[squid-users] Another "Forwarding loop detected" issue
Matus UHLAR - fantomas
uhlar at fantomas.sk
Wed Nov 6 10:59:03 UTC 2019
>On 06/11/2019 09:39, Matus UHLAR - fantomas wrote:
>>>>>On 5/11/19 10:40 pm, Nick Howitt wrote:
>>>>>>I am trying to help someone who is running squid-3.5.20-12 on a
>>>>>>standalone server with the dansguardian content filter and suddenly
>>>>>>recently has been getting a lot of messages like:
>>>>>>
>>>>>> 2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
>>>>>> HEAD / HTTP/1.0
>>>>>> Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
>>>>>> Cache-Control: max-age=259200
>>>>>> Connection: keep-alive
>>>>>> X-Forwarded-For: 10.10.1.2
>>>>>> Host: 10.10.1.2:8080
>>>>>>
>>>>>>
>>>>>>The access log looks something like:
>>>>>>
>>>>>> 1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>>> http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>>> 1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>>> http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>>> 1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>>> http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>>>
>>>>>>(but these are for different transactions - they are all the
>>>>>>same apart
>>>>>>from the timestamps)
>>
>>
>>>>On 05/11/2019 10:44, Amos Jeffries wrote:
>>>>>That is what a forwarding loop looks like in the access.log.
>>
>>>>>>The content filter listens on port 8080 and squid on 3128.
>>>>>>The machine
>>>>>>is on 10.10.1.2
>>What does your schema look like?
>>How does your content filter work?
>>
>>The logs above show that someone from local machine (content-filter) is
>>using squid to access local machine port 8080, which should be your
>>content
>>filter.
>>That looks much like a loop, connections from squid or content
>>filter that
>>are going back to content filter via squid
On 06.11.19 09:54, Nick Howitt wrote:
>The set up is eth0 (10.10.1.2:8080) -> Content filter (dansguardian)
>-> Squid (port 3128) -> eth0 -> gateway

I understand this as:

client
-> 10.10.1.2:8080 aka Content filter (dansguardian)
-> 10.10.1.2:3128 aka squid
-> the net.

>If what you are saying is right then a firewall rule blocking source
>10.10.1.2 to 10.10.1.2:8080 may work

Apparently, but I don't understand why anyone would connect from 10.10.1.2 to
10.10.1.2:8080.
Is it an HTTP client running on 10.10.1.2? Then it's OK.
Is it squid or dansguardian? Then something is broken in your setup, or
a client is requesting 10.10.1.2:8080, which should apparently be disabled
in the squid config.

> I am not sure if it would be in
>the FORWARD or INPUT chain

INPUT chain, since it's a connection from/to a local IP, unless it's a redirected
connection.
But IIRC you have said your clients have the proxy configured.

--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.
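
Added example, not part of the original message or of Squid itself: a small check that scans a native-format Squid access.log for requests aimed at the proxy chain's own listeners, which is the pattern the thread identifies as the forwarding loop. The listener set comes from the addresses given in the thread; the function names and the last two sample lines are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Listeners of the proxy chain as described in the thread:
# dansguardian on 10.10.1.2:8080, squid on 10.10.1.2:3128.
OWN_LISTENERS = {("10.10.1.2", 8080), ("10.10.1.2", 3128)}

# First three lines are the access.log entries quoted in the thread;
# the last two are constructed to show traffic that must not be flagged.
SAMPLE_LOG = """\
1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545950.101 230 10.10.1.2 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1572545951.004 85 10.10.1.2 TCP_TUNNEL/200 4200 CONNECT example.com:443 - HIER_DIRECT/192.0.2.10 -
"""


def target_of(method, url):
    """Return the (host, port) a request is aimed at; CONNECT logs a bare host:port."""
    parts = urlsplit(url if "://" in url else "//" + url)
    default = 443 if method == "CONNECT" or parts.scheme == "https" else 80
    return parts.hostname, parts.port or default


def loop_candidates(log_text, listeners=OWN_LISTENERS):
    """Count requests, per (client, host, port), that target one of our own listeners."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format access.log line
        client, method, url = fields[2], fields[5], fields[6]
        try:
            target = target_of(method, url)
        except ValueError:
            continue  # malformed URL or port
        if target in listeners:
            hits[(client, *target)] += 1
    return hits


if __name__ == "__main__":
    for (client, host, port), count in loop_candidates(SAMPLE_LOG).items():
        print(f"{count} request(s) from {client} back to own listener {host}:{port}")
```

The client column shows where the looping request entered: 10.10.1.2 means it came from a process on the proxy host itself (dansguardian or a local HTTP client), which is the distinction the reply above asks about.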