
To run Squid as a WCCP-attached transparent proxy we need to recompile the kernel with the firewall and IP forwarding options enabled. We use FreeBSD 7.0 as the server.

[root@proxy ~]# cd /usr/src/sys/i386/conf
[root@proxy ~]# cp GENERIC DCOM
[root@proxy ~]# vi DCOM

cpu I486_CPU
cpu I586_CPU
cpu I686_CPU
#ident GENERIC Commented on 29/06/08
ident DCOM #Change the ident name

# To statically compile in device wiring instead of /boot/device.hints
#hints "GENERIC.hints" # Default places to look for devices.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
# ipfw(4) built into the kernel; the /etc/rc.firewall rules later in this guide need it.
options IPFIREWALL
# The implicit final rule accepts instead of denies. The rc.firewall in this guide adds
# only a fwd rule and no deny rules, so this host filters nothing unless rules are added.
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
# Required for the "ipfw add fwd ..." rule that redirects port-80 traffic into Squid.
options IPFIREWALL_FORWARD

[root@proxy ~]# /usr/sbin/config DCOM
[root@proxy ~]# cd ../compile/DCOM
[root@proxy ~]# make depend
[root@proxy ~]# make
[root@proxy ~]# make install


Reboot the server.
Download the latest stable version of Squid.



[root@proxy ~]# wget http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE10.tar.gz
[root@proxy ~]# tar -zxvf squid-3.0.STABLE10.tar.gz
[root@proxy ~]# cd squid-3.0.STABLE10
[root@proxy ~]# ./configure --prefix=/usr/local --enable-async-io --enable-icmp --enable-useragent-log --enable-snmp --enable-cache-digests --enable-follow-x-forwarded-for --enable-storeio="aufs" --enable-removal-policies="heap,lru" --with-maxfd=16384 --enable-poll --disable-ident-lookups --enable-truncate --exec-prefix=/usr --bindir=/usr/local/sbin --sbindir=/usr/local/sbin --datadir=/usr/local/etc/squid --libexecdir=/usr/local/libexec/squid --enable-external-acl-helpers="ip_user session unix_group wbinfo_group" --enable-default-err-language=English --mandir=/usr/local/man --enable-ipfw-transparent 'i386-portbld-freebsd7.0' 'build_alias=i386-portbld-freebsd7.0' 'host_alias=i386-portbld-freebsd7.0' 'target_alias=i386-portbld-freebsd7.0' 'CC=cc' 'CFLAGS= -DNUMTHREADS=150 -O2 -fno-strict-aliasing -pipe ' 'LDFLAGS=' 'CPPFLAGS='
[root@proxy ~]# make
[root@proxy ~]# make install


Next we need to fine-tune our firewall and kernel parameters. Note that the `>` redirections below replace the entire contents of /boot/loader.conf and /etc/sysctl.conf; if those files already hold settings you need, append with `>>` instead.


[root@proxy ~]# echo 'if_gre_load="YES"' > /boot/loader.conf


Add the following lines to the /etc/rc.local


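# GRE tunnel that receives the WCCP-redirected traffic from the router. if_gre is loaded
# at boot by the if_gre_load line written to /boot/loader.conf above.
# "plumb" is accepted by FreeBSD ifconfig(8) as an alias for "create".
/sbin/ifconfig gre0 plumb
# link2 flag on the gre interface, kept as in the original; see gre(4) on this release for its meaning.
/sbin/ifconfig gre0 link2
# Outer (tunnel) addresses: this proxy's IP first, then the WCCP router's IP. The same pair
# appears in squid.conf as http_port 172.16.1.2 and wccp2_router 172.16.1.1.
/sbin/ifconfig gre0 tunnel 172.16.1.2 172.16.1.1
# Inner addresses: a placeholder pair used only to bring the tunnel interface up.
/sbin/ifconfig gre0 inet 192.192.192.1 192.192.192.2
/sbin/sysctl -w net.inet.icmp.icmplim=50
/sbin/sysctl -w net.inet.tcp.msl=3000
# NOTE(review): the original line read "kern. =65536"; the sysctl name did not survive
# extraction. Disabled rather than guessed -- restore the intended name before enabling it.
#/sbin/sysctl -w kern.<SYSCTL-NAME-LOST>=65536
# Must cover Squid's --with-maxfd=16384 from the configure line.
/sbin/sysctl -w kern.maxfiles=32768
/sbin/sysctl -w kern.ipc.somaxconn=8192
# Socket buffer sizes for the proxy's many client and origin connections.
/sbin/sysctl -w net.inet.tcp.sendspace=65535
/sbin/sysctl -w net.inet.tcp.recvspace=65535
/sbin/sysctl -w net.inet.udp.recvspace=65535
/sbin/sysctl -w net.local.stream.recvspace=65535
/sbin/sysctl -w net.local.stream.sendspace=65535
/sbin/sysctl -w kern.ipc.nmbclusters=32768
/sbin/sysctl -w kern.ipc.maxsockets=32768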
The gre0 tunnel line is the one to adjust: the first IP is the proxy server's IP and the second is the Cisco router's external IP. 192.192.192.1 and 192.192.192.2 on the gre0 inet line are dummy addresses used only to establish the GRE tunnel.

[root@proxy ~]# echo net.inet.ip.forwarding=1 > /etc/sysctl.conf


Add the following lines to /etc/rc.conf


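# rc.conf settings for the proxy host. Straight ASCII quotes are required: the curly quotes
# in the original are taken literally by sh, so rc would not see plain YES/NO values.
inetd_enable="NO"
keymap="us.iso"
linux_enable="YES"
# NOTE(review): this starts routed(8); nothing on this page shows dynamic routing in use -- confirm it is wanted.
router_enable="YES"
sendmail_enable="YES"
sshd_enable="YES"
squid_enable="YES"
# Loads /etc/rc.firewall at boot.
firewall_enable="YES"
# NOTE(review): "open" is handled by the stock /etc/rc.firewall; if that file is replaced by
# the two-line script in this guide, this setting has no effect. The kernel's
# IPFIREWALL_DEFAULT_TO_ACCEPT still leaves the ruleset accept-all either way.
firewall_type="open"
gateway_enable="YES"
# NOTE(review): nothing else on this page configures natd (no natd_interface/natd_flags); confirm it is needed.
natd_enable="YES"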


Lastly, add the following lines to /etc/rc.firewall


#!/bin/sh
# Normally read by rc.d/ipfw when firewall_enable="YES" is set in rc.conf.
# Flush any existing rules. With IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel config the
# remaining default rule accepts everything, so this script adds redirection only, no filtering.
ipfw -f flush
# Redirect HTTP (port 80) arriving on the WCCP GRE tunnel to Squid's loopback listener
# (http_port 127.0.0.1:8080 transparent in squid.conf). Needs IPFIREWALL_FORWARD.
# Traffic arriving on any other interface is not intercepted.
# NOTE(review): if this replaces the stock /etc/rc.firewall, firewall_type="open" in rc.conf
# no longer has any effect -- confirm the intended ruleset.
ipfw add fwd 127.0.0.1,8080 tcp from any to any 80 recv gre0

Reboot the server.

At this point we are done installing the proxy and tuning the firewall parameters. Next we configure the Squid proxy server.

With this build Squid's configuration file is /usr/local/etc/squid.conf. Back up the original squid.conf and use the following configuration.

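# ----- start of squid.conf file -----
# Cache-manager interface; the http_access rules below make it reachable from localhost only.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl DCOM src 172.16.0.0/16 # your ip block which are allowed to use the proxy.

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Order matters: the first matching rule wins. Manager access is localhost-only, unsafe
# ports and CONNECT to non-SSL ports are refused, requests aimed at 127.0.0.0/8 are
# refused, and then only localhost and the DCOM block may use the proxy.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localhost
http_access allow DCOM
http_access deny all
icp_access deny all
htcp_access deny all

# Intercept listeners: 127.0.0.1:8080 receives the ipfw "fwd" redirect from rc.firewall;
# 172.16.1.2:8080 is also reachable directly from the LAN, so the DCOM acl above is what
# limits who can use it.
http_port 172.16.1.2:8080 transparent
http_port 127.0.0.1:8080 transparent

hierarchy_stoplist cgi-bin ?


cache_mem 100 MB
maximum_object_size_in_memory 50 KB
cache_replacement_policy heap LFUDA
# NOTE(review): the build enabled the aufs store (--enable-storeio="aufs" in the configure
# line) but this cache_dir uses plain ufs; confirm which was intended.
cache_dir ufs /cache 18000 16 256

maximum_object_size 25600 KB
cache_swap_low 90
cache_swap_high 95

access_log /usr/local/var/logs/access.log squid
cache_log /usr/local/var/logs/cache.log
cache_store_log /usr/local/var/logs/store.log

logfile_rotate 10
# NOTE(review): this directory differs from the /usr/local/var tree used for the logs;
# confirm it exists and is writable by cache_effective_user.
pid_filename /usr/local/squid/squid.pid
buffered_logs on

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# The '?' is escaped so the pattern matches a literal query string (Squid's default form);
# the unescaped "(cgi-bin|?)" of the original is not a well-formed extended regex.
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320

quick_abort_min 0 KB
quick_abort_max 0 KB

half_closed_clients off
# Matches the chown squid:squid of /cache done below.
cache_effective_user squid

# WCCPv2 registration with the router that runs "ip wccp web-cache" (standard service 0).
# Forwarding/return method 1 is GRE, matching the gre0 tunnel in rc.local.
wccp2_router 172.16.1.1 # Router IP
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

# Split from the original line "icp_port 3130log_icp_queries off", which fused two directives.
icp_port 3130
log_icp_queries off
# NOTE(review): all name lookups go to an external public resolver; prefer an internal
# resolver if the 172.16.0.0/16 network has one.
dns_nameservers 4.2.2.2
hosts_file /etc/hosts

memory_pools off
client_db off
coredump_dir /cache

# ----- end of squid.conf file -----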
As the cache is stored in /cache, we need to create the directory and change its ownership.

[root@proxy ~]# mkdir /cache
[root@proxy ~]# chown squid:squid /cache
[root@proxy ~]# /usr/local/sbin/squid -k
[root@proxy ~]# /usr/local/sbin/squid


At this point our squid is installed. Next we configure the router to forward the HTTP traffic to the proxy server.


core-router# config t
core-router(config)# ip wccp web-cache redirect-list 110
core-router(config)# access-list 110 permit ip any any
core-router(config)# interface FastEthernet1/0
core-router(config-if)# ip wccp web-cache redirect out



Troubleshoot
To check whether we are receiving the HTTP requests from the router through the GRE tunnel, use the following commands.


[root@proxy ~]# tcpdump -nn -i re1 | grep gre-proto
[root@proxy ~]# tcpdump -nn -i gre0 | more


Check the log with `tail -f /usr/local/var/logs/access.log` (the access_log path set in squid.conf).