On 15/01/2013 5:00 a.m., Leslie Jensen wrote:
2013-01-14 16:05, Eliezer Croitoru skrev:
On 1/14/2013 1:48 PM, Leslie Jensen wrote:
I've now upgraded squid to 3.2 and rewritten the firewall rule that
resulted in a forwarding loop.
Unfortunately I've got no access now and I can't see where I've made
the
error.
The browser says squid is rejecting the requests:
Access control configuration prevents your request from being
allowed at
this time.
1358162295.975 0 172.18.0.1 TCP_MISS/403 4052 GET
http://www.skatteverket.se/ - HIER_NONE/- text/html
1358162295.976 11 172.18.0.102 TCP_MISS/403 4137 GET
http://www.skatteverket.se/ - HIER_DIRECT/172.18.0.1 text/html
1358162296.110 0 172.18.0.1 TCP_MISS/403 4166 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1358162296.110 99 172.18.0.102 TCP_MISS/403 4251 GET
http://www.squid-cache.org/Artwork/SN.png - HIER_DIRECT/172.18.0.1
text/html
1358162296.219 0 172.18.0.1 TCP_MISS/403 4058 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.219 1 172.18.0.102 TCP_MISS/403 4143 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1
text/html
1358162296.239 0 172.18.0.1 TCP_MISS/403 4090 GET
http://www.skatteverket.se/favicon.ico - HIER_NONE/- text/html
1358162296.240 1 172.18.0.102 TCP_MISS/403 4175 GET
http://www.skatteverket.se/favicon.ico - HIER_DIRECT/172.18.0.1
text/html
Look closly.. it's not squid.
if it was squid you would have seen TCP_DENIED.
you get a TCP_MISS which squid is ok with but a remote server DENIES you
with a 403 response.
Looking even closer there is a HEIR_NONE showing the frst TCP_MISS we
from Squid.
I think there are two bugs here:
1) the Host verification logic is resulting in TCP_MISS being logged
instead of TCP_DENIED on its 403 rejection.
2) his firewall intercept rules are catching Squid outbound traffic and
redirecting it to Squid.
I would say it looks pretty bad since every request seems to go into
squid from two IP addresses which is like a loop.. but one which squid
can not recognize from an unknown reason.
172.18.0.1 is Squids own IP.
What have you done in the firewall to prevent the forwarding loop?
By the way did you tried to have a rule that allows all web requests
from the local machine of the proxy to not be intercepted?
Regards,
Eliezer
I've tried two things.
First I disabled the rule that redirects the web traffic so that it
goes directly to the Internet.
It works.
Then with the above rule still disabled I made the browser aware of
the proxy by setting it manually in the browser settings.
Then I get the same behaviour.
I'm aware that tcp_miss should not be squid but with the redirecting
rule disabled I do not quite understand where it goes wrong.
I'll look into your suggestion and see if it helps.
Thanks :-)
/Leslie