Re: Is it a loop bug or not? Sorry missing part.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 12 Feb 2013 12:25:29 +1300

On 11/02/2013 9:13 a.m., Eliezer Croitoru wrote:
> On 2/2/2013 6:23 AM, Amos Jeffries wrote:
>> On 2/02/2013 1:42 p.m., Eliezer Croitoru wrote:
>>> On 2/2/2013 2:35 AM, Eliezer Croitoru wrote:
> <SNIP>
>>> Sorry missing part.
>>>
>>> When I am doing it using as forward proxy and use the url to the
>>> intercept port 3127 i'm getting into a loop:
>>> accessing: http://www1.home:3127/squid-internal-mgr/menu
>>>
>>> 1359765678.173 88894 192.168.10.100 TCP_MISS_ABORTED/000 0 GET
>>> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
>>> 1359765678.269 88966 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
>>> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
>>> ........ sme miss abort for a very very long time =\
>>>
>>
>> Ah. Interesting. The pattern is that it is supposed to be just the
>> visible_hostname value plus the internal manager path.
>>
>> When you add port it breaks the visible_hostname to URL matching and
>> Squid relays it onwards to what it thinks is the origin server.
>>
>> You should have the intercept port listened on by Squid firewalled so
>> direct connections to it cannot succeed. If you are using DROP to do
>> that you will see these timeouts, if you are using REJECT you will get a
>> fast fail result. If you don't have it firewalled properly the lopo
>> detectino in Squid should kick in.
>>
>>
>> PS. we had a proposal a while back to to visible_hostname matching per
>> listening port. But this breaks forwarding loop detection a bit.
>>
>>
>> Amos
> I have tried trunk for the next rules as a safety and it seems to work
> fine.
> ##start conf
> http_port 0.0.0.0:3127 intercept name=intercept
> http_port 0.0.0.0:3128
> http_port 0.0.0.0:3129 tproxy name=tproxy
>
> acl intercept_ports myportname intercept tproxy
>
> http_access deny manager intercept_ports
> http_access allow manager localhost
> http_access deny manager
> ##end conf
>
> The main problem is that squid tries to connect the local intercept port.
> In this case specifically I can use iptables to block traffic from
> localhost to localhost on the dst port of 3127 or 3128 but it stil
> causes and almost endless loop that tries to connect again and again
> not related to iptables but to squid loop prevention.
>
> I think that squid should be by default able to detect a loop with
> this specific "character".
>
> And as an example to what it does:
>
> 1360526890.476 262596 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
> 1360526890.803 262921 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
> 1360526891.139 263254 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
> 1360526891.474 263575 127.0.0.1 TCP_MISS_ABORTED/000 0 GET
> http://www1.home:3127/squid-internal-mgr/menu - HIER_DIRECT/127.0.0.1 -
>
> I think this logs talks for itself pretty well.
>
> The only ways to stop squid from retrying these is by reload or restart.
> but reloading is not stopping the main issue which is the mem + FD +
> cpu consumption(various situations).
>
> What do you think? A warning in docs is good enough or fixing it?
>
> Regards,

What are via and visible_hostname configured to in your Squid? (or in
your /etc/resolv.conf for hostname)

Amos
Received on Mon Feb 11 2013 - 23:25:35 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 12 2013 - 12:00:12 MST