Re: Warning

On 30/08/11 08:07, Igor Rafael wrote:
> Hello,
> What might be causing this Warning?!
>
> "WARNING: Forwarding loop detected for:
> Client: 192.168.15.251 http_port: 192.168.15.202:3128"


http://wiki.squid-cache.org/SquidFaq/TroubleShooting#What_is_a_forwarding_loop.3F



> See my config file :
> <snip>
> # Scenario 3. Mesh
> #cache_peer 192.168.15.200 parent 3128 0 no-query round-robin
> cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
> cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
> cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
> #prefer_direct off
> ### END Scenario 3 ###
> <snip>
>
> # Basic configuration
> http_port 3128 transparent

It appears that this proxy is configured to perform BOTH of the traffic operations which can lead to traffic loops.


I highly recommend using two http_port entries. 3128 for sibling communications and moving the "transparent" to a second randomly chosen port number. Your NAT settings will need updating to match that port.

If this is a Linux box there are iptables mangle security rules that need to be applied as well. Please compare your NAT settings against the recommended configs:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect


Possibly the loop was from a peer. You will need to find out why the request is coming from this proxy into the peers and back out again here. And some way to prevent it happening.

miss_access may be useful, either here or in the siblings. It prevents certain requests being relayed through the proxy using it.



> acl all src 0.0.0.0/0.0.0.0

Please use "acl all src all" if you have an old Squid. Or remove if this is a 3.x release.

> icp_access deny all
> http_access allow all

Ouch. VERY unsafe. This is an open proxy. Whatever the firewall situation around it is. Once that is breached this setup is a gaping security hole to anywhere.

I highly recommend creating an ACL of the LAN IPs from which you accept traffic (ie the default localnet or our_networks definitions) and changing that "allow all" into "allow localnet".

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.15
  Beta testers wanted for 3.2.0.10
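The two problems raised in the reply above (the intercept port shared with the sibling mesh, and the "http_access allow all" open proxy) are both visible from squid.conf alone, so they can be caught by a small configuration check before the proxy goes live. The following script is an added example, not part of the thread or of the Squid project; it carries a constructed copy of the posted configuration and a constructed hardened variant that follows the advice in the reply (second http_port on an assumed port 3129, a localnet ACL for an assumed 192.168.15.0/24, and a miss_access rule for the sibling addresses), and reports which of the two problems each variant has.

```python
"""Lint a squid.conf for the two problems discussed in the thread:
 1. an http_port carrying 'transparent'/'intercept' that is also the port
    the cache_peer siblings are configured to talk to (forwarding-loop risk);
 2. 'http_access allow all' reached before any 'deny all' (open proxy).
Example code written for this page; the sample configs are constructed.
"""
import shlex

# Constructed sample mirroring the configuration posted in the thread.
WEAK_CONF = """\
cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
http_port 3128 transparent
acl all src all
icp_access deny all
http_access allow all
"""

# Constructed hardened sample following the reply: sibling traffic stays on
# 3128, intercepted traffic moves to a separate port (3129 is an assumption,
# as is the 192.168.15.0/24 LAN range), and access is limited to localnet.
HARDENED_CONF = """\
cache_peer 192.168.15.253 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.252 sibling 3128 3130 no-digest proxy-only
cache_peer 192.168.15.251 sibling 3128 3130 no-digest proxy-only
http_port 3128
http_port 3129 transparent
acl localnet src 192.168.15.0/24
acl siblings src 192.168.15.251 192.168.15.252 192.168.15.253
acl all src all
icp_access deny all
# siblings may only be served hits here, never relayed out as misses
miss_access deny siblings
miss_access allow localnet
http_access allow localnet
http_access deny all
"""


def parse_squid_conf(text):
    """Return (directive, args) tuples, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def find_issues(text):
    """Return a list of human-readable problems found in the config text."""
    entries = parse_squid_conf(text)
    issues = []

    intercept_ports = set()
    peer_ports = set()
    for directive, args in entries:
        if directive == "http_port" and args:
            # http_port may be "3128" or "host:3128"; options follow the address
            port = args[0].rsplit(":", 1)[-1]
            if any(opt in ("transparent", "intercept") for opt in args[1:]):
                intercept_ports.add(port)
        elif directive == "cache_peer" and len(args) >= 3:
            # cache_peer <host> <type> <http_port> <icp_port> [options]
            peer_ports.add(args[2])
    shared = intercept_ports & peer_ports
    if shared:
        issues.append("intercept port also used for cache_peer traffic: "
                      + ", ".join(sorted(shared)))

    # http_access is evaluated top-down and the first matching line wins,
    # so an 'allow all' before any 'deny all' makes the proxy open.
    for directive, args in entries:
        if directive != "http_access" or len(args) < 2:
            continue
        action, acl_names = args[0], args[1:]
        if action == "allow" and acl_names == ["all"]:
            issues.append("open proxy: 'http_access allow all' "
                          "reached before any deny")
            break
        if action == "deny" and acl_names == ["all"]:
            break
    return issues


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, find_issues(conf) or "no issues")
```

The check is deliberately narrow: it only compares port numbers and looks at the first matching `http_access` line, so a config that restricts access through a chain of deny rules before the `allow all` would still be flagged, which is the conservative outcome for a lint.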