RE: [squid-users] Problems with interception cache on Solaris

From: Joe Kattner <[email protected]>
Date: Tue, 6 Nov 2001 09:27:22 -0500

Thanks Henrik,

The test you gave started working, in that it was generating squid error
pages on the telnet session, from a host on the same segment, but it still
was not intercepting (no hits in the squid log) for any other hosts.

The problem was on the Cisco 6509. We were using rpf on the vlan interface.
So, for anyone else having these problems, you need to have 'ip verify
unicast reverse-path' off for it to work properly.

Thanks again for the help!

--Joe

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Saturday, November 03, 2001 5:16 AM
To: Joe Kattner
Cc: 'squid-users@squid-cache.org'
Subject: Re: [squid-users] Problems with interception cache on Solaris

I can't see any obvious errors.

I would suggest you start by verifying the netfilter operation.
Configure a host on the same lan segment as the proxy with a host route
for 192.168.0.1 via the proxy server, then
telnet 192.168.0.1 80
ENTER SOME JUNK

If the above gives you a Squid error page then the interception is
working just fine.

Hmm.. thinking. Maybe you need to enable IP-forwarding for ipfilter to
work properly.

Regards
Henrik Nordström
Squid Hacker

Joe Kattner wrote:
>
> Hello All,
>
> Need some help setting up an interception cache. Everything is set up as
> below, the requests are getting from the network to ipfilter on the squid
> server, but they're not making it to squid, or squid isn't doing anything
> with them.
>
> There is no problem with communication from the squid server outbound, and
> have reverted back to using a regular cache, which is working fine.
>
> Thanks, any help is greatly appreciated!
>
> --Joe
>
> bash-2.03# uname -a
> SunOS cdptproxy 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-2
>
> bash-2.03# /usr/local/squid/bin/squid -v
> Squid Cache: Version 2.4.STABLE2
> Built with: ./configure --prefix=/usr/local/squid --enable-ipf-transparent
> --enable-storeio=diskd,ufs
>
> Configured ipfilter 3.4.21 on the server:
> # Redirect direct web traffic to local web server.
> rdr hme0 24.48.58.222/32 port 80 -> 24.48.58.222 port 80 tcp
> # Redirect everything else to squid on port 3128
> rdr hme0 0.0.0.0/0 port 80 -> 24.48.58.222 port 3128 tcp
>
> bash-2.03# /sbin/ipnat -f /etc/ipnat.rules
>
> bash-2.03# ls -al /devices/pseudo/ipf@0:ipnat
> crw-r--r-- 1 root squid 65, 1 Nov 1 22:19
> /devices/pseudo/ipf@0:ipnat
>
> bash-2.03# /sbin/ipnat -l
> List of active MAP/Redirect filters:
> rdr hme0 24.48.58.222/32 port 80 -> 24.48.58.222 port 80 tcp
> rdr hme0 0.0.0.0/0 port 80 -> 24.48.58.222 port 3128 tcp
>
> List of active sessions:
>
> Using a policy map on the router to point to the proxy server:
> Cisco Internetwork Operating System Software
> IOS (tm) MSFC Software (C6MSFC-JSV-M), Version 12.1(5a)E, EARLY DEPLOYMENT
> RELEASE SOFTWARE (fc1)
>
> route-map proxy-redirect permit 20
> match ip address redirects
> set ip next-hop 24.48.58.222
>
> ip access-list extended redirects
> deny tcp host 24.48.58.222 any eq www
> permit tcp any any eq www
>
> Configured squid per the faq:
>
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
Received on Tue Nov 06 2001 - 07:26:53 MST
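
Why the reverse-path check breaks interception, as an added example that is not part of the original thread: with the `rdr` rule, ipnat restores the origin server's address as the source of Squid's replies, so they reach the router on the proxy's VLAN with a source the router routes elsewhere, and a strict reverse-path check drops them. The interface names, the /24 and client prefixes, and the client and origin addresses are assumptions; only 24.48.58.222 comes from the post.

```python
import ipaddress

# Constructed router table: (prefix, interface the prefix is reached through).
# Interface names and all prefixes are assumptions made for this example.
ROUTES = [
    ("0.0.0.0/0", "uplink"),
    ("24.48.58.0/24", "Vlan10"),   # proxy segment (assumed /24)
    ("10.1.0.0/16", "Vlan20"),     # client segment (assumed)
]
PROXY = "24.48.58.222"    # proxy address from the post
CLIENT = "10.1.0.5"       # constructed client
ORIGIN = "203.0.113.80"   # constructed origin web server

def best_route(addr, routes=ROUTES):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    matches = [(n, ifc) for n, ifc in nets if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def strict_urpf_pass(src, ingress, routes=ROUTES):
    """Strict reverse-path check: the route back to src must use ingress."""
    return best_route(src, routes) == ingress

def trace(urpf_on_proxy_vlan):
    """Router verdict for each packet of one intercepted HTTP exchange."""
    packets = [
        # (description, source address on the wire, router ingress interface)
        ("client request to origin", CLIENT, "Vlan20"),
        ("proxy fetch to origin", PROXY, "Vlan10"),
        # ipnat rewrites Squid's reply so it appears to come from the origin.
        ("proxy reply as origin", ORIGIN, "Vlan10"),
    ]
    checked = {"Vlan10"} if urpf_on_proxy_vlan else set()
    verdicts = {}
    for name, src, ingress in packets:
        ok = ingress not in checked or strict_urpf_pass(src, ingress)
        verdicts[name] = "forward" if ok else "drop"
    return verdicts

if __name__ == "__main__":
    for enabled in (True, False):
        print("reverse-path check on Vlan10:", enabled, trace(enabled))
```

A test host on the proxy's own segment never sends its replies through the router, which matches the test working there while other hosts saw nothing.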
