Feed on
Posts
Comments

First Thing First

  1. Get your WCCP-capable Cisco device setup as your internet router – I’m using a C3825 ISR running 15.1(4)M6…if you’re not using the same, your mileage may vary…

Configure CentOS

    1. Deploy CentOS (6.4 at the time of writing) using the method of your choice – I used the minimal install, which is very nearly sufficient…
      * optional: disable selinux (if you don’t do this, then you’ll need to hassle with selinux) and ip6tables (doubtful you’re running ipv6 – if you are, then you know how to manage it)…
    2. Squid needs to be configured with –enable-linux-netfilter and –enable-wccpv2, so let’s install squid via yum and ensure it has those config options:
      yum install squid
      squid -v | grep enable-linux-netfilter | grep enable-wccpv2
      * If you see any output, then those config options were found and you should be good to go!  If you don’t see any output, then make sure there are no typos (copy/paste the command) and try again.  If you still don’t see any output, then you’ll have to build squid from source – yippee for you! But, the package for CentOS 6 does include those config options, so I’m moving right along!
    3. Start squid to make sure everything works at defaults
      service squid start
      cat /var/log/squid/squid.out

      * No errors? -> Good stuff! … Errors? -> Happy troubleshooting!
    4. Once squid is running error free and you can successfully use it by manually configuring your browser to point at it, let’s make sure it’s set to boot in chkconfig:
      chkconfig squid on
    5. Now let’s make some squid config (/etc/squid/squid.conf) changes – comment the line “http_port 3128” and copy/paste the following below it (note: my router’s internal IP is 192.168.0.1, yours might be different):

# Transparent proxy via WCCPv2
http_port 3128 intercept
wccp2_router 192.168.0.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0

  • Create the GRE tunnel interface to be used for the wccp redirects from the router:
    vi /etc/sysconfig/network-scripts/ifcfg-gre0
    Paste the following contents (*note – I’m using 10.0.0.2 as the local IP for the GRE tunnel, but you should choose any IP address that’s not in use elsewhere on your network):
    DEVICE=gre0
    BOOTPROTO=static
    IPADDR=10.0.0.2
    NETMASK=255.255.255.252
    ONBOOT=yes
    IPV6INIT=no
  • Modify sysctl.conf to enable forwarding and disable route path filtering:
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.gre0.rp_filter = 0
    net.ipv4.conf.eth0.rp_filter = 0
  • Modify iptables to redirect packets coming in via the GRE tunnel with a destination port of 80 and NOT destined for the local network:
    iptables -t nat -A PREROUTING -s 192.168.0.0/255.255.255.0 -d ! 192.168.0.0/255.255.255.0 -i gre0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:3128
  • Now restart squid and check /var/log/squid/squid.out for errors and resolve any that you find.

 

Configure WCCPv2 on 3825

  1. Set WCCP to version 2
    ip wccp version 2
  2. Create an access list to define the proxy server(s) on your network:
    access-list 2 permit 192.168.0.2
  3. Create another access list to define which hosts are subject to proxy and which hosts are denied/bypass (the proxy server(s) and any other clients you want to access the Internet w/o proxy.
    access-list 102 remark ACL for WCCP proxy
    access-list 102 remark Squid proxies bypass WCCP
    access-list 102 deny ip host 192.168.0.2 any
    access-list 102 remark Clients to proxy
    access-list 102 permit tcp 192.168.0.0 0.0.0.255 any eq 80
    access-list 102 remark All others bypass WCCP
    access-list 102 deny ip any any
  4. Apply the ACLs to WCCP
    ip wccp web-cache redirect-list 102 group-list 2
  5. Verify configuration:
    sh ip wccp
    you should see output similar to this:
    Global WCCP information: Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: web-cache
    Number of Service Group Clients: 0
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    CEF: 0
    Service mode: Open
    Service Access-list: -none-
    Total Packets Dropped Closed: 0
    Redirect Access-list: 102
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 0
    Group Access-list: 2
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total GRE Bypassed Packets Received: 0

    * Note: Redirect Access-list and Group Access-list…
  6. …TO BE CONTINUED…

One Response to “Cisco WCCP + Squid (on CentOS) for Transparent Web Proxy”

  1. David Lim says:

    hi.. when are you planning to continued the guide?

Leave a Reply