[RFC] Breaking forwarding loops in transparent proxies

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Fri, 26 Jun 2009 11:59:49 -0600

Hello,

    Squid detects forwarding loops in most configurations, but breaks
them (using a customizable HTTP_FORBIDDEN response) only when working as
an accelerator. Squid does not break loops when working as a transparent
proxy. Interestingly enough, the breaking code comment (in the patch
below) says that both cases are covered. Perhaps the exclusion of
transparent mode was not done on purpose.

I understand that forwarding loops in a transparent environment are
usually caused by misconfiguration. However, when an admin is unable to
fix the problem promptly, should not we help her by breaking the loop?

Please note that a persistent loop is going to be broken anyway, when
the Via and X-Forwarded-For headers exceed the header size limit, but that
wastes a lot of resources and may also crash Squid.

Should we break forwarding loops in transparent mode?

Thank you,

Alex.

=== modified file 'src/client_side_reply.cc'
--- src/client_side_reply.cc 2009-04-10 09:23:50 +0000
+++ src/client_side_reply.cc 2009-06-24 20:33:37 +0000
@@ -640,7 +640,8 @@
     /*
      * Deny loops when running in accelerator/transproxy mode.
      */
- if (http->flags.accel && r->flags.loopdetect) {
+ if (r->flags.loopdetect &&
+ (http->flags.accel || http->flags.transparent)) {
         http->al.http.code = HTTP_FORBIDDEN;
         err =
             clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, NULL,
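Review bot: the widened condition reuses the accelerator reply unchanged (the context lines right after the new "if" still set HTTP_FORBIDDEN and build ERR_ACCESS_DENIED), so in the visible lines nothing distinguishes a broken forwarding loop from an ordinary access denial for an intercepted client. Since the admin is the one who has to find the misconfiguration, consider logging the detected loop at this point or building a loop-specific error page instead of the generic one. The comment above the "if" says "accelerator/transproxy" while the code tests http->flags.accel and http->flags.transparent; naming the two flags there would keep comment and condition in sync. As a style point, the continuation line "(http->flags.accel || http->flags.transparent)) {" should be indented to line up under r->flags.loopdetect.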
Received on Fri Jun 26 2009 - 17:59:54 MDT
