[squid-users] Assistance with WCCPv2 Setup with Cisco Router
Yuri Voinov
yvoinov at gmail.com
Tue Mar 21 19:13:14 UTC 2017
On 22.03.2017 1:04, Waldon, Cooper wrote:
>
> Hello All,
>
> I’m trying to set up a transparent proxy for http and https using
> Cisco Routers and Squid. I have followed the configuration examples
> that are listed under the wccp2 overview section
> (http://wiki.squid-cache.org/Features/Wccp2) of the squid wiki but I’m
> still having some issues.
>
> I have a little lab set up with a Cisco 7200 Router and a VM with
> CentOS running the proxy.
>
> The “WAN” IP of the Router is 192.168.0.23. The IP of the Squid Proxy
> is 192.168.0.24 and both have the default gateway of 192.168.0.1 which
> is the “ISP”.
>
> The Client is sitting on a LAN behind the Router in the 10.10.10.0/24
> subnet and is also sitting behind NAT.
>
> I believe that the router and proxy are communicating properly based
> on the information in the show ip wccp command on the router as it
> shows clients and routers as well as showing that packets are being
> forwarded:
>
> R3#show ip wccp
> Global WCCP information:
> Router information:
> Router Identifier: 192.168.0.23
> Configured source-interface: GigabitEthernet5/0
>
> Service Identifier: web-cache
> Protocol Version: 2.00
> Number of Service Group Clients: 1
> Number of Service Group Routers: 1
> Total Packets Redirected: 1079
> Process: 0
> CEF: 1079
> Service mode: Open
> Service Access-list: -none-
> Total Packets Dropped Closed: 0
> Redirect access-list: 100
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 0
> Group access-list: 10
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
> Total GRE Bypassed Packets Received: 0
> Process: 0
> CEF: 0
> GRE tunnel interface: Tunnel1
>
> Service Identifier: 70
> Protocol Version: 2.00
> Number of Service Group Clients: 1
> Number of Service Group Routers: 1
> Total Packets Redirected: 500
> Process: 0
> CEF: 500
> Service mode: Open
> Service Access-list: -none-
> Total Packets Dropped Closed: 0
> Redirect access-list: 100
> Total Packets Denied Redirect: 0
> Total Packets Unassigned: 0
> Group access-list: 10
> Total Messages Denied to Group: 0
> Total Authentication failures: 0
> Total GRE Bypassed Packets Received: 0
> Process: 0
> CEF: 0
> GRE tunnel interface: Tunnel0
>
> Here is the relevant squid wccp configuration:
>
> ----Output removed----
>
> # Squid normally listens to port 3128
> http_port 3128
> http_port 0.0.0.0:3129
>
> # WCCPv2 Parameters
> wccp2_router 192.168.0.23
> wccp2_forwarding_method 1
> wccp2_return_method 1
> wccp2_assignment_method hash
> wccp2_service standard 0
> wccp2_service dynamic 70
> wccp2_service_info 70 protocol=tcp flags=dst_ip_hash,src_ip_alt_hash,src_port_alt_hash priority=231 ports=443
>
> ----Output removed----
>
> I think that the issue lies with the iptables configuration as I do
> not see any packets being processed in the nat table. I have tried a
> few different methods such as:
>
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> or
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.24:3129
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.24:3129
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> I have also tried adding ACCEPT commands to the PREROUTING zone just
> in case the proxy is dropping the packets right away but that also
> doesn’t work.
>
1. Ports you are using for redirection in Squid should be defined as
'intercept':
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=VERIFY_CRL_ALL
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/etc/rootCA2.crt
key=/usr/local/squid/etc/rootCA2.key
tls-cafile=/usr/local/squid/etc/rootCA12.crt
options=SINGLE_DH_USE:SINGLE_ECDH_USE
tls-dh=secp384r1:/usr/local/squid/etc/dhparam.pem
cipher=HIGH:MEDIUM:RC4:3DES:!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS
tls-no-npn sslflags=VERIFY_CRL_ALL
(example from my config, DON'T copy-n-paste!)
2. HTTP and HTTPS ports should be different.
3. HTTPS port should be configured correctly.
http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoIOSv15Wccp2
Read carefully - almost everything is explained there.
>
> The proxy functions perfectly when the client is configured to use a
> proxy so there doesn’t appear to be any issues with routing or
> anything like that, it’s just the transparent proxying that isn’t working.
>
> If anyone has any suggestions of what I could try that would be
> greatly appreciated. Let me know if anything is unclear or if you
> need further clarification.
>
> Thank you,
>
> Cooper Waldon
>
> Cooper Waldon | Network Engineer | OTN | 416-446-4110 x 4473 | www.otn.ca <http://www.otn.ca/> | Service Desk 1-855-654-0888 x2
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
--
Bugs to the Future
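The three points in the reply (intercept ports, separate HTTP/HTTPS listeners, HTTPS on a properly configured https_port) can be checked mechanically before touching the router. The script below is an added example written for this page, not code from the thread or from the Squid project: it parses the http_port/https_port directives out of a squid.conf fragment and the nat PREROUTING rules that push port 80/443 traffic to Squid, then reports where the two disagree. The two config pairs embedded at the bottom are constructed, one mirroring the original post and one corrected; the port numbers 3126/3127 and the certificate paths under /etc/squid/ are illustrative assumptions.

```python
"""Cross-check Squid listening ports against the iptables rules that feed them.

Added example (not from the squid-users thread or the Squid project). Reports
a redirect target Squid does not listen on, a target not marked 'intercept',
port 80 and 443 sharing one listener, and port 443 sent to an http_port
instead of an https_port. All config fragments below are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class SquidPort:
    directive: str                              # "http_port" or "https_port"
    port: int
    options: set = field(default_factory=set)   # tokens after the port


@dataclass
class Redirect:
    dport: int      # client destination port matched by the rule (80 or 443)
    target: int     # Squid port the packet is sent to
    rule: str


def parse_squid_ports(conf: str) -> dict:
    """Map port -> SquidPort for every http_port/https_port directive."""
    ports = {}
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("http_port", "https_port"):
            continue
        # listen spec is PORT, IP:PORT or [IPv6]:PORT; the port is always last
        port = int(parts[1].rsplit(":", 1)[-1])
        ports[port] = SquidPort(parts[0], port, set(parts[2:]))
    return ports


_DPORT = re.compile(r"--dport\s+(\d+)")
_TARGET = re.compile(r"--to-ports?\s+(\d+)|--to-destination\s+\S*:(\d+)")


def parse_redirects(rules: str) -> list:
    """Extract (dport, target) from REDIRECT/DNAT rules in nat PREROUTING."""
    out = []
    for raw in rules.splitlines():
        rule = raw.strip()
        if "PREROUTING" not in rule:
            continue
        # Mail clients and web pages turn '--' into an en dash, which
        # iptables rejects; parse the ASCII form here and flag it in lint().
        ascii_rule = rule.replace("\u2013", "--").replace("\u2014", "--")
        dport, target = _DPORT.search(ascii_rule), _TARGET.search(ascii_rule)
        if dport and target:
            out.append(Redirect(int(dport.group(1)),
                                int(target.group(1) or target.group(2)), rule))
    return out


def lint(conf: str, rules: str) -> list:
    """Return findings as strings; an empty list means the two configs agree."""
    squid = parse_squid_ports(conf)
    findings = []
    targets = {}                    # dport -> set of Squid ports it is sent to
    for r in parse_redirects(rules):
        if "\u2013" in r.rule or "\u2014" in r.rule:
            findings.append(f"{r.rule}: non-ASCII dash, iptables expects '--'")
        targets.setdefault(r.dport, set()).add(r.target)
        sp = squid.get(r.target)
        if sp is None:
            findings.append(f"dport {r.dport} -> {r.target}: Squid has no port {r.target}")
            continue
        if "intercept" not in sp.options:
            findings.append(f"dport {r.dport} -> {r.target}: {sp.directive} {sp.port} lacks 'intercept'")
        if r.dport == 443 and sp.directive != "https_port":
            findings.append(f"dport 443 -> {r.target}: HTTPS needs an https_port with ssl-bump, not {sp.directive}")
    for port in sorted(targets.get(80, set()) & targets.get(443, set())):
        findings.append(f"port {port} receives both port-80 and port-443 traffic; use separate ports")
    return findings


# Constructed to mirror the original post: no 'intercept', one port for both.
ORIGINAL_CONF = "http_port 3128\nhttp_port 0.0.0.0:3129\n"
ORIGINAL_RULES = """
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
"""

# Corrected pair (illustrative ports and cert paths): separate intercept
# listeners, HTTPS on an https_port.
FIXED_CONF = """
http_port 3128
http_port 3126 intercept
https_port 3127 intercept ssl-bump cert=/etc/squid/rootCA.crt key=/etc/squid/rootCA.key
"""
FIXED_RULES = """
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-ports 3126
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 443 -j REDIRECT --to-ports 3127
"""

if __name__ == "__main__":
    for name, conf, rules in (("original", ORIGINAL_CONF, ORIGINAL_RULES),
                              ("fixed", FIXED_CONF, FIXED_RULES)):
        print(f"[{name}]")
        for finding in lint(conf, rules) or ["no findings"]:
            print("  " + finding)
```

Run against the original pair it reports four findings (both rules hit a listener without 'intercept', the 443 rule lands on an http_port, and 3129 serves both protocols); the corrected pair is clean. Once the configs agree, the remaining runtime check on the proxy is whether the nat PREROUTING counters move at all (iptables -t nat -L PREROUTING -v -n): if they stay at zero while the router's "Total Packets Redirected" climbs, the packets are not leaving the GRE tunnel on the wccp0 side, which is a tunnel/routing problem rather than a Squid one, and the Cisco IOS wiki page linked above covers that part.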