Cisco ASA and Squid WCCP on Ubuntu

In order to use WCCP with Squid it must be built with WCCP support. Unfortunately the package you get from apt-get install squid (or squid3) doesn’t support WCCP out of the box, so it has to be BUILT FROM SOURCE.

Assuming you’ve built Squid with WCCP support (using my guide or not), the following is how to get WCCP working between a Cisco ASA and Squid on Ubuntu.

There is a huge gotcha with the Cisco ASA: it only supports GRE forwarding, and the clients and Squid have to be behind the same interface, i.e. in the same subnet. You can get around this by using multiple dynamic service instances, but for most of my audience I don’t think this is a problem. If I get requests for instructions on that perhaps I’ll look into it.

Here are the variables I’m working with:
LAN: 192.168.10.0/24
ASA LAN IP Address: 192.168.10.1
SQUID eth0 IP Address: 192.168.10.80

#1. Configure the ASA:
CLI:

access-list WCCP_SERVERS extended permit ip host 192.168.10.80 any
access-list LAN_WCCP_REDIRECT extended permit tcp 192.168.10.0 255.255.255.0 any eq www
wccp web-cache redirect-list LAN_WCCP_REDIRECT group-list WCCP_SERVERS password *****
wccp interface LAN web-cache redirect in

Access-list names on the ASA are case-sensitive, so the names on the wccp line must match the access-list lines exactly. The password is the one Squid will present in its WCCP messages, so it has to match squid.conf (below). Most guides will tell you that you also need to deny the Squid LAN IP in the redirect list, but that’s not true: the ASA excludes traffic from the registered cache engine automagically.

#2. Configure Squid:
Add the following to /etc/squid/squid.conf (the password must be the same one configured on the ASA):

http_port 3129 intercept
wccp2_router 192.168.10.1
wccp2_forwarding_method gre
wccp2_return_method gre
wccp2_service standard 0 password=*****

Reconfigure squid to use the new config:

squid -k reconfigure

Now here’s an important part that almost all guides fail to mention. Once Squid starts talking WCCP to it, the ASA picks a Router Identifier, which is the address of its highest-addressed interface and is not necessarily the LAN address. You need to get that Router Identifier from the ASA:

show wccp

For our purposes let’s say that Router Identifier is 192.168.254.1

We need to create a script that runs when eth0 comes up and creates the GRE interface, relaxes reverse-path filtering so the decapsulated client packets are accepted, and redirects the tunnelled port 80 traffic to Squid’s intercept port. So let’s create the following file:
vi /etc/network/if-up.d/wccp.sh

#!/bin/bash
# Run only for eth0; $IFACE is set by ifupdown when it calls the script.
if [ "$IFACE" == "eth0" ]; then
    modprobe ip_gre
    # GRE tunnel to the ASA's Router Identifier (not its LAN IP), sourced from our LAN address.
    ip tunnel add wccp0 mode gre remote 192.168.254.1 local 192.168.10.80 dev eth0
    ifconfig wccp0 192.168.10.80 netmask 255.255.255.255 up
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # The kernel applies max(conf/all, conf/<iface>) for rp_filter, so "all" must be 0 as well;
    # Ubuntu sets it to 1 by default and the client packets arriving on wccp0 would be dropped.
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/wccp0/rp_filter
    # Hand the tunnelled port 80 traffic to Squid's intercept port.
    iptables -t nat -A PREROUTING -i wccp0 -p tcp --dport 80 -j REDIRECT --to-port 3129
fi

Notice that I use the Router ID, not the LAN IP, for the tunnel’s remote address.

Finally, we need to tell the system to run that script when eth0 comes up. Make the script executable first (chmod +x /etc/network/if-up.d/wccp.sh), then edit the interfaces file (/etc/network/interfaces) and include the following line under the iface eth0 inet stanza:

post-up /etc/network/if-up.d/wccp.sh

You should now be able to restart networking (or just reboot the system) and it should be working. To confirm, run show wccp on the ASA again and check that the web-cache service now shows a cache engine registered.
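As an added example (not part of the original post), here is a small set of bash helpers for the two steps above that are easy to get wrong: pulling the Router Identifier out of saved show wccp output, and checking the rp_filter value the kernel will actually apply to an interface. It assumes the same addresses as the post (192.168.254.1 as Router ID, 192.168.10.80 for Squid); the function names and the sample show wccp text are mine and the sample is constructed, with only its Router Identifier line relied on.

```shell
#!/bin/bash
# Added example, not from the original post. Helpers for the two places the
# WCCP setup above goes wrong in practice:
#  - the GRE tunnel must point at the ASA's Router Identifier (from
#    `show wccp`), not its LAN address;
#  - Linux applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so
#    zeroing only eth0 and wccp0 does nothing while conf/all/rp_filter is 1
#    (Ubuntu ships it as 1 in /etc/sysctl.d/10-network-security.conf).
# Function names and the sample `show wccp` text below are constructed.

# Pull the Router Identifier out of saved `show wccp` output (stdin).
wccp_router_id() {
    awk -F': *' '/Router Identifier:/ { print $2; exit }' | tr -d ' \r'
}

# Effective reverse-path filter for interface $1. $2 overrides the conf
# root so the check can run against a constructed tree instead of /proc.
effective_rp_filter() {
    local iface=$1 root=${2:-/proc/sys/net/ipv4/conf} all_v iface_v
    all_v=$(cat "$root/all/rp_filter" 2>/dev/null || echo 0)
    iface_v=$(cat "$root/$iface/rp_filter" 2>/dev/null || echo 0)
    [ "$all_v" -gt "$iface_v" ] && echo "$all_v" || echo "$iface_v"
}

# Print the commands that build the tunnel for a given Router ID and local
# IP, so the addresses are substituted in one place rather than hand-edited.
wccp_tunnel_cmds() {
    local router_id=$1 local_ip=$2 dev=${3:-eth0} tun=${4:-wccp0}
    cat <<EOF
modprobe ip_gre
ip tunnel add $tun mode gre remote $router_id local $local_ip dev $dev
ip addr add $local_ip/32 dev $tun
ip link set $tun up
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$dev.rp_filter=0
sysctl -w net.ipv4.conf.$tun.rp_filter=0
iptables -t nat -A PREROUTING -i $tun -p tcp --dport 80 -j REDIRECT --to-port 3129
EOF
}

# Constructed stand-in for `show wccp` output (not a real capture); only the
# Router Identifier line is relied on.
sample_show_wccp() {
    cat <<'EOF'
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.254.1
        Protocol Version:                    2.0
EOF
}

# Demo against the sample; on the real box pipe the saved ASA output instead.
rid=$(sample_show_wccp | wccp_router_id)
echo "Router Identifier: $rid"
echo "effective rp_filter on eth0 right now: $(effective_rp_filter eth0)"
wccp_tunnel_cmds "$rid" 192.168.10.80
```

If effective_rp_filter prints 1 for wccp0 after the if-up script has run, conf/all/rp_filter is still set and the tunnelled packets are being dropped before Squid ever sees them.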

Install Squid 3.5 from Source on Ubuntu 16.04

The following assumes a fresh install of Ubuntu 16.04.1 LTS.

First I’m going to enable the source repositories in apt’s sources.list so that apt-get build-dep can pull in Squid’s build dependencies automatically.

sed -i 's/# deb-src/deb-src/g' /etc/apt/sources.list

Now I’m going to fully update the OS:

apt-get update
apt-get -y dist-upgrade
reboot

Next I would normally install the Hyper-V tools because my Squid is going to be on a Hyper-V VM; if you’re not using Hyper-V you can skip this:

apt-get -y install --install-recommends linux-virtual-lts-xenial linux-tools-virtual-lts-xenial linux-cloud-tools-virtual-lts-xenial

Now build the squid dependencies:

apt-get build-dep squid

At the time of this writing the latest stable version is 3.5.24, so download it. Building from source means you lose the signature check apt would have done for you, so verify the tarball against the detached PGP signature (.asc) that squid-cache.org publishes next to it before you build:

wget http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.24.tar.gz

extract it:

tar -xzf squid-3.5.24.tar.gz
cd squid-3.5.24

Now we need to configure and build it. In my case I wanted to add support for WCCP, which is why I needed to build from source. Below are the configure options Ubuntu’s own squid package is built with (the same list squid -v prints for the packaged binary); modify them if you need/want:

./configure '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,smb_lm' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,unix_group,wbinfo_group' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--enable-build-info=Ubuntu linux' '--enable-linux-netfilter' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security'

In my case I was perfectly happy with the Ubuntu defaults, so I just added '--enable-wccpv2' to that list of configure options in order to support WCCP.

Now you can make and install it:

make
make install

You can also optionally install the pinger:

make install-pinger

Now that Squid is installed you need to set some permissions:

chown -R proxy:proxy /etc/squid /var/log/squid

Those are the minimum permissions to set; if you plan on caching, also chown your cache directory. Note that Squid only needs to read its configuration, while it must be able to write to /var/log/squid. If you’d rather the proxy user not be able to rewrite Squid’s own config, leave /etc/squid owned by root with read permission for proxy and chown only the log (and cache) directories.

Now, in order to get Squid to start at boot, copy the unit file from the source tree into systemd’s directory and enable it (run systemctl daemon-reload after copying so systemd picks up the new unit):

cp ./tools/systemd/squid.service /etc/systemd/system/
systemctl enable squid

I suggest restarting the system at this point and verify everything comes up nicely.
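As an added example (not from the original post), here are two bash checks for the build above: one compares the downloaded tarball against a SHA-256 you obtained out of band, the other parses squid -v to confirm that the binary on PATH was really built with a given configure flag, matching the single-quoted form in which squid -v prints the options (as in the long option list above). The function names and the sample squid -v text are mine; the sample is constructed and no real Squid checksum is embedded.

```shell
#!/bin/bash
# Added example, not from the original post. Two checks for a from-source
# Squid build: (1) verify_tarball compares the downloaded archive against
# a SHA-256 obtained out of band (the digest is a caller-supplied argument,
# not a real Squid checksum); (2) squid_has_option reads `squid -v`, which
# prints the configure options single-quoted exactly as passed, and confirms
# a given flag (e.g. --enable-wccpv2) is present, catching a stale packaged
# binary that is still first on PATH. Function names and the sample text
# are constructed.

# SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# $1 = tarball path, $2 = expected hex digest.
# Returns 0 on match, 1 on mismatch, 2 if the file is unreadable.
# Compared case-insensitively since digests are often copied in upper case.
verify_tarball() {
    local actual expected
    [ -r "$1" ] || return 2
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# stdin = output of `squid -v`, $1 = configure flag to look for.
# Matches the quoted token, so --enable-wccp does not pass for a
# --enable-wccpv2 build (or vice versa).
squid_has_option() {
    grep '^configure options:' | grep -qF -- "'$1'"
}

# stdin = output of `squid -v`; prints just the version number.
squid_version() {
    awk '/^Squid Cache: Version/ { print $4; exit }'
}

# Constructed sample of `squid -v` output for a WCCP-enabled build (the real
# Ubuntu option list is far longer; see the configure line above).
sample_squid_v() {
    cat <<'EOF'
Squid Cache: Version 3.5.24
Service Name: squid
configure options:  '--build=x86_64-linux-gnu' '--prefix=/usr' '--enable-linux-netfilter' '--enable-wccpv2'
EOF
}

# Demo against the sample; on a real host pipe `squid -v` in instead.
if sample_squid_v | squid_has_option --enable-wccpv2; then
    echo "sample build $(sample_squid_v | squid_version) has WCCPv2 support"
else
    echo "sample build lacks WCCPv2 support"
fi
```

After make install, squid -v | squid_has_option --enable-wccpv2 is the quickest way to tell whether the binary you are about to start is the one you just built or the packaged one that apt may have left in a different prefix.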