05-09-2012 05:33 PM - edited 03-11-2019 04:04 PM
Lately I've been trying to get a squid server to work with WCCP on our network so that client traffic transparently goes through the proxy. The problem is, having very little experience with squid, I've hit a brick wall and despite spending days searching the web and reading through tons of material, I can't seem to move past it. Maybe you guys can spot the problem. Here's what I have so far.
Network Diagram -
I'm pretty sure my Cisco router is configured properly. The Cisco router ACL is NOT blocking anything coming from or going to the squid server. The linux firewall (iptables) is also NOT blocking anything. 'show ip wccp' on the router shows that squid registers with the router, and wireshark on the squid server shows that the GRE tunnel is receiving packets. The iptables rule that is meant to redirect all traffic from the GRE tunnel to the squid port shows that it's getting hits (iptables -t nat -nvL PREROUTING). The thing is - squid logs don't show that it's receiving any kind of requests. The client machine (the only machine that WCCP should be sending HTTP traffic to squid from) basically can't load any web page once the squid daemon is started on the squid server - it just times out. Is there something wrong with the iptables rule? Could it be something else? I have a feeling it's just one simple thing I'm missing somewhere. Here are the different sections:
Router:
ip wccp web-cache redirect-list 120 group-list 10
interface GigabitEthernet0/2
 ip address 192.168.13.1 255.255.255.0
 ip wccp web-cache redirect in
ip access-list standard 10
 permit 10.10.10.2
ip access-list extended 120
 deny ip host 10.10.10.2 any
 permit tcp host 192.168.13.250 any eq www
 deny ip any any
Squid server:
iptunnel add gre1 mode gre remote [external IP of router] local 10.10.10.2 dev eth0
ip addr add 10.10.10.2/32 dev gre1
ip link set gre1 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.2:3128
squid.conf:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.13.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
wccp2_router 10.10.10.1
wccp_version 4
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
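A small consistency checker, added here as an example (not code from the original post or from the Squid project), that parses the directives above and flags two things a reviewer would look at in this setup: whether the intercepted client's source address is actually allowed by http_access, and whether the WCCP directives are consistent. The SQUID_CONF sample is constructed from the thread's config.

```python
"""Sanity checks for a WCCPv2/GRE + iptables DNAT Squid intercept setup.
Added example, not the poster's tooling; directive names are real Squid ones."""
import ipaddress
# Constructed sample: the thread's squid.conf lines that these checks examine.
SQUID_CONF = """\
acl localnet src 192.168.13.0/24
http_access allow localnet
http_access deny all
http_port 3128 transparent
wccp2_router 10.10.10.1
wccp_version 4
wccp2_service standard 0
"""

def parse_conf(text):
    """Split squid.conf into (directive, [args]) pairs, dropping comments and blanks."""
    rows = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            rows.append((words[0], words[1:]))
    return rows

def client_allowed(conf, client_ip):
    """First-match http_access evaluation over 'src' ACLs and 'all' only.
    DNAT keeps the client's source address, so this is the IP Squid matches on."""
    ip = ipaddress.ip_address(client_ip)
    src_acls = {}
    for d, a in conf:
        if d == "acl" and len(a) >= 3 and a[1] == "src":
            src_acls.setdefault(a[0], []).extend(ipaddress.ip_network(n, strict=False) for n in a[2:])
    for d, a in conf:
        if d == "http_access" and len(a) == 2:
            if a[1] == "all" or any(ip in n for n in src_acls.get(a[1], [])):
                return a[0] == "allow"
    return False  # no rule matched: treat as denied (conservative)

def check_wccp(conf):
    """Return findings about the WCCP/intercept directives."""
    findings, names = [], {d for d, _ in conf}
    ports = [a for d, a in conf if d == "http_port"]
    if not any("intercept" in a or "transparent" in a for a in ports):
        findings.append("http_port lacks intercept: intercepted requests are rejected as invalid forward-proxy URLs")
    elif any("transparent" in a for a in ports):
        findings.append("http_port 'transparent' is a deprecated alias for 'intercept' on Squid 3.1+")
    if "wccp2_router" not in names:
        findings.append("wccp2_router missing: Squid never registers with the router")
    if "wccp_version" in names and any(n.startswith("wccp2_") for n in names):
        findings.append("wccp_version only applies to WCCPv1 and is ignored next to wccp2_* directives")
    return findings
```

Run it against the real squid.conf by replacing SQUID_CONF with the file contents; the client IP to test is the one the router's redirect-list selects (192.168.13.250 here).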
06-01-2012 07:10 AM
Anyone? Perhaps I'm missing commands on the Cisco to setup the GRE tunnel? Could it be that I'm missing something like this?
06-08-2012 08:42 AM
Wow! After weeks of trying to get this to work (on and off), and reading every howto on Google relating to WCCP and squid, I finally came across a line on some website that read:
"For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client..."
As soon as I made this happen, everything finally started working.
11-17-2012 01:18 AM
Hi,
congratulations,
but I want to ask you,
how can we enable IPv6 to work with Squid Cache 3?
Have you tried it?
Regards
11-17-2012 07:01 AM
11-17-2012 08:54 AM
Hi,
thanks for your reply.
I think that talking about Squid Cache in all forums on the internet kills the post, I don't know why.
It may be that most people don't like to deal with it.
Anyway, I would like to ask you specific questions about Squid operation on Linux only.
Can I ask you?
Regards
11-17-2012 09:10 AM
If you have a squid question for me that has nothing to do with this topic, you might want to send me a private message instead of continuing to post here. Also, I'm not a squid expert, and you might be better off trying the squid mailing lists where the real experts are:
http://www.squid-cache.org/Support/mailing-lists.html
They are always active, and always happy to answer squid questions.