[squid-users] Can cache_peer be localhost?

Amos Jeffries squid3 at treenet.co.nz
Sat Feb 17 10:17:01 UTC 2018 

On 17/02/18 15:05, Peng Yu wrote:
> Hi, I have the following configuration. When I access port 3129 and it
> is localhost's turn in the round-robin, then the access will fail. Is
> there a way to make it work?
> 
> $ grep -v '^#' squid.conf|grep -v '^$'
...
> http_port 3128

This port receives localhost:3128 traffic.

> http_port 3129
> acl port_3129_acl myportname 3129
> cache_peer server1 parent 3128 0 round-robin no-query name=server1_3128
> cache_peer_access server1_3128 allow port_3129_acl
> cache_peer localhost parent 3128 0 round-robin no-query name=localhost_3128
> cache_peer_access localhost_3128 allow port_3129_acl

Now you have an infinite forwarding loop.

 client -> Squid (3129) -> Squid (3128) -> Squid (3128) ... repeat forever.

 Of that second 50%:  50% will go to serer1 and 50% loops back, repeat
to infinity.
 So in total 50% + 25% + 12.5% + ... of traffic goes to server1.

Can you see why this type of config is harmful?


...
> forwarded_for delete

... and you are deleting the X-Forwarded-For header whose purpose is in
part to show you how these loops are happening.


To answer your question it is not possible to work the way you seem to
expect, and that can be proven mathematically

Since you have two peers and round-robin each time a loop happens 50% of
traffic goes to server1, 50% loops back into this Squid.

In other words:
 50% of traffic goes to server1 on ts first time through.
 50% of traffic loops back through localhost to this Squid.

 25% of traffic goes to server1 on its second loop.
 ...

 12.5% of traffic goes to server1 on its third loop.
 ...

 and so on until 99.99999...% of traffic is going to server1, with
increasingly small amounts of traffic taking looping just one more time.

Each loop consumes 2 TCP ports and ~256KB of RAM. So if anything were
done to permit the looping to happen at some point very early the
machine would completely run out of either TCP sockets or RAM.

Those are both shared resources possibly needed by other software on the
machine. If either is consumed completely by Squid looping the OS
encounters horrible problems, up to and including the kernel crashing.


Luckily you are leaving the Via header in place which Squid uses to
block looping traffic before it causes serious damage to the machine.


Amos

More information about the squid-users mailing list