Configuring multiple interception ports using WCCPv2
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
The Squid WCCPv2 implementation can intercept more than TCP port 80. The currrent implementation can create multiple arbitrary TCP and UDP ports.
There are a few caveats:
Squid will have to be configured to listen on each port - the wccp2_service configuration only tells WCCPv2 what to do, not Squid;
- WCCPv2 (as far as I know) can't be told to redirect random dynamic TCP sessions, only "fixed" service ports - so it can't intercept and cache the FTP data streams;
You could use Squid to advertise services which are handled by "other" software running on the server (for example, if you had a RealServer proxy which functioned you could use Squid to cache the web traffic and announce the RealMedia port interception and RealMedia to proxy.)
Here is an example of redirecting port 80 and port 8080 traffic to a Squid proxy server.
This configures a dynamic service group - group 80 - which is handed a bunch of details by the neighbour caches. I chose 80 because its "web and some other stuff", but it doesn't have to be 80 and it doesn't have to involve http (tcp port 80.) It could be 90, or 100, or 123.
! ip wccp 80 ! interface FastEthernet0/1 ip address 192.0.2.1 255.255.255.0 ip wccp 80 redirect in ip nat inside ip virtual-reassembly duplex auto speed auto !
This configuration covers the interception part - this Squid sits behind a NATted interface that is WCCPv2 intercepted. The Squid server sits on two network interfaces: an external interface with real a IP address that squid binds to with tcp_outgoing_address, and the internal 192.0.2.0/24 WCCPv2 intercept + NAT'ted address.
wccp2_service dynamic 80 wccp2_service_info 80 protocol=tcp priority=240 ports=80,8000,2080 wccp2_router 192.0.2.1:2048 http_port 192.0.2.10:3128 transparent vport=80 http_port 192.0.2.10:8000 transparent vport=8000 http_port 192.0.2.10:2080 transparent vport=2080
Linux interception configuration
eth0 is the external (public) IP address; eth1 is the internal IP address which is being WCCPv2 intercepted.
ip tunnel add gre0 mode gre remote 192.0.2.1 local 192.0.2.10 dev eth1 ifconfig gre0 inet 192.0.2.4 netmask 255.255.255.0 up echo 1 > /proc/sys/net/ipv4/ip_forward echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter iptables -F -t nat iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:3128 iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.0.2.10:8000 iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 2080 -j DNAT --to-destination 192.0.2.10:2080