Re: [squid-users] Re: Squid transparent proxy with one nic access denied problem.

From: Nikolai Gorchilov <niki_at_x3me.net>
Date: Tue, 18 Feb 2014 02:16:44 +0200

Hi Spyros,

Seems you're experiencing request loops that are unrelated to your ACLs.

Looking at the logs, we can clearly see pairs of requests for the same
URL. Like this:
1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html

As the logging happens at the end of transaction, records are ordered
by finish time, not start. They actually started in reverse order:
1. First came the request from 192.168.1.1 for http://www.tvxs.gr/.
2. As it was considered a MISS, your Squid decided to go directly to
the destination server (thus the hierarchy code HIER_DIRECT).
3. PROBLEM! PROBLEM! Surprisingly, Squid resolves www.tvxs.gr as
192.168.1.20 and fires the request towards this IP!
4. Boom! This is how the same request arrives again, this time from
source IP 192.168.1.20 (Squid itself). We have a loop!
5. Squid detects the loop (something like "WARNING: Forwarding loop
detected" in cache.log) and generates an internal error response like
HTTP/403 Forbidden, using ERR_ACCESS_DENIED or similar. Thus the hierarchy
code is HIER_NONE.
6. The error returns in the first instance of this request after 1ms,
and Squid returns it to the original caller (TCP_MISS/403).

I don't have a clear idea what the root cause of the loop is, but I'd do:
1. make http_port 192.168.1.20:3128 intercept
2. study carefully the DNS settings of both Ubuntu and OpenWRT:
- /etc/resolv.conf
- iptables: DNS interceptions and redirections (UDP & TCP port 53)
- change with other public DNS services
- tcpdump as much as possible ;-)

Hope this helps!

Best,
Niki
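As an added example (my code, not Niki's and not part of Squid), here is a small parser for the native access.log format that reconstructs each request's start time (finish minus elapsed) to restore the real arrival order, and flags the loop signature described above: a request forwarded HIER_DIRECT to the proxy's own address, paired with the same URL arriving from that address and answered locally. It assumes the native log format and the proxy address 192.168.1.20 from this thread; the fifth sample line is a constructed, healthy request used as a negative case.

```python
import re
from typing import NamedTuple

# Lines 1-4 are copied from the access.log quoted below; line 5 is a constructed
# healthy request (documentation-range peer IP) that must not be flagged.
SAMPLE_LOG = """\
1392590889.524 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590889.525 79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
1392590900.000 120 192.168.1.30 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/203.0.113.10 text/html
"""

# Native format: time elapsed client code/status bytes method URL ident hier/peer type
NATIVE_RE = re.compile(
    r"^(?P<sec>\d+)\.(?P<frac>\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<url>\S+)\s+\S+\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+\S+$")

class Entry(NamedTuple):
    finish_ms: int  # when Squid logged the transaction (the order in the file)
    start_ms: int   # finish minus elapsed: when the request actually arrived
    client: str
    url: str
    hier: str
    peer: str

def parse_native(text):
    """Parse native access.log lines, keeping timestamps as integer milliseconds."""
    entries = []
    for m in filter(None, map(NATIVE_RE.match, text.splitlines())):  # None = not a native line
        finish = int(m["sec"]) * 1000 + int(m["frac"].ljust(3, "0")[:3])
        entries.append(Entry(finish, finish - int(m["ms"]), *m.group("client", "url", "hier", "peer")))
    return entries

def by_start_time(entries):
    """access.log is ordered by finish time; sorting on start_ms restores arrival order."""
    return sorted(entries, key=lambda e: e.start_ms)

def find_loops(entries, proxy_ip, slack_ms=5):
    """Pair a request forwarded DIRECT to proxy_ip (outer) with its echo from proxy_ip (inner)."""
    loops = []
    for outer in entries:
        if outer.hier != "HIER_DIRECT" or outer.peer != proxy_ip:
            continue
        inner = next((i for i in entries if i.client == proxy_ip and i.url == outer.url
                      and i.hier == "HIER_NONE"
                      and outer.start_ms - slack_ms <= i.start_ms <= outer.finish_ms + slack_ms), None)
        if inner:
            loops.append((outer, inner))
    return loops
```

Run it over a real access.log with your own proxy address; any pair it returns is a request Squid sent to itself, which points at DNS or NAT rather than at http_access rules.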

On Tue, Feb 18, 2014 at 12:05 AM, Spyros Vlachos <spyros86_at_gmail.com> wrote:
> Hello! Sorry but I am new to this list and I don't know if I have sent
> the mail correctly and if anyone can see this. Is this the case?
> Sorry and thank you!
>
> On Mon, Feb 17, 2014 at 2:24 PM, Spyros Vlachos <spyros86_at_gmail.com> wrote:
>> Hello! Thank you in advance for your help.
>> I have a fairly simple home network setup.
>> I have a modem (192.168.2.254) that connects to the internet.
>> Connected to that modem through its own wan port
>> I have an openwrt router (192.168.1.1). My internal network is the
>> 192.168.1.0/24 one. On the router I have connected
>> an ubuntu 13.10 box (192.168.1.20) that acts as a squid proxy and dns
>> among other things. The ubuntu box has one network card.
>> I had successfully installed a transparent squid proxy by using DNAT
>> and SNAT on the router using the 12.04 version of ubuntu.
>> Because of some problems with my UPS I tried to install Ubuntu 13.10
>> which solved the UPS problem but also
>> upgraded the squid package to 3.3.8 from 3.1.something. My squid
>> configuration is as follows:
>>
>> #--Squid server 192.168.1.20---------------------------------------------------
>> acl localnet src 192.168.1.0/24
>> acl SSL_ports port 443
>> acl Safe_ports port 80 # http
>> acl Safe_ports port 21 # ftp
>> acl Safe_ports port 443 # https
>> acl Safe_ports port 70 # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535 # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl squid-prime dstdomain "/etc/squid3/squid-prime.acl"
>> acl CONNECT method CONNECT
>> http_access deny !Safe_ports
>> http_access deny CONNECT !SSL_ports
>> http_access allow localhost manager
>> http_access deny manager
>> http_access deny squid-prime
>> http_access allow localnet
>> http_access allow localhost
>> http_access deny all
>> http_port 3128 #HAVE tried transparent and intercept but the problem persists
>> coredump_dir /var/spool/squid3
>> refresh_pattern ^ftp: 1440 20% 10080
>> refresh_pattern ^gopher: 1440 0% 1440
>> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>> refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
>> refresh_pattern . 0 20% 4320
>> dns_nameservers 8.8.8.8 #have tried to use the local dns 127.0.0.1 but the same problem
>> #-------------------------------------------------------
>>
>> I have tried disabling the dns server of ubuntu because I have heard
>> of some problem it can cause to squid.
>>
>> My router (192.168.1.1) SNAT DNAT configuration is (openwrt luci gui)
>> 1) MATCH: From IP not 192.168.1.20 in lan Via any router IP at port 80
>> FORWARD TO: IP 192.168.1.20, port 3128 in lan
>> 2) MATCH: From any host in lan To IP 192.168.1.20, port 3128 in lan
>> Rewrite to source IP 192.168.1.1
>>
>> The error I get by using the above configurations is a constant Access
>> Denied error in the browser, and in the
>> squid access log it is:
>> #---------------------------------------------------------------------
>> 92 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590851.593 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590856.653 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590856.653 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590861.742 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590861.742 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590866.878 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590866.878 26 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590871.903 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590871.903 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590876.893 0 192.168.1.20 TCP_MISS/403 3985 GET http://notify7.dropbox.com/subscribe? - HIER_NONE/- text/html
>> 1392590876.893 1 192.168.1.1 TCP_MISS/403 4090 GET http://notify7.dropbox.com/subscribe? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590876.992 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590876.993 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590878.600 0 192.168.1.20 TCP_MISS/403 4390 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_NONE/- text/html
>> 1392590878.601 26 192.168.1.1 TCP_MISS/403 4495 POST http://safebrowsing.clients.google.com/safebrowsing/downloads? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590882.093 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590882.093 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590887.153 0 192.168.1.20 TCP_MISS/403 4088 GET http://stokokkino.live24.gr/stokokkino? - HIER_NONE/- text/html
>> 1392590887.153 1 192.168.1.1 TCP_MISS/403 4193 GET http://stokokkino.live24.gr/stokokkino? - HIER_DIRECT/192.168.1.20 text/html
>> 1392590889.524 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590889.525 79 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>> #----------------------------------------------------------------------------------------------------
>>
>>
>>
>> Thank you in advance!
>>
>>
>>
>> --
>> Spyros Vlachos.
>
>
>
> --
> Spyros Vlachos.
Received on Tue Feb 18 2014 - 00:17:36 MST

This archive was generated by hypermail 2.2.0 : Tue Feb 18 2014 - 12:00:06 MST