Re: [squid-users] Warning

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 30 Aug 2011 17:08:18 +1200

On 30/08/11 08:07, Igor Rafael wrote:
> Hello,
> What might be causing this Warning?!
>
> "WARNING: Forwarding loop detected for:
> Client: 192.168.15.251 http_port: 192.168.15.202:3128"
>

http://wiki.squid-cache.org/SquidFaq/TroubleShooting#What_is_a_forwarding_loop.3F

>
> See my config file :
<snip>
> # Scenario 3. Mesh
> #cache_peer 192.168.15.200 parent 3128 0 no-query round-robin
> cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
> cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
> cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
> #prefer_direct off
> ### END Scenario 3 ###
<snip>
>
> # Basic configuration
> http_port 3128 transparent

It appears that this proxy is configured to perform BOTH of the traffic
operations which can lead to traffic loops.

I highly recommend using two http_port entries. 3128 for sibling
communications and moving the "transparent" to a second randomly chosen
port number. Your NAT settings will need updating to match that port.

  If this is a Linux box there are iptables mangle security rules that
need to be applied as well. Please compare your NAT settings against the
recommended configs:
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
   http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Possibly the loop was from a peer. You will need to find out why the
request is coming from this proxy into the peers and back out again
here. And some way to prevent it happening.

   miss_access may be useful, either here or in the siblings. It
prevents certain requests being relayed through the proxy using it.

>
> acl all src 0.0.0.0/0.0.0.0

Please use "acl all src all" if you have an old Squid. Or remove if this
is a 3.x release.

> icp_access deny all
> http_access allow all

Ouch. VERY unsafe. This is an open proxy. Whatever the firewall
situation around it is. Once that is breached this setup is a gaping
security hole to anywhere.

  I highly recommend creating an ACL of the LAN IPs from which you
accept traffic (ie the default localnet or our_networks definitions) and
changing that "allow all" into "allow localnet".

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.10
Received on Tue Aug 30 2011 - 05:08:33 MDT
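The two problems Amos calls out (an intercepting http_port sharing the port the sibling mesh uses, and "http_access allow all" turning the box into an open proxy) are both visible in the config text, so they can be caught by a quick lint before squid is restarted. The script below is an added example for this thread, not Squid project code and not something the original poster ran. It embeds two constructed squid.conf fragments: one mirroring the poster's setup, and one applying the advice in the reply. The second intercept port (3129), the localnet range (192.168.15.0/24) and the assumption that every proxy in the mesh listens on the same port number as its cache_peer lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: lint a squid.conf fragment for the two misconfigurations
# discussed in the thread. Not part of Squid or of the original message.

# Constructed fragment mirroring the original poster's configuration.
WEAK_CONF='
# Scenario 3. Mesh
cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
http_port 3128 transparent
acl all src 0.0.0.0/0.0.0.0
icp_access deny all
http_access allow all
'

# Constructed fragment applying the advice: 3128 is left for sibling
# traffic, interception moves to an assumed second port (3129), and
# http_access is restricted to an assumed LAN range.
FIXED_CONF='
cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
http_port 3128
http_port 3129 transparent
acl localnet src 192.168.15.0/24
icp_access deny all
http_access allow localnet
http_access deny all
'

# check_squid_conf: reads a squid.conf on stdin, prints one FINDING line per
# problem, and returns 1 if anything was found (0 when clean).
check_squid_conf() {
    # Drop comment and blank lines so "#http_port ..." does not count.
    conf=$(grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
    findings=0

    # 1. Open proxy: an unconditional "http_access allow all".
    if printf '%s\n' "$conf" | grep -Eq '^http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)'; then
        echo "FINDING: 'http_access allow all' -> open proxy"
        findings=1
    fi

    # 2. Loop risk: an intercepting http_port whose port number is the same
    #    one the cache_peer lines use. In a symmetric mesh (assumed here)
    #    that means sibling requests arrive on the intercept port.
    peer_ports=$(printf '%s\n' "$conf" | awk '$1=="cache_peer"{print $4}' | sort -u)
    intercept_ports=$(printf '%s\n' "$conf" |
        awk '$1=="http_port" && /transparent|intercept/ {n=split($2,a,":"); print a[n]}')
    for p in $intercept_ports; do
        for q in $peer_ports; do
            if [ "$p" = "$q" ]; then
                echo "FINDING: intercept port $p is also the cache_peer port -> forwarding loop risk"
                findings=1
            fi
        done
    done

    # 3. Obsolete ACL spelling that newer releases define built in.
    if printf '%s\n' "$conf" | grep -Eq '^acl[[:space:]]+all[[:space:]]+src[[:space:]]+0\.0\.0\.0/0\.0\.0\.0'; then
        echo "FINDING: obsolete 'acl all src 0.0.0.0/0.0.0.0' (use 'acl all src all' or drop it on 3.x)"
        findings=1
    fi

    return $findings
}

# Usage: run both constructed fragments through the lint.
printf '%s\n' "$WEAK_CONF" | check_squid_conf || echo "weak config: findings above"
printf '%s\n' "$FIXED_CONF" | check_squid_conf && echo "fixed config: clean"
```

To lint a real file, run `check_squid_conf < /etc/squid/squid.conf`. The port comparison is deliberately simple: it only flags the case where the intercepting port number equals a port named in a cache_peer line, which is exactly the single-port mesh in the thread, and it does not try to reason about the NAT rules that also have to be updated when the intercept port moves.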
