[squid-dev] [Issue Report] Squid forward request to 0.0.0.0/8
Amos Jeffries
squid3 at treenet.co.nz
Thu Jun 5 10:49:03 UTC 2025
On 5/06/25 20:04, Yang, Chao wrote:
>
> I found there are lots of strange log entries when I register SUSE, as below
> (/var/log/squid/access.log):
>
> ===================================================================================================================
>
> 1749103351.951 3 172.31.47.207 TCP_DENIED/403 3804 CONNECT 0.0.10.40:1 - HIER_NONE/- text/html
>
Squid received the HTTP request "CONNECT 0.0.10.40:1".
The port 1 is forbidden by SSL_ports, so Squid sent a 403 Denied response.

> 1749103366.975 4 172.31.47.207 TCP_DENIED/403 3802 CONNECT 0.0.9.96:7 - HIER_NONE/- text/html
>
Squid received the HTTP request "CONNECT 0.0.9.96:7".
The port 7 is forbidden by SSL_ports, so Squid sent a 403 Denied response.

> 1749103375.466 59932 172.31.47.207 TCP_TUNNEL/503 0 CONNECT 0.0.9.102:443 - HIER_DIRECT/0.0.9.102 -
>
Squid received the HTTP request "CONNECT 0.0.9.102:443".
The port 443 is valid for HTTPS, so Squid opened a tunnel to that server
(successfully). The connection closed after 59.9 seconds, with no data
sent to the client.

> ===================================================================================================================
>
> After I edited the config file (/etc/squid/squid.conf) and added the following:
>
> acl invalid_dst dst 0.0.0.0/8
>
> http_access deny invalid_dst
>
> I could register SUSE without any error.

The error is something inside the SUSE zypper or the plugin it is using
to access their cloud services. Whoever coded it did not expect that IP
address range to work in "public" Internet.

Squid is just trying to do what it is told to do. It looks to me like it
is working.
>
> When I access Amazon S3 using the Squid instance, there is no strange IP
> in the access log.
>
That being an entirely different company and/or web service. One can
expect them to be different.

> I checked /etc/hosts and there is no information about "0.0.0.0/8"
>
Those IPs are being sent to Squid directly by the "registercloudguest"
software. Why, is a different question and should be taken up with the
SUSE people or whoever wrote the zypper plugin that tool is using.

> *Action Required:*
>
> Do you know why Squid forwards requests to 0.0.0.0/8?
>
As you have discovered, that range is used by Cloud services. Typically
for internal messaging. In some of the environments Squid operates it is
treated as equivalent to a LAN range for VMs.

Cheers
Amos
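
Added example, not part of the original message: a Python sketch that scans access.log entries in Squid's default native format for CONNECT requests to IPv4 literals in 0.0.0.0/8 and reports whether Squid opened an outbound connection (HIER_DIRECT) or not (HIER_NONE). The sample reuses the three log lines quoted above plus one constructed entry; the function names are illustrative.

```python
import ipaddress

THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # range denied by the ACL in the thread

# Constructed sample: the three entries quoted in the thread (wrapped lines
# re-joined) plus one made-up entry with a placeholder hostname and address.
SAMPLE_LOG = """\
1749103351.951 3 172.31.47.207 TCP_DENIED/403 3804 CONNECT 0.0.10.40:1 - HIER_NONE/- text/html
1749103366.975 4 172.31.47.207 TCP_DENIED/403 3802 CONNECT 0.0.9.96:7 - HIER_NONE/- text/html
1749103375.466 59932 172.31.47.207 TCP_TUNNEL/503 0 CONNECT 0.0.9.102:443 - HIER_DIRECT/0.0.9.102 -
1749103380.100 120 172.31.47.207 TCP_TUNNEL/200 5120 CONNECT registration.example.com:443 - HIER_DIRECT/203.0.113.10 -
"""


def parse_line(line):
    """Split one entry in Squid's default native access.log format."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3]:
        return None
    result, status = f[3].split("/", 1)
    return {"client": f[2], "result": result, "status": int(status),
            "method": f[5], "target": f[6], "hierarchy": f[8]}


def this_network_requests(log_text):
    """Return CONNECT entries whose destination is an IPv4 literal in 0.0.0.0/8."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["method"] != "CONNECT":
            continue
        host, _, port = entry["target"].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # destination is a hostname, not an IP literal
        if ip.version == 4 and ip in THIS_NETWORK:
            entry["port"] = int(port)
            # HIER_DIRECT: Squid opened an outbound connection; HIER_NONE: it did not.
            entry["forwarded"] = entry["hierarchy"].startswith("HIER_DIRECT")
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in this_network_requests(SAMPLE_LOG):
        state = "forwarded" if hit["forwarded"] else "not forwarded"
        print(hit["client"], hit["target"], hit["result"], hit["status"], state)
```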