[squid-users] Need your help : Tproxy + WCCP

2009-02-17 Thread viveksnv

Hello All,

I am trying to set up Tproxy+WCCP.

WCCP+Transparent proxy works fine and also Tproxy works good without
WCCP.

I had followed the following link for WCCP configuration:
http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY.

Only SYNC packets reach the web server and return packets don't
come to the squid server. So we get a connection timeout error.

Problem in squid or Router?

Please share your views on this issue.

Thanks,

Vivek




Re: [squid-users] Some sites not working!!!

2009-02-05 Thread viveksnv




Hi Henrik,

Thanks for your reply. I have sent it to squid-users mailing list and I
received it. I will correct it if I am doing wrong.


The below problem was solved. Thanks for mailing list archival.

Thanks
Vivek


Squid usage & configuration questions is best sent to the squid-users
mailing list.

Note: to post to the list you must be subscribed, and have your mail
program configured to send plain-text email only (HTML not accepted).

Regards
Henrik

Wed 2009-02-04 at 15:38 -0500, vivek...@aol.in wrote:

Hi All,

I am using Squid 2.7 Stable 5 with Tproxy. I have problem while
accessing some sites.

Example: When accessing http://seek.co.nz, it takes more time and
returns error time out. It works good without squid.

I had changed following parameters, but no luck. Is it related with
http 1.1 ???

ignore_expect_100 on
half_closed_clients off
client_persistent_connections off
server_persistent_connections off

Thanks in advance.

Vivek.







[squid-users] Some sites not working!!!

2009-02-04 Thread viveksnv

Hi All,

I am using Squid 2.7 Stable 5 with Tproxy. I have problem while 
accessing some sites.


Example: When accessing http://seek.co.nz, it takes more time and
returns error time out. It works good without squid.


I had changed following parameters, but no luck. Is it related with 
http 1.1 ???


ignore_expect_100 on
half_closed_clients off
client_persistent_connections off
server_persistent_connections off

Thanks in advance.

Vivek.




[squid-users] Doubts in Tproxy

2009-01-27 Thread viveksnv

Hi All,

I have a doubt in Tproxy with WCCP.

How does squid+WCCP identify the packets returned from the web server?

For example:
When a client accesses squid-cache.org, the request comes to the router,
is then redirected to the squid server using the GRE tunnel, and then goes
to the squid-cache.org server. When the squid-cache.org server replies with
packets back to the router, how do WCCP + Squid identify the particular
packets?

Any flag or marking in headers?


Thanks,
vivek




[squid-users] Problem in WCCP configuration

2009-01-16 Thread viveksnv

Hi All,

Two wccp services, 80 and 90, are detected by the router. 80 - outgoing,
90 - incoming. But return traffic does not come to squid. No packets are
redirected by service 90.

Router IOS version is
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(13b), RELEASE SOFTWARE (fc3). Any bug in this IOS version?

Global WCCP information:
    Router information:
        Router Identifier:                   xx.xx.xx.xx
        Protocol Version:                    2.0

    Service Identifier: 80
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        1146
          Process:                           0
          Fast:                              0
          CEF:                               1146
        Redirect access-list:                15
        Total Packets Denied Redirect:       2814525
        Total Packets Unassigned:            15328
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 90
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Redirect access-list:                15
        Total Packets Denied Redirect:       3143419
        Total Packets Unassigned:            17297
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Squid configuration :

wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80


But it works good in transparent mode.

Thanks in advance.

Thanks
Vk.
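
The counters in the post above can be read mechanically. The following is an added example, not part of the original thread: a small parser for `show ip wccp` output that reports, per service group, the conditions visible in the post (zero redirected packets, packets excluded by the redirect access-list, packets with no cache assigned). The sample text is constructed from the counters quoted above; the function names are hypothetical.

```python
import re

# Constructed sample: the service-group counters quoted in the post above,
# laid out as "show ip wccp" prints them (some zero-valued lines omitted).
SAMPLE = """\
Global WCCP information:
    Router information:
        Router Identifier:                   xx.xx.xx.xx
        Protocol Version:                    2.0

    Service Identifier: 80
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        1146
          Process:                           0
          Fast:                              0
          CEF:                               1146
        Redirect access-list:                15
        Total Packets Denied Redirect:       2814525
        Total Packets Unassigned:            15328
        Group access-list:                   -none-

    Service Identifier: 90
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
        Redirect access-list:                15
        Total Packets Denied Redirect:       3143419
        Total Packets Unassigned:            17297
        Group access-list:                   -none-
"""

# "key: value" with any amount of whitespace (the mail archive squeezed it out).
FIELD = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_wccp(text):
    """Return {service_id: {field: value}} from 'show ip wccp' text."""
    services, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None:          # skip the global router section
            current[key] = value
    return services


def _count(fields, name):
    """Numeric counter, 0 when the line is absent or not a number."""
    value = fields.get(name, "0")
    return int(value) if value.isdigit() else 0


def diagnose(services):
    """Return {service_id: [findings]} for each service group."""
    findings = {}
    for sid, f in services.items():
        notes = []
        acl = f.get("Redirect access-list", "-none-")
        denied = _count(f, "Total Packets Denied Redirect")
        unassigned = _count(f, "Total Packets Unassigned")
        if _count(f, "Number of Service Group Clients") == 0:
            notes.append("no cache registered for this service group")
        if _count(f, "Total Packets s/w Redirected") == 0:
            notes.append("no packets redirected")
        if acl != "-none-" and denied > 0:
            # Denied Redirect counts packets the redirect ACL did not permit.
            notes.append(f"redirect access-list {acl} excluded {denied} packets")
        if unassigned > 0:
            # Unassigned counts packets that matched but had no cache bucket.
            notes.append(f"{unassigned} packets had no cache assigned")
        findings[sid] = notes
    return findings


if __name__ == "__main__":
    for sid, notes in diagnose(parse_wccp(SAMPLE)).items():
        print(f"service {sid}: " + ("; ".join(notes) or "ok"))
```
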





[squid-users] Fwd: Problem in WCCP configuration

2009-01-16 Thread viveksnv


Amos, Henrik

I need your help. I am a newbie in squid + tproxy + WCCP. So I sent a lot
of messages to you.

Now I describe my problem. I have a router with 2 Ethernet, 6 Serial
interfaces. LAN users connected via Ethernet 0/0 and squid machine
connected via Ethernet 0/1 interface. And internet connected all the 4
interfaces. I had created the tunneling interface using router
identifier address. Router detects the two wccp services. But my
problem is..

Squid works transparent perfectly.  rule- ip wccp web-cache redirect in
-- Ethernet 0/0 -LAN interface.

But I tried Tproxy, it doesn't work. ip wccp 80 redirect in , ip wccp
90 redirect out -- Ethernet 0/0 - LAN interface.

And I tried all the options based on
--http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY.

But no luck.

I checked in webserver. Client reaches it. Squid returns connection
timeout error.



Router IOS version is
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version
12.4(13b), RELEASE SOFTWARE (fc3). Any bug in this IOS version?

Global WCCP information:
    Router information:
        Router Identifier:                   xx.xx.xx.xx
        Protocol Version:                    2.0

    Service Identifier: 80
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        1146
          Process:                           0
          Fast:                              0
          CEF:                               1146
        Redirect access-list:                15
        Total Packets Denied Redirect:       2814525
        Total Packets Unassigned:            15328
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

    Service Identifier: 90
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Redirect access-list:                15
        Total Packets Denied Redirect:       3143419
        Total Packets Unassigned:            17297
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Squid configuration :

wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

But it works good in transparent mode.

Thanks in advance.

Thanks

Vk.




Re: [squid-users] Re: WCCP configuration

2009-01-14 Thread viveksnv


Henrik,

Thanks for your reply.

You said we should use only either transparent or tproxy and not both,
but I feel we need to use both, like  http_port 3128 tproxy transparent
 based on the following.

The parseHttpRequest() function needs to parse the Host: header
in the http request.  However, it only does this if the
conn->port->transparent or conn->port->accel is true
(if the http_port option has either transparent or accel)

Squid version -- Squid 2.7 Stable 5.

This is only my understanding, any advice from you is appreciated.

Regards,
vk

From: vivek...@aol.in [mailto:vivek...@aol.in]

We have configured as squid+tproxy. The squid ip is not displayed and
only the client ip is displayed when we do the proxy test. But after
configuring wccp we find that the server ip is displayed in the proxy
test instead of the client ip.

http_port 3128 transparent tproxy

You should only use one of transparent or tproxy, not both.

transparent for transparent interception (NAT style)

tproxy for TPROXY interception.

Regards
Henrik
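
A check for the squid.conf points raised in this exchange, as an added example that is not part of the original thread: it flags an `http_port` carrying both `transparent` and `tproxy`, and dynamic WCCP services whose `wccp2_service` and `wccp2_service_info` lines do not pair up. The sample configurations are constructed, the function names are hypothetical, and the last check assumes the two-service layout used in this thread (one service matching on `ports_source` for the return traffic).

```python
def parse_directives(text):
    """Yield (name, [args]) for each non-empty, non-comment squid.conf line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def check_interception(text):
    """Return a list of warnings about the interception settings."""
    warnings = []
    dynamic = set()        # ids declared with "wccp2_service dynamic N"
    info = {}              # id -> set of flags from wccp2_service_info
    tproxy_port = False
    for name, args in parse_directives(text):
        if name == "http_port" and args:
            opts = set(args[1:])
            if {"transparent", "tproxy"} <= opts:
                warnings.append(
                    f"http_port {args[0]}: both 'transparent' and 'tproxy' "
                    "set; use only one")
            tproxy_port = tproxy_port or "tproxy" in opts
        elif name == "wccp2_service" and len(args) == 2 and args[0] == "dynamic":
            dynamic.add(args[1])
        elif name == "wccp2_service_info" and args:
            flags = set()
            for arg in args[1:]:
                if arg.startswith("flags="):
                    flags = set(arg[len("flags="):].split(","))
            info[args[0]] = flags
    for sid in sorted(set(info) - dynamic):
        warnings.append(f"service {sid}: wccp2_service_info without "
                        "'wccp2_service dynamic'")
    for sid in sorted(dynamic - set(info)):
        warnings.append(f"service {sid}: dynamic service without "
                        "wccp2_service_info")
    # Assumption taken from this thread's layout: TPROXY needs a second
    # service that matches return traffic by source port.
    if tproxy_port and not any("ports_source" in f for f in info.values()):
        warnings.append("tproxy port but no service with flags=ports_source "
                        "for return traffic")
    return warnings


# Constructed samples, modelled on the configuration discussed in the thread.
POSTED = """\
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
http_port 3128 transparent tproxy
"""

ONE_MODE = POSTED.replace("transparent tproxy", "tproxy")

# Return-traffic service left out entirely.
NO_RETURN = """\
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
http_port 3128 tproxy
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("one mode", ONE_MODE),
                        ("no return service", NO_RETURN)):
        print(label, check_interception(conf) or "ok")
```
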











[squid-users] Connection time out error with tproxy

2009-01-14 Thread viveksnv


Amos,

Thanks again for your reply.


We have configured squid + Tproxy + WCCP and client ip is redirected to
the web server, but browser shows a connection timeout(110) error and
it takes a long time even to display this error message. The access.log
shows long timestamp value.

Forward log shows the request has been forwarded. Squid works perfectly
fine when configured as transparent proxy.

We need your valuable advice and if possible can you point out few
areas where are all the possibilities for the problems to arise.


Thanks,
vk

vivek...@aol.in wrote:

Amos,

Thanks for your reply.

Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables
1.3.8 and linux kernel 2.6.20.21.

Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works good. Tproxy without wccp works well by
not revealing the server ip and only displaying the client ip. But once
the wccp is enabled with tproxy, the server ip is revealed instead of the
client ip.

Please scroll down below to check our previous mails.

Any suggestions please.

Other than checking your squid is built with --enable-linux-tproxy,
none from me sorry.

cttproxy was obsolete and officially unsupported before I ever heard of
it.

Amos

VK








Re: [squid-users] Connection time out error with tproxy

2009-01-14 Thread viveksnv


Hi Amos,

Thank you very much.

This is ifconfig result of the squid server.

But it works in transparent mode, but why not in tproxy?

eth0      Link encap:Ethernet  HWaddr
          inet addr:xx.xx.xx.xx  Bcast:xx.xx.xx.xx  Mask:255.255.255.252
          inet6 addr: fe80::21a:4bff:fe34:9af0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2435572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2694449 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1371738325 (1.2 GiB)  TX bytes:1495109099 (1.3 GiB)
          Interrupt:16 Memory:f800-f8012100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2715 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:216227 (211.1 KiB)  TX bytes:216227 (211.1 KiB)

wccp      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:xx.xx.xx.xx  P-t-P:xx.xx.xx.xx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:1298005 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:142161462 (135.5 MiB)  TX bytes:0 (0.0 b)

WCCP -- GRE tunnel interface.


Thanks,
vk



vivek...@aol.in wrote:

Amos,

Thanks again for your reply.

We have configured squid + Tproxy + WCCP and client ip is redirected to
the web server, but browser shows a connection timeout(110) error and it
takes a long time even to display this error message. The access.log
shows long timestamp value.

Forward log shows the request has been forwarded. Squid works perfectly
fine when configured as transparent proxy.

Aha. Check MTUs. This type of forwarded and no reply issue is usually
seen on links where MTU-discovery is broken.

It may be that there are ICMP info packets being sent to the client
instead of Squid.

Amos

We need your valuable advice and if possible can you point out few areas
where are all the possibilities for the problems to arise.

Thanks,

vk






Re: [squid-users] Re: WCCP configuration

2009-01-13 Thread viveksnv



Hello Henrik,

I am facing some issues while implementing Squid + Tproxy and WCCP. 
There is no problem with squid + Transparent + WCCP.



cache.log as follows...

2009/01/12 08:36:11| clientTryParseRequest: FD 155 (189.50.133.254:1955) Invalid Request
2009/01/12 08:36:18| clientTryParseRequest: FD 114 (189.50.133.254:1956) Invalid Request
2009/01/12 08:36:25| clientTryParseRequest: FD 78 (189.50.133.254:1957) Invalid Request
2009/01/12 08:36:33| clientTryParseRequest: FD 60 (189.50.133.254:1958) Invalid Request
2009/01/12 08:36:40| clientTryParseRequest: FD 60 (189.50.133.254:1959) Invalid Request
2009/01/12 08:36:47| clientTryParseRequest: FD 42 (189.50.133.254:1960) Invalid Request
2009/01/12 08:36:55| clientTryParseRequest: FD 159 (189.50.133.254:1961) Invalid Request
2009/01/12 08:37:02| clientTryParseRequest: FD 77 (189.50.133.254:1962) Invalid Request

access.log as follows...

TCP_DENIED/400 1415 GET / - NONE/- text/html
TCP_DENIED/400 1415 GET / - NONE/- text/html

squid.conf...

http_port 3128 transparent. tcp_outgoing_address is configured.

/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

Squid version : Squid 2.7 Stable 5.
Kernel   : linux-2.6.20.21
OS : FC 8
Router IOS : 2800 Software, Version 12.4(13b)

Regards,
vk


From: vivek...@aol.in [mailto:vivek...@aol.in]



We have configured as squid+tproxy. The squid ip is not displayed and
only the client ip is displayed when we do the proxy test. But after
configuring wccp we find that the server ip is displayed in the proxy
test instead of the client ip.



http_port 3128 transparent tproxy


You should only use one of transparent or tproxy, not both.

transparent for transparent interception (NAT style)

tproxy for TPROXY interception.

Regards
Henrik











Re: [squid-users] Re: WCCP configuration

2009-01-10 Thread viveksnv

Amos,

Thanks for your reply.

Sorry, we are not using TPROXY but cttproxy 2.6.20-2.0.6, iptables
1.3.8 and linux kernel 2.6.20.21.

Cisco IOS 2800 Ver 12.4 (13b)

WCCP+Transparent proxy works good. Tproxy without wccp works well by
not revealing the server ip and only displaying the client ip. But once
the wccp is enabled with tproxy, the server ip is revealed instead of
the client ip.


Please scroll down below to check our previous mails.

Any suggestions please.


VK



-Original Message-
From: Amos Jeffries squ...@treenet.co.nz
To: Ritter, Nicholas nicholas.rit...@americantv.com
Cc: vivek...@aol.in; squid-users@squid-cache.org
Sent: Sat, 10 Jan 2009 8:06 am
Subject: Re: [squid-users] Re: WCCP configuration

Ritter, Nicholas wrote:

With TProxy, I think you need to use Squid3-HEAD to reliably fix your
issue... Amos would know for sure.

Nick

Yes. Squid-2.* has no support for TPROXY v4.1+

3.1.0.3 or later is needed. Which is at least an RC beta now, more
stable than pure 3.HEAD alpha code.

Also the squid.conf and configure details have changed.

http://wiki.squid-cache.org/Features/Tproxy4

Amos
 



 





[squid-users] Re: WCCP configuration

2009-01-09 Thread viveksnv

Hi,

Thanks for the reply. It did help us solve the problem.

But there is a new issue.

We have configured as squid+tproxy. The squid ip is not displayed and 
only the client ip is displayed when we do the proxy test. But after 
configuring wccp we find that the server ip is displayed in the proxy 
test instead of the client ip.


We also find that the http request is pathetically slow.

squid.conf

wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

http_port 3128 transparent tproxy

iptable:
/usr/local/sbin/iptables -t tproxy -A PREROUTING -i wccp -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128

We created a gre tunnel based on the router identifier.

wccp2_router xx.xx.xxx.xx (ip of router interface connected to squid
machine)

The following command is assigned at the router interface connected to
the lan.

ip wccp 80 redirect in
ip wccp 90 redirect out

Following command at the router interface connected to squid.
ip wccp redirect exclude in

Router : Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M),
Version 12.4(13b)

Kernel : linux-2.6.20.21
IPtable : iptables-1.3.8
Os Ver : squid-2.7 Stable 5

#lsmod

ip_gre                 19616  0
iptable_filter         11136  0
ipt_TPROXY             11136  1
ipt_REDIRECT           10624  0
xt_tcpudp              11904  1
reiserfs              235144  5
iptable_tproxy         23036  2 ipt_TPROXY
iptable_nat            15492  1 iptable_tproxy
ip_nat                 24620  3 ipt_REDIRECT,iptable_tproxy,iptable_nat
ip_tables              25448  3 iptable_filter,iptable_tproxy,iptable_nat
x_tables               23560  5 ipt_TPROXY,ipt_REDIRECT,xt_tcpudp,iptable_nat,ip_tables
ip_conntrack           53400  3 iptable_tproxy,iptable_nat,ip_nat


The internet works, but the browsing is dead slow. Temporarily we have 
bypassed squid to browse the net.



Thanks
VK


-Original Message-
From: Henrik Nordstrom hen...@henriknordstrom.net
To: vivek...@aol.in
Cc: squ...@treenet.co.nz; squid-users@squid-cache.org
Sent: Thu, 8 Jan 2009 12:05 am
Subject: Re: WCCP configuration


Wed 2009-01-07 at 08:46 -0500, vivek...@aol.in wrote:

wccp2_router xxx.xx.xxx.xxx
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

Router Eth0 - connected to lan. Eth1 - connected to squid.

Have you also configured
* A loopback address on the router, giving it an easily identified router
ID

* the required GRE/WCCP tunnel interface on the Squid server

* disabled rp_filter on the above GRE/WCCP interface.

* And adjusted the REDIRECT/NAT rules to act on traffic received on the
GRE/WCCP interface configured above?

Service Identifier: web-cache
Number of Service Group Clients: 1
Number of Service Group Routers: 1
Total Packets s/w Redirected: 11336
  Process:   0
  Fast:      0
  CEF:       11336

Looks fine.

Is there any simple way of configuring WCCP. We have beating round the
bush all day long to configure wccp.


WCCP as such is configured. But something is missing in the interception
at the proxy. Most likely the GRE interface mentioned above.

Regards
Henrik











[squid-users] WCCP configuration

2009-01-07 Thread viveksnv

OS - Fedora 8
Kernel - 2.6.20
Cttproxy - 2.6.20
Cisco Router - IOS 12.4

We have compiled squid+Tproxy and it works fine. Tunnelling has been
done between the squid machine and the router. We need to configure
WCCP.


The WCCP config in squid:-

wccp2_router xxx.xx.xxx.xxx
wccp_version 4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80

wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

Router Eth0 - connected to lan. Eth1 - connected to squid.

Router WCCP Configuration.

Eth0 - ip wccp web-cache redirect out
ip wccp web-cache redirect in

Eth1 - ip wccp redirect exclude in

We tried the above commands in all combination possible, interchanging
the commands but in vain. Internet just doesn't work in WCCP.

sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   xxx.xx.xxx.x
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        11336
          Process:                           0
          Fast:                              0
          CEF:                               11336
        Redirect access-list:                -none-
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            9198
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

Is there any simple way of configuring WCCP. We have beating round the
bush all day long to configure wccp.





Re: [squid-users] Squid conf for live video stream

2008-10-20 Thread viveksnv




Thanks Henrik,

All the videos are cacheable. Because the videos are maintained by us.

But the origin server is not near us. So I try to cache and serve to
customers quickly.

And also the objects are cached by squid. But performance is very slow.
So I need some tips to improve the performance.






On Mon, 2008-10-20 at 19:13 +1300, Amos Jeffries wrote:
You need to fix the VOD implementation to use cacheable URI. Or scream
at the vendors who wrote it so they fix it.

And most won't fix it as they regard this cache unfriendliness as one of
the premium features of their system.

Regards
Henrik








[squid-users] Squid conf for live video stream

2008-10-19 Thread viveksnv

Hi all,

I configured squid transparent for caching live video stream.

I need to cache the live video objects from my particular domain.

But mostly URLs vary from request to request, because of the VOD service.

So i configured the rewrite program.

video object size is 5 Mb to 100Mb...

I need to tune the squid configuration for their video needs.

This is my current squid conf.

http_port 80 transparent
icp_port 0
htcp_port 0
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 1024 MB
minimum_object_size 0 KB
maximum_object_size 1024 MB
maximum_object_size_in_memory 512 MB
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir aufs /var/cache/squid 40960 16 256
logformat common %a %ui %un [%tl] %rm %ru HTTP/%rv %Hs %st %Ss:%Sh
logformat squid %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %un %Sh/%A %mt

access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
request_header_max_size 256 KB
collapsed_forwarding on
quick_abort_min -1 KB
range_offset_limit -1 MB
url_rewrite_program /usr/local/bin/ralph-rewrite.pl
url_rewrite_children 200
refresh_pattern . 0 20% 4320 ignore-reload
negative_ttl 2 seconds
connect_timeout 15 seconds
client_persistent_connections on
persistent_request_timeout 15 seconds
pconn_timeout 15 seconds
read_timeout 15 seconds
request_timeout 15 seconds
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 901
acl purge method PURGE
acl CONNECT method CONNECT
acl mirror url_regex /mirror/
url_rewrite_access allow all
snmp_access allow snmppublic localhost
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow mirror
http_access deny all
http_reply_access allow all
always_direct allow all
icp_access allow all
visible_hostname localhost
forwarded_for off
header_access X-Cache-Lookup deny all
header_access Age deny all
snmp_port 3401
coredump_dir /var/cache/squid
client_lifetime 4 hours
store_avg_object_size 2 MB


Thanks
Vivek N.




Re: [squid-users] HTTPS traffic in normal transparent proxy

2008-10-16 Thread viveksnv


Thanks Henrik.

I tried with both types for blocking https://gmail.com.

My conf is

acl gmail1 url_regex gmail.com mail.google.com
and
acl gmail dstdomain  gmail.com mail.google.com

http_access deny gmail gmail1

Now https://gmail.com is blocked.

But all other https sites are not working.

Error in browser:

while retrieving the url (display ip address).
protocol error..

In access.log

only one https request goes..

GET https://gmail.com

Regards
Vivek

On ons, 2008-10-15 at 10:23 -0400, [EMAIL PROTECTED] wrote:

My configuration is...

http_port 0.0.0.0:3128 transparent

https_port 0.0.0.0:3129 transparent cert=/usr/local/squid-test/CA/servercert.pem key=/usr/local/squid-test/CA/serverkey.pem

Iptable rules are:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

In cache.log

Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
Accepting HTTPS connections at 0.0.0.0, port 3129, FD 13

In access.log while accessing https://gmail.com

TCP_MISS/200 2213 CONNECT gmail.com:443


This is not a transparently intercepted https request. This browser is
configured to use the proxy.

The https_port method will only work for transparently intercepted
requests, not when the browser is configured to use the proxy.

For this to work when the browser is configured to use the proxy you
need the sslbump feature available in the upcoming 3.1 release.


But problem is now gmail not blocked...

In http://gmail.com requests...it's blocked..


CONNECT requests are subject to the same http_access rules as http
access. If GET http://gmail.com is blocked but CONNECT gmail.com:443 is
not then check your access rules. A guess without seeing your ruleset is
that you are using url_regex instead of dstdomain type acls.

Regards
Henrik
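
One way to confirm from access.log that a block covers CONNECT as well as GET, the situation discussed in the message above. This is an added example, not code from the thread: it assumes Squid's native access.log format, the function names are hypothetical, and the sample log lines are constructed apart from the CONNECT result quoted in the thread.

```python
import re
from urllib.parse import urlsplit

# Native "squid" access.log layout: time elapsed client code/status bytes method URL ...
LINE = re.compile(r"^\S+\s+\d+\s+\S+\s+(?P<result>[A-Z_]+/\d{3})\s+\d+\s+"
                  r"(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# ACL values from the thread; a leading dot (".gmail.com") would also cover subdomains.
BLOCKED = ["gmail.com", "mail.google.com"]

# Constructed sample lines; only the CONNECT result on line 2 is quoted from the thread.
SAMPLE_LOG = """\
1224080581.123    210 192.0.2.10 TCP_DENIED/403 1420 GET http://gmail.com/ - NONE/- text/html
1224080590.456   5312 192.0.2.10 TCP_MISS/200 2213 CONNECT gmail.com:443 - DIRECT/203.0.113.5 -
1224080601.789    120 192.0.2.11 TCP_MISS/200 5120 GET http://example.org/ - DIRECT/203.0.113.9 text/html
1224080610.002     95 192.0.2.11 TCP_DENIED/403 1418 CONNECT mail.google.com:443 - NONE/- text/html
"""

def request_host(method, url):
    """Hostname a dstdomain ACL tests: CONNECT logs host:port, other methods a full URL."""
    target = "//" + url if method == "CONNECT" else url
    return (urlsplit(target).hostname or "").rstrip(".")

def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: exact name, or name plus subdomains for a leading dot."""
    for pattern in (p.lower() for p in patterns):
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False

def find_unblocked(log_text, patterns=BLOCKED):
    """Return (method, url, result) for requests to blocked hosts that were not denied."""
    leaks = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the native format
        host = request_host(m["method"], m["url"])
        if dstdomain_match(host, patterns) and not m["result"].startswith("TCP_DENIED"):
            leaks.append((m["method"], m["url"], m["result"]))
    return leaks

if __name__ == "__main__":
    for leak in find_unblocked(SAMPLE_LOG):
        print("not blocked:", *leak)
```
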










[squid-users] HTTPS traffic in normal transparent proxy

2008-10-15 Thread viveksnv

Hi all,

I need to handle the HTTPS request(443) in squid transparent proxy.

I am using squid 3.0.

http_port 3128 transparent

https_port 3129.

Forward the 80 port request to 3128 and 443 port to 3129.

In debugging mode, squid is ready to handle the HTTPS requests. But it is not 
working. (Error: takes a long time and times out)


And also I tried with

https_port 0.0.0.0:3129 cert=/usr/local/squid/CA/servercert.pem key=/usr/local/squid/CA/serverkey.pem


But this also not working.

Error in browser:(https://gmail.com/)

error while retrieving the url=/

In access.log   GET / - NONE/- text/html.

How to resolve this problem.

Thx in advance.

Thanks,
Vivek N.





Re: [squid-users] HTTPS traffic in normal transparent proxy

2008-10-15 Thread viveksnv


My configuration is...

http_port 0.0.0.0:3128 transparent

https_port 0.0.0.0:3129 transparent cert=/usr/local/squid-test/CA/servercert.pem key=/usr/local/squid-test/CA/serverkey.pem


Iptable rules are:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129


In cache.log

Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
Accepting HTTPS connections at 0.0.0.0, port 3129, FD 13

In access.log while accessing https://gmail.com

TCP_MISS/200 2213 CONNECT gmail.com:443

But problem is now gmail not blocked...

In http://gmail.com requests...it's blocked..

Thanks
Vivek N.


On ons, 2008-10-15 at 07:57 -0400, [EMAIL PROTECTED] wrote:



Thanks Henrik.

i tried with

https_port 0.0.0.0:3129 transparent cert=/usr/local/squid/CA/servercert.pem key=/usr/local/squid/CA/serverkey.pem

But not working...


Not working in what manner?

Squid rejects the configuration?
Error message in the browser?
Error message in cache.log?

Regards
Henrik










Re: [squid-users] HTTPS traffic in normal transparent proxy

2008-10-15 Thread viveksnv




Thanks Henrik.

i tried with

https_port 0.0.0.0:3129 transparent cert=/usr/local/squid/CA/servercert.pem key=/usr/local/squid/CA/serverkey.pem


But not working...

My problem is i want to block some sites like gmail.com.

I have an acl for blocking. it works only for http://gmail.com

not https://gmail.com

Help me..

how to resolve this...

On ons, 2008-10-15 at 03:01 -0400, [EMAIL PROTECTED] wrote:


I need to handle the HTTPS request(443) in squid transparent proxy.


Ouch. You are aware that this is not possible without acting as a
man-in-the-middle, sending invalid certificates to the browsers? And
that the users no longer will be able to verify the contacted server's
certificate?


I am using squid 3.0.

http_port 3128 transparent

https_port 3129.


https_port needs a certificate specified.


Forward the 80 port request to 3128 and 443 port to 3129.


Ok.


In debugging mode, squid ready to handle the HTTPS requests. But not
working. ( Error : take long time and time out)

And also i tried with

https_port 0.0.0.0:3129 cert=/usr/local/squid/CA/servercert.pem key=/usr/local/squid/CA/serverkey.pem


You also need to enable transparent interception (transparent option),
just as you did for http_port. If not Squid assumes it's a normal proxy
port.

Regards
Henrik






