Re: Is it a loop bug or not? Sorry missing part.

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Sun, 10 Feb 2013 22:13:27 +0200

On 2/2/2013 6:23 AM, Amos Jeffries wrote:
> On 2/02/2013 1:42 p.m., Eliezer Croitoru wrote:
>> On 2/2/2013 2:35 AM, Eliezer Croitoru wrote:
<SNIP>
>> Sorry missing part.
>>
>> When I am using it as a forward proxy and use the URL to the
>> intercept port 3127 I'm getting into a loop:
>> accessing: http://www1.home:3127/squid-internal-mgr/menu
>>
>> 1359765678.173 88894 192.168.10.100 TCP_MISS_ABORTED/000 0 GET
>> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
>> 1359765678.269 88966 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
>> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
>> ........ same miss abort for a very very long time =\
>>
>
> Ah. Interesting. The pattern is that it is supposed to be just the
> visible_hostname value plus the internal manager path.
>
> When you add port it breaks the visible_hostname to URL matching and
> Squid relays it onwards to what it thinks is the origin server.
>
> You should have the intercept port listened on by Squid firewalled so
> direct connections to it cannot succeed. If you are using DROP to do
> that you will see these timeouts, if you are using REJECT you will get a
> fast fail result. If you don't have it firewalled properly the loop
> detection in Squid should kick in.
>
>
> PS. we had a proposal a while back to do visible_hostname matching per
> listening port. But this breaks forwarding loop detection a bit.
>
>
> Amos
I have tried trunk with the following rules as a safety measure and it seems to work fine.
##start conf
# name= lets the myportname ACL refer to each listening port
http_port 0.0.0.0:3127 intercept name=intercept
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129 tproxy name=tproxy

acl intercept_ports myportname intercept tproxy

# manager requests arriving on the intercept/tproxy ports are refused
# before any forwarding can happen
http_access deny manager intercept_ports
http_access allow manager localhost
http_access deny manager
##end conf

The main problem is that squid tries to connect to the local intercept port.
In this case specifically I can use iptables to block traffic from
localhost to localhost on the dst port of 3127 or 3128 but it still
causes an almost endless loop that tries to connect again and again, not
related to iptables but to squid loop prevention.

I think that squid should be by default able to detect a loop with this
specific "character".

And as an example of what it does:

1360526890.476 262596 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
1360526890.803 262921 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
1360526891.139 263254 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
1360526891.474 263575 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -

I think this log speaks for itself pretty well.

The only ways to stop squid from retrying these are a reload or restart,
but reloading does not stop the main issue, which is the mem + FD + cpu
consumption (various situations).

What do you think? A warning in docs is good enough or fixing it?

Regards,

-- 
Eliezer Croitoru
http://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
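The access.log excerpts above show the signature of this loop from the log's point of view: Squid repeatedly hands the same URL to HIER_DIRECT/127.0.0.1, i.e. to itself, and each attempt ends in TCP_MISS_ABORTED/000 after a long elapsed time (the DROP-style timeout Amos mentions). The following script is an added example for this archive page, not code from the thread or from the Squid project: it parses native-format access.log lines and reports URLs that Squid forwarded to a loopback next hop more than a threshold number of times, so an operator can spot the condition before it eats memory, FDs and CPU. The sample lines are constructed from the entries quoted in the thread plus one ordinary benign request; the loopback set, the threshold and the output layout are assumptions of this example.

```python
import re
from collections import Counter

# Native Squid access.log layout, one entry per line:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Addresses on which a next hop means "Squid is talking to itself" (assumption).
LOOPBACK = {"127.0.0.1", "::1"}


def parse_line(line):
    """Split one native-format access.log line into a dict; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["elapsed"] = int(entry["elapsed"])   # milliseconds
    entry["status"] = int(entry["status"])
    return entry


def self_forwarded(entry):
    """True when Squid went HIER_DIRECT to a loopback address, i.e. forwarded to itself."""
    return entry["hier"] == "HIER_DIRECT" and entry["peer"] in LOOPBACK


def find_loops(lines, min_hits=3):
    """Return {url: summary} for URLs Squid forwarded to itself at least min_hits times.

    summary holds the hit count, the longest elapsed time seen (a large value
    points at DROP-style firewalling of the intercept port rather than REJECT)
    and whether the URL is a cache-manager request.
    """
    hits = Counter()
    worst = {}
    for line in lines:
        e = parse_line(line)
        if e is None or not self_forwarded(e):
            continue
        hits[e["url"]] += 1
        worst[e["url"]] = max(worst.get(e["url"], 0), e["elapsed"])
    return {
        url: {
            "hits": n,
            "max_elapsed_ms": worst[url],
            "manager": "/squid-internal-mgr/" in url,
        }
        for url, n in hits.items()
        if n >= min_hits
    }


# Constructed sample: the entries quoted in the thread, rejoined onto single
# lines as they appear in a real access.log, plus one benign request.
SAMPLE_LINES = [
    "1359765678.173 88894 192.168.10.100 TCP_MISS_ABORTED/000 0 GET "
    "http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -",
    "1360526890.476 262596 127.0.0.1 TCP_MISS_ABORTED/000 0 GET "
    "http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -",
    "1360526890.803 262921 127.0.0.1 TCP_MISS_ABORTED/000 0 GET "
    "http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -",
    "1360526891.139 263254 127.0.0.1 TCP_MISS_ABORTED/000 0 GET "
    "http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -",
    "1360526891.474 263575 127.0.0.1 TCP_MISS_ABORTED/000 0 GET "
    "http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -",
    # benign: a LAN client fetching an ordinary origin (TEST-NET address, constructed)
    "1360526900.000 12 192.168.10.100 TCP_MISS/200 1532 GET "
    "http://example.com/ - HIER_DIRECT/203.0.113.10 text/html",
]

if __name__ == "__main__":
    for url, info in find_loops(SAMPLE_LINES).items():
        print(f"possible forwarding loop: {url} hits={info['hits']} "
              f"max_elapsed_ms={info['max_elapsed_ms']} manager={info['manager']}")
```

Run it against a live log with `find_loops(open("/var/log/squid/access.log"))`; a hit on a manager URL with a multi-minute `max_elapsed_ms` is exactly the pattern discussed here, and the fix on the Squid side is the `http_access deny manager intercept_ports` rule above together with a firewall rule that rejects (rather than drops) direct connections to the intercept port.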
Received on Sun Feb 10 2013 - 20:14:22 MST
