RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with Yahoo/Hotmail login

From: Doron Shmaryahu <[email protected]>
Date: Mon, 17 Nov 2003 12:39:28 +0200

Hi,

Had the same problem with WCCP/FreeBSD. I use route maps now and all is
working 100%. It apparently has to do with the IOS version you use.

I spoke to the guys at cacheflow as I tested their product and they gave
me that answer. There is also a white paper on their site explaining
this problem. I have not changed the IOS yet so can't tell you if it
works or not.

Doron

-----Original Message-----
From: Clive Cleland [mailto:clivec@ipconnect.com.au]
Sent: 16 November 2003 03:50 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with
Yahoo/Hotmail login

Raphael

Try setting MSS = 1400 for TCP connections from your clients (use this
number if your normal MSS is 1500/1476). This is done on the squid
server, not the client machines, as it is negotiated during TCP
connection setup.

Under iptables, it is done using the following command:
        -A OUTPUT -d 1.2.3.0/24 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

I'm sorry I can't help with FreeBSD/ipfw. If you use 'ip route' to
set up routing, I believe it can also be done on a per-route basis.

The problem is that some sites use very large cookies. When the HTTP
request exceeds the size of one packet, the addition of the GRE header
makes the first packet too large, so it is dropped by the WCCP router.

By telling clients to limit their packet size, the addition of the GRE
overhead still results in legal packets. The smaller size should make
negligible difference in network performance, but perhaps you can tune
this to your needs? Also, you might be able to further restrict this to
just port 80 traffic?

Hopefully this at least gives you somewhere to look.

Clive
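Added example, not from the thread or from Squid: a small model of the failure Clive describes, showing why a request that spans more than one segment is dropped once WCCP wraps it in GRE, and why a clamped MSS keeps every encapsulated packet within the MTU. Header sizes (20-byte IPv4, 20-byte TCP, 4-byte GRE), the 1500-byte MTU and the sample request are assumptions.

```python
# Assumed header sizes (bytes); GRE without checksum/key fields.
IP_HDR = 20
TCP_HDR = 20
GRE_HDR = 4
MTU = 1500


def default_mss(mtu=MTU):
    """MSS a host derives from its MTU (IP and TCP headers removed)."""
    return mtu - IP_HDR - TCP_HDR


def segments(request_len, mss):
    """Split a request of request_len bytes into TCP payload sizes."""
    sizes = []
    while request_len > 0:
        take = min(mss, request_len)
        sizes.append(take)
        request_len -= take
    return sizes


def encapsulated_size(payload_len):
    """On-the-wire size after the router adds an outer IP and GRE header."""
    return IP_HDR + GRE_HDR + IP_HDR + TCP_HDR + payload_len


def dropped_packets(request_len, mss, mtu=MTU):
    """Sizes of the GRE-encapsulated packets that exceed the MTU (dropped)."""
    return [encapsulated_size(p) for p in segments(request_len, mss)
            if encapsulated_size(p) > mtu]


def max_safe_mss(mtu=MTU):
    """Largest MSS whose full segment still fits the MTU after encapsulation."""
    return mtu - (IP_HDR + GRE_HDR + IP_HDR + TCP_HDR)


def build_request(cookie_len):
    """Constructed sample GET carrying a cookie of cookie_len bytes."""
    cookie = "session=" + "x" * cookie_len
    return ("GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


if __name__ == "__main__":
    for name, req in (("small cookie", build_request(200)),
                      ("large cookie", build_request(3000))):
        print(name, len(req), "bytes")
        print("  default MSS dropped:", dropped_packets(len(req), default_mss()))
        print("  MSS 1400 dropped:   ", dropped_packets(len(req), 1400))
    print("largest MSS that survives GRE:", max_safe_mss())
```

With these assumptions a 3065-byte request at the default MSS of 1460 produces two 1524-byte encapsulated packets that exceed the MTU, while the same request at MSS 1400 produces none.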

-----Original Message-----
From: Raphael Maseko [mailto:ralph@zamnet.zm]
Sent: Sunday, 16 November 2003 4:02 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Transparent Proxy on FreeBSD 4.9 problem with
Yahoo/Hotmail login

Hi Fellow Listers,

I have been running squid-2.5.STABLE4 with transparent proxying using
WCCP V1 on FreeBSD 4.6.2 without any problems.

I have now installed the same version on FreeBSD 4.9.

Unlike in the previous version where I had to apply patches and hacks to
get the gre packets stripped by my BSD box, I used the "pseudo-device
gre" option in the kernel and set up the tunnel using the following:

ifconfig gre0 create
ifconfig gre0 My_Squid_IP 10.20.30.1 netmask 255.255.255.255 link1 tunnel My_Squid_IP My_Router_IP up

and the following IPFW rules:

ipfw add 49 allow tcp from My_Squid_IP to any
ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

(The ipfw is set to default to accept)

Here is a sample from the ipfw -a sh command:

00049 29586 2886034 allow tcp from My_Squid_IP to any
00050 29592 2493277 fwd 127.0.0.1,3128 tcp from any to any 80 in recv gre0
65535 101631 65282581 allow ip from any to any

The transparent proxy is working fine except when it comes to logging
into sites like yahoo and hotmail and reading webmail. The main page is
accessed but stalls and eventually fails on authentication.

I suspect that this has something to do with the gre tunnel and the way
packets that are not supposed to be cached are being treated.

Has anyone run into this problem and if so how did you deal with it?
Please help.

Thanks in advance.

Ralph
Received on Mon Nov 17 2003 - 03:33:02 MST
