Software Effect Enterprises, Inc
Squid Notes

The following is the configuration I used to set up Squid on Fedora Core 6 and configure it to use WCCP with a Cisco router.



Cisco Router Settings

Interface ethernet0/0 is connected to the firewall of my network. All of the clients are connected to ethernet1/0 and ethernet1/1.

ip wccp version 1
ip wccp web-cache
interface Ethernet0/0
 ip wccp web-cache redirect out


Squid configuration on Fedora Core 6

edit /etc/sysctl.conf to say:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0

and reboot

Check your rp_filter settings for the gre interface and eth0 (or the ethernet interface you are using):

cat /proc/sys/net/ipv4/conf/all/rp_filter
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
cat /proc/sys/net/ipv4/conf/gre1/rp_filter
(they should all print out "0")

Put this at the TOP of /etc/sysconfig/iptables. Replace 10.9.7.99 with the IP address of the squid server.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 10.9.7.99:3128
COMMIT

Put these lines in the middle of the *filter section of the /etc/sysconfig/iptables. Replace 10.9.7.246 with the IP address of the router that is running WCCP

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.9.7.246 -p gre -j ACCEPT

Create a file named /usr/local/sbin/squidtunnel

#!/bin/bash
# Bring up the GRE tunnel that receives the WCCP-redirected traffic from the router.
# Set the next line to the ethernet interface that you are using on your squid server.
EINTERFACE=eth0
# Local address of that interface (parsed from the ifconfig output format of that era).
IPADDR=$(ifconfig "$EINTERFACE" | grep "inet addr" | awk -F ':' '{print $2}' | awk '{print $1}')
# Router address, read from the wccp_router line of squid.conf so it is configured in one place.
IPROUTER=$(grep '^wccp_router' /etc/squid/squid.conf | awk '{print $2}')

# set up tunnel for squid
modprobe ip_gre
iptunnel add gre1 mode gre remote "$IPROUTER" local "$IPADDR" dev "$EINTERFACE"
ifconfig gre1 127.0.0.2 up

##### end of /usr/local/sbin/squidtunnel

chmod 700 /usr/local/sbin/squidtunnel

edit /etc/rc.d/rc.local and add the following line to the end

/usr/local/sbin/squidtunnel

edit /etc/squid/squid.conf and make sure it contains the following (comments removed for brevity). Replace 10.9.7.246 with the IP address of the router that is running WCCP. Replace 10.9.0.0/21 with the IP address range of your client machines. If you have more than one network range (e.g. 10.1.1.0/24 and 10.1.10.0/24), list each range on the same "acl our_networks src" line, separated by spaces.

http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl our_networks src 10.9.0.0/21
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# http_access rules are evaluated in order and the first match wins, so the
# deny rules must come before the allow for our_networks or they never apply
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
wccp_router 10.9.7.246
coredump_dir /var/spool/squid
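Because the squid.conf, iptables and WCCP pieces above have to agree with each other (the same router address in wccp_router and in the GRE accept rule, the DNAT port equal to http_port, and a sane http_access order), here is an added cross-check script that is not part of the original notes. It parses constructed fragments in the style of the files above, using the page's placeholder addresses; point audit() at your own file contents to check a real install.

```python
import re
# Constructed sample fragments in the style of the page's files (not the author's own configs).
SQUID_CONF = """\
http_port 3128 transparent
http_access allow our_networks
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
wccp_router 10.9.7.246
"""
IPTABLES_RULES = """\
-A PREROUTING -i gre1 -d 0/0 -p tcp --dport 80 -j DNAT --to-destination 10.9.7.99:3128
-A RH-Firewall-1-INPUT -s 10.9.7.246 -p gre -j ACCEPT
"""

def parse_squid(text):
    """Return http_port, transparent flag, wccp_router and the ordered http_access rules."""
    port, transparent, router, access = None, False, None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "http_port":
            port = parts[1].rsplit(":", 1)[-1]      # "3128" or "ip:3128"
            transparent = "transparent" in parts[2:]
        elif parts[0] == "wccp_router":
            router = parts[1]
        elif parts[0] == "http_access":
            access.append((parts[1], parts[2:]))
    return port, transparent, router, access

def shadowed_denies(access, our_acl="our_networks"):
    """http_access is first-match: deny rules after 'allow <our_acl>' never fire for those clients."""
    for i, (action, acls) in enumerate(access):
        if action == "allow" and acls == [our_acl]:
            return [" ".join(a) for act, a in access[i + 1:]
                    if act == "deny" and a != ["all"]]
    return []

def audit(squid_text, rules_text):
    port, transparent, router, access = parse_squid(squid_text)
    findings = [] if transparent else ["http_port is missing 'transparent'"]
    findings += ["deny %s is shadowed by 'allow our_networks'" % r for r in shadowed_denies(access)]
    dnat = re.search(r"-j DNAT --to-destination \S+:(\d+)", rules_text)
    if not dnat or dnat.group(1) != port:
        findings.append("DNAT target port does not match http_port %s" % port)
    gre = re.search(r"-s (\S+) -p gre -j ACCEPT", rules_text)
    if not gre or gre.group(1) != router:
        findings.append("GRE ACCEPT source does not match wccp_router %s" % router)
    return findings
```

Run against the sample it reports the two deny rules that the early "allow our_networks" makes unreachable; with the allow moved below them the list is empty.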


This document last modified: Sunday May 29, 2005