Squid and WCCPv2 connected to a 7206VXR
This is another working example of Squid 2.6 and a Cisco router transparently proxying web traffic over WCCPv2. It is not a TPROXY example, so all web requests leave the proxy with the proxy's IP as source, not the client's.
Cisco information
The Cisco router has six serial sub-interfaces towards the Internet; GigabitEthernet0/1 connects to the web proxy server. Clients sit behind the other interfaces.
WCCP is configured to intercept packets on their way out of the router towards the upstream links (redirect out on each serial sub-interface). The redirect-list 190 restricts interception to TCP from 10.15.128.0/18 to ports 80, 8000 and 8080; without such a list every TCP/80 flow leaving those interfaces would be pulled into the proxy. Note that the example sets neither ip wccp web-cache group-list nor a service password, so any host the router will talk to can register itself as a cache for the web-cache service and receive redirected client traffic. In production restrict membership with a group-list and configure the same password on both sides (Squid accepts password= on the wccp2_service line).
Router (Cisco 7206VXR). 6 Subinterfaces to Internet
Version:
ROM: System Bootstrap, Version 12.3(4r)T3, RELEASE SOFTWARE (fc1)
BOOTLDR: 7200 Software (C7200-KBOOT-M), Version 12.3(9), RELEASE SOFTWARE (fc2)
Configuration (only relevant sections)
ip wccp web-cache redirect-list 190
(ip cef is enabled)
!
interface GigabitEthernet0/1
description web-proxy
ip address 10.15.163.10 255.255.255.252
duplex auto
speed auto
media-type rj45
no negotiation auto
!
interface Serial1/0.1 point-to-point
ip wccp web-cache redirect out
!
interface Serial1/0.2 point-to-point
ip wccp web-cache redirect out
!
interface Serial1/0.3 point-to-point
ip wccp web-cache redirect out
!
interface Serial1/0.4 point-to-point
ip wccp web-cache redirect out
!
interface Serial1/0.5 point-to-point
ip wccp web-cache redirect out
!
interface Serial1/0.6 point-to-point
ip wccp web-cache redirect out
!
interface Serial1/0.25 point-to-point
ip wccp web-cache redirect out
!
access-list 190 permit tcp 10.15.128.0 0.0.63.255 any eq www
access-list 190 permit tcp 10.15.128.0 0.0.63.255 any eq 8000
access-list 190 permit tcp 10.15.128.0 0.0.63.255 any eq 8080
Squid configuration file
The squid.conf used on the proxy (Squid 2.6):
# 'transparent' is the Squid 2.6 keyword for intercepted traffic (Squid 3.1+ call it 'intercept')
http_port 3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
maximum_object_size 96 KB
cache_dir aufs /var/spool/squid 25000 16 256
access_log /var/spool/squid/squid_access.log squid
cache_log /var/log/squid_cache.log
cache_store_log none
debug_options ALL,1
client_netmask 255.255.255.0
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
# Safe_ports and SSL_ports are referenced by the http_access lines below but were
# missing from the file as posted; Squid refuses to start on an undefined ACL.
# These are the stock squid.conf definitions.
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl the_network src 10.15.128.0/18
acl the_Servers dst 10.15.128.0/18
acl AdminBoxes src 10.15.138.45
http_access allow manager localhost
http_access allow manager AdminBoxes
http_access deny manager
http_access allow purge localhost
http_access allow purge AdminBoxes
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
cache deny the_Servers
http_access allow the_network
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access deny all
miss_access deny !the_network
cache_mgr squid@example.com
cache_effective_user proxy
cache_effective_group proxy
visible_hostname squid.example.com
logfile_rotate 7
store_avg_object_size 14 KB
client_db off
always_direct allow the_network
error_directory /usr/share/squid/errors/Spanish
# WCCPv2 registration goes to the router interface facing the proxy; the GRE
# packets come back from the router ID (see the tunnel section), not from this address
wccp2_router 10.15.163.10
# wccp_version only applies to WCCPv1 (wccp_router); it has no effect on this WCCPv2 setup
wccp_version 4
# 1 = GRE encapsulation for both forwarding and return (2 would be L2 rewriting)
wccp2_forwarding_method 1
wccp2_return_method 1
# standard service 0 is the "web-cache" service matched by "ip wccp web-cache" on the router
wccp2_service standard 0
uri_whitespace encode
strip_query_terms on
coredump_dir /home/proxy
ie_refresh on
Configuring the GRE tunnel
A GRE tunnel is needed between the router and the web proxy. Over it the proxy receives the HTTP traffic the router intercepts.
A small complication arises when the router has several interfaces, because the tunnel has to be set up against the right IP address. It is not obvious from the configuration which address the Cisco uses for its end of the tunnel: it is not the address facing the proxy (10.15.163.10) but the WCCP router ID, which IOS derives from the highest-numbered IP address on the router (a loopback if one exists); newer IOS releases let you pin it with ip wccp source-interface. Here it turned out to be 10.10.103.254, which is why the INPUT rule below accepts protocol gre only from that address. Rather than guess, several tunnels were set up on the proxy, the iptables counters showed which one carried traffic (only one does), and the unneeded tunnels were deleted.
The tunnel is created when the physical interface eth0 comes up. On Debian this is configured in /etc/network/interfaces. The same file loads the netfilter rules that perform the transparent redirection to the web proxy and protect the server.
iface eth0 inet static
address 10.15.163.9
netmask 255.255.255.252
network 10.15.163.8
broadcast 10.15.163.11
gateway 10.15.163.10
pre-up ( \
/sbin/modprobe ip_conntrack ; \
/sbin/modprobe iptable_nat ; \
/sbin/iptables-restore < /etc/default/iptables ; \
)
post-up ( \
/sbin/ip link set eth0 mtu 1476 ; \
/sbin/ip tunnel add wccp1 mode gre remote 10.10.103.254 \
local 10.15.163.9 dev eth0 ; \
/sbin/ip addr add 10.15.163.9 dev wccp1 ; \
/sbin/ip link set wccp1 up ; \
/sbin/sysctl -w net.ipv4.conf.wccp1.rp_filter=0 ; \
/sbin/sysctl -w net.ipv4.conf.eth0.rp_filter=0 ; \
)
pre-down ( \
/sbin/ip link set wccp1 down ; \
/sbin/ip tunnel del wccp1 ; \
)
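To make concrete what the tunnel carries and why the rp_filter sysctls above are needed, here is an added example (not code from the wiki page, from Squid or from the Linux kernel) that builds one WCCP GRE packet as the router would send it, decapsulates it the way Linux's ip_gre does, then applies the PREROUTING REDIRECT rules from the netfilter section of this page and a strict reverse-path check against the proxy's routing table. The router ID 10.10.103.254 and proxy address 10.15.163.9 are the page's; the client 10.15.130.7, the origin 198.51.100.10, the packet bytes and the routing table are constructed for the example.

```python
"""Decapsulate a WCCP GRE packet as the proxy's kernel does, then apply the two
things this page configures around the tunnel: PREROUTING REDIRECT and rp_filter.
Added example, not code from the wiki page, Squid or Linux. Router ID and proxy
address are from the page; client, origin, packet bytes and routes are constructed."""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

IPPROTO_GRE, IPPROTO_TCP = 47, 6
ETH_P_IP, ETH_P_WCCP = 0x0800, 0x883E          # GRE protocol-type values
ROUTER_ID, PROXY_IP = "10.10.103.254", "10.15.163.9"


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]


def build_sample_packet(client: str = "10.15.130.7", origin: str = "198.51.100.10",
                        dport: int = 80) -> bytes:
    """Constructed: the router's GRE encapsulation of one intercepted client SYN."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header(client, origin, IPPROTO_TCP, len(tcp)) + tcp
    wccp_redirect = b"\x00\x00\x00\x00"      # 4-byte WCCP redirect header, fields opaque here
    gre = struct.pack("!HH", 0, ETH_P_WCCP)  # no C/K/S option bits, GRE version 0
    payload = gre + wccp_redirect + inner
    return ipv4_header(ROUTER_ID, PROXY_IP, IPPROTO_GRE, len(payload)) + payload


def parse_ipv4(buf: bytes) -> Dict:
    ver_ihl, _, total_len, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", buf[:12])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4
    if _csum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "total_len": total_len, "proto": proto,
            "src": str(ipaddress.IPv4Address(buf[12:16])),
            "dst": str(ipaddress.IPv4Address(buf[16:20]))}


def decapsulate_wccp_gre(buf: bytes) -> Dict:
    """Strip outer IP + GRE (+ WCCP redirect header) and describe the inner flow."""
    outer = parse_ipv4(buf)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (protocol 47)")
    off = outer["ihl"]
    flags, gre_type = struct.unpack("!HH", buf[off:off + 4])
    if flags & 0x4000:
        raise ValueError("GRE routing (R bit) not supported")
    # RFC 2784/2890 optional fields, 4 bytes each: checksum (C), key (K), sequence (S)
    off += 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if gre_type == ETH_P_WCCP:
        # Same heuristic as Linux ip_gre: if the next byte is not an IPv4 version/IHL
        # byte (0x4x), a 4-byte WCCP redirect header sits in front of the inner packet.
        if (buf[off] & 0xF0) != 0x40:
            off += 4
    elif gre_type != ETH_P_IP:
        raise ValueError(f"unexpected GRE protocol type 0x{gre_type:04x}")
    inner = parse_ipv4(buf[off:])
    sport = dport = None
    if inner["proto"] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", buf[off + inner["ihl"]:off + inner["ihl"] + 4])
    return {"outer_src": outer["src"], "outer_dst": outer["dst"], "gre_type": gre_type,
            "overhead": off, "inner_src": inner["src"], "inner_dst": inner["dst"],
            "sport": sport, "dport": dport}


def nat_redirect_port(ingress_if: str, dport: Optional[int]) -> Optional[int]:
    """The page's three PREROUTING rules: only tunnel traffic to 80/8000/8080 goes to 3128."""
    return 3128 if ingress_if == "wccp1" and dport in (80, 8000, 8080) else None


# Constructed routing table of the proxy: everything off-link leaves via eth0.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.IPv4Network("10.15.163.8/30"), "eth0"),
    (ipaddress.IPv4Network("0.0.0.0/0"), "eth0"),
]


def strict_rp_filter_drops(src: str, ingress_if: str, routes=ROUTES) -> bool:
    """Strict reverse-path filtering (rp_filter=1) drops a packet whose source address
    would be routed out of a different interface than the one it arrived on."""
    addr = ipaddress.IPv4Address(src)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1] != ingress_if


if __name__ == "__main__":
    info = decapsulate_wccp_gre(build_sample_packet())
    print(info)
    print("REDIRECT to port", nat_redirect_port("wccp1", info["dport"]))
    print("strict rp_filter on wccp1 would drop it:",
          strict_rp_filter_drops(info["inner_src"], "wccp1"))
```

The inner packet still carries the client's address as source but arrives on wccp1, while the route back to the client runs over eth0; that is the condition strict reverse-path filtering rejects, hence rp_filter=0 on the tunnel. The 28-byte overhead the function reports is 20 bytes of outer IP, 4 of GRE and 4 of WCCP redirect header; the interfaces stanza above lowers eth0 to 1476, which is 1500 minus the 24 bytes of plain GRE.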
Finally, the netfilter rules (/etc/default/iptables). They are roughly ordered so that the rules matched most often come first. Two caveats before reusing them. First, the RELATED,ESTABLISHED rule at the top already admits replies to connections the proxy itself opened (DNS lookups, fetches from origin servers), so the later rules that accept any packet merely because its source port is 53, 80, 8000 or 8080 add nothing for legitimate traffic, yet they let anyone who binds that source port reach every listening service on the box, including 22 and 3128, ahead of the REJECT rules further down; drop them or pin them to the expected destination port. Second, the file uses the old negation syntax (-s ! address), which newer iptables deprecates in favour of ! -s address.
# Generated by iptables-save v1.3.6 on Wed Mar 14 14:56:26 2007
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Established connections
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# GRE tunnel traffic
-A INPUT -s 10.10.103.254 -d 10.15.163.9 -p gre -j ACCEPT
# HTTP rerouted requests
-A INPUT -s 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 3128 -j ACCEPT
# UDP DNS replies
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
# Rate-limit ICMP to 10 per second. Matches all ICMP types, not only echo request;
# add -m icmp --icmp-type echo-request to narrow it.
-A INPUT -p icmp -m limit --limit 10/sec --limit-burst 10 -j ACCEPT
# WCCP traffic
-A INPUT -s 10.15.163.10 -p udp -m udp --sport 2048 --dport 2048 -j ACCEPT
# Incoming HTTP traffic from origin servers
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --sport 8000 -j ACCEPT
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --sport 8080 -j ACCEPT
# TCP DNS replies. Just in case
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
# SSH connection from admin server
-A INPUT -s 10.15.138.45 -p tcp -m tcp --dport 22 -j ACCEPT
# Reject other SSH connections (optional)
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
# Reject HTTP request from outside my network (optional)
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 3128 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 8000 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
# Accept some traceroute. 3 per second
-A INPUT -p udp -m udp --dport 33434:33445 -m limit --limit 3/sec --limit-burst 3 -j ACCEPT
# Log everything else, maybe add explicit rules to block certain traffic.
# Unnecessary but useful for monitoring
-A INPUT -j LOG
# Accept forwarded requests.
# Totally unnecessary, but allows for basic monitoring.
-A FORWARD -s 10.15.128.0/255.255.192.0 -d ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.15.128.0/255.255.192.0 -d ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 3128 -j ACCEPT
-A FORWARD -s 10.15.128.0/255.255.192.0 -d ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 8000 -j ACCEPT
-A FORWARD -s 10.15.128.0/255.255.192.0 -d ! 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
# Completed on Wed Mar 14 14:56:26 2007
# Generated by iptables-save v1.3.6 on Wed Mar 14 14:56:26 2007
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reroute HTTP requests to the proxy server
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Wed Mar 14 14:56:26 2007
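The router's redirect-list, Squid's client ACL and the netfilter rules each define the client network and the intercepted ports in a different notation (Cisco wildcard mask, CIDR, dotted netmask), and they only work as a transparent proxy if all three agree. The following added example (not code from the wiki page or from Squid) copies the three snippets from this page and checks them against each other; the parsing is limited to the line shapes that appear here.

```python
"""Cross-check that the router redirect-list, the Squid client ACL and the
netfilter rules on this page describe the same client network and ports.
Added example, not from the wiki page; the snippets are copied from the page,
the parsing is mine and handles only the line shapes seen here. A gap between
them is how a transparent proxy ends up as an open proxy (Squid admitting more
than the router redirects) or black-holing traffic (router redirecting ports
the proxy never accepts)."""
import ipaddress
import re
from typing import List, Set, Tuple

IPv4Network = ipaddress.IPv4Network

CISCO_ACL = """\
access-list 190 permit tcp 10.15.128.0 0.0.63.255 any eq www
access-list 190 permit tcp 10.15.128.0 0.0.63.255 any eq 8000
access-list 190 permit tcp 10.15.128.0 0.0.63.255 any eq 8080
"""
SQUID_ACL = "acl the_network src 10.15.128.0/18"
NAT_RULES = """\
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 3128
-A PREROUTING -i wccp1 -p tcp -m tcp --dport 8080 -j REDIRECT --to-ports 3128
"""
INPUT_RULE = "-A INPUT -s 10.15.128.0/255.255.192.0 -p tcp -m tcp --dport 3128 -j ACCEPT"

IOS_PORT_NAMES = {"www": 80}   # the only IOS port keyword used on this page


def is_contiguous_wildcard(wildcard: str) -> bool:
    """Cisco wildcard bits are inverted mask bits; only a trailing run of 1s is a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return wc & (wc + 1) == 0


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} has no CIDR equivalent")
    wc = int(ipaddress.IPv4Address(wildcard))
    # strict=True (the default) rejects an address with host bits set under the mask
    return IPv4Network((addr, 32 - wc.bit_length()))


def parse_cisco_acl(text: str) -> Tuple[Set[IPv4Network], Set[int]]:
    pat = re.compile(r"access-list\s+\d+\s+permit\s+tcp\s+(\S+)\s+(\S+)\s+any\s+eq\s+(\S+)")
    nets, ports = set(), set()
    for src, wc, port in pat.findall(text):
        nets.add(wildcard_to_network(src, wc))
        ports.add(IOS_PORT_NAMES[port] if port in IOS_PORT_NAMES else int(port))
    return nets, ports


def parse_squid_src_acl(text: str, name: str) -> Set[IPv4Network]:
    pat = re.compile(rf"^acl\s+{re.escape(name)}\s+src\s+(.+)$", re.M)
    # ipaddress accepts both a.b.c.d/nn and a.b.c.d/m.m.m.m, as Squid does
    return {IPv4Network(tok) for m in pat.finditer(text) for tok in m.group(1).split()}


def parse_nat_redirects(text: str, ifname: str) -> Tuple[Set[int], Set[int]]:
    pat = re.compile(rf"-A PREROUTING -i {re.escape(ifname)} .*--dport (\d+) -j REDIRECT --to-ports (\d+)")
    pairs = pat.findall(text)
    return {int(d) for d, _ in pairs}, {int(t) for _, t in pairs}


def parse_input_accept(text: str) -> Tuple[IPv4Network, int]:
    m = re.search(r"-A INPUT -s (\S+) -p tcp -m tcp --dport (\d+) -j ACCEPT", text)
    if not m:
        raise ValueError("no INPUT ACCEPT rule for the proxy port")
    return IPv4Network(m.group(1)), int(m.group(2))


def find_mismatches(cisco: str, squid: str, nat: str, input_rule: str) -> List[str]:
    """Return one message per inconsistency; an empty list means the three agree."""
    router_nets, router_ports = parse_cisco_acl(cisco)
    squid_nets = parse_squid_src_acl(squid, "the_network")
    redirected, targets = parse_nat_redirects(nat, "wccp1")
    fw_net, fw_port = parse_input_accept(input_rule)
    problems = []
    if router_nets != squid_nets:
        problems.append(f"router redirects {sorted(map(str, router_nets))}, "
                        f"Squid allows {sorted(map(str, squid_nets))}")
    if {fw_net} != squid_nets:
        problems.append(f"netfilter admits {fw_net} to port {fw_port}, "
                        f"Squid allows {sorted(map(str, squid_nets))}")
    if router_ports != redirected:
        problems.append(f"router intercepts ports {sorted(router_ports)}, "
                        f"PREROUTING redirects {sorted(redirected)}")
    if targets != {fw_port}:
        problems.append(f"REDIRECT targets {sorted(targets)}, INPUT accepts port {fw_port}")
    return problems


if __name__ == "__main__":
    print("as configured:", find_mismatches(CISCO_ACL, SQUID_ACL, NAT_RULES, INPUT_RULE) or "consistent")
    # One slip in the wildcard mask (0.0.127.255 is /17) and the checker flags it.
    print("with /17 on the router:", find_mismatches(
        CISCO_ACL.replace("0.0.63.255", "0.0.127.255"), SQUID_ACL, NAT_RULES, INPUT_RULE))
```

The checker is deliberately strict about wildcard masks: IOS happily accepts a non-contiguous wildcard such as 0.0.255.0, but neither Squid's src ACL nor the netfilter -s match can express it, so such a redirect-list can never be mirrored exactly on the proxy and is reported as an error rather than silently approximated.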
Acknowledgements
Thanks to Nicolas Ruiz <nicolas@ula.ve> for the contribution.
⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.
Category: ConfigExample