This tutorial walks through setting up a pair of outbound Squid proxy siblings running on CentOS 6.3 and connecting them to your gateway with WCCP, so that client port 80 traffic is transparently redirected to the proxies over GRE.
1. Prerequisites
You have a Cisco gateway that supports WCCP (version 2).
2. Preliminary notes
- The DNS domain in this will be example.com
- Server 1 is named proxy1.example.com with an IP of 172.22.16.2
- Server 2 is named proxy2.example.com with an IP of 172.22.16.3
- Local DNS with an address of 172.22.16.4
- The Gateway address is 172.22.16.254
- The install media used is CentOS 6.3 minimal
3. CentOS setup
First off we need to install CentOS on both servers. Configure the drive(s) any way you like, as long as you leave enough free space for Squid's cache to run properly. Once the minimal install is complete, configure network connectivity on both servers.
proxy1.example.com
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPADDR="172.22.16.2"
NETMASK="255.255.255.0"
GATEWAY="172.22.16.254"
proxy2.example.com
vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
IPADDR="172.22.16.3"
NETMASK="255.255.255.0"
GATEWAY="172.22.16.254"
Both servers
vi /etc/resolv.conf
domain example.com
search example.com
nameserver 172.22.16.4
If you are not running a local DNS server, or you cannot register your server addresses in it, you will need to populate the hosts file on each server. If you can register the eth0 addresses in DNS, do that now and skip the hosts file. Either way, each proxy must be able to resolve its sibling's name, because the cache_peer line in the Squid configuration uses the hostname.
/etc/hosts
127.0.0.1 localhost
172.22.16.2 proxy1.example.com
172.22.16.3 proxy2.example.com
Next, bring the system current and install Squid
yum update
yum install nano squid
vi is used as the text editor from this point on, but use whichever editor you prefer.
4. Squid setup
Now that the basic servers are set up, updated and have the software installed, let's get the Squid siblings talking and ready to take traffic. Start with the squid.conf file.
vi /etc/squid/squid.conf
#Set ACL for Squid siblings (an acl needs a type; src matches the peer's source address)
acl squidPeers src 172.22.16.2/32
acl squidPeers src 172.22.16.3/32
#Intercept port; the NAT rule in section 6 sends port 80 traffic from the tunnel here
http_port 3128 transparent
#WCCPv2 registration with the gateway (wccp_version only applies to the WCCPv1
#wccp_router directive and is harmless here)
wccp2_router 172.22.16.254
wccp_version 4
wccp2_service standard 0
#Set WCCP to use GRE for forwarding and return (1 = GRE, 2 = L2)
wccp2_forwarding_method 1
wccp2_return_method 1
#ICP options, restricted to the siblings
icp_port 3130
icp_access allow squidPeers
#Set Squid siblings
cache_peer <sibling hostname> sibling 3128 3130 proxy-only
Replace <sibling hostname> with the other proxy. For example, the line on proxy1.example.com reads:
cache_peer proxy2.example.com sibling 3128 3130 proxy-only
Two things to check before moving on. First, the stock CentOS squid.conf already contains "acl localnet src 172.16.0.0/12" and "http_access allow localnet", which covers clients on 172.22.16.0/24; if your clients live elsewhere, add them, or the redirected requests will be denied. Second, WCCPv2 registration is unauthenticated unless a shared secret is set, so any host that can reach the gateway could register itself as a cache and receive the redirected traffic. If your IOS supports it, set "ip wccp web-cache password <secret>" on the gateway and use "wccp2_service standard 0 password=<secret>" here instead of the bare wccp2_service line.
5. Network
The basic configuration for local IP communication should already be complete; if it weren't, the yum update and installs above would not have worked. This section covers setting up the GRE tunnel that the gateway uses to hand redirected packets to Squid. For the tunnel to be added properly, we first need to modify one of the network initialization scripts.
On both servers
vi /etc/sysconfig/network-scripts/ifup-tunnel
Find the "ip tunnel add" call and add the LOCAL_DEVICE line so that the tunnel is bound to eth0; the rest of the call stays as shipped:
# Create the tunnel
# The outer addresses are those of the underlying (public) network.
/sbin/ip tunnel add "$DEVICE" mode "$MODE" \
    ${MY_OUTER_IPADDR:+local "$MY_OUTER_IPADDR"} \
    ${PEER_OUTER_IPADDR:+remote "$PEER_OUTER_IPADDR"} \
    ${LOCAL_DEVICE:+dev "$LOCAL_DEVICE"} \
    ${KEY:+key "$KEY"} ${TTL:+ttl "$TTL"}
With that modification in place we can now create the GRE interface script. MY_OUTER_IPADDR is the server's own eth0 address and PEER_OUTER_IPADDR is the gateway's WCCP router identifier (see below). The MTU of 1476 leaves room for the 24 bytes of GRE and outer IP header inside a 1500 byte Ethernet frame.
On proxy1.example.com
vi /etc/sysconfig/network-scripts/ifcfg-gre1
DEVICE="gre1"
TYPE="GRE"
DEVICETYPE="tunnel"
ONBOOT="yes"
MY_INNER_IPADDR="172.22.254.2/24"
MY_OUTER_IPADDR="172.22.16.2"
PEER_OUTER_IPADDR="172.22.254.1"
MTU="1476"
LOCAL_DEVICE="eth0"
The configuration on proxy2.example.com is nearly identical: copy the file and change the two addresses that belong to this node.
On proxy2.example.com
scp proxy1.example.com:/etc/sysconfig/network-scripts/ifcfg-gre1 /etc/sysconfig/network-scripts/ifcfg-gre1
vi /etc/sysconfig/network-scripts/ifcfg-gre1
MY_INNER_IPADDR="172.22.254.3/24"
MY_OUTER_IPADDR="172.22.16.3"
PEER_OUTER_IPADDR="172.22.254.1"
PEER_OUTER_IPADDR is the gateway's WCCP router identifier, which is not necessarily the gateway address the clients use: IOS picks the highest IP address configured on the router (the highest loopback address if any loopbacks exist), and the GRE packets carrying redirected traffic are sourced from it. Confirm it on the Cisco with
show ip wccp
and use the value shown as "Router Identifier".
Next, relax the kernel's reverse-path filter so that the decapsulated client packets are not discarded: they arrive on gre1, but the route back to the clients points out eth0, so strict reverse-path filtering would drop them. Add the following lines to the sysctl configuration.
On both servers
vi /etc/sysctl.conf
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.gre1.rp_filter = 0
The kernel uses the larger of net.ipv4.conf.all.rp_filter and the per-interface value, so check that "all" is not set to 1 (sysctl net.ipv4.conf.all.rp_filter), otherwise these two lines have no effect. Apply with sysctl -p after gre1 is up; the gre1 key only exists while the interface does. Be aware that this disables a spoofing defence on eth0, so keep the firewall rules in the next section as tight as your network allows.
6. IPTables
Now we need to make sure not only that the Squid systems can talk to each other and to the gateway, but that the intercepted HTTP traffic reaches the right port. The stock CentOS ruleset ends with a REJECT, so the GRE packets from the router (IP protocol 47), the WCCP control messages (UDP 2048), the proxy port and ICP all need explicit ACCEPT rules.
On both servers
vi /etc/sysconfig/iptables
Under the filter table add the following, before the final REJECT rule
-A INPUT -p gre -j ACCEPT
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT
Restricting these rules with -s to the router identifier, the gateway address and the sibling proxy is worthwhile, since the reverse-path filter has just been relaxed on eth0.
Now add a nat table to direct the web traffic arriving over the tunnel to the Squid port.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
7. Server wrap up
The last thing to do on the servers is to ensure that everything starts again on its own after a reboot.
On both servers
chkconfig --level 235 squid on
At this point reboot the server and check that everything has come up properly.
First we check that Squid is running
/etc/init.d/squid status
squid is running (pid xxxxxx)
Then that the tunnel exists and is bound to the right local address (note that the local address differs per node; a copied ifcfg-gre1 that still carries the other node's address is the usual mistake here)
ip tunnel show
On proxy1.example.com
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.22.254.1 local 172.22.16.2 dev eth0 ttl inherit
On proxy2.example.com
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 172.22.254.1 local 172.22.16.3 dev eth0 ttl inherit
ifconfig gre1 | grep inet
On proxy1.example.com
inet addr:172.22.254.2 P-t-P:172.22.254.2 Mask:255.255.255.0
On proxy2.example.com
inet addr:172.22.254.3 P-t-P:172.22.254.3 Mask:255.255.255.0
Tunnels are up and Squid is running. Time to get some traffic directed at the new proxies.
8. Cisco setup
The configuration on the Cisco gateway is simple; WCCP keeps it minimal. First create an access-list for the Squid peers and attach it to the web-cache service as its group-list, so that only these two hosts are accepted as caches. Enter configure mode on the Cisco
access-list 10 permit 172.22.16.2
access-list 10 permit 172.22.16.3
ip wccp web-cache group-list 10
Next create the redirect rule. This configuration directs the entire subnet through the Squid systems, but the Squid servers themselves must be excluded, otherwise their own outbound fetches would be redirected straight back to them and loop.
access-list 120 remark ACL for WCCP proxy
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 172.22.16.2 any
access-list 120 deny ip host 172.22.16.3 any
access-list 120 remark Proxy LAN clients port 80 only
access-list 120 permit tcp 172.22.16.0 0.0.0.255 any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
ip wccp web-cache redirect-list 120
Before turning redirection on for an interface, make sure the Squid proxies are advertising themselves to the gateway. Exit configure mode on the Cisco and run
show ip wccp web-cache detail
Both servers should be listed and usable.
Enter configure mode again and turn on web-cache redirection for the subnet. The LAN interface in this case is the VLAN 5 subinterface of GigabitEthernet 0/0.
interface GigabitEthernet0/0.5
ip wccp web-cache redirect in
For a quick test, open a web page from a system that goes through the gateway handling WCCP. You should see the request in the Squid access log.
tail /var/log/squid/access.log
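As an added example, not part of the original tutorial, the following POSIX shell functions render the per-node pieces of this setup from a few variables and check the output of "ip tunnel show" from section 7, so that proxy1 and proxy2 differ only in their arguments and a wrong local tunnel address is caught before the gateway is touched. It assumes the addresses used throughout the tutorial (gateway 172.22.16.254, router identifier 172.22.254.1, proxies 172.22.16.2 and 172.22.16.3). The source-restricted iptables rules are this example's hardening, not the tutorial's own rules.

```shell
#!/bin/sh
# Added example: render per-node configuration for the Squid/WCCP siblings
# and sanity-check the GRE tunnel. Not code from the original tutorial.
# Assumed addresses (constructed to match the tutorial): gateway 172.22.16.254,
# WCCP router ID 172.22.254.1, proxies 172.22.16.2 and 172.22.16.3.

# render_gre_ifcfg NODE_IP ROUTER_ID INNER_IP
#   Prints ifcfg-gre1 for one node. NODE_IP is the node's own eth0 address,
#   ROUTER_ID the "Router Identifier" from "show ip wccp" on the Cisco.
render_gre_ifcfg() {
cat <<EOF
DEVICE="gre1"
TYPE="GRE"
DEVICETYPE="tunnel"
ONBOOT="yes"
MY_INNER_IPADDR="$3/24"
MY_OUTER_IPADDR="$1"
PEER_OUTER_IPADDR="$2"
MTU="1476"
LOCAL_DEVICE="eth0"
EOF
}

# render_iptables GATEWAY_IP ROUTER_ID SIBLING_IP
#   Prints INPUT rules for /etc/sysconfig/iptables, restricted by source so
#   that relaxing rp_filter does not leave GRE, WCCP and ICP open to every
#   host that can reach eth0 (hardening added by this example). GRE arrives
#   from the router ID; WCCP control is allowed from both router addresses.
render_iptables() {
cat <<EOF
-A INPUT -s $2 -p gre -j ACCEPT
-A INPUT -s $1 -p udp -m udp --dport 2048 -j ACCEPT
-A INPUT -s $2 -p udp -m udp --dport 2048 -j ACCEPT
-A INPUT -i gre1 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s $3 -p tcp -m tcp --dport 3128 -j ACCEPT
-A INPUT -s $3 -p udp -m udp --dport 3130 -j ACCEPT
EOF
}

# render_cisco_redirect_acl ACL LAN_NET LAN_WILDCARD PROXY_IP...
#   Prints the IOS redirect-list: every proxy is denied first (loop
#   avoidance), then the LAN is permitted for port 80 only, then all else.
render_cisco_redirect_acl() {
  acl=$1 net=$2 wild=$3
  shift 3
  printf 'access-list %s remark Squid proxies bypass WCCP\n' "$acl"
  for p in "$@"; do
    printf 'access-list %s deny ip host %s any\n' "$acl" "$p"
  done
  printf 'access-list %s permit tcp %s %s any eq 80\n' "$acl" "$net" "$wild"
  printf 'access-list %s deny ip any any\n' "$acl"
}

# check_tunnel_local NODE_IP "OUTPUT_OF_ip_tunnel_show"
#   Returns 0 only if gre1 exists and its local (outer) address is NODE_IP,
#   which catches an ifcfg-gre1 copied from the other node and left unedited.
check_tunnel_local() {
  ip_re=$(printf '%s' "$1" | sed 's/\./\\./g')
  printf '%s\n' "$2" | grep -Eq "^gre1: gre/ip +remote [0-9.]+ +local ${ip_re}( |\$)"
}

# Usage: on proxy2, render its files (redirect ifcfg output to
# /etc/sysconfig/network-scripts/ifcfg-gre1) and verify the live tunnel.
if [ "${1:-}" = "proxy2" ]; then
  render_gre_ifcfg 172.22.16.3 172.22.254.1 172.22.254.3
  render_iptables 172.22.16.254 172.22.254.1 172.22.16.2
  render_cisco_redirect_acl 120 172.22.16.0 0.0.0.255 172.22.16.2 172.22.16.3
  check_tunnel_local 172.22.16.3 "$(ip tunnel show)" || echo "gre1 local address is wrong" >&2
fi
```

The renderers only print; review the output and copy it into place, and run the Cisco lines in configure mode. check_tunnel_local is the check to run on each node after the reboot in section 7, before enabling redirection on the gateway.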