Re: [squid-users] request loop back in the access file

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 01 Mar 2012 22:34:49 +1300

On 01.03.2012 21:00, Mustafa Raji wrote:
> Hi,
> I have a problem with the Squid cache server.
> The problem is that requests are looped inside the access.log
> file when I activate the Squid server. The server was working
> normally in the last days; today I noticed slow
> performance in web browsing. When I checked the cache.log no
> error or warning is logged, only a few queue congestion
> warnings, which is normal because it's a test server and the
> cache dir is on the same SATA hard drive. But checking the
> access.log file, it logs so many repeated requests, as shown:
>
> 1330586819.008      0 192.168.40.1
> TCP_HIT/302 972 GET
>
> http://o-o.preferred.fra02s05.v24.lscache1.c.youtube.com/videoplayback?
> - NONE/- text/html
<snip>
>
> This is just a sample of the access.log file; these requests
> are infinite. Now when I activate the cache server these
> requests increase abnormally. The server is configured
> in intercept mode; when I connect to the server using manual
> configuration in the web browser (intercept mode disabled)
> the cache server works normally, so I think it's an iptables
> rules problem. My iptables rules are:
> first rule, for destination NAT to convert traffic to port
> 3128:
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
> --to-destination 192.168.40.2:3128
> and the second rule is for preventing forwarding loops, in the
> mangle table:
> iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j
> DROP

This does not prevent forwarding loops like you think. It prevents
machines contacting your intercept port directly (i.e. for the nasty URL
http://192.168.40.2:3128/).

To prevent forwarding loops in squid.conf you have "via on" (the
default is "on"). And in iptables you add:
   iptables -t nat -A PREROUTING -p tcp -s XX --dport 80 -j ACCEPT
...
  where "XX" is the outgoing IP your Squid uses (192.168.40.2? or
192.168.40.1?), and you place this rule *in front* of the DNAT rule.

>
> I have one interface to the internet and to the clients,
> using a Mikrotik DNAT rule, so I don't need MASQUERADE,

MASQUERADE is there to make the NAT changes symmetrical. DNAT is only
changing the destination IP:port on packets from the client. The ones
from Squid to the client need SNAT performed to "undo" the change.
MASQUERADE takes care of that automatically without having to set up a
SNAT rule for every unique destination IP:port you change with DNAT.

client --- DNAT -----> Squid <--->Internet
       <--MASQUERADE ---/

Also you said "using mikrotik dnat rule". Does that mean your NAT is
being done by the Mikrotik instead of the Squid box? That is bad. Use
policy routing or WCCP to push the packets unchanged to the Squid box
instead.

Amos
Received on Thu Mar 01 2012 - 09:34:53 MST
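As an added example (not code from this thread or from the Squid project), here is the iptables rule set Amos describes, followed by a small first-match walk of the nat PREROUTING chain that shows why the ACCEPT for Squid's own source IP has to sit in front of the DNAT. It assumes Squid's outgoing IP is 192.168.40.2 and the intercept port is 3128 (both overridable through the environment); the function names and the `src,dport,target` rule notation are invented for the illustration. The script only emits the iptables commands, it does not apply them, and the evaluator models nothing but the chain walk: it does not tell you which box (the Squid host or the Mikrotik) actually sees a given packet, which is the separate point Amos raises at the end of his reply.

```shell
#!/bin/sh
# Added example for this thread, not code from Amos or Mustafa.
# Assumptions (not in the original mail): Squid's outgoing IP is
# 192.168.40.2 and its intercept port is 3128; override via environment.
SQUID_IP=${SQUID_IP:-192.168.40.2}
SQUID_PORT=${SQUID_PORT:-3128}

# Emit the rule set in the order Amos describes: the ACCEPT for Squid's
# own source IP sits in front of the DNAT, the mangle DROP only stops
# hosts from hitting the intercept port directly, and MASQUERADE makes
# the NAT symmetrical for the reply direction.  Nothing is applied here.
squid_intercept_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp --dport $SQUID_PORT -j DROP
iptables -t nat -A PREROUTING -p tcp -s $SQUID_IP --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination $SQUID_IP:$SQUID_PORT
iptables -t nat -A POSTROUTING -j MASQUERADE
EOF
}

# Minimal first-match evaluator standing in for the kernel's walk of a
# chain.  A chain is a space-separated list of "src,dport,target" rules
# ("any" is a wildcard); the first matching rule wins, otherwise the
# chain policy ACCEPT applies.  Only for illustrating rule order.
# usage: chain_verdict "<chain>" <src-ip> <dst-port>
chain_verdict() {
    for rule in $1; do
        r_src=${rule%%,*}
        rest=${rule#*,}
        r_port=${rest%%,*}
        r_target=${rest#*,}
        if [ "$r_src" = any ] || [ "$r_src" = "$2" ]; then
            if [ "$r_port" = any ] || [ "$r_port" = "$3" ]; then
                echo "$r_target"
                return 0
            fi
        fi
    done
    echo ACCEPT
}

# The original poster's nat PREROUTING chain: DNAT only.
CHAIN_BROKEN="any,80,DNAT"
# Amos's version: Squid's own outgoing connections are exempted first.
CHAIN_FIXED="$SQUID_IP,80,ACCEPT any,80,DNAT"
# The mangle PREROUTING chain (the "nasty URL" guard) is the same in both.
CHAIN_MANGLE="any,$SQUID_PORT,DROP"

verdict_broken() { chain_verdict "$CHAIN_BROKEN" "$1" "$2"; }
verdict_fixed()  { chain_verdict "$CHAIN_FIXED"  "$1" "$2"; }
mangle_verdict() { chain_verdict "$CHAIN_MANGLE" "$1" "$2"; }

# Succeeds (exit 0) when Squid's own outbound port-80 traffic would be
# DNATed back into its intercept port, i.e. a forwarding loop.
loops() { [ "$(chain_verdict "$1" "$SQUID_IP" 80)" = DNAT ]; }

# Demo when run directly.
echo "# rule set:"
squid_intercept_rules
echo "# client 192.168.40.1 -> :80, broken chain: $(verdict_broken 192.168.40.1 80)"
echo "# squid $SQUID_IP -> :80, broken chain: $(verdict_broken "$SQUID_IP" 80)  (loop)"
echo "# squid $SQUID_IP -> :80, fixed chain:  $(verdict_fixed "$SQUID_IP" 80)"
echo "# client 192.168.40.1 -> :$SQUID_PORT, mangle: $(mangle_verdict 192.168.40.1 "$SQUID_PORT")"
```

Run it as `sh squid-intercept.sh` to see the rules and the verdicts; with the broken chain Squid's own fetches come back as DNAT (the loop the access.log shows), with the fixed chain they fall through to ACCEPT while client traffic is still redirected. If Squid's outgoing address is really 192.168.40.1, set `SQUID_IP=192.168.40.1` before running, since the ACCEPT is only useful when it names the address Squid actually sends from.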