squid3 transparent proxy using wccp

vzvonarov1 · ‎05-09-2012

Lately I've been trying to get a squid server to work with WCCP on our network so that client traffic transparently goes through the proxy. The problem is, having very little experience with squid, I've hit a brick wall and despite spending days searching the web and reading through tons of material, I can't seem to move past it. Maybe you guys can spot the problem. Here's what I have so far.

Network Diagram -

I'm pretty sure my Cisco router is configured properly. The Cisco router ACL is NOT blocking anything coming from or going to the squid server. The linux firewall (iptables) is also NOT blocking anything. 'show ip wccp' on the router shows that squid registers with the router, and wireshark on the squid server shows that the GRE tunnel is receiving packets. The iptables rule that is meant to redirect all traffic from the GRE tunnel to the squid port shows that it's getting hits (iptables -t nat -nvL PREROUTING). The thing is - squid logs don't show that it's receiving any kind of requests. The client machine (the only machine that WCCP should be sending HTTP traffic to squid from) basically can't load any web page once the squid daemon is started on the squid server - it just times out. Is there something wrong with the iptables rule? Could it be something else? I have a feeling it's just one simple thing I'm missing somewhere. Here are the different sections:

Router:

ip wccp web-cache redirect-list 120 group-list 10

interface GigabitEthernet0/2

ip address 192.168.13.1 255.255.255.0

ip wccp web-cache redirect in

ip access-list standard 10

permit 10.10.10.2

ip access-list extended 120

deny ip host 10.10.10.2 any

permit tcp host 192.168.13.250 any eq www

deny ip any any

Squid server:

iptunnel add gre1 mode gre remote [external IP of router] local 10.10.10.2 dev eth0

ip addr add 10.10.10.2/32 dev gre1

ip link set gre1 up

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter

iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.2:3128

squid.conf:

acl manager proto cache_object

acl localhost src 127.0.0.1/32 ::1

acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 192.168.13.0/24

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access allow manager localhost

http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet

http_access allow localhost

http_access deny all

http_port 3128 transparent

hierarchy_stoplist cgi-bin ?

coredump_dir /var/spool/squid

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320

wccp2_router 10.10.10.1

wccp_version 4

wccp2_forwarding_method gre

wccp2_return_method gre

wccp2_service standard 0

vzvonarov1 · ‎06-01-2012

Anyone? Perhaps I'm missing commands on the Cisco to setup the GRE tunnel? Could it be that I'm missing something like this?

vzvonarov1 · ‎06-08-2012

Wow! After weeks of trying to get this to work (on and off), and reading every howto on google relating to wccp and squid, I finally came across a line on some website that read:

"For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client..."

As soon as I made this happen, everything finally started working.

Dr.X · ‎11-17-2012

hi ,

congratulations ,

but i want to ask u ,

how can we enable ipv6 to work with squid cache 3

have u tried it ??

regards

vzvonarov1 · ‎11-17-2012

No idea
Your grammar is terrible. English is my second language and I would never write like that - even online. Please take some lessons in grammar - unless of course you write bad on purpose, in which case, please stop.
Your question has very little to do with the topic of this thread
This thread has been dead for almost 6 months (assuming that one guy talking to himself could be considered alive in the first place). You may want to start a new topic for your question

Dr.X · ‎11-17-2012

hi ,

thanks for your reply ,

i think that talking about squid cache in all fourms in the internet will dead the post , i dont know why .

it may be most of people dont like to deal with

anyway , i would like to ask you special questions about only squid operation in linux .

can i ask you ??

regards

vzvonarov1 · ‎11-17-2012

If you have a squid question for me that has nothing to do with this topic, you might want to send me a private message instead of continuing to post here. Also, I'm not a squid expert, and you might be better off trying the squid mailing lists where the real experts are:

http://www.squid-cache.org/Support/mailing-lists.html

They are always active, and always happy to answer squid questions.