Configuring WCCPv2 with a Cisco 7206 router that has two network interfaces configured, using Squid-2.6.x and FreeBSD-6.x
Two months ago I posted the steps we followed to set this up when the router had only one IP address; now here are the steps for the case where the router has two IP addresses.
This how-to details the steps required to configure WCCP version 2 with a Cisco 7206 router using FreeBSD 6.x and Squid 2.6.STABLE13, based on the information in the page:
http://teklimbu.wordpress.com/2007/10/10/configuring-wccp2-on-a-cisco-36207206-router-with-squid-2616-running-on-freebsd-6x/.
NOTE: In that blog you will see the router configuration; I do not provide that information because I do not know that part.
----------------------------------------------------------------------------------
Notes:
Cisco's WCCP (Web Cache Communication Protocol) version 2 lets a router redirect web requests from clients to one or more Squid proxy servers. The redirected traffic gets web caching, filtering or other services from the proxies, which reduces transit costs and download times.
With WCCP we can build a "cache cluster" for load balancing, scaling and fault tolerance.
For example, with two proxy servers, if one goes down WCCP redirects client requests to the second, working one.
In the rare case where all of your proxy servers go down, WCCP detects that no cache is alive and the router simply forwards client web requests to their original destination.
Note: Only Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or Version 2 (WCCPv2) of WCCP.
---------------------------------------------------------------------------------
How do WCCP and transparent intercepting Squid caches work?
A client's web browser makes a request, which reaches the Cisco router.
The router intercepts the request (TCP port 80 for the standard "web-cache" service).
The router redirects the request to the cache inside a generic routing encapsulation (GRE) frame, so the original packet is carried unmodified.
A GRE tunnel interface on our FreeBSD Squid boxes has the Cisco 3620/7206 router as its remote endpoint.
All redirected requests from the router are encapsulated into the GRE tunnel towards our FreeBSD Squid caches.
The FreeBSD Squid box decapsulates the GRE traffic, and the original client packets come out of the gre0 interface.
Redirecting those packets to Squid's port is done transparently with FreeBSD IP forwarding and the IPFW firewall (the ipfw fwd action).
Squid pulls apart the request, then attempts to deliver the content either from the local cache or by fetching it directly from the origin server.
The content is then delivered back through the router to the originator (the client's browser).
---------------------------------------------------------------------------------
**************** (RE)INSTALLING SQUID ****************
First, recompile the squid port with the --enable-wccpv2 option and (re)install it. MAKE SURE WCCPv1 IS NOT IN USE: Squid 2.6 can have both protocol versions compiled in, but squid.conf must configure only one of them (wccp2_router for v2; never wccp_router, the v1 directive, at the same time).
cd /usr/ports/www/squid
make clean
make SQUID_CONFIGURE_ARGS="--prefix='/usr/local' --sbindir='/usr/local/sbin' --bindir='/usr/local/sbin' --datadir='/usr/local/etc/squid' --sysconfdir='/usr/local/etc/squid' --localstatedir='/usr/local/squid' --enable-removal-policies='lru heap' --enable-basic-auth-helpers='NCSA PAM MSNT SMB YP' --enable-auth='basic ntlm digest' --enable-digest-auth-helpers='password' --enable-external-acl-helpers='ip_user session unix_group wbinfo_group' --enable-ntlm-auth-helpers='SMB' --enable-storeio='ufs diskd null' --disable-ident-lookups --enable-kqueue --enable-default-err-language='English' --enable-underscores i386-portbld-freebsd6.1 --enable-snmp --enable-largefile --enable-ipfilter --enable-wccpv2"
make deinstall reinstall               # replace the squid already installed from the port
squid -v | grep -- --enable-wccpv2     # the configure options printed must include --enable-wccpv2
These are the next required steps:
(1.) Configure and compile the kernel
cd /usr/src/sys/i386/conf/
cp GENERIC SQUID_WCCP
vi SQUID_WCCP        # also change the "ident GENERIC" line to "ident SQUID_WCCP"
(2.) Copy and paste the following parameters:
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPFIREWALL_VERBOSE_LIMIT=500 #limit verbosity
options IPSTEALTH #support for stealth forwarding
options DUMMYNET
options NETGRAPH
options DEVICE_POLLING
options HZ=1000
We changed the following parameters to fit the 2 GB limit on the size of the squid process; I include them only so you can see the configuration used by the article's author.
options SHMSEG=128
options SHMMNI=256
options SHMMAX=50331648 # max shared memory segment size (bytes)
options SHMALL=16384 # max amount of shared memory (pages)
options MSGMNB=16384 # max # of bytes in a queue
options MSGMNI=48 # number of message queue identifiers
options MSGSEG=768 # number of message segments
options MSGSSZ=64 # size of a message segment
options MSGTQL=4096 # max messages in system
(3.) Configure and compile your new kernel
(a.) config SQUID_WCCP
(b.) cd ../compile/SQUID_WCCP/
(c.) make cleandepend
(d.) make depend
(e.) make
(f.) make install
(g.) reboot
If all goes well, your kernel has been compiled. Reboot with your new kernel.
(4.) Create the GRE tunnel on your FreeBSD-6.x box
PUBLIC.IP.OF.SQUID = 6.7.8.9
IP.OF.SQUID.BOX = 1.2.3.5
IP.OF.CISCO.ROUTER = 1.2.3.4
IP.OF.CISCO.LOOPBACK.ROUTER = 1.2.3.1
*** In these setups the address that stays as the "loopback" on the router has always been the lowest one. Whatever it is, the remote endpoint of the GRE tunnel must be the address the router actually sources its GRE packets from (its WCCP router ID): gre(4) only accepts GRE datagrams whose outer source and destination match the tunnel's remote and local addresses. Check with "tcpdump -ni <interface> ip proto 47" on the Squid box or "show ip wccp" on the router.
ifconfig gre0 create
ifconfig gre0 1.2.3.5 10.20.30.40 netmask 255.255.255.255 link2 tunnel 1.2.3.5 1.2.3.1 up
Pay attention to "link2" in the line above: it tells gre(4) to expect the WCCPv2 flavour of GRE (protocol type 0x883E with a 4-byte redirect header after the GRE header). Without it the redirect header is taken as the start of the inner IP header and the packets are silently discarded.
10.20.30.40 is a fake IP: the tunnel carries traffic in one direction only, so this address does not matter. See the Squid documentation at:
http://wiki.squid-cache.org/SquidFaq/InterceptionProxy,
"Since the WCCP/GRE tunnel is one-way, Squid never sends any packets to 10.20.30.40 and that particular address doesn't matter."
Add the following lines to /etc/rc.conf so the gre interface is brought up at boot. The tunnel endpoints must be the same as in the ifconfig command above (remote = the router's loopback/router ID, 1.2.3.1).
For two IPs on the router:
# begin rc.conf snippet
cloned_interfaces="gre0"
ifconfig_gre0="inet 1.2.3.5 10.20.30.40 netmask 255.255.255.255 link2 tunnel 1.2.3.5 1.2.3.1 up"
# end rc.conf snippet
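What the gre(4) interface does with the router's redirected packets, and why the tunnel endpoints and the link2 flag above matter, as an added example (Python written for this page; it is not code from the original post, from FreeBSD or from Squid). It builds a constructed WCCPv2-redirected packet (outer IP from the router ID 1.2.3.1 to 1.2.3.5, GRE with protocol type 0x883E, the 4-byte WCCP redirect header, then a client TCP SYN to an origin server) and decapsulates it the way gre(4) does: the outer source and destination must equal the configured tunnel remote and local addresses, and the redirect header is only skipped when link2 is set. Client and origin addresses are documentation-range placeholders; the redirect header is carried as four zero bytes and not interpreted.

```python
"""Model of what FreeBSD's gre(4) does with a WCCPv2-redirected packet (example for this page)."""
import socket
import struct

GRE_PROTO_IP = 0x0800       # plain GRE carrying IPv4
GRE_PROTO_WCCP = 0x883E     # GRE protocol type used by WCCP redirection
WCCP_REDIRECT_HDR_LEN = 4   # extra header WCCPv2 puts after GRE; gre(4) skips it only with link2


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_tcp_syn(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN header (checksum left zero; nothing here verifies it)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_wccp_gre(router_id: str, squid: str, inner: bytes) -> bytes:
    """What the router sends: outer IP (proto 47) + GRE(0x883E) + 4-byte redirect header + client packet.
    The redirect header is carried as four zero bytes; its bit layout is not interpreted here."""
    gre = struct.pack("!HH", 0, GRE_PROTO_WCCP)   # no C/R/K/S flags, GRE version 0
    return build_ipv4(router_id, squid, 47, gre + b"\x00" * WCCP_REDIRECT_HDR_LEN + inner)


def decapsulate(pkt: bytes, local: str, remote: str, link2: bool = True):
    """Return (inner_src, inner_dst, proto, sport, dport) for the packet gre0 hands to the IP stack,
    or None where gre(4)/ip_input would drop it:
      - outer source must equal the tunnel remote and outer destination the tunnel local address
        (gre(4) looks the interface up by that pair, so GRE from the router's other address is ignored);
      - with link2 the 4-byte WCCPv2 redirect header is skipped; without it gre(4) assumes WCCPv1,
        the 'inner IP header' starts at the redirect header and fails the version/checksum checks."""
    if len(pkt) < 28:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[0] >> 4 != 4 or pkt[9] != 47 or ip_checksum(pkt[:ihl]) != 0:
        return None
    if socket.inet_ntoa(pkt[12:16]) != remote or socket.inet_ntoa(pkt[16:20]) != local:
        return None
    gre_flags, gre_proto = struct.unpack("!HH", pkt[ihl:ihl + 4])
    off = ihl + 4
    if gre_flags & 0xF000 or gre_proto not in (GRE_PROTO_IP, GRE_PROTO_WCCP):
        return None
    if gre_proto == GRE_PROTO_WCCP and link2:
        off += WCCP_REDIRECT_HDR_LEN
    inner = pkt[off:total_len]
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    i_ihl = (inner[0] & 0x0F) * 4
    if ip_checksum(inner[:i_ihl]) != 0:
        return None
    sport, dport = struct.unpack("!HH", inner[i_ihl:i_ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), inner[9], sport, dport)


# Constructed sample traffic using this page's placeholder addresses: router ID 1.2.3.1,
# router interface 1.2.3.4, Squid tunnel side 1.2.3.5; client 192.0.2.10 and origin 198.51.100.7 are made up.
CLIENT_SYN = build_ipv4("192.0.2.10", "198.51.100.7", 6, build_tcp_syn(40000, 80))
FROM_ROUTER_ID = build_wccp_gre("1.2.3.1", "1.2.3.5", CLIENT_SYN)
FROM_OTHER_ROUTER_IP = build_wccp_gre("1.2.3.4", "1.2.3.5", CLIENT_SYN)

if __name__ == "__main__":
    print(decapsulate(FROM_ROUTER_ID, local="1.2.3.5", remote="1.2.3.1"))              # client SYN comes out of gre0
    print(decapsulate(FROM_OTHER_ROUTER_IP, local="1.2.3.5", remote="1.2.3.1"))        # None: wrong tunnel remote
    print(decapsulate(FROM_ROUTER_ID, local="1.2.3.5", remote="1.2.3.1", link2=False)) # None: header not skipped
```

The second and third calls are the two failure modes worth remembering: a tunnel whose remote is the router's interface address instead of its router ID, and a tunnel without link2. In both cases nothing errors out; the packets just never appear on gre0, which is exactly what tcpdump on gre0 will show you.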
(5.) Configure WCCP on your Squid box. Add/modify the following in your squid.conf:
http_port 127.0.0.1:3128 transparent   # interception port; only reached through the ipfw fwd rule
wccp2_router 1.2.3.4                   # Squid sends HERE_I_AM to every wccp2_router listed: both addresses of the router here
wccp2_router 1.2.3.1
wccp2_forwarding_method 1              # 1 = GRE (2 would be L2 rewrite)
wccp2_return_method 1                  # 1 = GRE
wccp2_service standard 0               # standard service 0 = the well-known "web-cache" service (TCP port 80)
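The control traffic this squid.conf produces, as an added example (Python written for this page, not Squid's code). Squid sends a HERE_I_AM datagram to UDP port 2048 of each wccp2_router; the message carries a security component, the service component ("standard 0"), the cache's identity, the cache's view of routers and caches, and a capability component in which wccp2_forwarding_method 1 and wccp2_return_method 1 appear as the GRE method values. The component layout follows the WCCPv2 draft as implemented in Squid's wccp2.c. The MD5 construction (8-byte zero-padded password prepended to the message with the digest field zeroed) is the one Squid uses when wccp2_service carries a password= option; the page's configuration has no password, so it is included only to show what the security component looks like with one.

```python
"""WCCPv2 HERE_I_AM as produced by the squid.conf above (example for this page, not Squid's code)."""
import hashlib
import hmac
import socket
import struct

WCCP2_PORT = 2048              # UDP port for WCCPv2 control messages
WCCP2_VERSION = 0x0200
WCCP2_HERE_I_AM = 10           # cache -> router
WCCP2_I_SEE_YOU = 11           # router -> cache
# component (TLV) types used in HERE_I_AM
SECURITY_INFO, SERVICE_INFO, WC_ID_INFO, WC_VIEW_INFO, CAPABILITY_INFO = 0, 1, 3, 5, 8
SECURITY_NONE, SECURITY_MD5 = 0, 1
WCCP2_PASSWORD_LEN = 8         # password is truncated/zero-padded to 8 bytes before hashing
CAP_FORWARDING, CAP_ASSIGNMENT, CAP_RETURN = 1, 2, 3
METHOD_GRE, METHOD_L2 = 1, 2   # values of wccp2_forwarding_method / wccp2_return_method
ASSIGN_HASH = 1


def component(ctype, body):
    return struct.pack("!HH", ctype, len(body)) + body


def service_info(service_id=0):
    """'wccp2_service standard 0': type 0 (standard), id 0; priority, protocol, flags and the
    eight port fields are zero because the well-known service defines them."""
    return component(SERVICE_INFO, struct.pack("!BBBBI8H", 0, service_id, 0, 0, 0, *([0] * 8)))


def cache_identity(cache_addr, weight=0):
    """Web-cache identity element: address, hash revision, flags, 32-byte bucket mask, weight, status."""
    return component(WC_ID_INFO, socket.inet_aton(cache_addr) + struct.pack("!HH", 0, 0)
                     + b"\x00" * 32 + struct.pack("!HH", weight, 0))


def cache_view(routers, caches, change_number=1):
    """Web-cache view: the routers this cache talks to (with the receive_id from their last
    I_SEE_YOU, 0 before the first one) and the caches it knows about."""
    body = struct.pack("!II", change_number, len(routers))
    for ip, receive_id in routers:
        body += socket.inet_aton(ip) + struct.pack("!I", receive_id)
    body += struct.pack("!I", len(caches))
    for ip in caches:
        body += socket.inet_aton(ip)
    return component(WC_VIEW_INFO, body)


def capabilities(forwarding=METHOD_GRE, assignment=ASSIGN_HASH, ret=METHOD_GRE):
    """Capability component: three 8-byte elements carrying the configured methods."""
    elems = ((CAP_FORWARDING, forwarding), (CAP_ASSIGNMENT, assignment), (CAP_RETURN, ret))
    return component(CAPABILITY_INFO, b"".join(struct.pack("!HHI", t, 4, v) for t, v in elems))


def wccp2_md5(password, msg_with_zeroed_digest):
    pwd = password.encode()[:WCCP2_PASSWORD_LEN].ljust(WCCP2_PASSWORD_LEN, b"\x00")
    return hashlib.md5(pwd + msg_with_zeroed_digest).digest()


def here_i_am(cache_addr, routers, password=None):
    """One HERE_I_AM datagram. The security component comes first, so with MD5 the 16-byte
    digest sits at offsets 16..32 and is computed over pwd(8) + the message with that field zeroed."""
    if password is None:
        sec = component(SECURITY_INFO, struct.pack("!I", SECURITY_NONE))
    else:
        sec = component(SECURITY_INFO, struct.pack("!I", SECURITY_MD5) + b"\x00" * 16)
    body = (sec + service_info(0) + cache_identity(cache_addr)
            + cache_view(routers, [cache_addr]) + capabilities())
    msg = struct.pack("!IHH", WCCP2_HERE_I_AM, WCCP2_VERSION, len(body)) + body
    if password is not None:
        msg = msg[:16] + wccp2_md5(password, msg) + msg[32:]
    return msg


def parse(msg, password=None):
    """Decode a HERE_I_AM (any message with these components); verify the MD5 when present."""
    mtype, version, length = struct.unpack("!IHH", msg[:8])
    if version != WCCP2_VERSION or length != len(msg) - 8:
        raise ValueError("bad WCCPv2 header")
    comps, off = {}, 8
    while off + 4 <= len(msg):
        ctype, clen = struct.unpack("!HH", msg[off:off + 4])
        comps[ctype] = msg[off + 4:off + 4 + clen]
        off += 4 + clen
    if struct.unpack("!I", comps[SECURITY_INFO][:4])[0] == SECURITY_MD5:
        if password is None:
            raise ValueError("peer requires MD5 security but no password is configured")
        expected = wccp2_md5(password, msg[:16] + b"\x00" * 16 + msg[32:])
        if not hmac.compare_digest(expected, msg[16:32]):
            raise ValueError("WCCPv2 MD5 check failed (wrong password)")
    svc, view, caps = comps[SERVICE_INFO], comps[WC_VIEW_INFO], comps[CAPABILITY_INFO]
    n_routers = struct.unpack("!I", view[4:8])[0]
    cap = {t: v for t, _, v in struct.iter_unpack("!HHI", caps)}
    return {"type": mtype, "service": ("standard" if svc[0] == 0 else "dynamic", svc[1]),
            "cache": socket.inet_ntoa(comps[WC_ID_INFO][:4]),
            "routers": [socket.inet_ntoa(view[8 + 8 * i:12 + 8 * i]) for i in range(n_routers)],
            "forwarding_method": cap[CAP_FORWARDING], "return_method": cap[CAP_RETURN]}


if __name__ == "__main__":
    # The page's configuration: cache 1.2.3.5, both router addresses listed as wccp2_router, no password.
    msg = here_i_am("1.2.3.5", [("1.2.3.4", 0), ("1.2.3.1", 0)])
    print(len(msg), "bytes to UDP/%d:" % WCCP2_PORT, parse(msg))
```

With two wccp2_router lines Squid sends this datagram to both 1.2.3.4 and 1.2.3.1; the router answers with I_SEE_YOU from its router ID, and only then does it start redirecting over GRE. If you ever add password= to wccp2_service, the same password must be set on the router side, otherwise each side silently discards the other's messages.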
(6.) Create the firewall rules that redirect web requests to Squid's port 3128 via the GRE tunnel.
rc.local file for two IPs on the router and WCCPv2:
### Increase TCP window ###
/sbin/sysctl -w net.inet.tcp.sendspace=32768
/sbin/sysctl -w net.inet.tcp.recvspace=65536
/sbin/sysctl -w net.inet.tcp.local_slowstart_flightsize=4
### Connection backlog, ephemeral port range, delayed ACK (tuning; these do not block SYN floods) ###
/sbin/sysctl -w kern.ipc.somaxconn=1024
/sbin/sysctl -w net.inet.ip.portrange.last=40000
/sbin/sysctl -w net.inet.tcp.delayed_ack=0
### Deny Redirects ###
/sbin/sysctl -w net.inet.icmp.drop_redirect=1
/sbin/sysctl -w net.inet.icmp.log_redirect=1
/sbin/sysctl -w net.inet.ip.redirect=0
#/sbin/sysctl -w net.inet6.ip6.redirect=0
### Deny Source Routing ###
/sbin/sysctl -w net.inet.ip.sourceroute=0
/sbin/sysctl -w net.inet.ip.accept_sourceroute=0
### ARP cache entry lifetime (seconds) ###
/sbin/sysctl -w net.link.ether.inet.max_age=1200
### Do not answer broadcast/multicast echo requests (smurf amplification) ###
/sbin/sysctl -w net.inet.icmp.bmcastecho=0
### Drop packets to closed ports silently instead of answering with RST/ICMP unreachable ###
/sbin/sysctl -w net.inet.tcp.blackhole=2
/sbin/sysctl -w net.inet.udp.blackhole=2
### Firewall rules ###
ipfw -f flush                                        # start empty so re-running this file does not duplicate rules
ipfw add 1 allow gre from any to any frag            # non-first fragments are accepted only for GRE (large redirected packets)
ipfw add 2 deny ip from any to any frag              # every other non-first fragment is dropped
ipfw add 3 deny ip from any to any ipoptions ssrr    # no strict or loose source routing
ipfw add 3 deny ip from any to any ipoptions lsrr
ipfw add 12 allow all from my.personal.computer to me 22   # SSH only from the admin host
ipfw add 12 deny all from any to me 22
ipfw add 14 allow tcp from 6.7.8.9 to any            # Squid's own outbound fetches; must come BEFORE rule 15 or its port-80 connections would be forwarded back to Squid itself
ipfw add 14 allow all from any to any via lo0
ipfw add 15 fwd 127.0.0.1,3128 tcp from any to any 80 recv gre0   # client requests decapsulated from the GRE tunnel go to Squid
ipfw add 15 fwd 127.0.0.1,3128 tcp from any to any 80             # catch-all for any other port-80 traffic passing through the box
ipfw add 16 allow udp from my.personal.computer to me 161         # SNMP only from the admin host
ipfw add 17 allow icmp from my.personal.computer to me
ipfw add 17 deny icmp from any to me
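How ipfw walks the ruleset above, as an added example (a Python model written for this page; it is not ipfw, and it only knows the match keywords this ruleset uses). It encodes the rules in evaluation order and runs constructed packets through them: a client request decapsulated from gre0, one of Squid's own fetches to an origin server, the origin's reply, and the router's GRE datagram itself. The last two fall through to rule 65535, which is why the kernel's default policy decides whether this setup works at all. 'my.personal.computer' is given a documentation-range address; Squid's addresses are the page's placeholders, and the interface names are assumed.

```python
"""First-match walk through the ipfw ruleset above (simplified model for this page; not ipfw)."""
from dataclasses import dataclass

ME = {"1.2.3.5", "6.7.8.9", "127.0.0.1"}   # 'me': the page's two Squid addresses plus loopback (assumption)
ADMIN = "203.0.113.9"                      # stands in for 'my.personal.computer' (constructed)


@dataclass
class Packet:
    proto: str            # "tcp", "udp", "icmp", "gre"
    src: str
    dst: str
    dport: int = 0
    recv: str = None      # interface the packet arrived on; None for locally generated (outbound) packets
    frag: bool = False    # ipfw 'frag': a non-first fragment
    ipoptions: tuple = ()


def rule(num, action, proto="ip", src="any", dst="any", dport=None, recv=None, frag=False, ipoptions=None):
    return dict(num=num, action=action, proto=proto, src=src, dst=dst, dport=dport,
                recv=recv, frag=frag, ipoptions=ipoptions)


# The page's rc.local rules in the order ipfw evaluates them (by number, then insertion order).
RULESET = [
    rule(1, "allow", "gre", frag=True),
    rule(2, "deny", frag=True),
    rule(3, "deny", ipoptions="ssrr"),
    rule(3, "deny", ipoptions="lsrr"),
    rule(12, "allow", src=ADMIN, dst="me", dport=22),
    rule(12, "deny", dst="me", dport=22),
    rule(14, "allow", "tcp", src="6.7.8.9"),
    rule(14, "allow", recv="lo0"),              # 'via lo0'; this model only looks at the receive side
    rule(15, "fwd 127.0.0.1,3128", "tcp", dport=80, recv="gre0"),
    rule(15, "fwd 127.0.0.1,3128", "tcp", dport=80),
    rule(16, "allow", "udp", src=ADMIN, dst="me", dport=161),
    rule(17, "allow", "icmp", src=ADMIN, dst="me"),
    rule(17, "deny", "icmp", dst="me"),
]


def addr_matches(pattern, addr):
    return pattern == "any" or (pattern == "me" and addr in ME) or pattern == addr


def rule_matches(r, p):
    if r["proto"] not in ("ip", "all") and r["proto"] != p.proto:
        return False
    if not (addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)):
        return False
    if r["dport"] is not None and r["dport"] != p.dport:
        return False
    if r["recv"] is not None and r["recv"] != p.recv:
        return False
    if r["frag"] and not p.frag:
        return False
    if r["ipoptions"] is not None and r["ipoptions"] not in p.ipoptions:
        return False
    return True


def evaluate(p, default_accept, ruleset=RULESET):
    """Return (rule number, action) of the first match. 65535 is the kernel's default rule:
    'allow' only when the kernel was built with options IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for r in ruleset:
        if rule_matches(r, p):
            return r["num"], r["action"]
    return 65535, "allow" if default_accept else "deny"


# Constructed traffic: client 192.0.2.10, origin server 198.51.100.7, router ID 1.2.3.1; em0/em1 are assumed names.
CLIENT_REQUEST = Packet("tcp", "192.0.2.10", "198.51.100.7", dport=80, recv="gre0")  # decapsulated by gre0
SQUID_FETCH = Packet("tcp", "6.7.8.9", "198.51.100.7", dport=80)                    # Squid's own outbound connection
ORIGIN_REPLY = Packet("tcp", "198.51.100.7", "6.7.8.9", dport=50000, recv="em0")     # reply to that connection
ROUTER_GRE = Packet("gre", "1.2.3.1", "1.2.3.5", recv="em1")                        # the redirect itself, unfragmented

if __name__ == "__main__":
    for name, p in [("client request", CLIENT_REQUEST), ("squid fetch", SQUID_FETCH),
                    ("origin reply", ORIGIN_REPLY), ("router GRE", ROUTER_GRE)]:
        print(name, evaluate(p, default_accept=True), evaluate(p, default_accept=False))
    without_14 = [r for r in RULESET if r["num"] != 14]
    print("squid fetch without rule 14:", evaluate(SQUID_FETCH, True, without_14))  # forwarded back to Squid itself
```

Two things the run makes visible. Rule 14 is what keeps Squid's own port-80 fetches out of the fwd rule; remove it and the model forwards them to 127.0.0.1:3128, i.e. Squid talking to itself. And neither the router's GRE datagrams nor the replies to Squid's connections match any rule, so they live or die by rule 65535.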
(7.) Restart Squid and reload your firewall. If all goes well, you will have a working WCCPv2 on your FreeBSD box with Squid-2.6.STABLE13.
Two checks before calling it done. First, the default policy: the deny rules at 12 and 17 only make sense when the final rule 65535 accepts, and nothing in the list above explicitly allows the router's GRE datagrams (rule 1 covers only fragments) or the replies to Squid's own outbound connections. Run "ipfw show" and look at rule 65535: if it reads "deny ip from any to any" (a kernel built without options IPFIREWALL_DEFAULT_TO_ACCEPT), WCCP traffic never reaches gre0 and you must add the allow rules you need. An accept-by-default policy with a handful of deny rules is a weak posture for a box with a public address, so prefer adding explicit allows and keeping the default deny. Second, the redirection itself: "show ip wccp" on the router should list the cache as seen, "tcpdump -ni gre0 tcp port 80" on the Squid box should show client requests arriving, and the counters of rule 15 in "ipfw show" should be increasing.
I hope this helps, and sorry for being so "pocho" (mixing Spanish and English).
Thanks to Tek Bahadur Limbu for writing the original how-to.