Re: [squid-users] Upgrade of SQUID from 3.1 to 3.2 on Freebsd 8.3

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 15 Jan 2013 11:41:51 +1300

On 15/01/2013 5:00 a.m., Leslie Jensen wrote:
>
>
> 2013-01-14 16:05, Eliezer Croitoru skrev:
>> On 1/14/2013 1:48 PM, Leslie Jensen wrote:
>>>
>>> I've now upgraded squid to 3.2 and rewritten the firewall rule that
>>> resulted in a forwarding loop.
>>>
>>> Unfortunately I've got no access now and I can't see where I've made
>>> the error.
>>>
>>> The browser says squid is rejecting the requests:
>>> Access control configuration prevents your request from being
>>> allowed at this time.
>>>
>>>
>>> 1358162295.975 0 172.18.0.1 TCP_MISS/403 4052 GET
>>> http://www.skatteverket.se/ - HIER_NONE/- text/html
>>> 1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET
>>> http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
>>> 1358162296.110 0 172.18.0.1 TCP_MISS/403 4166 GET
>>> http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
>>> 1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET
>>> http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1
>>> text/html
>>> 1358162296.219 0 172.18.0.1 TCP_MISS/403 4058 GET
>>> http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
>>> 1358162296.219 1 172.18.0.102 TCP_MISS/403 4143 GET
>>> http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1
>>> text/html
>>> 1358162296.239 0 172.18.0.1 TCP_MISS/403 4090 GET
>>> http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
>>> 1358162296.240 1 172.18.0.102 TCP_MISS/403 4175 GET
>>> http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1
>>> text/html
>>>
>>
>> Look closely.. it's not squid.
>> if it was squid you would have seen TCP_DENIED.
>> you get a TCP_MISS which squid is ok with but a remote server DENIES you
>> with a 403 response.

Looking even closer there is a HIER_NONE showing the first TCP_MISS were
from Squid.

I think there are two bugs here:
1) the Host verification logic is resulting in TCP_MISS being logged
instead of TCP_DENIED on its 403 rejection.

2) his firewall intercept rules are catching Squid outbound traffic and
redirecting it to Squid.

>>
>> I would say it looks pretty bad since every request seems to go into
>> squid from two IP addresses which is like a loop.. but one which squid
>> can not recognize for an unknown reason.

172.18.0.1 is Squid's own IP.

>>
>> What have you done in the firewall to prevent the forwarding loop?
>>
>> By the way did you try to have a rule that allows all web requests
>> from the local machine of the proxy to not be intercepted?
>>
>> Regards,
>> Eliezer
>
> I've tried two things.
>
> First I disabled the rule that redirects the web traffic so that it
> goes directly to the Internet.
>
> It works.
>
> Then with the above rule still disabled I made the browser aware of
> the proxy by setting it manually in the browser settings.
>
> Then I get the same behaviour.
>
> I'm aware that tcp_miss should not be squid but with the redirecting
> rule disabled I do not quite understand where it goes wrong.
>
> I'll look into your suggestion and see if it helps.
>
> Thanks :-)
>
> /Leslie
>
>
>
Received on Mon Jan 14 2013 - 22:42:02 MST
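
The log reading discussed in this thread (requests arriving from Squid's own IP, and HIER_DIRECT pointing at that same IP) can be checked mechanically over an access.log. The following is an added example, not part of the original messages; the function names are hypothetical, the first four sample lines are the thread's log lines unwrapped, and the fifth is constructed.

```python
import re

# Squid native access.log fields:
# time elapsed client result/status bytes method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<ctype>\S+)\s*$"
)

# First four lines come from the thread (unwrapped); the last one is constructed
# to show a normal fetch that must not be flagged.
SAMPLE_LOG = """\
1358162295.975 0 172.18.0.1 TCP_MISS/403 4052 GET http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110 0 172.18.0.1 TCP_MISS/403 4166 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1 text/html
1358162300.000 120 172.18.0.102 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

def parse(log_text):
    """Return one dict per well-formed access.log line; skip anything else."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_loop_evidence(entries, proxy_ip):
    """Flag lines showing the proxy's own traffic coming back into the proxy."""
    findings = []
    for e in entries:
        if e["client"] == proxy_ip:
            # Request arrived from the proxy's own address: its outbound
            # traffic was sent back to it (point 2 in the reply above).
            findings.append(("request_from_self", e["url"], e["hier"]))
        elif e["peer"] == proxy_ip:
            # The proxy connected to its own address as if it were the origin.
            findings.append(("forwarded_to_self", e["url"], e["hier"]))
    return findings

if __name__ == "__main__":
    for kind, url, hier in find_loop_evidence(parse(SAMPLE_LOG), "172.18.0.1"):
        print(f"{kind:18} {hier:12} {url}")
```

Run it with the proxy's own address as `proxy_ip`; any output means the 403 responses in the log are being produced by the proxy itself rather than by the remote site.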