Edoardo COSTA SANSEVERINO wrote:
> Hi all,
> 
> I'm getting the following error and I just can't figure out what I'm 
> doing wrong.  It worked for a while but now I get the following error:
> 
> Browser error
> -------------
> ERROR
> The requested URL could not be retrieved
> 
> While trying to retrieve the URL: http://test.example.com/
> 
> The following error was encountered:
> 
>     * Access Denied.
> 
>       Access control configuration prevents your request from being 
> allowed at this time. Please contact your service provider if you feel 
> this is incorrect.
> 
> Your cache administrator is webmaster.
> Generated Tue, 29 Jun 2010 08:01:45 GMT by localhost (squid/3.0.STABLE8)
> 
> 
> Squid Error
> -----------
> 2010/06/29 07:41:22.244| The request GET http://test.example.com/ is 
> ALLOWED, because it matched 'sites_server_web'
> 2010/06/29 07:41:22.244| WARNING: Forwarding loop detected for:
> GET / HTTP/1.0
> Host: test.example.com
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) 
> Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Referer: http://test.example.com/
> Cookie: __utma=156214138.2072416337.1256440668.1263421087.1270454401.17; 
> SESS404422c7e13985ed9850bca1343102d6=e6b996d3bf323193fec6e785a3356d1c; 
> SESS4986f0d90a6abbc6006cc25a814fe1a8=1c1956864db4e7636f3e8b185b6dd6cc
> Pragma: no-cache
> Via: 1.1 localhost (squid/3.0.STABLE8)
> X-Forwarded-For: 192.168.1.10
> Cache-Control: no-cache, max-age=259200
> Connection: keep-alive
> 
> 
> 2010/06/29 07:41:22.245| The reply for GET http://test.example.com/ is 
> ALLOWED, because it matched 'sites_server_web'
> 
> 
> My current setup is as follows.  I made the page request on the laptop 
> to [VMs1].
> 
> 
> setup
> -----
> 
> 
> [VMs1]--[Server/Squid/DNS/FW 1]--{ Internet }---[Server/Squid/DNS/FW 2]-+--[VMs2]
>                                                                         |
>                                                                         +--[LAN]--[Laptop]
> 
Diagram got a bit mangled. I'm guessing the Laptop was on network VMs1?
> 
> 
> The following squid config is for [Server 1]
> 
> squid.conf
> ----------
> https_port 91.185.133.180:443 accel cert=/etc/ssl/mail.example.com.crt 
> key=/etc/ssl/mail.example.com.pem defaultsite=mail.example.com vhost 
> protocol=https
> http_port 91.185.133.180:80 accel defaultsite=test.example.com vhost
> 
> cache_peer 192.168.122.11 parent 443 0 no-query no-digest originserver 
> login=PASS ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on 
> name=server_mail
> cache_peer 192.168.122.12 parent 80 0 no-query originserver login=PASS 
> name=server_web
> 
> acl sites_server_mail dstdomain mail.example.com
> http_access allow sites_server_mail
> cache_peer_access server_mail allow sites_server_mail
> cache_peer_access server_mail deny all
> 
> acl sites_server_web dstdomain test.example.com test.foobar.eu 
> test1.example.com
> http_access allow sites_server_web
> cache_peer_access server_web allow sites_server_web
> cache_peer_access server_web deny all
> 
> forwarded_for on
> 
> cache_store_log none
> debug_options ALL,2
> 
> 
> The following config is for [Server 2]
> 
> squid.conf
> ----------
> https_port 192.168.1.3:443 accel 
> cert=/etc/ssl/certs/deb03.example.com.crt 
> key=/etc/ssl/private/deb03.example.com.pem defaultsite=deb03.example.com 
> vhost protocol=https
> http_port 192.168.1.1:80 accel defaultsite=deb02.example.com vhost
> http_port 192.168.1.1:80 accel defaultsite=oldwww.example.com vhost
> 
> cache_peer 192.168.122.3 parent 443 0 no-query originserver login=PASS 
> ssl sslversion=3 sslflags=DONT_VERIFY_PEER front-end-https=on name=srv03
> cache_peer 192.168.122.2 parent 80 0 no-query originserver name=srv02
> cache_peer 192.168.122.11 parent 80 0 no-query originserver name=srv01
> 
> acl https proto https
> acl sites_srv01 dstdomain oldwww.example.com
> acl sites_srv03 dstdomain deb03.example.com
> acl sites_srv02 dstdomain deb02.example.com second.example.com
> 
> http_access allow sites_srv01
> http_access allow sites_srv03
> http_access allow sites_srv02
> cache_peer_access srv01 allow sites_srv01
> cache_peer_access srv03 allow sites_srv03
> cache_peer_access srv02 allow sites_srv02
> 
> forwarded_for on
> 
> ### Transparent proxy
> http_port 192.168.1.1:3128 transparent
> acl lan_network src 192.168.1.0/24
> acl localnet src 127.0.0.1/255.255.255.255
> http_access allow lan_network
> http_access allow localnet
> 
> cache_dir ufs /var/spool/squid3 1500 16 256
> ###
> 
> #cache_store_log none
> debug_options ALL,2
> 
> 
> I simply can't see where the loop is.  Could someone explain this to me 
> or point me to the right documentation.  I had a look around but found 
> no relevant answer.
There are two things which may be happening:
  1) Your NAT interception rules may be catching proxy #2 outbound 
requests and looping them back into #2.
   ** FIX: Make sure that all the proxy machine IPv4 are listed in the 
NAT bypass rules.
  2) To identify a loop Squid uses the _unique_ machine name as 
displayed in the Via: header "1.1 localhost (squid/3.0.STABLE8)" to 
check that the request did not come from itself. Unfortunately the 
machine hostname is set to "localhost" which is actually harmful as you 
can see.
   ** FIX: ensure that the command "hostname" produces a unique name for 
each machine.
   ** WORKAROUND for distros which hard-code "localhost":
     explicitly configure unique_hostname and/or visible_hostname to 
different things in each of the proxies.
  Good practice is to use the machine FQDN for uniqueness.
Amos
-- Please be using Current Stable Squid 2.7.STABLE9 or 3.1.4
Received on Tue Jun 29 2010 - 11:07:22 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 29 2010 - 12:00:03 MDT
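Amos's second point, as a worked example added here (this is not code from the post or from Squid's sources): a small Python model of the Via-based forwarding-loop check. Each proxy appends a "protocol-version pseudonym (comment)" entry to the Via header and refuses any request whose Via already carries its own pseudonym. The Via entry "1.1 localhost (squid/3.0.STABLE8)" is the one from the post; the names proxy1.example.net and proxy2.example.net are hypothetical replacements for a unique hostname, and comparing the pseudonym of each parsed entry is a simplification of Squid's own substring search on the Via value, with the same result for the cases shown.

```python
# Added example, not code from the post or from Squid: a model of the Via-based
# forwarding-loop check.  Each proxy appends
# "<proto-version> <unique_hostname> (<comment>)" to Via and refuses a request
# whose Via already names itself.  Squid's real check is a substring search of
# the Via value for its own "hostname (version)" token; comparing the pseudonym
# of each parsed entry, as done here, is a simplification with the same outcome
# for the scenarios below.
import re
from typing import List, Optional, Tuple

ViaEntry = Tuple[str, str, Optional[str]]  # (protocol-version, pseudonym, comment)

_ENTRY_RE = re.compile(r"^(?P<proto>\S+)\s+(?P<by>\S+)(?:\s+\((?P<comment>.*)\))?$")


def split_via(value: str) -> List[str]:
    """Split a Via value on commas, ignoring commas inside a (comment)."""
    entries: List[str] = []
    cur: List[str] = []
    depth = 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        if ch == "," and depth == 0:
            entries.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    entries.append("".join(cur))
    return [e.strip() for e in entries if e.strip()]


def parse_via(value: str) -> List[ViaEntry]:
    """Parse 'Via: 1.1 a (squid/3.0), 1.0 b' into (proto, pseudonym, comment) tuples."""
    parsed: List[ViaEntry] = []
    for raw in split_via(value):
        m = _ENTRY_RE.match(raw)
        if not m:
            raise ValueError(f"malformed Via entry: {raw!r}")
        parsed.append((m.group("proto"), m.group("by"), m.group("comment")))
    return parsed


def strip_port(pseudonym: str) -> str:
    """'proxy:3128' -> 'proxy'; a pseudonym without a numeric port is unchanged."""
    host, sep, port = pseudonym.rpartition(":")
    return host if sep and port.isdigit() else pseudonym


def is_forwarding_loop(via: Optional[str], unique_hostname: str) -> bool:
    """True when this proxy's own pseudonym already appears in the inbound Via."""
    if not via:
        return False
    me = unique_hostname.lower()
    return any(strip_port(by).lower() == me for _, by, _ in parse_via(via))


def append_via(via: Optional[str], unique_hostname: str,
               comment: str = "squid/3.0.STABLE8", proto: str = "1.1") -> str:
    """Outbound Via value after this proxy adds its own entry."""
    entry = f"{proto} {unique_hostname} ({comment})"
    return f"{via}, {entry}" if via else entry


def relay_chain(hostnames: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Forward one request through the listed proxies in order.

    Returns (Via as last seen, name of the proxy that refused it, or None).
    """
    via: Optional[str] = None
    for name in hostnames:
        if is_forwarding_loop(via, name):
            return via, name
        via = append_via(via, name)
    return via, None


if __name__ == "__main__":
    # Constructed scenarios.  Both proxies in the post call themselves
    # "localhost"; proxy1/proxy2.example.net are hypothetical unique names.
    print(relay_chain(["localhost", "localhost"]))                      # refused at hop 2
    print(relay_chain(["proxy2.example.net", "proxy1.example.net"]))    # passes
    print(relay_chain(["proxy2.example.net", "proxy1.example.net",
                       "proxy2.example.net"]))                          # a real loop, refused at hop 3
```

The first scenario is the post's situation: proxy #2 (transparent, on the LAN) adds "1.1 localhost (...)", and proxy #1 (the accelerator), also named localhost, takes that entry for its own and logs the forwarding-loop warning even though the request never visited it before. Giving each proxy a distinct visible_hostname/unique_hostname (the machine's FQDN) makes the second scenario apply, while a genuine loop, such as NAT on proxy #2 redirecting its own outbound traffic back into itself, is still caught as in the third.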