Re: [squid-users] Unable to make Squid work as a transparent proxy (Squid 3.1.7, Linux Debian, WCCP2)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 07 Nov 2010 17:12:23 +1300

On 06/11/10 04:50, Leonardo wrote:
> Hi all,
>
> I have compiled and installed Squid 3.1.7 on a Linux 2.6.26 (Debian
> 5.0.5), and successfully tested it as a non-transparent proxy (i.e.
> the proxy address:port is explicitly specified in the web browser).
>
> Now I need to use it to do transparent proxying. For this, I'm
> following the example at
> http://wiki.squid-cache.org/ConfigExamples/Intercept/CiscoAsaWccp2 .
> The clients will be on subnet 10.11.1.0/24. $ROUTER_IP and $SQUID_IP
> are both on the subnet 10.8.0.0/16.
>
> Squid has been compiled as follows:
> configure options: '--enable-linux-netfilter' '--enable-wccp'
> '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid'
> '--srcdir=.' '--datadir=/share/squid' '--sysconfdir=/etc/squid'
> 'CPPFLAGS=-I../libltdl' --with-squid=/root/squid-3.1.7
> --enable-ltdl-convenience
>
>
> ======= Squid configuration: =======
>
> File /etc/rc.local :
>
> modprobe ip_gre
> ip tunnel add wccp0 mode gre remote $ROUTER_IP local $SQUID_IP dev eth0
> ifconfig wccp0 $SQUID_IP netmask 255.255.255.255 up
> # note the space before ">": "echo 0>file" redirects fd 0, not stdout, and writes nothing
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3128
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
>
> File /etc/squid/squid.conf : I am basically using the default config,
> adding only the commands for transparent proxying:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> acl localnet src 10.0.0.0/8
> acl localnet src fc00::/7
> acl localnet src fe80::/10
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> # Transparent proxying
> http_port 3128 transparent

http_port 3128 intercept

You will also need a separate port for the normal browser-configured and
management requests. 3.1 will reject these if sent to a NAT interception
port.

> wccp2_router $ROUTER_IP
> wccp2_forwarding_method gre
> wccp2_return_method gre
> wccp2_service standard 0
>
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> # We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /var/cache 50000 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/cache
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ======= =======
>
>
> ======= Configuration of the router, a Cisco ASA 5520 firewall: =======
>
> access-list wccp_redirect extended deny ip host $SQUID_IP any
> access-list wccp_redirect extended permit tcp 10.11.1.0 255.255.255.0 any eq www
> wccp web-cache redirect-list wccp_redirect
> wccp interface inside web-cache redirect in
>
> ======= =======
>
>
> This does not work. The browser gives an error "Unable to connect to
> remote server" after a timeout.
>
> Here is the output of "tcpdump -vvnn -i eth0 port 2048" on the Squid machine:
> 15:05:01.279896 IP (tos 0x0, ttl 64, id 22913, offset 0, flags [none],
> proto UDP (17), length 172) $SQUID_IP.2048> $ROUTER_IP.2048: UDP,
> length 144
> 15:05:01.280090 IP (tos 0x0, ttl 255, id 5011, offset 0, flags [none],
> proto UDP (17), length 168) $ROUTER_IP.2048> $SQUID_IP.2048: UDP,
> length 140
> 15:05:11.279893 IP (tos 0x0, ttl 64, id 22914, offset 0, flags [none],
> proto UDP (17), length 172) $SQUID_IP.2048> $ROUTER_IP.2048: UDP,
> length 144
> 15:05:11.280083 IP (tos 0x0, ttl 255, id 20123, offset 0, flags
> [none], proto UDP (17), length 168) $ROUTER_IP.2048> $SQUID_IP.2048:
> UDP, length 140
>
> This is what I see on the Cisco ASA when I turn debugging on with
> "debug ip wccp packets":
> WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 000001ED
> WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP w/ rcv_id 000001EE
> WCCP-PKT:S00: Received valid Here_I_Am packet from $SQUID_IP w/rcv_id 000001EE
> WCCP-PKT:S00: Sending I_See_You packet to $SQUID_IP w/ rcv_id 000001EF
>

So the WCCP updates are working.

Also check the squid access.log. This will determine whether it is the
ASA side or the Internet side of Squid which then needs to be tcpdumped
for port 80 to find out what's going on.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.2
Received on Sun Nov 07 2010 - 04:12:28 MST
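Added example, not code from the thread or from the Squid project: a small POSIX sh helper that ties Amos's two points together. It emits the Linux-side WCCP/GRE interception setup as a dry run (with the `echo 0>file` redirection bug corrected to `echo 0 > file`, since `0>` redirects fd 0 and never writes the sysctl), shows the two-port `http_port` layout he asks for, and triages Squid's native access.log to decide which side of Squid to tcpdump. `$ROUTER_IP`/`$SQUID_IP` are the post's placeholders; using 3129 as the intercept port so that 3128 stays a plain port, the sample log lines, and the specific tcpdump filters are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). ROUTER_IP/SQUID_IP are placeholders as
# in the post; 3129 as the intercept port is an assumption so that 3128 remains free for
# browser-configured and cachemgr requests, which 3.1 rejects on a NAT interception port.

# Emit the Linux-side WCCP/GRE setup as commands (dry run).
# Apply on the Squid box with:  wccp_setup $ROUTER_IP $SQUID_IP | sh
# "echo 0 > file" must have the space: "echo 0>file" redirects fd 0, not stdout.
wccp_setup() {
  router="$1"; squid="$2"
  cat <<EOF
modprobe ip_gre
ip tunnel add wccp0 mode gre remote $router local $squid dev eth0
ifconfig wccp0 $squid netmask 255.255.255.255 up
echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
iptables -t nat -A POSTROUTING -j MASQUERADE
EOF
}

# squid.conf port lines: a plain port for explicit/cachemgr use plus the intercept port.
squid_ports() {
  cat <<'EOF'
http_port 3128
http_port 3129 intercept
EOF
}

# Triage Squid's native access.log (file argument, or stdin). Prints one of:
#   no-requests      nothing reached Squid       -> capture between the ASA and Squid
#   acl-denied       every request hit http_access deny (or the wrong http_port)
#   origin-failures  every request ended in 5xx  -> capture between Squid and the Internet
#   ok               at least one request was served
triage_access_log() {
  awk '
    NF >= 9 {
      total++
      split($4, rs, "/")                  # field 4 is e.g. TCP_MISS/503
      if (rs[1] == "TCP_DENIED")        denied++
      else if (rs[2] ~ /^5[0-9][0-9]$/) failed++
    }
    END {
      if (total == 0)           print "no-requests"
      else if (denied == total) print "acl-denied"
      else if (failed == total) print "origin-failures"
      else                      print "ok"
    }' "$@"
}

# Map a triage verdict to the port-80 capture Amos suggests (filters are assumptions).
tcpdump_hint() {
  case "$1" in
    no-requests)     echo "tcpdump -ni eth0 ip proto 47; tcpdump -ni wccp0 tcp port 80" ;;
    origin-failures) echo "tcpdump -ni eth0 tcp port 80 and not net 10.11.1.0/24" ;;
    acl-denied)      echo "review http_access and http_port (intercept vs plain) in squid.conf" ;;
    *)               echo "none needed" ;;
  esac
}

# Constructed sample access.log lines in Squid native format (not from the thread).
sample_origin_failures() {
  cat <<'EOF'
1289088301.279  60001 10.11.1.25 TCP_MISS/503 0 GET http://www.example.com/ - NONE/- text/html
1289088361.512  60003 10.11.1.26 TCP_MISS/503 0 GET http://www.example.org/ - NONE/- text/html
EOF
}
sample_ok() {
  cat <<'EOF'
1289088301.279    120 10.11.1.25 TCP_MISS/200 5432 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1289088302.003     15 10.11.1.25 TCP_HIT/200 1200 GET http://www.example.com/logo.png - NONE/- image/png
EOF
}

# Usage on a live box:  verdict=$(triage_access_log /var/log/squid/access.log); tcpdump_hint "$verdict"
```

An empty access.log while the browser is timing out means the redirected packets never reach Squid, so the GRE decapsulation, `rp_filter` and the PREROUTING rule are the suspects; a log full of 5xx entries means interception works and the problem is Squid's own outbound path (routing or the MASQUERADE rule).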
