[squid-users] erroneous detection of forwarding loop in accelerator configuration

From: Chris Lightfoot <chris@dont-contact.us>
Date: Thu, 8 Jun 2006 15:20:53 +0100

I have a squid 2.5.9 setup used as an HTTP accelerator in
front of a site which was previously served by apache
alone. For various reasons some parts of the site are
served using mod_proxy in apache, calling back into itself
(typically this is so that we can cross a privilege
boundary, since apache can only set suexec UIDs on a
per-virtual-domain basis).

So, the previous configuration worked like this:

    client makes request to http://www1.example.com/foo
    apache for www1 makes subrequest to http://www2.example.com/bar
    apache for www2 processes request

now we have this:

    client makes request to http://www1.example.com/foo
    squid accepts request, passes it to apache
    apache for www1 makes subrequest to http://www2.example.com/bar
    squid accepts requests but notices that it's named in
    the Via: header, so rejects it because of a forwarding

Now, in this case there is no forwarding loop, because
squid previously processed the request for
www1.example.com, not for www2.example.com. But squid just
checks whether it appears in the Via: header and does not
compare any other headers.

I've temporarily fixed this by adding ProxyVia block to
the apache config, but of course this means that squi is
unlikely to be able to detect a *real* forwarding loop if
we ever accidentally create one. Suggestions? It might be
possible to hack something up based on whether
X-Forwarded-Host: differs from Host: but that's a bit

``If you're of average intelligence,
  you've already outwitted most burglars.'' (Chris MacKenzie)
Received on Thu Jun 08 2006 - 08:20:56 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Jul 01 2006 - 12:00:01 MDT