Re: Suggestion

From: kendall <kendall@dont-contact.us>
Date: Wed, 10 Dec 1997 16:24:15 +1100 (EST)

-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 9 Dec 1997, Henrik Nordstrom wrote:

> * Clients giving various malformed/strange requests
> * Servers responding in strange/inconsistent ways

this is hardly the result of a controlled environment (quite the opposite
at times around here, i'm afraid), however: i have just been confronted with
a problem involving the following setup:

[..warning: this gets technical (or at least convoluted...)..]

 - linux 2.0.31 server with ip address 203.29.72.50
 - second host ip 203.29.72.51 aliased to host server using linux ip alias
 - apache 1.2 virtual host set up on second host 203.29.72.51
 - squid 1.1.17 running as per norm
 - tproxy directing all requests for 0.0.0.0/0 80 to squid, i.e.

      ipfwadm -I -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 80 -P tcp -r 81
      in.tproxyd -s 81 -r system 203.29.72.50 3128

 - an ipfw rule over-riding that to accept directly all requests for
   our main web server, i.e.

      ipfwadm -I -a acc -D 203.29.72.50 80 -P tcp

now, i only put the last rule in because it seemed to make sense to not
send local requests for local pages through our proxy. however, what i
didn't consider was that the rules as they stand were dangerously
general - this only became clear when i noticed squid complaining about a
loop, and that we had about 100 in.tproxys running.

gurus reading this have probably realised already, but the loops were caused
by requests for our virtual server, which i hadn't thought to except from
the broad redirection rules.

so, in case someone else is wondering where all those loop errors are coming
from, make sure that you are a little careful about exactly what you
redirect to squid... obviously, don't try to redirect requests for your
local server. i guess i'm just lucky i accidentally avoided this for our
main 'real' web server...

by the way, the solution is a second acceptance rule:

      ipfwadm -I -a acc -D 203.29.72.51 80 -P tcp

my question (finally) is: why do i need these exception rules?

the way i figure it, a request for our local server comes in from a dial-up
(ppp connected) machine, and gets redirected through tproxy to squid. why
does this cause problems?

- --
    If you could read fast enough, this would be a subliminal message...
  Kendall Lister, Systems Operator for Charon I.S. - kendall@charon.net.au
  Charon Information Services - Friendly, Cheap Internet Access: 9589 6055
              'Verse & Prose' - http://kendall.charon.net.au/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by mkpgp2.1, a Pine/PGP interface.

iQCVAwUBNI4nYOz9jt33pOIpAQGM+gP+MRnqMf1qI7RiQ+JCiXEbJ5m+vRK5Y++T
PYEi4RkLCMufKbjANyLLD30y3yjLdp3pPigfddevXpl1gCZnQ9bAKJY5ce3dQxTN
fW+GkKQuvS2n3gbvDGZFdbdfoREWHqlXhS9PMiCC/9uQV2oHJzz8gJ5/srp/VodZ
steGNdokQIs=
=WzlO
-----END PGP SIGNATURE-----
Received on Tue Dec 09 1997 - 21:27:22 MST
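The loop in the post can be reproduced on paper before any rule is loaded. The Python below is an added example, not code from the post, from Squid or from ipfwadm: it parses the `ipfwadm -I -a ...` lines quoted in the message, evaluates the input chain the way ipfwadm does (first matching rule wins, which is why the exception rules are placed ahead of the catch-all here), and traces one client request through redirection. The model assumes that a connection squid opens to one of the host's own addresses is delivered over loopback and therefore passes through the input chain again; that is the mechanism behind the loop the post describes. The client address, the function names and the `unexcepted_local_targets` pre-load check are my own constructions.

```python
"""Model of the ipfwadm transparent-proxy chain from the post and the loop it produced.

Constructed example: a minimal parser for the quoted `ipfwadm -I -a ...` lines, a
first-match evaluator for the input chain, and a tracer that follows one request
through redirection so the loop shows up before the rules reach a real host.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses and ports taken from the post; the dial-up client address is constructed.
SERVER_ADDR = "203.29.72.50"                    # main host, where squid runs
LOCAL_ADDRS = {"203.29.72.50", "203.29.72.51"}  # every address this box answers for
CLIENT_ADDR = "203.29.72.99"                    # constructed: a dial-up client


@dataclass
class Rule:
    policy: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    proto: str
    redirect: Optional[int]  # -r PORT: hand the connection to a local port (tproxyd)


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def parse_ipfwadm(cmd):
    """Parse the subset of ipfwadm input-chain syntax used in the post."""
    toks = cmd.split()
    if toks[:3] != ["ipfwadm", "-I", "-a"]:
        raise ValueError("only 'ipfwadm -I -a <policy> ...' is modelled")
    rule = Rule(toks[3], _net("0.0.0.0/0"), _net("0.0.0.0/0"), None, "all", None)
    i = 4
    while i < len(toks):
        flag = toks[i]
        if flag in ("-S", "-D"):
            net, i = _net(toks[i + 1]), i + 2
            port = None
            if i < len(toks) and toks[i].isdigit():  # optional port after the address
                port, i = int(toks[i]), i + 1
            if flag == "-S":
                rule.src = net                    # source ports are ignored in this model
            else:
                rule.dst, rule.dport = net, port
        elif flag == "-P":
            rule.proto, i = toks[i + 1], i + 2
        elif flag == "-r":
            rule.redirect, i = int(toks[i + 1]), i + 2
        else:
            raise ValueError(f"unsupported option {flag}")
    return rule


def first_match(chain, src, dst, dport, proto="tcp"):
    """ipfwadm applies the first rule that matches; None means nothing matched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if rule.proto not in ("all", proto):
            continue
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule
    return None


def trace_request(chain, client, dst, dport=80, max_hops=5):
    """Follow one TCP connection through the input chain; returns (hops, looped).

    A redirected connection is answered by squid, which then opens its own
    connection to the original destination. If that destination is one of this
    host's addresses, the new connection arrives over loopback and is checked
    against the same input chain again (model assumption, matching the post).
    """
    hops, src = [], client
    for _ in range(max_hops):
        rule = first_match(chain, src, dst, dport)
        if rule is None or rule.redirect is None:
            hops.append(f"{src} -> {dst}:{dport} delivered to the web server")
            return hops, False
        hops.append(f"{src} -> {dst}:{dport} redirected to local port {rule.redirect} (squid)")
        if dst not in LOCAL_ADDRS:
            hops.append(f"squid fetches {dst}:{dport} from the remote origin server")
            return hops, False
        src = SERVER_ADDR  # squid's own fetch, sourced from the proxy host
    return hops, True      # still being redirected after max_hops: a loop


def unexcepted_local_targets(chain, local_addrs=LOCAL_ADDRS, dport=80):
    """Pre-load check: local addresses whose port-80 traffic from squid itself is redirected."""
    return sorted(a for a in local_addrs
                  if (r := first_match(chain, SERVER_ADDR, a, dport)) and r.redirect is not None)


# The chain as first loaded in the post: only the main server is excepted.
ORIGINAL_CHAIN = [parse_ipfwadm(c) for c in (
    "ipfwadm -I -a acc -D 203.29.72.50 80 -P tcp",
    "ipfwadm -I -a accept -S 0.0.0.0/0 -D 0.0.0.0/0 80 -P tcp -r 81",
)]
# The chain with the second exception for the virtual host added.
FIXED_CHAIN = [parse_ipfwadm("ipfwadm -I -a acc -D 203.29.72.51 80 -P tcp")] + ORIGINAL_CHAIN

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL_CHAIN), ("fixed", FIXED_CHAIN)):
        print(f"== {name} chain; unexcepted local targets: {unexcepted_local_targets(chain)}")
        for hop in trace_request(chain, CLIENT_ADDR, "203.29.72.51")[0]:
            print("  " + hop)
```

With the original chain the trace for the virtual host never terminates (every pass matches the catch-all redirect again), which is the symptom the post reports as squid loop complaints and a pile of in.tproxyd processes; `unexcepted_local_targets` flags `203.29.72.51` before the rules are loaded. With the second exception in place the request is delivered directly and a request for a remote server is redirected exactly once.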

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:54 MST