[squid-users] Squid versions and FreeBSD-10.1 headache

Odhiambo Washington odhiambo at gmail.com
Fri Jan 23 14:11:48 UTC 2015


On 23 January 2015 at 16:53, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
> > On 23 January 2015 at 16:40, Amos Jeffries <squid3 at treenet.co.nz>
> > wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>
> >> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> >>> On 23 January 2015 at 16:07, Amos Jeffries
> >>> <squid3 at treenet.co.nz> wrote:
> >>>
> >>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
> >>>>
> >>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> >>>>>
> >>>>> Once more. You CANNOT have neither web-server nor other
> >>>>> service with listening port 80 on the same host as
> >>>>> transparent Squid proxy. This is one and only reason you
> >>>>> have looping.
> >>>>>
> >>>>
> >>>> That is not correct. It can be done, but depends on how the
> >>>> firewall operates and what ruleset is used.
> >>>>
> >>>> One has to intercept traffic transiting the machine, but
> >>>> ignore traffic destined *to* or *from* the local machines
> >>>> running processes.
> >>>>
> >>>>> Look. On my transparent 3.4.11 (which was early 2.7)
> >>>>> IPFilter redirects 80 port to proxy. My web server on the
> >>>>> same host listens only 8080, 8088 and 8888 ports. No one
> >>>>> service except NAT is using 80 port.
> >>>>>
> >>>>> And finally I have no looping 4 years.
> >>>>>
> >>>>> Obvious, is it?
> >>>>>
> >>>>
> >>>> Maybe there was, maybe there wasn't.
> >>>>
> >>>> Squid-2.7 ignored a lot of NAT related errors and even
> >>>> silently did some Very Bad Things(tm) - none of which
> >>>> Squid-3.2+ will allow to happen anymore.
> >>>>
> >>>>
> >>>> Odhiambo: I suspect it might be related to your use of "rdr"
> >>>> firewall rules. In OpenBSD PF at least rdr rules do not work
> >>>> properly and divert-to rules needs to be used instead
> >>>> (divert-to can be used for either TPROXY or NAT Squid
> >>>> listening ports on BSD).
> >>>>
> >>>
> >>>
> >>> I am thinking Squid-3.2+ is evil :-)
> >>>
> >>> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And
> >>> my IPFilter rules are here: http://pastebin.com/JQ77X01H
> >>>
> >>> I need to figure out why squid is DENYing all access ..
> >>>
> >>
> >> Can you update me on what the squid -v output is from the Squid
> >> build you are having issues with please?
> >>
> >> Amos
> >>
> >
> > root at mail:/usr/src # /opt/squid35/sbin/squid -v
> > Squid Cache: Version 3.5.1-20150120-r13736
> > Service Name: squid
> > configure options:  '--prefix=/opt/squid35' '--enable-removal-policies=lru heap'
> > '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
> > '--enable-external-acl-helpers=session unix_group file_userip'
> > '--enable-auth-negotiate=kerberos' '--with-pthreads'
> > '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools' '--enable-snmp'
> > '--with-openssl=/usr' '--enable-forw-via-db' '--enable-cache-digests'
> > '--enable-wccpv2' '--enable-follow-x-forwarded-for' '--with-large-files'
> > '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
> > '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl'
> > '--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers'
> > '--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos'
> > '--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
> > --enable-ltdl-convenience
> >
>
> Okay. Can you explicitly add --disable-ipf-transparent
> --disable-ipfw-transparent and see if that helps.
>
> Also in squid.conf adding debug_options ALL,1 89,9 will show just
> the NAT lookup results where things are going wrong.
>

So, before I recompile, we can look at the debug output:

2015/01/23 17:07:45| storeLateRelease: released 0 objects
2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 17:07:49.179| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.254:39850
2015/01/23 17:07:49.179| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.254:39850 FD 18 flags=33
2015/01/23 17:07:49.179| WARNING: Forwarding loop detected for:
GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Hose6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT
Range: bytes=3436183-3841157
User-Agent: Microsoft BITS/7.5
Host: cache.pack.google.com
Via: 1.1 aardvark (squid)
X-Forwarded-For: 192.168.2.115
Cache-Control: max-age=259200
Connection: keep-alive

2015/01/23 17:07:49.260| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58634
2015/01/23 17:07:49.260| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58634 FD 14 flags=33
2015/01/23 17:07:49.260| WARNING: Forwarding loop detected for:
GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Hose6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT
Range: bytes=3436183-3841157
User-Agent: Microsoft BITS/7.5
Host: cache.pack.google.com
Via: 1.1 aardvark (squid)
X-Forwarded-For: 192.168.2.115
Cache-Control: max-age=259200
Connection: keep-alive

2015/01/23 17:07:49.350| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58636
2015/


So there must be a way to deal with this loop in PF.

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
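
An added example, not from this thread and not the poster's pastebin rulesets: a pf.conf fragment for FreeBSD 10.x showing the rule shape Amos describes above, redirecting only port-80 traffic that transits the box while leaving the proxy host's own outbound connections alone. The interface names, the LAN prefix and the 13128 intercept port are assumptions; the weak rule is kept, commented out, beside the corrected one.

```pf
# Added example (not from the thread or the Squid project). FreeBSD 10.x pf,
# pre-OpenBSD-4.7 syntax (rdr / no rdr). Names below are assumptions.
int_if          = "em1"              # LAN-facing interface (assumed)
ext_if          = "em0"              # Internet-facing interface (assumed)
lan_net         = "192.168.2.0/24"   # LAN clients (assumed)
squid_intercept = "13128"            # squid.conf: http_port 13128 intercept

# --- weak rule: any port-80 TCP packet, no interface, no source restriction -
# Packets the proxy host itself originates can be matched too, so Squid's own
# fetch of the origin server is sent back into its intercept port and Squid
# logs "Forwarding loop detected" with remote=<the proxy's own address>.
# rdr pass proto tcp from any to any port 80 -> 127.0.0.1 port $squid_intercept

# --- corrected rules -------------------------------------------------------
# Translation rules are evaluated first-match, so the exemptions come first:
# never redirect anything sourced from one of the proxy host's own addresses.
no rdr proto tcp from ($int_if) to any port 80
no rdr proto tcp from ($ext_if) to any port 80

# Only traffic transiting the box: inbound on the LAN interface, from a LAN
# client, and not addressed to the proxy host itself (a web server bound to
# port 80 on this host is therefore still reachable). Connections Squid
# opens itself never arrive *in* on $int_if, so this rule cannot see them.
rdr pass on $int_if inet proto tcp from $lan_net to ! ($int_if) port 80 \
    -> 127.0.0.1 port $squid_intercept

# Filter section: let the proxy's own upstream fetches out.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state
```

In pf.conf the translation rules (rdr, no rdr) have to sit before the filter rules, and pfctl -nf /etc/pf.conf parses the file without loading it, which is worth running before pfctl -f. One further thing to check with an rdr ruleset: Squid 3.5's PF interception code only asks /dev/pf for the original destination when it was built with --with-nat-devpf; a build without that option takes the "address NAT divert-to" path that appears in the cache.log excerpt above and trusts getsockname(), which is only correct for OpenBSD-style divert-to rules. The squid -v output quoted earlier in this message does not list that option.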