Re: [squid-users] OpenBSD + PF + Squid: forwarding loop

From: Rob Sheldon <rob_at_associatedtechs.com>
Date: Fri, 31 May 2013 15:19:04 -0700

On 2013-05-31 5:27, Marko Cupać wrote:
>
> Try setting squid to listen on loopback address:
>
> http_port 127.0.0.1:3128 intercept
>
> Redirect web traffic to loopback address in pf:
> pass in quick on $if_int inet proto tcp from 192.168.0.209 to any \
> port { www https } rdr-to 127.0.0.1 port 3128

No joy.

I'm pretty sure that I've just ruled out that it's anything at all to
do with pf or routing, other than maaaaybe the pooled outbound
connections (which only leaves me even more stumped). I enabled all
traffic in and out of loopback:

pass quick on lo0 proto tcp from any to any

...and I commented out the rdr rule(s) for anything Squid-related. Just
for extra measure I also commented out all other rdr rules, still no
change.

I set up the following http_port config in Squid:

http_port 127.0.0.1:3128
http_port 127.0.0.1:3139 intercept

...so Squid should be doing normal proxying on localhost 3128 and
interception proxying on 3139, yes?

To test it, on the firewall I "telnet localhost 3128" and "GET
http://www.google.com/ HTTP/1.0", and this works as expected. BUT, when
I "telnet localhost 3139" and "GET / HTTP/1.0" followed by "Host:
www.google.com", the forwarding loop error occurs.

This is driving me batty.

I also tcpdump'd lo0 while testing both 3128 and 3139, and I'm not
seeing any traffic outbound to 80 from that interface ... so I think
Squid must be attaching to another interface for outbound requests?
There doesn't seem to be a configuration option for that, it's possible
Squid's getting stuck in the pooled outbound interfaces somehow ... (I
did also try a site that wouldn't be cached by Squid, just to be sure.)

How can I troubleshoot this further? Is there a good way to look inside
of what Squid's doing when receiving and sending out requests?

- R.

-- 
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
Received on Fri May 31 2013 - 22:19:07 MDT
