Re: [squid-users] WARNING: Forwarding loop detected for:

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 24 Apr 2010 13:54:01 +1200

Cami wrote:
> Hi All,
>
> I've been unsuccessful at trying to fix what appears to be a nasty
> forwarding loop.
> After going through old posts concerning the matter, nothing seems to
> address the
> issue. Some information:
>
> The Squid proxy in question has 1 interface (eth0 10.3.0.251).
>
> We have a hardware router that sits in front of it and intercepts all
> traffic and redirects
> all traffic that comes through the router on port 80 and transparently
> redirects
> it to port 3128 on the proxy.

First breakage is doing NAT on a box where Squid is not running.
If you can, do policy routing there to pass all non-Squid traffic to port
80 to the Squid box. Also called DMZ mode or port-specific bridging by some.

> I've set up iptables to redirect it to Squid:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3129

Why is port 3128 involved?
Are you trying to catch people sending regular proxy requests to
external proxies?

If these are internal clients just trying to get to your Squid, open its
port 3128 and let them connect directly as normal clients.

>
> Squid Cache: Version 3.1.1 config:
> http_port 3129 transparent
> visible_hostname lnx-proxy7.theweb.co.za
> half_closed_clients off
>
> Browsing "works fine" for most people. But occasionally I get the
> following in access.log
>
> 1272042637.252 9974 10.3.0.251 TCP_MISS/000 0 GET
> http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
> 1272042637.252 9974 10.3.0.251 TCP_MISS/000 0 GET
> http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
> 1272042637.253 9974 10.3.0.251 TCP_MISS/000 0 GET
> http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
> 1272042637.253 9974 10.3.0.251 TCP_MISS/000 0 GET
> http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
>
> In cache.log I see errors along the following:
>
> 2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
> GET / HTTP/1.1
> Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
> X-Forwarded-For: 10.2.29.125
> Host: 10.3.0.251:3129
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> 2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
> GET / HTTP/1.1
> Host: 10.3.0.251:3129
> Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1
> lnx-proxy7.theweb.co.za (squid/3.1.1)
> X-Forwarded-For: 10.2.29.125, 10.3.0.251
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> 2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
> GET / HTTP/1.1
> Host: 10.3.0.251:3129
> Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1
> lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1 lnx-proxy7.theweb.co.za
> (squid/3.1.1)
> X-Forwarded-For: 10.2.29.125, 10.3.0.251, 10.3.0.251
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> And it keeps growing and growing. Does anyone have any ideas?

Your Squid is on the same side of the router as the clients, yes?

You need to make a rule in the router which prevents capturing any
traffic from the Squid box. This needs to happen on the router before
any rules that catch the traffic.

There are some examples of how to set up iptables at
http://wiki.squid-cache.org/ConfigExamples/Intercept

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.1
Received on Sat Apr 24 2010 - 01:54:07 MDT
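
One way to confirm from the logs that the proxy is being handed its own outbound requests, which is the symptom discussed in this message (an added example, not part of the original mail and not Squid code). The log lines are constructed samples modelled on the excerpts quoted above, the function names are hypothetical, and the native access.log field order is assumed.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log excerpts quoted in the thread.
ACCESS_LOG = """\
1272042637.252 9974 10.3.0.251 TCP_MISS/000 0 GET http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
1272042637.253 9974 10.3.0.251 TCP_MISS/000 0 GET http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
1272042640.101 212 10.2.29.125 TCP_MISS/200 5120 GET http://example.com/ - DIRECT/192.0.2.10 text/html
"""

CACHE_LOG = """\
2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: 10.3.0.251:3129
Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
X-Forwarded-For: 10.2.29.125, 10.3.0.251

2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
X-Forwarded-For: 10.2.29.125
Host: 10.3.0.251:3129
"""

def self_requests(access_log):
    """Count access.log entries whose client address is also the peer Squid fetched from."""
    hits = Counter()
    for line in access_log.splitlines():
        f = line.split()
        # assumed native format: time elapsed client code/status bytes method URL ident hier/peer type
        if len(f) >= 9 and "/" in f[8] and f[2] == f[8].split("/", 1)[1]:
            hits[f[2]] += 1
    return hits

def loop_depths(cache_log, hostname):
    """Per 'Forwarding loop detected' dump: (first X-Forwarded-For client, times hostname is in Via)."""
    out = []
    for block in cache_log.split("WARNING: Forwarding loop detected for:")[1:]:
        via = re.search(r"^Via:(.*)$", block, re.M)
        xff = re.search(r"^X-Forwarded-For:\s*([^,\s]+)", block, re.M)
        parts = [h.split() for h in via.group(1).split(",")] if via else []
        hops = [p[1] for p in parts if len(p) > 1]  # each Via entry: "<protocol> <received-by> (comment)"
        out.append((xff.group(1) if xff else None, hops.count(hostname)))
    return out

if __name__ == "__main__":
    print(self_requests(ACCESS_LOG))
    print(loop_depths(CACHE_LOG, "lnx-proxy7.theweb.co.za"))
```

A non-empty result from `self_requests` means the proxy's own address is appearing as a client, and the first `X-Forwarded-For` entry shows which client's request entered the loop.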
