Set Up Squid Siblings On CentOS 6.3 With WCCP - Page 2
This tutorial is part 2 of the configuration. Be sure to start with part 1.
5. Network
The basic configuration for your local IP communication should already be complete. If it was not, the yum update and package installs from part 1 would not have worked. This section covers setting up the GRE tunnel so that Squid can communicate with the gateway properly.
For the tunnel to be added properly we first need to modify one of the network initialization scripts, ifup-tunnel, so that it passes the LOCAL_DEVICE variable from the interface configuration through to ip tunnel as the dev argument.
On both servers
nano /etc/sysconfig/network-scripts/ifup-tunnel
# Create the tunnel
# The outer addresses are those of the underlying (public) network.
/sbin/ip tunnel add "$DEVICE" mode "$MODE" \
    ${MY_OUTER_IPADDR:+local "$MY_OUTER_IPADDR"} \
    ${PEER_OUTER_IPADDR:+remote "$PEER_OUTER_IPADDR"} \
    ${LOCAL_DEVICE:+dev "$LOCAL_DEVICE"} \
    ${KEY:+key "$KEY"} ${TTL:+ttl "$TTL"}
With that modification in place we can now create the GRE interface configuration file.
On proxy1.example.com
nano /etc/sysconfig/network-scripts/ifcfg-gre1
DEVICE="gre1"
TYPE="GRE"
DEVICETYPE="tunnel"
ONBOOT="yes"
MY_INNER_IPADDR="192.168.254.2/24"
MY_OUTER_IPADDR="192.168.88.2"
PEER_OUTER_IPADDR="192.168.254.1"
MTU="1476"
LOCAL_DEVICE="eth0"
The configuration on proxy2.example.com is nearly identical; copy the file over and change only the address lines.
On proxy2.example.com
scp proxy1.example.com:/etc/sysconfig/network-scripts/ifcfg-gre1 /etc/sysconfig/network-scripts/ifcfg-gre1
nano /etc/sysconfig/network-scripts/ifcfg-gre1
MY_INNER_IPADDR="192.168.254.3/24"
MY_OUTER_IPADDR="192.168.88.3"
PEER_OUTER_IPADDR="192.168.254.1"
PEER_OUTER_IPADDR is the router identifier. On the Cisco gateway this is the first IP address programmed in the config. You can easily discover this router ID by running
show ip wccp
Now we have to relax the kernel's reverse-path filter so that the GRE packets arriving on eth0 (whose source is the gateway, not a route reachable via eth0) are not discarded by the system. Add the following lines to the sysctl configuration file; they take effect at the next reboot, or immediately with sysctl -p.
On both servers
nano /etc/sysctl.conf
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.gre1.rp_filter = 0
6. IPTables
Now we need to make sure not only that our Squid systems can communicate with each other and with the network, but also that the HTTP traffic reaches the right port.
On both servers
nano /etc/sysconfig/iptables
Under the filter table, add the following. UDP 2048 carries the WCCP protocol, TCP 3128 is the Squid port, and UDP 3130 is ICP, which the two siblings use to query each other's cache.
# WCCP control traffic from the gateway
-A INPUT -m udp -p udp --dport 2048 -j ACCEPT
# Squid HTTP proxy port
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
# ICP queries between the two siblings
-A INPUT -m udp -p udp --dport 3130 -j ACCEPT
Now add a nat table to the configuration to redirect the web traffic arriving over the GRE tunnel to the Squid port. The rule is restricted to gre1 so that traffic the proxy itself originates on eth0 is not looped back into Squid.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
7. Server wrap up
The last thing to do on the server is ensure that everything will startup again on its own in the case of a system reboot.
On both servers
chkconfig --levels 235 squid on
At this point restart the server and ensure that everything has started up properly.
First we'll check that Squid is running
/etc/init.d/squid status
squid is running (pid xxxxxx)
Next ensure the IP tunnel was created successfully
ip tunnel
On proxy1.example.com
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 192.168.254.1 local 192.168.88.2 dev eth0 ttl inherit
On proxy2.example.com
gre0: gre/ip remote any local any ttl inherit nopmtudisc
gre1: gre/ip remote 192.168.254.1 local 192.168.88.2 dev eth0 ttl inherit
ifconfig gre1 | grep inet
On proxy1.example.com
inet addr:192.168.254.2 P-t-P:192.168.254.2 Mask:255.255.255.0
On proxy2.example.com
inet addr:192.168.254.3 P-t-P:192.168.254.3 Mask:255.255.255.0
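The two checks above (the tunnel listing from section 7 and the nat REDIRECT from section 6) can be scripted so they are repeatable. The following is an added example, not part of the original tutorial: it compares the gre1 line printed by ip tunnel against ifcfg-gre1, and verifies that every REDIRECT to port 3128 is restricted to gre1. The function names and the sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: sanity checks for the proxy
# configuration built above. Each function takes captured text as arguments so
# the checks can run against files, live command output, or saved copies.

# check_tunnel IFCFG_TEXT IPTUNNEL_TEXT
# Returns 0 when the gre1 line printed by "ip tunnel" matches ifcfg-gre1
# (remote = PEER_OUTER_IPADDR, local = MY_OUTER_IPADDR, dev = LOCAL_DEVICE).
check_tunnel() {
    peer=$(printf '%s\n' "$1" | sed -n 's/^PEER_OUTER_IPADDR="\(.*\)"$/\1/p')
    local_ip=$(printf '%s\n' "$1" | sed -n 's/^MY_OUTER_IPADDR="\(.*\)"$/\1/p')
    dev=$(printf '%s\n' "$1" | sed -n 's/^LOCAL_DEVICE="\(.*\)"$/\1/p')
    expect="gre1: gre/ip remote $peer local $local_ip dev $dev ttl inherit"
    # iproute2 pads fields with double spaces, so squeeze runs of blanks first.
    printf '%s\n' "$2" | tr -s ' ' | sed 's/ *$//' | grep -Fxq "$expect"
}

# check_redirect IPTABLES_TEXT
# Returns 0 when at least one REDIRECT to 3128 exists and every such rule is
# restricted to gre1. A REDIRECT without "-i gre1" would also catch traffic the
# proxy itself originates on eth0 and loop it back into Squid.
check_redirect() {
    printf '%s\n' "$1" | awk '
        /-j REDIRECT/ && /--to-ports 3128/ { n++; if ($0 !~ /-i gre1( |$)/) bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed sample input mirroring the values used in this tutorial.
SAMPLE_IFCFG='DEVICE="gre1"
MY_OUTER_IPADDR="192.168.88.2"
PEER_OUTER_IPADDR="192.168.254.1"
LOCAL_DEVICE="eth0"'
SAMPLE_TUNNEL='gre0: gre/ip  remote any  local any  ttl inherit nopmtudisc
gre1: gre/ip  remote 192.168.254.1  local 192.168.88.2  dev eth0  ttl inherit'
GOOD_NAT='-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'
BAD_NAT='-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128'

# On a live proxy, run the same checks against real data:
#   check_tunnel "$(cat /etc/sysconfig/network-scripts/ifcfg-gre1)" "$(ip tunnel)"
#   check_redirect "$(iptables-save -t nat)"
check_tunnel "$SAMPLE_IFCFG" "$SAMPLE_TUNNEL" && echo "sample tunnel matches ifcfg-gre1"
check_redirect "$BAD_NAT" || echo "sample unscoped REDIRECT rejected"
```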
Tunnels are up and squid is running. Time to get some traffic directed at the new proxies.
8. Cisco setup
The configuration on the Cisco gateway is very simple; WCCP needs very little to work. First, create an access-list for the Squid peers and attach it to the web-cache service group. Enter configure mode on the Cisco and run
access-list 10 permit 192.168.88.2
access-list 10 permit 192.168.88.3
ip wccp web-cache group-list 10
Next create the redirect rule. This configuration will direct the entire subnet through the Squid systems, but we have to exclude the Squid servers themselves to avoid creating a loop.
access-list 120 remark ACL for WCCP proxy
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.88.2 any
access-list 120 deny ip host 192.168.88.3 any
access-list 120 remark Proxy LAN clients port 80 only
access-list 120 permit tcp 192.168.88.0 0.0.0.255 any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
ip wccp web-cache redirect-list 120
Before turning redirection on for an interface, make sure that the Squid proxies are advertising their presence to the gateway. Exit from configure mode on the Cisco and run the following
show ip wccp web-cache detail
You should see both servers listed and available
Go back into configure mode and turn on web-cache redirection for the subnet. The LAN interface in this case is GigabitEthernet 0/0, on the subinterface for VLAN 5.
interface GigabitEthernet0/0.5
ip wccp web-cache redirect in
That’s it. You’re done.
For a quick test, open a web page from a system that goes through the gateway handling WCCP. You should see the request appear in the Squid access log.
tail /var/log/squid/access.log