WCCP+squid+transparent proxy/Tproxy+CentOS 6.5

WCCP (Web Cache Communication Protocol) is a Cisco protocol that lets a router redirect traffic from the end users to a proxy server. A proxy server configured this way has several advantages:

1. It reduces network bandwidth usage from the Internet.
2. Filtering: as traffic goes through the proxy server, it lets you filter certain websites.
3. Monitoring: you will be able to see what users are doing and track them on the proxy server.

WCCP is a Cisco protocol used between a Cisco router and a proxy server to redirect traffic and to communicate with the proxy server. The proxy is configured to tell the router that it is “alive” and ready to serve web pages; the same exchange lets the router determine when the proxy is down. The Cisco router with WCCP enabled acts as the WCCP server, while the Squid proxy is the WCCP client. The aim of this tutorial is first to explain how WCCP is used to forward traffic to the Squid proxy, and then to walk through the configuration steps of the Cisco router and of the proxy using Squid on a Linux system. The flow diagram further highlights our config process.

We set the Cisco router and the proxy server to both run WCCP. The Squid proxy announces itself to the router over UDP port 2048 and the router responds. Do not confuse the two kinds of traffic: the WCCP control messages that the router and Squid exchange for status and service information, and the redirected HTTP traffic itself. If you have configured the router and the proxy on different subnets, the HTTP traffic the router redirects to the WCCP client is encapsulated in a GRE tunnel and delivered to the GRE interface that we will create later.

If a client wants to access the Internet, it sends a TCP SYN packet to the destination, which the Cisco router sees.

It should also be noted that without WCCP the TCP SYN packets would be forwarded directly to the Internet. With WCCP running, the router forwards the TCP SYN from the host to the proxy server instead.

GRE Tunnelling

Packets forwarded to a different subnet would otherwise be routed normally and altered on the way. To carry them to the proxy unchanged you use GRE tunnelling between the WCCP server (the router) and the proxy, and you can enable WCCP debugging on the router to check that the Squid box and the router are talking. If the proxy and the router are on the same subnet, a different method known as Layer 2 redirection can be used instead, either through a dedicated interface or through a sub-interface.

The source IP address of the packet is not altered at any point of the request, so from the client's point of view the host on the Internet sees the real IP address of the client, NOT the proxy server!

Squid proxy server

Squid is a very popular proxy server used by a lot of ISPs. It supports HTTP, HTTPS, FTP and, of course, WCCP. It gains speed by caching copies of web pages and serving them to users instead of having the actual web server regenerate the content each time. It is primarily used on hosts with adequate hard drive space and may not be suitable for small servers with limited space.

Things to check:

1. Make sure SELinux is disabled. Edit the following file:

# vim /etc/sysconfig/selinux

Change the line that says

SELINUX=enforcing

to this:

SELINUX=disabled

Just in case, reboot your server and install squid:

# yum install squid

Squid is in the default repositories as pre-packaged software, so you don’t have to worry about compiling it yourself. Still, you should check that your Squid version supports WCCP. It is advisable to obtain and set up the most stable Squid binary from the squid.org repository, to create separate partition(s) on the file system where Squid will actually store its cache, and to mount those partitions with options that help increase performance. If Squid was installed from the repository, you can check WCCP support with the following grep command:

# squid -v | grep enable-linux-netfilter | grep enable-wccpv2

If this prints the configure options line, your Squid version supports WCCP. Start Squid and confirm that it is running by issuing:

# service squid start
Starting squid: ....                                       [ OK ]

To make sure Squid starts again after a reboot, use chkconfig:

# chkconfig squid on

You can check the Squid files in the /var/log folder to see if it is having any issues:

# cat /var/log/squid/squid.out

The “squid.out” logfile will show all errors and configurations you may have skipped.

Squid listens on port 3128 by default, and we are going to configure iptables so that whenever someone connects to port 80 the connection is redirected to port 3128. Open the iptables configuration:

# vim /etc/sysconfig/iptables

and add the following NAT rules:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT

In the filter section you should add a line that allows incoming connections to TCP port 3128:

-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT

And don’t forget to add an entry that allows GRE traffic between the Cisco router and Squid:

-A INPUT -s 192.168.1.254 -d 192.168.1.253 -p gre -j ACCEPT

The following iptables rules for WCCP also need to be created:

iptables -A INPUT -i gre0 -j ACCEPT
iptables -A INPUT -i gre -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -s 192.168.1.254 -p udp --dport 2048 -j ACCEPT

Then start the iptables service:

# service iptables start

This is also the right time to check that Squid is working by sending it a request as a client would (here the cache manager info page):

# squidclient -h 192.168.1.253 -p 3128 mgr:info

Meanwhile you can check the “access.log” to find out what is going on:

# tail /var/log/squid/access.log

You also need to configure your squid.conf options:

# vim /etc/squid/squid.conf

Look for this line and uncomment it:

#http_port 3128

then set the following lines (and do not forget the acl section that allows your clients):

visible_hostname Server1
http_port 3128 tproxy transparent

Configure the WCCP-related items:

wccp2_router 192.168.1.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_assignment_method 1

By default Squid forwards the client IPs to the respective websites (in the X-Forwarded-For header). If you are a bit security minded, you can configure your proxy as anonymous: this hides the IPs of the clients being served by the proxy and forwards only the IP configured on the Squid server, or on the firewall server. Find the following line:

forwarded_for on

Change this to:

forwarded_for off

Save your configuration and exit. We also need to create the GRE interface:

# vim /etc/sysconfig/network-scripts/ifcfg-gre0

Add the following lines:

DEVICE=gre0
TYPE=GRE
DEVICETYPE=tunnel
ONBOOT=yes
MY_INNER_IPADDR=192.168.1.253
MY_OUTER_IPADDR=192.168.1.253
PEER_OUTER_IPADDR=192.168.1.254

CentOS (and probably most Linux distributions) don’t allow IP forwarding by default. Open the following file:

# vim /etc/sysctl.conf

And change the line below from 0 to 1:

net.ipv4.ip_forward = 1

A few more settings are needed, but first we bring up the GRE interface:

ifup gre0

Enable IP forwarding and disable reverse-path filtering on the interfaces (otherwise the kernel drops packets arriving on gre0 whose source address it would route via eth0):

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter

The following rule redirects all HTTP packets arriving on gre0 to port 3128 on the local Squid server (it does the same job as the REDIRECT rule added to /etc/sysconfig/iptables above):

iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 \
 -j DNAT --to-destination 192.168.1.253:3128
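As an added check (not part of the original post), the following script verifies offline that the Squid side matches what has been configured so far: the squid -v build options, the wccp2_ directives and tproxy http_port in squid.conf, the sysctl values, and the iptables rules. The function names, the --live switch and the sample inputs are my own; the addresses 192.168.1.254/.253 and port 3128 are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: offline preflight checks for the
# Squid side of the setup above. Each check takes the text it inspects as an
# argument, so it can be run against saved output or, with --live, against the
# real host. Router/proxy addresses and the 3128 port follow the post.

# `squid -v` must list both build options the post greps for.
squid_supports_wccp() {
    printf '%s\n' "$1" | grep -q -- '--enable-linux-netfilter' &&
    printf '%s\n' "$1" | grep -q -- '--enable-wccpv2'
}

# squid.conf must carry the wccp2_ directives for ROUTER and the tproxy http_port on PORT.
squidconf_ok() {
    conf=$1 router=$2 port=$3
    printf '%s\n' "$conf" | grep -q "^wccp2_router[[:space:]]*$router\$" &&
    printf '%s\n' "$conf" | grep -q '^wccp2_forwarding_method[[:space:]]*gre' &&
    printf '%s\n' "$conf" | grep -q '^wccp2_return_method[[:space:]]*gre' &&
    printf '%s\n' "$conf" | grep -q '^wccp2_service[[:space:]]*standard[[:space:]]*0' &&
    printf '%s\n' "$conf" | grep -q "^http_port[[:space:]]*$port[[:space:]]*tproxy transparent"
}

# `sysctl -a` must show forwarding on and reverse-path filtering off (all + gre0).
sysctl_ok() {
    printf '%s\n' "$1" | grep -q '^net.ipv4.ip_forward = 1$' &&
    printf '%s\n' "$1" | grep -q '^net.ipv4.conf.all.rp_filter = 0$' &&
    printf '%s\n' "$1" | grep -q '^net.ipv4.conf.gre0.rp_filter = 0$'
}

# `iptables-save` must contain the port-80 redirect on gre0 (REDIRECT or the
# DNAT form) and the GRE and UDP/2048 accepts from ROUTER.
iptables_ok() {
    d=$1 router=$2 port=$3
    printf '%s\n' "$d" | grep -Eq -- "-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j (REDIRECT --to-ports $port|DNAT --to-destination [0-9.]+:$port)" &&
    printf '%s\n' "$d" | grep -q -- "-A INPUT -s $router.* -p gre -j ACCEPT" &&
    printf '%s\n' "$d" | grep -q -- "-A INPUT -s $router.* -p udp -m udp --dport 2048 -j ACCEPT"
}

# On the proxy host: sh wccp-preflight.sh --live
if [ "${1-}" = --live ]; then
    squid_supports_wccp "$(squid -v)"                              && echo "squid build: ok"
    squidconf_ok "$(cat /etc/squid/squid.conf)" 192.168.1.254 3128 && echo "squid.conf: ok"
    sysctl_ok "$(sysctl -a 2>/dev/null)"                           && echo "sysctl: ok"
    iptables_ok "$(iptables-save)" 192.168.1.254 3128              && echo "iptables: ok"
fi
```

A check that stays silent in --live mode points at the section above that still needs attention.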

Now we move to the Cisco router. First we enable WCCP version 2:

Router(config)#ip wccp version 2

Next, define an access list of the WCCP clients (the proxies) that are allowed to join the service group, and apply it with the following commands:

access-list 10 permit 192.168.1.252
access-list 10 permit 192.168.1.253
ip wccp web-cache group-list 10

Next we define an access list that decides which traffic is redirected to the proxies and which is not: the Squid proxy 192.168.1.253 (and 192.168.1.252) is denied so its own traffic bypasses WCCP, all other hosts on 192.168.1.0/24 are sent to the proxy when going to port 80, and everything else bypasses WCCP.

access-list 120 remark ACL for WCCP proxy access
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.1.253 any
access-list 120 deny ip host 192.168.1.252 any
access-list 120 remark LAN clients proxy port 80 only
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
!
! Assign ACL to WCCP
ip wccp web-cache redirect-list 120

Make sure WCCP version 2 is set:

ip wccp version 2

Verify the configuration; it should show protocol version 2.0 and the redirect access-list 120:

Router#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Redirect access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
Router#

The last step to enable WCCP proxying is to apply the redirect on the LAN-facing interface (FastEthernet0 in this case):

int f0
 ip wccp web-cache redirect in