[squid-users] Squid 3.3 WARNING: Forwarding loop detected for:

From: Ewan Sadie <ESadie_at_metropolitan.co.za>
Date: Tue, 2 Apr 2013 08:59:21 +0000

Hi All

I am trying to get ssl-bump to work in transparent mode.
I am getting the below error in Squid 3.3.3 with normal interception even though a similar config works in 3.1.

The config works in normal proxy mode. If I define the proxy port 8080 in the browser, I get the dynamic SSL cert and all is working.
If however I define a transparent proxy (destination NAT to 3128), the intercept does not work, this is with intercept only, I am not even testing ssl-bump yet.

I also have issues with the upstream proxy in this squid version but I commented that out for now to limit the issues I have.
The custom external_acl_type works and I am able to transparently authenticate users on the intercept. You can see the username in the access.log (HTTP only)

The whole reason I am testing 3.3 is that I want to transparently intercept SSL with authentication.

NAT is done on the wifi controller for both the Squid 3.1 and 3.3 instance. Same rules for both Squid proxy servers.

ERROR CACHE.LOG:

2013/04/02 10:16:46 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: www.ibm.com
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Via: 1.1 10.3.184.29 (squid/3.3.3)
X-Forwarded-For: 10.9.3.13
Cache-Control: max-age=0
Connection: keep-alive

2013/04/02 10:16:48 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Accept: */*
Referer: http://www.ibm.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Via: 1.1 10.3.184.29 (squid/3.3.3)
X-Forwarded-For: 10.9.3.13
Cache-Control: max-age=0
Connection: keep-alive

ACCESS.LOG during error
1364892066.152 0 10.9.3.13 TCP_MISS/403 4072 GET http://www.ibm.com/ esadie HIER_DIRECT/10.3.184.29 text/html
1364892066.208 0 10.3.184.29 TCP_MISS/403 4005 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1364892066.208 0 10.9.3.13 TCP_MISS/403 4112 GET http://www.squid-cache.org/Artwork/SN.png esadie HIER_DIRECT/10.3.184.29 text/html

CONFIG:

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl 6-1 src 10.3.184.0/24
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl wifinet src 10.9.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow 6-1
external_acl_type wifi_user %SRC /etc/squid3/aruba_ldap
acl whitelist dstdomain "/etc/squid3/site.whitelist.txt"
acl wifi_auth external wifi_user REQUIRED
http_access allow wifi_auth
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
htcp_access deny all

#Had to define this I had errors indicating the items were missing. As if the defaults do not apply.
acl ssl::certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED
acl ssl::certNotYetValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID
acl ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
acl ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED
acl ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign signUntrusted ssl::certUntrusted

##Dynamic certificate portion
## run the command "/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db" to create the cert database. Make sure the folders and file can be written to by the proxy.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

visible_hostname 10.3.184.29
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem key=/etc/squid/myCA.pem
#http_port 8080
http_port 3128 intercept

ssl_bump server-first all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

always_direct allow all
#Upstream proxy server
#cache_peer 10.3.0.11 parent 80 0 login=*:password no-query default
#acl INSIDE_IP dst 10.0.0.0/8 192.168.0.0/16 196.31.3.128/25
#always_direct allow INSIDE_IP
#never_direct allow all

hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130

forwarded_for on
follow_x_forwarded_for allow localhost

coredump_dir /var/spool/squid

# MEMORY CACHE OPTIONS
cache_mem 1024 MB
#maximum_object_size_in_memory 16 KB
#memory_replacement_policy heap GDSF

# DISK CACHE OPTIONS
#cache_replacement_policy heap LFUDA
cache_dir aufs /cache 160000 64 256
#store_dir_select_algorithm least-load
#minimum_object_size 16 KB
#maximum_object_size 512 MB
#cache_swap_low 97
#cache_swap_high 99

#LOGFILE OPTIONS
access_log stdio:/var/log/squid/access.log squid

COMPILE PARAMETERS: I got these from some forum on the internet.

./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --disable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --enable-underscores --enable-ssl --enable-ssl-crtd
Received on Tue Apr 02 2013 - 09:01:13 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 03 2013 - 12:00:13 MDT