Tuesday, September 23, 2014

Transparent proxy with squid-cache using the WCCP protocol

1- information
- cisco router:
  - interface f0/0: internet
  - interface f0/1: proxy --
  - interface f1/0: client --
- proxy linux:
  - eth0:

2- router configuration

hostname wccp

! enable wccp and redirection
ip wccp version 2
ip wccp web-cache redirect-list 110 group-list 10
ip cef
interface FastEthernet0/0
 ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
interface FastEthernet0/1
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
interface FastEthernet1/0
 ip address

! enable redirection on the interface connected to the clients
 ip wccp web-cache redirect in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
ip route
ip http server
no ip http secure-server
ip nat inside source list 2 interface FastEthernet0/0 overload
access-list 2 permit
access-list 2 permit
access-list 2 permit
access-list 10 permit
access-list 110 deny   ip host any
access-list 110 permit tcp any eq www
access-list 110 permit tcp any eq www

3- linux configuration

# GRE tunnel that receives the redirected packets; 'remote' is the router's
# WCCP Router Identifier (see note 2), 'local' is this host's eth0 address
ip tunnel add grew0 mode gre remote local dev eth0
ifconfig grew0 up
# forward the decapsulated packets instead of dropping them
echo 1 > /proc/sys/net/ipv4/ip_forward
# redirected packets arrive over the tunnel carrying the clients' source
# addresses, which reverse-path filtering would otherwise discard
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/grew0/rp_filter
# these /proc writes do not survive a reboot; persist them in /etc/sysctl.conf
# rewrite only the port-80 traffic that arrived over the tunnel and point it
# at squid's intercept port (3127 in the squid.conf below)
iptables -t nat -A PREROUTING -i grew0 -p tcp --dport 80 -j DNAT --to-destination

4- squid configuration

# port that receives the DNAT'ed traffic; squid 2.x/3.0 spell the option
# 'transparent', squid 3.1 and later 'intercept'
http_port 3127 intercept
# ordinary explicit-proxy port
http_port 3128
# router to register with: the address of the router interface facing the proxy
# (required; without it squid never sends HERE_I_AM to the router)
wccp2_router
# 1 = GRE encapsulation for redirected and returned packets, matching the tunnel above
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_assignment_method hash
# standard service 0 is the web-cache group enabled on the router
wccp2_service standard 0

5- show ip wccp on cisco router

wccp#show ip wccp
Global WCCP information:
    Router information:
        Router Identifier:         
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        2596
          Process:                           0
          Fast:                              0
          CEF:                               2596
        Redirect access-list:                110
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            611
        Group access-list:                   10
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

wccp#show ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:
        Protocol Version:        2.0
        State:                   Usable
        Initial Hash Info:       00000000000000000000000000000000
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  1682
        Connect Time:            01:07:45
        Bypassed Packets
          Process:               0
          Fast:                  0
          CEF:                   0
          Errors:                0
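As an added example (not code from the original post), a small Python checker that parses the two show commands above and flags the states that leave WCCP registered but traffic flowing unproxied: no client, authentication failures, a client that is not Usable, a partial hash allotment, or a Router Identifier that differs from the address the proxy's GRE tunnel points at. The sample output is constructed from the listing, with RFC 5737 placeholder addresses standing in for the router and proxy addresses the post omits; the `expected_router_id` parameter is this example's own name.

```python
"""Health check for the two 'show ip wccp' listings above.

Added example, not code from the original post: it parses the output of
'show ip wccp' and 'show ip wccp web-cache detail' and reports the states
that leave the service group registered but traffic flowing unproxied.
"""
import re

# Constructed sample output modelled on the post's listing. The addresses are
# RFC 5737 placeholders standing in for the router and proxy the post omits.
SHOW_IP_WCCP = """\
Global WCCP information:
    Router information:
        Router Identifier:                   192.0.2.1
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        2596
          Process:                           0
          Fast:                              0
          CEF:                               2596
        Redirect access-list:                110
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            611
        Group access-list:                   10
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
"""

SHOW_WEB_CACHE_DETAIL = """\
WCCP Client information:
        WCCP Client ID:          192.0.2.10
        Protocol Version:        2.0
        State:                   Usable
        Initial Hash Info:       00000000000000000000000000000000
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  1682
        Connect Time:            01:07:45
"""

FIELD = re.compile(r"^\s*(.+?):\s+(\S.*?)\s*$")


def parse_fields(text):
    """Map 'Label:   value' lines to a dict; headings without a value are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def hash_allotment_pct(value):
    """'256 (100.00%)' -> 100.0; anything unparseable counts as 0."""
    m = re.search(r"\(([\d.]+)%\)", value)
    return float(m.group(1)) if m else 0.0


def check_wccp(global_out, detail_out, expected_router_id=None):
    """Return a list of problems; an empty list means the group looks healthy.

    expected_router_id is the address the proxy's GRE tunnel uses as 'remote'
    (the router interface facing the proxy, per note 2 below).
    """
    g = parse_fields(global_out)
    d = parse_fields(detail_out)
    problems = []
    if int(g.get("Number of Service Group Clients", "0")) < 1:
        problems.append("no client registered: squid never reached the router "
                        "(check wccp2_router and UDP/2048)")
    if int(g.get("Total Authentication failures", "0")) > 0:
        problems.append("authentication failures: service password mismatch "
                        "between router and squid")
    if int(g.get("Total Messages Denied to Group", "0")) > 0:
        problems.append("messages denied to group: proxy address is not "
                        "permitted by the group-list ACL")
    if d.get("State") != "Usable":
        problems.append("client state is %r, not Usable" % d.get("State"))
    if (g.get("Number of Service Group Clients") == "1"
            and hash_allotment_pct(d.get("Hash Allotment", "")) < 100.0):
        problems.append("single client holds only part of the hash buckets; "
                        "the rest of the traffic is forwarded unproxied")
    if expected_router_id and g.get("Router Identifier") != expected_router_id:
        problems.append("Router Identifier %s differs from the tunnel remote %s; "
                        "GRE packets will come from an address the tunnel ignores"
                        % (g.get("Router Identifier"), expected_router_id))
    return problems


if __name__ == "__main__":
    found = check_wccp(SHOW_IP_WCCP, SHOW_WEB_CACHE_DETAIL,
                       expected_router_id="192.0.2.1")
    print("\n".join(found) if found else "WCCP service group looks healthy")
```

Feed it the real output of the two commands (for example over SSH from a cron job) and pass the address configured as `remote` on the proxy's GRE tunnel; a non-empty result points at the exact counter or field to look at instead of a blind "nothing is being proxied".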

------- Note ----
1- squid must be built with --enable-linux-netfilter --enable-wccpv2
2- On IOS 12.4 the WCCP Router Identifier is assigned automatically as the highest IP address configured on the router (a loopback if one exists), and the GRE-encapsulated redirected packets are sourced from that address. The proxy's tunnel 'remote' must therefore be the Router Identifier and the proxy must be able to reach it; the simplest way is to make sure the interface connected to the proxy carries the router's highest address. Newer IOS releases add the command ip wccp source-interface, so you can just name the interface connected to the proxy.
