Ricardo Nuno wrote:
> Hi all,
>
> I'm new to squid so bare with me. I just setup squid according to these instructions:
> http://www.howtoforge.com/dansguardian-with-multi-group-filtering-and-squid-with-ntlm-auth-on-debian-etch-p2
>
Oh dear.
> The setup is working but my logs are fill with these errors for every connection:
>
> 2009/02/03 17:20:15| WARNING: Forwarding loop detected for:
> Client: 127.0.0.1 http_port: 127.0.0.1:3128
> GET internal://lis.moonlight.lan/squid-internal-periodic/store_digest HTTP/1.0
> Accept: application/cache-digest
> Accept: text/html
> Via: 0.0 lis.moonlight.lan:3128 (squid/2.7.STABLE3)
> X-Forwarded-For: unknown
> Host: 127.0.0.1:8081
> Authorization: Basic Kjpub3Bhc3N3b3Jk
> Cache-Control: max-age=259200
> Connection: Close
>
> I know that these error is because of my cache_peer line iv been searching the web for the
> solution of this issue and i tried to separate the configs of the 2 squid instances but wen
> i did it the setup stop working.
See the 'include' directive which allows a section of squid.conf to be
shared between two squid, each with their own squid.conf.
>
> Does this error will hurt the performance of Squid how can i fix it without breaking the
> squi1+DG+squid2 setup?
You don't appear to have a:
Squid1->DG->Squid2 setup
you do appear to have a:
Squid1 -> Internet or DG -> Squid1 -> Internet setup.
Is there any particular reason you need to have two squid?
The current feedback config appears to be needlessly complicated for any
use I can think of right now for having two instances of squid running.
>
> regards,
> --Ricardo
>
> Squid Cache: Version 2.7.STABLE3
> DansGuardian 2.8.0.6
>
> My dansguardian.conf changes:
>
> filterip =
> filterport = 8081
> proxyip = 127.0.0.1
> proxyport = 3128
> usernameidmethodproxyauth = on
> forwardedfor = on
>
>
> Below is my squid.conf:
>
> http_port 127.0.0.1:3128 transparent
So what does your NAT table contain?
'transparent' does not fit with dansguardian being explicitly configured
to pass back to the proxy on that port.
NP: if you also follow the transparent intercept recommendations passing
stuff directly to dansguardian you end up opening a backdoor channel.
Turning your box into a two-stage open proxy with partial anonymization.
> http_port 8080
>
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> cache_mem 1024 MB
> maximum_object_size 8096 KB
>
> cache_dir ufs /cache/squid 20000 16 256
> access_log /var/log/squid/access.log squid
>
> cache_peer 127.0.0.1 parent 8081 0 no-query login=*:nopassword
You are missing "no-digest no-netdb-exchange name=uniqPeer"
And also:
acl localhost src 127.0.0.1
cache_peer_access uniqPeer deny localhost
maybe also:
acl interceptPort myport 3128
cache_peer_access uniqPeer deny interceptPort
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 15
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Proxy Server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
>
> acl NTLMUsers proxy_auth REQUIRED
> acl rede_interna src 192.168.20.0/24
> acl h_trabalho time MTWHF 08:00-18:00
> acl downloads url_regex -i .exe .mp3 .vqf .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov .iso
>
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost
> http_access allow NTLMUsers
>
> http_access deny all
> http_reply_access allow all
> icp_access allow all
>
> forwarded_for off
Turning off one of the features which detect breakage loops and request
tracing.
>
> cache_effective_user proxy
> cache_effective_group proxy
Breaking winbind privileges.
http://wiki.squid-cache.org/ConfigExamples/WindowsAuthenticationNTLM#head-b97c45f4010166071a17e433b4433cd642defc1f
... and all that crazy winbind hack in the tutorial becomes useless.
>
> coredump_dir /var/spool/squid
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13 Current Beta Squid 3.1.0.5Received on Wed Feb 04 2009 - 06:15:30 MST
This archive was generated by hypermail 2.2.0 : Wed Feb 04 2009 - 12:00:01 MST