I have a squid 2.5.9 setup used as an HTTP accelerator in
front of a site which was previously served by apache
alone. For various reasons some parts of the site are
served using mod_proxy in apache, calling back into itself
(typically this is so that we can cross a privilege
boundary, since apache can only set suexec UIDs on a
per-virtual-domain basis).
So, the previous configuration worked like this:
client makes request to http://www1.example.com/foo
apache for www1 makes subrequest to http://www2.example.com/bar
apache for www2 processes request
now we have this:
client makes request to http://www1.example.com/foo
squid accepts request, passes it to apache
apache for www1 makes subrequest to http://www2.example.com/bar
squid accepts requests but notices that it's named in
the Via: header, so rejects it because of a forwarding
loop
Now, in this case there is no forwarding loop, because
squid previously processed the request for
www1.example.com, not for www2.example.com. But squid just
checks whether it appears in the Via: header and does not
compare any other headers.
I've temporarily fixed this by adding ProxyVia block to
the apache config, but of course this means that squi is
unlikely to be able to detect a *real* forwarding loop if
we ever accidentally create one. Suggestions? It might be
possible to hack something up based on whether
X-Forwarded-Host: differs from Host: but that's a bit
nasty.
--
``If you're of average intelligence,
you've already outwitted most burglars.'' (Chris MacKenzie)
