[squid-users] Forward loop when intercepting mode to proxy traffic to local VM

jblank at twu.net jblank at twu.net
Wed Jun 22 11:15:12 UTC 2016


Slight correction on the Subject (my bad); I meant "when using intercept 
mode", not "when intercepting mode".

On Wed, 22 Jun 2016, jblank at twu.net wrote:

> Hey all,
>
> Thanks to a bizarre client requirement (don't ask, it's head-hurty), I am 
> required to maintain a legacy server which only supports obsolete SHA-1 
> encryption. To keep things relatively safe, I'm attempting to contain the 
> problem within a VM and use Squid on the VM's host to "re-encrypt" 
> incoming traffic.
>
> That is:
> Outside world talks SHA2 to Squid; Squid internally talks SHA1 to the VM; 
> Squid gets the response from the VM and passes it along (re-encrypting it 
> to SHA2).
>
> At least, that's the idea. But forget about SSL/encryption for the moment; 
> I can't even get this concept working with plain old unencrypted HTTP.
>
> The VM is running locally, and accessible via host-only networking on 
> 192.168.1.101. I set up a local /etc/hosts alternative JUST for 
> Squid's use, which tells Squid that "myhost.mydomain.com" is actually 
> 192.168.1.101. Yet Squid seems to be ignoring this. Incoming requests for 
> http://myhost.mydomain.com/ throw a standard Squid "Access Denied." 
> page. cache.log reveals the presence of a forward loop:
>
> -------
> 2016/06/22 06:48:47 kid1| WARNING: Forwarding loop detected for:
> GET /favicon.ico HTTP/1.1
> Host: myhost.mydomain.com
> Pragma: no-cache
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) 
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
> Accept: */*
> Referer: http://myhost.mydomain.com/
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8
> Via: 1.1 myhost (squid/3.4.8)
> X-Forwarded-For: 1.2.3.4
> Cache-Control: no-cache
> Connection: keep-alive
>
>
> 2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
> 2016/06/22 06:48:47 kid1| ERROR: No forward-proxy ports configured.
> -------
>
> access.log, meanwhile, reports:
>
> 1466592527.367      0 5.6.7.8 TCP_MISS/403 3917 GET 
> http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
> 1466592527.367      0 1.2.3.4 TCP_MISS/403 4000 GET 
> http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html
>
> (Here, "5.6.7.8" is the EXTERNAL IP address of the VM host-- i.e., the 
> actual "outside world" IP of myhost.mydomain.com, as opposed to the 
> internal-only 192.168.1.101 which it should be translated into. "1.2.3.4" 
> is the IP of my workstation running my Web browser.)
>
> Below is the ENTIRE text of my /etc/squid3/squid.conf; at one point in 
> this process, I got so frustrated that I pared it down to the absolute 
> minimum.
>
> ---
> hosts_file /etc/squid3/squid_hosts
> always_direct allow all
> cache deny all
> acl FROM_ALL src all
> acl TO_LOCAL dst 127.0.0.1
> acl TO_LOCAL dst 192.168.1.101
> http_access allow FROM_ALL
> http_access allow TO_LOCAL
> http_access deny all
> http_port 80 intercept
> ---
>
> I've been bashing my head against this problem all evening to no effect. I 
> am fairly sure I could simply solve my problem by writing a minuscule 
> proxy script in PHP, Perl or Python, and using Apache's mod_rewrite rules 
> to point all incoming Web requests through said proxy script. But I'd 
> really rather not "re-invent the wheel"; I'd really rather use Squid.
>
> Any help would be very much appreciated!
>
> Best,
>
> Jessica
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
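As an added example (not part of the original post, and not Squid's own code), the following Python script parses Squid's default "native" access.log format and flags the loop pattern visible in the log lines quoted above: a request whose chosen next hop (the `ORIGINAL_DST/…` field) is one of the proxy host's own addresses, paired with the bounced second copy that arrives with the host's own IP as client and is refused with `HIER_NONE`. The sample lines and the set of local addresses (`5.6.7.8` from the post, plus `127.0.0.1`) are constructed assumptions.

```python
"""Detect Squid forwarding loops from native-format access.log lines.

Added example, not code from the original post or from the Squid project.
Field order of the native log format: timestamp elapsed client code/status
bytes method URL user hierarchy/peer content-type.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample modelled on the lines quoted in the post (URLs unwrapped).
SAMPLE_ACCESS_LOG = """\
1466592527.367      0 5.6.7.8 TCP_MISS/403 3917 GET http://myhost.mydomain.com/favicon.ico - HIER_NONE/- text/html
1466592527.367      0 1.2.3.4 TCP_MISS/403 4000 GET http://myhost.mydomain.com/favicon.ico - ORIGINAL_DST/5.6.7.8 text/html
1466592530.001     12 1.2.3.4 TCP_MISS/200 5120 GET http://myhost.mydomain.com/index.html - ORIGINAL_DST/192.168.1.101 text/html
"""

# Addresses the proxy host itself answers on (assumption: 5.6.7.8 is the
# host's external IP as stated in the post; loopback added for completeness).
LOCAL_ADDRESSES: Set[str] = {"5.6.7.8", "127.0.0.1"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\w+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class AccessEntry:
    ts: float
    client: str
    code: str
    status: int
    method: str
    url: str
    hier: str
    peer: str


def parse_access_log(text: str) -> List[AccessEntry]:
    """Parse native-format access.log text into AccessEntry records."""
    entries: List[AccessEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised access.log line: {line!r}")
        entries.append(AccessEntry(
            ts=float(m["ts"]), client=m["client"], code=m["code"],
            status=int(m["status"]), method=m["method"], url=m["url"],
            hier=m["hier"], peer=m["peer"]))
    return entries


def find_self_forwards(entries: List[AccessEntry], local: Set[str]) -> List[AccessEntry]:
    """Entries whose next hop is the proxy host itself: the first half of a loop."""
    return [e for e in entries if e.peer in local]


def find_bounced(entries: List[AccessEntry], local: Set[str]) -> List[AccessEntry]:
    """Entries that came back from the host's own address and were refused
    without any next hop (HIER_NONE): the second half of the loop."""
    return [e for e in entries if e.client in local and e.hier == "HIER_NONE"]


def loop_report(text: str, local: Set[str]) -> Dict[str, object]:
    """Summarise loop evidence in one pass over the log text."""
    entries = parse_access_log(text)
    return {
        "total": len(entries),
        "self_forwarded_urls": sorted({e.url for e in find_self_forwards(entries, local)}),
        "bounced": len(find_bounced(entries, local)),
    }


if __name__ == "__main__":
    report = loop_report(SAMPLE_ACCESS_LOG, LOCAL_ADDRESSES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check keys on the `hierarchy/peer` field rather than on the 403 status, because the status alone is ambiguous (any ACL denial produces it) while a next hop equal to one of the proxy's own addresses is the definitive signature of a forwarding loop in an intercepting setup.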