squid "internal?" loop - with no firewall nat going on..?

Hi,

I just set up a squid trying to get it to work in intercept mode..

I seem to hit some squid internal loop where it goes haywire internally somehow?

When I access it via port 3129 (tried from both localhost and from another host - same problem) - using

curl -H "Host: www.bt.dk" http://ip-of-squid-box/

the request just hangs..

I enabled debug logging and can see squid logging this:
----------
2015/03/10 13:07:47.028 kid1| client_side.cc(2407) parseHttpRequest: HTTP Client local=127.0.0.1:3129 remote=127.0.0.1:45060 FD 17 flags=33
2015/03/10 13:07:47.028 kid1| client_side.cc(2408) parseHttpRequest: HTTP Client REQUEST:
---------
GET / HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: www.bt.dk
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive


----------
2015/03/10 13:07:47.028 kid1| client_side_request.cc(759) clientAccessCheckDone: The request GET http://www.bt.dk/ is ALLOWED; last ACL checked: localhost
2015/03/10 13:07:47.028 kid1| client_side_request.cc(734) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2015/03/10 13:07:47.028 kid1| client_side_request.cc(759) clientAccessCheckDone: The request GET http://www.bt.dk/ is ALLOWED; last ACL checked: localhost
2015/03/10 13:07:47.028 kid1| FwdState.cc(124) FwdState: Forwarding client request local=127.0.0.1:3129 remote=127.0.0.1:45060 FD 17 flags=33, url=http://www.bt.dk/
2015/03/10 13:07:47.028 kid1| peer_select.cc(286) peerSelectDnsPaths: Found sources for 'http://www.bt.dk/'
2015/03/10 13:07:47.028 kid1| peer_select.cc(287) peerSelectDnsPaths: always_direct = ALLOWED
2015/03/10 13:07:47.028 kid1| peer_select.cc(288) peerSelectDnsPaths: never_direct = DENIED
2015/03/10 13:07:47.028 kid1| peer_select.cc(294) peerSelectDnsPaths: ORIGINAL_DST = local=0.0.0.0 remote=127.0.0.1:3129 flags=1
2015/03/10 13:07:47.028 kid1| peer_select.cc(301) peerSelectDnsPaths: timedout = 0
2015/03/10 13:07:47.028 kid1| TcpAcceptor.cc(220) doAccept: New connection on FD 14
2015/03/10 13:07:47.028 kid1| TcpAcceptor.cc(295) acceptNext: connection on local=[::]:3129 remote=[::] FD 14 flags=41
2015/03/10 13:07:47.029 kid1| http.cc(2219) sendRequest: HTTP Server local=127.0.0.1:45061 remote=127.0.0.1:3129 FD 18 flags=1
2015/03/10 13:07:47.029 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:
---------
GET / HTTP/1.1
User-Agent: curl/7.29.0
Accept: */*
Host: www.bt.dk
X-Forwarded-For: 127.0.0.1, 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive

When I then ctrl-c the client request..
it ends with
X-Forwarded-For: error, 127.0.0.1, 127.0.0.1, (and 100+ of , 127.0.0.1)
##########################################
end log output snippet
##########################################

and the logs keep going with X-Forwarded-For getting , 127.0.0.1 added ad infinitum..

I tcpdump'ed and saw no output from squid - so it seems to be an internal loop in squid.

My config is:
# predefined ACLs
#acl localhost src 127.0.0.1 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# predefined http_accesses
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# user-defined ACLs

# user-defined http_accesses
http_access allow localnet
http_access allow localhost
http_access deny all

# user-defined icp_access

# user-defined http_port
http_port 3128

# user-defined tcp_outgoing_addresses

# user-defined cache-dirs
# general settings
hierarchy_stoplist             cgi-bin ?
coredump_dir                   /var/spool/squid
maximum_object_size_in_memory  512 KB
maximum_object_size            4096 KB
#ignore_expect_100              off
cache_mgr                      root
client_persistent_connections  on
server_persistent_connections  on
#forwarded_for                  on
via                            off
access_log                     /var/log/squid/access.log squid

cache_mem                      256 MB
cache_store_log                /var/log/squid/store.log
cache_log                      /var/log/squid/cache.log
cache                          deny all

refresh_pattern                ^ftp:              1440    20%    10080
refresh_pattern                ^gopher:           1440     0%     1440
refresh_pattern                -i (/cgi-bin/|\?)     0     0%        0
refresh_pattern                .                     0    20%     4320


# user-defined configuration settings from config_hash
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/ssl/certs/cache/ -M 4MB
sslcrtd_children               8 startup=1 idle=1
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/ca.private cert=/etc/squid/ca.cert
sslproxy_flags                 DONT_VERIFY_PEER
always_direct                  allow all
http_port                      3129 intercept
shutdown_lifetime              3
sslproxy_cert_error            allow all
ssl_bump                       server-first all


p.s. it's a self-compiled squid-3.4.9 on centos 7.

--
Regards,
Klavs Klavsen, GSEC - kl@xxxxxxx - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
  --Henry Spencer

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
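The debug output in the post shows the mechanism of the loop: the client request arrives on the intercept port 3129 without any NAT in front of it, so `ORIGINAL_DST` resolves to `127.0.0.1:3129`, which is Squid's own listener; Squid forwards the request there, accepts it again as a new client connection (the `TcpAcceptor` lines), and appends one more `127.0.0.1` to `X-Forwarded-For` on every pass. Squid's built-in forwarding-loop check keys on the `Via` header, and the posted config turns that header off (`via off`), so nothing stops the cycle. As an added example, not code from the post or from the Squid project, here is a small checker that reads a squid.conf and a cache.log excerpt and flags the two symptoms visible above: an `ORIGINAL_DST` pointing back at one of the proxy's own intercept ports, and an `X-Forwarded-For` chain longer than a chosen hop limit. The sample config and log lines are constructed from the ones in the thread; the `own_hosts` list and the `max_hops` threshold are assumptions to adjust for a real deployment.

```python
"""Detect a Squid intercept self-forwarding loop from config and debug-log text.

Added example, not part of the mailing-list post. The sample input below is
constructed from the lines quoted in the thread.
"""
import re

# ORIGINAL_DST line as written by peer_select.cc in the posted debug output.
ORIG_DST_RE = re.compile(
    r"peerSelectDnsPaths: ORIGINAL_DST = local=(?P<local>\S+) "
    r"remote=(?P<rhost>\[?[0-9a-fA-F.:]+\]?):(?P<rport>\d+)"
)
# Header line inside a dumped "HTTP Server REQUEST:" block.
XFF_RE = re.compile(r"^X-Forwarded-For:\s*(?P<chain>.*?)\s*$", re.M)
# http_port / https_port directives that carry the 'intercept' flag.
PORT_RE = re.compile(
    r"^\s*https?_port\s+(?:\S+:)?(?P<port>\d+)\b.*\bintercept\b", re.M
)


def intercept_ports(config_text):
    """Return the set of ports on which squid.conf declares an intercept listener."""
    return {int(m.group("port")) for m in PORT_RE.finditer(config_text)}


def xff_hops(chain):
    """Number of non-empty entries in an X-Forwarded-For value."""
    return len([h for h in chain.split(",") if h.strip()])


def find_loop_indicators(log_text, own_ports, own_hosts=("127.0.0.1", "::1"),
                         max_hops=3):
    """Scan debug-log text for signs the proxy is forwarding to itself.

    own_ports: intercept listener ports (from intercept_ports()).
    own_hosts: addresses the proxy itself answers on (assumed; add the box's
               real IPs in a deployment).
    max_hops:  longest X-Forwarded-For chain considered normal (assumed).
    Returns a list of (kind, detail) tuples.
    """
    findings = []
    for m in ORIG_DST_RE.finditer(log_text):
        host = m.group("rhost").strip("[]")
        port = int(m.group("rport"))
        # Original destination is one of our own intercept listeners: the
        # request was not NATed to us, it was sent to us directly.
        if port in own_ports and host in own_hosts:
            findings.append(("self_forward", f"{host}:{port}"))
    for m in XFF_RE.finditer(log_text):
        hops = xff_hops(m.group("chain"))
        # Each pass through the proxy appends one entry; a long chain of the
        # same address is the loop visible in the post.
        if hops > max_hops:
            findings.append(("xff_growth", hops))
    return findings


# Constructed sample input, shaped after the config and log lines in the thread.
SAMPLE_CONFIG = """\
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on
http_port 3129 intercept
"""

SAMPLE_LOG = """\
2015/03/10 13:07:47.028 kid1| peer_select.cc(294) peerSelectDnsPaths: ORIGINAL_DST = local=0.0.0.0 remote=127.0.0.1:3129 flags=1
2015/03/10 13:07:47.029 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:
GET / HTTP/1.1
Host: www.bt.dk
X-Forwarded-For: 127.0.0.1, 127.0.0.1
2015/03/10 13:07:47.031 kid1| http.cc(2220) sendRequest: HTTP Server REQUEST:
GET / HTTP/1.1
Host: www.bt.dk
X-Forwarded-For: 127.0.0.1, 127.0.0.1, 127.0.0.1, 127.0.0.1
"""

if __name__ == "__main__":
    ports = intercept_ports(SAMPLE_CONFIG)
    for kind, detail in find_loop_indicators(SAMPLE_LOG, ports):
        print(f"{kind}: {detail}")
```

Run against a real cache.log, a `self_forward` hit means the intercept port is receiving connections that were never redirected by the firewall, so `ORIGINAL_DST` is the proxy itself; the fix is on the NAT side (only redirected traffic should reach an intercept port), and keeping `via on` lets Squid abort such loops on its own instead of relying on an external check.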