Cami wrote:
Hi All,
I've been unsuccessful at trying to fix what appears to be a nasty forwarding loop.
After going through old posts concerning the matter, nothing seems to address the issue. Some information:
The Squid proxy in question has 1 interface (eth0 10.3.0.251).
We have a hardware router that sits in front of it and intercepts all traffic, and transparently redirects all traffic that comes through the router on port 80 to port 3128 on the proxy.
First breakage is doing NAT on a box where Squid is not running.
If you can do policy routing there to pass all non-Squid traffic to port 80 to the Squid box. Also called DMZ mode or port-specific bridging by some.
I've set up iptables to redirect it to Squid:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3129
Why is port 3128 involved?
Are you trying to catch people sending regular proxy requests to external proxies?
If these are internal clients just trying to get to your Squid, open its port 3128 and let them connect directly as normal clients.
Squid Cache: Version 3.1.1 config:
http_port 3129 transparent
visible_hostname lnx-proxy7.theweb.co.za
half_closed_clients off
Browsing "works fine" for most people. But occasionally I get the following in access.log:
1272042637.252 9974 10.3.0.251 TCP_MISS/000 0 GET http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
1272042637.252 9974 10.3.0.251 TCP_MISS/000 0 GET http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
1272042637.253 9974 10.3.0.251 TCP_MISS/000 0 GET http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
1272042637.253 9974 10.3.0.251 TCP_MISS/000 0 GET http://10.3.0.251:3128/ - DIRECT/10.3.0.251 -
In cache.log I see errors along the lines of the following:
2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
X-Forwarded-For: 10.2.29.125
Host: 10.3.0.251:3129
Cache-Control: max-age=259200
Connection: keep-alive
2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: 10.3.0.251:3129
Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
X-Forwarded-For: 10.2.29.125, 10.3.0.251
Cache-Control: max-age=259200
Connection: keep-alive
2010/04/23 19:13:27| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: 10.3.0.251:3129
Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
X-Forwarded-For: 10.2.29.125, 10.3.0.251, 10.3.0.251
Cache-Control: max-age=259200
Connection: keep-alive
And it keeps growing and growing. Does anyone have any ideas?
Your Squid is on the same side of the router as the clients, yes?
You need to make a rule in the router which prevents capturing any traffic from the Squid box. This needs to happen on the router before any rules that catch the traffic.
There are some examples of how to setup iptables at
http://wiki.squid-cache.org/ConfigExamples/Intercept
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.1
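The warnings above are produced by the same check any intercepting proxy can do on its own: if the incoming request's Via header already names this proxy, or the request is addressed to the proxy's own address and port, the traffic has been redirected back at us. The following is an added example of that check, written for this thread and not taken from Squid or from the posts; the hostname, addresses and ports are the ones quoted in the thread, and the function names and the sample request are my own constructions.

```python
from dataclasses import dataclass, field

# Values taken from the squid.conf and log lines quoted in the thread.
VISIBLE_HOSTNAME = "lnx-proxy7.theweb.co.za"
SELF_ADDRS = {"10.3.0.251"}
SELF_PORTS = {3128, 3129}


@dataclass
class LoopReport:
    via_hops: int                 # how many Via entries name this proxy
    self_addressed: bool          # Host header points at the proxy itself
    xff_chain: list = field(default_factory=list)  # X-Forwarded-For hops


def parse_request(raw):
    """Split a raw HTTP request into (request line, {lowercased header: value}).
    Continuation lines (leading whitespace) are joined to the previous header,
    which is how a wrapped Via line in the log would be written."""
    lines = raw.strip().splitlines()
    request_line, headers, last = lines[0], {}, None
    for line in lines[1:]:
        if line[:1] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return request_line, headers


def check_loop(raw, hostname=VISIBLE_HOSTNAME):
    """Return a LoopReport for one request; hostname is our own Via pseudonym."""
    _, h = parse_request(raw)
    via_entries = [v.strip() for v in h.get("via", "").split(",") if v.strip()]
    via_hops = sum(1 for v in via_entries if hostname in v)
    host, _, port = h.get("host", "").partition(":")
    self_addressed = host in SELF_ADDRS and (not port or int(port) in SELF_PORTS)
    xff = [x.strip() for x in h.get("x-forwarded-for", "").split(",") if x.strip()]
    return LoopReport(via_hops, self_addressed, xff)


def is_forwarding_loop(raw, hostname=VISIBLE_HOSTNAME):
    """True when the request has already passed through this proxy, or is aimed at it."""
    r = check_loop(raw, hostname)
    return r.via_hops > 0 or r.self_addressed


# Constructed sample mirroring the third cache.log warning in the thread.
LOOPED_REQUEST = """GET / HTTP/1.1
Host: 10.3.0.251:3129
Via: 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1), 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1),
 1.1 lnx-proxy7.theweb.co.za (squid/3.1.1)
X-Forwarded-For: 10.2.29.125, 10.3.0.251, 10.3.0.251
"""
```

Run on a normal intercepted request (no Via, Host pointing at an outside site) the check stays quiet; on the sample it reports three hops through the same proxy, which is exactly the growth Cami sees.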