[squid-users] Forward loop when intercepting mode to proxy traffic to local VM
jblank at twu.net
Wed Jun 22 11:13:56 UTC 2016
Hey all,
Thanks to a bizarre client requirement (don't ask, it's head-hurty), I am
required to maintain a legacy server which only supports obsolete SHA-1
encryption. To keep things relatively safe, I'm attempting to contain the
problem within a VM and use Squid on the VM's host to "re-encrypt"
incoming traffic.
That is:
Outside world talks SHA2 to Squid; Squid internally talks SHA1 to the VM;
Squid gets the response from the VM and passes it along (re-encrypting it
to SHA2).
At least, that's the idea. But forget about SSL/encryption for the moment;
I can't even get this concept working with plain old unencrypted HTTP.
The VM is running locally, and accessible via host-only networking on
192.168.1.101. I set up a local /etc/hosts alternative JUST for
Squid's use, which tells Squid that "myhost.mydomain.com" is actually
192.168.1.101. Yet Squid seems to be ignoring this. Incoming requests for
http://myhost.mydomain.com/ throw a standard Squid "Access Denied."
page. cache.log reveals the presence of a forward loop:
-------
2016/06/22 06:48:47 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: myhost.mydomain.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: */*
Referer: http://myhost.mydomain.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Via: 1.1 myhost (squid/3.4.8)
X-Forwarded-For: 1.2.3.4
Cache-Control: no-cache
Connection: keep-alive
2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
-------
access.log, meanwhile, reports:
1466592527.367 0 5.6.7.8 TCP_MISS/403 3917 GET
http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367 0 1.2.3.4 TCP_MISS/403 4000 GET
http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html
(Here, "5.6.7.8" is the EXTERNAL IP address of the VM host-- i.e., the
actual "outside world" IP of myhost.mydomain.com, as opposed to the
internal-only 192.168.1.101 which it should be translated into. "1.2.3.4"
is the IP of my workstation running my Web browser.)
Below is the ENTIRE text of my /etc/squid3/squid.conf; at one point in
this process, I got so frustrated that I pared it down to the absolute
minimum.
---
hosts_file /etc/squid3/squid_hosts
always_direct allow all
cache deny all
acl FROM_ALL src all
acl TO_LOCAL dst 127.0.0.1
acl TO_LOCAL dst 192.168.1.101
http_access allow FROM_ALL
http_access allow TO_LOCAL
http_access deny all
http_port 80 intercept
---
I've been bashing my head against this problem all evening to no effect. I
am fairly sure I could simply solve my problem by writing a minuscule
proxy script in PHP, Perl or Python, and using Apache's mod_rewrite rules
to point all incoming Web requests through said proxy script. But I'd
really rather not "re-invent the wheel"; I'd really rather use Squid.
Any help would be very much appreciated!
Best,
Jessica
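To make a loop like the one above visible from the logs alone, the following is an added Python example (not from the post and not part of Squid) that parses native-format access.log lines and flags any request that Squid forwarded to one of its own addresses and then received back as a client; it also counts how often a proxy's own hostname appears in a Via header, which is the signal Squid uses for its "Forwarding loop detected" warning. The two log lines, the address 5.6.7.8 and the hostname myhost are taken from the post; 192.168.1.101 being listed as one of the host's own addresses is an assumption for the sample.

```python
import re

# Constructed sample: the two access.log lines quoted in the post, unwrapped.
ACCESS_LOG = """\
1466592527.367 0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367 0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html
"""

# Squid native log format:
# timestamp elapsed client result/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)


def parse_access_log(text):
    """Parse native-format access.log text into a list of field dicts."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def find_self_forwarding(entries, own_addresses):
    """Return the URLs of requests the proxy sent to one of its own addresses
    (peer field) and then saw again with that same address as the client.
    own_addresses: every IP the proxy host answers on (assumed for the sample)."""
    own = set(own_addresses)
    forwarded_to_self = {(e["url"], e["ts"]) for e in entries if e["peer"] in own}
    looped = {
        e["url"] for e in entries
        if e["client"] in own and (e["url"], e["ts"]) in forwarded_to_self
    }
    return sorted(looped)


def via_hop_count(via_header, own_hostname):
    """Count hops in a Via header whose received-by token is own_hostname.
    Each hop looks like '1.1 myhost (squid/3.4.8)'; a count above zero on an
    incoming request means the request already passed through this proxy."""
    count = 0
    for hop in via_header.split(","):
        tokens = hop.split()
        if len(tokens) >= 2 and tokens[1] == own_hostname:
            count += 1
    return count
```

Run against the sample, find_self_forwarding reports the favicon URL once, matching the loop Squid logged in cache.log.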