On Sun, 17 Apr 2011 23:21:44 +0600, AZHAR CHOWDHURY wrote:
> Hi Amos,
> OK, it was my fault that I posted before run in real network with
> WCCP. We are running Squid+tproxy under Policy Based routing without
> any major trouble (pls see below of problem are we facing).
> This week we will move squid from PBR to Wccp. The mentioned example
> based on vlan dot1q, let me dig with cisco and will raise if face any
> problem.
>
> 1. If we run squid with default conf file, we got cache host name in
> "www.whatismyip.com", to avoid that we added following in squid.conf
> file:
> forwarded_for off
I think "forwarded_for" should be enough.
Possibly also "via off". Though that is not usually required for
hotmail (may have changed, the last good analysis was a year or so ago).
<snip>
>
> Now, there is no cache/squid host name in "whatismyip.com", but in
> hotmail/live.com's email service inbox no message open, it's shown
> a error that another ip accessing the same page.
Does it say which one? Are you absolutely certain that TPROXY is
working? (this error will appear when WCCP is active but TPROXY fails).
> I guess we need to add another "request_header_access" rule, any clue
> on it.
> Is "http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html" the
> final
> list of all HEADER LIST?
Hotmail with WCCP pretty much requires TPROXY to be working.
Alternatively if your client machine is a Windows box using IPv6 to
talk to Squid-3.1. Windows will by default choose to use "privacy" IPs
which rotate through time-based cryptographic hashes embeded in the IP
address. As often as every 15 minutes, not retaining one for more than
90 minutes at a stretch. That will show up in the X-Forwarded-For.
Setting "forwarded_for transparent" will prevent the proxy IP being
inserted.
Setting "forwarded_for delete" will erase the header entirely and
prevent the "privacy" address from breaking the hotmail-end checks.
Other things to check:
* Check that "balance_on_multiple_ip" is turned OFF in squid.conf. In
3.1 this is the default, but you may have an older config from when it
was default to being in the file and set on.
What that does is make Squid send each request to a different remote
server hosting the website. Hotmail require all traffic to arrive at
consistent receiving servers. They appear not to care of HTTPS and HTTP
go to different ones, but it has to be consistently going to the same
place.
>
> 2. What is safe filedescriptors value I should use?
>
Depends on you and your OS. Anything below 16 million appears safe on
Linux.
Amos
Received on Mon Apr 18 2011 - 03:37:26 MDT
This archive was generated by hypermail 2.2.0 : Mon Apr 18 2011 - 12:00:03 MDT