On 23 January 2015 at 16:53, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Okay. Can you explicitly add --disable-ipf-transparentOn 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:40, Amos Jeffries <squid3@xxxxxxxxxxxxx>
> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 16:07, Amos Jeffries
>>> <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>
>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>>>>
>>>>> Once more. You CANNOT have neither web-server nor other
>>>>> service with listening port 80 on the same host as
>>>>> transparent Squid proxy. This is one and only reason you
>>>>> have looping.
>>>>>
>>>>
>>>> That is not correct. It can be done, but depends on how the
>>>> firewall operates and what ruleset is used.
>>>>
>>>> One has to intercept traffic transiting the machine, but
>>>> ignore traffic destined *to* or *from* the local machines
>>>> running processes.
>>>>
>>>>> Look. On my transparent 3.4.11 (which was early 2.7)
>>>>> IPFilter redirects 80 port to proxy. My web server on the
>>>>> same host listens only 8080, 8088 and 8888 ports. No one
>>>>> service except NAT is using 80 port.
>>>>>
>>>>> And finally I have no looping 4 years.
>>>>>
>>>>> Obvious, is it?
>>>>>
>>>>
>>>> Maybe there was, maybe there wasn't.
>>>>
>>>> Squid-2.7 ignored a lot of NAT related errors and even
>>>> silently did some Very Bad Things(tm) - none of which
>>>> Squid-3.2+ will allow to happen anymore.
>>>>
>>>>
>>>> Odhiambo: I suspect it might be related to your use of "rdr"
>>>> firewall rules. In OpenBSD PF at least rdr rules do not work
>>>> properly and divert-to rules needs to be used instead
>>>> (divert-to can be used for either TPROXY or NAT Squid
>>>> listening ports on BSD).
>>>>
>>>
>>>
>>> I am thinking Squid-3.2+ is evil :-)
>>>
>>> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And
>>> my IPFilter rules are here: http://pastebin.com/JQ77X01H
>>>
>>> I need to figure out why squid is DENYing all access ..
>>>
>>
>> Can you update me on what the squid -v output is from the Squid
>> build you are having issues with pleae?
>>
>> Amos
>>
>
> root@mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache:
> Version 3.5.1-20150120-r13736 Service Name: squid configure
> options: '--prefix=/opt/squid35' '--enable-removal-policies=lru
> heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB
> NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session
> unix_group file_userip' '--enable-auth-negotiate=kerberos'
> '--with-pthreads' '--enable-storeio=ufs diskd rock aufs'
> '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr'
> '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2'
> '--enable-follow-x-forwarded-for' '--with-large-files'
> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
> '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
> '--enable-leakfinder' '--enable-ssl-crtd'
> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
> --enable-ltdl-convenience
>
- --disable-ipfw-transparent and see if that helps.
Also in squid.conf adding debugs_options ALL,1 89,9 will show just
the NAT lookup results where things are going wrong.
So, before I recompile, we can look at the debug output:
2015/01/23 17:07:45| storeLateRelease: released 0 objects
2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flag
s=33
2015/01/23 17:07:49.179| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.254:39850
2015/01/23 17:07:49.179| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.254:39850 FD 18 flag
s=33
2015/01/23 17:07:49.179| WARNING: Forwarding loop detected for:
GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Ho
se6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT
Range: bytes=3436183-3841157
User-Agent: Microsoft BITS/7.5
Host: cache.pack.google.com
Via: 1.1 aardvark (squid)
X-Forwarded-For: 192.168.2.115
Cache-Control: max-age=259200
Connection: keep-alive
2015/01/23 17:07:49.260| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58634
2015/01/23 17:07:49.260| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58634 FD 14 flag
s=33
2015/01/23 17:07:49.260| WARNING: Forwarding loop detected for:
GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Ho
se6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT
Range: bytes=3436183-3841157
User-Agent: Microsoft BITS/7.5
Host: cache.pack.google.com
Via: 1.1 aardvark (squid)
X-Forwarded-For: 192.168.2.115
Cache-Control: max-age=259200
Connection: keep-alive
2015/01/23 17:07:49.350| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58636
2015/
So there must be a way to deal with this loop in PF
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users