[squid-users] forwarding loop using squidguard

From: Matteo Villari <villari@dont-contact.us>
Date: Tue, 31 May 2005 13:26:39 +0200

Hi all.
I'm trying to use squidguard to strip out the jsessionid field from some
URLs. I've configured squidguard to strip the part of a URL containing
;jsessionid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.tomcat1
The problem is that when squid passes a URL containing this field to
squidguard it generates a forwarding loop warning and shows an "access
denied" error page, depending (I think) on error 111 connection refused.
Please help me... thanks a lot, Matteo Villari

This is my squid.conf file:

http_port 80
http_port 8180
icp_port 0
htcp_port 0
log_ip_on_direct off
mime_table /usr/local/squid/etc/mime.conf
log_mime_hdrs on
useragent_log /usr/local/squid/logs/useragent.log
debug_options ALL,1 33,2 28,9
log_fqdn on
pinger_program /bin/ping
redirect_program /usr/local/squidguard/bin/squidGuard
redirect_rewrites_host_header off
acl session url_regex jsessionid
redirector_access allow session
auth_param basic casesensitive off
refresh_pattern . 0 20% 4320
half_closed_clients off
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl purge method PURGE
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
http_access allow all
http_reply_access allow all
icp_access allow all
cache_effective_user villari
cache_effective_group villari
visible_hostname Villari
httpd_accel_host 192.168.11.224
httpd_accel_port 8180
httpd_accel_single_host on
httpd_accel_with_proxy off
httpd_accel_uses_host_header on
cachemgr_passwd matteo info stats/object
query_icmp on
always_direct allow !session
offline_mode off
strip_query_terms off
coredump_dir /usr/local/squid/cache
relaxed_header_parser warn

and these are the entries in my log files:

access.log

1117538216.703 1 192.168.11.233 TCP_DENIED/403 1482 GET http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml - NONE/- text/html [User-Agent: Opera/7.54 (Windows NT 5.1; U) %5bit%5d\r\nHost: 192.168.11.233:8180\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: it, en\r\nAccept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nReferer: http://192.168.11.233/jetspeed\r\nVia: 1.1 Villari:80 (squid/2.5.STABLE9-20050503)\r\nX-Forwarded-For: 192.168.11.243\r\nCache-Control: max-age=259200\r\nConnection: keep-alive\r\n] [HTTP/1.0 403 Forbidden\r\nServer: squid/2.5.STABLE9-20050503\r\nMime-Version: 1.0\r\nDate: Tue, 31 May 2005 11:16:56 GMT\r\nContent-Type: text/html\r\nContent-Length: 1189\r\nExpires: Tue, 31 May 2005 11:16:56 GMT\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\n\r]
1117538216.704 611 192.168.11.243 TCP_MISS/403 1510 GET http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1 - DIRECT/192.168.11.233 text/html [User-Agent: Opera/7.54 (Windows NT 5.1; U) %5bit%5d\r\nHost: 192.168.11.233:8180\r\nAccept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: it, en\r\nAccept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\nReferer: http://192.168.11.233/jetspeed\r\nConnection: Keep-Alive, TE\r\nTE: deflate, gzip, chunked, identity, trailers\r\n] [HTTP/1.0 403 Forbidden\r\nServer: squid/2.5.STABLE9-20050503\r\nMime-Version: 1.0\r\nDate: Tue, 31 May 2005 11:16:56 GMT\r\nContent-Type: text/html\r\nContent-Length: 1189\r\nExpires: Tue, 31 May 2005 11:16:56 GMT\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nX-Cache: MISS from Villari\r\nConnection: keep-alive\r\n\r]

cache.log

2005/05/31 13:16:56| The request GET http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1 is ALLOWED, because it matched 'all'
2005/05/31 13:16:56| aclCheck: checking 'redirector_access allow session'
2005/05/31 13:16:56| aclMatchAclList: checking session
2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex jsessionid'
2005/05/31 13:16:56| aclMatchRegex: checking 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1'
2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
2005/05/31 13:16:56| aclMatchAclList: returning 1
2005/05/31 13:16:56| aclCheck: match found, returning 1
2005/05/31 13:16:56| aclCheckCallback: answer=1
2005/05/31 13:16:56| aclCheckFast: list: (nil)
2005/05/31 13:16:56| aclCheckFast: no matches, returning: 1
2005/05/31 13:16:56| aclCheck: checking 'always_direct allow !session'
2005/05/31 13:16:56| aclMatchAclList: checking !session
2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex jsessionid'
2005/05/31 13:16:56| aclMatchRegex: checking 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml'
2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
2005/05/31 13:16:56| aclMatchAclList: returning 1
2005/05/31 13:16:56| aclCheck: match found, returning 1
2005/05/31 13:16:56| aclCheckCallback: answer=1
2005/05/31 13:16:56| aclCheck: checking 'http_access allow all'
2005/05/31 13:16:56| aclMatchAclList: checking all
2005/05/31 13:16:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2005/05/31 13:16:56| aclMatchIp: '192.168.11.233' found
2005/05/31 13:16:56| aclMatchAclList: returning 1
2005/05/31 13:16:56| aclCheck: match found, returning 1
2005/05/31 13:16:56| aclCheckCallback: answer=1
2005/05/31 13:16:56| The request GET http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml is ALLOWED, because it matched 'all'
2005/05/31 13:16:56| aclCheck: checking 'redirector_access allow session'
2005/05/31 13:16:56| aclMatchAclList: checking session
2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex jsessionid'
2005/05/31 13:16:56| aclMatchRegex: checking 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml'
2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
2005/05/31 13:16:56| aclMatchAclList: no match, returning 0
2005/05/31 13:16:56| aclCheck: checking 'redirector_access deny !session'
2005/05/31 13:16:56| aclMatchAclList: checking !session
2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex jsessionid'
2005/05/31 13:16:56| aclMatchRegex: checking 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml'
2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
2005/05/31 13:16:56| aclMatchAclList: returning 1
2005/05/31 13:16:56| aclCheck: match found, returning 0
2005/05/31 13:16:56| aclCheckCallback: answer=0
2005/05/31 13:16:56| WARNING: Forwarding loop detected for:
GET /jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml HTTP/1.0

User-Agent: Opera/7.54 (Windows NT 5.1; U) [it]

Host: 192.168.11.233:8180

Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

Accept-Language: it, en

Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1

Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0

Referer: http://192.168.11.233/jetspeed

Via: 1.1 Villari:80 (squid/2.5.STABLE9-20050503)

X-Forwarded-For: 192.168.11.243

Cache-Control: max-age=259200

Connection: keep-alive

2005/05/31 13:16:56| aclCheckFast: list: 0x8228a50
2005/05/31 13:16:56| aclMatchAclList: checking all
2005/05/31 13:16:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2005/05/31 13:16:56| aclMatchIp: '192.168.11.243' found
2005/05/31 13:16:56| aclMatchAclList: returning 1
2005/05/31 13:16:56| aclCheckFast: list: 0x822c348
2005/05/31 13:16:56| aclMatchAclList: checking all
2005/05/31 13:16:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2005/05/31 13:16:56| aclMatchIp: '192.168.11.243' found
2005/05/31 13:16:56| aclMatchAclList: returning 1
2005/05/31 13:16:56| The reply for GET http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml is ALLOWED, because it matched 'all'

and squidguard.conf

#
# Configuration File for SquidGuard
#
# Created with the SquidGuard Configuration Webmin Module
# Copyright (C) 2001 by Tim Niemueller <tim@niemueller.de>
# http://www.niemueller.de/webmin/modules/squidguard/
#
# File created on 27/Mag/2005 15:39
#

dbhome /var/lib/squidguard
logdir /var/log/squidguard

rewrite prova {
        s@;jsessionid=[0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z].tomcat1@ @i
        log /var/log/squidguard/riscrivi
}

acl {
        default {
                pass any
                rewrite prova
        }
}
Received on Tue May 31 2005 - 05:54:47 MDT
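Added example (not from the post, nor code from Squid or squidGuard): a Python equivalent of the posted rewrite rule, followed by two offline checks an administrator can run against the URL and Via header that appear in the logs above: whether the rewritten URL points back at one of the proxy's own listening endpoints, and whether the Via header already names this proxy (the condition behind Squid's "Forwarding loop detected" warning). The proxy's endpoints (192.168.11.233 on ports 80 and 8180, hostname Villari) are an assumption drawn from the posted http_port lines and log entries.

```python
import re
from urllib.parse import urlsplit

# Python equivalent of the squidGuard rewrite in the post: the 32 repeated
# character classes collapsed into an interval, the dot escaped, and the
# trailing 'i' flag mapped to re.IGNORECASE. Illustration only; squidGuard
# applies its own rule.
JSESSIONID_RE = re.compile(r";jsessionid=[0-9A-Z]{32}\.tomcat1", re.IGNORECASE)

def strip_jsessionid(url):
    """Return the URL with the Tomcat ';jsessionid=...' path parameter removed."""
    return JSESSIONID_RE.sub("", url)

def points_at_self(url, self_endpoints):
    """True if forwarding this URL direct would hit one of the proxy's own
    (host, port) listeners, i.e. the request would come straight back to it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (host, port) in self_endpoints

def via_has_hop(via_header, visible_hostname):
    """True if a Via header already names this proxy. Each comma-separated entry
    is '<version> <received-by>[ (comment)]'; received-by may carry a :port."""
    for entry in via_header.split(","):
        fields = entry.strip().split()
        if len(fields) >= 2 and fields[1].split(":")[0].lower() == visible_hostname.lower():
            return True
    return False

# Constructed sample input, copied from the URL and Via header in the posted logs.
SAMPLE_URL = ("http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/"
              "HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1")
SAMPLE_VIA = "1.1 Villari:80 (squid/2.5.STABLE9-20050503)"
# Assumed: proxy 'Villari' listens on 192.168.11.233 ports 80 and 8180 (the two
# http_port lines in the posted squid.conf; the address is inferred from the logs).
SELF_ENDPOINTS = {("192.168.11.233", 80), ("192.168.11.233", 8180),
                  ("villari", 80), ("villari", 8180)}

def check(url=SAMPLE_URL, via=SAMPLE_VIA, self_endpoints=SELF_ENDPOINTS, hostname="Villari"):
    """Apply the rewrite, then report whether the result would loop back to us."""
    rewritten = strip_jsessionid(url)
    return {
        "rewritten": rewritten,
        "loops_to_self": points_at_self(rewritten, self_endpoints),
        "already_via_us": via_has_hop(via, hostname),
    }

if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```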