[squid-users] Re: TPROXY surf as client
Eliezer Croitoru-2 wrote
> On 06/21/2014 06:12 PM, Amos Jeffries wrote:
>> TCP does not permit that. The SYN-ACK will fail.
>>
>> Amos
>
> Unless it will come from the proxy server but still it's not recommended and in many cases is even illegal and can be considered as a real serious crime and abusive use of IP address.
>
> Eliezer

Thanks. Please more description. I want to run the script on proxy server. It may use same iptables rules which squid uses for tproxy job. Please guide me.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-surf-as-client-tp4666439p4666446.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Re: [squid-users] Re: TPROXY surf as client
On 22/06/2014 6:26 p.m., Omid Kosari wrote:
> Eliezer Croitoru-2 wrote
>> On 06/21/2014 06:12 PM, Amos Jeffries wrote:
>>> TCP does not permit that. The SYN-ACK will fail.
>>>
>>> Amos
>>
>> Unless it will come from the proxy server but still it's not recommended and in many cases is even illegal and can be considered as a real serious crime and abusive use of IP address.
>>
>> Eliezer
>
> Thanks. Please more description. I want to run the script on proxy server. It may use same iptables rules which squid uses for tproxy job. Please guide me.

Omid,
What do you hope to achieve with this?

Amos
[squid-users] Re: TPROXY surf as client
I want to create fake traffic for website with 1000 different ip's within few minutes. Something like you say to 1000 different clients/IPs to surf that site from 11:00 to 11:15.

I want to achieve this with help of squid tproxy and without need to disconnect users.

Squid is doing something like that with tproxy because users requests routed to it, so it could do that job if a script runs on squid box. I just don't know how to spoof requested source ip in that script.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-surf-as-client-tp4666439p4666448.html
Re: [squid-users] Re: TPROXY surf as client
On 22/06/2014 6:55 p.m., Omid Kosari wrote:
> I want to create fake traffic for website with 1000 different ip's within few minutes. Something like you say to 1000 different clients/IPs to surf that site from 11:00 to 11:15.
>
> I want to achieve this with help of squid tproxy and without need to disconnect users.

Squid is the wrong tool to be using here. You want to look at hacking and attack tools - that is what you will be doing, and why it is illegal in most cases.

> Squid is doing something like that with tproxy because users requests routed to it, so it could do that job if a script runs on squid box. I just don't know how to spoof requested source ip in that script.

Squid is only opening outbound socket, marking it with setsockopt(IP_TRANSPARENT), then using bind() to set the outgoing IP. Everything else is limited by normal TCP/IP and routing operations within the network.

Note that Squid specifying the outgoing IP on any particular request is a non-standard use of HTTP. Normal HTTP combines the client requests into persistent connections, causing a few long-lived TCP connections to servers with a large number of pipelined transactions on each.

For testing server capacity against TPROXY input it is sufficient to make the server listen on localhost interface and setup a tool like Polygraph to use 127.0.*.* IPs for opening connections (or the fc00::* range in IPv6).

Amos
Re: [squid-users] Re: TPROXY surf as client
On 06/22/2014 09:55 AM, Omid Kosari wrote:
> I want to create fake traffic for website with 1000 different ip's within few minutes. Something like you say to 1000 different clients/IPs to surf that site from 11:00 to 11:15.
>
> I want to achieve this with help of squid tproxy and without need to disconnect users.
>
> Squid is doing something like that with tproxy because users requests routed to it, so it could do that job if a script runs on squid box. I just don't know how to spoof requested source ip in that script.

Squid is not the place for this research. You can look at examples for tproxy codes in tproxy lists or examples from individual users on the internet.

Regards,
Eliezer
[squid-users] Re: TPROXY surf as client
Amos Jeffries wrote
> User and IP address are not the same thing. TPROXY only deals with IP addresses, not users.

I mean exactly the ip address. Is there a way to send request as user source ip while user is online?

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-surf-as-client-tp4666439p4666441.html
Re: [squid-users] Re: TPROXY surf as client
On 21/06/2014 11:35 p.m., Omid Kosari wrote:
> Amos Jeffries wrote
>> User and IP address are not the same thing. TPROXY only deals with IP addresses, not users.
>
> I mean exactly the ip address. Is there a way to send request as user source ip while user is online?

TCP does not permit that. The SYN-ACK will fail.

Amos
Re: [squid-users] Re: TPROXY surf as client
On 06/21/2014 06:12 PM, Amos Jeffries wrote:
> TCP does not permit that. The SYN-ACK will fail.
>
> Amos

Unless it will come from the proxy server but still it's not recommended and in many cases is even illegal and can be considered as a real serious crime and abusive use of IP address.

Eliezer
[squid-users] Re: tproxy and DNS
well, but what is the benefit of that??

-
Mr.Ahmad

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/tproxy-and-DNS-tp4661670p4661694.html
Re: [squid-users] Re: tproxy and DNS
On 21/08/2013 10:34 p.m., Ahmad wrote:
> well, but what is the benefit of that??

TPROXY is an abbreviation of Transparent PROXY. It is the *real* behaviour behind the term. To make as few alterations to the traffic flow as possible.

The NAT interception proxy behaviour has been confused with transparency for so long that it has been updated to do the same by default so that we can more easily re-use the transparent option on http_port later without causing issues on old config files.

Amos
Re: [squid-users] Re: TPROXY
In general tproxy works on:
Fedora (any version 10+)
Centos (5.9+)
Ubuntu (9.10+)
Gentoo (for very long time)
Debian (5+)
Slax (XX)
etc..

Lots of systems work but you just don't know how to configure them...
What routing settings have you used??

Take a look at this script and change the modules to the ones that exist on ubuntu:

##start
#!/bin/sh -x
echo loading modules requierd for the tproxy
modprobe ip_tables
modprobe xt_tcpudp
modprobe nf_tproxy_core
modprobe xt_mark
#modprobe xt_MARK
modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_conntrack_ipv4
sysctl net.netfilter.nf_conntrack_acct
sysctl net.netfilter.nf_conntrack_acct=1

echo setting routing tables for tproxy
ip route flush table 100
ip rule del fwmark 1 lookup 100
ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100

echo flushing any exiting rules
iptables -t mangle -F
iptables -t mangle -X DIVERT

echo creating iptables rules
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1

echo flushing routing cache
ip route flush cache
##end

This is a 100% working tproxy script!!
Maybe your routing system remembers the routing cache and you need to flush it. In many cases this can be the reason.

Also take your time and have a look at:
http://freevideolectures.com/Course/2998/Linux-Fundamentals/19
which is a 3+ lectures on how to install squid and\or\with squidguard as transparent proxy.

I hope to put my script later on the wiki to help others understand how to make it work.

Eliezer

On 6/3/2013 2:40 PM, alvarogp wrote:
> Hi,
>
> I have followed the same steps that in the previous case but changing the Operating System. Tried on:
>
> - Fedora 18
> - Kernel 3.6.10
> - IPtables 1.4.16
> - Squid 3.3.5 with Tproxy
>
> Unfortunately, is the same situation that when I was using Ubuntu. The users can reach Internet only if Squid is working, but any activity is registered in the file access.log. Is it possible that Fedora's kernel has the same problem than Ubuntu?
>
> Regards,
>
> Alvaro
>
> --
> View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660396.html
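The script in the message above sets up a policy-routing rule, a local route in table 100 and the mangle-table rules, and a setup that has only some of them is easy to overlook. As an added example (not part of the thread and not Squid project code), this shell function checks captured `ip rule`, `ip route` and `iptables-save` output for each piece; the function name, the labels it prints and all sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. On a live host (as root) the inputs
# would come from:
#   tproxy_audit "$(ip rule show)" "$(ip route show table 100)" \
#                "$(iptables-save -t mangle)" 3129

# Prints a space-separated list of missing pieces; empty output = complete.
# The body is a subshell "( ... )" so its variables and helper stay private.
tproxy_audit() (
    rules=$1; routes=$2; mangle=$3; port=$4
    missing=""

    # has TEXT REGEX: succeeds if any line of TEXT matches the extended regex.
    has() { printf '%s\n' "$1" | grep -Eq -e "$2"; }

    # ip rule add fwmark 1 lookup 100
    has "$rules" 'fwmark (0x)?1(/0x1)? lookup 100' \
        || missing="$missing policy-rule"

    # ip -f inet route add local default dev lo table 100
    has "$routes" '^local (default|0\.0\.0\.0/0) dev lo' \
        || missing="$missing local-route"

    # iptables -t mangle -A DIVERT -j MARK --set-mark 1
    # (iptables-save prints this as --set-xmark 0x1/0xffffffff)
    has "$mangle" '^-A DIVERT .*-j MARK --set-x?mark (0x)?1' \
        || missing="$missing divert-mark"

    # iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    has "$mangle" '^-A PREROUTING .*-m socket.* -j DIVERT' \
        || missing="$missing socket-divert"

    # ... -j TPROXY --on-port PORT, PORT being the "http_port ... tproxy" port
    has "$mangle" "^-A PREROUTING .*-j TPROXY .*--on-port $port( |\$)" \
        || missing="$missing tproxy-target"

    echo "${missing# }"
)

# Constructed sample: state after the whole script has run.
GOOD_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
GOOD_ROUTES='local default dev lo scope host'
GOOD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT'

# Constructed sample: iptables rules loaded, policy routing never configured.
BARE_RULES='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

report() { if [ -n "$1" ]; then echo "missing: $1"; else echo "complete"; fi; }
report "$(tproxy_audit "$GOOD_RULES" "$GOOD_ROUTES" "$GOOD_MANGLE" 3129)"
report "$(tproxy_audit "$BARE_RULES" "" "$GOOD_MANGLE" 3129)"
```

Without the fwmark rule and the local route in table 100, marked packets follow the normal forwarding path instead of being delivered to the local proxy socket, so those two are checked separately from the iptables rules.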
[squid-users] Re: TPROXY
Thanks for the information Eliezer. I am gonna take a look to it.

Alvaro

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660403.html
[squid-users] Re: TPROXY
Hi,

I have followed the same steps that in the previous case but changing the Operating System. Tried on:

- Fedora 18
- Kernel 3.6.10
- IPtables 1.4.16
- Squid 3.3.5 with Tproxy

Unfortunately, is the same situation that when I was using Ubuntu. The users can reach Internet only if Squid is working, but any activity is registered in the file access.log. Is it possible that Fedora's kernel has the same problem than Ubuntu?

Regards,

Alvaro

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660396.html
[squid-users] Re: TPROXY
alvarogp wrote
> Hello,
>
> I have the next configuration:
> - Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
> - IPtables 1.4.12
> - Squid 3.3.4 with Tproxy
>
> With Iptables I have configured the proxy to forward the traffic from the local LAN (eth0) to the outside world (eth1). The configuration is:
>
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> To configure and install Tproxy I have followed the tutorial described in the wiki:
>
> ./configure --enable-linux-netfilter
>
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.all.rp_filter = 0
> net.ipv4.conf.eth0.rp_filter = 0
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>
> For squid.conf, I have maintained the configuration by default adding to it:
>
> http_port 3128
> http_port 3129 tproxy
>
> If Squid is running, the packets from the local LAN are routed correctly and the web pages are showed perfectly. The problem I have is that this accesses are not reflected in the access.log and cache.log, so could be possible that squid is not caching any cacheable content?
>
> I read one other post from a guy who had a very similar problem:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-TPROXY-and-empty-access-log-td1036667.html
>
> If I do the same that him specifying in the user's browser the proxy, activity (ABORTED request for each web I have tried to access) is reflected in access.log. The time out expires and the local LAN users cannot access to Internet.
>
> All the information needed please tell me.
>
> Thank you in advance,
> Alvaro

Hi,

Does anyone know some configuration guide to configure Squid with TProxy in the wiki? The three that I only know are:

http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration
http://wiki.squid-cache.org/Features/Tproxy4

I have followed the steps of the last one. Is it possible that I am confused and Squid is not able to cache if is working with TProxy?

Thank you in advance.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660274.html
Re: [squid-users] Re: TPROXY
From: alvarogp alvarix...@gmail.com
To: squid-users@squid-cache.org
Sent: Tuesday, 28 May 2013 1:28 PM
Subject: [squid-users] Re: TPROXY

> alvarogp wrote
>> Hello,
>>
>> I have the next configuration:
>> - Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
>> - IPtables 1.4.12
>> - Squid 3.3.4 with Tproxy
>>
>> With Iptables I have configured the proxy to forward the traffic from the local LAN (eth0) to the outside world (eth1). The configuration is:
>>
>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>> iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> To configure and install Tproxy I have followed the tutorial described in the wiki:
>>
>> ./configure --enable-linux-netfilter
>>
>> net.ipv4.ip_forward = 1
>> net.ipv4.conf.default.rp_filter = 0
>> net.ipv4.conf.all.rp_filter = 0
>> net.ipv4.conf.eth0.rp_filter = 0
>>
>> iptables -t mangle -N DIVERT
>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>> iptables -t mangle -A DIVERT -j ACCEPT
>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>
>> For squid.conf, I have maintained the configuration by default adding to it:
>>
>> http_port 3128
>> http_port 3129 tproxy
>>
>> If Squid is running, the packets from the local LAN are routed correctly and the web pages are showed perfectly. The problem I have is that this accesses are not reflected in the access.log and cache.log, so could be possible that squid is not caching any cacheable content?

I have had exact same problem when I was trying TPROXY with similar configuration.

Squid would route packets but not LOG anything in access log.

If I stop squid then clients can't access any website. (This indicates that packets are indeed routing through squid.)

I gave up later on. I might give it a try again after few days.

Amm.
Re: [squid-users] Re: TPROXY
On 28/05/2013 8:11 p.m., Amm wrote:
> From: alvarogp alvarix...@gmail.com
> To: squid-users@squid-cache.org
> Sent: Tuesday, 28 May 2013 1:28 PM
> Subject: [squid-users] Re: TPROXY
>
>> alvarogp wrote
>>> Hello,
>>>
>>> I have the next configuration:
>>> - Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
>>> - IPtables 1.4.12
>>> - Squid 3.3.4 with Tproxy
>>>
>>> With Iptables I have configured the proxy to forward the traffic from the local LAN (eth0) to the outside world (eth1). The configuration is:
>>>
>>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>> iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>
>>> To configure and install Tproxy I have followed the tutorial described in the wiki:
>>>
>>> ./configure --enable-linux-netfilter
>>>
>>> net.ipv4.ip_forward = 1
>>> net.ipv4.conf.default.rp_filter = 0
>>> net.ipv4.conf.all.rp_filter = 0
>>> net.ipv4.conf.eth0.rp_filter = 0
>>>
>>> iptables -t mangle -N DIVERT
>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>> iptables -t mangle -A DIVERT -j ACCEPT
>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>
>>> For squid.conf, I have maintained the configuration by default adding to it:
>>>
>>> http_port 3128
>>> http_port 3129 tproxy
>>>
>>> If Squid is running, the packets from the local LAN are routed correctly and the web pages are showed perfectly. The problem I have is that this accesses are not reflected in the access.log and cache.log, so could be possible that squid is not caching any cacheable content?
>
> I have had exact same problem when I was trying TPROXY with similar configuration.
>
> Squid would route packets but not LOG anything in access log.
>
> If I stop squid then clients can't access any website. (This indicates that packets are indeed routing through squid.)

access.log would indicate that none of them are actually making it to the Squid process.

Perhaps the Ubuntu kernel version has a bug which makes the packets work when *some* process is listening on the required port, but the packets actually not getting there.

Or perhaps TCP packets are sending the HTTP request through Squid and Squid relaying it but the response not going back to Squid (direct back to client). In that event Squid would wait for some time (read/write timeouts are 15 minutes long) before logging the failed HTTP transaction. That could be caused by some bad configuration on a router outside of the Squid machine.

Amos
[squid-users] Re: TPROXY
Amos Jeffries-2 wrote
> On 28/05/2013 8:11 p.m., Amm wrote:
>> From: alvarogp <alvarix.gp@>
>> To: squid-users@
>> Sent: Tuesday, 28 May 2013 1:28 PM
>> Subject: [squid-users] Re: TPROXY
>>
>>> alvarogp wrote
>>>> Hello,
>>>>
>>>> I have the next configuration:
>>>> - Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
>>>> - IPtables 1.4.12
>>>> - Squid 3.3.4 with Tproxy
>>>>
>>>> With Iptables I have configured the proxy to forward the traffic from the local LAN (eth0) to the outside world (eth1). The configuration is:
>>>>
>>>> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>>>> iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
>>>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>>>
>>>> To configure and install Tproxy I have followed the tutorial described in the wiki:
>>>>
>>>> ./configure --enable-linux-netfilter
>>>>
>>>> net.ipv4.ip_forward = 1
>>>> net.ipv4.conf.default.rp_filter = 0
>>>> net.ipv4.conf.all.rp_filter = 0
>>>> net.ipv4.conf.eth0.rp_filter = 0
>>>>
>>>> iptables -t mangle -N DIVERT
>>>> iptables -t mangle -A DIVERT -j MARK --set-mark 1
>>>> iptables -t mangle -A DIVERT -j ACCEPT
>>>> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>>>> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
>>>>
>>>> For squid.conf, I have maintained the configuration by default adding to it:
>>>>
>>>> http_port 3128
>>>> http_port 3129 tproxy
>>>>
>>>> If Squid is running, the packets from the local LAN are routed correctly and the web pages are showed perfectly. The problem I have is that this accesses are not reflected in the access.log and cache.log, so could be possible that squid is not caching any cacheable content?
>>
>> I have had exact same problem when I was trying TPROXY with similar configuration.
>>
>> Squid would route packets but not LOG anything in access log.
>>
>> If I stop squid then clients can't access any website. (This indicates that packets are indeed routing through squid.)
>
> access.log would indicate that none of them are actually making it to the Squid process.
>
> Perhaps the Ubuntu kernel version has a bug which makes the packets work when *some* process is listening on the required port, but the packets actually not getting there.
>
> Or perhaps TCP packets are sending the HTTP request through Squid and Squid relaying it but the response not going back to Squid (direct back to client). In that event Squid would wait for some time (read/write timeouts are 15 minutes long) before logging the failed HTTP transaction. That could be caused by some bad configuration on a router outside of the Squid machine.
>
> Amos

Thank you Amos, I will try with other configuration in that case.

Alvaro

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660279.html
Re: [squid-users] Re: TPROXY
From: Amos Jeffries squ...@treenet.co.nz
To: squid-users@squid-cache.org
Sent: Tuesday, 28 May 2013 4:15 PM
Subject: Re: [squid-users] Re: TPROXY

> On 28/05/2013 8:11 p.m., Amm wrote:
>> From: alvarogp alvarix...@gmail.com
>> To: squid-users@squid-cache.org
>> Sent: Tuesday, 28 May 2013 1:28 PM
>> Subject: [squid-users] Re: TPROXY
>>
>>> alvarogp wrote:
>>>> If Squid is running, the packets from the local LAN are routed correctly and the web pages are showed perfectly. The problem I have is that this accesses are not reflected in the access.log and cache.log, so could be possible that squid is not caching any cacheable content?
>>
>> I have had exact same problem when I was trying TPROXY with similar configuration.
>>
>> Squid would route packets but not LOG anything in access log.
>>
>> If I stop squid then clients can't access any website. (This indicates that packets are indeed routing through squid.)
>
> access.log would indicate that none of them are actually making it to the Squid process.
>
> Perhaps the Ubuntu kernel version has a bug which makes the packets work when *some* process is listening on the required port, but the packets actually not getting there.

Actually I had tried on Fedora 16 kernel version is 3.6.X. So now this bug is in Ubuntu as well as Fedora?

Don't remember squid version but it was 3.2 series.

> Or perhaps TCP packets are sending the HTTP request through Squid and Squid relaying it but the response not going back to Squid (direct back to client). In that event Squid would wait for some time (read/write timeouts are 15 minutes long) before logging the failed HTTP transaction. That could be caused by some bad configuration on a router outside of the Squid machine.

Maybe, I don't know what was happening. As I didn't give it much thought that time.

I will try again this week end and report back. This time I will wait for 15 minutes.

Thanks

Amm.
[squid-users] Re: TPROXY
Hello,

I have the next configuration:
- Ubuntu 12.04 with 2 interfaces eth0 (local) and eth1 (internet access)
- IPtables 1.4.12
- Squid 3.3.4 with Tproxy

With Iptables I have configured the proxy to forward the traffic from the local LAN (eth0) to the outside world (eth1). The configuration is:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

To configure and install Tproxy I have followed the tutorial described in the wiki:

./configure --enable-linux-netfilter

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

For squid.conf, I have maintained the configuration by default adding to it:

http_port 3128
http_port 3129 tproxy

If Squid is running, the packets from the local LAN are routed correctly and the web pages are showed perfectly. The problem I have is that this accesses are not reflected in the access.log and cache.log, so could be possible that squid is not caching any cacheable content?

I read one other post from a guy who had a very similar problem:
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-TPROXY-and-empty-access-log-td1036667.html

If I do the same that him specifying in the user's browser the proxy, activity (ABORTED request for each web I have tried to access) is reflected in access.log. The time out expires and the local LAN users cannot access to Internet.

All the information needed please tell me.

Thank you in advance,
Alvaro

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TPROXY-tp4658393p4660211.html
[squid-users] Re: tproxy and disable-pmtu-discovery=always
I have kernel 3.5.0-25 so there is no need disable-pmtu-discovery=always in tproxy port? Is it 100% safe? Please explain more.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/tproxy-and-disable-pmtu-discovery-always-tp3753485p4658810.html
Re: [squid-users] Re: tproxy and disable-pmtu-discovery=always
On 3/03/2013 9:40 p.m., Omid Kosari wrote:
> I have kernel 3.5.0-25 so there is no need disable-pmtu-discovery=always in tproxy port? Is it 100% safe? Please explain more.

Nothing is that safe. Even breathing. All humans suffer from oxygen poisoning.

Please enquire of the netfilter mailing list for more on ICMP and TPROXY. I am aware they fixed several ICMP related issues found in the early TPROXY kernels. Whether there is any outstanding issues is not clear.

Amos
[squid-users] Re: TPROXY Configuration
Please, ignore this post. I found I need to add more configuration as in
http://wiki.squid-cache.org/ConfigExamples/UbuntuTproxy4Wccp2#Linux_and_Squid_Configuration

On Wed, Feb 6, 2013 at 9:27 AM, Roman Gelfand rgelfa...@gmail.com wrote:
> I have configured the tproxy as follows, but it appears packets are not hitting squid. Please note, the wccp configuration on the router is already working with squid http_port transparent configuration and, obviously, different iptables configuration. Any help is appreciated.
>
> Thanks in advance.
>
> squid.conf
> ---
> http_port 3228 tproxy
> https_port 3229 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/certs/domain.crt key=/etc/ssl/private/domain.key
>
> # FortiGate interface of wccp
> wccp2_router 192.168.5.1
> wccp2_service dynamic 90
> wccp2_service_info 90 protocol=tcp flags=src_ip_hash priority=240 ports=80,443
> wccp2_service dynamic 95
> wccp2_service_info 95 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80,443
> # tunneling method GRE for forward traffic
> wccp2_forwarding_method 1
> # tunneling method GRE for return traffic
> wccp2_return_method 1
> # Assignment method (default), only relevant if multiple caches used
> wccp2_assignment_method 1
> # wccp weight (default), only relevant if multiple caches used
> wccp2_weight 1
> # which interface to use for WCCP (0.0.0.0 determines the interface from routing)
> wccp2_address 0.0.0.0
>
> rc.local
> ---
> modprobe ip_gre
> modprobe ip_tables
> modprobe x_tables
> ip tunnel add wccp0 mode gre remote 192.168.5.1 local 192.168.5.21 dev eth0
> ip addr add 192.168.5.21/32 dev wccp0
> ip link set wccp0 up
> # Route to send the content back to the GRE tunnel
> route add -net {wan interface ip} netmask 255.255.255.255 dev wccp0
> # Disabling reverse path filtering and enable routing in the kernel
> echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
> echo 1 > /proc/sys/net/ipv4/ip_forward
> # Setup the redirection of traffic from the GRE tunnel to squid port 3128
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3228
> iptables -t mangle -A PREROUTING -i wccp0 -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3229
> exit 0
[squid-users] Re: Tproxy + wccp + tcp_outgoing_address
Sun 2009-04-19 at 03:52 -0400, Vivek wrote:
> I have configured two squid servers in tproxy+wccp mode and its working fine. I am using squid 2.7 (ctt proxy) and gre tunnel.
>
> Browsing is very slow compare than normal tproxy+bridge mode. I assume the problem is both incoming and outgoing traffic passed via eth0 (Gigabit Ethernet).

I kind of doubt you have more than 900Mbps of traffic.

> I have an idea to use eth1 interface and change the tcp_outgoing_address from eth0 ip to eth1 ip.

Won't help. The problem is something else.

> Is it possible?

Of course, but it's not as simple as tcp_outgoing_address.

> . or any other way to avoid this bottleneck

First step is to identify the cause to the bottleneck.

1. How is the performance if you configure the browser to use the proxy?
2. Have you verified cabling, switch negotiation etc?

Regards
Henrik
[squid-users] Re: Tproxy + wccp + tcp_outgoing_address
Henrik,

Thanks for your reply. I will check all the things you had mention. Get you back to you if I need. Thanks again for your reply.

Regards
Vivek

-----Original Message-----
From: Henrik Nordstrom hen...@henriknordstrom.net
To: Vivek vivek...@aol.in
Cc: squid-users@squid-cache.org
Sent: Sun, 19 Apr 2009 1:42 pm
Subject: Re: Tproxy + wccp + tcp_outgoing_address

Sun 2009-04-19 at 03:52 -0400, Vivek wrote:
> I have configured two squid servers in tproxy+wccp mode and its working fine. I am using squid 2.7 (ctt proxy) and gre tunnel.
>
> Browsing is very slow compare than normal tproxy+bridge mode. I assume the problem is both incoming and outgoing traffic passed via eth0 (Gigabit Ethernet).

I kind of doubt you have more than 900Mbps of traffic.

> I have an idea to use eth1 interface and change the tcp_outgoing_address from eth0 ip to eth1 ip.

Won't help. The problem is something else.

> Is it possible?

Of course, but it's not as simple as tcp_outgoing_address.

> . or any other way to avoid this bottleneck

First step is to identify the cause to the bottleneck.

1. How is the performance if you configure the browser to use the proxy?
2. Have you verified cabling, switch negotiation etc?

Regards
Henrik