WCCP (Web Cache Communication Protocol) is a Cisco protocol that enables a router to redirect traffic from end users to a proxy server. A configured proxy server has advantages:
1. It reduces network bandwidth usage from the Internet.
2. Filtering: as traffic goes through the proxy server, it enables you to filter certain websites.
3. Monitoring: you will be able to know what users are doing and track them on the proxy server.
WCCP is a Cisco protocol used between a Cisco router and a proxy server to redirect traffic and communicate with the proxy server. The proxy is configured to tell the router that it is "alive" and ready to serve web pages; WCCP is also used to determine when the proxy is down. The Cisco router is WCCP enabled, which makes it the WCCP server, while the Squid proxy is the WCCP client. The aim of this tutorial is first to explain how WCCP is used to forward traffic to the Squid proxy, and then to walk through the configuration steps for the Cisco router and for the proxy running Squid on a Linux system. The flow diagram will further highlight our config process.
We set the Cisco router and proxy server to both run WCCP. The Squid proxy is configured to announce itself to the router over UDP port 2048, and the router responds. The two modes of traffic must not be confused, i.e. the WCCP control traffic (the WCCP and Squid processes exchanging status and service information) and the redirected user traffic. If you have configured them on different subnets, HTTP traffic received by the router is encapsulated in a GRE tunnel and forwarded to the WCCP client on the GRE interface that we will create later.
If a client wants to access the Internet, it creates a TCP SYN packet for the destination, which the Cisco router will recognize.
Note that without WCCP the TCP SYN packets would be forwarded directly to the Internet. With WCCP running, the router forwards the TCP SYN from the host to the proxy server instead.
Packets can be changed when they are forwarded to a different subnet. To prevent this, GRE tunneling is used between the proxy host and the WCCP server (the router), and you can set your router to debug level to check whether the Squid box and WCCP are talking. If the host and the server are on the same subnet, a different path of communication known as layer 2 redirection can be used, either through a dedicated interface or a sub-interface.
The source IP address of the packet is not altered at any point of the request, so the real IP address of the client host, NOT the proxy server's, is what is seen on the Internet!
Squid proxy server
Squid is a very popular proxy server used by a lot of ISPs. It supports HTTP, HTTPS, FTP and, of course, WCCP. It gains speed by caching copies of rendered web pages and serving them to users instead of having the actual web server regenerate dynamic content. It is primarily used on hosts with adequate hard drive space and may not be suitable for small servers with limited space.
Things to check:
1. Make sure SELinux is disabled. Troubleshooting:
# vim /etc/sysconfig/selinux
Change the line that says "SELINUX=enforcing" to this:
SELINUX=disabled
Just in case, reboot your server and install squid:
# yum install squid
Squid is available pre-packaged in the default repositories, so you don't have to compile it yourself. To be sure, check that your Squid version supports WCCP; it is advisable to obtain and set up the most stable Squid binary from the squid.org repository, to create separate partition(s) on the file system where it will actually store its cache, and to mount those partitions with options that help increase performance. If it is installed by default, you can check with the following grep command:
# squid -v | grep enable-linux-netfilter | grep enable-wccpv2
If the command prints Squid's configure options line (so both flags are present), your Squid version supports WCCP. Confirm that Squid is running by issuing:
# service squid start
Starting squid: .... [ OK ]
To make sure Squid starts again after a reboot, use chkconfig:
# chkconfig squid on
You can check the Squid log files in the /var/log folder to see if it is having any issues:
# cat /var/log/squid/squid.out
The "squid.out" log file will show all errors and configuration items you may have skipped.
# vim /etc/sysconfig/iptables
Squid uses port 3128 by default, and we are going to configure it so that whenever someone connects to port 80 they are redirected to port 3128. This is done with the following NAT rules:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
In the filter section you should add a line that allows incoming connections to TCP port 3128:
-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT
And don’t forget to add an entry that allows GRE traffic between the Cisco router and Squid:
-A INPUT -s 192.168.1.254 -d 192.168.1.253 -p gre -j ACCEPT
The WCCP iptables rules also need to be created:
iptables -A INPUT -i gre0 -j ACCEPT
iptables -A INPUT -i gre -j ACCEPT
iptables -A INPUT -i eth0 -p gre -j ACCEPT
iptables -A INPUT -s 192.168.1.254 -p udp --dport 2048 -j ACCEPT
Then start iptables:
# service iptables start
This is also the right time to check our configuration by requesting a web page through the proxy server with squidclient (any URL will do; example.com is used here), to see if Squid is working:
# squidclient -h 192.168.1.253 -p 3128 http://example.com/
Meanwhile you can check the "access.log" to find out what is going on:
# tail /var/log/squid/access.log
You also need to configure your squid.conf options:
# vim /etc/squid/squid.conf
Look for the following lines and uncomment them, and do not forget to include the acl section:
visible_hostname Server1
http_port 3128 tproxy transparent
Configure the WCCP related items:
wccp2_router 192.168.1.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
wccp2_assignment_method 1
By default Squid forwards client IPs to the respective websites. If you are a bit security minded, you can configure your proxy as anonymous. This hides the IPs of the clients being served by the proxy and forwards only the IPs configured on the Squid server, or on the firewall server. Find the following line:
Change this to:
Save your configuration and exit. We also need to create the GRE interface:
# vim /etc/sysconfig/network-scripts/ifcfg-gre0
Add the following lines:
DEVICE=gre0
TYPE=GRE
DEVICETYPE=tunnel
# ONBOOT value reconstructed: "yes" brings the tunnel up at boot
ONBOOT=yes
MY_INNER_IPADDR=192.168.1.253
MY_OUTER_IPADDR=192.168.1.253
PEER_OUTER_IPADDR=192.168.1.254
CentOS (and probably most Linux distributions) does not enable IP forwarding by default. Open the following file:
# vim /etc/sysctl.conf
And change the line below from 0 to 1:
net.ipv4.ip_forward = 1
We also need to run the following commands, but first bring up the GRE interface.
Enable IP forwarding and disable reverse path filtering between interfaces:
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/gre0/rp_filter
The following rule redirects all HTTP packets which arrive on gre0 (-i gre0) to port 3128 on the local Squid server.
iptables -t nat -A PREROUTING -i gre0 -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination 192.168.1.253:3128
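The three Squid-side fragments above (squid.conf, ifcfg-gre0 and the iptables rules) have to agree with each other: the router announced in wccp2_router must be the GRE peer, port 80 on gre0 must land on http_port, and the firewall must let in both GRE and WCCP (UDP 2048) from that router. The following script is an added example, not part of the tutorial; it cross-checks constructed copies of the page's fragments and reports mismatches, and also accepts the DNAT variant of the redirect rule.

```python
import re

# Constructed sample fragments mirroring the values used in this tutorial.
SQUID_CONF = """
http_port 3128 tproxy transparent
wccp2_router 192.168.1.254
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0
"""
IFCFG_GRE0 = """
DEVICE=gre0
MY_OUTER_IPADDR=192.168.1.253
PEER_OUTER_IPADDR=192.168.1.254
"""
IPTABLES = [
    "-A PREROUTING -i gre0 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128",
    "-A INPUT -m tcp -p tcp --dport 3128 -j ACCEPT",
    "-A INPUT -s 192.168.1.254 -d 192.168.1.253 -p gre -j ACCEPT",
    "-A INPUT -s 192.168.1.254 -p udp --dport 2048 -j ACCEPT",
]

def directives(text):
    """Parse 'key value...' (squid.conf) or 'KEY=value' (ifcfg) lines into {key: [tokens]}."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            key, *vals = line.replace("=", " ").split()
            out[key] = vals
    return out

def check_wccp_client(squid_conf, ifcfg, rules):
    """Return a list of mismatches between the three config fragments (empty = consistent)."""
    sq, gre = directives(squid_conf), directives(ifcfg)
    problems = []
    router = sq.get("wccp2_router", [None])[0]
    if router != gre.get("PEER_OUTER_IPADDR", [None])[0]:
        problems.append("wccp2_router does not match PEER_OUTER_IPADDR")
    port = sq.get("http_port", [None])[0]
    # Accept either REDIRECT --to-port N or DNAT --to-destination A.B.C.D:N on port 80.
    redirect = [r for r in rules if "PREROUTING" in r and "--dport 80" in r]
    if not any(re.search(r"--to-(port |destination \S+:)%s\b" % port, r) for r in redirect):
        problems.append("no PREROUTING rule sends port 80 to http_port %s" % port)
    if sq.get("wccp2_forwarding_method") == ["gre"] and not any(
            "-p gre" in r and "ACCEPT" in r for r in rules):
        problems.append("GRE forwarding set but no INPUT rule accepts protocol gre")
    if not any("-p udp" in r and "--dport 2048" in r and "-s %s" % router in r for r in rules):
        problems.append("no INPUT rule accepts WCCP (udp/2048) from router %s" % router)
    return problems
```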
Cisco router configuration
First we will enable WCCP version 2 in global configuration mode:
WCCP(config)#ip wccp version 2
To define which clients are allowed to join the WCCP service group, use the following access list and group-list commands:
access-list 10 permit 192.168.1.252
access-list 10 permit 192.168.1.253
ip wccp web-cache group-list 10
Next we define an access list that decides which hosts are redirected to the proxies and which bypass WCCP: the Squid proxies 192.168.1.253 and 192.168.1.252 are denied (their own traffic must not be redirected back to them), all other hosts on 192.168.1.0/24 are sent to the proxy when going to port 80, and everything else bypasses WCCP.
access-list 120 remark ACL for WCCP proxy access
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.1.253 any
access-list 120 deny ip host 192.168.1.252 any
access-list 120 remark LAN clients proxy port 80 only
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 120 remark all others bypass WCCP
access-list 120 deny ip any any
!
! Assign ACL to WCCP
ip wccp web-cache redirect-list 120
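In a WCCP redirect-list, "permit" means "redirect to the proxy" and "deny" means "bypass", evaluated first match wins with an implicit deny at the end. The following added example (not part of the tutorial) implements that evaluation for the extended ACL syntax used above, including host/any/wildcard-mask matching, and runs ACL 120 over a few constructed flows to show that LAN clients on port 80 are redirected while the proxies' own traffic and non-HTTP traffic bypass WCCP. It only understands a destination "eq" port, which is all ACL 120 uses.

```python
import ipaddress

# ACL 120 as configured on the router in this tutorial (remarks included).
ACL_120 = """
access-list 120 remark Squid proxies bypass WCCP
access-list 120 deny ip host 192.168.1.253 any
access-list 120 deny ip host 192.168.1.252 any
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 120 deny ip any any
"""

def _parse_addr(tokens, i):
    """Consume one address spec (any | host X | X WILDCARD) -> (addr, netmask, next index)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return addr, 0xFFFFFFFF ^ wildcard, i + 2   # wildcard 1-bits are "don't care"

def parse_acl(text):
    """Parse extended ACL lines into (permit, proto, src, smask, dst, dmask, dport) tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, smask, i = _parse_addr(t, 4)
        dst, dmask, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append((t[2] == "permit", t[3], src, smask, dst, dmask, dport))
    return rules

def redirected(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation: True = redirect to proxy, False = bypass (incl. implicit deny)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for permit, rproto, rs, sm, rd, dm, port in rules:
        if rproto not in ("ip", proto):
            continue
        if (s & sm) != (rs & sm) or (d & dm) != (rd & dm):
            continue
        if port is not None and port != dport:
            continue
        return permit
    return False
```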
Now set WCCP version 2:
ip wccp version 2
Verify the configuration; it should be active on version 2:
Router#sh ip wccp
Global WCCP information:
    Router information:
        Router Identifier:                   -not yet determined-
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     0
        Number of Service Group Routers:     0
        Total Packets s/w Redirected:        0
          Process:                           0
          Fast:                              0
          CEF:                               0
        Redirect access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            0
        Group access-list:                   -none-
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0
Router#
The last step to enable WCCP proxying is to apply the redirect on the LAN-facing interface (FastEthernet0 in this case):
interface FastEthernet0
 ip wccp web-cache redirect in