
Forward loop when intercepting mode to proxy traffic to local VM

Hey all,

Thanks to a bizarre client requirement (don't ask, it's head-hurty), I am required to maintain a legacy server which only supports obsolete SHA-1 encryption. To keep things relatively safe, I'm attempting to contain the problem within a VM and use Squid on the VM's host to "re-encrypt" incoming traffic.

That is:
Outside world talks SHA2 to Squid; Squid internally talks SHA1 to the VM; Squid gets the response from the VM and passes it along (re-encrypting it to SHA2).

At least, that's the idea. But forget about SSL/encryption for the moment; I can't even get this concept working with plain old unencrypted HTTP.

The VM is running locally, and accessible via host-only networking on 192.168.1.101. I set up a local /etc/hosts alternative JUST for Squid's use, which tells Squid that "myhost.mydomain.com" is actually 192.168.1.101. Yet Squid seems to be ignoring this. Incoming requests for http://myhost.mydomain.com/ throw a standard Squid "Access Denied." page. cache.log reveals the presence of a forward loop:

-------
2016/06/22 06:48:47 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: myhost.mydomain.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: */*
Referer: http://myhost.mydomain.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Via: 1.1 myhost (squid/3.4.8)
X-Forwarded-For: 1.2.3.4
Cache-Control: no-cache
Connection: keep-alive


2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
-------

access.log, meanwhile, reports:

1466592527.367 0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367 0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html

(Here, "5.6.7.8" is the EXTERNAL IP address of the VM host-- i.e., the actual "outside world" IP of myhost.mydomain.com, as opposed to the internal-only 192.168.1.101 which it should be translated into. "1.2.3.4" is the IP of my workstation running my Web browser.)

Below is the ENTIRE text of my /etc/squid3/squid.conf; at one point in this process, I got so frustrated that I pared it down to the absolute minimum.

---
hosts_file /etc/squid3/squid_hosts
always_direct allow all
cache deny all
acl FROM_ALL src all
acl TO_LOCAL dst 127.0.0.1
acl TO_LOCAL dst 192.168.1.101
http_access allow FROM_ALL
http_access allow TO_LOCAL
http_access deny all
http_port 80 intercept
---

I've been bashing my head against this problem all evening to no effect. I am fairly sure I could simply solve my problem by writing a minuscule proxy script in PHP, Perl or Python, and using Apache's mod_rewrite rules to point all incoming Web requests through said proxy script. But I'd really rather not "re-invent the wheel"; I'd really rather use Squid.

Any help would be very much appreciated!

Best,

Jessica
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
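The loop in the message above is visible in the logs themselves: the proxy's own public address (5.6.7.8) shows up as the ORIGINAL_DST peer of one access.log entry and as the client of the next, and the Via header in cache.log names the proxy. The following Python is an added example, not part of the original post or of Squid, that parses native-format access.log lines and flags both symptoms; SELF_ADDRS and SELF_HOSTNAME are constructed stand-ins for the proxy's real addresses and unique_hostname, and the third log line is a constructed non-looping request for contrast.

```python
"""Flag forward-loop symptoms in Squid logs (constructed sample data)."""
import re
from dataclasses import dataclass

# Addresses and hostname the proxy itself answers on (constructed stand-ins;
# take the real ones from the host's interfaces and squid.conf).
SELF_ADDRS = {"5.6.7.8", "127.0.0.1"}
SELF_HOSTNAME = "myhost"

# Constructed access.log lines in Squid's native format:
# time elapsed client result/status bytes method url user hier/peer type
ACCESS_LOG = """\
1466592527.367 0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367 0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html
1466592530.101 12 1.2.3.4 TCP_MISS/200 512 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
"""

@dataclass
class Entry:
    client: str
    status: int
    method: str
    url: str
    hier: str   # hierarchy code, e.g. ORIGINAL_DST, HIER_DIRECT, HIER_NONE
    peer: str   # next-hop address, or "-" when the request went nowhere

def parse_access_line(line: str) -> Entry:
    """Split one native-format access.log line into its named fields."""
    f = line.split()
    hier, _, peer = f[8].partition("/")
    return Entry(client=f[2], status=int(f[3].split("/")[1]), method=f[5],
                 url=f[6], hier=hier, peer=peer)

def loop_reasons(e: Entry, self_addrs: set) -> list:
    """Why an entry looks like the proxy talking to itself (empty if it doesn't)."""
    reasons = []
    if e.peer in self_addrs:          # routed to our own address (intercept ORIGINAL_DST)
        reasons.append(f"next hop {e.hier}/{e.peer} is this proxy")
    if e.client in self_addrs:        # the looped-back copy of the same request
        reasons.append(f"client {e.client} is this proxy")
    return reasons

def find_loops(log: str, self_addrs: set) -> list:
    """Return (url, reasons) for every access.log line that shows loop symptoms."""
    flagged = []
    for line in filter(str.strip, log.splitlines()):
        e = parse_access_line(line)
        reasons = loop_reasons(e, self_addrs)
        if reasons:
            flagged.append((e.url, reasons))
    return flagged

VIA_RE = re.compile(r"^Via:\s*(.+)$", re.IGNORECASE | re.MULTILINE)

def via_lists_self(headers: str, hostname: str) -> bool:
    """True if a Via hop names this proxy; the Via header is what Squid itself checks."""
    m = VIA_RE.search(headers)
    hops = m.group(1).split(",") if m else []
    return any(h.split()[1] == hostname for h in hops if len(h.split()) >= 2)
```

Run against a live access.log, `find_loops` should return nothing for a correctly routed reverse proxy; any hit with ORIGINAL_DST pointing at the proxy's own address means intercept mode is using the original destination rather than the hosts_file mapping.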



