Hi All Did the handling of intercept change since Squid 3.2.x? Based on this article http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html, it seems that you have to do a rediect on the Squid box itself as well as on the router. Is this the case? I do not want to over complicate the setup with an aditional firewall as well. -----Original Message----- From: Ewan Sadie Sent: 02 April 2013 10:59 AM To: squid-users@xxxxxxxxxxxxxxx Subject: Squid 3.3 WARNING: Forwarding loop detected for: Hi All I am trying to get ssl-bump to work in transparent mode. I am getting the below error in Squid 3.3.3 with normal interception even though a similar config works in 3.1. The config works in normal proxy mode. If I define the proxy port 8080 in the browser, I get the dynamic SSL cert and all is working. If however I define a transparent proxy (destination NAT to 3128), the intercept does not work, this is with intercept only, I am not even testing ssl-bump yet. I also have issues with the upstream proxy in this squid version but I commented that out for now to limit the issues I have. The custom external_acl_type works and I am able to transparently authenticate users on the intercept. You can see the username in the access.log (HTTP only) The whole reason I am testing 3.3 is that I want to transparently intercept SSL with authentication. NAT is done on the wifi controller for both the Squid 3.1 and 3.3 instance. Same rules for both Squid proxy servers. ERROR CACHE.LOG: 2013/04/02 10:16:46 kid1| WARNING: Forwarding loop detected for: GET / HTTP/1.1 Host: www.ibm.com User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us Accept-Encoding: gzip, deflate Via: 1.1 10.3.184.29 (squid/3.3.3) X-Forwarded-For: 10.9.3.13 Cache-Control: max-age=0 Connection: keep-alive 2013/04/02 10:16:48 kid1| WARNING: Forwarding loop detected for: GET /Artwork/SN.png HTTP/1.1 Host: www.squid-cache.org User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3 Accept: */* Referer: http://www.ibm.com/ Accept-Language: en-us Accept-Encoding: gzip, deflate Via: 1.1 10.3.184.29 (squid/3.3.3) X-Forwarded-For: 10.9.3.13 Cache-Control: max-age=0 Connection: keep-alive ACCESS.LOG during error 1364892066.152 0 10.9.3.13 TCP_MISS/403 4072 GET http://www.ibm.com/ esadie HIER_DIRECT/10.3.184.29 text/html 1364892066.208 0 10.3.184.29 TCP_MISS/403 4005 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html 1364892066.208 0 10.9.3.13 TCP_MISS/403 4112 GET http://www.squid-cache.org/Artwork/SN.png esadie HIER_DIRECT/10.3.184.29 text/html CONFIG: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl 6-1 src 10.3.184.0/24 acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl wifinet src 10.9.0.0/16 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow 6-1 external_acl_type wifi_user %SRC /etc/squid3/aruba_ldap acl whitelist dstdomain "/etc/squid3/site.whitelist.txt" acl wifi_auth external wifi_user REQUIRED http_access allow wifi_auth http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all icp_access deny all htcp_access deny all #Had to define this I had errors indicating the items were missing. As if the defaults do not apply. acl ssl::certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED acl ssl::certNotYetValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID acl ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH acl ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED acl ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT sslproxy_flags DONT_VERIFY_PEER sslproxy_cert_sign signUntrusted ssl::certUntrusted ##Dynamic certificate portion ## run the command "/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db" to create the cert database. Make sure the folders and file can be written to by the proxy. sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 5 visible_hostname 10.3.184.29 http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem key=/etc/squid/myCA.pem #http_port 8080 http_port 3128 intercept ssl_bump server-first all # the following two options are unsafe and not always necessary: sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER always_direct allow all #Upstream proxy server #cache_peer 10.3.0.11 parent 80 0 login=*:password no-query default #acl INSIDE_IP dst 10.0.0.0/8 192.168.0.0/16 196.31.3.128/25 #always_direct allow INSIDE_IP #never_direct allow all hierarchy_stoplist cgi-bin ? refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern (cgi-bin|\?) 0 0% 0 refresh_pattern . 0 20% 4320 icp_port 3130 forwarded_for on follow_x_forwarded_for allow localhost coredump_dir /var/spool/squid # MEMORY CACHE OPTIONS cache_mem 1024 MB #maximum_object_size_in_memory 16 KB #memory_replacement_policy heap GDSF # DISK CACHE OPTIONS #cache_replacement_policy heap LFUDA cache_dir aufs /cache 160000 64 256 #store_dir_select_algorithm least-load #minimum_object_size 16 KB #maximum_object_size 512 MB #cache_swap_low 97 #cache_swap_high 99 #LOGFILE OPTIONS access_log stdio:/var/log/squid/access.log squid COMPILE PARAMETERS: I got these from some forum on the internet. ./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --disable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --enable-underscores --enable-ssl --enable-ssl-crtd
