Re: Another "Forwarding loop detected" issue

[Nick Howitt <nick@xxxxxxxxxxxxx>]

On 06/11/2019 09:39, Matus UHLAR - fantomas wrote:
> > > > On 5/11/19 10:40 pm, Nick Howitt wrote:
> > > > > I am trying to help someone who is running squid-3.5.20-12 on a
> > > > > standalone server with the dansguardian content filter and suddenly
> > > > > recently has been getting a lot of messages like:
> > > > >
> > > > >     2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
> > > > >     HEAD / HTTP/1.0
> > > > >     Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
> > > > >     Cache-Control: max-age=259200
> > > > >     Connection: keep-alive
> > > > >     X-Forwarded-For: 10.10.1.2
> > > > >     Host: 10.10.1.2:8080
> > > > >
> > > > >
> > > > > The access log looks something like:
> > > > >
> > > > >     1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
> > > > >     http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
> > > > >     1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
> > > > >     http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
> > > > >     1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
> > > > >     http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
> > > > >
> > > > > (but these are for different transactions - they are all the same 
> > > > > apart
> > > > > from the timestamps)
>
>
> > > On 05/11/2019 10:44, Amos Jeffries wrote:
> > > > That is what a forwarding loop looks like in the access.log.
>
> > > > > The content filter listens on port 8080 and squid on 3128. The 
> > > > > machine
> > > > > is on 10.10.1.2
>
> \On 05.11.19 12:57, Nick Howitt wrote:
> > At the moment the wpad file is not pointing to the proxy server so no 
> > machines should be using it. I have tried a:
> >
> >   tcpdump -vvvnnn -A -i eth0 port 8080 -s 1500
> >
> >
> > This gives me bursts of:
> >
> >   07:50:47.569305 IP (tos 0x0, ttl 128, id 56718, offset 0, flags
> >   [DF], proto TCP (6), length 52)
> >        10.10.11.215.64857 > 10.10.1.2.8080: Flags [S], cksum 0x389b
>
> > From what I've researched so far there are no http headers in these 
> > packets. The proxy is 10.10.1.2. Does this mean 10.10.11.215 could be 
> > the offending machine if no other machines should be using the proxy? 
> > Or do I need to do something cleverer with my tcpdump?
>
> I don't think so.
>
> How does your schema look like?
> How does your content filter work?
>
> The logs above show that someone from local machins (content-filter) is
> using squid to access local machine port 8080, which should be your 
> content
> filter.
> That looks much like a loop, connections from squid or content filter 
> that
> are going back to content filter via squid
The set up is eth0 (10.10.1.2:8080) -> Content filter (dansguardian) -> 
Squid (port 3128) -> eth0 -> gateway

If what you are saying is right then a firewall rule blocking source 
10.10.1.2 to 10.10.1.2:8080 may work. I am not sure if it would be in 
the FORWARD or INPUT chain and I don't know if it would cause collateral 
damage. It also does not explain why only recently it started going 
wrong. The machine has been rebuilt now and I am waiting for it to 
trigger again, upgrading from ClearOS6.x (a Centos derivative) to 
ClearOS 7.6 (which will soon update to 7.7).

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users