On 05/11/2019 11:07, Nick Howitt wrote:
On 05/11/2019 10:44, Amos Jeffries wrote:
On 5/11/19 10:40 pm, Nick Howitt wrote:
I am trying to help someone who is running squid-3.5.20-12 on a
standalone server with the dansguardian content filter and suddenly
recently has been getting a lot of messages like:
2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
HEAD / HTTP/1.0
Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 10.10.1.2
Host: 10.10.1.2:8080
The access log looks something like:
1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
(but these are for different transactions - they are all the same apart
from the timestamps)
That is what a forwarding loop looks like in the access.log.
The content filter listens on port 8080 and squid on 3128. The machine
is on 10.10.1.2
All the other posts I've seen seem to be for transparent mode or where
there is a User Agent string. I have found nothing to cover this
scenario. How can I troubleshoot to fix it and what information do you
need from me to help diagnose?
Something is telling Squid the origin server being contacted exists at
10.10.1.2:8080. You can see that in the Host header of the message.
I would trace the traffic flow from the client to Squid.
But isn't everything coming to 8080 as that is the proxy you'd set up
in the browser? I'm afraid I don't understand how proxying works at
the packet level. I see nothing before these messages to indicate the
packets are coming from elsewhere. A cut down startup log looks like:
<snip>
2019/10/31 13:47:40 kid1| helperOpenServers: Starting 5/5
'ext_unix_group_acl' processes
2019/10/31 13:47:40 kid1| HTCP Disabled.
2019/10/31 13:47:40 kid1| Finished loading MIME types and icons.
2019/10/31 13:47:40 kid1| Accepting HTTP Socket connections at
local=[::1]:3128 remote=[::] FD 2021 flags=9
2019/10/31 13:47:40 kid1| Accepting HTTP Socket connections at
local=127.0.0.1:3128 remote=[::] FD 2022 flags=9
2019/10/31 13:47:40 kid1| Accepting HTTP Socket connections at
local=10.10.1.2:3128 remote=[::] FD 2023 flags=9
2019/10/31 13:48:12 kid1| WARNING: Forwarding loop detected for:
HEAD / HTTP/1.0
Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 10.10.1.2
Host: 10.10.1.2:8080
2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
HEAD / HTTP/1.0
Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 10.10.1.2
Host: 10.10.1.2:8080
Is there anything I can look for in my logs or do I need to do some
sort of tcpdump with some filters?
Thanks,
Nick
At the moment the wpad file is not pointing to the proxy server so no
machines should be using it. I have tried a:
tcpdump -vvvnnn -A -i eth0 port 8080 -s 1500
This gives me bursts of:
07:50:47.569305 IP (tos 0x0, ttl 128, id 56718, offset 0, flags
[DF], proto TCP (6), length 52)
10.10.11.215.64857 > 10.10.1.2.8080: Flags [S], cksum 0x389b
(correct), seq 625662051, win 64240, options [mss 1460,nop,wscale
8,nop,nop,sackOK], length 0
E..4..@....H
..
...Y..%J.c........8...............
07:50:47.569419 IP (tos 0x0, ttl 64, id 7161, offset 0, flags [DF],
proto TCP (6), length 40)
10.10.1.2.8080 > 10.10.11.215.64857: Flags [R.], cksum 0x744b
(correct), seq 0, ack 1, win 0, length 0
E..(..@.@...
..
.....Y....%J.dP...tK..
From what I've researched so far there are no http headers in these
packets. The proxy is 10.10.1.2. Does this mean 10.10.11.215 could be
the offending machine if no other machines should be using the proxy? Or
do I need to do something cleverer with my tcpdump?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
