Hi,
I'm a Squid newbie. I have an OpenBSD firewall running pf with multiple
outbound interfaces doing some connection pooling. I'm trying to get
Squid/SquidGuard up and running as a transparent proxy; I've been using
this guide: http://www.kernel-panic.it/openbsd/proxy/proxy4.html
I've run into a problem I don't understand and it's driving me bugnuts.
Hoping somebody can help sort me out.
If I set "http_port 3139", do no redirects in pf, and manually
configure my browser to use the firewall LAN side on 3139 as a proxy,
everything works just fine. If I change http_port to "3139 intercept",
turn on rdr in pf for just my test IP address (only!), and turn off my
browser's proxy config, I get "access denied" errors back from Squid,
along with complaints about forwarding loops. There's no goofy proxy
peering, no other redirects in pf ... I can't for the life of me figure
out where the loop is happening.
Here's the pf rule I'm using to activate the redirect for my test IP:
pass in quick on $if_int proto tcp from 192.168.0.209 to any port www
rdr-to 192.168.0.1 port 3139
...And here's my squid.conf, sans comments (I've stripped it down a bit
trying to figure this out):
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow all
http_port 3128
http_port 3139 intercept
visible_hostname firewall.local
...When testing, I'll toggle "intercept" on or off on the second
http_port config along with the rdr in pf.
What I'm seeing when running "squid -d 1 -N" is e.g.,
2013/05/30 17:19:03| WARNING: Forwarding loop detected for:
POST / HTTP/1.1
Host: ocsp.verisign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101
Firefox/10.0.12 Iceweasel/10.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Via: 1.1 firewall.local (squid/3.2.7)
X-Forwarded-For: 192.168.0.209
Cache-Control: max-age=259200
Connection: keep-alive
The only rule I'm changing in pf between the two scenarios is the rdr
rule for my IP only, so I don't think the loop is happening anywhere in
pf. I must have something in squid.conf seriously goofed up, but I
haven't been able to figure it out.
Any help?
Thanks,
- R.
--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
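Squid logs that warning when its own name (unique_hostname, which defaults to visible_hostname) already appears in the request's Via header, i.e. the request it is about to forward has passed through this same Squid before. As an added example that is not part of the original post, here is that check applied to the captured request head (trimmed to the relevant headers); any hostname other than firewall.local below is constructed.

```python
"""Via-header forwarding-loop check, modelled on the test Squid performs before
it logs "WARNING: Forwarding loop detected". Added example, not Squid's code."""
import re

# Request head quoted in the post, reduced to the headers that matter here.
CAPTURED_REQUEST = """POST / HTTP/1.1
Host: ocsp.verisign.com
Content-Type: application/ocsp-request
Via: 1.1 firewall.local (squid/3.2.7)
X-Forwarded-For: 192.168.0.209
Connection: keep-alive
"""

def parse_headers(raw: str) -> dict:
    """Lower-cased name -> value map; repeated fields are joined with ', '
    as HTTP permits for list-valued headers such as Via."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the request line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def via_hops(via: str) -> list:
    """Return the 'received-by' host of each Via entry. An entry looks like
    '[protocol/]version received-by [ (comment) ]', e.g.
    '1.1 firewall.local (squid/3.2.7)' or 'HTTP/1.0 upstream.example:3128'.
    (Assumes no commas inside comments.)"""
    hops = []
    for entry in re.split(r",\s*", via):
        entry = re.sub(r"\s*\(.*\)\s*$", "", entry).strip()  # drop comment
        parts = entry.split()
        if len(parts) >= 2:
            hops.append(parts[1].split(":")[0].lower())       # strip :port
    return hops

def forwarding_loop(raw_request: str, unique_hostname: str) -> bool:
    """True when this proxy's own name is already in Via: the request has
    been through this Squid before, so forwarding it again would loop."""
    via = parse_headers(raw_request).get("via")
    return bool(via) and unique_hostname.lower() in via_hops(via)

if __name__ == "__main__":
    print("loop:", forwarding_loop(CAPTURED_REQUEST, "firewall.local"))
```

In intercept mode a positive result means the redirected connection Squid opened toward the origin came back to the intercept port, which is why the warning appears with the rdr rule on and not with the browser configured explicitly.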