Cisco WCCP2 with Squid Proxy and SquidGuard

There are a number of good reasons for deploying proxies at work or at home:

  • Restricting web access to specific sites
  • Reducing traffic volumes
  • Monitoring and managing bandwidth
  • Optionally restricting when someone can surf the web
  • Many more

While searching the Internet for some Japanese cartoon monster with my nine-year-old son, I was shocked by the search results: animated boobs, adult videos and bad content. I thought my $149 Linksys 4400N content filtering was good enough. NO, NOT AT ALL.
Luckily there are good open source communities out there; thanks to the open source Squid Proxy server team and all of the contributors.
Ok, so I have a Cisco 871w router and a zBox, a low-power Ubuntu box for home multimedia stuff such as BOXEE etc.

Let's get started

Installing Squid Proxy on Ubuntu is fairly easy, just follow the instructions below:

  • Open a terminal session or SSH to the box
  • Issue the following commands

Install the packages

sudo apt-get install squid3 squidguard  

Note: give the server a static IP, NOT DHCP. My configuration is shown below.

Make a backup copy of the original configuration files (change into the directory first, so the copies land next to the originals):

cd /etc/squid
cp squid.conf squid.conf.org
cp squidGuard.conf squidGuard.conf.org

Open squid.conf with your favorite editor (or create a new one), replace its content with the following, and change anything that does not match your network. In particular, the two empty "acl internal_network src" lines need your LAN subnets and "wccp2_router" needs the address of your WCCP router.

http_port 3128 intercept  
cache_dir ufs /var/spool/squid3 7000 16 256  
cache_swap_low 90  
cache_swap_high 95  
dns_nameservers 8.8.8.8 4.2.2.2  
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf  
acl manager proto cache_object  
acl localhost src 127.0.0.1/32 ::1  
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1  
acl internal_network src  
acl internal_network src  
acl SSL_ports port 443  
acl Safe_ports port 80          # http  
acl Safe_ports port 21          # ftp  
acl Safe_ports port 443         # https  
acl Safe_ports port 70          # gopher  
acl Safe_ports port 210         # wais  
acl Safe_ports port 1025-65535  # unregistered ports  
acl Safe_ports port 280         # http-mgmt  
acl Safe_ports port 488         # gss-http  
acl Safe_ports port 591         # filemaker  
acl Safe_ports port 777         # multiling http  
acl CONNECT method CONNECT  
http_access allow manager localhost  
http_access allow internal_network  
http_access deny manager  
http_access deny !Safe_ports  
http_access deny CONNECT !SSL_ports  
http_access allow localhost  
http_access deny all  
hierarchy_stoplist cgi-bin ?  
coredump_dir /var/spool/squid3  
refresh_pattern ^ftp:           1440    20%     10080  
refresh_pattern ^gopher:        1440    0%      1440  
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0  
refresh_pattern .               0       20%     4320  
wccp2_router  
wccp_version 4  
wccp2_forwarding_method gre  
wccp2_return_method gre  
wccp2_assignment_method hash  
wccp2_service standard 0 password=C1sC0  
cache_mgr admin@home.lan  
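One detail worth checking in the http_access block above is its order: Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides, so putting "allow internal_network" before the "deny !Safe_ports" and "deny CONNECT !SSL_ports" lines means those port sanity checks never apply to LAN clients. The following model of that evaluation is an added example, not code from the original post or from Squid; it only handles src, port and method ACLs and assumes internal_network is 10.10.100.0/24.

```python
# Added example, not from the original post: a small model of Squid's
# first-match http_access evaluation, used to compare the post's rule
# order with the conventional one. Only src/port/method ACLs are
# modelled, and internal_network is assumed to be 10.10.100.0/24.
import ipaddress
# ACL definitions from the post's squid.conf: name -> (type, values)
ACLS = {
    "all": ("all", []),
    "localhost": ("src", ["127.0.0.1/32", "::1"]),
    "internal_network": ("src", ["10.10.100.0/24"]),
    "SSL_ports": ("port", ["443"]),
    "Safe_ports": ("port", ["80", "21", "443", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "CONNECT": ("method", ["CONNECT"]),
}
# http_access lines in the post's order (manager lines omitted) ...
POST_ORDER = ["allow internal_network", "deny !Safe_ports",
              "deny CONNECT !SSL_ports", "allow localhost", "deny all"]
# ... and in the conventional order: port sanity checks before any allow
SAFE_ORDER = ["deny !Safe_ports", "deny CONNECT !SSL_ports",
              "allow internal_network", "allow localhost", "deny all"]

def acl_matches(acl, req):
    kind, values = acl
    if kind == "all":
        return True
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(v) for v in values)
    if kind == "port":                      # single ports or lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    raise ValueError("unsupported acl type " + kind)

def decide(rules, req):
    """First line whose terms all match wins (AND on a line, '!' negates)."""
    for rule in rules:
        action, *terms = rule.split()
        if all(acl_matches(ACLS[t.lstrip("!")], req) != t.startswith("!")
               for t in terms):
            return action
    return "deny"   # not reached here: 'deny all' always matches

# Constructed sample request: a LAN client asking to tunnel to port 25
SMTP_TUNNEL = {"src": "10.10.100.55", "port": 25, "method": "CONNECT"}
```

With the post's order, decide(POST_ORDER, SMTP_TUNNEL) returns "allow", while the conventional order returns "deny"; ordinary port 80 requests from the LAN are allowed either way.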

Open the squidGuard.conf file and replace its contents with the following:

dbhome /var/lib/squidguard/db  
logdir /var/log/squid3  
dest adv {  
  domainlist adv/domains
  urllist adv/urls
}
dest aggressive {  
  domainlist aggressive/domains
  urllist aggressive/urls
}
dest drugs {  
  domainlist drugs/domains
  urllist drugs/urls
}
dest hacking {  
  domainlist hacking/domains
  urllist hacking/urls
}
dest porn {  
  domainlist porn/domains
  urllist porn/urls
}
dest redirector {  
  domainlist redirector/domains
  urllist redirector/urls
}
dest warez {  
  domainlist warez/domains
  urllist warez/urls
}
dest gamble {  
  domainlist gamble/domains
  urllist gamble/urls
}
dest spyware {  
  domainlist spyware/domains
  urllist spyware/urls
}
dest violence {  
  domainlist violence/domains
  urllist violence/urls
}
acl {  
  default {
    pass !adv !aggressive !drugs !hacking !porn !redirector !warez !gamble !spyware !violence all
    redirect http://10.10.100.8/accessdenied.html
  }
}

The redirect statement in squidGuard.conf points at the local server; you can host your own block page there, or host one somewhere else on the Internet, so users see why a request was denied.
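To make the acl block above concrete, here is an added model (not squidGuard's own code and not from the original post) of how the "default" acl decides a request: a URL hitting any of the listed categories is answered with the redirect page, everything else passes. The blocklist entries are constructed inline instead of being read from the domains and urls files under dbhome, and the matching rules (a domain entry covers its subdomains, a URL entry covers everything below it) are my assumption about squidGuard's behaviour.

```python
# Added example, not from the original post: a model of the post's
# squidGuard 'default' acl. Blocklist contents are constructed here
# instead of being read from $dbhome/<category>/{domains,urls}; the
# matching rules (domain + subdomains, URL prefix) are assumptions.
from urllib.parse import urlsplit

REDIRECT = "http://10.10.100.8/accessdenied.html"
# Categories negated in 'pass !adv !aggressive ... all'
BLOCKED = ["adv", "aggressive", "drugs", "hacking", "porn", "redirector",
           "warez", "gamble", "spyware", "violence"]
# Constructed sample lists, keyed like the dest blocks in squidGuard.conf
LISTS = {
    "adv": {"domains": ["ads.example"], "urls": []},
    "porn": {"domains": ["bad.example"], "urls": []},
    "warez": {"domains": [], "urls": ["files.example/downloads"]},
}

def domain_hit(host, entries):
    """A domains entry matches the host itself and any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in entries)

def url_hit(hostpath, entries):
    """A urls entry matches that host/path and everything below it."""
    return any(hostpath == u or hostpath.startswith(u + "/") for u in entries)

def classify(url):
    """Return the first blocked category matching the URL, or None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    hostpath = host + parts.path.rstrip("/")
    for cat in BLOCKED:
        lists = LISTS.get(cat, {"domains": [], "urls": []})
        if domain_hit(host, lists["domains"]) or url_hit(hostpath, lists["urls"]):
            return cat
    return None

def rewrite(url):
    """Answer Squid's url_rewrite request: the block page on a hit, the
    unchanged URL otherwise (real squidGuard sends an empty line for pass)."""
    return REDIRECT if classify(url) else url
```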

Create the blacklist update script

cd /usr/local/bin/  
vi ProxyGuardUpdate.sh  

Paste the following code (the shebang must be the very first line of the file):

#!/bin/sh
###############################################################
# Download the Shalla blacklists, rebuild the squidGuard databases
# and tell Squid to reload. Aborts before touching the live database
# if the download or the extraction fails.
squidGuardpath="/usr/bin/squidGuard"
squidGuardconf="/etc/squid/squidGuard.conf"   # as referenced in squid.conf
squidpath="/usr/sbin/squid3"
tarpath="/bin/tar"
chownpath="/bin/chown"
dbhome="/var/lib/squidguard/db"     # like in squidGuard.conf
squidGuardowner="proxy:proxy"
workdir="/var/lib/squidguard/tmp"
httpget="/usr/bin/wget"
shallalogs="/var/log/squid3/shalla.log"
shallaurl="http://squidguard.shalla.de/Downloads"
####################################
if [ ! -d "$workdir" ]; then
  mkdir -p "$workdir"
fi

if [ ! -f "$tarpath" ]; then
  echo "Could not locate tar."
  exit 1
fi

if [ ! -f "$chownpath" ]; then
  echo "Could not locate chown."
  exit 1
fi

if [ ! -d "$dbhome" ]; then
  echo "Could not locate squid db directory, creating it."
  mkdir -p "$dbhome"
fi

cd "$workdir" || exit 1
# download latest file - overwrite any existing file
echo 'Downloading new blacklists ...'
if ! "$httpget" -N "$shallaurl/shallalist.tar.gz" -a "$shallalogs"; then
  echo "Download failed, keeping the current databases."
  exit 1
fi
# extract blacklists into $workdir/BL
if ! "$tarpath" zxf shallalist.tar.gz; then
  echo "Archive is corrupt, keeping the current databases."
  exit 1
fi
echo 'New list downloaded'
# remove old databases
rm -Rf "$dbhome"/*
# copy blacklists to db home
cp -R "$workdir"/BL/* "$dbhome"
# build domains + urls db, then change ownership to squid user
echo 'Build databases ...'
"$squidGuardpath" -c "$squidGuardconf" -C all
echo 'Database builds complete'
"$chownpath" -R "$squidGuardowner" "$dbhome"
"$squidpath" -k reconfigure
echo 'Squid Proxy Server reconfigured'
rm -Rf "$workdir"
echo "done!"
###############################################################

Make the script executable (plain execute permission is all it needs; a setuid bit has no effect on a shell script)

chmod 750 ProxyGuardUpdate.sh

Run the script (as root, since it writes to /var/lib/squidguard)

ProxyGuardUpdate.sh

You should see output like this:

Downloading new blacklists ...  
New list downloaded  
Build databases ...  
Database builds complete  
Squid Proxy Server reconfigured  
done!  

Start Squid server

/etc/init.d/squid3 start

GRE / WCCP

On Ubuntu or Debian it is very easy to create a GRE tunnel.

cd /etc/network

Add the following to the interfaces configuration file (/etc/network/interfaces). The remote address is the router's Loopback0, the local address is the Squid server:

auto gre1  
iface gre1 inet static  
address 127.0.0.2  
netmask 255.255.255.255  
pre-up ip tunnel add gre1 mode gre remote 172.16.100.32 local 10.10.100.8 dev eth0  
post-down ip tunnel del gre1  

Alright, now we need to redirect the www traffic that arrives from the WCCP router on the gre1 interface to the Squid proxy, using iptables.
Here is my simple configuration in /etc/default/iptables (iptables-restore format):

# /etc/default/iptables
# Allow in everything, from everywhere
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Reroute HTTP requests to the proxy server
-A PREROUTING -i gre1 -d 0/0 -p tcp -j DNAT --to-destination 10.10.100.8:3128
COMMIT  

Remember to make the script that loads this ruleset executable

chmod 755 /usr/local/bin/wccp_squid

You can run it as a startup script or call it from /etc/rc.local:
open the /etc/rc.local file and add /usr/local/bin/wccp_squid before the exit 0 line.
The last thing we need is a cron job that runs ProxyGuardUpdate.sh once a week

crontab -e  

Add the following line

0 0 * * 0 sh /usr/local/bin/ProxyGuardUpdate.sh >> /var/log/squid3/updateslog

Now we are ready to configure the router.

SSH to your router or use the console. Here is my working WCCP configuration:

ip wccp check services all  
ip wccp outbound-acl-check  
ip wccp web-cache redirect-list 125 group-list 10 mode closed password xxxxxxxxxxxx
!
interface Loopback0  
ip address 172.16.100.32 255.255.255.255  
no ip redirects  
!
interface BVI100  
description LAN  
ip address 10.10.100.1 255.255.255.0  
no ip redirects  
no ip unreachables  
no ip proxy-arp  
ip wccp web-cache redirect in  
ip nat inside  
ip virtual-reassembly  
!
EZ#show ip access-lists 10  
Standard IP access list 10  
    10 permit 10.10.100.8
!
EZ#show ip access-lists 125  
Extended IP access list 125  
    10 deny ip host 10.10.100.8 any
    20 permit tcp 10.10.100.0 0.0.0.255 any eq www
    30 permit tcp 10.10.100.0 0.0.0.255 any eq 443
    40 permit tcp 10.10.10.0 0.0.0.255 any eq 443
    50 permit tcp 10.10.10.0 0.0.0.255 any eq www
    60 deny ip any any
!

Basically, ACL 10 (the group-list) only allows the Squid server to join the WCCP service group on the router.
In ACL 125 (the redirect-list) we first deny the Squid server itself, otherwise you get a www loop from the router to Squid and from Squid back to the router; then we allow the internal networks to be redirected on ports 80 and 443 (note that the standard web-cache service only intercepts TCP port 80, so the 443 entries have no effect with this service).
As you noticed, I used Loopback0 as the router end of the GRE tunnel to the Squid server.
Note that the password shown as xxxxxxxxxxxx must match the password in the squid.conf file.

Good Luck!

Hassan El-Masri

Network Consultant Engineer
