I am new to iptables so I tried the following.
I changed the listning port on the proxy to 3127, so that I do not need to change the DNAT on the router.
The router does a DNAT to 3128.
I then ran the following command on the Squid server, iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 3127
I now do not see the forward loop errors any more but I do get TCP_MISS/503
I can still browse vie the proxy by connecting to port 8080 so I know there is no rules blocking me.
The fact the I get results in the access.log indicates to me that the redirection is happening.
-----Original Message-----
From: Ewan Sadie
Sent: 03 April 2013 03:21 PM
To: squid-users_at_squid-cache.org
Subject: [squid-users] RE: Squid 3.3 WARNING: Forwarding loop detected for:
Hi All
Did the handling of intercept change since Squid 3.2.x?
Based on this article http://myconfigure.blogspot.com/2013/03/transparent-squid-332-on-ubuntu-1210.html, it seems that you have to do a rediect on the Squid box itself as well as on the router.
Is this the case? I do not want to over complicate the setup with an aditional firewall as well.
-----Original Message-----
From: Ewan Sadie
Sent: 02 April 2013 10:59 AM
To: squid-users_at_squid-cache.org
Subject: [squid-users] Squid 3.3 WARNING: Forwarding loop detected for:
Hi All
I am trying to get ssl-bump to work in transparent mode.
I am getting the below error in Squid 3.3.3 with normal interception even though a similar config works in 3.1.
The config works in normal proxy mode. If I define the proxy port 8080 in the browser, I get the dynamic SSL cert and all is working.
If however I define a transparent proxy (destination NAT to 3128), the intercept does not work, this is with intercept only, I am not even testing ssl-bump yet.
I also have issues with the upstream proxy in this squid version but I commented that out for now to limit the issues I have.
The custom external_acl_type works and I am able to transparently authenticate users on the intercept. You can see the username in the access.log (HTTP only)
The whole reason I am testing 3.3 is that I want to transparently intercept SSL with authentication.
NAT is done on the wifi controller for both the Squid 3.1 and 3.3 instance. Same rules for both Squid proxy servers.
ERROR CACHE.LOG:
2013/04/02 10:16:46 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: www.ibm.com
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Via: 1.1 10.3.184.29 (squid/3.3.3)
X-Forwarded-For: 10.9.3.13
Cache-Control: max-age=0
Connection: keep-alive
2013/04/02 10:16:48 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Accept: */*
Referer: http://www.ibm.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Via: 1.1 10.3.184.29 (squid/3.3.3)
X-Forwarded-For: 10.9.3.13
Cache-Control: max-age=0
Connection: keep-alive
ACCESS.LOG during error
1364892066.152 0 10.9.3.13 TCP_MISS/403 4072 GET http://www.ibm.com/ esadie HIER_DIRECT/10.3.184.29 text/html
1364892066.208 0 10.3.184.29 TCP_MISS/403 4005 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
1364892066.208 0 10.9.3.13 TCP_MISS/403 4112 GET http://www.squid-cache.org/Artwork/SN.png esadie HIER_DIRECT/10.3.184.29 text/html
CONFIG:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl 6-1 src 10.3.184.0/24
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl wifinet src 10.9.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow 6-1
external_acl_type wifi_user %SRC /etc/squid3/aruba_ldap acl whitelist dstdomain "/etc/squid3/site.whitelist.txt"
acl wifi_auth external wifi_user REQUIRED http_access allow wifi_auth http_access allow manager localhost http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all icp_access deny all htcp_access deny all
#Had to define this I had errors indicating the items were missing. As if the defaults do not apply.
acl ssl::certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED acl ssl::certNotYetValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID acl ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH acl ssl::certUntrusted ssl_error X509_V_ERR_INVALID_CA X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY X509_V_ERR_CERT_UNTRUSTED acl ssl::certSelfSigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign signUntrusted ssl::certUntrusted
##Dynamic certificate portion
## run the command "/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db" to create the cert database. Make sure the folders and file can be written to by the proxy.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB sslcrtd_children 5
visible_hostname 10.3.184.29
http_port 8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/myCA.pem key=/etc/squid/myCA.pem #http_port 8080 http_port 3128 intercept
ssl_bump server-first all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
always_direct allow all
#Upstream proxy server
#cache_peer 10.3.0.11 parent 80 0 login=*:password no-query default #acl INSIDE_IP dst 10.0.0.0/8 192.168.0.0/16 196.31.3.128/25 #always_direct allow INSIDE_IP #never_direct allow all
hierarchy_stoplist cgi-bin ?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
icp_port 3130
forwarded_for on
follow_x_forwarded_for allow localhost
coredump_dir /var/spool/squid
# MEMORY CACHE OPTIONS
cache_mem 1024 MB
#maximum_object_size_in_memory 16 KB
#memory_replacement_policy heap GDSF
# DISK CACHE OPTIONS
#cache_replacement_policy heap LFUDA
cache_dir aufs /cache 160000 64 256
#store_dir_select_algorithm least-load
#minimum_object_size 16 KB
#maximum_object_size 512 MB
#cache_swap_low 97
#cache_swap_high 99
#LOGFILE OPTIONS
access_log stdio:/var/log/squid/access.log squid
COMPILE PARAMETERS: I got these from some forum on the internet.
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --disable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --enable-underscores --enable-ssl --enable-ssl-crtd
Received on Wed Apr 03 2013 - 14:16:20 MDT
This archive was generated by hypermail 2.2.0 : Thu Apr 04 2013 - 12:00:04 MDT