[squid-users] Another "Forwarding loop detected" issue

Nick Howitt nick at howitts.co.uk
Tue Nov 5 12:57:31 UTC 2019 

On 05/11/2019 11:07, Nick Howitt wrote:
>
>
> On 05/11/2019 10:44, Amos Jeffries wrote:
>> On 5/11/19 10:40 pm, Nick Howitt wrote:
>>> I am trying to help someone who is running squid-3.5.20-12 on a
>>> standalone server with the dansguardian content filter and suddenly
>>> recently has been getting a lot of messages like:
>>>
>>>     2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
>>>     HEAD / HTTP/1.0
>>>     Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
>>>     Cache-Control: max-age=259200
>>>     Connection: keep-alive
>>>     X-Forwarded-For: 10.10.1.2
>>>     Host: 10.10.1.2:8080
>>>
>>>
>>> The access log looks something like:
>>>
>>>     1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>     http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>     1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>     http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>     1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>     http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>
>>> (but these are for different transactions - they are all the same apart
>>> from the timestamps)
>>>
>> That is what a forwarding loop looks like in the access.log.
>>
>>
>>> The content filter listens on port 8080 and squid on 3128. The machine
>>> is on 10.10.1.2
>>>
>>> All the other posts I've seen seem to be for transparent mode or where
>>> there is a User Agent string. I have found nothing to cover this
>>> scenario. How can I troubleshoot to fix it and what information do you
>>> need from me to help diagnose?
>>>
>> Something is telling Squid the origin server being contacted exists at
>> 10.10.1.2:8080. You can see that in the Host header of the message.
>>
>> I would trace the traffic flow from the client to Squid.
>>
> But isn't everything coming to 8080 as that is the proxy you'd set up 
> in the browser? I'm afraid I don't understand how proxying works at 
> the packet level. I see nothing before these messages to indicate the 
> packets are coming from elsewhere. A cut down startup log looks like:
>
>    <snip>
>    2019/10/31 13:47:40 kid1| helperOpenServers: Starting 5/5
>    'ext_unix_group_acl' processes
>    2019/10/31 13:47:40 kid1| HTCP Disabled.
>    2019/10/31 13:47:40 kid1| Finished loading MIME types and icons.
>    2019/10/31 13:47:40 kid1| Accepting HTTP Socket connections at
>    local=[::1]:3128 remote=[::] FD 2021 flags=9
>    2019/10/31 13:47:40 kid1| Accepting HTTP Socket connections at
>    local=127.0.0.1:3128 remote=[::] FD 2022 flags=9
>    2019/10/31 13:47:40 kid1| Accepting HTTP Socket connections at
>    local=10.10.1.2:3128 remote=[::] FD 2023 flags=9
>    2019/10/31 13:48:12 kid1| WARNING: Forwarding loop detected for:
>    HEAD / HTTP/1.0
>    Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
>    Cache-Control: max-age=259200
>    Connection: keep-alive
>    X-Forwarded-For: 10.10.1.2
>    Host: 10.10.1.2:8080
>
>
>    2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
>    HEAD / HTTP/1.0
>    Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
>    Cache-Control: max-age=259200
>    Connection: keep-alive
>    X-Forwarded-For: 10.10.1.2
>    Host: 10.10.1.2:8080
>
>
> Is there anything I can look for in my logs or do I need to do some 
> sort of tcpdump with some filters?
>
> Thanks,
>
> Nick
At the moment the wpad file is not pointing to the proxy server so no 
machines should be using it. I have tried a:

    tcpdump -vvvnnn -A -i eth0 port 8080 -s 1500


This gives me bursts of:

    07:50:47.569305 IP (tos 0x0, ttl 128, id 56718, offset 0, flags
    [DF], proto TCP (6), length 52)
         10.10.11.215.64857 > 10.10.1.2.8080: Flags [S], cksum 0x389b
    (correct), seq 625662051, win 64240, options [mss 1460,nop,wscale
    8,nop,nop,sackOK], length 0
    E..4.. at ....H

    ..

    ...Y..%J.c........8...............
    07:50:47.569419 IP (tos 0x0, ttl 64, id 7161, offset 0, flags [DF],
    proto TCP (6), length 40)
         10.10.1.2.8080 > 10.10.11.215.64857: Flags [R.], cksum 0x744b
    (correct), seq 0, ack 1, win 0, length 0
    E..(.. at .@...

    ..

    .....Y....%J.dP...tK..


 From what I've researched so far there are no http headers in these 
packets. The proxy is 10.10.1.2. Does this mean 10.10.11.215 could be 
the offending machine if no other machines should be using the proxy? Or 
do I need to do something cleverer with my tcpdump?

More information about the squid-users mailing list