Re: Forwarding loop on squid 3.3.8

On 7/08/2014 1:26 a.m., Karma sometimes Hurts wrote:
> Greetings,
> 
> I'm trying to setup a transparent proxy on Squid 3.3.8, Ubuntu Trusty
> 14.04 from the official APT repository. All boxes including
> the Squid box are under the same router, but the squid box is on a
> different server than the clients. Seems that for some reason the
> configuration on the squid3 box side is missing something, as a
> forwarding loop is produced.
> 
> This is the configuration of the squid3 box:
> 
>   visible_hostname squidbox.localdomain.com
>   acl SSL_ports port 443
>   acl Safe_ports port 80          # http
>   acl Safe_ports port 21          # ftp
>   acl Safe_ports port 443         # https
>   acl Safe_ports port 70          # gopher
>   acl Safe_ports port 210         # wais
>   acl Safe_ports port 1025-65535  # unregistered ports
>   acl Safe_ports port 280         # http-mgmt
>   acl Safe_ports port 488         # gss-http
>   acl Safe_ports port 591         # filemaker
>   acl Safe_ports port 777         # multiling http
>   acl CONNECT method CONNECT
>   http_access allow all
>   http_access deny !Safe_ports
>   http_access deny CONNECT !SSL_ports
>   http_access allow localhost manager
>   http_access deny manager
>   http_access allow localhost
>   http_access allow all
>   http_port 3128 intercept
>   http_port 0.0.0.0:3127
> 
> This rule has been added to the client's boxes:
> 
>   iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination
> 192.168.1.100:3128

That's the problem. NAT is required on the Squid box *only*.

> 
> 192.168.1.100 corresponds to the squid3 box. In the log below
> 192.168.1.20 is one of the clients.


When receiving intercepted traffic, current Squid validates the
destination IP address against the claimed Host: header domain's DNS
records to avoid several nasty security vulnerabilities when connecting to
that Host domain. If that fails, the traffic is instead relayed to the
original IP:port address in the TCP packet. That address arriving at
your Squid box was 192.168.1.100:3128 ... rinse, repeat ...

Use policy routing, or a tunnel (GRE, VPN, etc) that does not alter the
packet src/dst IP addresses to get traffic onto the Squid box.

Amos
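The destination-selection logic Amos describes above, as an added example that is not part of this thread or of Squid's own code. It models an intercepting Squid that checks the Host: header against DNS, falls back to the socket's original IP:port when the check fails, and treats a request that carries its own hostname in Via as a forwarding loop. The DNS table, addresses, request details and hop limit are constructed for the example; the Via-based check is a simplified stand-in for Squid's real detection, not a copy of it.

```python
"""Why DNAT on the client loops an intercepting Squid back onto itself.

Added example (not code from the squid-users thread or from Squid). The
Host-vs-destination validation and the fall-back to the original IP:port
follow Amos's description; DNS entries, addresses and requests are
constructed for the example, and the Via-based loop check is a
simplified stand-in for Squid's own detection.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SQUID_IP = "192.168.1.100"                 # the squid3 box in the thread
SQUID_PORT = 3128                          # http_port 3128 intercept
VISIBLE_HOSTNAME = "squidbox.localdomain.com"
MAX_HOPS = 5                               # constructed safety limit

Addr = Tuple[str, int]

# Constructed DNS view as seen from the Squid box (example data only).
DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "intranet.localdomain.com": ["192.168.1.50"],
    VISIBLE_HOSTNAME: [SQUID_IP],
}


@dataclass
class Request:
    host_header: str
    original_dst: Addr                     # TCP destination on the accepted socket
    via: List[str] = field(default_factory=list)


def intercepted_dst(client_dst: Addr, nat_on_client: bool) -> Addr:
    """Destination Squid observes on the socket it accepted.

    With DNAT on the client, the rewritten address is what crosses the
    wire, so Squid only ever sees itself.  With REDIRECT on the Squid box,
    the kernel's conntrack entry keeps the pre-NAT address, which Squid
    reads back (SO_ORIGINAL_DST on Linux)."""
    return (SQUID_IP, SQUID_PORT) if nat_on_client else client_dst


def host_matches_dst(req: Request) -> bool:
    """Does the Host: header resolve to the IP the client connected to?"""
    return req.original_dst[0] in DNS.get(req.host_header, [])


def choose_upstream(req: Request) -> Addr:
    """Pick where Squid connects for an intercepted request."""
    if host_matches_dst(req):
        # Host header checks out: connect to the Host domain itself.
        return (DNS[req.host_header][0], req.original_dst[1])
    # Validation failed: relay to the original TCP IP:port instead.
    return req.original_dst


def forward(req: Request, hops: int = 0) -> str:
    """Follow the request until it leaves Squid or a loop is detected."""
    if VISIBLE_HOSTNAME in req.via:
        return "loop detected"             # our own name is already in Via
    if hops >= MAX_HOPS:
        return "hop limit"
    upstream = choose_upstream(req)
    if upstream == (SQUID_IP, SQUID_PORT):
        # We connected back to ourselves: the same request is accepted
        # again on the intercept port, now carrying our Via entry.
        req.via.append(VISIBLE_HOSTNAME)
        return forward(req, hops + 1)
    return f"{upstream[0]}:{upstream[1]}"


def simulate(host: str, client_dst: Addr, nat_on_client: bool) -> str:
    """Outcome for one client request under a given NAT placement."""
    req = Request(host, intercepted_dst(client_dst, nat_on_client))
    return forward(req)


if __name__ == "__main__":
    cases = [
        ("www.example.com", ("93.184.216.34", 80), True),   # thread's setup
        ("www.example.com", ("93.184.216.34", 80), False),  # NAT on Squid box
        ("www.example.com", ("203.0.113.7", 80), False),    # Host/IP mismatch
    ]
    for host, dst, on_client in cases:
        where = "client DNAT" if on_client else "Squid-box REDIRECT"
        print(f"{where:20} Host: {host:18} -> {simulate(host, dst, on_client)}")
```

With the client-side DNAT from the original post, every request arrives with 192.168.1.100:3128 as its destination, so the Host check can never pass and the fall-back sends Squid straight back to its own intercept port. With NAT only on the Squid box, a failed check still falls back to the real server address, which is harmless. The usual Linux setup is to deliver the clients' port-80 traffic to the Squid box unmodified (policy routing on the router, or a GRE/VPN tunnel) and then, on the Squid box, `iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128`; PREROUTING only sees packets arriving on that interface, so Squid's own outbound connections (which traverse OUTPUT) are not re-intercepted. One unrelated caveat on the posted squid.conf: Squid evaluates `http_access` lines in order and stops at the first match, so the `http_access allow all` placed before `deny !Safe_ports` and `deny CONNECT !SSL_ports` means those deny rules never run.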



