Re: [squid-users] forward loop

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 05 Feb 2012 00:03:50 +1300

On 4/02/2012 8:02 p.m., Mustafa Raji wrote:
> hi Pieter
> this is my configuration file,
>
> #define access list for network
> acl my_network src 192.168.12.0/24
> acl my_network src 192.168.7.0/24
> acl my_network src 192.168.40.0/24
> acl my_network src 10.10.10.0/24
>
> #allow http access for the network
> http_access allow my_network
>
> #squid default acl configuration
> acl all src all

"all" is pre-defined in Squid-3. Remove the above line to silence those
startup and reconfigure warnings you are getting about it.

> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Please read

then reconsider why you placed the "allow my_network" access permission
above these basic security controls.

> http_access deny all
> http_port 3128 intercept
> http_port 8080
>
> #cache configuration
> #define core dump directory
> visible_hostname squidtest
> coredump_dir /var/coredump
>
> #define cache replacement policy
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
>
> #define cache memory
> cache_mem 512 MB
>
> #define squid log files
> access_log /var/log/squid3/access.log
> emulate_httpd_log off

"emulate_httpd_log" has been deprecated for many years. OFF is also its
default value. Remove this.

> cache_store_log none
>
> #include /etc/squid3/refresh.conf
> cache_log /var/log/squid3/cache.log
>
> #define cache directory
> cache_dir aufs /var/squid/aufs1 5000 16 256
> cache_dir aufs /var/squid/aufs2 5000 16 256
> cache_dir aufs /var/squid/aufs3 5000 16 256
>
>
> maximum_object_size 512 MB
>
>
> ipcache_size 5120
>
> cache_swap_low 85
> cache_swap_high 95
>
> cache_mgr mustafa.raji_at_yahoo.com
> cachemgr_passwd xxxxx all
>
> thank you with my best regards

This config shows the loop is outside of Squid. Please re-check your NAT
interception rules. They MUST begin with a rule permitting Squid to
bypass the intercept.

Given that you have Debian system locations for your files I will assume
your NAT rules need to look like these:
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Amos
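
One way to check the rule-order requirement stated above, as an added example that is not part of the original message or of the Squid project: it reads `iptables-save` style text and reports any port-80 intercept rule in nat PREROUTING that is not preceded by an ACCEPT for Squid's own address. The two rule dumps are constructed, and `parse_rule` and `audit_intercept` are hypothetical names; the address 192.168.40.2 and port 3128 are taken from the posted logs and config.

```python
import shlex

# Constructed iptables-save output (not from the thread). 192.168.40.2:3128 is the
# proxy address and intercept port that appear in the posted logs and squid.conf.
LOOPING = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.40.2:3128
-A POSTROUTING -j MASQUERADE
COMMIT
"""
FIXED = """\
*nat
-A PREROUTING -s 192.168.40.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.40.2:3128
-A POSTROUTING -j MASQUERADE
COMMIT
"""

def parse_rule(line):
    """Pull source, destination port, target and NAT destination out of one -A line."""
    tok = shlex.split(line)
    rule = {"src": None, "dport": None, "target": None, "to": ""}
    for i, t in enumerate(tok[:-1]):
        negated = i > 0 and tok[i - 1] == "!"   # negated matches are ignored, not modelled
        if t in ("-s", "--source") and not negated:
            rule["src"] = tok[i + 1].replace("/32", "")
        elif t == "--dport" and not negated:
            rule["dport"] = tok[i + 1]
        elif t in ("-j", "--jump"):
            rule["target"] = tok[i + 1]
        elif t in ("--to-destination", "--to-ports"):
            rule["to"] = tok[i + 1]
    return rule

def audit_intercept(save_text, squid_ip, squid_port, web_port="80"):
    """List intercept rules in nat PREROUTING that no earlier Squid bypass precedes."""
    lines = [l for l in save_text.splitlines() if l.startswith("-A PREROUTING ")]
    findings, bypass_seen = [], False
    for n, r in enumerate(map(parse_rule, lines), 1):
        if r["dport"] != web_port:
            continue
        if r["target"] == "ACCEPT" and r["src"] == squid_ip:
            bypass_seen = True
        elif r["target"] in ("DNAT", "REDIRECT") and r["to"].split(":")[-1] == str(squid_port):
            if not bypass_seen:
                findings.append(f"PREROUTING rule {n}: {r['target']} to port "
                                f"{squid_port} with no earlier ACCEPT for -s {squid_ip}")
    return findings

if __name__ == "__main__":
    for name, text in (("looping", LOOPING), ("fixed", FIXED)):
        print(name, audit_intercept(text, "192.168.40.2", 3128) or "ok")
```

A rule that excludes the proxy with a negated source (`! -s`) is not modelled and will be reported for manual review.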

>
>
> --- On Thu, 2/2/12, Pieter De Wit wrote:
>
>> From: Pieter De Wit
>> Hi Mustafa,
>>
>> Can you please post your squid.conf ? (Remove all comments
>> and passwords
>> etc)
>>
>> Cheers,
>>
>> Pieter
>>
>> On 2/02/2012 23:04, Mustafa Raji wrote:
>>> hi
>>> please i have a forward loop warning in my cache.log
>> what is the cause of it
>>> i check the internet and find the cause is using peer
>> squid configuration and the two cache server has the same
>> visible_hostname but i never used the peer in my
>> configuration i have one cache server with intercept
>> configuration please can you tell me what is causes to the
>> cache forward loop the warning message is from cache.log
>>> 2012/02/02 12:02:23| WARNING: Forwarding loop detected
>> for:
>>> POST
>> /2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bnpuss,ConnType=KeepAlive
>> HTTP/1.1
>>> Accept: */*
>>> Content-Type: application/octet-stream
>>> User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)
>>> UserAgent: blugro2relay.groove.microsoft.com
>>> Content-Length: 22
>>> Pragma: no-cache
>>> Expires: 0
>>> Host: 192.168.40.2:3128
>>> Via: 1.0 squidtest (squid/3.1.11), 1.1 squidtest
>> (squid/3.1.11), 1.1 squidtest (squid/3.1.11)
>>> X-Forwarded-For: 192.168.40.1, 192.168.40.2,
>> 192.168.40.2
>>> Cache-Control: no-cache, max-age=0
>>> Connection: keep-alive
>>>
>>> and this error continues to appear with increasing the
>> values of via and x-forward-for
>>> my access.log file show this information at the same
>> time of the loop
>>> the ip 192.168.40.2 is the CacheServer ip
>>>
>>> Thu Feb 2 12:02:23 2012 0
>> 192.168.40.1 TCP_IMS_HIT/304 287 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl -
>> NONE/- application/pkix-crl
>>> Thu Feb 2 12:02:24 2012 898
>> 192.168.40.1 TCP_MISS/400 237 POST http://65.55.122.232/ - DIRECT/65.55.122.232 -
>>> Thu Feb 2 12:02:24 2012 8
>> 192.168.40.2 NONE/400 69168 NONE error:request-too-large -
>> NONE/- text/html
>>> Thu Feb 2 12:02:24 2012
>> 19 192.168.40.2 TCP_MISS/400 69275 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 23 192.168.40.2 TCP_MISS/400 69377 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 26 192.168.40.2 TCP_MISS/400 69479 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 30 192.168.40.2 TCP_MISS/400 69581 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 34 192.168.40.2 TCP_MISS/400 69683 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 37 192.168.40.2 TCP_MISS/400 69785 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 41 192.168.40.2 TCP_MISS/400 69887 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 44 192.168.40.2 TCP_MISS/400 69989 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 48 192.168.40.2 TCP_MISS/400 70091 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 51 192.168.40.2 TCP_MISS/400 70193 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 55 192.168.40.2 TCP_MISS/400 70295 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>> Thu Feb 2 12:02:24 2012
>> 58 192.168.40.2 TCP_MISS/400 70397 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
>>>
>>>
>>> after that this status appear to me in cache.log
>>>
>>> 2012/02/02 12:02:33| statusIfComplete: Request not yet
>> fully sent "POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/3m4dy9mseq7e9h39xecabcaqj24zjcgw4zts55s,ConnType=LongLived"
>>> and in 12:02:35 the server is return to work normally
>>>
>>> please can you help me in finding what is the cause of
>> this warning
>>
>>
Received on Sat Feb 04 2012 - 11:04:03 MST
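
The remark in the reply about "allow my_network" sitting above the Safe_ports and SSL_ports denies comes down to http_access being evaluated top to bottom with the first matching line deciding. The following is an added example, not code from the thread or from Squid: a small model of that evaluation run against a constructed excerpt that reuses ACL names and values from the posted config. `load`, `acl_match` and `decide` are hypothetical names, only the src, port and method ACL types are modelled, and the sample request is constructed.

```python
import ipaddress

# Constructed excerpt reusing ACL names and values from the posted squid.conf.
ACLS = """\
acl my_network src 192.168.40.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
"""
DENIES = "http_access deny !Safe_ports\nhttp_access deny CONNECT !SSL_ports\n"
ALLOW = "http_access allow my_network\n"
POSTED = ACLS + ALLOW + DENIES + "http_access deny all\n"      # order in the post
REORDERED = ACLS + DENIES + ALLOW + "http_access deny all\n"   # denies first

def load(conf):
    """Collect ACL definitions and the ordered http_access lines."""
    acls, rules = {"all": ("src", ["0.0.0.0/0"])}, []   # "all" is built in (IPv4 only here)
    for line in conf.splitlines():
        w = line.split("#")[0].split()
        if len(w) >= 4 and w[0] == "acl":
            acls.setdefault(w[1], (w[2], []))[1].extend(w[3:])
        elif len(w) >= 3 and w[0] == "http_access":
            rules.append((w[1], w[2:]))
    return acls, rules

def acl_match(acls, name, req):
    """Evaluate one ACL; only the src, port and method types are modelled."""
    kind, vals = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in vals)
    if kind == "port":
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in vals)
    if kind == "method":
        return req["method"] in vals
    raise ValueError(f"ACL type {kind!r} is not modelled")

def decide(conf, req):
    """Return (action, rule) for the first http_access line whose ACLs all match."""
    acls, rules = load(conf)
    for action, names in rules:
        if all(acl_match(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, " ".join(names)
    raise LookupError("no http_access line matched")

if __name__ == "__main__":
    req = {"src": "192.168.40.1", "method": "CONNECT", "port": 8443}   # constructed request
    print("posted:   ", decide(POSTED, req))
    print("reordered:", decide(REORDERED, req))
```

With the posted order the two deny lines are never reached for any client inside my_network; with the denies first, ordinary requests to port 80 from the same client are still allowed.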
