[squid-users] Another "Forwarding loop detected" issue

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Nov 6 09:39:59 UTC 2019


>>>On 5/11/19 10:40 pm, Nick Howitt wrote:
>>>>I am trying to help someone who is running squid-3.5.20-12 on a
>>>>standalone server with the dansguardian content filter and suddenly
>>>>recently has been getting a lot of messages like:
>>>>
>>>>    2019/10/31 13:48:14 kid1| WARNING: Forwarding loop detected for:
>>>>    HEAD / HTTP/1.0
>>>>    Via: 1.0 HSFilterHyperos7.haftr.local (squid/3.5.20)
>>>>    Cache-Control: max-age=259200
>>>>    Connection: keep-alive
>>>>    X-Forwarded-For: 10.10.1.2
>>>>    Host: 10.10.1.2:8080
>>>>
>>>>
>>>>The access log looks something like:
>>>>
>>>>    1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>    http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>    1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>    http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>    1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD
>>>>    http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
>>>>
>>>>(but these are for different transactions - they are all the same apart
>>>>from the timestamps)


>>On 05/11/2019 10:44, Amos Jeffries wrote:
>>>That is what a forwarding loop looks like in the access.log.

>>>>The content filter listens on port 8080 and squid on 3128. The machine
>>>>is on 10.10.1.2

On 05.11.19 12:57, Nick Howitt wrote:
>At the moment the wpad file is not pointing to the proxy server so no 
>machines should be using it. I have tried a:
>
>   tcpdump -vvvnnn -A -i eth0 port 8080 -s 1500
>
>
>This gives me bursts of:
>
>   07:50:47.569305 IP (tos 0x0, ttl 128, id 56718, offset 0, flags
>   [DF], proto TCP (6), length 52)
>        10.10.11.215.64857 > 10.10.1.2.8080: Flags [S], cksum 0x389b

>From what I've researched so far there are no http headers in these 
>packets. The proxy is 10.10.1.2. Does this mean 10.10.11.215 could be 
>the offending machine if no other machines should be using the proxy? 
>Or do I need to do something cleverer with my tcpdump?

I don't think so.

What does your schema look like?
How does your content filter work?

The logs above show that someone from local machines (content-filter) is
using squid to access local machine port 8080, which should be your content
filter.

That looks much like a loop, connections from squid or content filter that
are going back to content filter via squid.



-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Chernobyl was a Windows 95 beta test site.
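
The pattern pointed out in the reply above (client, URL host and HIER_DIRECT peer all being the proxy's own address) can be checked mechanically. This is an added example, not part of the original thread; it assumes Squid's native access.log format, an operator-supplied set of the proxy host's addresses, and the function names `parse_line` and `find_self_loops` are hypothetical.

```python
from collections import Counter
from urllib.parse import urlsplit

# Three entries from the post (each re-joined onto one line) plus one
# constructed non-looping entry for contrast.
SAMPLE_LOG = """\
1572545946.383 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.477 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545946.493 120000 10.10.1.2 TCP_MISS_ABORTED/000 0 HEAD http://10.10.1.2:8080/ - HIER_DIRECT/10.10.1.2 -
1572545950.101 85 10.10.11.30 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Split one native-format access.log line into the fields used below."""
    fields = line.split()
    if len(fields) < 10:
        return None  # truncated or non-native line
    hier, _, peer = fields[8].partition("/")
    return {"client": fields[2], "result": fields[3], "method": fields[5],
            "url": fields[6], "hier": hier, "peer": peer}


def find_self_loops(log_text, proxy_addrs):
    """Count requests that originate on the proxy host and are sent back to it.

    proxy_addrs: set of IP addresses owned by the proxy machine (assumption:
    supplied by the operator, e.g. {"10.10.1.2"} for the host in the post).
    """
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        target = urlsplit(entry["url"])
        if (entry["client"] in proxy_addrs
                and entry["peer"] in proxy_addrs
                and target.hostname in proxy_addrs):
            hits[(entry["method"], target.hostname, target.port)] += 1
    return hits


if __name__ == "__main__":
    for (method, host, port), count in find_self_loops(SAMPLE_LOG, {"10.10.1.2"}).items():
        print(f"{count} x {method} from proxy host back to {host}:{port}")
```

A non-empty result names the local port the requests are being sent back to, which is the listener to inspect on the proxy host (here 8080, the content filter).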

