisco side though.

-Original Message-
From: alexmontoane...@gmail.com [mailto:alexmontoane...@gmail.com] On Behalf Of 
Alex Montoanelli
Sent: Monday, May 04, 2009 8:57 AM
To: Ritter, Nicholas
Subject: Re: [squid-users] CISCO + WCCP Stopping forward packets

Hello Nicholas.

When the service breaks down, the related fields are not 0; they are equal to
1/1. ( 1 Client / 1 Router ).

I have set up the router to log to a syslog server, and when the
issue occurs, the packets/messages are not transmitted.

My router, a Cisco 2811, is running
'flash:c2800nm-ipbase-mz.124-21.bin' / IOS version 12.4-21.

On Mon, May 4, 2009 at 10:45 AM, Ritter, Nicholas
 wrote:
>
> Two things you can do:
>
> 1) When the wccp service breaks as you describe, do a "sh ip wccp" on
> the router, make sure that "Number of Service Group Clients" and "Number
> of Service Group Routers" are both non-zero.
>
> 2)
>
> On the router:
>
> Debug ip wccp
>
>  - make sure your logging is set to debug level on the router
>
> Watch for the "Here I am" and "I see you" packets, which indicate that
> the router and the squid box see each other.
>
>
> One important thing, make sure your router is running the most recent
> version of IOS...different revisions have WCCP problems come and go. I
> have been running 12.4(15)T8 without problems for months.
>
> I was running various sub releases of 12.4 and had problems...but
> 12.4(15)T8 seems stable.
>
> Nick
>
>
> -Original Message-
> From: alexmontoane...@gmail.com [mailto:alexmontoane...@gmail.com] On
> Behalf Of Alex Montoanelli
> Sent: Monday, May 04, 2009 7:13 AM
> To: squid-users
> Subject: [squid-users] CISCO + WCCP Stopping forward packets
>
> Hello all.
>
> I have a FreeBSD Box, running Squid Version 2.7.STABLE6-20090306, with
> WCCP2 features on, with my Cisco Router 2811.
>
> It's running fine, but after a few hours, the traffic is not forwarded
> from Cisco to the Squid box.
>
> I don't see any packet on gre0 and a 'show ip wccp' on the Cisco does not
> increment the counters for redirected packets.
>
> In my logs (Cisco and Squid) I could not get anything;
>
> has someone been there?
>
> Regards
>
> Alex Montoanelli
>
>



RE: [squid-users] CISCO + WCCP Stopping forward packets

2009-05-04 Thread Ritter, Nicholas

Two things you can do:

1) When the wccp service breaks as you describe, do a "sh ip wccp" on
the router, make sure that "Number of Service Group Clients" and "Number
of Service Group Routers" are both non-zero.

2)

On the router:

Debug ip wccp

 - make sure your logging is set to debug level on the router

Watch for the "Here I am" and "I see you" packets, which indicate that
the router and the squid box see each other.


One important thing, make sure your router is running the most recent
version of IOS...different revisions have WCCP problems come and go. I
have been running 12.4(15)T8 without problems for months.

I was running various sub releases of 12.4 and had problems...but
12.4(15)T8 seems stable.

Nick


-Original Message-
From: alexmontoane...@gmail.com [mailto:alexmontoane...@gmail.com] On
Behalf Of Alex Montoanelli
Sent: Monday, May 04, 2009 7:13 AM
To: squid-users
Subject: [squid-users] CISCO + WCCP Stopping forward packets

Hello all.

I have a FreeBSD Box, running Squid Version 2.7.STABLE6-20090306, with
WCCP2 features on, with my Cisco Router 2811.

It's running fine, but after a few hours, the traffic is not forwarded
from Cisco to the Squid box.

I don't see any packet on gre0 and a 'show ip wccp' on the Cisco does not
increment the counters for redirected packets.

In my logs (Cisco and Squid) I could not get anything;

has someone been there?

Regards

Alex Montoanelli



RE: [squid-users] WCCP return method

2009-04-30 Thread Ritter, Nicholas


-Original Message-
From: kgardenia42 [mailto:kgardeni...@googlemail.com] 
Sent: Thursday, April 30, 2009 1:44 PM
To: squid-users@squid-cache.org
Subject: [squid-users] WCCP return method

My questions are :

* When the squid box has to proxy to the web-app, what is the
recommended way to stop a circular redirect i.e. I want to avoid the
squid box's proxied connection from getting intercepted by the
router's WCCP rules and looped back around to the squid box again.


Have the squid box on a dedicated sub-interface or physical interface,
run the "wccp redirect" statements on the local Ethernet interface and
use an "ip wccp redirect exclude" statement on the interface the squid
box is running on.

This is how I do it, and it works great.



* WCCP supports a return method for packets which the web-cache
decides to reject/return.  Does squid support this?  I see that the
return method can be configured in squid but is the support for
returning actually there?

I dunno about this one.


RE: [squid-users] Cisco with WCCP!! newbie here..

2009-01-16 Thread Ritter, Nicholas
The firewall on the squid box might be blocking the traffic, either the GRE 
traffic itself, or some other facet. Start by allowing all traffic into the 
box on the eth interface and the gre interface from both the IP from the router 
identifier field, and the IP of the ethernet interface of the router that 
egresses to the squid box. For example, if 172.16.50.54 is the loopback 
interface on the router, and 192.168.10.1 is the FastEthernet0/0 interface of 
the router, and the squid box hangs off of FastEthernet0/0, then put those two 
IPs in as allows. If you use subinterfaces with IPs, use the subinterface.
 
Testing I have done has shown that depending on the configuration and IOS of 
the router, the router will use different IPs to talk to the squid box.
 
If doing this fixes your problem, you can then narrow down the firewall rules 
to be more specific, and therefore more secure.
 
Nick



From: Roland Roland [mailto:r_o_l_a_...@hotmail.com]
Sent: Fri 1/16/2009 8:27 PM
To: Ritter, Nicholas; squid-users@squid-cache.org
Subject: Re: [squid-users] Cisco with WCCP!! newbie here..



hello :)
I took a break from working live on squid and started reading more about it
to see what I'm getting myself into..
I managed to get the router and squid to see each other and troubleshoot the
GRE tunnel..
sh ip wccp shows hits.. but when I check the access.log and cache.log of
squid I see nothing..
any idea what might be causing this?
here's the output of router debug:


6 17:10:14.012: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0020
6 17:10:14.012: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0021
6 17:10:14.016: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0020
6 17:10:14.016: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0021
6 17:10:31.504: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0021
6 17:10:31.504: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0022
6 17:10:31.508: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0021
6 17:10:31.508: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0022
6 17:10:48.640: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0022
6 17:10:48.640: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0023
6 17:10:48.644: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0022
6 17:10:48.644: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0023
6 17:11:03.656: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0023
6 17:11:03.656: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0024
6 17:11:03.656: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0023
6 17:11:03.656: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0024
6 17:11:17.056: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0024
6 17:11:17.056: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0025
6 17:11:17.060: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0024
6 17:11:17.060: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0025
6 17:11:28.060: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0025
6 17:11:28.060: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0026
6 17:11:28.064: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0025
6 17:11:28.064: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0026
6 17:11:42.904: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0026
6 17:11:42.904: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0027
6 17:11:42.904: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0026
6 17:11:42.904: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0027
6 17:11:56.640: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0027
6 17:11:56.640: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0028
6 17:11:56.644: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0027
6 17:11:56.644: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0028
6 17:12:11.392: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0028
6 17:12:11.392: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0029
6 17:12:11.392: WCCP-PKT:D80: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0028
6 17:12:11.392: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/
rcv_id 0029
6 17:12:22.960: WCCP-PKT:D90: Received valid Here_I_Am packet from
192.168.0.2 w/rcv_id 0029
6 17:12:22.960: WC

RE: [squid-users] Re: WCCP configuration

2009-01-09 Thread Ritter, Nicholas
With TProxy, I think you need to use Squid3-HEAD to reliably fix your 
issue...Amos would know for sure.
 
Nick
 



From: vivek...@aol.in [mailto:vivek...@aol.in]
Sent: Fri 1/9/2009 8:39 AM
To: hen...@henriknordstrom.net
Cc: squid-users@squid-cache.org; squ...@treenet.co.nz
Subject: [squid-users] Re: WCCP configuration



Hi,

Thanks for the reply. It did help us solve the problem.

But there is a new issue.

We have configured as squid+tproxy. The squid ip is not displayed and
only the client ip is displayed when we do the proxy test. But after
configuring wccp we find that the server ip is displayed in the proxy
test instead of the client ip.

We also find that the http request is pathetically slow.

squid.conf

wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240
ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
priority=240 ports=80

http_port 3128 transparent tproxy

iptable:
/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp
--dport 80 -j TPROXY --on-port 3128


We created a gre tunnel based on the router identifier.

wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid
machine)

The following command is assigned at the router interface connected to
the lan.
ip wccp 80 redirect in
ip wccp 90 redirect out

Following command at the router interface connected to squid.
ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M),
Version 12.4(13b)
Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5

#lsmod

ip_gre                 19616  0
iptable_filter         11136  0
ipt_TPROXY             11136  1
ipt_REDIRECT           10624  0
xt_tcpudp              11904  1
reiserfs              235144  5
iptable_tproxy         23036  2 ipt_TPROXY
iptable_nat            15492  1 iptable_tproxy
ip_nat                 24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
ip_tables              25448  3 iptable_filter,iptable_tproxy,iptable_nat
x_tables               23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
ip_conntrack           53400  3 iptable_tproxy,iptable_nat,ip_nat


The internet works, but the browsing is dead slow. Temporarily we have
bypassed squid to browse the net.


Thanks
VK


-Original Message-
From: Henrik Nordstrom 
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration


ons 2009-01-07 klockan 08:46 -0500 skrev vivek...@aol.in:

> wccp2_router xxx.xx.xxx.xxx
> wccp_version 4
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service dynamic 80
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240
> ports=80
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
> priority=240 ports=80
>
>
> Router Eth0 - connected to lan. Eth1 - connected to squid.

Have you also configured
* A loopback address on the router, giving it an easily identified router
ID

* the required GRE/WCCP tunnel interface on the Squid server

* disabled rp_filter on the above GRE/WCCP interface.

* And adjusted the REDIRECT/NAT rules to act on traffic received on the
GRE/WCCP interface configured above?


> Service Identifier: web-cache
> Number of Service Group Clients: 1
> Number of Service Group Routers: 1
> Total Packets s/w Redirected:11336
>   Process:   0
>   Fast:  0
>   CEF:   11336

Looks fine.

> Is there any simple way of configuring WCCP. We have been beating around
the
> bush all day long to configure wccp.

WCCP as such is configured. But something is missing in the interception
at the proxy. Most likely the GRE interface mentioned above.

Regards
Henrik




RE: [squid-users] transparent proxy not working!! any advice?

2009-01-08 Thread Ritter, Nicholas
ip_gre is enough...the IP_WCCP module was used prior to gre support in the 
kernel. CentOS 5 is new enough that it uses a kernel that is gre capable.
 
I have found that there are routing problems with some IOS versions because the 
squid cache may be sitting on an IP subnet that is not directly connected to the 
ip subnet the squid box is on.
 
The way to check on this is to see if the "Router Identifier" in the "sh ip 
wccp" output on the router shows an IP address that is on the same IP subnet as 
the squid box.
 
The solution is to make sure they are the same IP subnet, or update your IOS. I 
know the problem was fixed at or around IOS version 12.4(15)T3. I happen to be 
running (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T3 and the problem is no 
longer there. But initially I was having the problem with an earlier 12.4 
version of SPServices IOS.
 
Nick



From: r_o_l_a_...@hotmail.com [mailto:r_o_l_a_...@hotmail.com]
Sent: Thu 1/8/2009 9:44 AM
To: Ritter, Nicholas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?



Nicholas

ports are open now, however I'm still not seeing traffic on the tunnel
(tcpdump -i gre0). Also I'm not certain if the ip_gre module is enough. I'm
seeing many configurations using ip_wccp, but I do not have that one on my
CentOS.
What is the proper way to verify that the tunnel is working properly? I tried to
create 2 VMs, and setup a GRE tunnel between them, and it worked.


----------
From: "Ritter, Nicholas" 
Sent: Tuesday, January 06, 2009 11:25 PM
To: "Roland Roland" 
Cc: 
Subject: RE: [squid-users] transparent proxy not working!! any advice?

> Ok...so the squid server and the router are seeing each other
> initially...then it fails. On the squid box you need to make sure the
> firewall is allowing UDP port 2048 from the router and that the GRE
> tunnel is functioning properly, and is setup in iptables properly.
>
> The other thing that may be needed is that the access-list (access-list
> 180, from my last email) should have the ip of the squid box in it as a
> deny entry. The reason for this is that you want to avoid traffic being
> 'looped' from the router to the squid box.
>
> You can setup WCCP where you are using no service groups and just the
> web-cache and web-cache redirect, etc. The two things that can break doing
> that are: multiple squid servers in a WCCP setup, and support for
> apps/ports other than port 80.
>
> Nick
>
> ________
>
> From: Roland Roland [mailto:r_o_l_a_...@hotmail.com]
> Sent: Tue 1/6/2009 1:48 PM
> To: Ritter, Nicholas; sq...@vdvyver.net
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>
>
>
> Hello,
>
> after adding the ACL below.
> I've got the following result.
> if I'm not mistaken, it has something to do with the "dynamic" issue?
> Should I set it as standard 0
> or ?!
>
> *Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to
> 192.168.0.183 w/ rcv_id 0019
> *Jan  6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to
> 192.168.0.183 w/ rcv_id 0019
> *Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183
> w/bad rcv_id 
> *Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to
> 192.168.0.183 w/ rcv_id 001A
> *Jan  6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183
> w/bad rcv_id 
> *Jan  6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to
> 192.168.0.183 w/ rcv_id 001A
> *Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to
> 192.168.0.183w/ rcv_id 001B
> *Jan  6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to
> 192.168.0.183w/ rcv_id 001B
> *Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client
> 192.168.0.183
> *Jan  6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client
> 192.168.0.183
> *Jan  6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to
> 192.168.0.183 w/ rcv_id 001C
> *Jan  6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to
> 192.168.0.183 w/ rcv_id 001C
>
> --
> From: "Roland Roland" 
> Sent: Monday, January 05, 2009 9:50 PM
> To: "Ritter, Nicholas" ;
> 
> Cc: 
> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>
>>
>> Hello,
>> thanks for the advice I'll proceed and add the new ACL.
>> in the meantime, to answer your question
>> yes Squid is on the same interface as all the other clients. what sort of
>> entries should I add to 

RE: [squid-users] transparent proxy not working!! any advice?

2009-01-06 Thread Ritter, Nicholas
Ok...so the squid server and the router are seeing each other initially...then 
it fails. On the squid box you need to make sure the firewall is allowing UDP 
port 2048 from the router and that the GRE tunnel is functioning properly, 
and is setup in iptables properly.
 
The other thing that may be needed is that the access-list (access-list 180, 
from my last email) should have the ip of the squid box in it as a deny entry. 
The reason for this is that you want to avoid traffic being 'looped' from the 
router to the squid box.
 
You can setup WCCP where you are using no service groups and just the web-cache 
and web-cache redirect, etc. The two things that can break doing that are: 
multiple squid servers in a WCCP setup, and support for apps/ports other than 
port 80.
 
Nick



From: Roland Roland [mailto:r_o_l_a_...@hotmail.com]
Sent: Tue 1/6/2009 1:48 PM
To: Ritter, Nicholas; sq...@vdvyver.net
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?



Hello,

after adding the ACL below.
I've got the following result.
if I'm not mistaken, it has something to do with the "dynamic" issue? Should
I set it as standard 0
or ?!

 *Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to
192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:39.298: WCCP-PKT:D80: Sending I_See_You packet to
192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183
w/bad rcv_id 
*Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to
192.168.0.183 w/ rcv_id 001A
*Jan  6 20:21:57.290: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183
w/bad rcv_id 
*Jan  6 20:21:57.290: WCCP-PKT:D80: Sending I_See_You packet to
192.168.0.183 w/ rcv_id 001A
*Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to
192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:04.298: WCCP-PKT:D80: Sending Removal_Query packet to
192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client
192.168.0.183
*Jan  6 20:22:09.298: %WCCP-1-SERVICELOST: Service 80 lost on WCCP client
192.168.0.183
*Jan  6 20:22:15.298: WCCP-PKT:D90: Sending I_See_You packet to
192.168.0.183 w/ rcv_id 001C
*Jan  6 20:22:15.298: WCCP-PKT:D80: Sending I_See_You packet to
192.168.0.183 w/ rcv_id 001C

--
From: "Roland Roland" 
Sent: Monday, January 05, 2009 9:50 PM
To: "Ritter, Nicholas" ; 
Cc: 
Subject: Re: [squid-users] transparent proxy not working!! any advice?

>
> Hello,
> thanks for the advice I'll proceed and add the new ACL.
> in the meantime, to answer your question
> yes Squid is on the same interface as all the other clients. what sort of
> entries should I add to tht access list?
>
> PS: my IOS is Version 12.4(17b), RELEASE SOFTWARE (fc2) Cisco 2811
> (revision 53.51)
>
>
> --
> From: "Ritter, Nicholas" 
> Sent: Monday, January 05, 2009 9:23 PM
> To: ; 
> Cc: 
> Subject: RE: [squid-users] transparent proxy not working!! any advice?
>
>> The error on the Cisco router is stating that the squid box is trying to
>> tell the router that it is able to service the wccp group 80 and 90, but
>> for some reason the router does not see those groups as ones it is
>> servicing.
>>
>> This is odd. Try doing the following in the router:
>>
>> ip access-list 180 permit any any
>> ip wccp web-cache redirect-list 180
>> ip wccp 80 redirect-list 180
>> ip wccp 90 redirect-list 180
>>
>> Is the squid box on the same router interface as the rest of the clients?
>> If it is, you may need to add lines to the access-list 180, or put the
>> squid box on the secondary interface of the router and do a "ip wccp
>> redirect exclude in" statement on that interface.
>>
>> Which IOS feature set and version is this?
>>
>> WCCP is buggy in some IOS releases.
>>
>>
>>
>> 
>>
>> From: r_o_l_a_...@hotmail.com [mailto:r_o_l_a_...@hotmail.com]
>> Sent: Mon 1/5/2009 8:43 AM
>> To: sq...@vdvyver.net
>> Cc: squid-users@squid-cache.org
>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>
>>
>>
>> Hello,
>> actually I have both of them set on the lan interface ( am I mistaken to set
>> the
>> "redirect out" on the lan interface? should I be setting it on the
>> interface
>> facing the internet?)
>>
>> ip wccp 80 redirect in
>> ip wccp 90 redirect out
>>
>> as for the wiki provided, I fail to see what's missing!
>> obviously there is something, but I&

RE: [squid-users] transparent proxy not working!! any advice?

2009-01-05 Thread Ritter, Nicholas
The error on the Cisco router is stating that the squid box is trying to tell 
the router that it is able to service the wccp group 80 and 90, but for some 
reason the router does not see those groups as ones it is servicing.
 
This is odd. Try doing the following in the router:
 
ip access-list 180 permit any any
ip wccp web-cache redirect-list 180
ip wccp 80 redirect-list 180
ip wccp 90 redirect-list 180
 
Is the squid box on the same router interface as the rest of the clients? If it 
is, you may need to add lines to the access-list 180, or put the squid box on 
the secondary interface of the router and do a "ip wccp redirect exclude in" 
statement on that interface.
 
Which IOS feature set and version is this? 
 
WCCP is buggy in some IOS releases.
 
 



From: r_o_l_a_...@hotmail.com [mailto:r_o_l_a_...@hotmail.com]
Sent: Mon 1/5/2009 8:43 AM
To: sq...@vdvyver.net
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] transparent proxy not working!! any advice?



Hello,
actually I have both of them set on the lan interface ( am I mistaken to set the
"redirect out" on the lan interface? should I be setting it on the interface
facing the internet?)

ip wccp 80 redirect in
ip wccp 90 redirect out

as for the wiki provided, I fail to see what's missing!
obviously there is something, but I'm not detecting it!



--
From: "Regardt van de Vyver" 
Sent: Monday, January 05, 2009 12:46 AM
Cc: 
Subject: Re: [squid-users] transparent proxy not working!! any advice?

> Roland Roland wrote:
>> Hello,
>> the output of the debugging is as such:
>>
>>
>>
>> *Jan  4 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183:
>> service not active
>> *Jan  4 23:16:43.205: WCCP-EVNT:D80: Here_I_Am packet from 192.168.0.183:
>> service not active
>>
>> what service is that?!
>>
>>
>>
>> --
>> From: "Regardt van de Vyver" 
>> Sent: Sunday, January 04, 2009 9:33 PM
>> Cc: 
>> Subject: Re: [squid-users] transparent proxy not working!! any advice?
>>
>>> Roland Roland wrote:
 i've just created a new box with the following options:
 but wccp with router is still not working!
 any advice?


 using centos 5.2
 and squid 2.6
 firewall enabled
 SElinux permissive
 ---
 done the following:

 yum update yum

 yum install squid

 squid -z
 ---
 gedit /etc/rc.d/init.d/rc.local

 #added:
 modprobe ip_gre
 ifconfig gre0 192.168.0.183 netmask 255.255.255.0 up
 #this is the same ip as my eth0

 
 gedit /etc/sysconfig/iptables

 #added:
 -A INPUT -i gre0 -j ACCEPT
 -A INPUT -i gre0 -j ACCEPT
 -A INPUT -p gre -j ACCEPT
 #my routers lan interface 192.168.0.1
 -A RH-Firewall-1-INPUT -s 192.168.0.1/24 -p udp -m udp --dport 2048 -j
 ACCEPT
 ---
 service iptables condrestart
 
 gedit /etc/squid/squid.conf

 #edited/added the following:
 http_port 80 transparent
 http_access allow all
 wccp2_router 192.168.0.1
 wccp_version 4
 wccp2_rebuild_wait on
 wccp2_forwarding_method 1
 wccp2_return_method 1
 wccp2_assignment_method 1
 wccp2_service dynamic 80
 wccp2_service dynamic 90
 wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240
 ports=80
 wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source
 priority=240 ports=80
 --
 Cisco router 2811 side:

 conf t
 ip wccp version 2
 ip wccp web-cache

 int f0/1 (Lan interface)
 ip wccp 80 redirect in
 ip wccp 90 redirect out
 --
 service squid restart

 then sh ip wccp on router gave me all hits as 0 no hits from squid to
 router!!
 --

 service iptables status

 [r...@localhost ~]# service iptables status
 Table: filter
 Chain INPUT (policy ACCEPT)
 num  target               prot opt source       destination
 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0
 2    ACCEPT               all  --  0.0.0.0/0    0.0.0.0/0
 3    ACCEPT               all  --  0.0.0.0/0    0.0.0.0/0
 4    ACCEPT               47   --  0.0.0.0/0    0.0.0.0/0

 Chain FORWARD (policy ACCEPT)
 num  target               prot opt source       destination
 1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0    0.0.0.0/0

 Chain OUTPUT (policy ACCEPT)
 num  target               prot opt source       destina
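The replies in these threads keep coming back to two checks: the "sh ip wccp" counters (service group clients and routers non-zero, packets redirected) and the Here_I_Am / I_See_You exchange in "debug ip wccp". As an added example, not code from any poster, this Python script parses constructed samples of both outputs laid out like the excerpts quoted above, verifies that each valid Here_I_Am echoes the rcv_id the router last sent, and flags the "service not active", "bad rcv_id" and %WCCP-1-SERVICELOST conditions seen in the logs.

```python
"""Assess WCCP registration from "sh ip wccp" and "debug ip wccp" text."""
import re
from collections import namedtuple

Event = namedtuple("Event", "service kind client rcv_id")

# Constructed sample laid out like the "sh ip wccp" excerpt quoted in the thread.
SHOW_IP_WCCP = """\
    Router Identifier:                   192.168.0.1
    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        11336
    Service Identifier: 90
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
"""

# Constructed "debug ip wccp" lines modelled on those quoted above:
# a healthy D80 exchange, then the D90 failure sequence.
DEBUG_LOG = """\
*Jan  6 17:10:14.012: WCCP-PKT:D80: Received valid Here_I_Am packet from 192.168.0.2 w/rcv_id 0020
*Jan  6 17:10:14.012: WCCP-PKT:D80: Sending I_See_You packet to 192.168.0.2 w/ rcv_id 0021
*Jan  6 17:10:31.504: WCCP-PKT:D80: Received valid Here_I_Am packet from 192.168.0.2 w/rcv_id 0021
*Jan  6 20:21:39.294: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 0019
*Jan  6 20:21:57.290: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183 w/bad rcv_id
*Jan  6 20:21:57.290: WCCP-PKT:D90: Sending I_See_You packet to 192.168.0.183 w/ rcv_id 001A
*Jan  6 20:22:04.294: WCCP-PKT:D90: Sending Removal_Query packet to 192.168.0.183w/ rcv_id 001B
*Jan  6 20:22:09.294: %WCCP-1-SERVICELOST: Service 90 lost on WCCP client 192.168.0.183
*Jan  6 23:16:43.205: WCCP-EVNT:D90: Here_I_Am packet from 192.168.0.183: service not active
"""

_SVC = re.compile(r"Service Identifier:\s*(\S+)")
_NUM = re.compile(r"(Clients|Routers|Redirected):\s*(\d+)")
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_RCV = re.compile(r"w/\s*rcv_id\s*([0-9A-Fa-f]+)")
_LINE = re.compile(r"WCCP-(?:PKT|EVNT):D(\d+): (.*)$")
_LOST = re.compile(r"%WCCP-1-SERVICELOST: Service (\d+) lost on WCCP client " + _IP)


def parse_show_ip_wccp(text):
    """Return {service: {"Clients": n, "Routers": n, "Redirected": n}}."""
    services, current = {}, None
    for line in text.splitlines():
        m = _SVC.search(line)
        if m:
            current = services.setdefault(m.group(1), {})
            continue
        m = _NUM.search(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return services


def parse_debug_log(text):
    """Turn "debug ip wccp" lines into Event tuples; lines not about WCCP are skipped."""
    events = []
    for line in text.splitlines():
        m = _LOST.search(line)
        if m:
            events.append(Event(m.group(1), "service_lost", m.group(2), None))
            continue
        m = _LINE.search(line)
        if not m:
            continue
        service, msg = m.groups()
        ip, rcv = re.search(_IP, msg), _RCV.search(msg)
        if "service not active" in msg:
            kind = "service_not_active"
        elif "bad rcv_id" in msg:
            kind = "bad_rcv_id"
        elif "Received valid Here_I_Am" in msg:
            kind = "here_i_am"
        elif "Sending I_See_You" in msg:
            kind = "i_see_you"
        else:
            kind = "other"  # Removal_Query and anything else we do not score
        events.append(Event(service, kind, ip.group(1) if ip else None,
                            rcv.group(1).upper() if rcv else None))
    return events


def assess(services, events):
    """Return human-readable findings for the failure signs discussed in the thread."""
    findings = []
    for svc, c in sorted(services.items()):
        if c.get("Clients", 0) == 0 or c.get("Routers", 0) == 0:
            findings.append(f"{svc}: no clients/routers registered, cache and router do not see each other")
        elif c.get("Redirected", 0) == 0:
            findings.append(f"{svc}: registered but nothing redirected yet, check the redirect statements")
    last_sent = {}  # rcv_id the router last sent per service; the cache must echo it back
    for ev in events:
        if ev.kind == "i_see_you":
            last_sent[ev.service] = ev.rcv_id
        elif ev.kind == "here_i_am":
            want = last_sent.get(ev.service)
            if want is not None and ev.rcv_id != want:
                findings.append(f"service {ev.service}: {ev.client} echoed rcv_id {ev.rcv_id}, router sent {want}")
        elif ev.kind == "bad_rcv_id":
            findings.append(f"service {ev.service}: Here_I_Am from {ev.client} carried a stale rcv_id")
        elif ev.kind == "service_not_active":
            findings.append(f"service {ev.service}: router does not see this group as one it is servicing")
        elif ev.kind == "service_lost":
            findings.append(f"service {ev.service}: router dropped client {ev.client} (SERVICELOST)")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_show_ip_wccp(SHOW_IP_WCCP), parse_debug_log(DEBUG_LOG)):
        print(finding)
```

Feed it the real router output (for example "show ip wccp" and the terminal-monitor capture of "debug ip wccp") in place of the constructed samples; the regexes only assume the wording shown in the quoted excerpts.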

RE: [squid-users] How important is harddisk performance?

2008-12-23 Thread Ritter, Nicholas
To a degree I agree with Matus in that the type of load is important. It is 
also important to keep in mind how you plan to setup cache dirs, and cache 
replacement. If you configure squid to cache most stuff to RAM, then disks are 
not as important as RAM...although RAM is really always the most important 
because it is faster, and why would you want to cache stuff to a slower medium 
when you can cache it to a faster medium.
 
If you can afford the faster disks, get them...although I would suggest that 
you be sure to get an I2O capable card like an Adaptec because you can further 
improve performance by offloading disk IO operations (to an extent anyway) away 
from the kernel to the controller. I have no idea if, much less how much, 
Squid itself would improve its performance from this, but I2O capable cards are 
affordable.
 
I was having a discussion with some of my coworkers about SATAII versus 
SCSI...some felt that one was worth more than the other given costs and ease 
of management.
 
In general, identify how your users will be using it and how to plan the cache 
replacement policy and setup. Are your users going to be downloading files, or 
just web content? What size files will you cache to disk versus cache to 
RAM...etc.
 
Nick



From: rihad [mailto:ri...@mail.ru]
Sent: Tue 12/23/2008 12:44 AM
To: squid-users@squid-cache.org
Subject: [squid-users] How important is harddisk performance?



Hi there.

I'm planning to build a new dedicated Squid-box, with amd64 and 4 gigs
of RAM, with two cache_dir's on two separate harddisks and Squid-3 doing
application level striping, all servicing around 6k users. Will two
recent IDE disks of 7200 rpm suffice, or I'm better off getting two
15000 rpm SCSI disks on a dedicated controller board? Just not sure if
performance gains would be noticeable by an average user, given enough
ram. I read this too: http://wiki.squid-cache.org/BestOsForSquid
Just double checking.

Thanks for any tips.





RE: [squid-users] Squid-3 / TProxy v4.1

2008-12-22 Thread Ritter, Nicholas
Although the TProxy I am currently using is not ICMP aware, I am using it in a 
production environment across the midwest of the US. It is working very well. I 
am using CentOS 5.2 x86_64 on custom built Intel Core 2 Duo machines (single 
CPU, 2 cores) with 3GB RAM. I have 20 of these boxes and they each serve about 
75 to 150 clients behind them. I am using Cisco 2811 routers for WCCP 
redirection.
 
I will soon start working on a revised tutorial for setup of CentOS 5.2 x86_64, 
Squid, and TProxy to reflect the newer builds of Squid and TProxy. Although 
the concepts have changed, I have learned some lessons from my production 
deployments that I would like to pass on to the Squid community.
 
Nicholas



From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Mon 12/22/2008 5:52 AM
To: ri...@mail.ru
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid-3 / TProxy v4.1



rihad wrote:
> Are Squid-3 / TProxy v4.1 still under heavy development? Anyone using it
> in production with any success?

IIRC Nicholas Ritter was using it in Production for the final round of
testing.

>
> Thanks.
>
> P.S.: I know Squid 3 is still beta: http://www.squid-cache.org/Versions/
> But as I'm new to TProxy I'd like to start using the bleeding edge
> version that requires no additional patching.

Both are technically still in beta. The tproxy won't be out formally
until kernel 2.6.28. But yes, we who worked on it believe they are
finished and usable. Even if not proven by years and masses of usage.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1





RE: [squid-users] TProxy setup

2008-12-22 Thread Ritter, Nicholas
The docs are accurate for rules and marking. Exactly what you need to do varies 
depending on whether you need to do NAT or not. 
 
Generally, in a Cisco environment where WCCP is used, and NAT is done on the 
outside egress interface of the router, a Squid/WCCP/TProxy setup can be done 
with no NAT being taken into consideration because all of the redirection, 
etc. happens behind the NAT point for the network as a whole.
 
You should open up a port for the WCCP control traffic though. The doc on the 
squid wiki mentions the port number. Although not always needed, I have found 
from experience that depending on the IOS code level, the port is needed and 
sometimes not...but logically it is needed, so it is safe to always open it up.
 
Here is what I have for iptables rules:
 
# Allow all incoming traffic on the GRE interface
-A INPUT -i gre0 -j ACCEPT 
-A INPUT -p gre -j ACCEPT 
# Allow GRE Protocol on physical interface which the GRE is expected on
-A INPUT -i eth0 -p gre -j ACCEPT 
-A LocalFW -p icmp -m icmp --icmp-type any -j ACCEPT 
# Allow WCCP "control" traffic to UDP port 2048
-A LocalFW -s /32 -p udp -m udp --dport 2048 -j ACCEPT
# divert, mangling, etc. of inbound HTTP request traffic redirected by WCCP on the router to the squid box
-A PREROUTING -p tcp -m socket -j DIVERT 
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip  --tproxy-mark 0x1/0x1 
-A DIVERT -j MARK --set-mark 0x1 
-A DIVERT -j ACCEPT 

 
The rules above are not exactly optimal. The "-A PREROUTING -p tcp -m socket -j 
DIVERT" line can break some other functionality on the linux box hosting squid, 
but for a dedicated cache box, this is ok. 
 
I am going to start working on an updated CentOS 5.2/TProxy/Squid setup and 
HOWTO because the one I put up on the Squid wiki is a little incorrect and the 
new version of TProxy has ICMP support that is important.
 
Nicholas


From: rihad [mailto:ri...@mail.ru]
Sent: Mon 12/22/2008 12:28 AM
To: Squid Users
Subject: [squid-users] TProxy setup



Hello there,

How should TProxy/Cisco be configured in iptables/netfilter:
0) as outlined in SquidFaq with just two lines
(http://wiki.squid-cache.org/SquidFaq/InterceptionProxy#head-5887c3744368f290e63fda47fd1e4715c9bdbc9b):
iptables -t nat -A PREROUTING -i wccp0 -j REDIRECT --redirect-to 3128
iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 80

1) As described in the official TProxy docs
(http://www.balabit.com/downloads/files/tproxy/README.txt):
   ip rule add fwmark 1 lookup 100
   ip route add local 0.0.0.0/0 dev lo table 100

   iptables -t mangle -N DIVERT
   iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

   # DIVERT chain: mark packets and accept
   iptables -t mangle -A DIVERT -j MARK --set-mark 1
   iptables -t mangle -A DIVERT -j ACCEPT

   iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
   --tproxy-mark 0x1/0x1 --on-port 50080

2) Both :-/
3) Something else.

I'm totally confused...





RE: [squid-users] Cisco with WCCP!! newbie here..

2008-12-11 Thread Ritter, Nicholas
I can help you out with this as needed.

Nick


-Original Message-
From: RoLaNd RoLaNd [mailto:r_o_l_a_...@hotmail.com]
Sent: Thu 12/11/2008 1:05 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Cisco with WCCP!! newbie here..
 

Hi All,

am obviously a newbie here so am seeking an advice if i may..
 
my current topology is as such:
 
cisco 2811 router---Lan (contains users/squid)
 
Squid is installed on ubuntu.
and has one NIC with static ip 192.168.0.14/24
 
i've managed to get direct proxy working with minimal settings..
but am finding it hard to set it as transparent..
I looked around and found at squid-cache that I could use Cisco's WCCP protocol...
I've checked the config examples but as I'm a newbie I got a little bit lost!!!
 
could anyone help out?!
 
any advice would be appreciated:)
 
thank you in advance..
 
Roland



RE: [squid-users] Tproxy iptables rules issue

2008-09-24 Thread Ritter, Nicholas
As Amos said, we are close to a solution, I am in the middle of load
testing it to make sure things are ok.

Load testing it has been delayed a little more than planned because I
am having that same annoying GRE tunnel problem I noted back in May. It
appears that the GRE tunnel setup on the Linux server running Squid is
not the same when the WCCP router identifier is not on the same logical
IP subnet...either that or there is a screwy problem between IOS version
numbers.

As soon as I finish the load testing, I will update the wiki article,
because it is way off now.

Nick

> -Original Message-
> From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, September 23, 2008 11:42 PM
> To: Dan Letkeman
> Cc: Ritter, Nicholas; squid-users
> Subject: Re: [squid-users] Tproxy iptables rules issue
> 
> > Did you ever get this going?  I have successfully setup a
> > squid2.6/tproxy/iptables server, and I have successfully setup a
> > squid2.6/wccp server and now I'm trying to combine both of them, but I
> > think the iptables commands I'm trying are wrong.  Do you have any
> > suggestions?
> 
> Squid 2.6 does not have Tproxy v4.1+ support. Nick was 
> testing a 3-HEAD Squid server.
> 
> We just got it going yesterday :-) the patch to Squid-3 is in 
> HEAD now.
> Though a few alterations to the kernel side of TPROXY were 
> also needed, which may not have been added to the Balabit 
> side quite yet.
> 
> The How-to about kernel patching is still awaiting a few 
> adjustments due in shortly.
> 
> 
> Amos
> 
> >
> > Thanks,
> > Dan.
> >
> > On Fri, May 30, 2008 at 3:58 PM, Ritter, Nicholas 
> > <[EMAIL PROTECTED]> wrote:
> >> What exactly do the redirection rules for wccp/iptables 1.4/squid 
> >> 2.6/tproxy look like? I have browsed the Internet plus messed with it 
> >> for a while now and found that the README rules don't fully work, and 
> >> the examples on the Internet don't fully work.
> >>
> >> Symptomatically, I see the router redirecting via the GRE tunnel, the 
> >> squid box sees the gre packets (2.6 kernel), but ifconfig does not 
> >> show the GRE interface counters incrementing, and the squid service 
> >> run in debug mode shows no transactions. Something is wrong with 
> >> either my iptables rules or my GRE tunnel setup. I don't think it is 
> >> the GRE tunnel because I set it up the same exact way as I did the 
> >> non-tproxy squid boxes that I have in the same setup which are working.
> >>
> >> Any help would be appreciated. I can provide my rule setup, etc. if 
> >> needed. My knowledge and direct interaction is limited with iptables, 
> >> which is one more reason why I think the problem is there. BTW - my 
> >> system log does show the tproxy module loading.
> >>
> >> Nick
> >>
> >


RE: [squid-users] Odd purging problem

2008-09-19 Thread Ritter, Nicholas
 
I have noticed when doing much the same thing as you with GETs and
PURGEs to the cache with squidclient that sometimes the log will show a
PURGE, but squidclient returns an error that the URL was not in the
cache. Even when I do a GET, see it in the log, do another GET to see
the TCP_HIT to confirm it is in the cache, and a PURGE, I get a MISS
error (which I assume means it tried to purge the object but couldn't
find it in the cache).

I am doing scheduled GETs and PURGEs but only a small number of them, and
I am using SQUID2/HEAD.

I just noticed this behavior yesterday.

Nick



-Original Message-
From: Nicole [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 19, 2008 2:11 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Odd purging problem



 Hello all

 Some time ago I had mentioned a problem I was having doing purges on
squid.
 Sometimes the purge will happen, but the tool will complain it never
got a reply from a particular server. Other times, it complains and no
purge happened either.


 We wrote a small perl tool to contact our squid array and say "delete
these URLs." Everything was fine until we switched some to squid3 and
now even with squid 2.7. (2.6 always works)



 The coders feel certain the problem is with squid. When we do a purge,
one by one, they always work. When we do a mass purge, we send the
deletes through, one url at a time, to each server, then come back
around again to delete the next url. It seems to be a problem more when
we have to send a quantity of deletes over several. 

 I am curious if perhaps in the newer versions of squid, purges have
been given a lower priority, thus they might take a longer time to reply
and accept new ones after one has been requested? 


 Anyone have any thoughts on this?



 Thanks!

   Nicole









[squid-users] refresh_pattern questions

2008-08-13 Thread Ritter, Nicholas
Can someone answer these questions for me? I have read some conflicting
information.

1) Does the refresh_pattern work when squid is in transparent mode?

2) Is there a way to know when a refresh_pattern is being matched other
than noticing it in the log when the URL pattern is seen and squid
reacts?



[squid-users] header_replace question

2008-08-12 Thread Ritter, Nicholas
When using either Squid 2.6STABLE (latest) or Squid3HEAD, will the
following work?

acl myjar_cache_ctl urlpath_regex -i .(jar)
header_access Cache-Control deny all
header_replace Cache-Control public, s-maxage=14400, max-age=14400



This is for overriding the cache-control settings for an
internal/private Java JRE app where the client downloads the jar files
from the server and runs them. I want to do this because the client-side
Java JRE is sending a cache-control no-cache setting, and my server was
also doing this. I have already set my server to the
public/max-age, but the client still sends a no-cache directive.

Nick


[squid-users] Squid 3Head steps with TProxy

2008-08-07 Thread Ritter, Nicholas
Listed below are the beginnings of the steps I have. They are not complete;
I left out some steps which I will add and repost. Please let me know if
you have questions/troubles with the steps. I have not fully checked the
steps for clarity and accuracy...but I eventually will.

These steps are for setting squid3HEAD with TProxy, IP spoofing and
Cisco WCCP. This is not a bridging setup. 

Also, there is a patch for squid that I have applied which I have not
noted in the steps, but I want to talk to them about its commit status
before putting it in the steps.

Nick


1) Install CentOS 5.2
a.) be sure not to install squid via the OS installer
b.) install the development libraries and tools, as well as the
legacy software development
2) Once the install completes and you have booted into the OS, run: yum
update  (and apply all updates.)
3) Once the yum command completes, reboot
4) Download iptables-1.4.0 from netfilter.org. Be sure NOT to download a
later version of iptables 1.4 (such as 1.4.1 or 1.4.1.1)
5) Download kernel 2.6.25.11 from a kernel mirror
6) Download squid3HEAD (squid 3.1 source code).
7) Download the tproxy patch for iptables from Balabit. Be sure to get the
correct patch, which should be:
tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
a.) note that so long as the tproxy-iptables-1.4.0 part of the
patch name is the same as the iptables version, it is the correct patch.
8) Download the tproxy patch for the kernel from Balabit. Be sure to get the
correct patch, which should be:
tproxy-kernel-2.6.25-20080519-165031-1211208631
a.) note that so long as the tproxy-kernel-2.6.25 part of the
patch name is the same as the kernel, it is the correct patch.
b.) decompress the archive, which will create a directory with
the patches in it.
9) decompress the kernel source to /usr/src/linux-2.6.25
10) ln -s /usr/src/linux-2.6.25 /usr/src/linux
11) cd /usr/src/linux
12) patch the kernel source with the tproxy patches as stated in the
README; it should be something like:
cat /00*.patch | patch -p1
13) configure the kernel, enabling the tproxy support as noted in the
TProxy README.
14) compile, install, and reboot into the new kernel
15) Next, patch, configure, compile and install iptables. This is done
with the thought in mind to correctly overwrite the existing iptables
setup so that the current service init script that ships with CentOS 5.2
can be used. To do this, decompress the iptables 1.4.0 source code, and
cd to that directory. Then follow the steps noted:
a.) Patch the iptables source with the TProxy patch as noted in
the TProxy README:
cat /00*.patch | patch -p1
b.) then run the following config line to configure the Makefile
for iptables:
make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux
c.) check that TPROXY was built: ls extensions/libxt_TPROXY*
d.) then install:
make BINDDIR=/sbin LIBDIR=/lib64 KERNEL_DIR=/usr/src/linux install

16) Next check the iptables version to make sure it installed properly in
the right path:
a) "iptables -v" should show:

iptables v1.4.0: no command specified
Try `iptables -h' or 'iptables --help' for more information.

If it doesn't show this, but v1.3.5 instead, then I wrote
step 15 above from memory incorrectly, and the paths need to be
adjusted.

17) Do a "service iptables status" and see if iptables is running,
stopped, or has a "RH-Firewall-1-INPUT" chain. If it is stopped
altogether, do a "service iptables start" and make sure that it starts
and stays running.

18) Issue the following iptables commands to enable TPROXY functionality in
the running iptables instance:

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128

Note: if any of the above commands fails, there is something wrong with
the iptables update to 1.4.0 and/or the tproxy module status in iptables 1.4.0.
Keep in mind that the commands are sensitive to case, spacing, and
hyphenation.

19) WCCP-related iptables rules need to be created next...this and
further steps are only needed if L4 WCCPv2 is used with a router, and
not L2 WCCP with a switch.

iptables -A INPUT -i gre0 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT

20) For the WCCP UDP traffic that is not in a GRE tunnel:

-A RH-Firewall-1-INPUT -s 10.48.33.2/32 -p udp -m udp --dport 2048 -j ACCEPT

NOTE: with steps 17 through 19, you may find that you have no firewall
rules at all. In this case you will need to create an input chain to add
some of the rules to. I created a chain called "LocalFW" and added the
rule in step 20 to that chain. The rul
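An added check, my own script and not part of the post above, for the step 18 rule set: it reads `iptables-save -t mangle` text and verifies that the DIVERT chain exists and MARKs before it ACCEPTs, that the `-m socket -j DIVERT` rule comes before the TPROXY rule in PREROUTING, and that the TPROXY rule carries `--on-port` and `--tproxy-mark`. The two listings embedded below are constructed samples (the mark mask and the Squid port in them are illustrative, since the post's own listing is truncated), and the `--live` switch is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: verify the mangle-table
# layout that the step 18 commands should leave behind. Reads the text of
# `iptables-save -t mangle` on stdin; exits 0 when the layout is usable,
# 1 otherwise, printing each reason found.
check_tproxy_mangle() {
    awk '
        /^:DIVERT /                                                { chain = 1 }
        /^-A DIVERT / && /-j MARK/   && !markln                    { markln = NR }
        /^-A DIVERT / && /-j ACCEPT/ && !accln                     { accln = NR }
        /^-A PREROUTING / && /-m socket/ && /-j DIVERT/ && !sockln { sockln = NR }
        /^-A PREROUTING / && /-j TPROXY/ && !tpln {
            tpln = NR
            if ($0 !~ /--on-port [0-9]+/) noport = 1
            if ($0 !~ /--tproxy-mark/)    nomark = 1
        }
        END {
            ok = 1
            if (!chain)  { print "no DIVERT chain in the mangle table"; ok = 0 }
            if (!markln || !accln || markln > accln) {
                print "DIVERT chain must MARK first and then ACCEPT"; ok = 0 }
            if (!sockln) { print "no \"-m socket -j DIVERT\" rule in PREROUTING"; ok = 0 }
            if (!tpln)   { print "no TPROXY rule in PREROUTING"; ok = 0 }
            if (sockln && tpln && sockln > tpln) {
                print "socket/DIVERT rule must come before the TPROXY rule"; ok = 0 }
            if (tpln && noport) { print "TPROXY rule lacks --on-port <squid port>"; ok = 0 }
            if (tpln && nomark) { print "TPROXY rule lacks --tproxy-mark"; ok = 0 }
            if (!ok) exit 1
        }'
}

# Constructed sample: the layout the step 18 commands produce (mask and
# port values are illustrative).
GOOD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-mark 0x1
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample of a mis-ordered table: the documented order puts the
# socket match first so established connections are diverted without going
# through TPROXY again; here the two PREROUTING rules are swapped.
BAD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark 0x1
-A DIVERT -j ACCEPT
COMMIT'

if [ "${1:-}" = "--live" ]; then
    # Check the running box (iptables-save needs root).
    iptables-save -t mangle | check_tproxy_mangle
else
    echo "good sample:"; printf '%s\n' "$GOOD_MANGLE" | check_tproxy_mangle && echo "  ok"
    echo "bad sample:";  printf '%s\n' "$BAD_MANGLE"  | check_tproxy_mangle || echo "  rejected"
fi
```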

RE: [squid-users] Problems displaying images on specific website

2008-08-04 Thread Ritter, Nicholas
I am guilty of the same...

I suggested to Jeff that the cache.log be checked again after a second
fetch for the same objects from the client to see if the code changes
from TCP_MISS to IMS_HIT, TCP_HIT, or REFRESH, etc. Also to check the
store.log to see if the objects are being stored and/or immediately
removed from the cache storage.

One other thing to verify would be object size settings for the cache,
so that you would know if the objects should be stored in the RAM or on
the DISK. I don't think where the data is stored in cache (or not) would
be the cause of the problem though.

Nick


RE: [squid-users] Problems displaying images on specific website

2008-08-04 Thread Ritter, Nicholas
What does the access.log say for each of the graphics image files?

Nick

-Original Message-
From: Jeff Gerard [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2008 11:13 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Problems displaying images on specific website

Hi all,

I am stumped. I was running squid 2.6 stable 13 on Fedora Core 6 and
came across this issue displaying the images on
http://promotions.everydaycelebrations.ca/web/guest/ProgramHome
The images simply do not display. They are replaced with placeholders
in both IE7 and Firefox 3. I thought maybe my old squid release needed
upgrading so I upgraded to 3 stable 8.

This has not solved the problem displaying images. I am doing
transparent proxy and have also tested with explicit proxy. If I bypass
squid completely, the images display fine. I have also confirmed this to
occur on a completely different network/squid install (fedora core 2
with an old squid 2.x release) with the exact same results. I have also
confirmed that I do not have any firewall rules blocking access to the
URL's IP.

I am wondering if it is just me or if there is maybe something with this
particular site that squid does not like??

Thanks in advance

---
Jeff Gerard



RE: [squid-users] linux + tproxy

2008-08-04 Thread Ritter, Nicholas
 
Of course...I was planning on that...don't know why I had not done that
yet...I will check the steps for clarity and send them off to you.

Nick


-Original Message-
From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 04, 2008 10:28 AM
To: Ritter, Nicholas
Cc: Abdock; squid-users@squid-cache.org
Subject: Re: [squid-users] linux + tproxy

Ritter, Nicholas wrote:
>  
> Abdock,
> 
> I can give you some instructions I wrote up for Squid 3HEAD, TProxy, 
> on CentOS 5.2 if you would like.
> 
> Nick
> 

Can we have them for the squid wiki at the very least anyway?

Amos

> 
> -Original Message-
> From: Abdock [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 02, 2008 10:22 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] linux + tproxy
> 
> Hello Squid users,
> 
> 
> Last time I just replied on a post, that must have created a problem 
> with people using threads. Sorry did not know that.
> 
> 
> I want to test squid with tproxy, I have centos 5, but am lost on 
> kernel patching on tproxy.
>  
> 
> Can somebody help or point me to a site which has a little how-to so I
> can deploy squid + tproxy + transparent. All I need is some refresh on
> how to patch the kernel for tproxy to work.
> 
>  
> 
> Many thanks.
> 
>  
> 
> 


--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8



RE: [squid-users] linux + tproxy

2008-08-04 Thread Ritter, Nicholas
 
Abdock,

I can give you some instructions I wrote up for Squid 3HEAD, TProxy, on
CentOS 5.2 if you would like.

Nick


-Original Message-
From: Abdock [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 02, 2008 10:22 AM
To: squid-users@squid-cache.org
Subject: [squid-users] linux + tproxy

Hello Squid users,


Last time I just replied on a post, that must have created a problem with
people using threads. Sorry did not know that.


I want to test squid with tproxy, I have centos 5, but am lost on kernel
patching on tproxy.
 

Can somebody help or point me to a site which has a little how-to so I
can deploy squid + tproxy + transparent. All I need is some refresh on
how to patch the kernel for tproxy to work.

 

Many thanks.

 




RE: [squid-users] refresh_pattern question

2008-07-29 Thread Ritter, Nicholas
Thanks Chris for the information you provided. 

The application I am messing with is still not caching the jar
files though. I get TCP_MISS/200 messages now. I think it is because the
server is providing expiry information as you stated; this is the only
way I can see it behaving in the manner depicted.

Although I can't believe I am asking this, is there a way to selectively
ignore server expiry information?

Nick



[squid-users] refresh_pattern question

2008-07-28 Thread Ritter, Nicholas
Hey all,

Can someone correct me if I am wrong: would the following
refresh_pattern catch all java jar files and cache them no matter what?

refresh_pattern -i \.jar$   480 20% 4320 ignore-no-cache


I keep getting "TCP_MISS/304 259 GET" access.log entries, and I am not
sure why. I checked my cache limits to make sure that I had the cache
configured to store something that was that size. My min is set to 0 and
my max is set to 4096 in memory and 300MB on disk.

This is the Squid 3 HEAD branch, but had the same problem on squid 2.6.
At that point it was my assumption that I had the regex wrong.

Nick


RE: [squid-users] Squid 3HEAD w/ tproxy : invalid headers clienterror

2008-07-23 Thread Ritter, Nicholas

 No errors in squid cache.log, nor in the access.log...but the error has
since gone away and not come back, sorry about that. If it comes back
up I will post a comment to squid-devel?

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 22, 2008 4:41 PM
To: Ritter, Nicholas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Squid 3HEAD w/ tproxy : invalid headers
clienterror

On tis, 2008-07-22 at 14:27 -0500, Ritter, Nicholas wrote:
> I am not sure if it is site or application centric, but I have some HTTP 
> driven applications failing due to an error that the HTTP server sent 
> invalid reply headers.

> So far the only application giving
> this error is apt-get on ubuntu. I don't know how to begin 
> troubleshooting this, but does anyone have suggestions on 
> troubleshooting it, or fixing it?

Is there anything said in cache.log?

Regards
Henrik


[squid-users] Squid 3HEAD w/ tproxy : invalid headers client error

2008-07-22 Thread Ritter, Nicholas
I am not sure if it is site or application centric, but I have some HTTP
driven applications failing due to an error that the HTTP server sent
invalid reply headers.
 
I am running squid-3.HEAD-20080721 and I have not changed any of the
settings in squid.conf with the exception of those mentioned in the
QUICKSTART, and WCCP-related items. So far the only application giving
this error is apt-get on ubuntu. I don't know how to begin
troubleshooting this, but does anyone have suggestions on troubleshooting
it, or fixing it?
 
I can visit web sites like CNN just fine. 
 
I didn't want to post the whole squid.conf unless someone wants me to
because it really is the default config for squid-3.HEAD-20080721.
 
I have what so far is a working Squid3HEAD setup with TProxy and WCCP on
CentOS 5.2 x86_64.
 
Nick


[squid-users] this cttproxy error seen by anyone?

2008-07-17 Thread Ritter, Nicholas
Has anyone on the list seen this cttproxy error in squid's cache.log
before? I am trying to figure out if I should be concerned about the
error.
 
2008/07/16 15:21:20| tproxy ip=10.48.1.3,0x301300a,port=0 ERROR ASSIGN

 
10.48.1.3 is the IP of a client behind the squid box. The setup is a
CentOS 5.2 x86_64 box with WCCP redirection from a cisco router and
cttproxy with Squid 2.6stable21. I used the wiki article on
squid-cache.org as a setup reference. The setup is working, but I don't
have a real client load on this box yet.
 
BTW - I will have a detailed HOWTO ready once I complete the
load/stability testing.
 
 
Here are some details of the software and setup:
 
software versions:
 
CentOS 5.2 x86_64 linux distribution
squid-2.6.STABLE21
cttproxy-2.6.18-2.0.6
vanilla 2.6.18 kernel, custom compiled (I did choose the NAT
reservations support in addition to the other TProxy options.)
iptables-1.3.5-4 source rpm, patched and built via rpmbuild with the
cttproxy diff added to the spec file
 
squid build options:
CHOST="x86_64-pc-linux-gnu" \
CFLAGS="-DNUMTHREADS=60 \
-O3 \
-pipe \
-funroll-loops \
-ffast-math \
-fno-exceptions" \
./configure \
--prefix=/usr/local/squidapp \
--exec-prefix=/usr/local/squidapp \
--enable-async-io \
--enable-icmp \
--enable-snmp \
--enable-cache-digests \
--enable-useragent-log \
--enable-storeio="aufs" \
--enable-follow-x-forwarded-for \
--enable-removal-policies="heap,lru" \
--with-maxfd=16384 \
--enable-poll \
--disable-ident-lookups \
--enable-delay-pools \
--enable-linux-netfilter \
--enable-linux-tproxy 
 
Other patches that came with the iptables rpm that were applied to the
IPTables source:
Patch2: iptables-1.2.8-nolibnsl.patch
Patch4: iptables-1.2.9-netlink.patch
Patch5: iptables-1.3.0-selinux.patch
Patch6: iptables-1.2.10-counters.patch
Patch8: iptables-1.3.0-cleanup.patch
Patch9: iptables-1.3.0-autoload.patch
Patch10: iptables-1.3.0-no_root.patch
Patch11: iptables-1.3.5-dscp_max.patch
Patch12: iptables-1.3.5-headers.patch
 
 
Squid deployment is using the setup as detailed on the squid wiki at:
http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY
 
This squid deployment is using WCCP v2 with a Cisco router, and two
squid services as itemized in the wiki article, where one wccp service
is bound to the inbound traffic, and one to the outbound traffic like
this:
 
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80


RE: [squid-users] wccp and Cisco router identifier

2008-07-14 Thread Ritter, Nicholas
 You can't set this in the router that I am aware of. I had the same issue.

-Original Message-
From: Clemente Aguiar [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 14, 2008 11:01 AM
To: squid-users@squid-cache.org
Subject: [squid-users] wccp and Cisco router identifier

I am in the process of installing a "transparent" squid cache using wccp using 
a Cisco Router C2600 (IOS Version 12.2(46a))

Everything is working fine except there is something that I don't know how to 
change.

The Cisco router identifier is the address that is used for GRE on the router. 
Our router has two FastEthernet interfaces, each configured with an IP, and 
the router chose one of the IPs at random as the Cisco router identifier. How 
can that be changed? (i.e. how can I force the Cisco router identifier to be a 
specific IP) 

I searched in this list and somebody said to use a loopback interface on the 
Cisco, that it would be much more predictable as the wccpv2 routerid is then 
always the loopback id.
How is this done?


Clemente




[squid-users] other questions re: pattern-matching

2008-06-17 Thread Ritter, Nicholas
I assume I can specify multiple options for a specific regex
pattern...such as  ignore-no-cache and ignore-refresh? And that it is
space delimited, or how is it delimited?

Also, does the regex match against any part of the URL, or do I have to
specify the whole URL? I had assumed the regex matches any part of the
URL...but my regex is matching.

Nick


[squid-users] regex wildcard for refresh_pattern

2008-06-17 Thread Ritter, Nicholas
Is the regex wildcard for refresh_pattern a '.*' or just a '.'?

I want to apply a pattern match to some specific jar files that fit a
pattern of 'name.jar-serialnumber.zip'


Would the correct pattern match then be 'refresh_pattern -i name.jar.*'?

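An added illustration, not from any of the list posts, of how the patterns asked about in the refresh_pattern posts (and the `.(jar)` acl in the header_replace post above) select URLs: Squid compiles regex ACLs and refresh_pattern with POSIX regex and matches anywhere in the URL unless the pattern is anchored with `^` or `$`, and `grep -E` stands in for that behaviour here. The sample URLs are constructed.

```shell
#!/bin/sh
# Added example, not from the list posts: Squid-style regex matching of
# URLs. `grep -E` is the stand-in for Squid's POSIX regex; -i mirrors the
# -i option of refresh_pattern / urlpath_regex.

# squid_match PATTERN URL [-i]  ->  exit status 0 when PATTERN matches URL.
squid_match() {
    if [ "${3:-}" = "-i" ]; then
        printf '%s\n' "$2" | grep -E -q -i -e "$1"
    else
        printf '%s\n' "$2" | grep -E -q -e "$1"
    fi
}

# Constructed sample URLs; the patterns below are the ones asked about.
URL_JAR='http://intranet.example/app/name.jar'
URL_SERIAL='http://intranet.example/app/name.jar-1234.zip'
URL_TYPO='http://intranet.example/app/namexjar-1234.zip'
URL_QUERY='http://intranet.example/app/other.jar?v=2'
URL_UPPER='http://intranet.example/app/NAME.JAR-77.ZIP'
URL_JARGON='http://www.example/jargon/index.html'

# show PATTERN [-i]: print which sample URLs the pattern selects.
show() {
    echo "pattern '$1' ${2:-}"
    for u in "$URL_JAR" "$URL_SERIAL" "$URL_TYPO" "$URL_QUERY" "$URL_UPPER" "$URL_JARGON"; do
        if squid_match "$1" "$u" "${2:-}"; then
            echo "  match  $u"
        else
            echo "  no     $u"
        fi
    done
}

# refresh_pattern -i \.jar$ : only URLs that END in ".jar", so the
# name.jar-1234.zip bundle and other.jar?v=2 (query string) are not caught.
show '\.jar$' -i
# name.jar.* : the unescaped '.' is a one-character wildcard, so namexjar
# matches too; without -i the upper-case URL is missed.
show 'name.jar.*'
# Escaped dot, explicit serial number, anchored at the end of the URL.
show 'name\.jar-[0-9]+\.zip$' -i
# acl urlpath_regex -i .(jar) : any URL containing "jar", even /jargon/.
show '.(jar)' -i
```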

[squid-users] squid 3 HEAD make error

2008-06-10 Thread Ritter, Nicholas
I get the following error when doing a make of squid-3.HEAD-020080609 on Fedora 
9. The odd thing is that the error doesn't happen with each build attempt, just 
95% of the build attempts. I tried removing various CFLAG options but with 
no luck. I have also included my configure directives. Any ideas on how to fix 
this?


Configure command:

# squid compile options
#
CHOST="x86_64-pc-linux-gnu" \
CFLAGS="-DNUMTHREADS=65 \
-march=nocona" \
./configure \
--enable-async-io \
--enable-icmp \
--enable-useragent-log \
--enable-snmp \
--enable-cache-digests \
--enable-follow-x-forwarded-for \
--enable-storeio="aufs" \
--enable-removal-policies="heap,lru" \
--with-maxfd=16384 \
--enable-poll \
--disable-ident-lookups \
--enable-linux-trpoxy4 \
--enable-auth="basic,digest" \
--enable-zph-qos \
--enable-ssl \


Error output: 

if g++ -DHAVE_CONFIG_H 
-DDEFAULT_CONFIG_FILE=\"/opt/squid/etc/squid.conf\" -I. -I. -I../include -I. 
-I. -I../include -I../include -I../lib/libTrie/include -I../lib -I../lib   
-I/usr/include/libxml2  -Werror -Wall -Wpointer-arith -Wwrite-strings 
-Wcomments  -D_REENTRANT -g -O2 -MT client_side_reply.o -MD -MP -MF 
"$depbase.Tpo" -c -o client_side_reply.o client_side_reply.cc; \
then mv -f "$depbase.Tpo" "$depbase.Po"; else rm -f "$depbase.Tpo"; 
exit 1; fi
cc1plus: warnings being treated as errors
client_side_reply.cc: In member function ‘void 
clientReplyContext::doGetMoreData()’:
client_side_reply.cc:1575: error: suggest parentheses around && within ||
client_side_reply.cc:1592: error: suggest parentheses around && within ||
make[3]: *** [client_side_reply.o] Error 1
make[3]: Leaving directory `/root/FC9SquidStuff/squid-3.HEAD-20080609/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/root/FC9SquidStuff/squid-3.HEAD-20080609/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/root/FC9SquidStuff/squid-3.HEAD-20080609/src'
make: *** [all-recursive] Error 1


[squid-users] Squid 3 netfilter question

2008-06-10 Thread Ritter, Nicholas
Where does Squid 3 HEAD look for the netfilter and tproxy kernel header
files? 

I am running Fedora 9 and the squid configure keeps erroring on the
linux netfilter step. I manually copied headers to /usr/include but it
still errors. I took the iptables src rpm and rebuilt it with the tproxy
patch, and I have the devel rpms installed, but still no luck.





[squid-users] RE: performances ... again

2008-06-05 Thread Ritter, Nicholas

 I had a problem similar to this at another job site a couple of years ago. 
The clients were windows xp machines, and they were using wpad/pac style 
configuration. The fix was transparent caching.

-Nick


-Original Message-
From: Dean Weimer [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 05, 2008 1:53 PM
To: GARDAIS Ionel; squid-users@squid-cache.org
Subject: [squid-users] Re:[squid-users] performances ... again

How are your browsers configured to use the proxy? Manual, wpad script, 
transparent?
 
Could be a problem with discovering proxy settings.

What about a second page on the same server, i.e. http://some.domain.com then 
http://some.domain.com/nextpage.html?  Could be a DNS response issue, perhaps 
your first server is timing out, and the clients have to wait for the second to 
respond.  If the second page comes up right away, this would be a good 
indicator of that.  As Squid would have cached the DNS lookup from the first 
request.

Most servers are not going to have 12Mb/s of bandwidth; that is a decent chunk. I 
wouldn't expect to see that maxed out all the time, because you are averaging 
under 2Mb/s, which in itself is not cause for concern.  The fact that you are hitting 
it on large downloads means the link is performing well.

I am seeing about 180ms median response time on misses and 5ms median response 
time on hits, 87ms response time on DNS Lookups.  The server is running 2G cpu 
and 1G ram, with an average of 900 req/min.  The server is servicing about 500 
clients connected behind 2 T1 lines.  Both lines are consistently running at 
1.2 to 1.5Mb/s from 7am to 6pm when most users are at work.  Disk cache is 
8gigs on the same disk as system, which is actually a hardware mirrored ultra 
160 10K SCSI disks, (Not ideal, as I have learned a lot more since I first 
built this system), but the performance is excellent, so I haven't found cause 
to change it.  The server is running FreeBSD 5.4, squid the cache and logs are 
installed on their own mount point using ufs file system, Mount point is on a 
single Disk slice encompassing entire hard drive, and to top that off, the file 
system runs about 90% of capacity, yet another no no.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

-Original Message-
From: GARDAIS Ionel [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 05, 2008 12:11 PM
To: chris brain; squid-users@squid-cache.org
Subject: [squid-users] RE : [squid-users] Re:[squid-users] performances ... 
again

Hi Chris,

The internet link is not congested.
As I wrote, we use less than 2Mb/s of the 12Mb/s we can reach (but yes, upload 
seems to be limited to 512Kb/s (somewhere around the maximum of the line), this 
might be a bottleneck).
When downloading large files (from ten to hundreds of megabytes), the whole 
12Mb are used (showing a 1100KB/s download speed).

After rereading my post, I saw that I did not finish a line :
"[...] cache-misses median service times are around 200ms and cache-hits are 
around 3ms" but we often see a 10-second lag for browser to start loading the 
page.

Ionel


-Message d'origine-
De : chris brain [mailto:[EMAIL PROTECTED]
Envoyé : jeudi 5 juin 2008 18:34
À : squid-users@squid-cache.org
Objet : [squid-users] Re:[squid-users] performances ... again

Hi Ionel,

Your performance doesn't look that bad. Our stats roughly work out to be :

1000+ users
NTLM auth
Average HTTP requests per minute since start:   2990.8
with max 30% hits. (so your hits look comparable to us.) Our cache miss service 
time averages to about 160ms and cache hits service time about 10ms running IBM 
blade P4 3G cpu 1Gb ram. mirrored drive.

Our links can get quite congested and we don't get complaints about the 
performance.

Are you having internet link performance issues?? Are you monitoring it
(snmp/netflow)?

chris 







[squid-users] ignoring a no_cache directive

2008-06-02 Thread Ritter, Nicholas
Is there a way to tell squid 2.6 (selective to URL or not) to ignore the
"Cache-Control: no-cache" directive?

Nick


[squid-users] Tproxy iptables rules issue

2008-05-30 Thread Ritter, Nicholas
What exactly do the redirection rules for wccp/iptables 1.4/squid
2.6/tproxy look like? I have browsed the Internet plus messed with it
for a while now and found that the README rules don't fully work, and
the examples on the Internet don't fully work.
 
Symptomatically, I see the router redirecting via the GRE tunnel, the
squid box sees the gre packets (2.6 kernel), but ifconfig does not show
the GRE interface counters incrementing, and the squid service run in
debug mode shows no transactions. Something is wrong with either my
iptables rules or my GRE tunnel setup. I don't think it is the GRE
tunnel because I set it up the same exact way as I did the non-tproxy
squid boxes that I have in the same setup which are working.
 
Any help would be appreciated. I can provide my rule setup, etc. if
needed. My knowledge and direct interaction is limited with iptables,
which is one more reason why I think the problem is there. BTW - my
system log does show the tproxy module loading.
 
Nick


RE: [squid-users] squid 2.6, wccp and tproxy

2008-05-29 Thread Ritter, Nicholas
 
That is interesting to note, and part of where my problem lies. Given
the way the files are marked on the balabit site, I would not have known
of the support versions and differences. I just downloaded the patches
for the versions of squid, iptables, and kernel I was using.

During the setup of the software, so far anyway, I have not seen ways to
specify the version of Tproxy, etc. The initial tproxy README file I was
using must have been an older version because it didn't use the
difference in iptables table names that the newer README mentions, and
that someone was gracious enough to point out to me on the TPROXY
listserv.

Once I get Tproxy working, I would love to contribute docs to the squid
project.

On the Tproxy enabled system I have now, which is the same unit as my
working WCCP/Squid 2.6 boxes now, WCCP does not seem to be redirecting
traffic to the squid box. I am sure it is something I have done wrong,
and will figure out, but I wanted to be sure the end result was possible
before spending more time on the project.

I am currently using the following for my TPROXY setup:

CentOS 5.1 x86_64
Squid 2.6 STABLE 18 (custom compiled)
iptables 1.4.0 (custom compiled)
kernel 2.6.25.4 (custom compiled)
tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2
tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch


BTW - to Henrik, I was aware of a websense piece that ran on a
linux/windows based Squid box running squid 2.5. The issues I currently
have with that are:

1) Is the squid agent free to enterprise users? (I posed this question
to our sales rep)
2) Does it support Squid 2.6, or only 2.5?
3) Does it truly change the reporting such that original client IPs can
be seen, or does it just fetch enforcement policies?



-Original Message-
From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 29, 2008 7:12 AM
To: Ritter, Nicholas
Cc: Adrian Chadd; squid-users@squid-cache.org
Subject: Re: [squid-users] squid 2.6, wccp and tproxy

Ritter, Nicholas wrote:
> In websense the client IP addresses that show up are those of the
squid boxes I have deployed. Websense does not utilize, as far as I
know, the x-forwarded-for header.
> 
> The doc on squid-cache.org about how to setup TPROXY with squid is a
bit out of date because the latest version of tproxy uses the mangle
table and not a tproxy table.
> 

The docs as far as we know are correct for all current releases of
Squid.
Unpatched Squid up to 3.1 still require TPROXY v2.2, so far only
3-HEAD/3.1 has proper integrated support for TPROXY v4+

If you have any updates for the wiki regarding the TPROXYv4 configs for
when 3.1 is released, please point out the variations.

Amos

> Nick
> 
> 
> -Original Message-
> From: Adrian Chadd [mailto:[EMAIL PROTECTED]
> Sent: Wed 5/28/2008 4:52 PM
> To: Ritter, Nicholas
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] squid 2.6, wccp and tproxy
>  
> On Wed, May 28, 2008, Ritter, Nicholas wrote:
>> Can tproxy, squid 2.6, and wccp be used together?
> 
> Yes.
> 
>> I want to work around the hiding of the original client ip because it
>> is breaking websense. Any suggestions/comments?
> 
> What do you mean?
> 
> 
>> Nick
> 


--
Please use Squid 2.7.STABLE1 or 3.0.STABLE6



RE: [squid-users] squid 2.6, wccp and tproxy

2008-05-28 Thread Ritter, Nicholas
In websense the client IP addresses that show up are those of the squid boxes I 
have deployed. Websense does not utilize, as far as I know, the x-forwarded-for 
header.

The doc on squid-cache.org about how to setup TPROXY with squid is a bit out of 
date because the latest version of tproxy uses the mangle table and not a 
tproxy table.

Nick


-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Wed 5/28/2008 4:52 PM
To: Ritter, Nicholas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid 2.6, wccp and tproxy
 
On Wed, May 28, 2008, Ritter, Nicholas wrote:
> Can tproxy, squid 2.6, and wccp be used together?

Yes.

> I want to work around the hiding of the original client ip because it is
> breaking websense. Any suggestions/comments?

What do you mean?


> 
> Nick

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -




[squid-users] squid 2.6, wccp and tproxy

2008-05-28 Thread Ritter, Nicholas
Can tproxy, squid 2.6, and wccp be used together?

I want to work around the hiding of the original client ip because it is
breaking websense. Any suggestions/comments?

Nick


[squid-users] squid monitoring question

2008-04-29 Thread Ritter, Nicholas
Is there a way to report on the contents of the cache which are specific
to a given URL? I want to be able to build reports of specific sites and
how squid and its cache are interacting with the specific site(s). I
want to know what parts of the site are being cached and what aren't. 

In this situation, the sites are all internal sites.

Nick


[squid-users] squid 2.6 and patchlink

2008-04-09 Thread Ritter, Nicholas
Has anyone had issues with PatchLink agents and Squid 2.6?

Nicholas


[squid-users] adjacency issues with Cisco devices and WCCP

2008-03-24 Thread Ritter, Nicholas
I am having an adjacency issue with Cisco devices, WCCP v2 and
Linux-based squid 2.6.

I am running a CentOS 5.1 box with the packaged Squid that comes with
the distribution. If I have a router redirecting to the squid box, and
the squid box has a GRE tunnel setup to point to the "show ip wccp"
advertised IP, the whole setup does not work. The moment I make the
squid box layer2/layer3 adjacent to the "show ip wccp" advertised IP the
whole setup works fine.

I am allowing all GRE traffic, so I know it is not a firewalling issue,
but I do notice that the linux box is not using the GRE tunnel because
ifconfig shows no increase in packet counts.

The commands I am using are as follows, and this is for WCCP/Transparent
caching:

**Note: the local ip of the squid box is 10.2.2.31, and 192.168.1.1 is
the IP of the WCCP router. 192.168.1.1 is a Cat6506/Sup720, and
192.168.1.1 is a router link on that switch, 10.2.2.0/24 is a vlan with
a router link on it, all on the same switch.

/sbin/ip tunnel add gre0 mode gre remote 192.168.1.1 local 10.2.2.31 dev eth0
/sbin/ip addr add 10.2.2.31/32 dev gre0
/bin/echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
/sbin/ip link set gre0 up
/sbin/service squid start


The WCCP router does not register the squid cache as being there, but a
"debug ip wccp" shows the two talking to each other. This issue, in
general, has been a problem on multiple IOS versions, but I think it may
be something wrong with the gre tunnel setup on the Linux box.

Anyone have ideas as to what I may be doing wrong?

Nick


[squid-users] Squid 2.6 with Citrix and MS outlook web access

2008-03-19 Thread Ritter, Nicholas
Are there specific items that need to be in the squid configuration to
make it work with Citrix and (separately) MS Outlook Web Access?
 
Nicholas


[squid-users] wccp v2 and cisco working info

2008-02-26 Thread Ritter, Nicholas
I have completed testing of our squid implementation...here is the Cisco
information for the wiki. Unless someone objects, I would like to submit
a detailed howto to squid-cache.org for CentOS 5.1 deployment. This
solution is working VERY well.

Special thanks to all of those on this list who gave some of their time
and knowledge to helping me out.


Platform: CentOS 5.1 x86_64
Squid version: CentOS packaged 2.6stable6-5.el5_1.2

Router info:

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version
12.4(15)T3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 24-Jan-08 15:26 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T5, RELEASE SOFTWARE (fc1)


wccp-test-rtr-1#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   10.80.33.1
Protocol Version:2.0

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected:60
  Process:   0
  Fast:  0
  CEF:   60
Service mode:Open
Service access-list: -none-
Total Packets Dropped Closed:0
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0


RE: [squid-users] problem with wccp v2 and cisco

2008-02-25 Thread Ritter, Nicholas
 
Regarding the gre tunnel, does the IP address on the gre0 interface
have to be unique, or can it be the same address, or a dot1q trunked
address? I was hoping to use one physical network interface to do the
GRE tunnel and the squid daemon. This would require subinterfaces and
dot1q trunking/vlan tagging on both the router and the squid box if I am
to use unique IP addresses, much less IP addresses on different IP
subnets.

Nick


RE: [squid-users] problem with wccp v2 and cisco

2008-02-23 Thread Ritter, Nicholas
I am running a Cisco 2811 with 12.4(15)T3 Advanced Security IOS. 

The squid server is a custom built box with the following specs:

Intel Core 2 Duo 2.2GHz
800MHz FSB
4GB RAM
250GB SATAII storage

The squid server is intended to provide target caching of specific
sites internally and servicing a 10/100 switched ethernet LAN with
about 30 to 50 computers on it. Topologically the LAN is connected via a
fractional T1, with the 2811 router serving as the gateway router which
has a 4 port Etherswitch WIC installed. The LAN is plugged into
FastEthernet 0/0.1 and the squid server is attached to one of the ports
on the 4 port etherswitch card in the router. The LAN on FastEthernet
0/0.1 is a CIDR /23, and the subnet on the 4 port etherswitch card is a
CIDR /24. Both subnets are in the same CIDR /16.

I have confirmed so far that:

1) Redirection to 3128 from 80 from a client in the /23 is working fine.
This was tested via pointing the browser settings to the squid server
IP, but on port 80. This was done only after I did the same test on
3128.

2) I am seeing traffic come down the GRE tunnel to the squid server (via
ifconfig on the squid server), and I am seeing the packets being
redirected as noted on the router via 'sh ip wccp'

3) The squid server does not even see the stuff coming in when
redirected via the router. When I shutoff iptables and run tcpdump, I
see the traffic redirected from the router, but running tcpdump with
iptables enabled does not show the traffic.

I am doing the redirection via an 'ip wccp web-cache redirect in'
interface statement on the FastEthernet0/0.1 interface, although applying
the same rule to other interfaces and directions has not changed the
outcome.

I have come to find that many of the transparent squid proxy guides on
the Internet are either out of date or simply missing steps.

Doesn't iptables need an additional masquerade or mangle rule(s)? Because
of what I have seen so far, I now think the problem is with iptables.


-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 22, 2008 6:35 PM
To: Ritter, Nicholas
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] problem with wccp v2 and cisco

On Fri, Feb 22, 2008, Ritter, Nicholas wrote:
> Adrian-
> 
> Thanks for the info.
> 
> Question is, if I am listening with squid on port 80, do I still need 
> to run iptables? I thought iptables was only needed to do redirect 
> from port 80 to 3128 if squid was not or could not be run on port 80.

No. The traffic being redirected via WCCPv2 just rewrites the next hop
in the forwarding path; making it go down a GRE tunnel or rewriting the
destination MAC address.

The packet arriving at your cache still has the original
source/destination.
iptables/etc is needed to redirect packets destined for ANYHOST:80 to
LOCALHOST:3128 .

> Does anyone happen to know which Cisco IOS versions work with WCCP v2 and
> squid? I find people saying it is buggy and to start with a known 
> working version and work your way up to a needed release, but I can't 
> seem to confirm a known working version.

Whats your hardware?




Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid
Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -



[squid-users] RE: Cisco IOS version as suggested by Cisco TAC

2008-02-22 Thread Ritter, Nicholas
 
Correction, according to testing and Cisco bug toolkit check, 12.4(15)T3
seems to be the better solution.


-Original Message-
From: Ritter, Nicholas 
Sent: Friday, February 22, 2008 12:18 PM
To: 'squid-users@squid-cache.org'
Subject: Cisco IOS version as suggested by Cisco TAC

FYI-
 
Cisco TAC just told me that 12.4(9)T1 and 12.4(11)T3 are the recommended
IOS versions for WCCPv2 redirection/interception.
 
Nick


[squid-users] Cisco IOS version as suggested by Cisco TAC

2008-02-22 Thread Ritter, Nicholas
FYI-
 
Cisco TAC just told me that 12.4(9)T1 and 12.4(11)T3 are the recommended
IOS versions for WCCPv2 redirection/interception.
 
Nick


RE: [squid-users] problem with wccp v2 and cisco

2008-02-22 Thread Ritter, Nicholas
Adrian-

Thanks for the info.

Question is, if I am listening with squid on port 80, do I still need to
run iptables? I thought iptables was only needed to do redirect from
port 80 to 3128 if squid was not or could not be run on port 80.

Does anyone happen to know which Cisco IOS versions work with WCCP v2 and
squid? I find people saying it is buggy and to start with a known
working version and work your way up to a needed release, but I can't
seem to confirm a known working version.

Nick

-Original Message-
From: Adrian Chadd [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 21, 2008 2:32 PM
Subject: Re: [squid-users] problem with wccp v2 and cisco

G'day,

* Yes you still need iptables to redirect packets going to arbitrary
  destinations into Squid running on a port.

* Traffic will only flow over the GRE tunnel one way - from the router
  to the cache.

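Adrian's two replies above (the quoted one in the Feb 23 message and the bullets just above) give the cache-side picture in prose: the router only rewrites the next hop, the packet arrives on the GRE tunnel with its original client source and origin-server destination, and the cache itself must pull ANYHOST:80 into the local Squid port; replies then leave by the normal route, so the tunnel only ever carries traffic one way. The script below is an added example written for this page, not code from the thread or from the Squid project. It generates the Linux-side commands for that setup so they can be reviewed before being applied, in two variants: the nat REDIRECT that fits Nick's Squid 2.6 "http_port 3128 transparent" (origin servers then see the cache's IP, which is the Websense symptom raised in the May thread), and, going beyond what the thread itself configures, the native TPROXY variant that Amos says needs Squid 3.1+ and that preserves the client IP. ROUTER_IP, CACHE_IP, the tunnel name gre1, ports 3128/3129, fwmark 1 and routing table 100 are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates (and optionally applies)
# the Linux cache-side setup for WCCPv2 interception over a GRE tunnel.
#   redirect : nat REDIRECT to 3128 (Squid 2.6 "http_port 3128 transparent");
#              origin servers see the cache's own IP as the client.
#   tproxy   : TPROXY v4 mangle rules + policy routing to 3129 (Squid 3.1+
#              "http_port 3129 tproxy"); the client IP is preserved, so the
#              router must also intercept the return traffic (a second WCCP
#              service group), otherwise replies never come back to the cache.
# Placeholders (assumptions, not values from the thread): ROUTER_IP, CACHE_IP,
# tunnel name gre1, ports 3128/3129, fwmark 1, routing table 100.

wccp_setup_commands() {
  mode="$1"; router_ip="$2"; cache_ip="$3"; tun="${4:-gre1}"

  # Common part: GRE tunnel terminating on the cache; rp_filter off on the
  # tunnel because redirected packets carry client source addresses that would
  # never pass a reverse-path check on gre1; GRE (IP proto 47) allowed from the
  # router in case a host firewall is running (Nick's item 3 above).
  cat <<EOF
modprobe ip_gre
sysctl -w net.ipv4.ip_forward=1
ip tunnel add $tun mode gre remote $router_ip local $cache_ip
ip addr add $cache_ip/32 dev $tun
ip link set $tun up
sysctl -w net.ipv4.conf.$tun.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0
iptables -A INPUT -p gre -s $router_ip -j ACCEPT
EOF

  case "$mode" in
    redirect)
      # Only TCP/80 arriving on the tunnel is touched. Replies leave via the
      # normal route, not the tunnel, hence the one-way tunnel counters.
      cat <<EOF
iptables -t nat -A PREROUTING -i $tun -p tcp --dport 80 -j REDIRECT --to-ports 3128
EOF
      ;;
    tproxy)
      # DIVERT catches packets for sockets TPROXY already owns; the fwmark
      # plus the local route in table 100 delivers foreign-addressed packets
      # to the local Squid socket without NAT.
      cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i $tun -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
      ;;
    *)
      echo "usage: wccp_setup_commands redirect|tproxy ROUTER_IP CACHE_IP [tunnel]" >&2
      return 2
      ;;
  esac
}

# Commands to confirm the path end to end: tunnel RX counters rising, hits on
# the interception rule, and Squid actually listening on the target port.
wccp_check_commands() {
  tun="${1:-gre1}"
  cat <<EOF
ip -s link show $tun
iptables -t nat -L PREROUTING -n -v
iptables -t mangle -L PREROUTING -n -v
ss -ltnp | grep -E ':(3128|3129) '
EOF
}

# Apply for real only when explicitly asked and running as root, e.g.
#   sh wccp-setup.sh apply redirect 192.168.1.1 10.2.2.31
if [ "${1:-}" = "apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
  wccp_setup_commands "$2" "$3" "$4" "${5:-gre1}" | sh -e
fi
```

Run it without "apply" to just print the rule set and diff it against what is on the box; the redirect variant is the one that matches the Squid 2.6 setups in this thread, and the tproxy variant assumes a kernel and iptables with the native mangle-table TPROXY that Nick mentions rather than the old patched "tproxy" table.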

[squid-users] problem with wccp v2 and cisco

2008-02-21 Thread Ritter, Nicholas
I am trying to setup an HTTP-only WCCP v2 redirection via Cisco 2811
router to a Linux-based Squid 2.6 box. The problem is that there is no
content showing up in the squid access log, and web connections are slow
and often timeout. I have done some research on the net and checked some
things that were noted by people's posts, but I am still a bit stumped.
The router shows WCCP status as good in that the router and the cache
server see each other, and there appears to be redirection occurring
because 'sh ip wccp' on the router shows it, and a tcpdump session on
the web cache server sees it. The router and the web cache appliance are
layer 2 adjacent to each other, and on the same ip subnet, but the cache
server is connected via a Cisco EtherSwitch module installed in the 2811
router, and the clients being redirected to the cache server are hanging
off a different ip subnet and different layer 2 segment.
 
I also notice that the wccp2 GRE tunnel I setup on the Linux box shows
traffic in only one direction. I suspect that at least part of my
problem is that I have setup the GRE tunnel wrong. I also read that WCCP
functionality is buggy in various Cisco IOS versions, so I have tried to
figure out if the IOS version I am using is a buggy one. I attempted to
use the same IOS version as is in use on a Cisco WAAS 2811 router, which
is 12.4(9), but the closest I could get to that was 12.4(10c). 12.4(15)T3
exhibited the same problems. 
 
I have provided information below on my setup, can someone please
provide me with some information that can help to figure out what I am
doing wrong?
 
 
 
 
ROUTER INFO

---
Router: Cisco 2811 running c2800nm-advsecurityk9-mz.124-10c
WCCP version: 2
 
#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   
Protocol Version:2.0
 
Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected:4285
  Process:   0
  Fast:  0
  CEF:   4285
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0
 
Other router configure directives:
 
Clients using cache server on FastEthernet 0/0.1
Squid server is directly connected to FastEthernet 0/2/0
 
WCCP router config directives:
ip wccp web-cache
ip wccp web-cache version 2
interface fastethernet0/0.1
ip wccp web-cache redirect in
 
 
SQUID INFO

---
Squid platform: CentOS 5.1 on x86_64
Squid version: CentOS bundled RPM which is squid-2.6.STABLE6-5.el5_1.2
 
Squid is set for transparent mode and to listen on port 80 and port
3128. The host based firewall is disabled, because I don't need redirect
to 3128 from 80. (Could this be a problem, do I need iptables mangling
of some sort?)
 
squid.conf directives:
http_port 80 transparent
http_port 3128 transparent
wccp2_router 
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
 
 
CENTOS Linux OS INFO

---
CentOS 5.1 x86_64 on Intel Core 2 Duo
Kernel is custom compiled, version 2.6.23
 
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
/bin/echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
/sbin/modprobe ip_gre
/sbin/ip tunnel add wccp2 mode gre remote  local  dev eth0
/sbin/ifconfig wccp2  netmask 255.255.255.255 up
 
 
ifconfig output from CentOS box:
 
eth0  Link encap:Ethernet  HWaddr 00:30:1B:44:7F:11  
  inet addr:  Bcast:  Mask:255.255.240.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:38474 errors:0 dropped:0 overruns:0 frame:0
  TX packets:38245 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:6402032 (6.1 MiB)  TX bytes:5488603 (5.2 MiB)
  Interrupt:19 
 
loLink encap:Local Loopback  
  inet addr:127.0.0.1  Mask:255.0.0.0
  UP LOOPBACK RUNNING  MTU:16436  Metric:1
  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0 
  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
 
wccp2 Link encap:UNSPEC  HWaddr 0A-0C-20-3C-00-00-00-00-00-00-00-00-00-00-00-00  
  inet addr:  P-t-P:  Mask:255.255.255.255
  UP POINTO