Re: forward loop

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 4/02/2012 8:02 p.m., Mustafa Raji wrote:
> hi Pieter
> this is my configuration file,
>
> #define access list for network
> acl my_network src 192.168.12.0/24
> acl my_network src 192.168.7.0/24
> acl my_network src 192.168.40.0/24
> acl my_network src 10.10.10.0/24
>
> #allow http access for the network
> http_access allow my_network
>
> #squid default acl configuration
> acl all src all

"all" is pre-defined in Squid-3. Remove the above line to silence those 
startup and reconfigure warnings you are getting about it.

> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports

Please read

the reconsider why you placed the "allow my_network" access permission 
above these basic security controls.

> http_access deny all
> http_port 3128 intercept
> http_port 8080
>
> #cache configuration
> #define core dump directory
> visible_hostname squidtest
> coredump_dir /var/coredump
>
> #define cache replacement policy
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
>
> #define cache memory
> cache_mem 512 MB
>
> #define squid log files
> access_log /var/log/squid3/access.log
> emulate_httpd_log off

"emulate_httpd_log" is deprecated for many years. OFF is also its 
default value. Remove this.

> cache_store_log none
>
> #include /etc/squid3/refresh.conf
> cache_log /var/log/squid3/cache.log
>
> #define cache direcotry
> cache_dir aufs /var/squid/aufs1 5000 16 256
> cache_dir aufs /var/squid/aufs2 5000 16 256
> cache_dir aufs /var/squid/aufs3 5000 16 256
>
>
> maximum_object_size 512 MB
>
>
> ipcache_size 5120
>
> cache_swap_low 85
> cache_swap_high 95
>
> cache_mgr mustafa.raji@xxxxxxxxx
> cachemgr_passwd xxxxx all
>
> thank you with my best regards


This config shows the loop is outside of Squid. Please re-check your NAT 
interception rules. They MUST begin with a rule permitting Squid to 
bypass the intercept.

Given that you have Debian system locations for your files I will assume 
your NAT rules need to look like these:
  http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat

Amos

> --- On Thu, 2/2/12, Pieter De Wit wrote:
>
> > From: Pieter De Wit
> > Hi Mustafa,
> >
> > Can you please post your squid.conf ? (Remove all comments
> > and passwords
> > etc)
> >
> > Cheers,
> >
> > Pieter
> >
> > On 2/02/2012 23:04, Mustafa Raji wrote:
> > > hi
> > > please i have a forward loop warning in my cache.log
> > what is the cause of it
> > > i check the internet and find the cause is using peer
> > squid configuration and the two cache server has the same
> > visible_hostname but i never used the peer in my
> > configuration i have one cache server with intercept
> > configuration please can you tell me what is causes to the
> > cache forward loop the warning message is from cache.log
> > > 2012/02/02 12:02:23| WARNING: Forwarding loop detected
> > for:
> > > POST
> > /2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bnpuss,ConnType=KeepAlive
> > HTTP/1.1
> > > Accept: */*
> > > Content-Type: application/octet-stream
> > > User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Win32)
> > > UserAgent: blugro2relay.groove.microsoft.com
> > > Content-Length: 22
> > > Pragma: no-cache
> > > Expires: 0
> > > Host: 192.168.40.2:3128
> > > Via: 1.0 squidtest (squid/3.1.11), 1.1 squidtest
> > (squid/3.1.11), 1.1 squidtest (squid/3.1.11)
> > > X-Forwarded-For: 192.168.40.1, 192.168.40.2,
> > 192.168.40.2
> > > Cache-Control: no-cache, max-age=0
> > > Connection: keep-alive
> > >
> > > and this error continues to appear with increasing the
> > values of via and x-forward-for
> > > my access.log file show this information at the same
> > time of the loop
> > > the ip 192.168.40.2 is the CacheServer ip
> > >
> > > Thu Feb  2 12:02:23 2012      0
> > 192.168.40.1 TCP_IMS_HIT/304 287 GET http://crl.microsoft.com/pki/crl/products/WinPCA.crl -
> > NONE/- application/pkix-crl
> > > Thu Feb  2 12:02:24 2012    898
> > 192.168.40.1 TCP_MISS/400 237 POST http://65.55.122.232/ - DIRECT/65.55.122.232 -
> > > Thu Feb  2 12:02:24 2012      8
> > 192.168.40.2 NONE/400 69168 NONE error:request-too-large -
> > NONE/- text/html
> > > Thu Feb  2 12:02:24 2012
> >     19 192.168.40.2 TCP_MISS/400 69275 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     23 192.168.40.2 TCP_MISS/400 69377 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     26 192.168.40.2 TCP_MISS/400 69479 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     30 192.168.40.2 TCP_MISS/400 69581 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     34 192.168.40.2 TCP_MISS/400 69683 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     37 192.168.40.2 TCP_MISS/400 69785 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     41 192.168.40.2 TCP_MISS/400 69887 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     44 192.168.40.2 TCP_MISS/400 69989 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     48 192.168.40.2 TCP_MISS/400 70091 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     51 192.168.40.2 TCP_MISS/400 70193 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     55 192.168.40.2 TCP_MISS/400 70295 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > Thu Feb  2 12:02:24 2012
> >     58 192.168.40.2 TCP_MISS/400 70397 POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/n7hngumkwg46fvvc2zuwzzcd6y43i3da4bn$
> > > after that this status appear to me in cache.log
> > >
> > > 2012/02/02 12:02:33| statusIfComplete: Request not yet
> > fully sent "POST http://192.168.40.2:3128/2.0/blugro2relay.groove.microsoft.com/3m4dy9mseq7e9h39xecabcaqj24zjcgw4zts55s,ConnType=LongLived";
> > > and in 12:02:35 the server is return to work normally
> > >
> > > please can you help me in finding what is the cause of
> > this warning