Re: [squid-users] Forwarding loop detected issue

Hi Amos,

Thanks for your reply. Ill try to explain better what im trying to do here.

| You don't appear to have a:
| Squid1->DG->Squid2 setup
|
| you do appear to have a:
| Squid1 -> Internet or DG -> Squid1 -> Internet setup.
|
| Is there any particular reason you need to have two squid?
| The current feedback config appears to be needlessly complicated for any
| use I can think of right now for having two instances of squid running.

In the scenario DG(port 8081) --> Squid(port 3128)
Clients are using the proxy on proxy_ip:8081

Since Dansguardian cant handle NTML auth if I don't use 2 Squid instances then
it will show on DG access log only the IP of the client and not the username.

DG access log will look like this (only IP is logged):
2009.2.4 15:12:01 - 192.168.20.11 http://adimgs.sapo.pt/2009/odisseias/massagem.jpg *SCANNED* GET 1956

and on the Squid access log it will always show the localhost since the connenction comes from DG:
1233760323.286 8 127.0.0.1 TCP_MISS/200 1597 GET http://h.s.sl.pt/pub/botao.html?rand=&tile=36871 - DIRECT/213.13.146.180 text/html

This would prevent me of doing reports on users usage and use I think delay pools.

In the scenario Squid1(port 3128 for ntml_auth) -> DG(port 8081) --> Squid2(port 8080 for cache)
Clients are using the proxy on proxy_ip:3128

DG access log will look like this (now user and IP are logged):
2009.2.4 16:01:12 rnuno 192.168.20.11 http://imgs.sapo.pt/images/footer/pt.gif *SCANNED* GET 804

and on the Squid access log:
1233763558.911 0 192.168.20.11 TCP_DENIED/407 2169 GET http://cache02.stormap.sapo.pt/vidstore02/thumbnais/66/91/02/15666_eDQus.jpg - NONE/- text/html
1233763558.917 21 127.0.0.1 TCP_MISS/200 2860 GET http://cache01.stormap.sapo.pt/vidstore02/thumbnais/05/64/67/ma_swing.jpg - DIRECT/212.55.154.131 image/jpeg

So basically this setup is working in a way that allows me to do my reports and use delay pools
but the error keeps on my log I thought that I has doing something wrong on the cache_peer line.

2009/02/04 16:09:15| WARNING: Forwarding loop detected for:
Client: 127.0.0.1 http_port: 127.0.0.1:8080
GET http://cache03.stormap.sapo.pt/vidstore03/thumbnais/57/ed/03/731347_L4An1.jpg HTTP/1.0
Accept: */*
Referer: http://videos.sapo.pt/
Accept-Language: en-US
UA-CPU: x86
Accept-Encoding: identity,gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: cache03.stormap.sapo.pt
Cookie: _swa_v=158287575757761020; _swa_uv=3752565023748371500
Via: 1.1 squid-ntml:8080 (squid/2.7.STABLE3)
X-Forwarded-For: 192.168.20.11
Proxy-Authorization: Basic cm51bm86bm9wYXNzd29yZA==
Cache-Control: max-age=259200
X-Forwarded-For: 192.168.20.11

I made some changes according to your advice but i still get the error. Do you have any suggestion
on how to fix it or maybe another way to do what i want?

Below is the conf's files im using now.

Thank you once more.

regards,
-- Ricardo

My changes in dansguardian.conf:
filterip = 127.0.0.1
filterport = 8081
proxyip = 127.0.0.1
proxyport = 8080
usernameidmethodproxyauth = on

# SQUID.CONF
# -----------------------------------------------------------------------------
unique_hostname squid-cache
http_port 8080

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

cache_mem 1024 MB
maximum_object_size 8096 KB

cache_dir ufs /cache/squid 20000 16 256
access_log /var/log/squid/access.log squid

cache_peer 127.0.0.1 parent 8081 0 no-digest no-netdb-exchange name=squid-cache no-query login=*:nopassword

acl localhost src 127.0.0.1
#cache_peer_access squid-cache deny localhost

include /etc/squid/squid-ntml.conf

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

acl NTLMUsers proxy_auth REQUIRED
acl rede_interna src 192.168.20.0/24
acl h_trabalho time MTWHF 08:00-18:00
acl downloads url_regex -i .exe .mp3 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .iso

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow NTLMUsers

http_access deny all
http_reply_access allow all
icp_access allow all

coredump_dir /var/spool/squid

# SQUID-NTML.CONF
# -----------------------------------------------------------------------------

unique_hostname squid-ntml
http_port 3128

cache_dir null /dev/null

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Moonlight Proxy Server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

pid_filename /var/run/squid-ntml.pid
Received on Wed Feb 04 2009 - 17:07:14 MST