Once you are sure all the above are available on your system you can proceed with installing squid. I suggest installing squid from the source tarball and compiling it manually in order to enable its WCCP features. So after you've got the latest squid source you compile it like this:
gw1-livent:~# wget http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE3.tar.gz
--18:35:11-- http://www.squid-cache.org/Versions/v2/2.7/squid-2.7.STABLE3.tar.gz
=> `squid-2.7.STABLE3.tar.gz'
Resolving www.squid-cache.org... 12.160.37.9
Connecting to www.squid-cache.org|12.160.37.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,782,040 (1.7M) [application/x-gzip]
100%[=========================================================>] 1,782,040 106.67K/s ETA 00:00
18:35:30 (95.71 KB/s) - `squid-2.7.STABLE3.tar.gz' saved [1782040/1782040]
gw1-livent:~#
Unpack the source code and proceed with configure, enabling WCCP and the netfilter support that transparent interception on Linux needs:
gw1-livent:~# tar zxf squid-2.7.STABLE3.tar.gz
gw1-livent:~# cd squid-2.7.STABLE3
gw1-livent:~/squid-2.7.STABLE3# ./configure --enable-linux-netfilter --enable-wccp && make && make install
After you have installed squid, tweak it to fit your needs and make sure transparent proxying is turned on in the config file:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
After you are done with the config file and you think all your config is OK, initialize the squid cache by typing:
gw1-livent:~# squid -z
Now that squid is running we want to redirect all traffic to port 80 to the squid port 3128. The packets the router hands over arrive decapsulated on the GRE tunnel interface (gre1, brought up below), not on eth0, so the rule has to match on that interface:
gw1-livent:~# iptables -t nat -A PREROUTING -i gre1 -p tcp --dport 80 -j REDIRECT --to-port 3128
With traffic redirected to squid we need to bring up the GRE tunnel between the Cisco router and the Linux box running squid:
gw1-livent:~# iptunnel add gre1 mode gre remote IP-ADDRESS-OF-ROUTER local IP-ADDRESS-OF-SQUID-CACHE dev eth0
and then bring the tunnel up on a loopback address that acts as the local endpoint for it, with reverse-path filtering switched off on that interface only:
gw1-livent:~# ifconfig gre1 127.0.0.2 up
gw1-livent:~# echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
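An audit script for the Linux side, added here as an example (it is not part of the original post); the function name audit_wccp and the default paths are my choices. It checks the tunnel, rp_filter, the PREROUTING rule (which must match on the tunnel interface, where the decapsulated packets arrive) and that squid.conf both names the router and intercepts on port 3128, since Squid 2.6 and later express interception as http_port 3128 transparent in place of the httpd_accel_* directives.

```shell
#!/bin/sh
# wccp_audit.sh: check the Linux-side plumbing for a WCCP/GRE Squid intercept.
# Added example, not from the original post. Every path is a parameter so the
# same function runs against a live box (defaults) or against constructed files.
#
# audit_wccp [PROC_ROOT] [IPTABLES_SAVE_FILE] [SQUID_CONF] [TUNNEL_IF]
# Returns the number of failed checks (0 = all good).
audit_wccp() {
    proc="${1:-/proc}"; rules="${2:-}"
    conf="${3:-/etc/squid/squid.conf}"; tun="${4:-gre1}"
    fails=0

    # 1. The tunnel interface exists (the kernel exposes one conf dir per interface).
    if [ -d "$proc/sys/net/ipv4/conf/$tun" ]; then echo "ok   $tun present"
    else echo "FAIL $tun missing: iptunnel add $tun mode gre ..."; fails=$((fails+1)); fi

    # 2. Reverse-path filtering off on the tunnel only. Decapsulated packets carry
    #    client source addresses that do not route back through $tun, so rp_filter
    #    would silently drop them; eth0 keeps its own setting.
    rpf="$proc/sys/net/ipv4/conf/$tun/rp_filter"
    if [ -f "$rpf" ] && [ "$(cat "$rpf")" = "0" ]; then echo "ok   rp_filter=0 on $tun"
    else echo "FAIL rp_filter is not 0 on $tun"; fails=$((fails+1)); fi

    # 3. The REDIRECT rule must match packets arriving on the tunnel, not on eth0:
    #    what eth0 sees is the outer GRE packet, which is not TCP port 80.
    if [ -n "$rules" ]; then saved=$(cat "$rules"); else saved=$(iptables-save -t nat 2>/dev/null || true); fi
    if printf '%s\n' "$saved" | grep -q -- "-A PREROUTING -i $tun -p tcp .*--dport 80 -j REDIRECT --to-ports 3128"
    then echo "ok   PREROUTING REDIRECT on $tun -> 3128"
    else echo "FAIL need: iptables -t nat -A PREROUTING -i $tun -p tcp --dport 80 -j REDIRECT --to-port 3128"; fails=$((fails+1)); fi

    # 4. squid.conf names the router. Without wccp_router (v1) or wccp2_router (v2)
    #    Squid 2.7 logs "WCCP Disabled." and never registers with the Cisco.
    if grep -Eq '^[[:space:]]*wccp2?_router[[:space:]]+[0-9.]+' "$conf" 2>/dev/null; then echo "ok   router set in $conf"
    else echo "FAIL no wccp_router/wccp2_router in $conf"; fails=$((fails+1)); fi

    # 5. Interception is on. Squid 2.6+ uses 'http_port 3128 transparent'; the
    #    httpd_accel_* directives of Squid 2.5 were replaced by it.
    if grep -Eq '^[[:space:]]*http_port[[:space:]]+(.*:)?3128[[:space:]].*transparent' "$conf" 2>/dev/null; then echo "ok   http_port 3128 transparent"
    else echo "FAIL no 'http_port 3128 transparent' in $conf"; fails=$((fails+1)); fi
    return "$fails"
}
```

Run it with no arguments on the cache box itself; the exit status is the number of failed checks.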
Now let's proceed to the router configuration, since the Linux side should be done. Log in to your Cisco router and set it up to catch all outgoing web requests:
Cisco> enable
Cisco# config t
Cisco(config)# ip wccp version 1
Cisco(config)# ip wccp web-cache
Cisco(config)# int your-outgoing-interface
Cisco(config-if)# ip wccp web-cache redirect out
Cisco(config-if)# end
Cisco# write mem
Optionally you may want to define an access list to control which IPs get cached content and which IPs are allowed to go out directly to the internet.
Cisco> enable
Cisco# config t
Cisco(config)# ip wccp version 1
Cisco(config)# ip wccp web-cache redirect-list 150
Cisco(config)# access-list 150 permit tcp 192.168.1.0 0.0.0.255 any
Cisco(config)# access-list 150 deny tcp any any
Cisco(config)# int your-outgoing-interface
Cisco(config-if)# ip wccp web-cache redirect out
Cisco(config-if)# end
Cisco# write mem
With all this being said, I recommend reading even more to find out ways of getting the most out of the squid web-cache server, either by using its built-in features or by using third-party add-ons to enhance it.
Over and out
Andy
September 4th, 2008 at 11:06 am
my gre1 interface is receiving traffic from the router, but nothing happens, no activity on /var/log/squid/access.log and /var/log/syslog shows the following information:
Sep 4 15:48:45 bluepencil squid[2319]: Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
Sep 4 15:48:45 bluepencil squid[2319]: Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
Sep 4 15:48:45 bluepencil squid[2319]: HTCP Disabled.
Sep 4 15:48:45 bluepencil squid[2319]: WCCP Disabled.
Sep 4 15:48:45 bluepencil squid[2319]: Ready to serve requests.
WCCP Disabled?
September 4th, 2008 at 5:06 pm
Looks like your squid is not configured with --enable-wccp. See the first step.
Regards
Andy
September 8th, 2008 at 5:05 am
It's now configured with --enable-wccp, but the syslog file keeps saying that it is disabled... but on the next line it says that it accepts WCCP2 messages...:
Sep 8 09:50:50 bluepencil squid[4049]: Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 12.
Sep 8 09:50:50 bluepencil squid[4049]: Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
Sep 8 09:50:50 bluepencil squid[4049]: Accepting HTCP messages on port 4827, FD 14.
Sep 8 09:50:50 bluepencil squid[4049]: Accepting SNMP messages on port 3401, FD 15.
Sep 8 09:50:50 bluepencil squid[4049]: WCCP Disabled.
Sep 8 09:50:50 bluepencil squid[4049]: Accepting WCCPv2 messages on port 2048, FD 16.
Sep 8 09:50:50 bluepencil squid[4049]: Initialising all WCCPv2 lists
Sep 8 09:50:50 bluepencil squid[4049]: Ready to serve requests.
Sep 8 09:50:50 bluepencil squid[4049]: Done scanning /var/spool/squid/cache (0 entries)
Sep 8 09:50:50 bluepencil squid[4049]: Finished rebuilding storage from disk.
Sep 8 09:50:50 bluepencil squid[4049]: 0 Entries scanned
Sep 8 09:50:50 bluepencil squid[4049]: 0 Invalid entries.
Sep 8 09:50:50 bluepencil squid[4049]: 0 With invalid flags.
Sep 8 09:50:50 bluepencil squid[4049]: 0 Objects loaded.
Sep 8 09:50:50 bluepencil squid[4049]: 0 Objects expired.
Sep 8 09:50:50 bluepencil squid[4049]: 0 Objects cancelled.
Sep 8 09:50:50 bluepencil squid[4049]: 0 Duplicate URLs purged.
Sep 8 09:50:50 bluepencil squid[4049]: 0 Swapfile clashes avoided.
Sep 8 09:50:50 bluepencil squid[4049]: Took 0.4 seconds ( 0.0 objects/sec).
Sep 8 09:50:50 bluepencil squid[4049]: Beginning Validation Procedure
Sep 8 09:50:50 bluepencil squid[4049]: Completed Validation Procedure
Sep 8 09:50:50 bluepencil squid[4049]: Validated 0 Entries
Sep 8 09:50:50 bluepencil squid[4049]: store_swap_size = 0k
Sep 8 09:50:51 bluepencil squid[4049]: storeLateRelease: released 0 objects
On my browser I keep getting the message "The server is taking too much time to respond"... is the access.log file written during this process? Can I actually see the requests coming? If I use the squid as a proxy server it works fine...
Need help
September 8th, 2008 at 6:18 pm
I might be wrong but it looks like your squid config file is configured for wccp2 while my router setup is for wccp1. However, for that matter, here is the config for wccp2 on the cisco. Make sure your cisco supports the version configured in squid.conf on the line "wccp2_version":
So .. log in into your cisco and make it like this:
Cisco> enable
Cisco# config t
Cisco(config)# ip wccp version 2
Cisco(config)# ip wccp web-cache redirect-list SQUID-BYPASS-NEW
Cisco(config)# interface FastEthernet0/0.128
Cisco(config)# description Connection to internet
Cisco(config)# bandwidth 24000
Cisco(config)# encapsulation dot1Q 128
Cisco(config)# ip address xxx.xxx.xxx.xxx 255.255.255.252
Cisco(config)# ip wccp web-cache redirect out
Cisco(config)# no cdp enable
Cisco(config)# end
Cisco# write
(note: if you already have the interface configured just make sure you switch to it with "int your-outgoing-interface" and then only declare "ip wccp web-cache redirect out" for it.)
Regards
Andy
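Reading the startup messages quoted in this thread, as an added example (not from the post or from Squid itself; the function name wccp_state is my own): it reports which WCCP version Squid is actually speaking and on which port it intercepts. In Squid 2.7 the "WCCP Disabled." line only says that no wccp_router (WCCPv1) is set; WCCPv2, driven by wccp2_router, logs its own "Accepting WCCPv2 messages" line, which is why both lines appear together above.

```shell
#!/bin/sh
# wccp_log_state.sh: read Squid's startup messages (syslog or cache.log) and
# say which WCCP protocol, if any, Squid is actually speaking.
# Added example, not from the original post or from Squid itself.
#
# Squid 2.7 runs WCCPv1 (wccp_router) and WCCPv2 (wccp2_router) as separate
# subsystems. "WCCP Disabled." only means no wccp_router is set; a following
# "Accepting WCCPv2 messages" line means v2 registration is active anyway.

# wccp_state LOGFILE -> prints a one-line summary; returns 0 when some WCCP
# version is active, 1 when neither is, 2 when the log has no startup banner.
wccp_state() {
    log="$1"
    if ! grep -q 'Ready to serve requests' "$log"; then
        echo "no Squid startup messages in $log"
        return 2
    fi
    v1=no; v2=no; icpt=no
    # "WCCP messages" (v1) and "WCCPv2 messages" (v2) are distinct strings.
    if grep -q 'Accepting WCCP messages' "$log"; then v1=yes; fi
    if grep -q 'Accepting WCCPv2 messages' "$log"; then v2=yes; fi
    # Interception port: without this line redirected packets have no listener.
    port=$(sed -n 's/.*Accepting transparently proxied HTTP connections at [0-9.]*, port \([0-9]*\).*/\1/p' "$log" | head -n 1)
    if [ -n "$port" ]; then icpt="yes (port $port)"; fi
    echo "wccp_v1=$v1 wccp_v2=$v2 transparent=$icpt"
    if [ "$v1" = no ] && [ "$v2" = no ]; then
        echo "hint: set wccp_router (v1) or wccp2_router (v2) in squid.conf"
        return 1
    fi
    return 0
}
```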
September 11th, 2008 at 3:47 am
Hi there…
The following line seems to make it work:
iptables -t nat -A POSTROUTING -j MASQUERADE
At least I can access the internet with no proxy (the router redirects the packets, the squid accepts them)... but I now have a question:
Should I see the user requests in the access.log? I created an ACL in squid.conf denying access to a specific domain (acl blockedURL dstdomain .microsoft.com), but when using squid as a transparent proxy I have access; only when using squid as my default proxy do I get the denied access page...
help again?
September 11th, 2008 at 11:56 am
You are plain masquerading all network IPs through the external IP. I don't know why the REDIRECT rule doesn't do it for you, while it should.
You should see the requests in the access.log with the flag TCP_DENIED when a request is being denied by an ACL.
About your ACL, it seems to be correct but I am not sure if you have the second line needed. It should be something like:
———————————————————–
acl blocked dstdomain .blocked-domain
http_access deny blocked
———————————————————–
Regards
Andy
September 15th, 2008 at 9:48 am
Everything seems OK, it's so transparent that the requests don't appear in the access.log file.
Does the syslog output below indicate anything wrong?
Sep 15 14:42:29 webfilter squid[2413]: Starting Squid Cache version 2.7.STABLE3 for i686-pc-linux-gnu…
Sep 15 14:42:29 webfilter squid[2413]: Process ID 2413
Sep 15 14:42:29 webfilter squid[2413]: With 1024 file descriptors available
Sep 15 14:42:29 webfilter squid[2413]: Using epoll for the IO loop
Sep 15 14:42:29 webfilter squid[2413]: DNS Socket created at 0.0.0.0, port 32770, FD 6
Sep 15 14:42:29 webfilter squid[2413]: Adding domain min-saude.pt from /etc/resolv.conf
Sep 15 14:42:29 webfilter squid[2413]: Adding nameserver 194.xxx.xxx.xxx from /etc/resolv.conf
Sep 15 14:42:29 webfilter squid[2413]: logfileOpen: opening log /usr/local/squid/var/logs/access.log
Sep 15 14:42:29 webfilter squid[2411]: Squid Parent: child process 2413 started
Sep 15 14:42:29 webfilter squid[2413]: Unlinkd pipe opened on FD 11
Sep 15 14:42:29 webfilter squid[2413]: Swap maxSize 102400 KB, estimated 7876 objects
Sep 15 14:42:29 webfilter squid[2413]: Target number of buckets: 393
Sep 15 14:42:29 webfilter squid[2413]: Using 8192 Store buckets
Sep 15 14:42:29 webfilter squid[2413]: Max Mem size: 8192 KB
Sep 15 14:42:29 webfilter squid[2413]: Max Swap size: 102400 KB
Sep 15 14:42:29 webfilter squid[2413]: logfileOpen: opening log /usr/local/squid/var/logs/store.log
Sep 15 14:42:29 webfilter squid[2413]: Rebuilding storage in /usr/local/squid/var/cache (DIRTY)
Sep 15 14:42:29 webfilter squid[2413]: Using Least Load store dir selection
Sep 15 14:42:29 webfilter squid[2413]: Set Current Directory to /usr/local/squid/var/cache
Sep 15 14:42:29 webfilter squid[2413]: Loaded Icons.
Sep 15 14:42:29 webfilter squid[2413]: Accepting transparently proxied HTTP connections at 0.0.0.0, port 3128, FD 13.
Sep 15 14:42:29 webfilter squid[2413]: Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
Sep 15 14:42:29 webfilter squid[2413]: WCCP Disabled.
Sep 15 14:42:29 webfilter squid[2413]: Accepting WCCPv2 messages on port 2048, FD 15.
Sep 15 14:42:29 webfilter squid[2413]: Initialising all WCCPv2 lists
Sep 15 14:42:29 webfilter squid[2413]: Ready to serve requests.
Sep 15 14:42:29 webfilter squid[2413]: Done reading /usr/local/squid/var/cache swaplog (358 entries)
Sep 15 14:42:29 webfilter squid[2413]: Finished rebuilding storage from disk.
Sep 15 14:42:29 webfilter squid[2413]: 299 Entries scanned
Sep 15 14:42:29 webfilter squid[2413]: 0 Invalid entries.
Sep 15 14:42:29 webfilter squid[2413]: 0 With invalid flags.
Sep 15 14:42:29 webfilter squid[2413]: 299 Objects loaded.
Sep 15 14:42:29 webfilter squid[2413]: 0 Objects expired.
Sep 15 14:42:29 webfilter squid[2413]: 59 Objects cancelled.
Sep 15 14:42:29 webfilter squid[2413]: 0 Duplicate URLs purged.
Sep 15 14:42:29 webfilter squid[2413]: 0 Swapfile clashes avoided.
Sep 15 14:42:29 webfilter squid[2413]: Took 0.3 seconds (1037.8 objects/sec).
Sep 15 14:42:29 webfilter squid[2413]: Beginning Validation Procedure
Sep 15 14:42:29 webfilter squid[2413]: Completed Validation Procedure
Sep 15 14:42:29 webfilter squid[2413]: Validated 240 Entries
Sep 15 14:42:29 webfilter squid[2413]: store_swap_size = 2076k
Sep 15 14:42:30 webfilter squid[2413]: storeLateRelease: released 0 objects
September 15th, 2008 at 9:51 am
Another thing... the squid.conf options that you talk about in this article:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
These don't appear in my squid.conf; I used the following line to set the transparency:
http_port 3128 transparent
September 25th, 2008 at 2:25 pm
I'm curious about how the routing is handled with SQUID and WCCP2. I've installed a couple of WCCP2 servers using Bluecoat, but want to try using a much cheaper solution like SQUID. The previous hardware links looked like this:
UserWS ----------> Cisco ----------> Internet
                     |
                     |
              WCCP Cache (Bluecoat)
However, all the configuration docs I've found for SQUID were the following:
UserWS --------> Cisco ----------> WCCPCache(Squid) -------> Internet
Can anyone shed some light on the physical config? I'm going to be authenticating to my LDAP server (Win2003) but don't want to have open access from the unprotected network directly to my private side. In other words, I want to ensure the only device that can talk to the private side is the WCCPCache(Squid) itself.
Thanks for your help!
October 22nd, 2008 at 6:26 pm
Hey Scott
You may want to check this cisco diagram:
http://www.cisco.com/en/US/i/100001-200000/110001-120000/115001-116000/115457.jpg
Regards
Andy
August 31st, 2009 at 12:08 am
If the squid server should be offline or the squid process dies, will the users’ port 80 requests automatically redirect to the “live” internet connection??
October 2nd, 2009 at 8:45 am
Well, there are many theories on this subject. You may either use WPAD, which means you should run two or more squid proxies, OR a HA fail-over solution, which may be either ultramonkey.org or linux-ha.org.
However, you may simply combine the PAC with or without the WPAD, since it's the best practice out there.
Andy
October 22nd, 2009 at 11:43 pm
How about the tunnel config on the cisco router, is it not needed? If needed, may I know the config sample.
thanks
October 23rd, 2009 at 12:28 pm
That is not the subject of this tutorial, Ineb.
Andy
October 26th, 2009 at 9:55 pm
You don't need to configure the tunnel on the cisco router, linux will initialize the GRE tunnel. I have this setup running at the company I work for. If you need any help please let me know.
November 4th, 2009 at 8:35 pm
I'm having the same problems Nuno did in the beginning of the comments and cannot for the life of me figure out what's wrong, it seems to be something with the tunnel
root@ubuntu1:~# iptunnel
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 10.251.0.1 local 10.251.0.99 dev eth0 ttl inherit
root@ubuntu1:~# ifconfig gre0
gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-05-08-E0-E3-00-00-00-00-00-00-00-00
          inet addr:127.0.0.3  Mask:255.0.0.0
          UP RUNNING NOARP  MTU:1476  Metric:1
          RX packets:26 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1560 (1.5 KB)  TX bytes:0 (0.0 B)
root@ubuntu1:~# ifconfig gre1
gre1      Link encap:UNSPEC  HWaddr 0A-FB-00-63-05-08-E0-E3-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@ubuntu1:~# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:127.0.0.1:3128