[squid-users] Squid with SMP, CARP and a forwarding loop

Mike.Hodgkinson at solnet.co.nz Mike.Hodgkinson at solnet.co.nz
Fri Oct 30 00:45:36 UTC 2015

I have been attempting to setup a squid forward proxy with one frontend 
and two backends as per configuration example 

My issue is that only the first attempt comes from the cache and then 
additional requests are downloaded direct by the frontend instead of from 
the backend caches. I suspect it is due to a detected forwarding loop 
which shows up in the logs:

2015/10/30 13:07:49.239 kid1| 44,3| peer_select.cc(137) peerSelect: 
2015/10/30 13:07:49.239 kid1| 20,3| store.cc(466) lock: peerSelect locked 
key 64AAA11C8DEF57153B10BA2C9D2F3D60 e:=XIWV/0x7f7bfee2e730*3
2015/10/30 13:07:49.240 kid1| 44,3| peer_select.cc(441) peerSelectFoo: GET
2015/10/30 13:07:49.240 kid1| 44,3| peer_select.cc(468) peerSelectFoo: 
peerSelectFoo: direct = DIRECT_YES (forwarding loop detected)
2015/10/30 13:07:49.240 kid1| 44,3| peer_select.cc(477) peerSelectFoo: 
peerSelectFoo: direct = DIRECT_YES
2015/10/30 13:07:49.240 kid1| 44,2| peer_select.cc(258) 
peerSelectDnsPaths: Find IP destination for:' via

I can force the backend caches to be used successfully with this option 
"never_direct allow all" however I would like to resolve the underlying 

I have no iptables configured on this server and have made sure the 
environment variable http_proxy is not set. Also I have tested this on 
Squid 3.4.8 and 3.5.10 on Debian.

My config is below:
debug_options = ALL,3
cachemgr_passwd eight22 all
acl localnet src
acl localnet src
acl localnet src
acl localnet src fe80::/10
acl squid_servers src
acl SSL_ports port 443          # https
acl SSL_ports port 8443         # Unifi/Non-standard https
acl SSL_ports port 5222         # Jabber
acl SSL_ports port 10000        # Webmin
acl SSL_ports port 10443        # Non-standard https
acl SSL_ports port 18080        # PMX
acl SSL_ports port 28443        # PMX
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
workers 3
if ${process_number} = 1
include /etc/squid/squid-frontend.conf
include /etc/squid/squid-backend.conf
http_access deny all
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

http_port 3128
http_port 3129 tproxy
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow localnet
http_access allow squid_servers
htcp_access allow squid_servers
htcp_access deny all
cache_peer parent 4002 0 carp login=PASS name=backend-kid2 
cache_peer parent 4003 0 carp login=PASS name=backend-kid3 
prefer_direct off
nonhierarchical_direct off
memory_replacement_policy heap LRU
cache_mem 2048 MB
access_log /var/log/squid3/frontend.access.log
cache_log /var/log/squid3/frontend.cache.log
visible_hostname frontend.cloud.solnet.nz

http_port 127.0.01:400${process_number}
http_access allow localhost
cache_mem 5 MB
cache_replacement_policy heap LFUDA
maximum_object_size 1 GB
cache_dir rock /cache/rock 20480 max-size=32768
cache_dir aufs /cache/${process_number} 20480 128 128 min-size=32769
visible_hostname backend${process_number}.cloud.solnet.nz
access_log /var/log/squid3/backend${process_number}.access.log
cache_log /var/log/squid3/backend${process_number}.cache.log

I did have visible_hostname set to backend.cloud.solnet.nz but that did 
not help either.

1446163673.780    491 TCP_MISS/200 756381 GET 
http://asylum-inc.net/WoT/2013-03-03_00006.jpg - CARP/ image/jpeg
1446163676.750   1580 TCP_MISS/200 756224 GET 
http://asylum-inc.net/WoT/2013-03-03_00006.jpg - HIER_DIRECT/ 
1446163681.498   3059 TCP_MISS/200 756224 GET 
http://asylum-inc.net/WoT/2013-03-03_00006.jpg - HIER_DIRECT/ 

Any assistance is appreciated.


Mike Hodgkinson
Internal Support Engineer

Mobile  +64 21 754 339
Phone  +64 4 462 5064
Email   mike.hodgkinson at solnet.co.nz

Solnet Solutions Limited
Level 12, Solnet House
70 The Terrace, Wellington 6011
PO Box 397, Wellington 6140


This email may contain information intended for the sole use of
the original recipient. Please respect this when sharing or
disclosing this email's contents with any third party. If you
believe you have received this email in error, please delete it
and notify the sender or postmaster at solnetsolutions.co.nz as
soon as possible. The content of this email does not necessarily
reflect the views of Solnet Solutions Ltd.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20151030/d5c378a9/attachment.html>

More information about the squid-users mailing list