Installing Squid with Cisco WCCP on FreeBSD

August 13, 2008

In this article I use WCCP version 2 on a Cisco 3620 or 7206 router and Squid-2.6.STABLE18 running on FreeBSD-6.3.

Cisco WCCP (Web Cache Communication Protocol) version 2 is used to forward web requests from clients to one or more Squid proxy servers. With WCCP we can build a "cache cluster" for load balancing, scaling, and fault tolerance.

For example, with two proxy servers, if one proxy server goes down WCCP redirects client requests to the other one. In the worst case, when both of our proxy servers are down, WCCP routes client web requests directly from the Cisco router without passing through a proxy at all.

Note: Only Cisco IOS Release 12.1 and later can use WCCP Version 1 (WCCPv1) or Version 2 (WCCPv2).

1. This assumes FreeBSD and Squid are already installed and running properly; what is still missing is the GRE interface on FreeBSD. Create it with the following commands:

ifconfig gre0 create
ifconfig gre0 IP.OF.SQUID.BOX 10.20.30.40 netmask 255.255.255.255 link2 tunnel IP.OF.SQUID.BOX IP.OF.CISCO.ROUTER up
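The decoder below is an added example, not code from the original post or from Squid or FreeBSD. It shows what arrives on gre0 once the router redirects a client's HTTP connection, and why the interface is created with the link2 flag: WCCPv2 places a 4-byte redirect header between the GRE header (protocol type 0x883E) and the client's original IP packet, and link2 tells gre(4) to skip that header before handing the packet to the IP stack. The packet bytes are constructed here; the router address 192.168.0.1 (standing in for IP.OF.CISCO.ROUTER), the proxy address 192.168.0.10 (IP.OF.SQUID.BOX) and the client and web server addresses are made-up stand-ins, and the redirect header layout (D bit, A bit, service ID, alternative bucket, primary bucket) follows the WCCPv2 draft.

```python
import socket
import struct

IPPROTO_GRE = 47
GRE_PROTO_WCCP = 0x883E   # GRE protocol type WCCPv2 uses for redirected traffic


def ip_checksum(hdr):
    """Standard one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack('!%dH' % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a valid checksum."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack('!H', ip_checksum(hdr)) + hdr[12:]


def build_redirected_packet(client, server, client_port, service_id=0, bucket=5,
                            router='192.168.0.1', proxy='192.168.0.10'):
    """Constructed router->proxy packet: outer IP | GRE | WCCP header | client's IP/TCP SYN.
    router/proxy are made-up stand-ins for IP.OF.CISCO.ROUTER and IP.OF.SQUID.BOX."""
    tcp = struct.pack('!HHIIBBHHH', client_port, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner = ipv4_header(client, server, socket.IPPROTO_TCP, len(tcp)) + tcp
    # WCCP redirect header: D bit, A bit, 6 reserved bits | service ID | alt bucket | primary bucket.
    # Service 0 is the standard "web-cache" service selected by "wccp2_service standard 0".
    wccp = struct.pack('!BBBB', 0x00, service_id, 0, bucket)
    gre = struct.pack('!HH', 0x0000, GRE_PROTO_WCCP)   # no C/K/S flags, GRE version 0
    payload = gre + wccp + inner
    return ipv4_header(router, proxy, IPPROTO_GRE, len(payload)) + payload


def decode_redirected_packet(pkt, link2=True):
    """Parse the outer IP, GRE and WCCP headers, then the client's flow.
    link2=True mirrors gre(4) with the link2 flag set: the 4 WCCP bytes are consumed
    before the inner packet is read. With link2=False those bytes are treated as the
    start of the inner packet, which is exactly the misparse the flag exists to prevent."""
    if pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_GRE:
        raise ValueError('outer packet is not IPv4/GRE')
    off = (pkt[0] & 0x0F) * 4
    tunnel = (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]))
    flags, proto = struct.unpack('!HH', pkt[off:off + 4])
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):   # optional checksum, key and sequence fields
        if flags & bit:
            off += 4
    if proto != GRE_PROTO_WCCP:
        raise ValueError('GRE protocol type 0x%04x is not WCCPv2' % proto)
    first, service_id, alt_bucket, pri_bucket = struct.unpack('!BBBB', pkt[off:off + 4])
    wccp = {'dynamic_service': bool(first & 0x80), 'alt_bucket_used': bool(first & 0x40),
            'service_id': service_id, 'alt_bucket': alt_bucket, 'primary_bucket': pri_bucket}
    if link2:
        off += 4
    if pkt[off] >> 4 != 4:
        raise ValueError('inner bytes do not parse as IPv4 (missing link2?)')
    inner_ihl = (pkt[off] & 0x0F) * 4
    inner_src = socket.inet_ntoa(pkt[off + 12:off + 16])
    inner_dst = socket.inet_ntoa(pkt[off + 16:off + 20])
    sport, dport = struct.unpack('!HH', pkt[off + inner_ihl:off + inner_ihl + 4])
    return {'tunnel': tunnel, 'wccp': wccp, 'flow': (inner_src, sport, inner_dst, dport)}


def inner_parses_without_link2(pkt):
    """True only if the inner packet is still readable when the WCCP header is not skipped."""
    try:
        decode_redirected_packet(pkt, link2=False)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    sample = build_redirected_packet('192.168.0.130', '203.0.113.5', 40000)
    print(decode_redirected_packet(sample))
    print('inner readable without link2:', inner_parses_without_link2(sample))
```

Run stand-alone it prints the tunnel endpoints, the WCCP header fields (service 0, primary bucket 5) and the client flow 192.168.0.130:40000 to 203.0.113.5:80, then reports that the inner packet is not readable when the 4 WCCP bytes are left in place. That second line is the symptom you see when link2 is forgotten: gre0 is up and the router counts redirected packets, but nothing useful reaches ipfw or Squid.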

2. Configure WCCP in Squid as well. Add the following lines to squid.conf:

wccp2_router IP.OF.CISCO.ROUTER

wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0

3. Create firewall rules that redirect the web requests arriving over the GRE tunnel to Squid on port 3128. Replace all currently active rules with the following script:

#!/bin/sh

##### Start of rc.firewall script ######

## Change the network interfaces and IP addresses to match your own network!

NET_IF="em0"
IPFW="/sbin/ipfw -q"

#IP of Proxy Server
IF_ADDR="192.168.0.10"

NTP_SERVER="192.168.0.55"

PROXY_NET="192.168.0.0/27"

ALL_NET="192.168.0.0/24"
CLIENT_NET="192.168.0.128/25"
WIRELESS_NET="172.16.0.128/25"
ADMIN_NET="192.168.0.48/28"
SSH_PORT="12345"

LOCALHOST="127.0.0.1"

$IPFW -f flush

$IPFW add allow all from any to any via lo0

$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in

$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0

#$IPFW add permit ip from any to any
$IPFW add allow all from $IF_ADDR to any

#$IPFW add fwd 127.0.0.1,3128 ip from any to any via gre0 in
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any http in via gre0
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in
#$IPFW add permit ip from any to any

#Allow local DNS caching
$IPFW add allow udp from $ALL_NET to any 53

$IPFW add allow udp from any 53 to $IF_ADDR
$IPFW add allow tcp from any 53 to $IF_ADDR

$IPFW add allow all from any to any out via $NET_IF

#######For DNS
#Allow DNS Query
$IPFW add allow udp from $ALL_NET 53 to $IF_ADDR
$IPFW add allow udp from $WIRELESS_NET 53 to $IF_ADDR

#For Proxy access
#$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 in

$IPFW add allow tcp from $ALL_NET to any 3128 in via $NET_IF
$IPFW add allow tcp from $WIRELESS_NET to any 3128 in via $NET_IF

#####Allow Established session
$IPFW add allow tcp from any to any in via $NET_IF established

#$IPFW add allow tcp from any to $IF_ADDR 113

#For ICP Query
$IPFW add allow udp from $PROXY_NET to $PROXY_NET 3130

$IPFW add allow udp from $NTP_SERVER 123 to $IF_ADDR

###Only needed for Experimental Multicast
#$IPFW add allow all from 224.9.9.1 to any
#$IPFW add allow all from any to 224.9.9.1
#$IPFW add allow all from me to 224.9.9.1

#######For SSH

$IPFW add allow tcp from $ADMIN_NET to $IF_ADDR $SSH_PORT

#for snmpwalk from Admin network
$IPFW add allow udp from $ADMIN_NET to me 3001
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $LOCALHOST to me 3001
$IPFW add allow udp from $LOCALHOST to me 161

###########
$IPFW add allow icmp from $ALL_NET to any
$IPFW add allow icmp from $WIRELESS_NET to any
#################################################

###Only if you want the world to send ICMP packets to your server!!

#ipfw add allow icmp from any to any icmptypes 8
#ipfw add allow icmp from any to any

$IPFW add allow all from $ADMIN_NET to me
$IPFW add allow all from me to $ADMIN_NET

$IPFW add 65533 deny log all from any to any

############# End of rc.firewall ###############
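Before loading a rule set like this one it is worth having a script check it for the mistakes that creep in while editing by hand: exact duplicates (the SNMP rule for port 161 appears twice above), rules that an earlier unconditional allow already matches and so can never fire, and whether the transparent-proxy redirect on gre0 is actually present. The reviewer below is an added example, not code from the original post or from ipfw. It parses the "$IPFW add" lines of a constructed, abridged copy of the script above, with one extra rule ("allow udp from $IF_ADDR to any 53") added so that the shadow check has something to report. Its notion of "shadowed" is deliberately narrow (an earlier allow with no ports and no via/in/out/established options) so that it only reports cases that are certain.

```python
import ipaddress
import re

# Constructed abridgement of the rc.firewall above, plus one extra rule
# ("allow udp from $IF_ADDR to any 53") added to exercise the shadow check.
SAMPLE_RC_FIREWALL = r'''
NET_IF="em0"
IPFW="/sbin/ipfw -q"
IF_ADDR="192.168.0.10"
ALL_NET="192.168.0.0/24"
ADMIN_NET="192.168.0.48/28"
LOCALHOST="127.0.0.1"
$IPFW -f flush
$IPFW add allow all from any to any via lo0
$IPFW add fwd 127.0.0.1,3128 tcp from any to any 80 via gre0 in
$IPFW add allow all from $IF_ADDR to any
$IPFW add allow udp from $IF_ADDR to any 53
#$IPFW add permit ip from any to any
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add allow udp from $ADMIN_NET to me 161
$IPFW add 65533 deny log all from any to any
'''

VAR_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)="([^"]*)"$')
ADD_RE = re.compile(r'^\$IPFW\s+add\s+(?:(\d+)\s+)?(.+)$')
BODY_RE = re.compile(
    r'^(?P<action>allow|accept|pass|permit|deny|drop|fwd\s+\S+)(?:\s+log)?'
    r'\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?'
    r'\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+|http|https))?(?P<opts>.*)$', re.IGNORECASE)
ALLOW_ACTIONS = {'allow', 'accept', 'pass', 'permit'}
MISSING_REDIRECT = "no 'fwd 127.0.0.1,3128 ... via gre0 in' redirect rule found"


def parse_rules(script):
    """Expand the script's shell variables and return each '$IPFW add' rule as a dict."""
    variables, rules = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = m.group(2)
            continue
        m = ADD_RE.match(line)
        if not m:
            continue
        body = re.sub(r'\$([A-Z_][A-Z0-9_]*)',
                      lambda v: variables.get(v.group(1), v.group(0)), m.group(2)).strip()
        b = BODY_RE.match(body)
        if not b:
            raise ValueError('unparsed rule: ' + body)
        rules.append({'num': int(m.group(1)) if m.group(1) else None, 'text': body,
                      'action': b.group('action').lower(), 'proto': b.group('proto').lower(),
                      'src': b.group('src').lower(), 'sport': b.group('sport'),
                      'dst': b.group('dst').lower(), 'dport': b.group('dport'),
                      'opts': tuple(b.group('opts').lower().split())})
    return rules


def covers(outer, inner):
    """True if address spec `outer` matches everything `inner` matches."""
    if outer == 'any' or outer == inner:
        return True
    try:
        return ipaddress.ip_network(inner, strict=False).subnet_of(
            ipaddress.ip_network(outer, strict=False))
    except (ValueError, TypeError):   # 'me', hostnames, tables: only exact matches count
        return False


def shadowed_by(rule, earlier):
    """An earlier allow with no ports and no interface/direction/state options whose
    protocol and addresses include this rule's makes this rule unreachable."""
    for e in earlier:
        if (e['action'] in ALLOW_ACTIONS and not e['opts'] and not e['sport'] and not e['dport']
                and e['proto'] in ('all', 'ip', rule['proto'])
                and covers(e['src'], rule['src']) and covers(e['dst'], rule['dst'])):
            return e
    return None


def review(script):
    """Return human-readable findings for an rc.firewall-style rule script."""
    rules = parse_rules(script)
    findings, seen = [], set()
    for i, r in enumerate(rules):
        key = (r['num'], r['text'].lower())
        if key in seen:
            findings.append('duplicate rule: ' + r['text'])
        seen.add(key)
        e = shadowed_by(r, rules[:i])
        if e:
            findings.append("shadowed by earlier '%s': %s" % (e['text'], r['text']))
    if not any(r['action'] == 'fwd 127.0.0.1,3128' and 'gre0' in r['opts'] and 'in' in r['opts']
               for r in rules):
        findings.append(MISSING_REDIRECT)
    return findings


if __name__ == '__main__':
    for finding in review(SAMPLE_RC_FIREWALL):
        print(finding)
```

On the sample it reports the shadowed DNS rule and the duplicated port 161 rule and stays silent about the redirect, which is present. One caveat that the squid.conf fragment above does not show: the fwd rule only helps if Squid accepts intercepted connections on that port, which in Squid 2.6 means the `transparent` option on `http_port` (for example `http_port 3128 transparent`).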

4. Configure WCCP on the Cisco router

Global Configuration

Router(config)# ip wccp version 2
Router(config)# ip wccp web-cache redirect-list 160

Access-List 160

Router(config)# access-list 160 permit ip 192.168.0.0 0.0.0.255 any
Router(config)# access-list 160 permit ip 172.16.0.0 0.0.0.255 any

Router(config)# interface fastethernet 0/0
Router(config-if)# ip wccp web-cache redirect in

Router# write

5. Restart Squid and reload the firewall. If there are no errors, congratulations: WCCP2 is now running on FreeBSD with Squid-2.6.STABLE18.

Congratulations… congratulations … 🙂