On 27.11.18 08:33, Phillip McCollum wrote:
> I have a deployment in AWS where a VPC has a transparent proxy deployed,
> which forwards 80/443 requests to a parent proxy in another VPC, which I
> then need to forward to another parent proxy (SaaS provider). Essentially:
>
> [[Client PC]] --> [[Squid Proxy (10.52.0.20)]] --> [[Parent Squid Proxy (10.52.0.168)]] --> [[Parent SaaS Proxy]]
>
> This is being done to centralize proxy functions and limit the number of
> public IPs that the parent SaaS needs to whitelist.
>
> I'm getting "Access Denied" messages and a review of Squid Parent proxy
> access.log shows the following common errors:
>
> HTTP:
>
> 2018/11/27 16:22:54 kid1| WARNING: Forwarding loop detected for:
> GET / HTTP/1.1
> Accept: text/html, application/xhtml+xml, image/jxr, */*
> Accept-Language: en-US
> User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
> Accept-Encoding: gzip, deflate
> Cookie: B=8nra62ldvb83a&b=3&s=ik
> Via: 1.1 squid (squid/3.5.27)

What are the names of your proxies? You must set a different visible_name or at
least unique_name so the proxy knows it's not contacting itself.

> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3129
>     0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130
>    35  2100 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 redir ports 3031

The intercepting (often called transparent) proxy must have direct access to
the world or the parent proxy. Redirecting it back will create a loop.

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
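
The two causes named in the reply (proxies sharing one name, and intercepted traffic being redirected back to the proxy that sent it) both surface through the Via header shown in the quoted log. The following is an added example, not part of the thread and not Squid's own code: a simplified Python model that assumes a proxy reports a forwarding loop when its own name is already listed in Via. The names edge-proxy and hub-proxy are made up for the illustration.

```python
# Simplified model of Via-based forwarding-loop detection. Assumption: a proxy
# flags a loop when its own name already appears as a received-by entry in Via.
from dataclasses import dataclass


def via_hosts(via: str) -> list[str]:
    """Return the received-by names from a Via header value."""
    hosts = []
    for entry in via.split(","):
        parts = entry.split("(", 1)[0].split()  # drop the "(squid/3.5.27)" comment
        if len(parts) >= 2:                      # "<protocol-version> <received-by>"
            hosts.append(parts[1].lower())
    return hosts


@dataclass
class Proxy:
    name: str                      # name this proxy writes into Via
    version: str = "squid/3.5.27"  # version string as seen in the quoted log

    def handle(self, via: str) -> tuple[bool, str]:
        """Return (loop_detected, Via value sent to the next hop)."""
        loop = self.name.lower() in via_hosts(via)
        mine = f"1.1 {self.name} ({self.version})"
        new_via = f"{via}, {mine}" if via else mine
        return loop, new_via


def run_chain(proxies: list[Proxy]) -> list[bool]:
    """Pass one request through the proxies in order; return each hop's verdict."""
    via, verdicts = "", []
    for proxy in proxies:
        loop, via = proxy.handle(via)
        verdicts.append(loop)
    return verdicts


# Constructed scenarios.
same_name = run_chain([Proxy("squid"), Proxy("squid")])          # child -> parent, shared name
distinct = run_chain([Proxy("edge-proxy"), Proxy("hub-proxy")])  # child -> parent, unique names
edge = Proxy("edge-proxy")
redirected_back = run_chain([edge, edge])  # proxy's own outbound request re-intercepted

if __name__ == "__main__":
    print("same name:      ", same_name)
    print("distinct names: ", distinct)
    print("redirected back:", redirected_back)
```

The third scenario still reports a loop with a unique name, because the request really does return to the proxy that already handled it.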