Set Up Squid Siblings On CentOS 6.3 With WCCP

http://techsupportpk.blogspot.com/2013/05/set-up-squid-siblings-on-centos-63-with.html

This tutorial will help you set up a pair of outbound Squid proxy sibling servers running on CentOS 6.3 and connect them to your gateway using WCCP.

1. Prerequisites

You have a Cisco gateway that supports WCCP.

2. Preliminary notes

  • The DNS domain in this tutorial will be example.com
  • Server 1 is named proxy1.example.com with an IP of 172.22.16.2
  • Server 2 is named proxy2.example.com with an IP of 172.22.16.3
  • Local DNS with an address of 172.22.16.4
  • The Gateway address is 172.22.16.254
  • The install media used is CentOS 6.3 minimal

3. CentOS setup

First off we need to install CentOS on both servers. Configure the drive(s) any way you like, as long as you leave enough free space for Squid to run properly. Once the minimal install is complete, configure network connectivity on both servers.

proxy1.example.com

vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPADDR="172.22.16.2"
NETMASK="255.255.255.0"
GATEWAY="172.22.16.254"

proxy2.example.com

vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPADDR="172.22.16.3"
NETMASK="255.255.255.0"
GATEWAY="172.22.16.254"

Both servers

vi /etc/resolv.conf
domain example.com
search example.com
nameserver 172.22.16.4

If you are not running a local DNS server or you cannot register your server addresses then you will need to program the hosts file on each server. If you can register the server eth0 addresses with the DNS, do it now and skip coding the hosts file.

/etc/hosts

127.0.0.1  localhost 
172.22.16.2  proxy1.example.com
172.22.16.3  proxy2.example.com
 
Next get your system current
yum update

And install the basic packages that will be used.
yum install nano squid

I use vi as the primary text editor from this point on, but you can use whichever text editor you prefer.

4. Squid setup

Now that we have the basic servers set up, updated, and our software installed, let's get our Squid siblings talking and ready to take some traffic. Start with the squid.conf file

vi /etc/squid/squid.conf

#Set ACL for Squid siblings
acl squidPeers src 172.22.16.2/32
acl squidPeers src 172.22.16.3/32
http_port 3128 transparent
wccp2_router 172.22.16.254
wccp_version 4
wccp2_service standard 0
#Set WCCP to use GRE
wccp2_forwarding_method 1
wccp2_return_method 1
#ICP options
icp_port 3130
icp_access allow squidPeers
#Set Squid siblings
cache_peer <sibling-hostname> sibling 3128 3130 proxy-only

Replace <sibling-hostname> with the name of the other server. For example, the line on proxy1.example.com would read:
cache_peer proxy2.example.com sibling 3128 3130 proxy-only
 

5. Network

The basic configuration for your local IP communication should already be complete; if it weren't, the yum update and installs above would not have worked. This section covers setting up the GRE tunnel so that Squid can communicate with the gateway properly.

For the tunnel to be added properly we first need to modify one of the network interface initialization scripts: add the LOCAL_DEVICE (dev) option to the ip tunnel add command so the tunnel can be bound to eth0.
 
On both servers
vi /etc/sysconfig/network-scripts/ifup-tunnel

# Create the tunnel
# The outer addresses are those of the underlying (public) network.
/sbin/ip tunnel add "$DEVICE" mode "$MODE" \
    ${MY_OUTER_IPADDR:+local "$MY_OUTER_IPADDR"} \
    ${PEER_OUTER_IPADDR:+remote "$PEER_OUTER_IPADDR"} \
    ${LOCAL_DEVICE:+dev "$LOCAL_DEVICE"} \
    ${KEY:+key "$KEY"} ${TTL:+ttl "$TTL"}

With that modification we can now create the GRE interface script
On proxy1.example.com

vi /etc/sysconfig/network-scripts/ifcfg-gre1
DEVICE="gre1"
TYPE="GRE"
DEVICETYPE="tunnel"
ONBOOT="yes"
MY_INNER_IPADDR="172.22.254.2/24"
MY_OUTER_IPADDR="172.22.88.2"
PEER_OUTER_IPADDR="172.22.254.1"
MTU="1476"
LOCAL_DEVICE="eth0"

The configuration on proxy2.example.com is nearly identical.
On proxy2.example.com

scp proxy1.example.com:/etc/sysconfig/network-scripts/ifcfg-gre1 /etc/sysconfig/network-scripts/ifcfg-gre1

vi /etc/sysconfig/network-scripts/ifcfg-gre1
MY_INNER_IPADDR="172.22.254.3/24"
MY_OUTER_IPADDR="172.22.88.3"
PEER_OUTER_IPADDR="172.22.254.1"

PEER_OUTER_IPADDR is the router identifier. On the Cisco gateway this is the first IP programmed in the config. You can easily discover this router ID by running

show ip wccp

Now we have to relax the kernel's reverse-path filter so that GRE packets arriving on eth0 are not discarded. Add the following lines to the sysctl configuration file.

On both servers
nano /etc/sysctl.conf

net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.gre1.rp_filter = 0
 

6. IPTables

Now we need to make sure not only that our Squid systems can communicate with each other and the network, but also that the HTTP traffic reaches the right port.

On both servers
vi /etc/sysconfig/iptables

Under the filter table add the following
 
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT 
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT 
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT

Now add a nat table to the configuration to direct the web traffic to the Squid port.

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
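As an added check that is not part of the tutorial, the following POSIX shell script verifies the squid.conf, sysctl.conf and iptables fragments from sections 4 to 6 against the settings shown above, catching the slips that most often break this setup (an acl line without the src keyword, the wrong sysctl key, ICP opened to everyone, a REDIRECT rule not limited to the GRE tunnel). The check_* function names, the temporary working directory and the sample files it writes are my own constructions.

```shell
#!/bin/sh
# Added example, not part of the tutorial: each check_* function takes a
# file path and returns 0 when the expected lines are present, 1 otherwise.
# The sample files written at the bottom are constructed for this demo.

check_squid_conf() {
    f=$1
    # interception port and WCCPv2 router must be present
    grep -Eq '^http_port[[:space:]]+3128[[:space:]]+(transparent|intercept)' "$f" || return 1
    grep -Eq '^wccp2_router[[:space:]]+[0-9.]+' "$f" || return 1
    # every squidPeers acl line needs the 'src' type; without it squid refuses to start
    grep -Eq '^acl[[:space:]]+squidPeers[[:space:]]+src[[:space:]]' "$f" || return 1
    if grep -E '^acl[[:space:]]+squidPeers' "$f" | grep -Evq '[[:space:]]src[[:space:]]'; then return 1; fi
    # ICP stays limited to the sibling ACL; 'allow all' would open the cache to anyone
    grep -Eq '^icp_access[[:space:]]+allow[[:space:]]+squidPeers' "$f" || return 1
    if grep -Eq '^icp_access[[:space:]]+allow[[:space:]]+all' "$f"; then return 1; fi
    return 0
}

check_sysctl() {
    f=$1
    # reverse-path filtering must be off on the NIC receiving GRE and on the tunnel itself
    grep -Eq '^net\.ipv4\.conf\.eth0\.rp_filter[[:space:]]*=[[:space:]]*0' "$f" || return 1
    grep -Eq '^net\.ipv4\.conf\.gre1\.rp_filter[[:space:]]*=[[:space:]]*0' "$f" || return 1
}

check_iptables() {
    f=$1
    # WCCP control (2048/udp), proxy (3128/tcp) and ICP (3130/udp) must be accepted
    for rule in 'udp --dport 2048' 'tcp --dport 3128' 'udp --dport 3130'; do
        grep -Eq -- "^-A INPUT .*$rule -j ACCEPT" "$f" || return 1
    done
    # only traffic arriving over the GRE tunnel may be redirected into the intercept port
    grep -Eq -- '^-A PREROUTING -i gre1 .*--dport 80 -j REDIRECT --to-ports 3128' "$f" || return 1
}

# constructed samples: a correct set, plus a squid.conf with the typical mistakes
WORK=$(mktemp -d)
printf '%s\n' 'acl squidPeers src 172.22.16.2/32' 'acl squidPeers src 172.22.16.3/32' \
    'http_port 3128 transparent' 'wccp2_router 172.22.16.254' 'icp_port 3130' \
    'icp_access allow squidPeers' >"$WORK/squid.conf"
printf '%s\n' 'acl squidPeers 172.22.16.2/32' 'http 3128 transparent' \
    'wccp2_router 172.22.16.254' 'icp_access allow all' >"$WORK/squid-bad.conf"
printf '%s\n' 'net.ipv4.conf.eth0.rp_filter = 0' 'net.ipv4.conf.gre1.rp_filter = 0' >"$WORK/sysctl.conf"
printf '%s\n' '-A INPUT -m udp -p udp --dport 2048 -j ACCEPT' '-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT' \
    '-A INPUT -m udp -p udp --dport 3130 -j ACCEPT' \
    '-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128' >"$WORK/iptables"
check_squid_conf "$WORK/squid.conf" && check_sysctl "$WORK/sysctl.conf" && check_iptables "$WORK/iptables" && echo "all fragments ok"
check_squid_conf "$WORK/squid-bad.conf" || echo "squid-bad.conf rejected as expected"
```

On a live server, point the functions at /etc/squid/squid.conf, /etc/sysctl.conf and /etc/sysconfig/iptables instead of the sample files.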
 

7. Server wrap up

The last thing to do on the server is ensure that everything will startup again on its own in the case of a system reboot.
 
On both servers 

chkconfig --level 235 squid on

At this point restart the server and ensure that everything has started up properly.
First we'll check that Squid is running
/etc/init.d/squid status

squid is running (pid xxxxxx)

Next ensure the IP tunnel was created successfully
ip tunnel

On proxy1.example.com

gre0:  gre/ip  remote any  local any  ttl  inherit  nopmtudisc
gre1: gre/ip  remote 172.22.254.1  local 172.22.88.2  dev eth0 ttl inherit

On proxy2.example.com

gre0:  gre/ip  remote any  local any  ttl  inherit  nopmtudisc
gre1: gre/ip  remote 172.22.254.1  local 172.22.88.3  dev eth0 ttl inherit
 
ifconfig gre1 | grep inet
 
On proxy1.example.com
 
inet addr:172.22.254.2  P-t-P:172.22.254.2  Mask:255.255.255.0
 
On proxy2.example.com
 
inet addr:172.22.254.3  P-t-P:172.22.254.3  Mask:255.255.255.0
 
Tunnels are up and squid is running. Time to get some traffic directed at the new proxies.

8. Cisco setup

The configuration on the Cisco gateway is very simple; thanks to the nature of WCCP it is minimal. First off, create an access-list for the Squid peers and attach it to the web-cache group. Enter configure mode on the Cisco

access-list 10 permit 172.22.88.2
access-list 10 permit 172.22.88.3
ip wccp web-cache group-list 10
 
Next create the redirect rule. This configuration will direct the entire subnet through the Squid systems, but we have to exclude the Squid servers themselves to avoid creating a loop.
access-list 120 remark ACL for WCCP proxy
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 172.22.88.2
access-list 120 deny ip host 172.22.88.3
access-list 120 remark Proxy LAN clients port 80 only
access-list 120 permit tcp 172.22.88.0 0.0.0.255 any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
ip wccp web-cache redirect-list 120
 
Before we turn the redirect on on an interface, make sure that the Squid proxies are advertising their presence to the gateway. Exit from configure mode on the Cisco and run the following
 
show ip wccp web-cache detail
 
You should see both servers listed and available.
Enter configure mode again and turn on the web-cache for the subnet. The LAN interface in this case is GigabitEthernet 0/0 on VLAN 5.
interface GigabitEthernet0/0.5

ip wccp web-cache redirect in

That’s it. You’re done.
For a quick test: open up a web page from a system that goes through the gateway handling WCCP. You should see the traffic registered in the Squid access log.

 tail /var/log/squid/access.log
 