Re: [squid-users] Forwarding loop detected issue

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 5 Feb 2009 13:29:05 +1300 (NZDT)

>
> Hi Amos,
>
> Thanks for your reply. I'll try to explain better what I'm trying to do
> here.
>
> | You don't appear to have a:
> | Squid1->DG->Squid2 setup
> |
> | you do appear to have a:
> | Squid1 -> Internet or DG -> Squid1 -> Internet setup.
> |
> | Is there any particular reason you need to have two squid?
> | The current feedback config appears to be needlessly complicated for any
> | use I can think of right now for having two instances of squid running.
>
> In the scenario DG(port 8081) --> Squid(port 3128)
> Clients are using the proxy on proxy_ip:8081
>
> Since Dansguardian can't handle NTLM auth, if I don't use 2 Squid instances
> then it will show on the DG access log only the IP of the client and not
> the username.
>
> DG access log will look like this (only IP is logged):
> 2009.2.4 15:12:01 - 192.168.20.11 http://adimgs.sapo.pt/2009/odisseias/massagem.jpg *SCANNED* GET 1956
>
> and on the Squid access log it will always show the localhost since the
> connection comes from DG:
> 1233760323.286 8 127.0.0.1 TCP_MISS/200 1597 GET http://h.s.sl.pt/pub/botao.html?rand=&tile=36871 - DIRECT/213.13.146.180 text/html
>
> This would prevent me from doing reports on users' usage and, I think,
> from using delay pools.

I would have thought Squid->DG->Internet would be sufficient to meet those
needs. With the front squid doing cache+auth of stuff that gets past the
DG filtering. (and DG doing less work on cacheable things it's already
scanned once).
Oh well. Let's get rid of your loop anyways.

>
> In the scenario Squid1(port 3128 for ntlm_auth) -> DG(port 8081) -->
> Squid2(port 8080 for cache)
> Clients are using the proxy on proxy_ip:3128
>
> DG access log will look like this (now user and IP are logged):
> 2009.2.4 16:01:12 rnuno 192.168.20.11 http://imgs.sapo.pt/images/footer/pt.gif *SCANNED* GET 804
>
> and on the Squid access log:
> 1233763558.911 0 192.168.20.11 TCP_DENIED/407 2169 GET http://cache02.stormap.sapo.pt/vidstore02/thumbnais/66/91/02/15666_eDQus.jpg - NONE/- text/html
> 1233763558.917 21 127.0.0.1 TCP_MISS/200 2860 GET http://cache01.stormap.sapo.pt/vidstore02/thumbnais/05/64/67/ma_swing.jpg - DIRECT/212.55.154.131 image/jpeg
>
> So basically this setup is working in a way that allows me to do my
> reports and use delay pools, but the error keeps appearing in my log. I
> thought that I was doing something wrong on the cache_peer line.
>
> 2009/02/04 16:09:15| WARNING: Forwarding loop detected for:
> Client: 127.0.0.1 http_port: 127.0.0.1:8080
> GET http://cache03.stormap.sapo.pt/vidstore03/thumbnais/57/ed/03/731347_L4An1.jpg HTTP/1.0
> Accept: */*
> Referer: http://videos.sapo.pt/
> Accept-Language: en-US
> UA-CPU: x86
> Accept-Encoding: identity,gzip,deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
> Host: cache03.stormap.sapo.pt
> Cookie: _swa_v=158287575757761020; _swa_uv=3752565023748371500
> Via: 1.1 squid-ntml:8080 (squid/2.7.STABLE3)
> X-Forwarded-For: 192.168.20.11
> Proxy-Authorization: Basic cm51bm86bm9wYXNzd29yZA==
> Cache-Control: max-age=259200
> X-Forwarded-For: 192.168.20.11
>
> I made some changes according to your advice but I still get the error. Do
> you have any suggestion on how to fix it, or maybe another way to do what
> I want?
>
> Below are the conf files I'm using now.
>
> Thank you once more.
>
> regards,
> -- Ricardo
>
>
>
> My changes in dansguardian.conf:
> filterip = 127.0.0.1
> filterport = 8081
> proxyip = 127.0.0.1
> proxyport = 8080
> usernameidmethodproxyauth = on

Great, DG goes (DG):8081 -> (Squid2):8080

>
> # SQUID.CONF
> # -----------------------------------------------------------------------------
> unique_hostname squid-cache
> http_port 8080
>

This is Squid2 then?

> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> cache_mem 1024 MB
> maximum_object_size 8096 KB
>
> cache_dir ufs /cache/squid 20000 16 256
> access_log /var/log/squid/access.log squid
>
> cache_peer 127.0.0.1 parent 8081 0 no-digest no-netdb-exchange name=squid-cache no-query login=*:nopassword
>
> acl localhost src 127.0.0.1
> #cache_peer_access squid-cache deny localhost
>

NP: Squid2 in your setup must NOT do any peering. Remember this is the
EXIT. All access is direct to the Internet. Its one and only client is
DG.

> include /etc/squid/squid-ntml.conf

Don't include any unique stuff into both configs.
If you need usernames logged at Squid2 at all use the fakeauth helper and
LoggingOnly setup on that squid:
 http://wiki.squid-cache.org/ConfigExamples/Authenticate/LoggingOnly

>
> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl NTLMUsers proxy_auth REQUIRED
> acl rede_interna src 192.168.20.0/24
> acl h_trabalho time MTWHF 08:00-18:00
> acl downloads url_regex -i .exe .mp3 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .iso
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost
> http_access allow NTLMUsers
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> coredump_dir /var/spool/squid
>
>
> # SQUID-NTML.CONF
> # -----------------------------------------------------------------------------
>
> unique_hostname squid-ntml
> http_port 3128
>

This is Squid1, right?

_this_ is the config which needs to contain the cache_peer settings
pointing at DG as a parent, using "never_direct allow all", and the local
network ranges that are allowed as clients etc.
The INPUT acts like a funnel, taking everything and forcing it down to a
single stream through to DG.
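As an added illustration of the layout described above (not configuration posted in this thread), here are the relevant lines for each instance, reusing the names, ports and paths from the posted files; the peer name `dg` is an assumption, and the "Recommended minimum configuration" ACLs from the posted squid.conf are omitted for brevity but should be kept.

```conf
# --- Squid1 / squid-ntml.conf: the INPUT funnel on port 3128 ---
# Clients point at proxy_ip:3128. This is the only instance that authenticates.
unique_hostname squid-ntml
http_port 3128
cache_dir null /dev/null
pid_filename /var/run/squid-ntml.pid

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm keep_alive on

acl rede_interna src 192.168.20.0/24
acl NTLMUsers proxy_auth REQUIRED
http_access allow rede_interna NTLMUsers
http_access deny all

# DG is the one and only parent; nothing leaves Squid1 directly.
# login=*:nopassword hands the authenticated username to DG as Basic
# credentials, which is what usernameidmethodproxyauth = on reads.
# "dg" is an assumed peer name.
cache_peer 127.0.0.1 parent 8081 0 no-query no-digest no-netdb-exchange name=dg login=*:nopassword
never_direct allow all

# --- Squid2 / squid.conf: the EXIT cache on port 8080 ---
# Its only client is DG on 127.0.0.1; it goes direct and peers with nobody.
unique_hostname squid-cache
http_port 127.0.0.1:8080
cache_dir ufs /cache/squid 20000 16 256
cache_mem 1024 MB
maximum_object_size 8096 KB
access_log /var/log/squid/access.log squid

acl localhost src 127.0.0.1
http_access allow localhost
http_access deny all

# Deliberately absent from Squid2:
#   cache_peer 127.0.0.1 parent 8081 ...   sends traffic back into DG, which
#                                           hands it to this same port: the loop
#   include /etc/squid/squid-ntml.conf     overrides unique_hostname with
#                                           squid-ntml, which is why the posted
#                                           warning shows "Via: 1.1 squid-ntml:8080"
```

Squid recognises a loop by finding its own unique_hostname in the Via header, so the two instances must keep distinct names as well as distinct ports.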

> cache_dir null /dev/null
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Moonlight Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> pid_filename /var/run/squid-ntml.pid
>
Received on Thu Feb 05 2009 - 00:29:10 MST
