Re: transproxy <-> squid looping!!!

From: Yar Tikhiy <yar@dont-contact.us>
Date: Fri, 22 May 1998 19:30:15 +0400 (MSD)

Andrew wrote:
> I don't know if many ppl have found this, but here it goes...
>
> I'm running transproxy with ipfilter on freebsd3.0
> Ipfilter is set up on "transparent.proxy.com" to take http requests on port
> 80 and divert them to the transproxy daemon on port 81 which again sends
> the http requests to squid.
> This works fine as a transparent proxy :)
>
> BUT!!!
>
> when you type http://transparent.proxy.com/ into the browser, it causes
> squid to loop and it will slow down and finally crash.
>
> Has anyone else found this problem and maybe found a way to fix it?
>

I wish I saw it in the FAQ. I had a very similar problem once,
solved it and told the community about it.

You must just disable all possible looping paths. It can be done either
with squid's access lists or with system's IP filter. The obvious paths
are:
 - Squid to itself via all the machine's interfaces including loopback
which can be used by malicious whackers;

 - Squid to redirected port (i.e. 80), via all the interfaces;

 - Squid to transproxy port (i.e. 81), again via all the interfaces
(or via the interface transproxy is bound to with the '-b' option);

The commands (or access lists) are obvious except one minor
moment: if you filter loopback-to-loopback traffic with IP filter
then you'll no longer be able to use local cachemgr.cgi.
I prefer filtering the traffic in such a way:

http_access allow manager localhost
http_access deny localhost
http_access deny manager !localhost

where "localhost" is "src 127.0.0.1/255.255.255.255" (why so weird
notation? i'd like 127.0.0.1/32 (-; However, cisco's access-list
notation is even weirder ;-)))

The above example may not work if you use the "tcp-outgoing-address foo"
squid's option. In that case you should filter the source address foo
instead of 127.0.0.1.

SY, Yar

P.S. Your squid's crash indicates its weakness. Mine did loop,
but never crashed ;-p

P.P.S. Will a local ICP storm happen if a malicious whacker sends
an ICP packet with src == dst == my proxy? :-)

-----------------------------------------------------------------
Yaroslav Tikhiy, <yar@radio-msu.net> | Radio-MSU | Moscow, Russia
Received on Fri May 22 1998 - 08:40:41 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:40:19 MST
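As an added example (not from Yar's message, nor from the Squid or ipfilter projects), the two ways of cutting the loop paths that the reply describes, written out as configuration fragments. Assumptions, all hypothetical: the proxy host's address is 192.0.2.10, squid listens on 3128, transproxy on 81, the ipnat rdr rule sends inbound port 80 to 81, and the ACL syntax is that of Squid 1.x/2.x with the netmask notation used in the post.

```conf
# --- squid.conf fragment (added example; addresses and ports are assumed) ---
acl manager    proto cache_object
acl localhost  src   127.0.0.1/255.255.255.255
acl all        src   0.0.0.0/0.0.0.0
# every address the proxy host answers on: loopback plus each interface
acl self       dst   127.0.0.1/255.255.255.255 192.0.2.10/255.255.255.255
# ports on which a request to "self" would re-enter the redirect chain:
# redirected port, transproxy port, squid's own port
acl loop_ports port  80 81 3128

# cachemgr.cgi allowed from the proxy host only
http_access allow manager localhost
http_access deny  manager
# Break the loop: never fetch from one of our own addresses on those ports,
# whoever the client is. This matches on destination, so local cachemgr.cgi
# (src 127.0.0.1, allowed above) keeps working.
http_access deny  self loop_ports
# If tcp_outgoing_address is set, squid's own requests arrive with that
# source address, so a src-based rule would need that address instead of
# 127.0.0.1; the dst-based rule above is unaffected.
http_access allow all

# --- /etc/ipf.rules alternative (ipfilter on FreeBSD; added example) ---
# Assumed existing redirect in /etc/ipnat.rules:
#   rdr ed0 0.0.0.0/0 port 80 -> 127.0.0.1 port 81 tcp
# Drop new connections the proxy host opens to the redirected and
# transproxy ports on its own addresses (locally originated traffic to the
# host's own addresses goes out on lo0). Port 3128 on lo0 is deliberately
# left open so local cachemgr.cgi still works.
block out quick on lo0 proto tcp from any to 127.0.0.1/32  port = 80 flags S/SA
block out quick on lo0 proto tcp from any to 127.0.0.1/32  port = 81 flags S/SA
block out quick on lo0 proto tcp from any to 192.0.2.10/32 port = 80 flags S/SA
block out quick on lo0 proto tcp from any to 192.0.2.10/32 port = 81 flags S/SA
```

Either fragment on its own closes the paths listed in the reply; the ACL version denies the looping request with an error page instead of a silent drop, which is easier to spot when testing with http://transparent.proxy.com/ from a client. After reloading, check with `ipfstat -io` that the block rules are present, and watch squid's access.log for a TCP_DENIED on a request for the proxy's own name.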