[squid-users] Another "Forwarding loop detected" issue
Nick Howitt
nick at howitts.co.uk
Wed Nov 6 09:54:31 UTC 2019
On 06/11/2019 09:39, Matus UHLAR - fantomas wrote:
>>>> On 5/11/19 10:40 pm, Nick Howitt wrote:
>>>>> I am trying to help someone who is running squid-3.5.20-12 on a
>>>>> standalone server with the dansguardian content filter and suddenly
>>>>> recently has been getting a lot of messages like:
>>>>>
>>>>> 2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
>>>>> HEAD / HTTP/1.0
>>>>> Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
>>>>> Cache-Control: max-age=259200
>>>>> Connection: keep-alive
>>>>> X-Forwarded-For: 10.10.1.2
>>>>> Host: 10.10.1.2:8080
>>>>>
>>>>>
>>>>> The access log looks something like:
>>>>>
>>>>> 1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>> http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>> 1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>> http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>> 1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>> http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>>
>>>>> (but these are for different transactions - they are all the same
>>>>> apart from the timestamps)
>
>
>>> On 05/11/2019 10:44, Amos Jeffries wrote:
>>>> That is what a forwarding loop looks like in the access.log.
>
>>>>> The content filter listens on port 8080 and squid on 3128. The
>>>>> machine is on 10.10.1.2
>
> On 05.11.19 12:57, Nick Howitt wrote:
>> At the moment the wpad file is not pointing to the proxy server so no
>> machines should be using it. I have tried a:
>>
>> tcpdump -vvvnnn -A -i eth0 port 8080 -s 1500
>>
>>
>> This gives me bursts of:
>>
>> 07:50:47.569305 IP (tos 0x0, ttl 128, id 56718, offset 0, flags
>> [DF], proto TCP (6), length 52)
>> 10.10.11.215.64857 > 10.10.1.2.8080: Flags [S], cksum 0x389b
>
>> From what I've researched so far there are no http headers in these
>> packets. The proxy is 10.10.1.2. Does this mean 10.10.11.215 could be
>> the offending machine if no other machines should be using the proxy?
>> Or do I need to do something cleverer with my tcpdump?
>
> I don't think so.
>
> What does your schema look like?
> How does your content filter work?
>
> The logs above show that someone from local machines (content-filter) is
> using squid to access local machine port 8080, which should be your
> content filter.
> That looks much like a loop, connections from squid or content filter
> that are going back to content filter via squid.
>
>
>
The setup is eth0 (10.10.1.2:8080) -> Content filter (dansguardian) ->
Squid (port 3128) -> eth0 -> gateway
If what you are saying is right then a firewall rule blocking source
10.10.1.2 to 10.10.1.2:8080 may work. I am not sure if it would be in
the FORWARD or INPUT chain and I don't know if it would cause collateral
damage. It also does not explain why only recently it started going
wrong. The machine has been rebuilt now and I am waiting for it to
trigger again, upgrading from ClearOS 6.x (a CentOS derivative) to
ClearOS 7.6 (which will soon update to 7.7).
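
The access.log pattern discussed in this thread can be picked out mechanically. The following is an added example, not part of the original message or of Squid itself: it counts requests where the proxy host is at once the client, the URL target and the next hop. The address set, function names and sample lines are assumptions constructed from the entries quoted above.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: addresses owned by the proxy host (10.10.1.2 is from the thread).
PROXY_ADDRS = {"10.10.1.2", "127.0.0.1"}

# Constructed sample in Squid's native access.log format, modelled on the
# entries quoted in the thread, plus one ordinary request for contrast.
SAMPLE_LOG = """\
1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545950.101    212 10.10.1.2 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Split one native-format access.log line into named fields, or None."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, result, _size, method, url, _ident, hier, _ctype = parts[:10]
    peer = hier.partition("/")[2]  # "HIER_DIRECT/10.10.1.2" -> "10.10.1.2"
    return {"ts": float(ts), "elapsed_ms": int(elapsed), "client": client,
            "result": result, "method": method, "url": url, "peer": peer}


def is_self_loop(rec, proxy_addrs):
    """True when the proxy host is client, URL target and next hop at once."""
    host = urlsplit(rec["url"]).hostname
    return (rec["client"] in proxy_addrs and host in proxy_addrs
            and rec["peer"] in proxy_addrs)


def summarize_loops(log_text, proxy_addrs=PROXY_ADDRS):
    """Count self-referential requests per (method, URL, result code)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_self_loop(rec, proxy_addrs):
            hits[(rec["method"], rec["url"], rec["result"])] += 1
    return hits


if __name__ == "__main__":
    for (method, url, result), n in summarize_loops(SAMPLE_LOG).items():
        print(f"{n:4d}  {method} {url}  {result}")
```
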