Re: RE: Squid 3.3 WARNING: Forwarding loop detected for:

On 4/04/2013 3:16 a.m., Ewan Sadie wrote:
> I am new to iptables so I tried the following.
> I changed the listening port on the proxy to 3127, so that I do not need to change the DNAT on the router.
> The router does a DNAT to 3128.

What you have done:

 Router receives a packet saying:
  client 192.168.0.2 connect to website 1.2.3.4:80
  router NAT removes 1.2.3.4:80 and adds 192.168.0.1:3128

 Squid box receives a packet saying:
  client 192.168.0.1 connect to website 192.168.0.1:3128
  Squid box NAT removes 192.168.0.1:3128 and adds 192.168.0.1:3127

 Squid receives packet saying:
  client 192.168.0.1 connect to website 192.168.0.1:3127
  the box NAT system informs Squid the packet destination was originally 192.168.0.1:3128

... there is a result. NAT is working perfectly fine *on the Squid box*. So failure warnings do not appear.

But where does Squid connect?

The HTTP Host: header cannot be trusted much in interception mode (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0801). Squid-3.2 and later will verify that the 192.168.0.2:3128 IP address NAT delivered belongs to the Host: header domain before allowing the Host: header to be used. When it fails (as it will fail 100% on your system) Squid will be transparent and pass the request on to the same place the client was connecting.

On your system Squid is transparently relaying the intercepted traffic to the web server it is being told exists at 192.168.0.1:3128.


Routers need to *route* the port 80 traffic to the Squid box *without* using NAT.


Amos
> I then ran the following command on the Squid server, iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3127
>
> I now do not see the forward loop errors any more but I do get TCP_MISS/503
> I can still browse via the proxy by connecting to port 8080 so I know there are no rules blocking me.
> The fact that I get results in the access.log indicates to me that the redirection is happening.




> -----Original Message-----
> From: Ewan Sadie
>
>
> Hi All
>
> Did the handling of intercept change since Squid 3.2.x?
> Based on this article http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html, it seems that you have to do a redirect on the Squid box itself as well as on the router.
> Is this the case?  I do not want to over complicate the setup with an additional firewall as well.

Switch "as well as" for "instead of" and you will have the right idea.

Amos
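The packet trace and the Host: verification rule described in the reply above, worked through as a small model. This is an added illustration, not Squid code or anything from the thread's participants: the addresses and the Squid DNAT port come from the thread, while the Host: name "example.com", the one-entry DNS table, the port numbers 3127/3128 as the only Squid listening ports, and the simplification that the router keeps the client source address are assumptions. It compares the poster's setup (DNAT on the router plus REDIRECT on the Squid box) with the setup Amos recommends (route port 80 to the Squid box, REDIRECT only there), and shows why the first one ends with Squid relaying to itself.

```python
# Model of the interception chain discussed in this thread. Constructed
# illustration, not Squid code: the Host: name, DNS table and listening-port
# set are assumptions; the addresses are the ones used in the thread.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

SQUID_BOX = "192.168.0.1"      # from the thread
CLIENT = "192.168.0.2"         # from the thread
WEB = "1.2.3.4"                # from the thread
SQUID_PORTS = {3128, 3127}     # assumption: ports on which Squid's NAT front accepts traffic

# Constructed stand-in for DNS: the addresses a Host: name resolves to.
DNS = {"example.com": {WEB}}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    host: str                                    # HTTP Host: header
    orig_dst: Optional[Tuple[str, int]] = None   # pre-NAT destination that the local
                                                 # NAT table can report to Squid


def router_dnat(p: Packet) -> Packet:
    """Router rewrites the destination to the proxy (what the poster's router does)."""
    return replace(p, dst=SQUID_BOX, dport=3128)


def router_route(p: Packet) -> Packet:
    """Router forwards the packet toward the Squid box unchanged (policy routing)."""
    return p


def squid_box_redirect(p: Packet, from_port: int, to_port: int) -> Packet:
    """REDIRECT on the Squid box. The destination it replaces is what the local
    NAT table later reports as the original destination."""
    if p.dport == from_port:
        return replace(p, dst=SQUID_BOX, dport=to_port, orig_dst=(p.dst, p.dport))
    return p


def squid_intercept(p: Packet, dns=DNS) -> Tuple[str, Optional[Tuple[str, int]]]:
    """Where Squid forwards an intercepted request. Squid 3.2+ trusts Host:
    only if the NAT-reported original destination IP is one the Host: name
    resolves to; otherwise it relays to that original destination unchanged."""
    if p.orig_dst is None:
        return ("error", None)       # nothing to look up: NAT did not happen on this box
    ip, port = p.orig_dst
    if ip in dns.get(p.host, set()):
        return ("host-verified", (p.host, port))
    return ("passthrough", (ip, port))


def is_forwarding_loop(result) -> bool:
    """True when Squid would hand the request straight back to itself."""
    kind, target = result
    return kind == "passthrough" and target[0] == SQUID_BOX and target[1] in SQUID_PORTS


def scenario_dnat_on_router():
    """Poster's setup: DNAT on the router, then REDIRECT 3128->3127 on the Squid box."""
    p = Packet(CLIENT, WEB, 80, "example.com")
    p = squid_box_redirect(router_dnat(p), 3128, 3127)
    return squid_intercept(p)


def scenario_route_then_redirect():
    """Recommended setup: router routes port 80 to the Squid box; only that box does REDIRECT."""
    p = Packet(CLIENT, WEB, 80, "example.com")
    p = squid_box_redirect(router_route(p), 80, 3127)
    return squid_intercept(p)


if __name__ == "__main__":
    for name, fn in (("DNAT on router", scenario_dnat_on_router),
                     ("route, then REDIRECT", scenario_route_then_redirect)):
        r = fn()
        print(f"{name}: {r}  loop={is_forwarding_loop(r)}")
```

In the first scenario the only original destination the Squid box's NAT table can report is 192.168.0.1:3128, which no Host: name resolves to, so the Host: check fails and Squid relays to 192.168.0.1:3128, i.e. back into its own interception front. In the second scenario the reported original destination is 1.2.3.4:80, the check passes, and the request can be served normally.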



