[squid-users] squid transparent proxy forward loop

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 22 13:12:01 UTC 2018


On 23/10/18 1:26 AM, Juan Carvajal B. wrote:
> Dear list,
> 
> I hope you can give me some hints for my current task.
> 
> I would like to achieve the following:
> 
> 1. A user comes with their own device, for example a phone or tablet.
> 2. The user connects to our own WLAN network.
> 3. The user enters the address of our website.
> 4. The user can only access our website, which is hosted in a server *not
> connected* to the internet.
> 
> We have the following set up
> 
> Tablets / phones <---> WLAN router <---> server
> 
> Please note that there is *no* connection to the internet. The server is
> connected to the "internet" port of the router.
> 
> The server runs ubuntu & apache.
> 
> I've been trying to achieve this with squid but I get a **warning of a
> forwarding loop**. I do not know what I'm doing wrong.
> 
> I'm following this:
> https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
> https://wiki.squid-cache.org/SquidFaq/ReverseProxy
> 
> Here are my conf files:
> 
> ****squid.conf****
> 
>     visible_hostname squid.proxy

I have seen other people using this "squid.proxy" as the FQDN of their
proxy. It is likely that your chosen proxy hostname is not unique.

Since this is a reverse-proxy it is best to set this to the FQDN of the
primary website you are proxying.



>     http_port 3128 intercept
>     http_port 192.168.0.188:80 accel defaultsite=our.domain.org
>     http_port 192.168.0.188:443 accel defaultsite=our.domain.org

The above should be https_port and requires the TLS certificate for the
domain being virtual-hosted.

see
<https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting> which
I added just yesterday.


>     cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
>     acl our_sites dstdomain our.domain.org
>     http_access allow our_sites
>     cache_peer_access myAccel allow our_sites
>     cache_peer_access myAccel deny all

Move the above custom configuration down to ...

>     acl SSL_ports port 443
>     acl CONNECT method CONNECT
>     http_access deny !Safe_ports

You do not have any definition of Safe_ports above. It should contain at
least 80 and 443 for your proxy.

>     http_access deny CONNECT !SSL_ports
>     http_access allow localhost manager
>     http_access deny manager

... here.


You are missing good rules for traffic arriving on the port 3128. The
below "allow all" is very bad.


>     http_access allow localhost
>     http_access allow all

That should be:

 http_access deny all


...

> ****IPTABLES****
> 
>     # your proxy IP
>     SQUIDIP=192.168.0.188
>     # your proxy listening port
>     SQUIDPORT=3128
>     iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
>     iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
> 

Here is your problem. You have not bypassed the traffic Squid is sending
to 127.0.0.1:80.

Traffic to/from localhost does not use global IP addresses such as
192.168.0.188. Thus Squid's attempts to send traffic to Apache are being
looped back into port 3128 by iptables.


What is the point of all this interception anyway?

Your proxy is already listening on port 80 and 443 for directly
receiving traffic to any domain with a DNS entry of 192.168.0.188.


Amos
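The three configuration mistakes Amos calls out above (an http_access rule naming an ACL that was never defined, a trailing "allow all", and an accel port on 443 declared with http_port rather than https_port), plus the intercept-plus-loopback-peer combination behind the forwarding loop, are all visible in the quoted squid.conf before Squid is ever started. The following linter is an added example, not code from the thread or from the Squid project; it uses a deliberately simplified reading of the squid.conf grammar (one directive per line, ACL names following the http_access action) and assumes Squid's built-in ACLs `all`, `localhost`, `to_localhost` and `manager`. The embedded sample configuration is constructed from the config quoted in the thread.

```python
"""Lint a squid.conf for the mistakes discussed in this thread.

Added example, not Squid's own parser: it understands only the directives
it needs (acl, http_access, http_port, cache_peer) and treats each line as
"directive arg arg ...".
"""

# ACLs that Squid (3.2 and later) predefines, so they may be referenced
# without an explicit "acl" line.
BUILTIN_ACLS = {"all", "localhost", "to_localhost", "manager"}

# Constructed sample: the configuration quoted in the thread, with the
# e-mail line wrapping undone so each directive sits on one line.
SAMPLE_CONF = """\
visible_hostname squid.proxy
http_port 3128 intercept
http_port 192.168.0.188:80 accel defaultsite=our.domain.org
http_port 192.168.0.188:443 accel defaultsite=our.domain.org
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain our.domain.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
"""


def tokenize(text):
    """Yield (line_number, tokens) for every non-empty, non-comment line."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield number, line.split()


def lint_squid_conf(text):
    """Return a list of (line_number, message) findings, in discovery order."""
    findings = []
    defined = set(BUILTIN_ACLS)
    http_access = []      # (line_number, tokens) in file order
    intercept_ports = []  # line numbers of "http_port ... intercept"
    loopback_peers = []   # line numbers of cache_peer entries on loopback

    for number, tok in tokenize(text):
        directive = tok[0]
        if directive == "acl" and len(tok) >= 3:
            defined.add(tok[1])
        elif directive == "http_access" and len(tok) >= 2:
            http_access.append((number, tok))
        elif directive == "http_port" and len(tok) >= 2:
            options = tok[2:]
            if "intercept" in options:
                intercept_ports.append(number)
            # A TLS listener needs https_port and the site's certificate.
            if "accel" in options and tok[1].endswith(":443"):
                findings.append((number, "port 443 with accel should be "
                                 "https_port with the site's TLS certificate"))
        elif directive == "cache_peer" and len(tok) >= 2:
            if tok[1] in ("127.0.0.1", "::1", "localhost"):
                loopback_peers.append(number)

    # 1. Every ACL named in an http_access line must exist ('!' negates).
    for number, tok in http_access:
        for name in tok[2:]:
            clean = name.lstrip("!")
            if clean not in defined:
                findings.append((number, "http_access references undefined "
                                 "ACL '%s'" % clean))

    # 2. The access list must end with an explicit "deny all".
    if http_access:
        number, tok = http_access[-1]
        if tok[1:] != ["deny", "all"]:
            findings.append((number, "last http_access rule should be "
                             "'deny all', not '%s'" % " ".join(tok[1:])))

    # 3. Interception combined with a loopback origin peer: the redirect
    #    rules must exempt Squid's own traffic to that peer or it loops.
    if intercept_ports and loopback_peers:
        findings.append((loopback_peers[0], "intercept port plus a cache_peer "
                         "on loopback: make sure the redirect rules exclude "
                         "traffic destined for this peer (forwarding loop)"))
    return findings


if __name__ == "__main__":
    for number, message in lint_squid_conf(SAMPLE_CONF):
        print("line %d: %s" % (number, message))
```

Run against the sample it reports the undefined `Safe_ports` ACL, the trailing `allow all`, the `http_port ...:443 accel` line and the intercept/loopback-peer combination; a config that defines `Safe_ports` and ends with `http_access deny all` produces no findings.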

