[squid-users] Squid 3.4.8 - Forwarding loop detected - Squid doesn't forward request to outside

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 15 11:12:32 UTC 2015


On 15/04/2015 10:21 p.m., Keyvan Hedayati wrote:
> Hi
> I'm having trouble setting a transparent proxy in our network.
> For testing I've asked our net admin to transparently forward all of my
> http traffic to squid port but when I try to open a page I get *Access
> Denied* error and a warning about Forwarding loop.
> As you can see in tcpdump squid sends request to its machine and not to
> outside and I've no idea why this happens.
> Can you help me with this? I feel like I'm missing something tiny here.
> 
> Squid box: 172.16.1.5
> My box: 192.168.10.122
> 
> Thanks
> 
> -------------------- tcpdump -ntAi any port ! 22
> IP 192.168.10.122.59550 > 172.16.1.5.3128: Flags [S], seq 1494863721, win
> 29200, options [mss 1460,sackOK,TS val 5421406 ecr 0,nop,wscale 7], length 0

Where's the origin server IP?

 google.com:80 != 172.16.1.5:3128

If you are performing NAT on a machine other than the Squid box you are
guaranteed to get this type of forwarding loop.


One of these almost identical configs is the correct Squid box config
for you:
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect>
 <http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat>

DNAT is best if you have static IPs in a high-performance situation,
REDIRECT if you have DHCP assigned / dynamic proxy IPs or are unsure
what the final machine IP will be (i.e. plug-n-play proxy device).


You also need the router changed to *route* the packets to the Squid
machine without NAT'ing them in any way. There may be other devices
along the packet path needing updates to handle the new route properly;
your sysadmin should know what to do about all that.

Amos
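
The check this reply implies, as an added example that is not part of the original thread or the Squid project: it reads `tcpdump -n` lines captured on the Squid box and labels each initial SYN by whether the destination is still the origin server (routed) or already the proxy's own address (NAT'ed upstream, the case that produces the forwarding loop). The function name, the verdict labels and every sample line except the first are assumptions made for this illustration.

```python
import re

# Address pair and flags of a `tcpdump -n` IPv4 TCP line:
#   IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
LINE_RE = re.compile(
    r"^IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def classify_syns(lines, proxy_ip, intercept_port):
    """Classify each initial SYN seen on the proxy box.

    Returns a list of (verdict, src_ip, "dst_ip:dport") tuples.
    """
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["flags"] != "S":  # skip non-TCP lines and SYN-ACKs ("S.")
            continue
        to_proxy_port = m["dst"] == proxy_ip and int(m["dport"]) == intercept_port
        if m["src"] == proxy_ip:
            # Squid's own outbound connection: aimed at itself means a loop.
            verdict = "self-connect" if to_proxy_port else "outbound"
        elif to_proxy_port:
            # Destination was rewritten before the packet arrived here.
            verdict = "nat-upstream"
        elif m["dst"] != proxy_ip:
            # Origin server address intact: packet was routed, not NAT'ed.
            verdict = "routed"
        else:
            verdict = "other"
        results.append((verdict, m["src"], f'{m["dst"]}:{m["dport"]}'))
    return results


# First line is the SYN from the post (unwrapped, options trimmed); the rest are constructed.
SAMPLE = [
    "IP 192.168.10.122.59550 > 172.16.1.5.3128: Flags [S], seq 1494863721, win 29200, length 0",
    "IP 172.16.1.5.3128 > 192.168.10.122.59550: Flags [S.], seq 1, ack 1494863722, length 0",
    "IP 172.16.1.5.40112 > 172.16.1.5.3128: Flags [S], seq 7, win 43690, length 0",
    "IP 192.168.10.122.59552 > 203.0.113.10.80: Flags [S], seq 9, win 29200, length 0",
]

if __name__ == "__main__":
    for verdict, src, dst in classify_syns(SAMPLE, "172.16.1.5", 3128):
        print(f"{verdict:13} {src} -> {dst}")
```

A "routed" verdict assumes the capture is taken on the Squid box itself, where tcpdump sees the packet before the local REDIRECT/DNAT rule rewrites it.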


