Re: [squid-users] wccp2 does not working

2013-03-21 Thread Sokvantha YOUK
Dear All,

I got WCCP working after shrinking the cache size of the rock store from
170GB down to 70GB. My server memory is 32GB.

# Rockstore filesystem
workers 4
cpu_affinity_map process_numbers=1,2,3,4 cores=2,4,6,8
# Rock Store: SMP aware
cache_dir  rock /cache1 7 max-size=31000 max-swap-rate=300 swap-timeout=300
cache_dir  rock /cache2 7 max-size=31000 max-swap-rate=300 swap-timeout=300
cache_dir  rock /cache3 7 max-size=31000 max-swap-rate=300 swap-timeout=300

# AUFS file system
if ${process_number}=4
cache_dir  aufs /cache4/squid/${process_number} 17 32 256 min-size=31001 max-size=2
cache_dir  aufs /cache5/squid/${process_number} 17 32 256 min-size=31001 max-size=2
cache_dir  aufs /cache6/squid/${process_number} 17 32 256 min-size=31001 max-size=2
cache_dir  aufs /cache7/squid/${process_number} 17 32 256 min-size=31001 max-size=2
cache_dir  aufs /cache8/squid/${process_number} 17 32 256 min-size=31001 max-size=2
endif

---
Regards,
Vantha

On Wed, Mar 20, 2013 at 9:44 PM, Alex Rousskov wrote:
> On 03/20/2013 12:58 AM, Amos Jeffries wrote:
>
>> I am suspecting the problem is related to the WCCP default of waiting
>> until all caches are loaded before starting to advertise HERE_I_AM.
>> Scanning 1.4 TB of disk is going to take a while. Sokvantha YOUK was
>> waiting _only_ about ten minutes for WCCP packets.
>
> I see. This behavior sounds like a Squid bug to me: By default, Squid
> should advertise its presence when it is ready to service requests, not
> when it is done loading the cache index. In [rare] situations where the
> cache index is required, there is a "foreground rebuild" option (IIRC)
> that should be taken into account when fixing this.
>
>
>> With the "fixed" config the AUFS disk cache is isolated into a worker
>> separate from the rock stores. This introduces a few new factors:
> 
>
> Agreed. However, since that config is wrong, we should probably ignore
> its side-effects especially if we can now explain them.
>
>
> Thank you,
>
> Alex.
>



-- 

Regards,
Vantha


Re: [squid-users] wccp2 does not working

2013-03-20 Thread Alex Rousskov
On 03/20/2013 12:58 AM, Amos Jeffries wrote:

> I am suspecting the problem is related to the WCCP default of waiting
> until all caches are loaded before starting to advertise HERE_I_AM.
> Scanning 1.4 TB of disk is going to take a while. Sokvantha YOUK was
> waiting _only_ about ten minutes for WCCP packets.

I see. This behavior sounds like a Squid bug to me: By default, Squid
should advertise its presence when it is ready to service requests, not
when it is done loading the cache index. In [rare] situations where the
cache index is required, there is a "foreground rebuild" option (IIRC)
that should be taken into account when fixing this.


> With the "fixed" config the AUFS disk cache is isolated into a worker
> separate from the rock stores. This introduces a few new factors:


Agreed. However, since that config is wrong, we should probably ignore
its side-effects especially if we can now explain them.


Thank you,

Alex.



Re: [squid-users] wccp2 does not working

2013-03-19 Thread Amos Jeffries

On 20/03/2013 7:19 a.m., Alex Rousskov wrote:
> On 03/19/2013 09:14 AM, Sokvantha YOUK wrote:
>
>> Here is my configuration
>>
>> # Rockstore filesystem
>> workers 4
>> cpu_affinity_map process_numbers=1,2,3,4 cores=2,4,6,8
>>
>> if ${process_number}=1
>> cache_dir  rock /cache1 17 max-size=31000
>> cache_dir  rock /cache2 17 max-size=31000
>> endif
>>
>> if ${process_number}=2
>> cache_dir  rock /cache3 17 max-size=31000
>> cache_dir  rock /cache4 17 max-size=31000
>> endif
>>
>> if ${process_number}=3
>> cache_dir  rock /cache5 17 max-size=31000
>> cache_dir  rock /cache6 17 max-size=31000
>> endif
>>
>> # AUFS file system
>> if ${process_number}=4
>> cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
>> cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
>> endif
>
>
> Just in case somebody finds this in the archives and tries to replicate,
> please note that the above config does not make sense: It does not allow
> rock directories to share cache storage among workers and it isolates
> the aufs storage to a single worker (#4) as if that worker is somehow
> special.
>
>
> I doubt WCCP problems are related to caching. However, I recommend
> making sure WCCP works _before_ you make your configuration more complex
> by adding caching.


I am suspecting the problem is related to the WCCP default of waiting 
until all caches are loaded before starting to advertise HERE_I_AM.
Scanning 1.4 TB of disk is going to take a while. Sokvantha YOUK was 
waiting _only_ about ten minutes for WCCP packets.


With the "fixed" config the AUFS disk cache is isolated into a worker 
separate from the rock stores. This introduces a few new factors:
 1) no single worker is loading more than 333GB of cache. This alone 
could make it fast enough to start emitting WCCP packets in the waiting 
period.


 2) the AUFS cache is isolated by itself on one worker. This means that 
worker is possibly _only_ loading the swap.state journal before starting 
to emit WCCP packets. Which has long been a highly optimized process.


I suspect that factor #2 is the main one causing WCCP packets to show up
within the waited 10 minute period.



Sokvantha YOUK, I have some tests for you to try:

1) Using your "works" configuration with per-worker cache_dir lines,
please run with debug_options ALL,1 and check your cache.log to see the
time difference between Startup message and store scan completion
messages from each worker/disker process.


2) Using your original "don't work" configuration please try starting
Squid with the configuration option wccp2_rebuild_wait set to OFF.


HTH
Amos
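
The timing check asked for in test 1 above can be scripted. The following is an added example, not part of the original thread or of the Squid project: it measures, per worker/disker, the time between the startup line and the end of the store scan, and lists the processes that would not have finished within the ten-minute wait mentioned in the thread. The `kidN|` line layout and the two marker strings are assumptions about this build's cache.log wording, and the sample log is constructed.

```python
import re
from datetime import datetime

# Assumed cache.log layout: "YYYY/MM/DD hh:mm:ss kidN| message" with SMP
# workers, "YYYY/MM/DD hh:mm:ss| message" without. Adjust if yours differs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?"
    r"(?: kid(?P<kid>\d+))?\|\s*(?P<msg>.*)$"
)

# Assumed message wording for process start and for the end of the cache scan.
START_MARK = "Starting Squid Cache version"
DONE_MARK = "Finished rebuilding storage from disk"

# Constructed sample, not taken from the thread.
SAMPLE_LOG = """\
2013/03/19 10:00:01 kid1| Starting Squid Cache version 3.3.3 for x86_64-unknown-linux-gnu...
2013/03/19 10:00:01 kid2| Starting Squid Cache version 3.3.3 for x86_64-unknown-linux-gnu...
2013/03/19 10:00:01 kid4| Starting Squid Cache version 3.3.3 for x86_64-unknown-linux-gnu...
2013/03/19 10:00:02 kid4| Store rebuilding is 0.50% complete
2013/03/19 10:01:31 kid4| Finished rebuilding storage from disk.
2013/03/19 10:14:46 kid1| Finished rebuilding storage from disk.
2013/03/19 10:20:00 kid2| Store rebuilding is 61.20% complete
"""


def rebuild_times(log_text):
    """Map kid number -> seconds from startup to end of store rebuild.

    A kid that started but has not logged completion maps to None.
    Kid 0 stands for a non-SMP process (no "kidN" prefix).
    """
    started = {}
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, stack traces, etc.
        kid = int(m.group("kid") or 0)
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        msg = m.group("msg")
        if msg.startswith(START_MARK):
            # A restart begins a new measurement for this kid.
            started[kid] = ts
            result[kid] = None
        elif msg.startswith(DONE_MARK) and kid in started:
            # Completion without a recorded start (rotated log) is skipped.
            result[kid] = (ts - started[kid]).total_seconds()
    return result


def exceeds_wait(times, wait_seconds=600):
    """Kids whose rebuild took longer than the wait, or never finished."""
    return sorted(
        kid for kid, secs in times.items()
        if secs is None or secs > wait_seconds
    )


if __name__ == "__main__":
    times = rebuild_times(SAMPLE_LOG)
    for kid, secs in sorted(times.items()):
        state = "still rebuilding" if secs is None else f"{secs:.0f} s"
        print(f"kid{kid}: {state}")
    print("not ready within 10 minutes:", exceeds_wait(times))
```

To use it on a live system, pass the contents of cache.log (captured with debug_options ALL,1) to `rebuild_times()` in place of `SAMPLE_LOG`.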



Re: [squid-users] wccp2 does not working

2013-03-19 Thread Alex Rousskov
On 03/19/2013 05:55 PM, Sokvantha YOUK wrote:

> May you help to advice how to use rock store with SMP, say in my case
> that I need caching content share among workers.

Rock store is SMP-aware so you do not need to do anything special to use
it with SMP or without. For example, if you want to use four 170GB rock
caches (which usually means that you have four disks), the following may
be a good starting point:

  cache_dir rock /cache1 17 max-size=31000
  cache_dir rock /cache2 17 max-size=31000
  cache_dir rock /cache3 17 max-size=31000
  cache_dir rock /cache4 17 max-size=31000

You will then tune the above to limit swap rate and I/O wait to avoid
disk overload and timeouts as discussed in "Performance Tuning" at
  http://wiki.squid-cache.org/Features/RockStore


HTH,

Alex.


> ---
> Regards,
> Vantha
> 
> On Mar 20, 2013 1:20 AM, "Alex Rousskov" wrote:
> 
> On 03/19/2013 09:14 AM, Sokvantha YOUK wrote:
> 
> > Here is my configuration
> >
> > # Rockstore filesystem
> > workers 4
> > cpu_affinity_map process_numbers=1,2,3,4 cores=2,4,6,8
> >
> > if ${process_number}=1
> > cache_dir  rock /cache1 17 max-size=31000
> > cache_dir  rock /cache2 17 max-size=31000
> > endif
> >
> > if ${process_number}=2
> > cache_dir  rock /cache3 17 max-size=31000
> > cache_dir  rock /cache4 17 max-size=31000
> > endif
> >
> > if ${process_number}=3
> > cache_dir  rock /cache5 17 max-size=31000
> > cache_dir  rock /cache6 17 max-size=31000
> > endif
> >
> > # AUFS file system
> > if ${process_number}=4
> > cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> > cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> > endif
> 
> 
> Just in case somebody finds this in the archives and tries to replicate,
> please note that the above config does not make sense: It does not allow
> rock directories to share cache storage among workers and it isolates
> the aufs storage to a single worker (#4) as if that worker is somehow
> special.
> 
> 
> I doubt WCCP problems are related to caching. However, I recommend
> making sure WCCP works _before_ you make your configuration more complex
> by adding caching.
> 
> 
> HTH,
> 
> Alex.
> 



Re: [squid-users] wccp2 does not working

2013-03-19 Thread Alex Rousskov
On 03/19/2013 09:14 AM, Sokvantha YOUK wrote:

> Here is my configuration
> 
> # Rockstore filesystem
> workers 4
> cpu_affinity_map process_numbers=1,2,3,4 cores=2,4,6,8
> 
> if ${process_number}=1
> cache_dir  rock /cache1 17 max-size=31000
> cache_dir  rock /cache2 17 max-size=31000
> endif
> 
> if ${process_number}=2
> cache_dir  rock /cache3 17 max-size=31000
> cache_dir  rock /cache4 17 max-size=31000
> endif
> 
> if ${process_number}=3
> cache_dir  rock /cache5 17 max-size=31000
> cache_dir  rock /cache6 17 max-size=31000
> endif
> 
> # AUFS file system
> if ${process_number}=4
> cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> endif


Just in case somebody finds this in the archives and tries to replicate,
please note that the above config does not make sense: It does not allow
rock directories to share cache storage among workers and it isolates
the aufs storage to a single worker (#4) as if that worker is somehow
special.


I doubt WCCP problems are related to caching. However, I recommend
making sure WCCP works _before_ you make your configuration more complex
by adding caching.


HTH,

Alex.



[squid-users] Re: Not-Solved - [squid-users] wccp2 does not working

2013-03-19 Thread Sokvantha YOUK
Dear All,

Sorry for my confusion. This issue is not yet solved, even when I use the process macro.

---
Regards,
Vantha

On Tue, Mar 19, 2013 at 10:14 PM, Sokvantha YOUK  wrote:
> Dear All,
>
> My issue with WCCP  is solved with following configuration:
>
> --- Using process macro to isolate cache_dir to each process
> --- I have allowed each process to have two cache_dir
> --- Then reconfigure squid with /usr/local/squid/sbin/squid -k reconf
> --- Look at the router using
> #show ip wccp 80 detail
>
> Here is my configuration
>
> # Rockstore filesystem
> workers 4
> cpu_affinity_map process_numbers=1,2,3,4 cores=2,4,6,8
>
> if ${process_number}=1
> cache_dir  rock /cache1 17 max-size=31000
> cache_dir  rock /cache2 17 max-size=31000
> endif
>
> if ${process_number}=2
> cache_dir  rock /cache3 17 max-size=31000
> cache_dir  rock /cache4 17 max-size=31000
> endif
>
> if ${process_number}=3
> cache_dir  rock /cache5 17 max-size=31000
> cache_dir  rock /cache6 17 max-size=31000
> endif
>
> # AUFS file system
> if ${process_number}=4
> cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> endif
>
> 
> Regards,
> Vantha
>
> Dear Amos,
>
> On Tue, Mar 19, 2013 at 6:23 PM, Sokvantha YOUK  wrote:
>> Dear Amos,
>>
>> After removing "Workers" SMP, WCCP works fine :) I want to make use of
>> SMP feature with Rock store. What is alternate solution for this?
>>
>> ---
>> Regards,
>> Vantha
>>
>> On Tue, Mar 19, 2013 at 5:36 PM, Amos Jeffries  wrote:
>>> On 19/03/2013 11:27 p.m., Sokvantha YOUK wrote:

>>>> Dear Amos,
>>>>
>>>> I have run tcpdump on the wccp interface for 10 minutes but see nothing
>>>> happens.
>>>>
>>>> My previous email:
>>>>
>>>> -- Before meaning that, I run squid 3.3.3 with no rock store files
>>>> system support at compiled time and wccp just works fine.
>>>>
>>>> What else I need to check?
>>>
>>>
>>> Okay.
>>>
>>> Rock storage type and SMP workers are two very different (although related)
>>> features.
>>> So the next thing to try is to see if a similar config with rock but not
>>> "workers" SMP is working or not?
>>>
>>> Amos
>>>
>>>
 
>>>> Regards,
>>>> Vantha
>>>>
>>>> On Tue, Mar 19, 2013 at 4:16 PM, Amos Jeffries wrote:
>>>>>
>>>>> On 19/03/2013 9:27 p.m., Sokvantha YOUK wrote:
>>>>>>
>>>>>> Dear All,
>>>>>>
>>>>>> I am appreciate your expert advices on this matter :). I have tried
>>>>>> with following configuration but it is strange that WCCP2 is not
>>>>>> initiated the communication with Cisco Router. I were using this
>>>>>> configuration before, wccp2 was working fine.
>>>>>
>>>>>
>>>>> What do you mean by "before" ?
>>>>>   ... same Squid, same config working yesterday?
>>>>>   ... SMP support enabled in older Squid before we coded it?
>>>>>   ... or earlier releases without SMP support were working with WCCP?
>>>>>
>>>>>
>>>>>
>>>>>> Operation System: CentOS 6.4, x64 bits, Kernel 2.6.32-358.2.1.el6.x86_64
>>>>>>
>>>>>> Below is my configuration:
>>>>>>
>>>>>> 1. Disk mount option
>>>>>> /dev/sdb1 /cache1 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sdc1 /cache2 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sdd1 /cache3 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sde1 /cache4 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sdf1 /cache5 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sdg1 /cache6 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sdh1 /cache7 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>> /dev/sdi1 /cache8 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>>
>>>>>> 2. Squid compiled option
>>>>>> Squid Cache: Version 3.3.3-20130318-r12517
>>>>>> configure options:  '--sysconfdir=/etc/squid'
>>>>>> '--enable-follow-x-forwarded-for' '--enable-snmp'
>>>>>> '--enable-linux-netfilter' '--enable-http-violations'
>>>>>> '--enable-delay-pools' '--enable-storeio=diskd,aufs,ufs,rock'
>>>>>> '--with-large-files' '--enable-removal-policies=lru,heap'
>>>>>> '--enable-ltdl-convenience' '--with-logdir=/var/log/squid'
>>>>>> '--enable-wccpv2' '--with-default-user=squid'
>>>>>> '--enable-log-daemon-helpers' '--enable-build-info'
>>>>>> '--enable-url-rewrite-helpers' '--enable-async-io=128'
>>>>>>
>>>>>> 3. Squid Configuration
>>>>>> ###
>>>>>> # wccpv2 configuration
>>>>>> ###

[squid-users] Re: Solved - [squid-users] wccp2 does not working

2013-03-19 Thread Sokvantha YOUK
Dear All,

My issue with WCCP  is solved with following configuration:

--- Using process macro to isolate cache_dir to each process
--- I have allowed each process to have two cache_dir
--- Then reconfigure squid with /usr/local/squid/sbin/squid -k reconf
--- Look at the router using
#show ip wccp 80 detail

Here is my configuration

# Rockstore filesystem
workers 4
cpu_affinity_map process_numbers=1,2,3,4 cores=2,4,6,8

if ${process_number}=1
cache_dir  rock /cache1 17 max-size=31000
cache_dir  rock /cache2 17 max-size=31000
endif

if ${process_number}=2
cache_dir  rock /cache3 17 max-size=31000
cache_dir  rock /cache4 17 max-size=31000
endif

if ${process_number}=3
cache_dir  rock /cache5 17 max-size=31000
cache_dir  rock /cache6 17 max-size=31000
endif

# AUFS file system
if ${process_number}=4
cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
endif


Regards,
Vantha

Dear Amos,

On Tue, Mar 19, 2013 at 6:23 PM, Sokvantha YOUK  wrote:
> Dear Amos,
>
> After removing "Workers" SMP, WCCP works fine :) I want to make use of
> SMP feature with Rock store. What is alternate solution for this?
>
> ---
> Regards,
> Vantha
>
> On Tue, Mar 19, 2013 at 5:36 PM, Amos Jeffries  wrote:
>> On 19/03/2013 11:27 p.m., Sokvantha YOUK wrote:
>>>
>>> Dear Amos,
>>>
>>> I have run tcpdump on the wccp interface for 10 minutes but see nothing
>>> happens.
>>>
>>> My previous email:
>>>
>>> -- Before meaning that, I run squid 3.3.3 with no rock store files
>>> system support at compiled time and wccp just works fine.
>>>
>>> What else I need to check?
>>
>>
>> Okay.
>>
>> Rock storage type and SMP workers are two very different (although related)
>> features.
>> So the next thing to try is to see if a similar config with rock but not
>> "workers" SMP is working or not?
>>
>> Amos
>>
>>
>>> 
>>> Regards,
>>> Vantha
>>>
>>> On Tue, Mar 19, 2013 at 4:16 PM, Amos Jeffries 
>>> wrote:

>>>> On 19/03/2013 9:27 p.m., Sokvantha YOUK wrote:
>>>>>
>>>>> Dear All,
>>>>>
>>>>> I am appreciate your expert advices on this matter :). I have tried
>>>>> with following configuration but it is strange that WCCP2 is not
>>>>> initiated the communication with Cisco Router. I were using this
>>>>> configuration before, wccp2 was working fine.
>>>>
>>>>
>>>> What do you mean by "before" ?
>>>>   ... same Squid, same config working yesterday?
>>>>   ... SMP support enabled in older Squid before we coded it?
>>>>   ... or earlier releases without SMP support were working with WCCP?
>>>>
>>>>
>>>>
>>>>> Operation System: CentOS 6.4, x64 bits, Kernel 2.6.32-358.2.1.el6.x86_64
>>>>>
>>>>> Below is my configuration:
>>>>>
>>>>> 1. Disk mount option
>>>>> /dev/sdb1 /cache1 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sdc1 /cache2 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sdd1 /cache3 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sde1 /cache4 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sdf1 /cache5 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sdg1 /cache6 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sdh1 /cache7 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>> /dev/sdi1 /cache8 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>>>>>
>>>>> 2. Squid compiled option
>>>>> Squid Cache: Version 3.3.3-20130318-r12517
>>>>> configure options:  '--sysconfdir=/etc/squid'
>>>>> '--enable-follow-x-forwarded-for' '--enable-snmp'
>>>>> '--enable-linux-netfilter' '--enable-http-violations'
>>>>> '--enable-delay-pools' '--enable-storeio=diskd,aufs,ufs,rock'
>>>>> '--with-large-files' '--enable-removal-policies=lru,heap'
>>>>> '--enable-ltdl-convenience' '--with-logdir=/var/log/squid'
>>>>> '--enable-wccpv2' '--with-default-user=squid'
>>>>> '--enable-log-daemon-helpers' '--enable-build-info'
>>>>> '--enable-url-rewrite-helpers' '--enable-async-io=128'
>>>>>
>>>>> 3. Squid Configuration
>>>>> ###
>>>>> # wccpv2 configuration
>>>>> ###
>>>>> wccp2_router 
>>>>> wccp2_forwarding_method 2
>>>>> wccp2_return_method 2
>>>>> wccp_version 4
>>>>> wccp2_assignment_method 2
>>>>
>>>>
>>>> FYI: Since 3.2 the above magic numbers can all be written as textual
>>>> labels
>>>> for easier reading.
>>>>
>>>>
>>>>> wccp2_service dynamic 80 password=abc
>>>>> w

Re: [squid-users] wccp2 does not working

2013-03-19 Thread Amos Jeffries

On 19/03/2013 9:27 p.m., Sokvantha YOUK wrote:

> Dear All,
>
> I am appreciate your expert advices on this matter :). I have tried
> with following configuration but it is strange that WCCP2 is not
> initiated the communication with Cisco Router. I were using this
> configuration before, wccp2 was working fine.


What do you mean by "before" ?
 ... same Squid, same config working yesterday?
 ... SMP support enabled in older Squid before we coded it?
 ... or earlier releases without SMP support were working with WCCP?



> Operation System: CentOS 6.4, x64 bits, Kernel 2.6.32-358.2.1.el6.x86_64
>
> Below is my configuration:
>
> 1. Disk mount option
> /dev/sdb1 /cache1 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sdc1 /cache2 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sdd1 /cache3 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sde1 /cache4 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sdf1 /cache5 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sdg1 /cache6 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sdh1 /cache7 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
> /dev/sdi1 /cache8 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
>
> 2. Squid compiled option
> Squid Cache: Version 3.3.3-20130318-r12517
> configure options:  '--sysconfdir=/etc/squid'
> '--enable-follow-x-forwarded-for' '--enable-snmp'
> '--enable-linux-netfilter' '--enable-http-violations'
> '--enable-delay-pools' '--enable-storeio=diskd,aufs,ufs,rock'
> '--with-large-files' '--enable-removal-policies=lru,heap'
> '--enable-ltdl-convenience' '--with-logdir=/var/log/squid'
> '--enable-wccpv2' '--with-default-user=squid'
> '--enable-log-daemon-helpers' '--enable-build-info'
> '--enable-url-rewrite-helpers' '--enable-async-io=128'
>
> 3. Squid Configuration
> ###
> # wccpv2 configuration
> ###
> wccp2_router 
> wccp2_forwarding_method 2
> wccp2_return_method 2
> wccp_version 4
> wccp2_assignment_method 2


FYI: Since 3.2 the above magic numbers can all be written as textual 
labels for easier reading.



> wccp2_service dynamic 80 password=abc
> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
> wccp2_service dynamic 90 password=abc
> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>
> # Rockstore filesystem
> workers 4
> cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7
>
> cache_dir  rock /cache1 17 max-size=31000
> cache_dir  rock /cache2 17 max-size=31000
> cache_dir  rock /cache3 17 max-size=31000
> cache_dir  rock /cache4 17 max-size=31000
> cache_dir  rock /cache5 17 max-size=31000
> cache_dir  rock /cache6 17 max-size=31000
>
> # AUFS file system
> if ${process_number}=4
> cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
> endif
>
> I don't understand which directive impacted on WCCP2 protocol which
> prevented it from establishing communication with the router.
> So as result http traffic is not redirected to this squid server :(


If there is any way you can tcpdump the WCCP packets please do. The
latest versions of Wireshark are able to decipher the WCCP packets
properly now.



> May you help suggest me what else to check for the bug?


I am suspecting it is SMP support issue. WCCP code is not SMP aware. It
should theoretically be SMP agnostic in that all workers are pinging the
router and advertising the same details, so in theory the router just
gets 4x the normal HERE_I_AM packet pings.


Amos


[squid-users] wccp2 does not working

2013-03-19 Thread Sokvantha YOUK
Dear All,

I am appreciate your expert advices on this matter :). I have tried
with following configuration but it is strange that WCCP2 is not
initiated the communication with Cisco Router. I were using this
configuration before, wccp2 was working fine.

Operation System: CentOS 6.4, x64 bits, Kernel 2.6.32-358.2.1.el6.x86_64

Below is my configuration:

1. Disk mount option
/dev/sdb1 /cache1 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sdc1 /cache2 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sdd1 /cache3 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sde1 /cache4 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sdf1 /cache5 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sdg1 /cache6 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sdh1 /cache7 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0
/dev/sdi1 /cache8 ext4 defaults,noatime,nodiratime,noacl,barrier=0,data=writeback,commit=100 0 0

2. Squid compiled option
Squid Cache: Version 3.3.3-20130318-r12517
configure options:  '--sysconfdir=/etc/squid'
'--enable-follow-x-forwarded-for' '--enable-snmp'
'--enable-linux-netfilter' '--enable-http-violations'
'--enable-delay-pools' '--enable-storeio=diskd,aufs,ufs,rock'
'--with-large-files' '--enable-removal-policies=lru,heap'
'--enable-ltdl-convenience' '--with-logdir=/var/log/squid'
'--enable-wccpv2' '--with-default-user=squid'
'--enable-log-daemon-helpers' '--enable-build-info'
'--enable-url-rewrite-helpers' '--enable-async-io=128'

3. Squid Configuration
###
# wccpv2 configuration
###
wccp2_router 
wccp2_forwarding_method 2
wccp2_return_method 2
wccp_version 4
wccp2_assignment_method 2
wccp2_service dynamic 80 password=abc
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90 password=abc
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

# Rockstore filesystem
workers 4
cpu_affinity_map process_numbers=1,2,3,4 cores=1,3,5,7

cache_dir  rock /cache1 17 max-size=31000
cache_dir  rock /cache2 17 max-size=31000
cache_dir  rock /cache3 17 max-size=31000
cache_dir  rock /cache4 17 max-size=31000
cache_dir  rock /cache5 17 max-size=31000
cache_dir  rock /cache6 17 max-size=31000

# AUFS file system
if ${process_number}=4
cache_dir  aufs /cache7/squid/${process_number} 17 16 256 min-size=31001 max-size=2
cache_dir  aufs /cache8/squid/${process_number} 17 16 256 min-size=31001 max-size=2
endif

I don't understand which directive impacted on WCCP2 protocol which
prevented it from establishing communication with the router.
So as result http traffic is not redirected to this squid server :(

May you help suggest me what else to check for the bug?

---
Regards,
Vantha


[squid-users] WCCP2 - Page content doesn't display correctly over HTTPS

2013-03-07 Thread stephan.maurer
Hi Guys,

I've configured transparent proxying with squid and a Cisco router. 
HTTP is working without problems and HTTPS only for some sites.

When accessing a page over https the content isn't displayed correctly. is
like plain html without images and formatting.
the issue happens with firefox and chrome, with IE8 it works when I enable
"display blocked content".
The certificate I'm using on squid for HTTPS is self signed.
Probably that's why it happens.

Could someone please tell me if I use an official certificate will it work? 
Are there any issues that might appear?

Thanks.
Best regards







Re: [squid-users] WCCP2+tproxy and Cisco LNS

2012-07-14 Thread Eliezer Croitoru

On 7/14/2012 3:21 PM, Wayne Lee wrote:

> HI Eliezer
>
> Thanks for your reply.
>
>> <SNIP>
>>
>> if you could be more accurate about the cables setup and logic and not just
>> ip it can help understand things.
>
>
> squid-SwitchCisco router
>    |
>    |
>    |
>  gateway
>
> Cat 5 ethernet

to sort it..
if i do understand correctly the cisco router is the squid gateway..
and the gateway is another machine.
so the sessions flow is
forward:
client-->LNS-->switch-->squid-->--switch->LNS-->switch->GW-->the server
back:
server-->GW-->switch-->LNS-->switch-->squid-->switch-->LNS-->client

this is inefficient since you have one switch usage that can be changed.
and it explains your problem.



>> the problem is that the traffic that comes from the internet suppose to get
>> into the proxy machine but it's going to the client which is not listening
>> to the same socket.
>> wccp + tproxy dont play good together!!!
>> if you will run tcpdump on the client machine you will see packets of
>> sessions that started on the squid box arriving to it.
>> you dont need to be with this 3 days.
>> just buy a 1Gbit Ethernet card and put a small bridge between the cisco and
>> the next hop.
>
>
> I can add interfaces without problem as the squid box is a VM
>
> When running tcpdump on the client machine I do not see any return
> packets when using tproxy or DNAT methods.
>
> When using the DNAT method and running tcpdump on the squid box I can
> see the inbound request from the client and the return packets from
> the webserver but nothing gets returned to the client
>
> When using the tproxy method and running tcpdump on the squid box I
> can see the inbound request from the client but that request is not
> passed to squid and does not leave the squid box so no return packets
> are seen on squid or the client.

before implementing and testing anything you should first ask yourself 
what are your needs.
if it's an ISP or OFFICE environment that you do care about what client 
IP visibility to the world for any reason to be.
And to take in account that IPV6 days are coming and the only way to 
intercept it will be TPROXY you should go with TPROXY.


if you dont care for any reason there is about what IP the servers after 
this "Junction" will see then the Intercept way is good until IPV6 comes 
around.

you dont need to use DNAT you can use REDIRECT and it will be good.

i have tested it in my lab today just to make sure.


>> it depends.
>> you can always do something with vlans and stuff to make one interface act
>> like two.
>> with tproxy the traffic that comes from the proxy is the same as the one
>> that comes from the client.
>> 10.10.254.254 comes in and 10.10.254.254 comes out.
>> so the only options you have are:
>> use some routing technique such as routing map with next hop.
>> you can setup the cisco to send traffic to the squidbox using one ip that
>> squid will use as gw for the clients network.
>> and second ip to access the net and from the net.
>> this way squid will be a "router" on the way.
>> another option is the bridge thing with two networks cards.
>> you can play with vlans and bridge two vlans but it's pretty nasty to do so.
>>
>> Regards,
>> Eliezer
>
>
>
> Which method is the best way to go, DNAT or tproxy and what else can I
> do to debug the process?
>
> The final goal once testing is complete is to have 5 LNS's using the
> proxy, the proxy will be on a different subnet to the LNS's.
>
>
> Thanks
>
> Wayne

It's better to implement the TPROXY but beware as you know you must 
understand what is going on all the time.

first understand what TPROXY and INTERCEPT are:
when cache proxy intercepts a request the client only talks to the proxy 
and thinks he is talking to the origin server while squid is talking 
with the origin server with his own IP.

so routing rules are plain.. for the gw:
when you get ip from client send to squid.
when you get ip to the client send to client.
when you get ip from squid send to world.
when you get ip to squid send to squid.
simple routing.
wccp makes the routing interception more fault tolerance and scalable 
over couple proxies.


TPROXY packets can be identified only at level 2 with WCCP which seems 
to not work for me on one interface.

i have also seen that using cisco WAE and Policy-Based Routing.

what i would suggest is:
puts some routing rules based on acls\routing policies on each of the 
routers.
since the LNS routes can be changed always it's better to use the other 
gateway as the "interceptor".
client ->LNS1\2\3\4\5->GW->squid port 1\vlan 1 -> GW port 2\vlan 2 - 
internet.
internet-->GW-->SQUID port 2\vlan 2 -->GW port 1\vlan 1 -->LNS 
1\2\3\4\5-client.


this flow will give you better survivability and centralization.
i suppose the GW will use some kind of routing protocol to get clients 
IP routes.


you will need to use 2 pairs of /30 subnet for this setup.

on the GW machine you will need to do some routing based on dst and src 
ports of 80\8000\8080 etc.. to distinct www and other traffic.

you dont need traffic other then www to be routed to 

Re: [squid-users] WCCP2+tproxy and Cisco LNS

2012-07-14 Thread Wayne Lee
HI Eliezer

Thanks for your reply.

> <SNIP>
>
> if you could be more accurate about the cables setup and logic and not just
> ip it can help understand things.


squid-SwitchCisco router
   |
   |
   |
 gateway

Cat 5 ethernet


>>
> the problem is that the traffic that comes from the internet suppose to get
> into the proxy machine but it's going to the client which is not listening
> to the same socket.
> wccp + tproxy dont play good together!!!
> if you will run tcpdump on the client machine you will see packets of
> sessions that started on the squid box arriving to it.
> you dont need to be with this 3 days.
> just buy a 1Gbit Ethernet card and put a small bridge between the cisco and
> the next hop.

I can add interfaces without problem as the squid box is a VM

When running tcpdump on the client machine I do not see any return
packets when using tproxy or DNAT methods.

When using the DNAT method and running tcpdump on the squid box I can
see the inbound request from the client and the return packets from
the webserver but nothing gets returned to the client

When using the tproxy method and running tcpdump on the squid box I
can see the inbound request from the client but that request is not
passed to squid and does not leave the squid box so no return packets
are seen on squid or the client.




> it depends.
> you can always do something with vlans and stuff to make one interface act
> like two.
> with tproxy the traffic that comes from the proxy is the same as the one
> that comes from the client.
> 10.10.254.254 comes in and 10.10.254.254 comes out.
> so the only options you have are:
> use some routing technique such as routing map with next hop.
> you can setup the cisco to send traffic to the squidbox using one ip that
> squid will use as gw for the clients network.
> and second ip to access the net and from the net.
> this way squid will be a "router" on the way.
> another option is the bridge thing with two networks cards.
> you can play with vlans and bridge two vlans but it's pretty nasty to do so.
>
> Regards,
> Eliezer


Which method is the best way to go, DNAT or tproxy and what else can I
do to debug the process?

The final goal once testing is complete is to have 5 LNS's using the
proxy, the proxy will be on a different subnet to the LNS's.


Thanks

Wayne


Re: [squid-users] WCCP2+tproxy and Cisco LNS

2012-07-14 Thread Eliezer Croitoru

On 7/13/2012 2:33 PM, Wayne Lee wrote:

Hello List

My first post here but have been using squid for a while.

Trying to implement a transparent proxy for some of our DSL users.
I've setup a test LNS on a Cisco 2821, the connections come in via the
standard PPPoA and are sent via L2TP from the provider. Standard stuff
which works.  WCCPv2 is setup and working OK, I can see the packets
arriving on the box. The trouble I'm having is that the packets are
arriving on the squid box but don't seem to be diverted into squid
daemon.

Details

LNS = Cisco 2821, (C2800NM-SPSERVICESK9-M), Version 12.4(3b). LNS is
acting as a router on a stick (1 active interface)

(IP's changed to protect the guilty. NAT is not used in this network)

LNS IP = 172.16.254.253 /30
LNS GW = 172.16.254.254 /30
DSL user IP = 10.10.254.254 /32


SNIP>

if you could be more accurate about the cables setup and logic and not 
just ip it can help understand things.



Packet traces

traffic from dsl connection directed via wccp to squid

root@squid:~# !tcpdump
tcpdump -niwccp0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wccp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:19:54.287278 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S], seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2009935 ecr 0,nop,wscale 4], length 0
12:19:54.445694 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S], seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2009975 ecr 0,nop,wscale 4], length 0
12:19:55.285531 IP 10.10.254.254.46360 > 80.239.148.170.80: Flags [S], seq 975284290, win 13600, options [mss 1360,sackOK,TS val 2010185 ecr 0,nop,wscale 4], length 0
12:19:55.445826 IP 10.10.254.254.46361 > 80.239.148.170.80: Flags [S], seq 1791319806, win 13600, options [mss 1360,sackOK,TS val 2010225 ecr 0,nop,wscale 4], length 0

the problem is that the traffic that comes from the internet suppose to 
get into the proxy machine but it's going to the client which is not 
listening to the same socket.

wccp + tproxy dont play good together!!!
if you will run tcpdump on the client machine you will see packets of 
sessions that started on the squid box arriving to it.

you dont need to be with this 3 days.
just buy a 1Gbit Ethernet card and put a small bridge between the cisco 
and the next hop.





I have followed several guides on the wiki, tried different distro's,
DNAT without Tproxy and now with Tproxy. Any pointers on where I'm
going wrong will be helpful as I've been at this for 3 days now. If I
set this up in a "normal" network with LAN, WAN and squid being the
gateway device it works in non-transparent and transparent modes. This
feels like a issue with the DSL connections being rejected by squid or
iptables but I'm at a loss to explain where or how.

When tested using the DNAT method the packets were routed via the
squid box although still bypassed the squid daemon, the packets would
return from the webserver but were then dropped. Using the Tproxy
method shows the packets never getting to squid and not leaving the
box to the webserver.

Do I require multiple interfaces on the squid box and maybe use
ebtables or is what I'm trying to achieve possible on 1 interface ?


it depends.
you can always do something with vlans and stuff to make one interface 
act like two.
with tproxy the traffic that comes from the proxy is the same as the one 
that comes from the client.

10.10.254.254 comes in and 10.10.254.254 comes out.
so the only options you have are:
use some routing technique such as routing map with next hop.
you can setup the cisco to send traffic to the squidbox using one ip 
that squid will use as gw for the clients network.

and second ip to access the net and from the net.
this way squid will be a "router" on the way.
another option is the bridge thing with two networks cards.
you can play with vlans and bridge two vlans but it's pretty nasty to do so.

Regards,
Eliezer



Thanks for reading


Wayne




--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer  ngtech.co.il




[squid-users] WCCP2+tproxy and Cisco LNS

2012-07-13 Thread Wayne Lee
Hello List

My first post here but have been using squid for a while.

Trying to implement a transparent proxy for some of our DSL users.
I've setup a test LNS on a Cisco 2821, the connections come in via the
standard PPPoA and are sent via L2TP from the provider. Standard stuff
which works.  WCCPv2 is setup and working OK, I can see the packets
arriving on the box. The trouble I'm having is that the packets are
arriving on the squid box but don't seem to be diverted into squid
daemon.

Details

LNS = Cisco 2821, (C2800NM-SPSERVICESK9-M), Version 12.4(3b). LNS is
acting as a router on a stick (1 active interface)

(IP's changed to protect the guilty. NAT is not used in this network)

LNS IP = 172.16.254.253 /30
LNS GW = 172.16.254.254 /30
DSL user IP = 10.10.254.254 /32

interface GigabitEthernet0/0
 description TEST-LNS
 ip address 172.16.254.253 255.255.255.252
 ip wccp redirect exclude in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled

interface Virtual-Template99
 ip unnumbered GigabitEthernet0/0
 ip wccp 80 redirect in
 ip wccp 90 redirect out
 peer default ip address pool dsl
 ppp authentication pap chap dsl
 ppp accounting dsl
end

ip wccp web-cache
ip wccp 80 redirect-list 100
ip wccp 90 redirect-list 100

access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 100 permit ip any 10.0.0.0 0.255.255.255

test-lns#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   172.16.254.253
Protocol Version:2.0

Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers:   0
Total Packets Redirected:1180
Process: 0
Fast:0
CEF: 1180
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:48
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0

Service Identifier: 80
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:1003
Process: 0
Fast:0
CEF: 1003
Redirect access-list:100
Total Packets Denied Redirect:   0
Total Packets Unassigned:12
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0

Service Identifier: 90
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:0
Process: 0
Fast:0
CEF: 0
Redirect access-list:100
Total Packets Denied Redirect:   0
Total Packets Unassigned:11
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0
Total Bypassed Packets Received: 0


Squid box = Debian Wheezy, iptables v1.4.14, Squid Cache: Version
3.1.20 (also one interface)

root@squid:~# uname -a
Linux squid 3.2.0-3-amd64 #1 SMP Thu Jun 28 09:07:26 UTC 2012 x86_64 GNU/Linux


eth0 = 172.16.254.2 /30
gw = 172.16.254.1 /30
wccp0 = 172.16.254.2 /32
rp_filter = disabled
forwarding = enabled

egrep -v "^#|^$" /etc/squid3/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
http_port localhost:3129 tproxy tcpkeepalive=60,10,6 disable-pmtu-discovery=transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_p

[squid-users] WCCP2 / HTTPS /Squid3

2012-04-13 Thread Todd Smith
Hey all,

I'm doing some research into the subject of having Squid3.0 work through WCCP2 
to such that CONNECT based ACLs work in the same manner as a straight browser 
connected proxy.

Is there a straight answer to this question?  Some are claiming WCCP2 working 
with HTTPS connections and other posts are saying that its impossible or 
possible but without being fully transparent.

I'm scouring the web for examples but if anyone has any specific information on 
how to get HTTPS connections redirected to WCCP and thus squid they would be 
infinitely helpful.

In regards to version information I am using an ASA 5510, with Squid 3.1.11, I 
have base WCCP working with HTTP connections all through the same router 
interface.  I can provide configuration examples if needed but I'd like to 
surmise if what I'm after is possible first and foremost.

Thanks,
Todd



[squid-users] WCCP2 not working with squid 3.1.10 with tproxy

2011-05-08 Thread AZHAR CHOWDHURY
Hi,
We are following Squid's wiki to configure Squid 3.1.10 with TPROXY and wccp2.
http://wiki.squid-cache.org/Features/Tproxy4#Minimum_Requirements_.28IPv4.29
But no fruitful result yet and nothing showing at access.log.
I guess we messed up with CISCO, following is the configuration,
looking forward for correction suggestion:
=

ip wccp 80
ip wccp 90
!
!
!
interface GigabitEthernet6/1
 description *** Connection to Core Router *** Connection to Core Route
 ip address 202.125.64.251 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 90 redirect out
 ip route-cache flow
 no ip mroute-cache
 ip ospf flood-reduction
 no cdp enable
!
!
interface GigabitEthernet6/7
 ip address 203.83.175.209 255.255.255.252
 ip access-group 125 in
 ip access-group 173 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp redirect exclude in
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
!
!
interface GigabitEthernet6/9
  ip address 203.191.33.23 255.255.255.0
 ip access-group 125 in
 ip access-group 173 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip wccp 80 redirect out
 ip route-cache flow
 no ip mroute-cache
 ip ospf flood-reduction
 no cdp enable
!

-

mynet#sh ip wccp
Global WCCP information:
Router information:
Router Identifier:   203.83.175.251
Protocol Version:2.0

Service Identifier: 80
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:16685
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:4342
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0

Service Identifier: 90
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:0
Redirect access-list:-none-
Total Packets Denied Redirect:   0
Total Packets Unassigned:0
Group access-list:   -none-
Total Messages Denied to Group:  0
Total Authentication failures:   0

mynet#
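
A parser for `sh ip wccp` output in the layout posted above, as an added example that is not part of the original post: it groups the counters by service identifier and notes service groups with no cache engine, no redirected packets, or unassigned packets. The sample text and its counters are constructed, and the function names are this example's own.

```python
"""Summarise `show ip wccp` output per service group and note counters worth a look."""

# Constructed sample in the layout of the router output posted in the thread
# (field names as posted; addresses and counters are made up for the example).
SAMPLE_SHOW_IP_WCCP = """\
Global WCCP information:
Router information:
Router Identifier:   192.0.2.1
Protocol Version:2.0

Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers:   0
Total Packets Redirected:0
Total Packets Unassigned:48
Total Authentication failures:   0

Service Identifier: 80
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:1003
Redirect access-list:100
Total Packets Unassigned:12
Total Authentication failures:   0

Service Identifier: 90
Number of Cache Engines: 1
Number of routers:   1
Total Packets Redirected:0
Redirect access-list:100
Total Packets Unassigned:0
Total Authentication failures:   0
"""


def parse_show_ip_wccp(text):
    """Return (global_info, {service_id: {field: value}}); numeric values become int."""
    global_info, services, current = {}, {}, None
    for raw in text.splitlines():
        # Split on the first colon only, so values may contain colons themselves.
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue
        if key == "Service Identifier":
            current = services.setdefault(value, {})
            continue
        if value == "":
            continue  # section headings such as "Router information:"
        target = global_info if current is None else current
        target[key] = int(value) if value.isdigit() else value
    return global_info, services


def _num(fields, key):
    """Counter value as int; missing or non-numeric fields count as 0."""
    value = fields.get(key, 0)
    return value if isinstance(value, int) else 0


def flag_services(services):
    """Map each service id to a list of observations about its counters."""
    findings = {}
    for service_id, fields in services.items():
        notes = []
        if _num(fields, "Number of Cache Engines") == 0:
            notes.append("no cache engine registered")
        elif _num(fields, "Total Packets Redirected") == 0:
            notes.append("cache engine registered but nothing redirected")
        if _num(fields, "Total Packets Unassigned") > 0:
            notes.append("packets seen with no cache engine assigned")
        if _num(fields, "Total Authentication failures") > 0:
            notes.append("authentication failures between router and cache")
        findings[service_id] = notes
    return findings


if __name__ == "__main__":
    info, groups = parse_show_ip_wccp(SAMPLE_SHOW_IP_WCCP)
    print("router:", info.get("Router Identifier"))
    for service_id, notes in flag_services(groups).items():
        print(service_id, "->", "; ".join(notes) or "nothing flagged")
```
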


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-27 Thread Shawn Wright

- "Amos Jeffries"  wrote:

> Shawn Wright wrote:
> > Got it working after closer inspection of tcpdump output, which
> revealed a routing problem.
> > 
> > Now I need to move on to SSL traffic. We are using Squid 2.6-20 in
> production, so clearly we need to upgrade to use SSLbump. Which
> version of squid is considered most stable for use with SSLbump, in
> conjunction with many ACLs and delay pools. 
> > 
> > Thanks
> > 
> 
> I should mention that SSL Bump only works for browsers configured 
> explicitly to know the proxy is there and also to trust the proxy 
> generated SSL certificates.

I have seen a few people mentioning it can work in transparent (redirect) mode, 
but I'd rather not venture into unsupported territory in a production 
environment. Our focus now is to get the most seamless solution using NAT for 
SSL traffic, and transparent proxy for http traffic, while still providing as 
much control over SSL as possible. 

We use OpenDNS for filtering, but NAT of SSL will not allow us to prevent a 
user from specifying an https proxy by IP. This is a problem...

 


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-27 Thread Amos Jeffries

Nyamul Hassan wrote:

Hi,

Sometime ago, a sales pitch from a very well known proxy vendor,
claimed to have SSL working seamlessly through their cache. Does
anyone know of a commercial proxy solution that can work without this
explicit config on the client side?


A TCP-level proxy is needed to legally do that. Squid does not pass 
packets through anonymously, but requires the HTTP headers to be visible 
for security checks.


HTTPS is designed specifically to prevent middleware decrypting traffic 
without the client being informed. Which is why the client needs to 
trust the proxy.





On 2010-08-27, Amos Jeffries  wrote:

Shawn Wright wrote:

Got it working after closer inspection of tcpdump output, which revealed a
routing problem.

Now I need to move on to SSL traffic. We are using Squid 2.6-20 in
production, so clearly we need to upgrade to use SSLbump. Which version of
squid is considered most stable for use with SSLbump, in conjunction with
many ACLs and delay pools.

Thanks


I should mention that SSL Bump only works for browsers configured
explicitly to know the proxy is there and also to trust the proxy
generated SSL certificates.




Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-27 Thread Nyamul Hassan
Hi,

Sometime ago, a sales pitch from a very well known proxy vendor,
claimed to have SSL working seamlessly through their cache. Does
anyone know of a commercial proxy solution that can work without this
explicit config on the client side?

Regards,
HASSAN


On 2010-08-27, Amos Jeffries  wrote:
> Shawn Wright wrote:
>> Got it working after closer inspection of tcpdump output, which revealed a
>> routing problem.
>>
>> Now I need to move on to SSL traffic. We are using Squid 2.6-20 in
>> production, so clearly we need to upgrade to use SSLbump. Which version of
>> squid is considered most stable for use with SSLbump, in conjunction with
>> many ACLs and delay pools.
>>
>> Thanks
>>
>
> I should mention that SSL Bump only works for browsers configured
> explicitly to know the proxy is there and also to trust the proxy
> generated SSL certificates.
>
> Amos
> --
> Please be using
>Current Stable Squid 2.7.STABLE9 or 3.1.7
>Beta testers wanted for 3.2.0.1
>

-- 
Sent from my mobile device


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-27 Thread Amos Jeffries

Shawn Wright wrote:

Got it working after closer inspection of tcpdump output, which revealed a 
routing problem.

Now I need to move on to SSL traffic. We are using Squid 2.6-20 in production, so clearly we need to upgrade to use SSLbump. Which version of squid is considered most stable for use with SSLbump, in conjunction with many ACLs and delay pools. 


Thanks



I should mention that SSL Bump only works for browsers configured 
explicitly to know the proxy is there and also to trust the proxy 
generated SSL certificates.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-26 Thread Amos Jeffries

Shawn Wright wrote:

Got it working after closer inspection of tcpdump output, which revealed a 
routing problem.

Now I need to move on to SSL traffic. We are using Squid 2.6-20 in production, so clearly we need to upgrade to use SSLbump. Which version of squid is considered most stable for use with SSLbump, in conjunction with many ACLs and delay pools. 



3.1.7 for sslbump.

Most of the 2.6 configurable features work in that version. But its 
still worth checking the list of feature-regressions in the 3.1 release 
notes to ensure nothing you need is unavailable.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.7
  Beta testers wanted for 3.2.0.1


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-26 Thread Shawn Wright
Got it working after closer inspection of tcpdump output, which revealed a 
routing problem.

Now I need to move on to SSL traffic. We are using Squid 2.6-20 in production, 
so clearly we need to upgrade to use SSLbump. Which version of squid is 
considered most stable for use with SSLbump, in conjunction with many ACLs and 
delay pools. 

Thanks

> - "Amos Jeffries"  wrote:
> Sorry, that last reply was meant for the list. I checked into the
> rp_filter setting:
> 
> net.ipv4.conf.lo.rp_filter = 0
> net.ipv4.conf.lo.arp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.all.arp_filter = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.default.arp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
> net.ipv4.conf.eth0.arp_filter = 0
> net.ipv4.conf.eth1.rp_filter = 0
> net.ipv4.conf.eth1.arp_filter = 0
> net.ipv4.conf.gre0.rp_filter = 0
> net.ipv4.conf.gre0.arp_filter = 0
> 
> Also, the tcpdump from the client shows nothing coming back to it,
> just the outgoing SYN.
> 
> 
> Regards, 
> 
> 
> Shawn Wright 
> I.T. Manager, Shawnigan Lake School 
> http://www.shawnigan.ca


Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-26 Thread Shawn Wright
- "Amos Jeffries"  wrote:

> Um, ACK means *something* accepted the connection and responded to the
> client box. All things working that should have been Squid.

This is the part that puzzles me. I'm not sure what is accepting it, if not 
squid.

> The usual source of this behaviour is admin overlooking the fact that the
> Squid box in these setups is a router (which *happens* to only route port
> 80 traffic passed in by the WCCP, but still routing). It requires packet
> forwarding to be working and rp_filter to be disabled.
> 
> By "I enable proxy to 72.2.0.4:80"  do you mean configuring the browser to
> use a proxy at 72.2.0.4:80 ?
> Or that you configure Squid to listen on 72.2.0.4:80 ?

I change the browser to use proxy, and it works fine. No changes made on the 
squid box. 

I have been advised to get a tcpdump from the client, which I will do next. I 
will look into rp_filter setting also.

===

Sorry, that last reply was meant for the list. I checked into the rp_filter 
setting:

net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.gre0.arp_filter = 0

Also, the tcpdump from the client shows nothing coming back to it, just the 
outgoing SYN.


Regards, 


Shawn Wright 
I.T. Manager, Shawnigan Lake School 
http://www.shawnigan.ca 
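
The rp_filter listing above, checked the way the quoted advice describes (packet forwarding working, rp_filter disabled), as an added example that is not part of the thread. The sample input is constructed and the function names are this example's own; the per-interface value is computed as the maximum of `conf.all` and `conf.<iface>`, which is how the Linux kernel applies rp_filter.

```python
"""Audit `sysctl -a` style output for the settings an interception box needs:
IPv4 forwarding on, reverse-path filtering off on every interface."""
import re

# Constructed sample in the format of the listing posted in the thread.
# ip_forward=0 and eth1 rp_filter=1 are set deliberately to produce findings.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth1.arp_filter = 0
net.ipv4.conf.gre0.rp_filter = 0
net.ipv4.conf.gre0.arp_filter = 1
"""

LINE_RE = re.compile(r"^\s*([\w./\-]+)\s*=\s*(\S+)\s*$")
# The leading "\." keeps arp_filter keys from matching.
RP_FILTER_RE = re.compile(r"^net\.ipv4\.conf\.(.+)\.rp_filter$")


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict, ignoring anything else."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def effective_rp_filter(settings):
    """Per-interface rp_filter as the kernel applies it: max(all, interface)."""
    values = {}
    for key, value in settings.items():
        match = RP_FILTER_RE.match(key)
        if match and value.isdigit():
            values[match.group(1)] = int(value)
    all_value = values.pop("all", 0)
    values.pop("default", None)  # template for interfaces created later
    return {iface: max(all_value, value) for iface, value in values.items()}


def audit(text):
    """Return a list of findings; an empty list means both settings look right."""
    settings = parse_sysctl(text)
    findings = []
    forward = settings.get("net.ipv4.ip_forward")
    if forward is None:
        findings.append("net.ipv4.ip_forward not present in input")
    elif forward != "1":
        findings.append("net.ipv4.ip_forward = %s (forwarding is off)" % forward)
    for iface, value in sorted(effective_rp_filter(settings).items()):
        if value != 0:
            findings.append("rp_filter effective value %d on %s" % (value, iface))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SYSCTL) or ["no findings"]:
        print(finding)
```
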



Re: [squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-25 Thread Amos Jeffries
On Wed, 25 Aug 2010 15:47:18 -0700 (PDT), Shawn Wright
 wrote:
> Hello, 
> 
> I've been trying to get a transparent squid setup to work with our Cisco
> Cat 6500 MSFC layer 3 switch, which supports WCCP2 with L2 redirect (not
> GRE). I can see the traffic reaching the squid box, and using a shorewall
> redirect rule, it should be reaching squid on port 3128, but I see no
> evidence of this in squid logs. 
> 
> tcpdump on the squid box shows this: 
> 
> 14:58:00.929489 IP 10.3.5.23.2565 > 136.1.241.33.80: S
> 4047376542:4047376542(0) win 65535  
> 14:58:00.929745 IP 136.1.241.33.80 > 10.3.5.23.2565: S
> 2225419399:2225419399(0) ack 4047376543 win 5840  

Um, ACK means *something* accepted the connection and responded to the
client box. All things working that should have been Squid.

> 
> 10.3.5.23 is the client using a webbrowser to hit 136.1.241.33, with no
> proxy set. 
> If I enable proxy to 72.2.0.4:80, squid works correctly, which confirms
> the redirect for port 80->3128 on the squid box is working. 
> 
> I'd appreciate some ideas on tracking down where this traffic is going.

The usual source of this behaviour is admin overlooking the fact that the
Squid box in these setups is a router (which *happens* to only route port
80 traffic passed in by the WCCP, but still routing). It requires packet
forwarding to be working and rp_filter to be disabled.

By "I enable proxy to 72.2.0.4:80"  do you mean configuring the browser to
use a proxy at 72.2.0.4:80 ?
Or that you configure Squid to listen on 72.2.0.4:80 ?


Amos


[squid-users] WCCP2 L2 redirect with Squid transparent

2010-08-25 Thread Shawn Wright

Hello, 

I've been trying to get a transparent squid setup to work with our Cisco Cat 
6500 MSFC layer 3 switch, which supports WCCP2 with L2 redirect (not GRE). I 
can see the traffic reaching the squid box, and using a shorewall redirect 
rule, it should be reaching squid on port 3128, but I see no evidence of this 
in squid logs. 

tcpdump on the squid box shows this: 

14:58:00.929489 IP 10.3.5.23.2565 > 136.1.241.33.80: S 4047376542:4047376542(0) win 65535
14:58:00.929745 IP 136.1.241.33.80 > 10.3.5.23.2565: S 2225419399:2225419399(0) ack 4047376543 win 5840

10.3.5.23 is the client using a webbrowser to hit 136.1.241.33, with no proxy 
set. 
If I enable proxy to 72.2.0.4:80, squid works correctly, which confirms the 
redirect for port 80->3128 on the squid box is working. 

I'd appreciate some ideas on tracking down where this traffic is going. 


Thanks 

Shawn Wright 
I.T. Manager, Shawnigan Lake School 
http://www.shawnigan.ca 



[squid-users] wccp2+tproxy4+squid 3.1 last

2009-08-15 Thread Alexandre Correa
Hello,
i'm trying to set up tproxy4 + wccp2 + squid 3.1 but i don't know what happens..

squid + wccp2 works fine..

my network scheme: http://img269.imageshack.us/img269/2286/19551413.jpg

my squid.conf:
http_port 3129 tproxy transparent

..
wccp2_router 66.0.0.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_address 66.0.0.3

wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=dst_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=src_ip_hash,ports_source priority=240 ports=80


iptables:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100


cisco:

!
ip wccp 80
ip wccp 90
!
interface FastEthernet 0/0
   ip wccp 80 redirect in
   ip wccp 90 redirect out
!


i can see packets coming from router to wccp0 interface on linux...
but can't access web

where is the problem ?!

thanks !!

-- 
Sds.

Alexandre Jeronimo Correa

Onda Internet
www.onda.net.br

IPV6 Ready !
www.ipv6.onda.net.br


Re: [squid-users] WCCP2 service info

2008-12-15 Thread Henrik Nordstrom
On Sun, 2008-12-14 at 20:47 +, kgardenia42 wrote:

> Yeah I thought so too but unless I missed something that doesn't
> appear to work, or not on the latest 2.7 release.  For the record, I
> was able to get it working by commenting out these lines :
> 
> if (!(flags & WCCP2_SERVICE_PORTS_DEFINED)) {
>     fatalf("parse_wccp2_service_info: service %d: no ports defined!\n", service_id);
> }

Please file a bug report and we will get that fixed.

  http://bugs.squid-cache.org/

Regards
Henrik



Re: [squid-users] WCCP2 service info

2008-12-14 Thread kgardenia42
On Tue, Dec 9, 2008 at 12:56 AM, Henrik Nordstrom
 wrote:
> Mon 2008-12-08 at 20:51 + kgardenia42 wrote:
>> Hi,
>>
>> When defining a wccp2 dynamic service group it seems that it only
>> allows for a finite list of up to 8 ports which should be redirected
>> to the squid box.  In my case I don't want to statically list the
>> ports to be redirected in the squid config and 8 is too few.
>>
>> Is there any way, whether in wccp2 config or router config, that I can
>> say "just redirect all ports to the squid box"?
>
> Should be to just define a service with no ports specified.

Yeah I thought so too but unless I missed something that doesn't
appear to work, or not on the latest 2.7 release.  For the record, I
was able to get it working by commenting out these lines :

if (!(flags & WCCP2_SERVICE_PORTS_DEFINED)) {
    fatalf("parse_wccp2_service_info: service %d: no ports defined!\n", service_id);
}

Thanks.


Re: [squid-users] WCCP2 service info

2008-12-08 Thread Henrik Nordstrom
Mon 2008-12-08 at 20:51 + kgardenia42 wrote:
> Hi,
> 
> When defining a wccp2 dynamic service group it seems that it only
> allows for a finite list of up to 8 ports which should be redirected
> to the squid box.  In my case I don't want to statically list the
> ports to be redirected in the squid config and 8 is too few.
> 
> Is there any way, whether in wccp2 config or router config, that I can
> say "just redirect all ports to the squid box"?

Should be to just define a service with no ports specified.

Regards
Henrik



[squid-users] WCCP2 service info

2008-12-08 Thread kgardenia42
Hi,

When defining a wccp2 dynamic service group it seems that it only
allows for a finite list of up to 8 ports which should be redirected
to the squid box.  In my case I don't want to statically list the
ports to be redirected in the squid config and 8 is too few.

Is there any way, whether in wccp2 config or router config, that I can
say "just redirect all ports to the squid box"?

Thanks.


RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

2008-02-27 Thread Miraj Shah
Hi, spoke too soon. Was working for a few hours, then it started to fail again. 
Nothing changed on the network, can't figure this out. Perhaps I should give up 
running squid as a transparent proxy. :'(


Miraj.

-----Original Message-----
From: Miraj Shah [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 26, 2008 12:19 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail 
not working


Hi all,

I made progress to get this to work. Thanks to Adrian's suggestion :-)

http_port 127.0.0.1:3128 transparent disable-pmtu-discovery=always

Kind Regards,

Miraj Shah.



-----Original Message-----
From: Miraj Shah [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 15, 2008 4:34 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail 
not working

Hi,

Thanks for this. I have put the acls... but what to do with them?

header_access Accept-Encoding deny Hotmail
header_access Accept-Encoding deny Gmail
header_access Accept-Encoding deny GmailUrlRegExp???

I noticed one thing, gmail/msn does open up eventually after about 5mins or 
so... but cant work inside any of the pages, yahoo is also starting to behave 
*almost* similar too...

Could my problem just be freebsd? Or squid 2.6?

Kind regards,

Miraj Shah.

-----Original Message-----
From: Davan Wong [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 14, 2008 9:11 PM
To: Miraj Shah; squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail 
not working

I required the following to allow Hotmail and Gmail:

acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com .mail.live.com .passport.com calendar.msn.com g.live.com 
acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com 
acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts 

These were used in combination with a couple other lines to allow Gmail
without allowing Google, and allowing Hotmail without allowing MSN or
Microsoft sites.

Davan Wong
World Health Club
Information Technology Department

 

> -----Original Message-----
> From: Miraj Shah [mailto:[EMAIL PROTECTED] 
> Sent: February 13, 2008 11:38 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail 
> and hotmail not working
> 
> Hello All,
> 
> I have run into some problems with a the two websites not 
> able to load when squid is configured with wccp2. I have 
> followed the example by Adrian Chadd, and the wiki:
> 
> http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
> 
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> 
> 
> Everything is working great until when we open up 
> http://mail.google.com and http://www.hotmail.com, the 
> websites open up ok, and you can enter the login credentials, 
> goes pass the https stage and just before getting to the 
> emails. The page goes quiet, and blank. Have tested this on 
> different computers and different browsers but get the same problem.
> 
> If I disable the squid, and let the users browse thru NAT on 
> the ASA, they are able to get thru to these two sites, also 
> when I reconfigure the squid to be non-transparent and change 
> the settings on my browser to point to the proxy, am able to 
> open the two sites in question.
> 
> I don't see anything unusual in cache.log or access.log
> 
> After googleing around for a bit, I came across a site that 
> mentioned lowering the MTU size on the GRE tunnel, which I 
> did to 1400 and 1390 but had no effect. (ifconfig gre0 mtu 1400)
> 
> For hotmail, the intercepting proxy guide mentions to put the 
> following entries on squid.conf, but that did not help:
> 
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
> 
> I know this is probably a repeated problem, though I hope 
> someone can assist. Do let me know if there are any other 
> details that you might need.
> 
> Many thanks, and kind regards,
> 
> Miraj Shah.
> 
> 
> 
> 
> here is a quick network diagram;
>  
> LAN - ASA - Router - Internet
>    |
>  Squid
>  
> below is the config i have set up:
>  
>  
> asa-firewall# sh run int vlan 10
> !
> interface Vlan10
>  description Internet Interface
>  nameif internet
>  security-level 0
>  ip address xxx.xxx.179.86 255.255.255.252
> 
> asa-firewall# sh run interface vlan 40
> !
> interface Vlan40
>  description Inside Interface
>  nameif inside
>  security-level 100
>  ip address 10.110.150.252 255.255.254.0
> 
> route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
> access-list inside_nat0_outbound extended permit ip an

RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

2008-02-26 Thread Miraj Shah

Hi all,

I made progress to get this to work. Thanks to Adrian's suggestion :-)

http_port 127.0.0.1:3128 transparent disable-pmtu-discovery=always

Kind Regards,

Miraj Shah.



-Original Message-
From: Miraj Shah [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 15, 2008 4:34 PM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail 
not working

Hi,

Thanks for this. I have put the acls... but what to do with them?

header_access Accept-Encoding deny Hotmail
header_access Accept-Encoding deny Gmail
header_access Accept-Encoding deny GmailUrlRegExp???

I noticed one thing, gmail/msn does open up eventually after about 5mins or 
so... but can't work inside any of the pages, yahoo is also starting to behave 
*almost* similar too...

Could my problem just be freebsd? Or squid 2.6?

Kind regards,

Miraj Shah.

-Original Message-
From: Davan Wong [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 14, 2008 9:11 PM
To: Miraj Shah; squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail 
not working

I required the following to allow Hotmail and Gmail:

acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com
.mail.live.com .passport.com calendar.msn.com g.live.com 
acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com 
acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts 

These were used in combination with a couple other lines to allow Gmail
without allowing Google, and allowing Hotmail without allowing MSN or
Microsoft sites.

Davan Wong
World Health Club
Information Technology Department

 

> -Original Message-
> From: Miraj Shah [mailto:[EMAIL PROTECTED] 
> Sent: February 13, 2008 11:38 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail 
> and hotmail not working
> 
> Hello All,
> 
> I have run into some problems with a the two websites not 
> able to load when squid is configured with wccp2. I have 
> followed the example by Adrian Chadd, and the wiki:
> 
> http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
> 
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> 
> 
> Everything is working great until when we open up 
> http://mail.google.com and http://www.hotmail.com, the 
> websites open up ok, and you can enter the login credentials, 
> goes pass the https stage and just before getting to the 
> emails. The page goes quiet, and blank. Have tested this on 
> different computers and different browsers but get the same problem.
> 
> If I disable the squid, and let the users browse thru NAT on 
> the ASA, they are able to get thru to these two sites, also 
> when I reconfigure the squid to be non-transparent and change 
> the settings on my browser to point to the proxy, am able to 
> open the two sites in question.
> 
> I don't see anything unusual in cache.log or access.log
> 
> After googleing around for a bit, I came across a site that 
> mentioned lowering the MTU size on the GRE tunnel, which I 
> did to 1400 and 1390 but had no effect. (ifconfig gre0 mtu 1400)
> 
> For hotmail, the intercepting proxy guide mentions to put the 
> following entries on squid.conf, but that did not help:
> 
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
> 
> I know this is probably a repeated problem, though I hope 
> someone can assist. Do let me know if there are any other 
> details that you might need.
> 
> Many thanks, and kind regards,
> 
> Miraj Shah.
> 
> 
> 
> 
> here is a quick network diagram;
>  
> LAN - ASA - Router - Internet
>    |
>  Squid
>  
> below is the config i have set up:
>  
>  
> asa-firewall# sh run int vlan 10
> !
> interface Vlan10
>  description Internet Interface
>  nameif internet
>  security-level 0
>  ip address xxx.xxx.179.86 255.255.255.252
> 
> asa-firewall# sh run interface vlan 40
> !
> interface Vlan40
>  description Inside Interface
>  nameif inside
>  security-level 100
>  ip address 10.110.150.252 255.255.254.0
> 
> route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
> access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.110.150.0 255.255.254.0
> wccp web-cache
> wccp interface inside web-cache redirect in
>  
> asa-firewall# sh wccp web-cache detail
> WCCP Cache-Engine information:
>     Web Cache ID:  10.110.150.253
>     Protocol Version:  2.0
>     State: Usable
>     Initial Hash Info: 

RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

2008-02-15 Thread Miraj Shah
Hi,

Thanks for this. I have put the acls... but what to do with them?

header_access Accept-Encoding deny Hotmail
header_access Accept-Encoding deny Gmail
header_access Accept-Encoding deny GmailUrlRegExp???

I noticed one thing, gmail/msn does open up eventually after about 5mins or 
so... but can't work inside any of the pages, yahoo is also starting to behave 
*almost* similar too...

Could my problem just be freebsd? Or squid 2.6?

Kind regards,

Miraj Shah.

-Original Message-
From: Davan Wong [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 14, 2008 9:11 PM
To: Miraj Shah; squid-users@squid-cache.org
Subject: RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail 
not working

I required the following to allow Hotmail and Gmail:

acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com
.mail.live.com .passport.com calendar.msn.com g.live.com 
acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com 
acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts 

These were used in combination with a couple other lines to allow Gmail
without allowing Google, and allowing Hotmail without allowing MSN or
Microsoft sites.

Davan Wong
World Health Club
Information Technology Department

 

> -Original Message-
> From: Miraj Shah [mailto:[EMAIL PROTECTED] 
> Sent: February 13, 2008 11:38 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail 
> and hotmail not working
> 
> Hello All,
> 
> I have run into some problems with a the two websites not 
> able to load when squid is configured with wccp2. I have 
> followed the example by Adrian Chadd, and the wiki:
> 
> http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
> 
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> 
> 
> Everything is working great until when we open up 
> http://mail.google.com and http://www.hotmail.com, the 
> websites open up ok, and you can enter the login credentials, 
> goes pass the https stage and just before getting to the 
> emails. The page goes quiet, and blank. Have tested this on 
> different computers and different browsers but get the same problem.
> 
> If I disable the squid, and let the users browse thru NAT on 
> the ASA, they are able to get thru to these two sites, also 
> when I reconfigure the squid to be non-transparent and change 
> the settings on my browser to point to the proxy, am able to 
> open the two sites in question.
> 
> I don't see anything unusual in cache.log or access.log
> 
> After googleing around for a bit, I came across a site that 
> mentioned lowering the MTU size on the GRE tunnel, which I 
> did to 1400 and 1390 but had no effect. (ifconfig gre0 mtu 1400)
> 
> For hotmail, the intercepting proxy guide mentions to put the 
> following entries on squid.conf, but that did not help:
> 
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
> 
> I know this is probably a repeated problem, though I hope 
> someone can assist. Do let me know if there are any other 
> details that you might need.
> 
> Many thanks, and kind regards,
> 
> Miraj Shah.
> 
> 
> 
> 
> here is a quick network diagram;
>  
> LAN - ASA - Router - Internet
>    |
>  Squid
>  
> below is the config i have set up:
>  
>  
> asa-firewall# sh run int vlan 10
> !
> interface Vlan10
>  description Internet Interface
>  nameif internet
>  security-level 0
>  ip address xxx.xxx.179.86 255.255.255.252
> 
> asa-firewall# sh run interface vlan 40
> !
> interface Vlan40
>  description Inside Interface
>  nameif inside
>  security-level 100
>  ip address 10.110.150.252 255.255.254.0
> 
> route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
> access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.110.150.0 255.255.254.0
> wccp web-cache
> wccp interface inside web-cache redirect in
>  
> asa-firewall# sh wccp web-cache detail
> WCCP Cache-Engine information:
>     Web Cache ID:  10.110.150.253
>     Protocol Version:  2.0
>     State: Usable
>     Initial Hash Info: 
>    
>     Assigned Hash Info:    
>    
>     Hash Allotment:    0 (0.00%)
>     Packets Redirected:    113242
>     Connect Time:  00:00:12
> 
> asa-firewall# sh wccp web-cache
> Global WCCP i

RE: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

2008-02-14 Thread Davan Wong
I required the following to allow Hotmail and Gmail:

acl Hotmail dstdomain .hotmail.com .hotmail.msn.com .login.live.com
.mail.live.com .passport.com calendar.msn.com g.live.com 
acl Gmail dstdomain .gmail.com mail.google.com ssl.google-analytics.com 
acl GmailUrlRegExp url_regex -i .google.com/accounts .google.ca/accounts 

These were used in combination with a couple other lines to allow Gmail
without allowing Google, and allowing Hotmail without allowing MSN or
Microsoft sites.

Davan Wong
World Health Club
Information Technology Department

 

> -Original Message-
> From: Miraj Shah [mailto:[EMAIL PROTECTED] 
> Sent: February 13, 2008 11:38 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail 
> and hotmail not working
> 
> Hello All,
> 
> I have run into some problems with a the two websites not 
> able to load when squid is configured with wccp2. I have 
> followed the example by Adrian Chadd, and the wiki:
> 
> http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29
> 
> http://wiki.squid-cache.org/SquidFaq/InterceptionProxy
> 
> 
> Everything is working great until when we open up 
> http://mail.google.com and http://www.hotmail.com, the 
> websites open up ok, and you can enter the login credentials, 
> goes pass the https stage and just before getting to the 
> emails. The page goes quiet, and blank. Have tested this on 
> different computers and different browsers but get the same problem.
> 
> If I disable the squid, and let the users browse thru NAT on 
> the ASA, they are able to get thru to these two sites, also 
> when I reconfigure the squid to be non-transparent and change 
> the settings on my browser to point to the proxy, am able to 
> open the two sites in question.
> 
> I don't see anything unusual in cache.log or access.log
> 
> After googleing around for a bit, I came across a site that 
> mentioned lowering the MTU size on the GRE tunnel, which I 
> did to 1400 and 1390 but had no effect. (ifconfig gre0 mtu 1400)
> 
> For hotmail, the intercepting proxy guide mentions to put the 
> following entries on squid.conf, but that did not help:
> 
> acl hotmail_domains dstdomain .hotmail.msn.com
> header_access Accept-Encoding deny hotmail_domains
> 
> I know this is probably a repeated problem, though I hope 
> someone can assist. Do let me know if there are any other 
> details that you might need.
> 
> Many thanks, and kind regards,
> 
> Miraj Shah.
> 
> 
> 
> 
> here is a quick network diagram;
>  
> LAN - ASA - Router - Internet
>    |
>  Squid
>  
> below is the config i have set up:
>  
>  
> asa-firewall# sh run int vlan 10
> !
> interface Vlan10
>  description Internet Interface
>  nameif internet
>  security-level 0
>  ip address xxx.xxx.179.86 255.255.255.252
> 
> asa-firewall# sh run interface vlan 40
> !
> interface Vlan40
>  description Inside Interface
>  nameif inside
>  security-level 100
>  ip address 10.110.150.252 255.255.254.0
> 
> route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
> access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.110.150.0 255.255.254.0
> wccp web-cache
> wccp interface inside web-cache redirect in
>  
> asa-firewall# sh wccp web-cache detail
> WCCP Cache-Engine information:
>     Web Cache ID:  10.110.150.253
>     Protocol Version:  2.0
>     State: Usable
>     Initial Hash Info: 
>    
>     Assigned Hash Info:    
>    
>     Hash Allotment:    0 (0.00%)
>     Packets Redirected:    113242
>     Connect Time:  00:00:12
> 
> asa-firewall# sh wccp web-cache
> Global WCCP information:
>     Router information:
>     Router Identifier:   xxx.xxx.179.86
>     Protocol Version:    2.0
>     Service Identifier: web-cache
>     Number of Cache Engines: 1
>     Number of routers:   1
>     Total Packets Redirected:    113242
>     Redirect access-list:    -none-
>     Total Connections Denied Redirect:   0
>     Total Packets Unassigned:    241
>     Group access-list:   -none-
>     Total Messages Denied to Group:  0
>     Total Authentication failures:   0
>     Total Bypassed Packet

[squid-users] WCCP2 + Cisco ASA + FreeBSD 6.3, gmail and hotmail not working

2008-02-14 Thread Miraj Shah
Hello All,

I have run into some problems with the two websites not able to load when 
squid is configured with wccp2. I have followed the example by Adrian Chadd, 
and the wiki:

http://wiki.squid-cache.org/ConfigExamples/FreeBsdAndWccp2?highlight=%28%5EConfigExamples/%5B%5E/%5D%2A%24%29

http://wiki.squid-cache.org/SquidFaq/InterceptionProxy


Everything is working great until when we open up http://mail.google.com and 
http://www.hotmail.com, the websites open up ok, and you can enter the login 
credentials, goes past the https stage and just before getting to the emails. 
The page goes quiet, and blank. Have tested this on different computers and 
different browsers but get the same problem.

If I disable the squid, and let the users browse thru NAT on the ASA, they are 
able to get thru to these two sites, also when I reconfigure the squid to be 
non-transparent and change the settings on my browser to point to the proxy, am 
able to open the two sites in question.

I don't see anything unusual in cache.log or access.log

After googling around for a bit, I came across a site that mentioned lowering 
the MTU size on the GRE tunnel, which I did to 1400 and 1390 but had no effect. 
(ifconfig gre0 mtu 1400)

For hotmail, the intercepting proxy guide mentions to put the following entries 
on squid.conf, but that did not help:

acl hotmail_domains dstdomain .hotmail.msn.com
header_access Accept-Encoding deny hotmail_domains

I know this is probably a repeated problem, though I hope someone can assist. 
Do let me know if there are any other details that you might need.

Many thanks, and kind regards,

Miraj Shah.




here is a quick network diagram;
 
LAN - ASA - Router - Internet
   |
 Squid
 
below is the config i have set up:
 
 
asa-firewall# sh run int vlan 10
!
interface Vlan10
 description Internet Interface
 nameif internet
 security-level 0
 ip address xxx.xxx.179.86 255.255.255.252

asa-firewall# sh run interface vlan 40
!
interface Vlan40
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.110.150.252 255.255.254.0

route internet 0.0.0.0 0.0.0.0 xxx.xxx.179.85 1
access-list inside_nat0_outbound extended permit ip any 10.110.150.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.110.150.0 255.255.254.0
wccp web-cache
wccp interface inside web-cache redirect in
 
asa-firewall# sh wccp web-cache detail
WCCP Cache-Engine information:
    Web Cache ID:  10.110.150.253
    Protocol Version:  2.0
    State: Usable
    Initial Hash Info: 
   
    Assigned Hash Info:    
   
    Hash Allotment:    0 (0.00%)
    Packets Redirected:    113242
    Connect Time:  00:00:12

asa-firewall# sh wccp web-cache
Global WCCP information:
    Router information:
    Router Identifier:   xxx.xxx.179.86
    Protocol Version:    2.0
    Service Identifier: web-cache
    Number of Cache Engines: 1
    Number of routers:   1
    Total Packets Redirected:    113242
    Redirect access-list:    -none-
    Total Connections Denied Redirect:   0
    Total Packets Unassigned:    241
    Group access-list:   -none-
    Total Messages Denied to Group:  0
    Total Authentication failures:   0
    Total Bypassed Packets Received: 0


asa-firewall# sh ver

Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"

sarova-firewall up 3 days 3 hours

Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW080 @ 0xffe0, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode   : CNlite-MC-Boot-Cisco-1.2
 SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Int: Internal-Data0/0    : address is 001b.531b.5bb2, irq 11
 1: Ext: Ethernet0/0 : address is 001b.531b.5baa, irq 255
 2: Ext: Ethernet0/1 : address is 001b.531b.5bab, irq 255
 3: Ext: Ethernet0/2 : address is 001b.531b.5bac, irq 255
 4: Ext: Ethernet0/3 : address is 001b.531b.5bad, irq 255
 5: Ext: Ethernet0/4 : address is 001b.531b.5bae, irq 255
 6: Ext: Ethernet0/5 : address is 001b.531b.5baf, irq 255
 7: Ext: Ethernet0/6 : address is 001b.531b.5bb0, irq 255
 8: Ext: Ethernet0/7 : address is 001b.531b.5bb1, irq 255
 9: Int: Internal-Data0/1    : address is .000

Re: [squid-users] WCCP2 and Router/Switch combo

2007-12-11 Thread Jason Taylor

Ryan Thoryk wrote:
> We currently have Squid set up as a GRE-based WCCP2 transparent proxy, 
> and are wondering if it can support both GRE and L2 modes 
> simultaneously - we have a couple Cisco 7200 routers pointing to it, 
> but are wanting to add a 3750 switch that has wccp2 support.
>
>
> Ryan Thoryk

If it doesn't, you could always configure a second squid instance 
listening to a different IP and/or port using a separate configuration file.


/Jason


[squid-users] WCCP2 and Router/Switch combo

2007-12-11 Thread Ryan Thoryk
We currently have Squid set up as a GRE-based WCCP2 transparent proxy, 
and are wondering if it can support both GRE and L2 modes simultaneously 
- we have a couple Cisco 7200 routers pointing to it, but are wanting to 
add a 3750 switch that has wccp2 support.


Ryan Thoryk



Re: [squid-users] WCCP2 FreeBSD bandwidth increasing

2007-02-10 Thread Amos Jeffries

Reid W. Johnson wrote:

> Hi everyone,
>
> I am experiencing a strange issue that is more than likely a
> configuration error. I have a FreeBSD(6.1) box running Squid 2.6(9)
> connecting to a Cisco 7206VXR running IOS 12.4. Everything appears to be
> running well and traffic is being cached by the squid server but when I
> start the squid server my utilization on my internet connection goes
> from 10Mbps up to 13-15Mbps. As soon as I shut off squid the utilization
> returns to previous levels. Not much point in having a caching server if
> your internet usage increases. Any ideas what I have done wrong, what
> information would be helpful to diagnose.
>
> Thanks,
> Reid



Take a good look at the machines that are trying to use squid (from 
which both directions and location).


I can think of two immediate possibilities, which may or not be right. 
You are the one in a position to know and test.


1) You have a few(?) machines configured to use a proxy for updates or 
something. When the squid is off they can't do anything (low bandwidth) 
but when its on they do their thing.


2) Is there a rule at the FW capping web usage for users or their 
netblocks , but excluding the server you have squid on? Heavy users 
getting a free web access would explain it.


You will get a better idea  yourself of whether its the above or 
something else by looking at the connections to-from squid when its active.



AYJ


[squid-users] WCCP2 FreeBSD bandwidth increasing

2007-02-09 Thread Reid W. Johnson
Hi everyone,

I am experiencing a strange issue that is more than likely a
configuration error. I have a FreeBSD(6.1) box running Squid 2.6(9)
connecting to a Cisco 7206VXR running IOS 12.4. Everything appears to be
running well and traffic is being cached by the squid server but when I
start the squid server my utilization on my internet connection goes
from 10Mbps up to 13-15Mbps. As soon as I shut off squid the utilization
returns to previous levels. Not much point in having a caching server if
your internet usage increases. Any ideas what I have done wrong, what
information would be helpful to diagnose.

Thanks,
Reid





Re: [squid-users] wccp2 - Squid 2.6.Stable6 - Fedora Core 6

2007-01-03 Thread Adrian Chadd
Try "show ip wccp web-cache detail", see what the hash assignment masks are.



Adrian

On Thu, Jan 04, 2007, tacoen wrote:
> Hi! I dig everywhere but could not found the answer of my recent wccp
> implementations
> 
> 
> in my router, I could see
> 
> sh ip wccp web-cache view
> 
> WCCP Routers Informed of:
> IP-OF-ROUTER
> 
> WCCP Cache Engines Visible:
> IP-OF-SQUID
> 
> WCCP Cache Engines NOT Visible:
> -none-
> 
> 
> In router term mon, i see:
> 
> 1d17h: WCCP-PKT:S00: Received valid Here_I_Am packet from IP-OF-SQUID
> w/rcv_id 1309
> 1d17h: WCCP-PKT:S00: Sending I_See_You packet to IP-OF-SQUID w/ rcv_id 
> 130A
> 
> and so on...
> 
> in my /var/log/squid/cache.log
> 
> 2007/01/04 02:53:32| wccp2HereIam: Called
> 2007/01/04 02:53:32| wccp2HereIam: sending to service id 0
> 2007/01/04 02:53:32| Sending HereIam packet size 144
> 2007/01/04 02:53:32| wccp2HandleUdp: Called.
> 2007/01/04 02:53:32| Incoming WCCPv2 I_SEE_YOU length 132.
> 2007/01/04 02:53:32| Complete packet received
> 2007/01/04 02:53:32| Incoming WCCP2_I_SEE_YOU Received ID old=4881 new=4882.
> 2007/01/04 02:53:32| Cleaning out cache list
> 2007/01/04 02:53:32| checking cache list: (a98e6e40:a98e6e40)
> 2007/01/04 02:53:32| Change not detected (26 = 26)
> 
> But in "sh ip wccp"
> 
> Global WCCP information:
>Router information:
>Router Identifier:   IP-OF-ROUTER
>Protocol Version:2.0
> 
>Service Identifier: web-cache
>Number of Cache Engines: 1
>Number of routers:   1
>Total Packets Redirected:0
>Redirect access-list:REDIRECTL
>Total Packets Denied Redirect:   0
>Total Packets Unassigned:0
>Group access-list:   SQUID
>Total Messages Denied to Group:  0
>Total Authentication failures:   0
> 
> In my squid.conf:
> 
> wccp2_router IP-OF-ROUTER
> wccp2_rebuild_wait on
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method 1
> wccp2_service standard 0
> wccp2_weight 1
> wccp2_address IP-OF-SQUID
> 
> My question is:  Why my Total Packets Redirected is 0 ?
> The number of object in squid cache is also not increasing also.
> 
> What wrong? I try to use wccp version 1, but it also got zero packets
> redirected.
> 
> 
> IP-OF-SQUID and IP-OF-ROUTER is on the same subnet. IP that being
> redirected is also on the same subnet.
> 
> What did happen?
> 
> 
> 
> The rest of references:
> 
> 
> 
> 
> #modprobe ip_gre
> #ip tunnel add gre0 mode gre remote 64.110.142.161 local
> 64.110.142.169 dev eth0
> #ip addr add 172.16.1.6/32 dev gre0
> #ip link set gre0 up
> 
> ifconfig
> 
> # ifconfig gre0
> gre0  Link encap:UNSPEC  HWaddr
> 00-00-00-00-05-08-28-2C-00-00-00-00-00-00-00-00
>  inet addr:172.16.1.6  Mask:255.255.255.255
>  UP RUNNING NOARP  MTU:1476  Metric:1
>  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>  TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>  collisions:0 txqueuelen:0
>  RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> 
> 
> #iptables -L -t nat -xnv
> 
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>pkts  bytes target prot opt in out source
> destination
>   00 DNAT   tcp  --  gre0   *   IPS-MYNET  !
> IPS-MYNET   tcp dpt:80 to:IP-OF-SQUID:3128
>   00 REDIRECT   tcp  --  gre0   *0.0.0.0/0
>0.0.0.0/0   tcp dpt:80 redir ports 3128
>   00 REDIRECT   tcp  --  eth0   *   0.0.0.0/0
>0.0.0.0/0   tcp dpt:80 redir ports 3128
> 
> 
> 
> As for router, I use
> 
> IOS (tm) C2600 Software (C2600-IS-M), Version 12.1(4), RELEASE SOFTWARE 
> (fc1)
> 
> sh run
> 
> --cut--
> 
> policy-map qos
> !
> ip subnet-zero
> no ip source-route
> ip wccp web-cache redirect-list REDIRECTL group-list SQUID
> no ip finger
> no ip domain-lookup
> 
> --cut--
> 
> interface FastEthernet0/1
> ip address MYNET MYNETMASK
> no ip unreachables
> ip wccp redirect exclude in
> ip wccp web-cache redirect out
> no ip mroute-cache
> duplex auto
> speed auto
> no cdp enable
> 
> --cut--
> 
> ip access-list standard SQUID
> permit IP-OF-SQUID
> !
> ip access-list extended REDIRECTL
> deny   ip host IP-OF-SQUID any
> permit ip any any
> 
> --cut--
> 
> 
> 
> Thanks in advance.
> 
> 
> -- 
> Oh, this is my hypertext version:
> http://tacoen.smedia.or.id
> http://www.flickr.com/photos/tacoen-and-tacoen/
> 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level bandwidth-capped VPSes available in WA -
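
Added example (not part of the thread and not Squid or Cisco tooling): a small parser for the `sh ip wccp` / `sh wccp web-cache` counters quoted in the two threads above, flagging the conditions the posters were trying to read by eye. The field names come from the posted output; the function names and finding codes are assumptions made for this illustration.

```python
import re

# Counters copied from the router output posted in the threads above.
IOS_GLOBAL = """\
Global WCCP information:
   Router information:
   Router Identifier:   IP-OF-ROUTER
   Protocol Version:2.0

   Service Identifier: web-cache
   Number of Cache Engines: 1
   Number of routers:   1
   Total Packets Redirected:0
   Redirect access-list:REDIRECTL
   Total Packets Denied Redirect:   0
   Total Packets Unassigned:0
   Group access-list:   SQUID
   Total Messages Denied to Group:  0
   Total Authentication failures:   0
"""

ASA_GLOBAL = """\
    Number of Cache Engines: 1
    Total Packets Redirected:    113242
    Total Connections Denied Redirect:   0
    Total Packets Unassigned:    241
    Total Messages Denied to Group:  0
    Total Authentication failures:   0
"""

ASA_DETAIL = """\
    Web Cache ID:  10.110.150.253
    State: Usable
    Hash Allotment:    0 (0.00%)
    Packets Redirected:    113242
    Connect Time:  00:00:12
"""

# "Name: value" with a non-empty value; section headers have no value and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*:\s*(\S.*?)\s*$")
# A bare counter, optionally followed by a percentage such as "0 (0.00%)".
NUM_RE = re.compile(r"(\d+)(?:\s*\([\d.]+%\))?")

# What each finding code (hypothetical names) suggests looking at next.
ADVICE = {
    "no-cache-engine": "router has not accepted any cache; check HERE_I_AM/I_SEE_YOU",
    "registered-but-idle": "cache is registered but nothing is redirected; "
                           "check hash assignment and the redirect statements",
    "unassigned-packets": "some packets matched no cache assignment",
    "zero-hash-allotment": "this cache owns no hash buckets",
    "redirect-list-denials": "redirect access-list is excluding traffic",
    "group-list-denials": "group access-list is rejecting a cache",
    "auth-failures": "WCCP password mismatch between router and cache",
}


def parse_wccp(text):
    """Return {field name: value}; plain counters become int, the rest stay str."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        num = NUM_RE.fullmatch(value)
        fields[name] = int(num.group(1)) if num else value
    return fields


def _count(fields, *names):
    """First integer counter found under any of the given field names, else None."""
    for name in names:
        value = fields.get(name)
        if isinstance(value, int):
            return value
    return None


def findings(fields):
    """Return finding codes, in a fixed order, for one parsed output."""
    out = []
    engines = _count(fields, "Number of Cache Engines")
    redirected = _count(fields, "Total Packets Redirected")
    denied = _count(fields, "Total Packets Denied Redirect",
                    "Total Connections Denied Redirect")
    if engines == 0:
        out.append("no-cache-engine")
    if engines and redirected == 0:
        out.append("registered-but-idle")
    if (_count(fields, "Total Packets Unassigned") or 0) > 0:
        out.append("unassigned-packets")
    if _count(fields, "Hash Allotment") == 0:
        out.append("zero-hash-allotment")
    if (denied or 0) > 0:
        out.append("redirect-list-denials")
    if (_count(fields, "Total Messages Denied to Group") or 0) > 0:
        out.append("group-list-denials")
    if (_count(fields, "Total Authentication failures") or 0) > 0:
        out.append("auth-failures")
    return out


if __name__ == "__main__":
    for label, text in (("IOS global", IOS_GLOBAL),
                        ("ASA global", ASA_GLOBAL),
                        ("ASA detail", ASA_DETAIL)):
        for code in findings(parse_wccp(text)) or ["ok"]:
            print(f"{label}: {code}: {ADVICE.get(code, 'no finding')}")
```
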


[squid-users] wccp2 - Squid 2.6.Stable6 - Fedora Core 6

2007-01-03 Thread tacoen

Hi! I dig everywhere but could not found the answer of my recent wccp
implementations


in my router, I could see

sh ip wccp web-cache view

WCCP Routers Informed of:
IP-OF-ROUTER

WCCP Cache Engines Visible:
IP-OF-SQUID

WCCP Cache Engines NOT Visible:
-none-


In router term mon, i see:

1d17h: WCCP-PKT:S00: Received valid Here_I_Am packet from IP-OF-SQUID
w/rcv_id 1309
1d17h: WCCP-PKT:S00: Sending I_See_You packet to IP-OF-SQUID w/ rcv_id 130A

and so on...

in my /var/log/squid/cache.log

2007/01/04 02:53:32| wccp2HereIam: Called
2007/01/04 02:53:32| wccp2HereIam: sending to service id 0
2007/01/04 02:53:32| Sending HereIam packet size 144
2007/01/04 02:53:32| wccp2HandleUdp: Called.
2007/01/04 02:53:32| Incoming WCCPv2 I_SEE_YOU length 132.
2007/01/04 02:53:32| Complete packet received
2007/01/04 02:53:32| Incoming WCCP2_I_SEE_YOU Received ID old=4881 new=4882.
2007/01/04 02:53:32| Cleaning out cache list
2007/01/04 02:53:32| checking cache list: (a98e6e40:a98e6e40)
2007/01/04 02:53:32| Change not detected (26 = 26)

But in "sh ip wccp"

Global WCCP information:
   Router information:
   Router Identifier:   IP-OF-ROUTER
   Protocol Version:2.0

   Service Identifier: web-cache
   Number of Cache Engines: 1
   Number of routers:   1
   Total Packets Redirected:0
   Redirect access-list:REDIRECTL
   Total Packets Denied Redirect:   0
   Total Packets Unassigned:0
   Group access-list:   SQUID
   Total Messages Denied to Group:  0
   Total Authentication failures:   0

In my squid.conf:

wccp2_router IP-OF-ROUTER
wccp2_rebuild_wait on
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method 1
wccp2_service standard 0
wccp2_weight 1
wccp2_address IP-OF-SQUID

My question is:  Why my Total Packets Redirected is 0 ?
The number of object in squid cache is also not increasing also.

What wrong? I try to use wccp version 1, but it also got zero packets
redirected.


IP-OF-SQUID and IP-OF-ROUTER is on the same subnet. IP that being
redirected is also on the same subnet.

What did happen?



The rest of references:




#modprobe ip_gre
#ip tunnel add gre0 mode gre remote 64.110.142.161 local
64.110.142.169 dev eth0
#ip addr add 172.16.1.6/32 dev gre0
#ip link set gre0 up

ifconfig

# ifconfig gre0
gre0  Link encap:UNSPEC  HWaddr
00-00-00-00-05-08-28-2C-00-00-00-00-00-00-00-00
 inet addr:172.16.1.6  Mask:255.255.255.255
 UP RUNNING NOARP  MTU:1476  Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


#iptables -L -t nat -xnv

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
   pkts  bytes target prot opt in out source
destination
  00 DNAT   tcp  --  gre0   *   IPS-MYNET  !
IPS-MYNET   tcp dpt:80 to:IP-OF-SQUID:3128
  00 REDIRECT   tcp  --  gre0   *0.0.0.0/0
   0.0.0.0/0   tcp dpt:80 redir ports 3128
  00 REDIRECT   tcp  --  eth0   *   0.0.0.0/0
   0.0.0.0/0   tcp dpt:80 redir ports 3128



As for router, I use

IOS (tm) C2600 Software (C2600-IS-M), Version 12.1(4), RELEASE SOFTWARE (fc1)

sh run

--cut--

policy-map qos
!
ip subnet-zero
no ip source-route
ip wccp web-cache redirect-list REDIRECTL group-list SQUID
no ip finger
no ip domain-lookup

--cut--

interface FastEthernet0/1
ip address MYNET MYNETMASK
no ip unreachables
ip wccp redirect exclude in
ip wccp web-cache redirect out
no ip mroute-cache
duplex auto
speed auto
no cdp enable

--cut--

ip access-list standard SQUID
permit IP-OF-SQUID
!
ip access-list extended REDIRECTL
deny   ip host IP-OF-SQUID any
permit ip any any

--cut--



Thanks in advance.


--
Oh, this is my hypertext version:
http://tacoen.smedia.or.id
http://www.flickr.com/photos/tacoen-and-tacoen/



Re: [squid-users] Wccp2

2004-12-26 Thread Henrik Nordstrom
On Fri, 24 Dec 2004, kavos gabor wrote:

> What do i need to do on Redhat Linux 9, kernel 2.4.20 to get wccp2 working on it?

A current ip_wccp module (linked from the Squid FAQ)

A squid patched with WCCPv2 support (patch found from 
devel.squid-cache.org)

Proper configuration of all components involved. See the Squid FAQ.

Regards
Henrik


[squid-users] Wccp2

2004-12-24 Thread kavos gabor
What do i need to do on Redhat Linux 9, kernel 2.4.20 to get wccp2 working on 
it?

regards,

kavos


[squid-users] WCCP2 Authentication type 7

2003-06-20 Thread Snowy
Hi, All,

Is there anyone happening to know how Cisco router do the authentication
hashing within the WCCP2 security component when "type 7" password is used?
That is, with IOS command, "ip wccp web-cache password 7 abc123".

Thanks a lot!

Regards!

Snowy