Squid Web Cache wiki

Squid Web Cache documentation

🔗 Fully Transparent Interception with Squid-2, TPROXYv2 and WCCP

🔗 Outline

This is a work in progress (read: a place for Adrian to jot down TPROXY documentation notes as he’s coming up with the authoritative documentation.)

:information_source: The following documentation applies to Squid-2 WCCPv2 support and TPROXYv2 support running on a Linux box. If you have a newer version of the exact configuration options may differ.

:warning: Balabit now only support TPROXY v4.1 which has been integrated with the 3.1 squid code (see Features/Tproxy4)

:information_source: The configuration for Squid-3.1 is very different than the following documentation.

🔗 Usage

(stuff from emails from Steve Wilton)

The kernel and iptables need to be patched with the tproxy patches (and the tproxy include file needs to be placed in /usr/include/linux/netfilter_ipv4/ip_tproxy.h or include/netfilter_ipv4/ip_tproxy.h in the squid src tree).

TThe iptables rule needs to use the TPROXY target (instead of the REDIRECT target) to redirect the port 80 traffic to the proxy. Ie:

iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 80

The kernel must strip the GRE header from the incoming packets (either using the ip_wccp module, or by having a GRE tunnel set up in linux pointing at the router (no GRE setup is required on the router)).

wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

It is highly recommended that the above definitions be used for the two wccp services, otherwise things will break if you have more than 1 cache (specifically, you will have problems when the a web server’s name resolves to multiple ip addresses).

The http_port that you are redirecting to must have the transparent and tproxy options enabled as follows (modify the port as appropriate):

http_port 80 transparent tproxy

There must be a tcp_outgoing_address defined. This will need to be valid to satisfy any non-tproxied connections.

On the router, you need to make sure that all traffic going to/from the customer will be processed by both wccp rules. The way we have implemented this is to apply wccp service 80 to all traffic coming in from a customer-facing interface, and wccp service 90 applied to all traffic going out a customer-facing interface. We have also applied the wccp “exclude-in” rule to all traffic coming in from the proxy-facing interface. Ie:

interface GigabitEthernet0/3.100
 description ADSL customers
 encapsulation dot1Q 502
 ip address x.x.x.x y.y.y.y
 ip wccp 80 redirect in
 ip wccp 90 redirect out

interface GigabitEthernet0/3.101
 description Dialup customers
 encapsulation dot1Q 502
 ip address x.x.x.x y.y.y.y
 ip wccp 80 redirect in
 ip wccp 90 redirect out

interface GigabitEthernet0/3.102
 description proxy servers
 encapsulation dot1Q 506
 ip address x.x.x.x y.y.y.y
 ip wccp redirect exclude in

It’s highly recommended to turn httpd_accel_no_pmtu_disc on in the squid conf.

If you have some clients who set their proxy, it is recommended to use a separate port in squid for transparent/tproxy requests compared to clients with proxies set.

(next email)

The tproxy support in Squid-2.6 does not need to be run as root. It maintains root capabilities for network requests at all times (allowing the tproxy patch to work), without the need to maintain all root capabilities.

(next email)

I would like to add the following to my previous list of requirements for tproxy + wccpv2:

Can you please check that you’ve enabled ip_forwarding in your kernel. If that doesn’t work, I don’t know if the “vhost vport=80” is required in the http_port line in the squid config (we don’t have these options enabled on our proxies).

I use the ip_wccp module to make the kernel handle the GRE packets correctly (which works slightly differently from the ip_gre module). Do you have a GRE tunnel set up in linux? If so, what command are you running to set it up? I don’t have an example to give you here, but I’m sure other people are using the ip_gre module with wccp to handle the GRE packets, and should be able to help.

(reply from the user)

Hi, Steve

finally it work….

Here is my step :

Now, I will try tuning-up my box & squid.conf tommorow

🔗 Another Example

🔗 References

⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.

Categories: ConfigExample

Navigation: Site Search, Site Pages, Categories, 🔼 go up