Re: Forwarding loop detected issue

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Ricardo Nuno wrote:
> Hi all,
>
> I'm new to squid so bare with me. I just setup squid according to these instructions:
> http://www.howtoforge.com/dansguardian-with-multi-group-filtering-and-squid-with-ntlm-auth-on-debian-etch-p2

Oh dear.

> The setup is working but my logs are fill with these errors for every connection:
>
> 2009/02/03 17:20:15| WARNING: Forwarding loop detected for:
> Client: 127.0.0.1 http_port: 127.0.0.1:3128
> GET internal://lis.moonlight.lan/squid-internal-periodic/store_digest HTTP/1.0
> Accept: application/cache-digest
> Accept: text/html
> Via: 0.0 lis.moonlight.lan:3128 (squid/2.7.STABLE3)
> X-Forwarded-For: unknown
> Host: 127.0.0.1:8081
> Authorization: Basic Kjpub3Bhc3N3b3Jk
> Cache-Control: max-age=259200
> Connection: Close
>
> I know that these error is because of my cache_peer line iv been searching the web for the
> solution of this issue and i tried to separate the configs of the 2 squid instances but wen
> i did it the setup stop working.

See the 'include' directive which allows a section of squid.conf to be 
shared between two squid, each with their own squid.conf.

> Does this error will hurt the performance of Squid how can i fix it without breaking the 
> squi1+DG+squid2 setup? 

You don't appear to have a:
  Squid1->DG->Squid2 setup

you do appear to have a:
  Squid1 -> Internet or DG -> Squid1 -> Internet setup.

Is there any particular reason you need to have two squid?
The current feedback config appears to be needlessly complicated for any 
use I can think of right now for having two instances of squid running.

> regards,
> --Ricardo
>
> Squid Cache: Version 2.7.STABLE3
> DansGuardian 2.8.0.6
>
> My dansguardian.conf changes:
>
> filterip =
> filterport = 8081
> proxyip = 127.0.0.1
> proxyport = 3128
> usernameidmethodproxyauth = on
> forwardedfor = on
>
>
> Below is my squid.conf:
>
> http_port 127.0.0.1:3128 transparent

So what does your NAT table contain?
'transparent' does not fit with dansguardian being explicitly configured 
to pass back to the proxy on that port.

NP: if you also follow the transparent intercept recommendations passing 
stuff directly to dansguardian you end up opening a backdoor channel. 
Turning your box into a two-stage open proxy with partial anonymization.


> http_port 8080
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> cache_mem 1024 MB
> maximum_object_size 8096 KB
>
> cache_dir ufs /cache/squid 20000 16 256
> access_log /var/log/squid/access.log squid
>
> cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword

You are missing "no-digest no-netdb-exchange name=uniqPeer"

And also:
  acl localhost src 127.0.0.1
  cache_peer_access uniqPeer deny localhost

maybe also:
  acl interceptPort myport 3128
  cache_peer_access uniqPeer deny interceptPort

> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern .               0       20%     4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443          # https
> acl SSL_ports port 563          # snews
> acl SSL_ports port 873          # rsync
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 631         # cups
> acl Safe_ports port 873         # rsync
> acl Safe_ports port 901         # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl NTLMUsers proxy_auth REQUIRED
> acl rede_interna src 192.168.20.0/24
> acl h_trabalho time MTWHF 08:00-18:00
> acl downloads url_regex -i .exe .mp3 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .iso
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost
> http_access allow NTLMUsers
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> forwarded_for off

Turning off one of the features which detect breakage loops and request 
tracing.

> cache_effective_user proxy

> cache_effective_group proxy

Breaking winbind privileges.
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM#head-b97c45f4010166071a17e433b4433cd642defc1f

... and all that crazy winbind hack in the tutorial becomes useless.

> coredump_dir /var/spool/squid

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
  Current Beta Squid 3.1.0.5