<div dir="ltr"><div><div>Hi All,<br><br></div><div>As an addition to my issue from yesterday,<br><br></div>Tail -f cache.log, I am getting the following:<br><br>015/03/06 13:54:02| WARNING: Forwarding loop detected for:<br>GET /Artwork/SN.png HTTP/1.1<br>Host: <a href="http://www.squid-cache.org">www.squid-cache.org</a><br>Accept: image/webp,*/*;q=0.8<br>User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36<br>Referer: <a href="http://www.openbsd.org/">http://www.openbsd.org/</a><br>Accept-Encoding: gzip, deflate, sdch<br>Accept-Language: en-US,en;q=0.8,ar;q=0.6<br>Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)<br>X-Forwarded-For: 10.0.0.23<br>Cache-Control: max-age=0<br>Connection: keep-alive<br><br><br>2015/03/06 13:54:02| WARNING: Forwarding loop detected for:<br>GET /favicon.ico HTTP/1.1<br>Host: <a href="http://www.openbsd.org">www.openbsd.org</a><br>Accept: */*<br>User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36<br>Accept-Encoding: gzip, deflate, sdch<br>Accept-Language: en-US,en;q=0.8,ar;q=0.6<br>Via: 1.1 ISN-PHC-CACHE (squid/3.5.2)<br>X-Forwarded-For: 10.0.0.23<br>Cache-Control: max-age=259200<br>Connection: keep-alive<br><br></div>Any ideas?<br><div><br><div><div><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Monah Baki</b> <span dir="ltr"><<a href="mailto:monahbaki@gmail.com">monahbaki@gmail.com</a>></span><br>Date: Thu, Mar 5, 2015 at 7:19 AM<br>Subject: squid intercept config<br>To: Squid Users <<a href="mailto:squid-users@squid-cache.org">squid-users@squid-cache.org</a>><br><br><br><div dir="ltr"><div><div><div><div><div><div><div>Hi all, can anyone verify if this is correct, need to make sure that users will be able to access the internet via the squid.<br><br></div>Running FreeBSD with a single interface with Squid-3.5.2 <br><br>Policy based routing on Cisco with the 
following:<br><p class="MsoNormal"><span style="color:rgb(0,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""><br></span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif"">interface GigabitEthernet0/0/1.1</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> encapsulation dot1Q 1 native</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> ip address 10.0.0.9 255.255.255.0</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> no ip redirects</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> no ip unreachables</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> ip nat inside</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> standby 1 ip 10.0.0.10</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> standby 1 priority 120</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> standby 1 preempt</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> standby 1 name HSRP</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> ip policy route-map CFLOW</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span 
style="font-size:11pt;font-family:"Calibri","sans-serif""> </span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif"">ip access-list extended REDIRECT</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> deny   tcp host 10.0.0.24 any eq www</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> permit tcp host 10.0.0.23 any eq www</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> </span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif"">route-map CFLOW permit 10</span></span></p><p class="MsoNormal"><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> match ip address REDIRECT</span></span></p><span style="color:rgb(255,0,0)"><span style="font-size:11pt;font-family:"Calibri","sans-serif""> set ip next-hop 10.0.0.24<br><br></span></span></div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">In my /etc/pf.conf<br>rdr pass inet proto tcp from <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> to any port 80 -> 10.0.0.24 port 3129<br><br># block in<br>pass in log quick on bge0<br>pass out log quick on bge0<br>pass out keep state<br><br></font></span></div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">and finally in my squid.conf:<br>http_port 3128<br>http_port 3129 intercept<br><br><br><br></font></span></div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">And for testing purposes from the squid server:<br> ./squidclient -h 10.0.0.24 -p 3128 <a href="http://www.freebsd.org/" 
target="_blank">http://www.freebsd.org/</a><br></font></span></div><div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000"><br></font></span></div><div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">If I replace -p 3128 with -p 80, I get an access denied, and if I omit the -p 3128 completely, I can access the websites.<br></font></span></div><div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000"><br>tcpdump with (-p 3128)<br><br>13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0<br>13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448<br>13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448<br><br><br><br></font></span></div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">Did I miss anything?<br><br></font></span></div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">Thanks<span class=""><font color="#888888"><br></font></span></font></span></div><span class=""><font color="#888888"><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000">Monah<br></font></span><div><div><div><div><span style="font-size:11pt;font-family:"Calibri","sans-serif";color:red"><font color="#000000"><br></font></span></div></div></div></div></font></span></div>
</div><br></div></div></div></div>