[squid-users] Forward loop when intercepting mode to proxy traffic to local VM

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 22 13:49:02 UTC 2016

On 22/06/2016 11:15 p.m., jblank wrote:
> Slight correction on the Subject (my bad); I meant "when using intercept
> mode", not "when intercepting mode".
> On Wed, 22 Jun 2016, jblank wrote:
>> Hey all,
>> Thanks to a bizarre client requirement (don't ask, it's head-hurty), I
>> am required to maintain a legacy server which only supports obsolete
>> SHA-1 encryption. To keep things relatively safe, I'm attempting to
>> contain the problem within a VM and use Squid on the VM's host to
>> "re-encrypt" incoming traffic.
>> That is:
>> Outside world talks SHA2 to Squid; Squid internally talks SHA1 to the
>> VM; Squid gets the response from the VM and passes it along
>> (re-encrypting it to SHA2).

Okay. That sounds simple. But the use of intercept implies things are a
bit more complex for Squids situation.

Is there a particular reason you are using interception?

The next TLS / HTTPS stages of your task would be much less headache to
do as a reverse-proxy.

>> At least, that's the idea. But forget about SSL/encryption for the
>> moment; I can't even get this concept working with plain old
>> unencrypted HTTP.
>> The VM is running locally, and accessible via host-only networking on
>> I set up a local /etc/hosts alternative JUST for
>> Squid's use, which tells Squid that "myhost.mydomain.com" is actually
>> Yet Squid seems to be ignoring this. Incoming requests
>> for http://myhost.mydomain.com/ throw a standard Squid "Access
>> Denied." page. cache.log reveals the presence of a forward loop:

Correct way to use a static link to a specific upstream is to use the
cache_peer directive to tell Squid about that link and any fancy stuff
about it.

So this config should just work for both http:// and https:// traffic
destined to the VM:

 # use the URL domain instead of raw-IPs
 acl VM_domains dstdomain example.com
 http_access allow VM_domains

 acl HTTPS proto HTTPS

 # The HTTP if you want it, remove these lines if not
 cache_peer parent 80 0 originserver name=VM_http
 cache_peer_access VM_http allow HTTPS VM_domains
 cache_peer_access VM_http deny all

 # The HTTPS if you want it. Should work as-is but might need
 # other ssl* options for specific TLS/SSL tuning. see the TLS section
 # of http://www.squid-cache.org/Doc/config/cache_peer/ for details.
 cache_peer parent 443 0 originserver ssl name=VM_https
 cache_peer_access VM_https allow !HTTPS VM_domains
 cache_peer_access VM_https deny all

Note that Squid does not need hosts file entries for this to work.

Also, the warning about forward proxy ports is because you dropped the
default "http_port 3128" line. Add it back (or use reverse-proxy) and
those will disappear.


More information about the squid-users mailing list