Lately I've been trying to get a squid server to work with WCCP on our network so that client traffic transparently goes through the proxy. The problem is, having very little experience with squid, I've hit a brick wall and despite spending days searching the web and reading through tons of material, I can't seem to move past it. Maybe you guys can spot the problem. Here's what I have so far.
Network Diagram -
I'm pretty sure my Cisco router is configured properly. The Cisco router ACL is NOT blocking anything coming from or going to the squid server. The Linux firewall (iptables) is also NOT blocking anything. 'show ip wccp' on the router shows that squid registers with the router, and Wireshark on the squid server shows that the GRE tunnel is receiving packets. The iptables rule that is meant to redirect all traffic from the GRE tunnel to the squid port shows that it's getting hits (iptables -t nat -nvL PREROUTING). The thing is - squid logs don't show that it's receiving any kind of requests. The client machine (the only machine that WCCP should be sending HTTP traffic to squid from) basically can't load any web page once the squid daemon is started on the squid server - it just times out. Is there something wrong with the iptables rule? Could it be something else? I have a feeling it's just one simple thing I'm missing somewhere. Here are the different sections:
Cisco router:
ip wccp web-cache redirect-list 120 group-list 10
!
ip address 192.168.13.1 255.255.255.0
ip wccp web-cache redirect in
!
ip access-list standard 10
ip access-list extended 120
 deny ip host 10.10.10.2 any
 permit tcp host 192.168.13.250 any eq www
 deny ip any any
Squid server (Linux):
# GRE tunnel that terminates the WCCP redirect from the router
ip tunnel add gre1 mode gre remote [external IP of router] local 10.10.10.2 dev eth0
ip addr add 10.10.10.2/32 dev gre1
ip link set gre1 up
# forwarding on, reverse-path filtering off so packets arriving via gre1 are not dropped
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre1/rp_filter
# send port-80 traffic coming out of the tunnel to the transparent squid port
iptables -t nat -A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.10.2:3128
squid.conf:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 192.168.13.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
wccp2_service standard 0
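Added example, not code from the post or from Squid/IOS: a small first-match evaluator for the extended redirect-list 120 above, showing which packets WCCP hands to the cache. It models only the ACE forms that appear on this page (any, host, address plus wildcard mask, and "eq" on the destination port) together with the implicit deny at the end of a Cisco ACL; the 198.51.100.10 destination used in the comments is a constructed value.

```python
import ipaddress

# Constructed copy of the post's redirect-list 120. Cisco ACLs are evaluated
# top-down, first match wins, and anything unmatched hits the implicit deny.
REDIRECT_LIST_120 = """
deny ip host 10.10.10.2 any
permit tcp host 192.168.13.250 any eq www
deny ip any any
"""

NAMED_PORTS = {"www": 80, "ftp": 21, "domain": 53}  # keyword ports used in IOS ACLs

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)  # IOS wildcard masks are inverted netmasks
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def parse_ace(line):
    """Parse one entry: ACTION PROTO SRC DST [eq PORT] (destination port only)."""
    tokens = line.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = NAMED_PORTS.get(tokens[1]) or int(tokens[1])
    return (action, proto, src, dst, dport)

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def acl_decision(acl, src_ip, dst_ip, proto="tcp", dport=None):
    """Return (action, index of the matching entry); ('deny', None) is the implicit deny.
    For a WCCP redirect-list, 'permit' means the packet is sent to the cache."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (action, p, src, dst, port) in enumerate(acl):
        if p != "ip" and p != proto:        # 'ip' matches every protocol
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None
```

Running acl_decision over the parsed list shows the three cases the ACL is built for: Squid's own upstream fetches from 10.10.10.2 hit the first deny (so they are never looped back into the tunnel), the client's port-80 traffic is permitted by the second entry, and the client's port-443 traffic falls through to the final deny and is never redirected.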
Wow! After weeks of trying to get this to work (on and off), and reading every howto on google relating to wccp and squid, I finally came across a line on some website that read:
"For Squid to work with WCCP2 and the Cisco firewall, the Squid server must be on a common subnet with the web client..."
As soon as I made this happen, everything finally started working.
Thanks for your reply,
I think that talking about squid cache in all forums on the internet will kill the post, I don't know why.
It may be that most people don't like to deal with it.
Anyway, I would like to ask you special questions about only squid operation in Linux.
Can I ask you??
If you have a squid question for me that has nothing to do with this topic, you might want to send me a private message instead of continuing to post here. Also, I'm not a squid expert, and you might be better off trying the squid mailing lists where the real experts are:
They are always active, and always happy to answer squid questions.