Re: [squid-users] CentOS/Squid/Tproxy but no transfer

From: Tom Penndorf <tpenndorf_at_seibert-media.net>
Date: Fri, 10 Jul 2009 08:41:42 +0200

On 10.07.2009 at 08:19, Behnam B.Marandi wrote:

> Thanks for the quick reply.
>
> I did set "ip wccp web-cache" in the router config but;
>
> #sh ip wccp web-cache detail
> No information is available for the service.
>

Try to debug WCCP:
#debug wccp packet

Can you see any packets from your squid engine?

>
> In case of access-list, what I got from step 35 is that access-list
> just used for excluding specific web sites from redirecting to
> cache. Otherwise I don't know how and where (in router config or
> squid config) to put an access-list.
>

OK, I haven't had to configure a Cisco router for some time.

> Behnam.
>
>
>
>
> Tom Penndorf wrote:
>
>> Hi,
>>
>>
>> On 10.07.2009 at 07:29, Behnam B.Marandi wrote:
>>
>>> I did set up a full transparent caching machine based on Nicholas
>>> Ritter's guide:
>>> http://www.mail-archive.com/squid-users@squid-cache.org/msg65056.html
>>> Cache machine is a CentOS 5.3
>>> Router is:
>>> IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)T8, RELEASE SOFTWARE (fc1)
>>>
>>> Squid config is;
>>> http_port 194.225.241.40:5119 tproxy disable-pmtu-discovery=always
>>> wccp2_router xx.xx.241.39
>>> wccp_version 4
>>> wccp2_rebuild_wait off
>>> wccp2_forwarding_method 1
>>> wccp2_return_method 1
>>> wccp2_assignment_method 1
>>> wccp2_service dynamic 80
>>> wccp2_service dynamic 90
>>> wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
>>> wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80
>>> acl manager proto cache_object
>>> acl localhost src 127.0.0.1/32
>>> acl to_localhost dst 127.0.0.0/8
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>> acl localnet src xx.xx.240.0/20
>>> acl SSL_ports port 443
>>> acl Safe_ports port 80 # http
>>> acl Safe_ports port 21 # ftp
>>> acl Safe_ports port 443 # https
>>> acl Safe_ports port 70 # gopher
>>> acl Safe_ports port 210 # wais
>>> acl Safe_ports port 1025-65535 # unregistered ports
>>> acl Safe_ports port 280 # http-mgmt
>>> acl Safe_ports port 488 # gss-http
>>> acl Safe_ports port 591 # filemaker
>>> acl Safe_ports port 777 # multiling http
>>> acl CONNECT method CONNECT
>>> http_access allow manager localhost
>>> http_access deny manager
>>> http_access deny !Safe_ports
>>> http_access deny CONNECT !SSL_ports
>>> http_access allow localnet
>>> http_access deny all
>>> cache_dir ufs /var/spool/squid 4000 16 256
>>> hierarchy_stoplist cgi-bin ?
>>> refresh_pattern ^ftp: 1440 20% 10080
>>> refresh_pattern ^gopher: 1440 0% 1440
>>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>>> refresh_pattern . 0 20% 4320
>>> coredump_dir /usr/local/squid/var/cache
>>> visible_hostname tco53
>>>
>>> I'm not sure whether the IOS version is critical or not, and in the case of
>>> "wccp2_rebuild_wait" I had to set it to "off" so the router can see
>>> the cache machine:
>>>
>>> 6#sh ip wccp
>>> Global WCCP information:
>>> Router information:
>>> Router Identifier: xx.xx.241.39
>>> Protocol Version: 2.0
>>>
>>> Service Identifier: web-cache
>>> Number of Cache Engines: 0
>>> Number of routers: 0
>>> Total Packets Redirected: 0
>>> Redirect access-list: -none-
>>> Total Packets Denied Redirect: 0
>>> Total Packets Unassigned: 0
>>> Group access-list: -none-
>>> Total Messages Denied to Group: 0
>>> Total Authentication failures: 0
>>>
>>> Service Identifier: 80
>>> Number of Cache Engines: 1
>>> Number of routers: 1
>>> Total Packets Redirected: 0
>>> Redirect access-list: -none-
>>> Total Packets Denied Redirect: 0
>>> Total Packets Unassigned: 0
>>> Group access-list: -none-
>>> Total Messages Denied to Group: 0
>>> Total Authentication failures: 0
>>>
>>> Service Identifier: 90
>>> Number of Cache Engines: 1
>>> Number of routers: 1
>>> Total Packets Redirected: 0
>>> Redirect access-list: -none-
>>> Total Packets Denied Redirect: 0
>>> Total Packets Unassigned: 0
>>> Group access-list: -none-
>>> Total Messages Denied to Group: 0
>>> Total Authentication failures: 0

What are the last 2 entries? Are they your squid machine, too?

>>
>>
>> As you can see, the router isn't redirecting the traffic to the
>> proxy. Please send the output of "show ip wccp detail". Also you
>> haven't defined any access-list for redirecting, so the router
>> doesn't know which traffic to redirect.
>>
>>
>>
>>>
>>> Clients can browse web but there is no transfer between router and
>>> cache machine:
>>> [root_at_tco53 ~]# ifconfig
>>> eth0 Link encap:Ethernet HWaddr 00:10:22:FE:6E:EC
>>> inet addr:xx.xx.241.40 Bcast:194.225.241.63 Mask:255.255.255.192
>>> inet6 addr: fe80::210:22ff:fefe:6eec/64 Scope:Link
>>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>>> RX packets:83610 errors:0 dropped:0 overruns:1 frame:0
>>> TX packets:24135 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:1000
>>> RX bytes:7179021 (6.8 MiB) TX bytes:3493119 (3.3 MiB)
>>> Interrupt:5
>>>
>>> gre0 Link encap:UNSPEC HWaddr 00-00-00-00-AC-BF-F4-6F-00-00-00-00-00-00-00-00
>>> inet addr:xx.xx.241.40 Mask:255.255.255.192
>>> UP RUNNING NOARP MTU:1476 Metric:1
>>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:0
>>> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
>>>
>>> lo Link encap:Local Loopback
>>> inet addr:127.0.0.1 Mask:255.0.0.0
>>> inet6 addr: ::1/128 Scope:Host
>>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>>> RX packets:10097 errors:0 dropped:0 overruns:0 frame:0
>>> TX packets:10097 errors:0 dropped:0 overruns:0 carrier:0
>>> collisions:0 txqueuelen:0
>>> RX bytes:424456 (414.5 KiB) TX bytes:424456 (414.5 KiB)
>>>
>>> [root_at_tco53 ~]# cat /etc/rc.local
>>> ifconfig gre0 194.225.241.40 netmask 255.255.255.192 up
>>> touch /var/lock/subsys/local
>>> ip rule add fwmark 1 lookup 100
>>> ip route add local 0.0.0.0/0 dev lo table 100
>>> echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
>>> /usr/local/squid/sbin/squid
>>>
>>> I compiled GRE into the kernel, so there is no need to modprobe it:
>>> CONFIG_NET_IPGRE=y
>>> CONFIG_NET_IPGRE_BROADCAST=y
>>>
>>> [root_at_tco53 ~]# ip ru sh
>>> 0: from all lookup 255
>>> 32765: from all fwmark 0x1 lookup 100
>>> 32766: from all lookup main
>>> 32767: from all lookup default
>>>
>>> [root_at_tco53 ~]# ip ro sh ta 100
>>> local default dev lo scope host
>>>
>>> [root_at_tco53 ~]# cat /etc/sysconfig/iptables
>>> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [26:3416]
>>> :RH-Firewall-1-INPUT - [0:0]
>>> -A INPUT -i gre0 -j ACCEPT
>>> -A INPUT -p gre -j ACCEPT
>>> -A INPUT -i eth0 -p gre -j ACCEPT
>>> -A INPUT -j RH-Firewall-1-INPUT
>>> -A FORWARD -j RH-Firewall-1-INPUT
>>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
>>> -A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 55936 -j ACCEPT
>>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>> -A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
>>> COMMIT
>>> # Completed on Sun Jul 5 17:04:57 2009
>>> # Generated by iptables-save v1.4.3.2 on Sun Jul 5 17:04:57 2009
>>> *mangle
>>> :PREROUTING ACCEPT [10:1680]
>>> :INPUT ACCEPT [38:3760]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [26:3416]
>>> :POSTROUTING ACCEPT [26:3416]
>>> :DIVERT - [0:0]
>>> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>>> -A DIVERT -j ACCEPT
>>> -A PREROUTING -p tcp -m socket -j DIVERT
>>> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 5119 --on-ip xx.xx.241.40 --tproxy-mark 0x1/0x1
>>> COMMIT
>>> # Completed on Sun Jul 5 17:04:57 2009
>>>
>>> I don't know where this line came from: "-A RH-Firewall-1-INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT"
>>>
>>> I guess that despite the router identifying the cache machine, it is
>>> not qualified by the router to route web traffic through it.
>>> I don't know how to debug this; any idea to help this out would be
>>> greatly appreciated.
>>> Behnam.
>>
>> Tom
>>
>>
Received on Fri Jul 10 2009 - 06:41:48 MDT

This archive was generated by hypermail 2.2.0 : Fri Jul 10 2009 - 12:00:02 MDT
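The two dumps that carry the diagnosis in this thread are the router's `sh ip wccp` output (services 80 and 90 have a cache engine registered but "Total Packets Redirected: 0", and "web-cache" has no engine at all) and the cache machine's iptables-save file, where the ACCEPT for WCCP control traffic (UDP 2048 from the router) is appended after the chain's unconditional REJECT and therefore can never match. The script below is an added example, not code from the thread or from Squid; it parses both dumps and reports those findings. The sample inputs are constructed, abbreviated copies of the posted output, and `xx.xx.241.39` is kept as the anonymised router address the poster used.

```python
"""Added example (not from the thread): two checks over the dumps posted above.
1. parse `show ip wccp` output and flag services with no cache engine, or with
   an engine registered but zero redirected packets;
2. walk an iptables-save dump and flag rules appended after an unconditional
   terminating rule in the same chain, since those can never match.
"""

# Constructed, abbreviated copy of the `sh ip wccp` output in the thread.
SHOW_IP_WCCP = """\
Global WCCP information:
Router Identifier: xx.xx.241.39

Service Identifier: web-cache
Number of Cache Engines: 0
Number of routers: 0
Total Packets Redirected: 0
Redirect access-list: -none-

Service Identifier: 80
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-

Service Identifier: 90
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
"""

# Constructed, abbreviated copy of the poster's /etc/sysconfig/iptables.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s xx.xx.241.39/32 -p udp -m udp --dport 2048 -j ACCEPT
COMMIT
"""

# Targets that end processing of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_show_ip_wccp(text):
    """Return {service_id: {field: value}} from `show ip wccp` output."""
    services, current = {}, None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None:     # field belongs to the current service
            current[key] = value
    return services


def wccp_findings(services):
    """Return (service_id, problem) pairs worth chasing on the router."""
    findings = []
    for sid, fields in services.items():
        engines = int(fields.get("Number of Cache Engines", "0"))
        redirected = int(fields.get("Total Packets Redirected", "0"))
        if engines == 0:
            findings.append((sid, "no cache engine registered"))
        elif redirected == 0:
            findings.append((sid, "engine registered but 0 packets redirected"))
    return findings


def unreachable_rules(dump):
    """Return '-A' lines that follow an unconditional terminating rule in their chain.

    '-A CHAIN -j TARGET ...' with no match options matches every packet, so any
    rule appended to that chain afterwards is dead. Chains are tracked per
    table because chain names repeat across tables.
    """
    terminated, dead = set(), []
    for line in dump.splitlines():
        if line.startswith("*"):          # new table: chain names start over
            terminated.clear()
        if not line.startswith("-A "):
            continue
        parts = line.split()
        chain = parts[1]
        if chain in terminated:
            dead.append(line)
        elif len(parts) >= 4 and parts[2] == "-j" and parts[3] in TERMINATING:
            terminated.add(chain)
    return dead


if __name__ == "__main__":
    for sid, problem in wccp_findings(parse_show_ip_wccp(SHOW_IP_WCCP)):
        print(f"WCCP service {sid}: {problem}")
    for rule in unreachable_rules(IPTABLES_SAVE):
        print(f"unreachable rule: {rule}")
```

Reading the two results together: the squid.conf in the thread advertises dynamic services 80 and 90, not the standard "web-cache" service (id 0), so the router command `ip wccp web-cache` from the reply above creates a service group that this Squid never joins, which is consistent with "web-cache" showing 0 cache engines. Services 80 and 90 are registered but redirect nothing, which is the condition `debug wccp packet` and `show ip wccp detail` are meant to narrow down; on IOS the service must also be attached to the client-facing interface with `ip wccp 80 redirect in` (and likewise for 90) before any packets are redirected. The dead UDP 2048 rule does not by itself break registration, because the router's replies to Squid's own "Here I Am" messages are let in by the RELATED,ESTABLISHED rule, but the rule as written never matches and should be moved above the REJECT.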