[squid-users] squid transparent proxy forward loop

Juan Carvajal B. juan at mediaarchitecture.org
Wed Oct 24 12:28:02 UTC 2018


Thank you so much Matus,

we were indeed missing a DNS service:

Your proxy is already listening on port 80 and 443 for directly
receiving traffic to any domain with a DNS entry of 192.168.0.188.

best,

*Juan Carlos*

*Join our mailing list
<http://lists.mediaarchitecture.org/?p=subscribe&id=1> (Max 1-mail / month)*



On Mon, 22 Oct 2018 at 15:12, Amos Jeffries <
squid3 at treenet.co.nz> wrote:

> On 23/10/18 1:26 AM, Juan Carvajal B. wrote:
> > Dear list,
> >
> > I hope you can give me some hints for my current task.
> >
> > I would like to achieve the following:
> >
> > 1. A user comes with their own device, for example a phone or tablet.
> > 2. The user connects to our own WLAN network.
> > 3. The user enters the address of our website.
> > 4. The user can only access our website, which is hosted on a server *not
> > connected* to the internet.
> >
> > We have the following set up
> >
> > Tablets / phones <---> WLAN router <---> server
> >
> > please note that there is *no* connection to internet. The server is
> > connected to the "internet" port of the router.
> >
> > The server runs ubuntu & apache.
> >
> > I've been trying to achieve this with squid but I get a **warning of a
> > forwarding loop**. I do not know what I'm doing wrong.
> >
> > I'm following this:
> > https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
> > https://wiki.squid-cache.org/SquidFaq/ReverseProxy
> >
> > Here are my conf files:
> >
> > ****squid.conf****
> >
>
>
> >     visible_hostname squid.proxy
>
> I have seen other people using this "squid.proxy" as the FQDN of their
> proxy. It is likely that your chosen proxy hostname is not unique.
>
> Since this is a reverse-proxy it is best to set this to the FQDN of the
> primary website you are proxying.
>
>
>
> >     http_port 3128 intercept
> >     http_port 192.168.0.188:80 accel defaultsite=our.domain.org
> >     http_port 192.168.0.188:443 accel defaultsite=our.domain.org
>
> The above should be https_port and requires the TLS certificate for the
> domain being virtual-hosted.
>
> see <https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting>
> which I added just yesterday.
>
>
> >     cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
> >     acl our_sites dstdomain our.domain.org
> >     http_access allow our_sites
> >     cache_peer_access myAccel allow our_sites
> >     cache_peer_access myAccel deny all
>
> Move the above custom configuration down to ...
>
> >     acl SSL_ports port 443
> >     acl CONNECT method CONNECT
> >     http_access deny !Safe_ports
>
> You do not have any definition of Safe_ports above. It should contain at
> least 80 and 443 for your proxy.
>
> >     http_access deny CONNECT !SSL_ports
> >     http_access allow localhost manager
> >     http_access deny manager
>
> ... here.
>
>
> You are missing good rules for traffic arriving on the port 3128. The
> below "allow all" is very bad.
>
>
> >     http_access allow localhost
> >     http_access allow all
>
> That should be:
>
>  http_access deny all
>
>
> ...
>
> > ****IPTABLES****
> >
> >     # your proxy IP
> >     SQUIDIP=192.168.0.188
> >     # your proxy listening port
> >     SQUIDPORT=3128
> >     iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
> >     iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
> >
>
> Here is your problem. You have not bypassed the traffic Squid is sending
> to 127.0.0.1:80.
>
> Traffic to/from localhost does not use global IP addresses such as
> 192.168.0.188. Thus Squid's attempts to send traffic to Apache is being
> looped back into port 3128 by iptables.
>
>
> What is the point of all this interception anyway?
>
> Your proxy is already listening on port 80 and 443 for directly
> receiving traffic to any domain with a DNS entry of 192.168.0.188.
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
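Pulling Amos's corrections together, here is an added example (not code from the original post, from the Squid project, or from the wiki pages the thread cites): a script that writes a squid.conf with the fixes he listed and installs nat rules that bypass Squid's own loopback connections before the REDIRECT. It assumes Squid and Apache run on the same host with Apache bound to 127.0.0.1:80 only, that the WLAN-facing interface is eth0 (a placeholder), and that the certificate and key for our.domain.org sit at a placeholder path; the two `check_*` helpers are my own additions.

```shell
#!/bin/sh
# Added example for the squid-users thread above (not from the original post,
# the Squid project or the Squid wiki).
# Assumptions: Apache listens on 127.0.0.1:80 only, the WLAN side of the host
# is $LAN_IF (eth0 is a placeholder) and the PEM file for our.domain.org is at
# $TLS_PEM (placeholder path).
SQUIDIP=${SQUIDIP:-192.168.0.188}
SQUIDPORT=${SQUIDPORT:-3128}
LAN_IF=${LAN_IF:-eth0}
TLS_PEM=${TLS_PEM:-/etc/squid/our.domain.org.pem}
IPTABLES=${IPTABLES:-iptables}   # set IPTABLES=echo for a dry run

write_squid_conf() {   # usage: write_squid_conf /etc/squid/squid.conf
    cat > "$1" <<EOF
# Use the FQDN of the site being served, not a generic name such as squid.proxy.
visible_hostname our.domain.org

# Reverse-proxy listeners. Port 443 needs https_port plus the site certificate
# (Squid 3.5 spells the option cert= instead of tls-cert=).
http_port $SQUIDIP:80 accel defaultsite=our.domain.org
https_port $SQUIDIP:443 accel defaultsite=our.domain.org tls-cert=$TLS_PEM
# Only needed while port-80 traffic is still intercepted with iptables.
http_port $SQUIDPORT intercept

cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel

acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl our_sites dstdomain our.domain.org

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Site-specific rules come after the generic safety rules.
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
# Everything else, including whatever else shows up on the intercept port.
http_access deny all
EOF
}

apply_nat_rules() {
    # Squid's connections to 127.0.0.1:80 are delivered over lo and traverse
    # nat PREROUTING like any other inbound packet. Their source is 127.0.0.1,
    # so the "-s $SQUIDIP" bypass never matches them; accept loopback traffic
    # before any REDIRECT or it is sent straight back into port 3128.
    "$IPTABLES" -t nat -A PREROUTING -i lo -j ACCEPT
    "$IPTABLES" -t nat -A PREROUTING -s "$SQUIDIP" -p tcp --dport 80 -j ACCEPT
    # Intercept only what actually arrives from the WLAN side.
    "$IPTABLES" -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUIDPORT"
}

# Checks to run before reloading: the last http_access line must be "deny all",
# Safe_ports must be defined before it is used, and the loopback bypass must
# precede the REDIRECT rule.
check_squid_conf() {   # usage: check_squid_conf /etc/squid/squid.conf
    [ "$(grep '^http_access' "$1" | tail -n 1)" = "http_access deny all" ] || return 1
    def=$(grep -n '^acl Safe_ports' "$1" | cut -d: -f1)
    use=$(grep -n 'http_access deny !Safe_ports' "$1" | cut -d: -f1)
    [ -n "$def" ] && [ -n "$use" ] && [ "$def" -lt "$use" ]
}

check_nat_order() {
    IPTABLES=echo apply_nat_rules |
        awk '/-i lo -j ACCEPT/ {lo=NR} /-j REDIRECT/ {r=NR}
             END { if (lo && r && lo < r) exit 0; exit 1 }'
}
```

Typical use is `write_squid_conf /etc/squid/squid.conf && check_squid_conf /etc/squid/squid.conf && squid -k parse`, then `apply_nat_rules` as root (or `IPTABLES=echo apply_nat_rules` to see the rules first). As Amos points out and Juan's follow-up confirms, once DNS resolves our.domain.org to 192.168.0.188 the accel listeners receive the clients' requests directly, so the `intercept` port and the REDIRECT rule can be dropped altogether, which removes the loop at its source.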