Re: [squid-users] Forwarding loop on squid 3.3.8

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 07 Aug 2014 01:52:08 +1200

On 7/08/2014 1:26 a.m., Karma sometimes Hurts wrote:
> Greetings,
>
> I'm trying to set up a transparent proxy on Squid 3.3.8, Ubuntu Trusty
> 14.04 from the official APT repository. All boxes including
> the Squid box are under the same router, but the squid box is on a
> different server than the clients. Seems that for some reason the
> configuration on the squid3 box side is missing something, as a
> forwarding loop is produced.
>
> This is the configuration of the squid3 box:
>
> visible_hostname squidbox.localdomain.com
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow all
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access allow all
> http_port 3128 intercept
> http_port 0.0.0.0:3127
>
> This rule has been added to the client boxes:
>
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
> 192.168.1.100:3128

That's the problem. NAT is required on the Squid box *only*.

>
> 192.168.1.100 corresponds to the squid3 box. In the log below
> 192.168.1.20 is one of the clients.

When receiving intercepted traffic current Squid validates the
destination IP address against the claimed Host: header domain DNS
records to avoid several nasty security vulnerabilities connecting to
that Host domain. If that fails the traffic is instead relayed to the
original IP:port address in the TCP packet. That address arriving into
your Squid box was 192.168.1.100:3128 ... rinse, repeat ...

Use policy routing, or a tunnel (GRE, VPN, etc) that does not alter the
packet src/dst IP addresses to get traffic onto the Squid box.

Amos
Received on Wed Aug 06 2014 - 13:52:27 MDT
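One way to lay out the NAT and policy routing Amos describes, as an added example that is not from the thread: only the Squid box (192.168.1.100, from the thread) rewrites destinations, and the router steers client port-80 packets to it unchanged. It assumes the router is a Linux box, a client subnet of 192.168.1.0/24 and a LAN interface eth0, both of which are guesses; with the default DRY_RUN=1 it only prints the commands so each half can be reviewed before running it on the matching host.

```shell
#!/bin/sh
# Added example, not from the thread. SQUID_IP comes from the thread; the
# client subnet and LAN interface are assumed values to edit before use.
# DRY_RUN=1 (default) prints the commands instead of running them.
SQUID_IP=${SQUID_IP:-192.168.1.100}
CLIENT_NET=${CLIENT_NET:-192.168.1.0/24}
LAN_IF=${LAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# On the (assumed Linux) router: no DNAT at all. Mark client port-80 traffic
# and policy-route it to the Squid box; the packet keeps the real server IP.
router_rules() {
  # Squid's own outbound fetches come from SQUID_IP and must not be sent
  # back to it, or the loop simply moves to the router.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SQUID_IP" -j RETURN
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENT_NET" \
      -p tcp --dport 80 -j MARK --set-mark 1
  run ip rule add fwmark 1 table 100
  run ip route add default via "$SQUID_IP" dev "$LAN_IF" table 100
}

# On the Squid box: the only place NAT happens. REDIRECT records the original
# destination in this host's conntrack table, so Squid recovers the real
# server address (not 192.168.1.100:3128) and its Host validation has the
# right address to compare against.
squid_rules() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$CLIENT_NET" \
      -p tcp --dport 80 -j REDIRECT --to-ports 3128
}

# Print (or apply) both halves; run each half on the matching host only.
echo "# router"; router_rules
echo "# squid box"; squid_rules
```

Fixing the loop does not fix the posted squid.conf, whose first `http_access allow all` matches before any of the deny lines, so those never fire and the proxy is open to anything that can reach port 3127 or 3128.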

This archive was generated by hypermail 2.2.0 : Wed Aug 06 2014 - 12:00:04 MDT