[squid-users] Forwarding loop on squid 3.3.8

From: Karma sometimes Hurts <karma.sometimes.hurts_at_gmail.com>
Date: Wed, 6 Aug 2014 14:26:24 +0100

Greetings,

I'm trying to set up a transparent proxy on Squid 3.3.8, Ubuntu Trusty
14.04, from the official APT repository. All boxes, including
the Squid box, are under the same router, but the Squid box is a
different server from the clients. It seems that for some reason the
configuration on the squid3 box side is missing something, as a
forwarding loop is produced.

This is the configuration of the squid3 box:

  visible_hostname squidbox.localdomain.com
  acl SSL_ports port 443
  acl Safe_ports port 80 # http
  acl Safe_ports port 21 # ftp
  acl Safe_ports port 443 # https
  acl Safe_ports port 70 # gopher
  acl Safe_ports port 210 # wais
  acl Safe_ports port 1025-65535 # unregistered ports
  acl Safe_ports port 280 # http-mgmt
  acl Safe_ports port 488 # gss-http
  acl Safe_ports port 591 # filemaker
  acl Safe_ports port 777 # multiling http
  acl CONNECT method CONNECT
  http_access allow all
  http_access deny !Safe_ports
  http_access deny CONNECT !SSL_ports
  http_access allow localhost manager
  http_access deny manager
  http_access allow localhost
  http_access allow all
  http_port 3128 intercept
  http_port 0.0.0.0:3127

This rule has been added to the client boxes:

  iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:3128

192.168.1.100 corresponds to the squid3 box. In the log below
192.168.1.20 is one of the clients.

2014/08/06 15:13:05| Starting Squid Cache version 3.3.8 for x86_64-pc-linux-gnu...
2014/08/06 15:13:27.900| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.20:54341 FD 8 flags=33
2014/08/06 15:13:27.901| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay;
NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f;
OGPC=5-25:
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

----------
2014/08/06 15:13:27.902| http.cc(2204) sendRequest: HTTP Server local=192.168.1.100:43140 remote=192.168.1.100:3128 FD 11 flags=1
2014/08/06 15:13:27.902| http.cc(2205) sendRequest: HTTP Server REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay;
NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f;
OGPC=5-25:
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

----------
2014/08/06 15:13:27.902| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.100:43140 FD 13 flags=33
2014/08/06 15:13:27.902| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PREF=ID=119a6e25e6eccb3b:U=95e37afd611b606e:FF=0:TM=1404500940:LM=1404513627:S=r7E-Xed2muOOp-ay;
NID=67=M5geOtyDtp5evLidOfam1uzfhl6likehxjXo7KcamK8c5jXptfx9zJc-5L7jhvYvnfTvtXYJ3yza7cE8fRq2x0iyVEHN9Pn2hz9urrC_Qt_xNH6IQCoT-3-eXTwb2h4f;
OGPC=5-25:
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

----------
2014/08/06 15:13:27.903| client_side.cc(1377) sendStartOfMessage: HTTP Client local=192.168.1.100:3128 remote=192.168.1.100:43140 FD 13 flags=33
2014/08/06 15:13:27.903| client_side.cc(1378) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.3.8
Mime-Version: 1.0
Date: Fri, 18 Jul 2014 10:33:27 GMT
Content-Type: text/html
Content-Length: 3932
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-US
X-Cache: MISS from squidbox.localdomain.com
X-Cache-Lookup: MISS from squidbox.localdomain.com:3127
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive

----------
2014/08/06 15:13:27.903| ctx: enter level 0: 'http://www.google.com/'
2014/08/06 15:13:27.903| http.cc(761) processReplyHeader: HTTP Server local=192.168.1.100:43140 remote=192.168.1.100:3128 FD 11 flags=1
2014/08/06 15:13:27.903| http.cc(762) processReplyHeader: HTTP Server REPLY:
---------

*Access denied page*

Squid3 is trying to connect to itself; why? No other iptables rules
have been added on either the client or the server side.

What could be causing this loop?

James
Received on Wed Aug 06 2014 - 13:26:31 MDT
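Editor's note with an added configuration, not part of James's post and not taken from the Squid project. It assumes the client LAN is 192.168.1.0/24 (the post only shows the .20 and .100 hosts) and that the Squid box can be made the clients' next hop for port-80 traffic. Two things in the posted setup deserve a look before anything else. First, an `intercept` port makes Squid ask the kernel for the connection's pre-NAT destination (the SO_ORIGINAL_DST lookup), so the NAT rewrite has to be performed on the Squid box itself. When the DNAT is done on the client, the packets that reach 192.168.1.100 were already addressed to 192.168.1.100:3128, there is no NAT state on the Squid box to undo, and the "original destination" Squid recovers is its own intercept port; Squid 3.2 and later deliberately forward intercepted requests to that recovered address rather than to whatever the Host header says, which is the self-connection visible in the log (`local=192.168.1.100:43140 remote=192.168.1.100:3128`, second pass carrying the proxy's own `Via`). Second, `http_access allow all` as the first rule matches every request before the `deny !Safe_ports`, `deny CONNECT !SSL_ports` and `manager` lines are ever evaluated, so both 3127 and 3128 are an open proxy to anything that can reach them.

```conf
# squid.conf for Squid 3.3 -- added example; the posted config is above.
# Assumed client subnet; adjust to the real LAN.
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Denies are evaluated first; the blanket "allow all" from the posted
# config is gone, and the final "deny all" closes the proxy to outsiders.
# localhost and manager are built-in ACLs in Squid 3.2+.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow localnet
http_access deny all

# Intercepted port-80 traffic lands here; 3127 stays a plain port for
# browsers that are configured to use the proxy explicitly.
http_port 3128 intercept
http_port 3127
visible_hostname squidbox.localdomain.com

# NAT belongs on the Squid box, not on the clients (shell, as root):
#   sysctl -w net.ipv4.ip_forward=1
#   iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 \
#       -j REDIRECT --to-ports 3128
# Remove the OUTPUT DNAT rule from the clients and instead route their
# traffic through 192.168.1.100 (default gateway, or a policy route for
# dport 80), so the PREROUTING rule actually sees the packets.
```

With the redirect in PREROUTING on the Squid box, Squid's own outbound fetches originate locally and traverse OUTPUT rather than PREROUTING, so they are not redirected back into the intercept port and the loop cannot recur from that side. If the clients cannot be routed through the Squid box at all, intercept mode is the wrong tool; configure the browsers to use 3127 explicitly (or via WPAD) instead of DNAT-ing to the intercept port.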
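As an added check, written by the editor and not code from the post or from Squid: a small parser over the kind of cache.log request dump shown above that flags the two signals of a proxy talking to itself, a client connection whose remote address is one of the proxy's own addresses, and a request that already carries the proxy's `visible_hostname` in `Via` (the same header Squid's own loop detection keys on). It assumes the record format in the post and a single proxy address; the embedded sample log is constructed from the post's two client-side records, trimmed to a few headers.

```python
"""Flag forwarding-loop evidence in a Squid 3.x cache.log request dump.

Added example, not from the post or the Squid project. It parses the
"parseHttpRequest: HTTP Client local=... remote=..." records and the
header block that follows each of them.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Squid 3.x debug record that precedes each dumped client request.
_CLIENT_RE = re.compile(
    r"parseHttpRequest: HTTP Client local=(\S+?):(\d+) remote=(\S+?):(\d+)"
)
# HTTP header names are tokens: no spaces, no '=' or ':' (RFC 7230).
_TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")

# Constructed sample modelled on the two client-side records in the post:
# the real client (192.168.1.20) followed by the proxy's own outbound
# connection arriving back on its intercept port.
SAMPLE_LOG = """\
2014/08/06 15:13:27.900| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.20:54341 FD 8 flags=33
2014/08/06 15:13:27.901| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
Connection: keep-alive

----------
2014/08/06 15:13:27.902| client_side.cc(2316) parseHttpRequest: HTTP Client local=192.168.1.100:3128 remote=192.168.1.100:43140 FD 13 flags=33
2014/08/06 15:13:27.902| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
Host: www.google.com
Via: 1.1 squidbox.localdomain.com (squid/3.3.8)
Connection: keep-alive

----------
"""


@dataclass
class ClientRequest:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    request_line: str = ""
    headers: Dict[str, List[str]] = field(default_factory=dict)

    def header(self, name: str) -> List[str]:
        """All values of a header, case-insensitively (Via may repeat)."""
        return self.headers.get(name.lower(), [])


def parse_client_requests(log_text: str) -> List[ClientRequest]:
    """Extract every dumped client request together with its socket addresses."""
    requests: List[ClientRequest] = []
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = _CLIENT_RE.search(lines[i])
        if not m:
            i += 1
            continue
        req = ClientRequest(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        # Advance to the "---------" line that opens the header dump.
        while i < len(lines) and not lines[i].startswith("---------"):
            i += 1
        i += 1
        if i < len(lines):
            req.request_line = lines[i].strip()
            i += 1
        last_name = None
        # Headers run until the blank line that terminates the block.
        while i < len(lines) and lines[i].strip() and not lines[i].startswith("----------"):
            name, sep, value = lines[i].partition(":")
            if sep and _TOKEN_RE.fullmatch(name.strip()):
                last_name = name.strip().lower()
                req.headers.setdefault(last_name, []).append(value.strip())
            elif last_name is not None:
                # Line-wrapped continuation, as with the long Cookie header in the post.
                req.headers[last_name][-1] += " " + lines[i].strip()
            i += 1
        requests.append(req)
    return requests


def find_loop_evidence(
    requests: Iterable[ClientRequest], own_ips: Iterable[str], visible_hostname: str
) -> List[Tuple[ClientRequest, str]]:
    """Return (request, reason) pairs showing the proxy acting as its own client."""
    own = set(own_ips)
    findings: List[Tuple[ClientRequest, str]] = []
    for req in requests:
        if req.remote_ip in own:
            findings.append((req, f"connection comes from the proxy's own address "
                                  f"{req.remote_ip}:{req.remote_port}"))
        for via in req.header("Via"):
            if visible_hostname in via:
                findings.append((req, f"Via already names this proxy: {via!r}"))
    return findings


if __name__ == "__main__":
    reqs = parse_client_requests(SAMPLE_LOG)
    for req, why in find_loop_evidence(reqs, {"192.168.1.100"}, "squidbox.localdomain.com"):
        print(f"{req.request_line} from {req.remote_ip}:{req.remote_port}: {why}")
```

Feed it a real cache.log captured at the same debug level that produced the dump in the post, together with every address the proxy listens on. On the sample it reports nothing for the first record and both signals for the second, which is the record to look at: a request that arrives from the proxy's own address with its own name already in `Via` has been forwarded to the listening port it came in on.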