Several months ago I needed to use WCCPv2 with a Cisco 7206 router that has a network interface configured for it, using Squid-2.6.x and FreeBSD-6.x.
This how-to details the steps required to configure WCCP version 2 using FreeBSD 6.x and Squid 2.6.STABLE13, based on the information at:
http://teklimbu.wordpress.com/2007/10/10/configuring-wccp2-on-a-cisco-36207206-router-with-squid-2616-running-on-freebsd-6x/
NOTE: The blog shows the router configuration; I do not provide that information because I am not familiar with that part.
Cisco's WCCP (Web Cache Control Protocol) version 2 is used for sending web requests from clients to one or more Squid proxy servers. The WCCP feature allows us to redirect web traffic to our proxy servers, which in turn provide web caching, filtering, or other services, thus reducing transmission costs and download time.
With WCCP, we can build a "cache cluster" for load balancing, scaling, and fault tolerance.
For example, with two proxy servers, if one proxy server goes down, WCCP redirects clients' requests to the second, working proxy server.
In the rare circumstance where both or all of your proxy servers go down, WCCP detects the dead proxy servers and your Cisco router routes clients' web requests directly.
Note: Only Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of WCCP.
---------------------------------------------------------------------------------
How do WCCP and transparent intercepting Squid caches work?
A client's web browser makes a request, which reaches the Cisco router. The router intercepts the request and redirects it to a new location inside a generic routing encapsulation (GRE) frame, so the original packet is not modified.
A GRE tunnel is established between our FreeBSD Squid boxes and the Cisco 3620/7206 router.
All redirected requests from the router are encapsulated and sent down the GRE tunnel to our FreeBSD Squid caches.
The FreeBSD Squid boxes decapsulate the GRE traffic and redirect the WCCP packets to Squid.
This redirection is achieved transparently using FreeBSD IP forwarding and the IPFW firewall.
Squid pulls apart the request, then attempts to deliver the content either from the local cache or via a direct request to the origin server.
The content is then delivered back to the router for delivery to the originator (i.e. the client's browser).
---------------------------------------------------------------------------------
SQUID INSTALLATION.
First, build the squid port with the "--enable-wccpv2" option enabled; MAKE SURE YOU DO NOT HAVE WCCPV1 SUPPORT.
cd /usr/ports/www/squid
make clean
make SQUID_CONFIGURE_ARGS="--prefix='/usr/local' --sbindir='/usr/local/sbin' --bindir='/usr/local/sbin' --datadir='/usr/local/etc/squid' --sysconfdir='/usr/local/etc/squid' --localstatedir='/usr/local/squid' --enable-removal-policies='lru heap' --enable-basic-auth-helpers='NCSA PAM MSNT SMB YP' --enable-auth='basic ntlm digest' --enable-digest-auth-helpers='password' --enable-external-acl-helpers='ip_user session unix_group wbinfo_group' --enable-ntlm-auth-helpers='SMB' --enable-storeio='ufs diskd null' --disable-ident-lookups --enable-kqueue --enable-default-err-language='English' --enable-underscores i386-portbld-freebsd6.1 --enable-snmp --enable-largefile --enable-ipfilter --enable-wccpv2"
These are the steps required:
(1.) Prepare the kernel configuration file
cd /usr/src/sys/i386/conf/
cp GENERIC SQUID_WCCP
vi SQUID_WCCP
The copy must carry the name that config(8) is given in step 3 (SQUID_WCCP), since config looks for a file of that name in this directory; change its ident line to SQUID_WCCP as well.
(2.) Copy and paste the following parameters:
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
options NETGRAPH
options DEVICE_POLLING
options HZ=1000
The following parameters are adjusted to the 2 GB limit on the size of the squid process; I leave them only for reference, as the configuration made by the article's author.
options SHMSEG=128
options SHMMNI=256
options SHMMAX=50331648 # max shared memory segment size (bytes)
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=48 # number of message queue identifiers
options MSGSEG=768 # number of message segments
options MSGSSZ=64 # size of a message segment
options MSGTQL=4096 # max messages in system
(3.) Configure and compile your new kernel
(a.) config SQUID_WCCP
(b.) cd ../compile/SQUID_WCCP/
(c.) make cleandepend
(d.) make depend
(e.) make
(f.) make install
(g.) reboot
If all goes well, your kernel has been compiled! Reboot with your new kernel.
(4.) Create the GRE tunnel on your FreeBSD-6.x box
PUBLIC.IP.OF.SQUID=6.7.8.9
IP.OF.CISCO.ROUTER=1.2.3.4
ifconfig gre0 create
ifconfig gre0 6.7.8.9 10.20.30.40 netmask 255.255.255.255 link2 tunnel 6.7.8.9 1.2.3.4 up
10.20.30.40 is a dummy IP; since the tunnel works in one direction only, this IP does not matter.
See the Squid information at http://wiki.squid-cache.org/SquidFaq/InterceptionProxy: "Since the WCCP/GRE tunnel is one-way, Squid never sends any packets to 10.20.30.40 and that particular address doesn't matter."
Add the following lines to /etc/rc.conf so that the gre interface is brought up at boot.
For one IP on the router:
# begin rc.conf snippet
cloned_interfaces="gre0"
ifconfig_gre0="inet 6.7.8.9 10.20.30.40 netmask 255.255.255.255 link2 tunnel 6.7.8.9 1.2.3.4 up"
# end rc.conf snippet
(5.) Configuring WCCP on your squid box. Add/modify the following in your squid.conf
http_port 3128 transparent
wccp2_router 1.2.3.4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
(6.) Create the firewall rules to redirect web requests to Squid's port 3128 via the GRE tunnel.
rc.local file for one IP on the router and WCCPv2. These rules only add the GRE-fragment, SSH, SMTP, fwd and ICMP entries; they assume the remaining traffic (unfragmented GRE from the router, Squid's own outgoing connections, DNS) is allowed elsewhere in your rule set, since the kernel's implicit rule 65535 denies everything not explicitly permitted.
### Increase TCP window ###
/sbin/sysctl -w net.inet.tcp.sendspace=32768
/sbin/sysctl -w net.inet.tcp.recvspace=65536
/sbin/sysctl -w net.inet.tcp.local_slowstart_flightsize=4
### Block Synflood Attacks ###
/sbin/sysctl -w kern.ipc.somaxconn=1024
/sbin/sysctl -w net.inet.ip.portrange.last=40000
/sbin/sysctl -w net.inet.tcp.delayed_ack=0
### Deny Redirects ###
/sbin/sysctl -w net.inet.icmp.drop_redirect=1
/sbin/sysctl -w net.inet.icmp.log_redirect=1
/sbin/sysctl -w net.inet.ip.redirect=0
#/sbin/sysctl -w net.inet6.ip6.redirect=0
### Deny Source Routing ###
/sbin/sysctl -w net.inet.ip.sourceroute=0
/sbin/sysctl -w net.inet.ip.accept_sourceroute=0
### Delete aged ARP ###
/sbin/sysctl -w net.link.ether.inet.max_age=1200
### Block SMURF attack ###
/sbin/sysctl -w net.inet.icmp.bmcastecho=0
### Block stealth port scans ###
/sbin/sysctl -w net.inet.tcp.blackhole=2
/sbin/sysctl -w net.inet.udp.blackhole=2
### Enable Firewall ###
ipfw add 1 allow gre from any to any frag
ipfw add 2 deny ip from any to any frag
ipfw add 3 deny ip from any to any ipoptions ssrr
ipfw add 3 deny ip from any to any ipoptions lsrr
ipfw add 12 allow all from my.personal.computer to me 22
ipfw add 12 deny all from any to me 22
ipfw add 20 allow tcp from 127.0.0.1 to 127.0.0.1 25
ipfw add 30 fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0
ipfw add 30 fwd 6.7.8.9,3128 tcp from any to any 80
ipfw add 40 allow icmp from my.personal.computer to me
ipfw add 40 deny icmp from any to me
(7.) Restart Squid and reload your firewall. If all goes well, you will have working WCCP2 on your FreeBSD box with Squid-2.6.STABLE13.
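Added example, not part of the original how-to: a POSIX sh pre-flight check that ties the three pieces of this procedure together (the WCCPv2-only Squid build, the wccp2 directives in squid.conf, and the gre0 tunnel peer), run here against constructed sample inputs; the exact formats of the squid -v and ifconfig output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original how-to): pre-flight checks for the Squid
# build, squid.conf and gre0 tunnel set up above. The inputs below are constructed
# so this runs offline; on a real box use "$(squid -v)", the real squid.conf and "$(ifconfig gre0)".

# Constructed `squid -v` output for a port built as in this how-to.
SQUID_V='Squid Cache: Version 2.6.STABLE13
configure options: --prefix=/usr/local --enable-ipfilter --enable-wccpv2'

# Constructed squid.conf fragment, same directives as the how-to.
SQUID_CONF='http_port 3128 transparent
wccp2_router 1.2.3.4
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0'

# Constructed `ifconfig gre0` output (exact flags are an assumption).
IFCONFIG_GRE='gre0: flags=9051<UP,POINTOPOINT,RUNNING,LINK2,MULTICAST> mtu 1476
        tunnel inet 6.7.8.9 --> 1.2.3.4
        inet 6.7.8.9 --> 10.20.30.40 netmask 0xffffffff'

# Squid must be built with WCCPv2 and without WCCPv1 (the how-to's warning).
check_squid_build() {
    case "$1" in
        *--enable-wccpv2*) ;;
        *) echo "squid lacks --enable-wccpv2"; return 1 ;;
    esac
    case "$1" in
        *"--enable-wccp "*|*--enable-wccp) echo "squid also has WCCPv1"; return 1 ;;
    esac
}

# The tunnel's remote endpoint, i.e. the router the GRE frames come from.
tunnel_peer() {
    printf '%s\n' "$1" | awk '/tunnel inet/ { print $5 }'
}

# squid.conf needs every wccp2 directive, and wccp2_router must equal the tunnel peer.
check_squid_conf() {
    for key in http_port wccp2_router wccp2_forwarding_method \
               wccp2_return_method wccp2_service; do
        printf '%s\n' "$1" | grep -q "^$key " || { echo "missing $key"; return 1; }
    done
    router=$(printf '%s\n' "$1" | awk '/^wccp2_router/ { print $2 }')
    [ "$router" = "$2" ] || { echo "wccp2_router $router != tunnel peer $2"; return 1; }
}

peer=$(tunnel_peer "$IFCONFIG_GRE")
check_squid_build "$SQUID_V" && check_squid_conf "$SQUID_CONF" "$peer" \
    && echo "WCCPv2 pre-flight OK: router $peer"
```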
I hope you find it helpful, and forgive me for being so "pocho".
Thanks to Tek Bahadur Limbu for writing the original how-to.