RE: [squid-users] RE: Squid 3.3 WARNING: Forwarding loop detected for:

Hi Amos

Thanks for the response. The explenation was excellent.
The firewall in my case is an Aruba wireless controller. It has a web interface that does not have a "route only" option.
I will have to see if I can do it from the console on the controller.

I will post back when I get it working.

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: 04 April 2013 04:56 AM
To: squid-users_at_squid-cache.org
Subject: Re: [squid-users] RE: Squid 3.3 WARNING: Forwarding loop detected for:

On 4/04/2013 3:16 a.m., Ewan Sadie wrote:
> I am new to iptables so I tried the following.
> I changed the listning port on the proxy to 3127, so that I do not need to change the DNAT on the router.
> The router does a DNAT to 3128.

What you have done:

  Router receives a packet saying:
   client 192.168.0.2 connnect to website 1.2.3.4:80
   router NAT removes 1.2.3.4:80 and adds 192.168.0.1:3128

  Squid box receives a packet saying:
   client 192.168.0.1 connect to website 192.168.0.1:3128
   Squid box NAT removes 192.168.0.1:3128 and adds 192.168.0.1:3127

  Squid receives packet saying:
   client 192.168.0.1 connect to website 192.168.0.1:3127
   the box NAT system informs Squid the packet destination was originally 192.168.0.1:3128

  ... there is a result. NAT is working perfectly fine *on the Squid box*. So failure warnings do not appear.

But where does Squid connect?

The HTTP Host: header cannot be trusted much in interception mode (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801). Squid-3.2 and later will verify that 192.168.0.2:3128 IP address NAT delivered belongs to the Host: header domain before allowing the Host: header to be used. When it fails (as it will fail 100% on your system) Squid will be transparent and pass the request on t the same place the cleint was connection.

On your system Squid is transparently relaying the intercepted traffic to the web server it is being told exists at 192.168.0.1:3128.

Routers need to *route* the port 80 traffic to the Squid box *without*
using NAT.

Amos
> I then ran the following command on the Squid server, iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3127
>
> I now do not see the forward loop errors any more but I do get TCP_MISS/503
> I can still browse vie the proxy by connecting to port 8080 so I know there is no rules blocking me.
> The fact the I get results in the access.log indicates to me that the redirection is happening.
>
>
>
>
> -----Original Message-----
> From: Ewan Sadie
>
>
> Hi All
>
> Did the handling of intercept change since Squid 3.2.x?
> Based on this article http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html, it seems that you have to do a rediect on the Squid box itself as well as on the router.
> Is this the case? I do not want to over complicate the setup with an aditional firewall as well.

Switch "as well as" for "istead of" and you will have the right idea.

Amos
Received on Thu Apr 04 2013 - 08:49:47 MDT