Re: [squid-users] squid in load balanced wccpv2 configuration

From: Jiffy 1111 <jiffy1111_at_yahoo.com>
Date: Wed, 12 May 2010 07:03:59 -0700 (PDT)

--- On Sun, 5/9/10, Amos Jeffries <squid3_at_treenet.co.nz> wrote:

> From: Amos Jeffries <squid3_at_treenet.co.nz>
> Subject: Re: [squid-users] squid in load balanced wccpv2 configuration
> To: squid-users_at_squid-cache.org
> Date: Sunday, May 9, 2010, 6:55 AM
> Jiffy 1111 wrote:
> > Hi, all,
> >
> > In a nutshell, I am trying to install squid as a third proxy to alleviate some pressure from our two Bluecoat proxies into a currently working wccpv2 configuration.
> > We now have 5000+ users.
> >
> > My current squid configuration works perfectly fine in explicit mode.
> > The problem I am having, is that squid can't seem to join the wccp service groups.
> > I've tried the configuration examples from http://wiki.squid-cache.org/ConfigExamples/ to no avail.
> >
> > We have two Cisco 6513's in our core and we are using wccp to load balance between the proxies.
> >
> > I'm posting my sanitized configs hoping someone can shed some light on this and show me what my squid.conf, iptables and network interfaces should look like.
> > I would also appreciate any recommended settings for memory and disk use based on the hardware spec I am posting. This server will be dedicated to squid.
> >
> > Server:
> > cat /etc/redhat-release
> > Fedora release 12 (Constantine)
> >
> > rpm -qa squid
> > squid-3.1.1-1.fc12.i686
> >
> > 4 x Intel(R) Xeon(R) CPU 5160  @ 3.00GHz
> >
> > free -m
> >      total
> > Mem: 7991
> > 600 Gig on /var
> >
> > ip tunnel add wccp1 mode gre remote x.x.0.1 local x.x.1.77 dev eth0
> > ifconfig wccp1 inet x.x.1.76 netmask 255.255.255.192 up
> >
> > ifconfig
> > eth0
> > inet addr:x.x.1.77  Bcast:x.x.1.127  Mask:255.255.255.192
> >
> > wccp1
> > inet addr:x.x.1.76  P-t-P:x.x.1.76  Mask:255.255.255.192
> >
> > iptables:
> > echo 1 > /proc/sys/net/ipv4/ip_forward
> > echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
> > echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
> > echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> > echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> > echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
> > echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
> > iptables -F -t nat
> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT --to-destination x.x.1.77:20
> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT --to-destination x.x.1.77:21
> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT --to-destination x.x.1.77:1755
> > iptables -t nat -A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT --to-destination x.x.1.77:7070
> >
>
> DNAT used on TCP links (only) with no sign of a matching
> source fix-up. (MASQUERADE or SNAT).
>
> Everything else looks good at a quick glance.
>
> Amos
> -- Please be using
>   Current Stable Squid 2.7.STABLE9 or 3.1.3
>

Hi, Amos,

Thank you for the hint, but, I guess you are speaking about iptables. I am not overly familiar with that. Would you be so kind as to provide an example or an explanation for this set up?

I am in training this week and will be back in the office on Monday ready and willing to try this and if it works, provide a working config for others to reference.

Thanks again,
Jeff
Received on Wed May 12 2010 - 14:04:06 MDT
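
The gap pointed out in the quoted reply (DNAT rules with no matching SNAT or MASQUERADE) can be checked mechanically. The following is an added example, not code from this thread or from the Squid project: a shell function that reads nat-table rules in the `-A CHAIN ...` form printed by `iptables -S -t nat` and reports whether PREROUTING DNAT rules are accompanied by any source fix-up in POSTROUTING. The function names and the appended MASQUERADE line are constructed for the demonstration; the sample rules are the ones quoted above, with the thread's `x.x` placeholders kept.

```shell
#!/bin/sh
# Added example: audit nat-table rules for DNAT without a source fix-up.
# It only checks that a SNAT/MASQUERADE rule exists in POSTROUTING; it does
# not prove that the rule matches the same flows as the DNAT rules.

# Constructed sample input: the six DNAT rules quoted in the thread.
sample_rules() {
cat <<'EOF'
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.1.77:55555
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 20 -j DNAT --to-destination x.x.1.77:20
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 21 -j DNAT --to-destination x.x.1.77:21
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 443 -j DNAT --to-destination x.x.1.77:443
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 1755 -j DNAT --to-destination x.x.1.77:1755
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 7070 -j DNAT --to-destination x.x.1.77:7070
EOF
}

# Reads rules on stdin; prints "dnat=<n> fixup=<n> verdict=<OK|MISSING>".
audit_nat() {
  awk '
    $1 == "-A" {
      # Find the jump target of this rule (the word after -j).
      target = ""
      for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
      if ($2 == "PREROUTING" && target == "DNAT") dnat++
      if ($2 == "POSTROUTING" && (target == "SNAT" || target == "MASQUERADE")) fixup++
    }
    END {
      # DNAT present but no source rewrite anywhere in POSTROUTING.
      verdict = (dnat > 0 && fixup == 0) ? "MISSING" : "OK"
      printf "dnat=%d fixup=%d verdict=%s\n", dnat, fixup, verdict
    }'
}

# Rules exactly as posted: DNAT only.
sample_rules | audit_nat

# Same rules plus one constructed POSTROUTING line, to show the other verdict.
{ sample_rules; echo "-A POSTROUTING -j MASQUERADE"; } | audit_nat
```

On a live host the same function can be fed from `iptables -S -t nat | audit_nat`.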
