[squid-users] Forward loop when intercepting mode to proxy traffic to local VM

jblank at twu.net jblank at twu.net
Wed Jun 22 11:13:56 UTC 2016


Hey all,

Thanks to a bizarre client requirement (don't ask, it's head-hurty), I am 
required to maintain a legacy server which only supports obsolete SHA-1 
encryption. To keep things relatively safe, I'm attempting to contain the 
problem within a VM and use Squid on the VM's host to "re-encrypt" 
incoming traffic.

That is:
Outside world talks SHA2 to Squid; Squid internally talks SHA1 to the VM; 
Squid gets the response from the VM and passes it along (re-encrypting it 
to SHA2).

At least, that's the idea. But forget about SSL/encryption for the moment; 
I can't even get this concept working with plain old unencrypted HTTP.

The VM is running locally, and accessible via host-only networking on 
192.168.1.101. I set up a local /etc/hosts alternative JUST for 
Squid's use, which tells Squid that "myhost.mydomain.com" is actually 
192.168.1.101. Yet Squid seems to be ignoring this. Incoming requests for 
http://myhost.mydomain.com/ throw a standard Squid "Access Denied." 
page. cache.log reveals the presence of a forward loop:

-------
2016/06/22 06:48:47 kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1
Host: myhost.mydomain.com
Pragma: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Accept: */*
Referer: http://myhost.mydomain.com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Via: 1.1 myhost (squid/3.4.8)
X-Forwarded-For: 1.2.3.4
Cache-Control: no-cache
Connection: keep-alive


2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
-------

access.log, meanwhile, reports:

1466592527.367      0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367      0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html

(Here, "5.6.7.8" is the EXTERNAL IP address of the VM host -- i.e., the 
actual "outside world" IP of myhost.mydomain.com, as opposed to the 
internal-only 192.168.1.101 which it should be translated into. "1.2.3.4" 
is the IP of my workstation running my Web browser.)

Below is the ENTIRE text of my /etc/squid3/squid.conf; at one point in 
this process, I got so frustrated that I pared it down to the absolute 
minimum.

---
hosts_file /etc/squid3/squid_hosts
always_direct allow all
cache deny all
acl FROM_ALL src all
acl TO_LOCAL dst 127.0.0.1
acl TO_LOCAL dst 192.168.1.101
http_access allow FROM_ALL
http_access allow TO_LOCAL
http_access deny all
http_port 80 intercept
---

I've been bashing my head against this problem all evening to no effect. I 
am fairly sure I could simply solve my problem by writing a minuscule 
proxy script in PHP, Perl or Python, and using Apache's mod_rewrite rules 
to point all incoming Web requests through said proxy script. But I'd 
really rather not "re-invent the wheel"; I'd really rather use Squid.

Any help would be very much appreciated!

Best,

Jessica
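The two log excerpts above carry a recognisable signature of an intercept loop: an ORIGINAL_DST entry whose peer is the proxy host's own public address, followed by a second entry for the same URL in which the client is that same address and the hierarchy is HIER_NONE, plus a Via: header naming the proxy itself. The following script is an added example, not part of the original post or of Squid; it parses native-format access.log lines and the request headers from a cache.log WARNING and flags those signatures. The address set, hostname and sample log lines are constructed placeholders modelled on the post's own output.

```python
#!/usr/bin/env python3
"""Flag Squid intercept forwarding loops in access.log / cache.log excerpts.

Added example, not from the original post. Addresses, hostnames and log
lines below are constructed placeholders modelled on the post's output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Squid native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
ACCESS_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class AccessEntry:
    ts: float
    client: str
    code: str
    status: int
    url: str
    hier: str
    peer: str


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one native-format access.log line; return None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    return AccessEntry(
        ts=float(m["ts"]), client=m["client"], code=m["code"],
        status=int(m["status"]), url=m["url"], hier=m["hier"], peer=m["peer"],
    )


def find_intercept_loops(lines: Iterable[str], own_addrs: Set[str]) -> List[Tuple[float, str, str]]:
    """Return (timestamp, url, address) for requests Squid handed back to itself.

    own_addrs is the set of addresses the proxy host answers on (an assumption
    supplied by the operator). Two signatures are checked:
    - ORIGINAL_DST/<peer> where <peer> is one of own_addrs: the intercepted
      request was forwarded to the very host it was captured on
    - client in own_addrs with HIER_NONE: the looped request re-entering the
      intercept port and being refused
    """
    findings = []
    for line in lines:
        e = parse_access_line(line)
        if e is None:
            continue
        if e.hier == "ORIGINAL_DST" and e.peer in own_addrs:
            findings.append((e.ts, e.url, e.peer))
        elif e.client in own_addrs and e.hier == "HIER_NONE":
            findings.append((e.ts, e.url, e.client))
    return findings


def via_mentions_self(raw_headers: str, own_names: Set[str]) -> bool:
    """True if a Via: header (as printed in the cache.log WARNING) names this proxy."""
    for line in raw_headers.splitlines():
        if line.lower().startswith("via:"):
            # Via: 1.1 hostA (squid/x), 1.1 hostB (squid/y)
            for hop in line.split(":", 1)[1].split(","):
                parts = hop.split()
                if len(parts) >= 2 and parts[1] in own_names:
                    return True
    return False


# Constructed sample data modelled on the post: 5.6.7.8 stands for the proxy
# host's external address, 1.2.3.4 for the browser, 192.168.1.101 for the VM.
SAMPLE_ACCESS = [
    "1466592527.367      0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html",
    "1466592527.367      0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html",
    "1466592530.100     12 1.2.3.4 TCP_MISS/200 1200 GET http://myhost.mydomain.com/ - HIER_DIRECT/192.168.1.101 text/html",
]
SAMPLE_HEADERS = (
    "GET /favicon.ico HTTP/1.1\n"
    "Host: myhost.mydomain.com\n"
    "Via: 1.1 myhost (squid/3.4.8)\n"
    "X-Forwarded-For: 1.2.3.4\n"
)

if __name__ == "__main__":
    for ts, url, addr in find_intercept_loops(SAMPLE_ACCESS, {"5.6.7.8"}):
        print(f"loop suspect at {ts}: {url} via own address {addr}")
    print("Via header names this proxy:", via_mentions_self(SAMPLE_HEADERS, {"myhost"}))
```

Run against a real log, feed `open("/var/log/squid3/access.log")` to `find_intercept_loops` with the host's own addresses; the healthy third sample line (forwarded directly to the VM address) produces no finding, so the script can also confirm that a configuration change has cleared the loop.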

