Hi list,

I'm running Squid 3.3 on Linux as part of a wireless hotspot solution. The box has two network interfaces: one to the outside world, the other a private LAN with IP 10.0.0.1. On the LAN I'm using CoovaChilli as an active portal. I'd like to transparently intercept and cache web traffic from wifi clients. Coova has a configuration option for the IP and port of an optional proxy - all web traffic from wireless clients will be routed through this. I've set it to 10.0.0.1:3128.

Here's my squid config:

acl localnet src 10.0.0.0/255.0.0.0 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow localnet
http_access deny all
http_port 10.0.0.1:3128 transparent
http_port 10.0.0.1:3127
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

Unfortunately this throws "WARNING: Forwarding loop detected" warnings (and in the client's browser an "Access Denied" error from Squid) and I can't figure out why.

Running Squid in debugging mode (level 2), here's what I see when one of the clients generates some Windows-related traffic:

2014/07/10 13:43:57.438| client_side.cc(2316) parseHttpRequest: HTTP Client local=10.0.0.1:3128 remote=10.0.0.4:60976 FD 8 flags=33
2014/07/10 13:43:57.438| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET /ncsi.txt HTTP/1.1
Connection: Close
User-Agent: Microsoft NCSI
Host: www.msftncsi.com

----------
2014/07/10 13:43:57.449| client_side_request.cc(786) clientAccessCheckDone: The request GET http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched 'localnet'
2014/07/10 13:43:57.449| client_side_request.cc(760) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2014/07/10 13:43:57.449| client_side_request.cc(786) clientAccessCheckDone: The request GET http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched 'localnet'
2014/07/10 13:43:57.450| forward.cc(121) FwdState: Forwarding client request local=10.0.0.1:3128 remote=10.0.0.4:60976 FD 8 flags=33, url=http://www.msftncsi.com/ncsi.txt
2014/07/10 13:43:57.451| peer_select.cc(289) peerSelectDnsPaths: Found sources for 'http://www.msftncsi.com/ncsi.txt'
2014/07/10 13:43:57.451| peer_select.cc(290) peerSelectDnsPaths:         always_direct = DENIED
2014/07/10 13:43:57.451| peer_select.cc(291) peerSelectDnsPaths:          never_direct = DENIED
2014/07/10 13:43:57.451| peer_select.cc(295) peerSelectDnsPaths:                DIRECT = local=0.0.0.0 remote=10.0.0.1:3128 flags=1
2014/07/10 13:43:57.451| peer_select.cc(304) peerSelectDnsPaths:              timedout = 0
2014/07/10 13:43:57.454| http.cc(2204) sendRequest: HTTP Server local=10.0.0.1:35439 remote=10.0.0.1:3128 FD 11 flags=1
2014/07/10 13:43:57.455| http.cc(2205) sendRequest: HTTP Server REQUEST:
---------
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4
Cache-Control: max-age=259200
Connection: keep-alive

----------
2014/07/10 13:43:57.456| client_side.cc(2316) parseHttpRequest: HTTP Client local=10.0.0.1:3128 remote=10.0.0.1:35439 FD 13 flags=33
2014/07/10 13:43:57.456| client_side.cc(2317) parseHttpRequest: HTTP Client REQUEST:
---------
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4
Cache-Control: max-age=259200
Connection: keep-alive

----------
2014/07/10 13:43:57.459| client_side_request.cc(786) clientAccessCheckDone: The request GET http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched 'localnet'
2014/07/10 13:43:57.459| client_side_request.cc(760) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2014/07/10 13:43:57.459| client_side_request.cc(786) clientAccessCheckDone: The request GET http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched 'localnet'
2014/07/10 13:43:57.459| WARNING: Forwarding loop detected for:
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
Host: www.msftncsi.com
Via: 1.1 c3me-pete (squid/3.3.8)
X-Forwarded-For: 10.0.0.4
Cache-Control: max-age=259200
Connection: keep-alive

2014/07/10 13:43:57.460| errorpage.cc(1281) BuildContent: No existing error page language negotiated for ERR_ACCESS_DENIED. Using default error file.
2014/07/10 13:43:57.463| client_side_reply.cc(1974) processReplyAccessResult: The reply for GET http://www.msftncsi.com/ncsi.txt is ALLOWED, because it matched 'localnet'
2014/07/10 13:43:57.463| client_side.cc(1377) sendStartOfMessage: HTTP Client local=10.0.0.1:3128 remote=10.0.0.1:35439 FD 13 flags=33
2014/07/10 13:43:57.463| client_side.cc(1378) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.3.8
Mime-Version: 1.0
Date: Thu, 10 Jul 2014 12:43:57 GMT
Content-Type: text/html
Content-Length: 3279
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from c3me-pete
X-Cache-Lookup: MISS from c3me-pete:3127
Via: 1.1 c3me-pete (squid/3.3.8)
Connection: keep-alive

My firewall looks like so:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            10.0.0.1
ACCEPT     udp  --  0.0.0.0/0            10.0.0.1             udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            10.0.0.1             udp dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            255.255.255.255      udp dpts:67:68
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.1             tcp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.1             tcp dpt:4990
ACCEPT     tcp  --  0.0.0.0/0            10.0.0.1             tcp dpt:3990
DROP       all  --  0.0.0.0/0            10.0.0.1

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

---

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0

Any ideas what I'm doing wrong?

I appreciate that this is a Squid mailing list, not CoovaChilli, but I don't think the problem is with Coova.

Thanks,
Pete