[squid-users] how to avoid logging loops in a sandwich conf?

From: nils toedtmann <ntoedtmann@dont-contact.us>
Date: Tue, 15 Oct 2002 19:24:09 +0200

Hi,

we are using a so called "squid-sandwich" around a non-caching virus-scanning
http-proxy that floods its logs with "WARNING: Forwarding loop detected".
Our setup:

  client (!= localhost) --> squid --> virus scanner --> squid --> webserver

The squid uses virusscanner (localhost:13128) as parent, if request is not
originated by localhost. virusscanner uses squid as parent (see conf below)

We really want to avoid setting up two squids on the same machine (two pid-
files, adjusting the startup-files to that ...) that would be too ugly.

And we really need the squid on both sides of the scanner: its caching mech'
is poor and it does not know about http-auth (so squid on the client side),
its dns-lookup and http-->ftp proxying are buggy (so squid on the server
side).

It works fine for us, but unfortunately, we cannot stop squid from whining
about "WARNING: Forwarding loop detected for:" in its logs. We did not find

  * an option to use different hostnames on the different IPs or ports
    (I think that would be the best solution)

  * an option for disabling setting the "via" header

  * an option for "do not complain about loops, they're ok"

in the docs/faq (maybe we overlooked it).

So: HOW TO SETUP A SQUID-SANDWICH USING _ONE_ SQUID NOT COMPLAINING
    ABOUT LOOPS?

See below for parts of our squid.conf (as You see, we got confused about
"always_direct allow" and "never_direct deny". Maybe somebody can
solve that miracle ...)

Regards, /nils.

### /etc/squid/squid.conf ##############################

visible_hostname http-proxy.marcant.net

icp_port 0

cache_peer 127.0.0.1 parent 13128 0 default
ftp_passive off

hierarchy_stoplist cgi-bin ?

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 10.0.0.0/255.0.0.0

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unprivileged ports
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \?

no_cache deny QUERY
no_cache deny localhost

icp_access deny all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

always_direct allow CONNECT
always_direct allow localhost
always_direct deny all

never_direct deny CONNECT
never_direct deny localhost
never_direct allow all

###################################################

-- 
nils toedtmann
technische abteilung
marcant internet-services gmbh <http://www.marcant.net>
Received on Tue Oct 15 2002 - 11:24:18 MDT
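
Added example, not part of the original post and not Squid source code: a simplified Python model of Via-header loop detection (RFC 2616, section 14.45) applied to the sandwich path described in the message. It assumes the virus scanner forwards the Via header unchanged; `inner.example` is a hypothetical second name used only to show that detection keys on the name found in Via.

```python
# Simplified model of Via-based forwarding-loop detection (RFC 2616 sec. 14.45).
# Illustration only; this is not how Squid's source is organised.

PROXY_NAME = "http-proxy.marcant.net"  # visible_hostname from the posted squid.conf


def via_hosts(via_value):
    """Return the lower-cased received-by names listed in a Via header value.

    Each element is "<protocol-version> <received-by> [comment]".
    Simplification: comments are assumed not to contain commas.
    """
    hosts = []
    for element in via_value.split(","):
        fields = element.split()
        if len(fields) >= 2:
            # received-by may be "host" or "host:port"; keep only the host part
            hosts.append(fields[1].partition(":")[0].lower())
    return hosts


def proxy_pass(headers, my_name):
    """One pass through a proxy: look for my_name in Via, then append own entry.

    Returns (new_headers, loop_detected).
    """
    loop = my_name.lower() in via_hosts(headers.get("Via", ""))
    entry = f"1.0 {my_name} (squid)"
    new_headers = dict(headers)
    new_headers["Via"] = f"{headers['Via']}, {entry}" if headers.get("Via") else entry
    return new_headers, loop


def scanner_pass(headers):
    """The scanner is modelled as passing headers through untouched (assumption)."""
    return dict(headers)


def sandwich(headers, inner_name=PROXY_NAME):
    """client --> squid --> virus scanner --> squid --> webserver."""
    h, loop_first = proxy_pass(headers, PROXY_NAME)
    h = scanner_pass(h)
    h, loop_second = proxy_pass(h, inner_name)
    return h, loop_first, loop_second


if __name__ == "__main__":
    for name in (PROXY_NAME, "inner.example"):  # second name is hypothetical
        h, first, second = sandwich({"Host": "www.example.org"}, inner_name=name)
        print(f"second pass as {name}: loop={second}  Via: {h['Via']}")
```

The second pass reports a loop only when it announces the same name the first pass already wrote into Via, which is why every scanned request in the sandwich produces the warning.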
