On 30/08/11 08:07, Igor Rafael wrote:
> Hello,
> What might be causing this Warning?!
>
> "WARNING: Forwarding loop detected for:
> Client: 192.168.15.251 http_port: 192.168.15.202:3128"
>
http://wiki.squid-cache.org/SquidFaq/TroubleShooting#What_is_a_forwarding_loop.3F
>
> See my config file :
<snip>
> # Scenario 3. Mesh
> #cache_peer 192.168.15.200 parent 3128 0 no-query round-robin
> cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
> cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
> cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
> #prefer_direct off
> ### END Scenario 3 ###
<snip>
>
> # Basic configuration
> http_port 3128 transparent
It appears that this proxy is configured to perform BOTH of the traffic
operations which can lead to traffic loops.
I highly recommend using two http_port entries. 3128 for sibling
communications and moving the "transparent" to a second randomly chosen
port number. Your NAT settings will need updating to match that port.
If this is a Linux box there are iptables mangle security rules that
need to be applied as well. Please compare your NAT settings against the
recommended configs:
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
Possibly the loop was from a peer. You will need to find out why the
request is coming from this proxy into the peers and back out again
here. And some way to prevent it happening.
miss_access may be useful, either here or in the siblings. It
prevents certain requests being relayed through the proxy using it.
>
> acl all src 0.0.0.0/0.0.0.0
Please use "acl all src all" if you have an old Squid. Or remove if this
is a 3.x release.
> icp_access deny all
> http_access allow all
Ouch. VERY unsafe. This is an open proxy. Whatever the firewall
situation around it is. Once that is breached this setup is a gaping
security hole to anywhere.
I highly recommend creating an ACL of the LAN IPs from which you
accept traffic (i.e. the default localnet or our_networks definitions) and
changing that "allow all" into "allow localnet".
Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.10

Received on Tue Aug 30 2011 - 05:08:33 MDT
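The two problems Amos points out (an intercepting http_port that shares its port number with the cache_peer siblings, and an open `http_access allow all`) are easy to check for mechanically. The following is an added example, not code from the thread or from the Squid project: a small Python audit of a squid.conf excerpt. The "as posted" input is constructed from the lines quoted above; the "corrected" input follows Amos's advice, with port 3129 standing in for the "randomly chosen" second port and 192.168.15.0/24 as an assumed LAN range (both placeholders). The `intercept` keyword is accepted alongside `transparent` because Squid 3.1 introduced it as the replacement spelling.

```python
"""Audit a squid.conf excerpt for the hazards discussed in this thread.

Added example, not Squid's code. It flags:
  1. an http_port marked 'transparent' or 'intercept' whose port number is
     also the HTTP port of a cache_peer, so peer traffic can be intercepted
     and looped back (the "Forwarding loop detected" warning);
  2. 'http_access allow all', i.e. an open proxy;
  3. the legacy 'acl all src 0.0.0.0/0.0.0.0' spelling.
"""
from typing import List


def parse(conf: str) -> List[List[str]]:
    """Tokenise directive lines, dropping comments and blank lines."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append(line.split())
    return entries


def audit(conf: str) -> List[str]:
    """Return a list of human-readable findings (empty means nothing flagged)."""
    findings: List[str] = []
    peer_ports = set()
    intercept_ports = set()
    for tok in parse(conf):
        directive = tok[0]
        if directive == "cache_peer" and len(tok) >= 4:
            # cache_peer HOSTNAME TYPE HTTP_PORT ICP_PORT [options]
            peer_ports.add(tok[3])
        elif directive == "http_port" and len(tok) >= 2:
            # Accept both "3128" and "192.168.15.202:3128" spellings.
            port = tok[1].rsplit(":", 1)[-1]
            if "transparent" in tok[2:] or "intercept" in tok[2:]:
                intercept_ports.add(port)
        elif directive == "http_access" and tok[1:] == ["allow", "all"]:
            findings.append("open proxy: 'http_access allow all'")
        elif directive == "acl" and tok[1:] == ["all", "src", "0.0.0.0/0.0.0.0"]:
            findings.append("legacy 'acl all src 0.0.0.0/0.0.0.0' "
                            "(use 'acl all src all' on 2.x; built in on 3.x)")
    for port in sorted(intercept_ports & peer_ports):
        findings.append(f"loop risk: port {port} is both an intercepting "
                        f"http_port and a cache_peer HTTP port")
    return findings


# Constructed from the excerpt quoted in the thread.
AS_POSTED = """
cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
http_port 3128 transparent
acl all src 0.0.0.0/0.0.0.0
icp_access deny all
http_access allow all
"""

# Constructed to follow the advice in the reply. Port 3129 and the
# 192.168.15.0/24 range are placeholders; the NAT REDIRECT rule on the
# box must be changed to target the new intercept port.
CORRECTED = """
cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
http_port 3128                      # plain port used by the siblings
http_port 3129 transparent          # intercept port, reached only via NAT
acl localnet src 192.168.15.0/24    # assumed LAN range
icp_access deny all
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label} ==")
        for f in audit(conf) or ["no findings"]:
            print(" -", f)
```

Run it on a real squid.conf by passing the file contents to `audit()`; the check is deliberately line-oriented and ignores `include` directives, so feed it the fully expanded configuration if you use those.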