[squid-users] squid "internal?" loop - with no firewall nat going on..?

Klavs Klavsen kl at vsen.dk
Tue Mar 10 13:19:17 UTC 2015

Amos Jeffries wrote on 03/10/2015 01:50 PM:
> On 11/03/2015 1:29 a.m., Klavs Klavsen wrote:
>> Hi,
>> I just setup a squid trying to get it to work in intercept mode..
>> I seem to hit some squid internal loop where it goes haywire internally
>> somehow?
> You have explicitly configured Squid instructing it that traffic
> arriving on port 3129 has been intercepted.
> You then sent Squid a port-80 syntax message with TCP packet destination
> IP:port of
port 80 syntax?

> It is for this reason that all our interception tutorials state in bold
> that its a very good idea to firewall the 3129 port such that no
> software, even localhost may send traffic directly into it.

ahh.. I was hoping to have a loadbalancer in front of squid (haproxy) - 
to have failover, if squid server should fail..

I'm trying to read and understand:

when nat'ing - doesn't squid just get the rewritten package (which would 
have port 3129 in the tcp dest. port field?)

ie. how can it discern a package send directly to port 3129 - with data 
containing f.ex.:
GET / HTTP/1.1
Host: www.bt.dk

with one just sent directly to that port?

I seem to be failing to understand wherein the difference lies :(

I can see that one can choose to use GRE encapsulation - but that is 
stated to be optional..
Klavs Klavsen, GSEC - kl at vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer

More information about the squid-users mailing list