Linux – Squid 3 – Tproxy – WCCP – Cisco
Written by vaheeD on December 24, 2012
Squid-3.1
```bash
cd /usr/src
wget -c http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.15.tar.gz
tar xf squid-3.1.15.tar.gz
cd squid-3.1.15
ulimit -HSn 16384
ulimit -HSd unlimited
./configure \
  --prefix=/usr/local/squid \
  --enable-forward-log \
  --enable-follow-x-forwarded-for \
  --enable-snmp \
  --enable-linux-netfilter \
  --enable-http-violations \
  --enable-delay-pools \
  --enable-storeio=diskd,aufs,ufs \
  --with-large-files \
  --enable-large-cache-files \
  --with-filedescriptors=16384 \
  --enable-async-io=128 \
  --enable-removal-policies=lru,heap \
  --enable-useragent-log \
  --enable-referer-log \
  --enable-err-languages=English \
  --enable-default-err-language=English \
  --enable-zph-qos \
  --enable-icap-client \
  && make && make install
cp /usr/local/squid/etc/squid.conf{,.bak}
```
/usr/local/squid/etc/squid.conf
```
# Minimum ACL configuration
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Protect innocent web applications running on the
# proxy server who think the only one who can access
# services on "localhost" is a local user
http_access deny to_localhost

# Clients access rules
acl localnet src 192.168.123.240/28 192.168.84.0/28
http_access allow localnet
http_access allow localhost

# Finally deny all other access to this proxy
http_access deny all

# Deny all ICP requests to this proxy
icp_access deny all

# Deny all HTCP requests to this proxy
htcp_access deny all

# Squid normal listener
#http_port 3128
http_port 3128 tcpkeepalive=60,10,6

# TPROXY spoof listener
#http_port 3129 tproxy
http_port 3129 tproxy tcpkeepalive=60,10,6 disable-pmtu-discovery=transparent

# Override /etc/resolv.conf
#dns_nameservers 8.8.8.8

# Protect dynamic content
hierarchy_stoplist cgi-bin ? dll aspx

# Cache memory should be at most half of RAM size in MB
cache_mem 11264 MB

# These objects should be kept in memory
maximum_object_size_in_memory 40 KB

# Which objects are replaced when memory space is needed
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

# Disk swap directories
cache_dir aufs /cache/1 122880 512 2048
cache_dir aufs /cache/2 122880 512 2048
cache_dir aufs /cache/3 122880 512 2048
cache_dir aufs /cache/4 122880 512 2048

# These objects should be kept on hard disk
maximum_object_size 65536 KB

# Water marks for cache object replacement
cache_swap_high 95
cache_swap_low 93

# Logfile format
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt

# Access log address
access_log /usr/local/squid/var/logs/access.log squid

# Number of old logfiles
logfile_rotate 0

# Watchdog configs
#acl watchdog src 192.168.0.17
#log_access deny watchdog

# Leave coredumps in the first cache dir
coredump_dir /cache/1

# Continue downloading after a client abort
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 98

# Time-to-Live for failed requests
negative_ttl 3 minutes

# How long to cache positive DNS responses
positive_dns_ttl 1 hours

# Maximum size for HTTP headers
request_header_max_size 100 KB

# Shutdown pending time
shutdown_lifetime 15 seconds

# Administrator
cache_mgr [email protected]

# Hostname
visible_hostname CacheServer

# Don't show version in error pages
httpd_suppress_version_string on

# Custom error pages
#error_directory /usr/local/squid/share/errors/mine/

# SNMP settings for MRTG access
acl mrtg src 127.0.0.1 # 192.168.0.17
acl snmppublic snmp_community public
snmp_access allow snmppublic mrtg
snmp_access deny all
snmp_port 3401

# Inter Cache Communication Protocol
icp_port 0

# Hyper Text Caching Protocol discovery
htcp_port 0

# Water marks for the IP cache
ipcache_size 40960
ipcache_high 95
ipcache_low 90

# Parallel requests from a pipeline.
pipeline_prefetch on

# Close immediately half-closed connections
half_closed_clients off

# Transparent Headers
forwarded_for transparent
via off

# Mark HIT packets
qos_flows local-hit=0x30

# Purge: squidclient -m PURGE http://www.google.com
# (http_access is first-match, so these two lines sit behind the
#  "deny all" above; PURGE from localhost is already allowed there)
acl purge method PURGE
http_access allow purge localhost
http_access deny purge

# Web Services workaround
ignore_expect_100 on

# Maximum connection limit of single client IP
#client_ip_max_connections -1

# eCAP Gzip (UNSTABLE)
#ecap_enable on
#ecap_service gzip_service respmod_precache 0 ecap://www.vigos.com/ecap_gzip
#loadable_modules /usr/local/lib/ecap_adapter_gzip.so
#acl GZIP_HTTP_STATUS http_status 200
#adaptation_access gzip_service allow GZIP_HTTP_STATUS

# WCCPv2: service 80 catches client->server traffic (dst port 80),
# service 90 catches the server->client return traffic (src port 80)
# so that TPROXY sees both directions of each spoofed connection
wccp2_router 172.16.106.233
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service dynamic 80
wccp2_service_info 80 protocol=tcp flags=src_ip_hash priority=240 ports=80
wccp2_service dynamic 90
wccp2_service_info 90 protocol=tcp flags=dst_ip_hash,ports_source priority=240 ports=80

# Refresh patterns (refresh-ims)
# Image files
refresh_pattern -i \.png$ 10080 90% 43200
refresh_pattern -i \.gif$ 10080 90% 43200
refresh_pattern -i \.jpg$ 10080 90% 43200
refresh_pattern -i \.jpeg$ 10080 90% 43200
refresh_pattern -i \.bmp$ 10080 90% 43200
refresh_pattern -i \.tif$ 10080 90% 43200
refresh_pattern -i \.tiff$ 10080 90% 43200
# Compressed files
refresh_pattern -i \.zip$ 10080 90% 43200
refresh_pattern -i \.rar$ 10080 90% 43200
refresh_pattern -i \.tar$ 10080 90% 43200
refresh_pattern -i \.gz$ 10080 90% 43200
refresh_pattern -i \.tgz$ 10080 90% 43200
refresh_pattern -i \.z$ 10080 90% 43200
refresh_pattern -i \.arj$ 10080 90% 43200
refresh_pattern -i \.lha$ 10080 90% 43200
refresh_pattern -i \.lzh$ 10080 90% 43200
# Binary files
refresh_pattern -i \.exe$ 10080 90% 43200
refresh_pattern -i \.msi$ 10080 90% 43200
# Multimedia files
refresh_pattern -i \.mp3$ 10080 90% 43200
refresh_pattern -i \.wav$ 10080 90% 43200
refresh_pattern -i \.mid$ 10080 90% 43200
refresh_pattern -i \.midi$ 10080 90% 43200
refresh_pattern -i \.ram$ 10080 90% 43200
refresh_pattern -i \.ra$ 10080 90% 43200
refresh_pattern -i \.mov$ 10080 90% 43200
refresh_pattern -i \.avi$ 10080 90% 43200
refresh_pattern -i \.wmv$ 10080 90% 43200
refresh_pattern -i \.mpg$ 10080 90% 43200
refresh_pattern -i \.mpeg$ 10080 90% 43200
refresh_pattern -i \.swf$ 10080 90% 43200
# Document files
refresh_pattern -i \.pdf$ 10080 90% 43200
refresh_pattern -i \.ps$ 10080 90% 43200
refresh_pattern -i \.doc$ 10080 90% 43200
refresh_pattern -i \.ppt$ 10080 90% 43200
refresh_pattern -i \.pps$ 10080 90% 43200
# Default patterns
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
```
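The custom logformat above is what every monitoring or forensic job on this box has to read, and with TPROXY the `%>a` field carries the real client address, so it is also where you spot hosts outside `localnet` that still reach the listener. The parser below is an added example, not code from the post: it tokenises the page's field order, skips malformed lines, and reports hit ratio, denials per client and any client address not covered by the page's `acl localnet`. The log lines are constructed samples.

```python
import ipaddress
from collections import Counter

# Client subnets copied from the page's "acl localnet src ..." line
LOCALNET = [ipaddress.ip_network(n) for n in ("192.168.123.240/28", "192.168.84.0/28")]

# Field order of the page's logformat:
#   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %un %Sh/%<A %mt
# (%6tr pads with spaces, so whitespace splitting is the right tokenizer)
FIELDS = ("time", "duration_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "mime")

# Constructed sample lines, not real log data
SAMPLE_LOG = """\
1356300000.123    245 192.168.123.241 TCP_MISS/200 5123 GET http://example.com/index.html - DIRECT/93.184.216.34 text/html
1356300001.456     12 192.168.123.242 TCP_HIT/200 40012 GET http://example.com/logo.png - NONE/- image/png
1356300002.789      0 192.168.84.3 TCP_DENIED/403 1020 CONNECT mail.example.net:25 - HIER_NONE/- text/html
1356300003.001      0 10.0.0.9 TCP_DENIED/403 3880 GET http://example.org/ - HIER_NONE/- text/html
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one access.log line into a dict; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = float(rec["time"])
        rec["duration_ms"] = int(rec["duration_ms"])
        rec["bytes"] = int(rec["bytes"])
        code, _, status = rec["result"].partition("/")
        rec["http_status"] = int(status)
    except ValueError:
        return None
    rec["squid_code"] = code
    rec["hier_code"], _, rec["peer"] = rec["hierarchy"].partition("/")
    return rec


def in_localnet(addr):
    """True if the client address falls inside one of the localnet subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCALNET)


def summarize(text):
    """Hit ratio, denials per client and clients outside localnet for a block of log text."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    hits = sum(1 for r in recs if "HIT" in r["squid_code"])   # TCP_HIT, TCP_MEM_HIT, ...
    denied = [r for r in recs if r["squid_code"] == "TCP_DENIED"]
    return {
        "requests": len(recs),
        "hit_ratio": hits / len(recs) if recs else 0.0,
        "bytes_served": sum(r["bytes"] for r in recs),
        "denied_by_client": dict(Counter(r["client"] for r in denied)),
        "outside_localnet": sorted({r["client"] for r in recs if not in_localnet(r["client"])}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real file with `summarize(open("/usr/local/squid/var/logs/access.log").read())`; a non-empty `outside_localnet` list means the TPROXY rule in rc.local is catching traffic from subnets the router's redirect-list was not meant to send here.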
/etc/rc.d/rc.squid
```bash
#!/bin/bash
#
# /etc/rc.d/rc.squid
#
PIDFILE="/usr/local/squid/var/run/squid.pid"
TIMEOUT=60

start() {
  echo -n 'Starting TPROXY Squid . . . '
  # Remove a stale pid file if no squid process is running
  PROCESS=$(ps -A | egrep ' squid$')
  if [ "$PROCESS" == "" ]; then
    if [ -f ${PIDFILE} ] ; then
      rm ${PIDFILE}
    fi
  fi
  ulimit -HSn 16384
  ulimit -HSd unlimited
  /usr/local/squid/sbin/squid
  echo "Ok"
}

stop() {
  echo 'Stopping TPROXY Squid'
  /usr/local/squid/sbin/squid -k shutdown
  # Wait up to TIMEOUT seconds for the process to exit
  TIME=0
  while [ "$TIME" != "$TIMEOUT" ] ; do
    TIME=$(( $TIME + 1 ))
    echo -n $TIME
    if [ "$(pgrep '^squid$')" == "" ]; then
      if [ -f ${PIDFILE} ] ; then
        rm ${PIDFILE}
      fi
      break
    else
      echo -n "."
    fi
    sleep 1
  done
  killall squid &> /dev/null
  killall squid &> /dev/null
  killall squid &> /dev/null
  echo ".Ok"
}

case "$1" in
  'start')
    start
    ;;
  'stop')
    stop
    ;;
  'restart')
    stop
    start
    ;;
  'rotate')
    echo -n 'Rotating TPROXY Squid log files . . . '
    /usr/local/squid/sbin/squid -k rotate
    echo "Ok"
    ;;
  *)
    echo "usage $0 start|stop|restart|rotate"
    ;;
esac
```
/root/scripts/vlan.sh
```bash
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"

# vlan config
ifconfig eth0 0.0.0.0 up
vconfig add eth0 976
ifconfig eth0.976 172.16.106.234 netmask 255.255.255.248
route add default gw 172.16.106.233
```
/root/scripts/gre-tunnel.sh
```bash
#!/bin/bash
PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"

# Load NAT and GRE Modules
#for MOD in $(/usr/bin/find /lib/modules/$(uname -r)/kernel/net -name "*nat*"); do
#  /usr/bin/echo Loading $(/usr/bin/basename $MOD .ko)
#  /sbin/modprobe $(/usr/bin/basename $MOD .ko)
#done
#for MOD in $(/usr/bin/find /lib/modules/$(uname -r)/kernel/net -name "*_gre.ko"); do
#  /usr/bin/echo Loading $(/usr/bin/basename $MOD .ko)
#  /sbin/modprobe $(/usr/bin/basename $MOD .ko)
#done

# Make GRE Tunnel between cache and router
ROUTER=172.16.106.233
CACHE=172.16.106.234
modprobe ip_gre
ip link set eth0.976 mtu 1476
ip tunnel add wccp0 mode gre remote $ROUTER local $CACHE dev eth0.976
ip addr add $CACHE dev wccp0
ip link set wccp0 up
```
/etc/rc.d/rc.local
```bash
#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

/root/scripts/vlan.sh
/root/scripts/gre-tunnel.sh

# use less swap memory
echo 50 > /proc/sys/vm/swappiness

# tcp keep alive tuning
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 10 > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo 6 > /proc/sys/net/ipv4/tcp_keepalive_probes
echo 65000 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1024 65000 > /proc/sys/net/ipv4/ip_local_port_range
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 33554432 > /proc/sys/net/core/rmem_max
echo 33554432 > /proc/sys/net/core/wmem_max
echo 4096 87380 33554432 > /proc/sys/net/ipv4/tcp_rmem
echo 4096 87380 33554432 > /proc/sys/net/ipv4/tcp_wmem
echo 1 > /proc/sys/net/ipv4/tcp_no_metrics_save
echo 3000 > /proc/sys/net/core/netdev_max_backlog
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
# NOTE: the next two writes override tcp_keepalive_time (60) and
# tcp_timestamps (1) set above; the last write wins, so the box ends
# up with a 1800 s keepalive and timestamps off
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 256960 > /proc/sys/net/core/rmem_default
echo 256960 > /proc/sys/net/core/wmem_default
echo 524288 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle

# Start TPROXY Squid Cache Server:
if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid start
fi

# TPROXY Divert: packets that already belong to a local socket get mark 1;
# new port-80 connections are handed to the tproxy listener on port 3129
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129

# TPROXY Route: marked packets are delivered locally whatever their destination
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
```
/etc/rc.d/rc.local_shutdown
```bash
#!/bin/bash
# Stop TPROXY Squid Cache server:
if [ -x /etc/rc.d/rc.squid ]; then
  /etc/rc.d/rc.squid stop
fi
```
/etc/logrotate.d/squid
```
/usr/local/squid/var/logs/access.log {
    daily
    rotate 186
    start 1
    copytruncate
    compress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    compressoptions -sq9
    dateext
    notifempty
    missingok
}

/usr/local/squid/var/logs/cache.log /usr/local/squid/var/logs/store.log {
    daily
    rotate 31
    start 1
    copytruncate
    compress
    compresscmd /usr/bin/bzip2
    compressext .bz2
    compressoptions -sq9
    dateext
    notifempty
    missingok
    sharedscripts
    postrotate
        /usr/local/squid/sbin/squid -k rotate
    endscript
}
```
Partitions & memory
```
# cat /etc/fstab
/dev/cciss/c0d0p1  swap         swap      defaults         0 0
/dev/cciss/c0d0p2  /            reiserfs  defaults         1 1
/dev/cdrom         /mnt/cdrom   auto      noauto,owner,ro  0 0
/dev/fd0           /mnt/floppy  auto      noauto,owner     0 0
devpts             /dev/pts     devpts    gid=5,mode=620   0 0
proc               /proc        proc      defaults         0 0
tmpfs              /dev/shm     tmpfs     defaults         0 0
/dev/cciss/c0d0p5  /cache/1     reiserfs  noatime,notail   1 2
/dev/cciss/c0d0p6  /cache/2     reiserfs  noatime,notail   1 2
/dev/cciss/c0d0p7  /cache/3     reiserfs  noatime,notail   1 2
/dev/cciss/c0d0p8  /cache/4     reiserfs  noatime,notail   1 2

# df -h
Filesystem         Type      Size  Used Avail Use% Mounted on
/dev/root          reiserfs   21G  4.9G   16G  25% /
tmpfs              tmpfs      32G     0   32G   0% /dev/shm
/dev/cciss/c0d0p5  reiserfs  182G  200M  182G   1% /cache/1
/dev/cciss/c0d0p6  reiserfs  182G  200M  182G   1% /cache/2
/dev/cciss/c0d0p7  reiserfs  182G  200M  182G   1% /cache/3
/dev/cciss/c0d0p8  reiserfs  191G  200M  190G   1% /cache/4

# free -m
             total       used       free     shared    buffers     cached
Mem:         64448        345      64102          0         20        122
-/+ buffers/cache:        201      64246
Swap:        65538          0      65538
```
First time launch
```bash
mkdir /usr/local/squid/var/cache
mkdir -p /cache/{1,2,3,4}
chown -R nobody:nobody /cache
chown -R nobody:nobody /usr/local/squid/var/logs
chmod +x /etc/rc.d/rc.local_shutdown
chmod +x /root/scripts/vlan.sh
chmod +x /root/scripts/gre-tunnel.sh
chmod +x /etc/rc.d/rc.squid
/usr/local/squid/sbin/squid -z
/etc/rc.d/rc.squid start
```
Cisco Router 3845
```
# telnet 172.16.106.233
Trying 172.16.106.233...
Connected to 172.16.106.233.
Escape character is '^]'.

User Access Verification

Password:
router3845>enable
Password:
router3845#show version
Cisco IOS Software, 3800 Software (C3845-SPSERVICESK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 28-Oct-10 21:00 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T15, RELEASE SOFTWARE (fc1)

router3845 uptime is 19 hours, 17 minutes
System returned to ROM by power-on
System image file is "flash:c3845-spservicesk9-mz.150-1.M4.bin"
Last reload type: Normal Reload

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 3845 (revision 1.0) with 487423K/36864K bytes of memory.
Processor board ID FHK1504F0MJ
2 Gigabit Ethernet interfaces
DRAM configuration is 64 bits wide with parity enabled.
447K bytes of NVRAM.
126976K bytes of ATA System CompactFlash (Read/Write)

License Info:
License UDI:

-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO3845-MB          FOC14512NFP

Configuration register is 0x2142 (will be 0x2102 at next reload)

router3845#dir flash:
Directory of flash:/

    1  -rw-    56307576  Jan 21 2011 09:39:36 +00:00  c3845-spservicesk9-mz.150-1.M4.bin
    2  -rw-        2903  Jan 21 2011 09:49:14 +00:00  cpconfig-38xx.cfg
    3  -rw-     2938880  Jan 21 2011 09:49:26 +00:00  cpexpress.tar
    4  -rw-        1038  Jan 21 2011 09:49:32 +00:00  home.shtml
    5  -rw-      122880  Jan 21 2011 09:49:40 +00:00  home.tar
    6  -rw-      793739  Jan 21 2011 09:49:48 +00:00  256MB.sdf
    7  -rw-     1697952  Jan 21 2011 09:50:02 +00:00  securedesktop-ios-3.1.1.45-k9.pkg
    8  -rw-      415956  Jan 21 2011 09:50:14 +00:00  sslclient-win-1.1.4.176.pkg

129748992 bytes total (67457024 bytes free)

router3845#sh run
Building configuration...

Current configuration : 1975 bytes
!
! Last configuration change at 23:08:10 UTC Wed Sep 21 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router3845
!
boot-start-marker
boot-end-marker
!
enable secret **********
enable password **********
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip domain lookup
ip wccp web-cache
ip wccp 80 redirect-list 100
ip wccp 90 redirect-list 100
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
license udi pid CISCO3845-MB sn FOC14512NFP
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description to ne80(801)
 no ip address
 duplex full
 speed auto
 media-type sfp
 no negotiation auto
 no mop enabled
!
interface GigabitEthernet0/0.998
 description to cisco
 encapsulation dot1Q 998
 ip address 172.16.106.226 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1.975
 description Clients-Network
 encapsulation dot1Q 975
 ip address 10.92.107.6 255.255.255.252
 ip wccp 80 redirect in
 ip wccp 90 redirect out
!
interface GigabitEthernet0/1.976
 description Squid-Tproxy-WCCP
 encapsulation dot1Q 976
 ip address 172.16.106.233 255.255.255.248
 ip wccp redirect exclude in
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.106.225
ip route 192.168.123.240 255.255.255.240 10.92.107.5
ip route 192.168.84.0 255.255.255.240 10.92.107.5
!
access-list 100 permit ip 192.168.123.240 0.0.0.15 any
access-list 100 permit ip any 192.168.123.240 0.0.0.15
access-list 100 permit ip 192.168.84.0 0.0.0.15 any
access-list 100 permit ip any 192.168.84.0 0.0.0.15
access-list 100 deny ip any any
dialer-list 1 protocol ip permit
!
snmp-server community ******** RO
!
!
control-plane
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password **********
 login
!
scheduler allocate 20000 1000
end

router3845#exit
Connection closed by foreign host.
```
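The router's `redirect-list 100` and Squid's `acl localnet` have to describe the same client subnets: any source the router hands to service 80 that Squid's `http_access` then rejects gets a `TCP_DENIED` instead of the web, and because TPROXY swallowed the connection there is no fallback. The checker below is an added example, not something from the post or from Cisco or Squid: it parses the page's `access-list 100` and `acl localnet` lines (copied above into constants), converts Cisco wildcard masks to prefix lengths, and reports subnets present on only one side, plus whether the source set used by `redirect in` matches the destination set used by `redirect out`.

```python
import ipaddress

# Lines copied from the page's router config and squid.conf
CISCO_ACL = """\
access-list 100 permit ip 192.168.123.240 0.0.0.15 any
access-list 100 permit ip any 192.168.123.240 0.0.0.15
access-list 100 permit ip 192.168.84.0 0.0.0.15 any
access-list 100 permit ip any 192.168.84.0 0.0.0.15
access-list 100 deny ip any any
"""
SQUID_LOCALNET = "acl localnet src 192.168.123.240/28 192.168.84.0/28"


def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> ip_network.

    Only contiguous wildcards (0.0.0.15, 0.0.255.255, ...) have a CIDR
    equivalent; anything else is rejected rather than guessed."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no CIDR equivalent")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False)


def _take_spec(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A W').
    Returns (network, remaining tokens); 'any' yields None."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_redirect_list(text, number):
    """Source and destination networks permitted by 'access-list <number> permit ip ...' lines."""
    src, dst = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if parts[:4] != ["access-list", str(number), "permit", "ip"]:
            continue
        s, rest = _take_spec(parts[4:])
        d, _ = _take_spec(rest)
        if s is not None:
            src.add(s)
        if d is not None:
            dst.add(d)
    return src, dst


def parse_squid_src_acl(line):
    """Networks listed on an 'acl <name> src ...' line."""
    return {ipaddress.ip_network(p, strict=False) for p in line.split()[3:]}


def _covered(net, nets):
    return any(net.subnet_of(other) for other in nets)


def check_consistency(cisco_text, squid_line, number=100):
    """Compare the WCCP redirect-list against Squid's client ACL."""
    src, dst = parse_redirect_list(cisco_text, number)
    localnet = parse_squid_src_acl(squid_line)
    return {
        # redirected by 'ip wccp 80 redirect in' but matched by no localnet entry
        "redirected_but_denied": sorted(str(n) for n in src if not _covered(n, localnet)),
        # allowed by Squid but never redirected: those clients bypass the cache
        "allowed_but_not_redirected": sorted(str(n) for n in localnet if not _covered(n, src)),
        # service 90 ('redirect out') has to see the return traffic of the same subnets
        "return_path_matches": src == dst,
    }


if __name__ == "__main__":
    for key, value in check_consistency(CISCO_ACL, SQUID_LOCALNET).items():
        print(f"{key}: {value}")
```

Run it after every change to either side; the page's two configs come back clean on all three keys, and adding a client subnet to the router without adding it to `localnet` shows up under `redirected_but_denied`.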
Transparency Test Script
http://devel.squid-cache.org/cgi-bin/test
Bookmarks
http://onlamp.com/pub/a/onlamp/2005/11/17/tcp_tuning.html?page=2
http://fasterdata.es.net/TCP-tuning//linux.html
http://fasterdata.es.net/TCP-tuning//TCP-tuning.html
http://pmoghadam.com