On Tue, Feb 18, 2014 at 10:30 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 18/02/2014 1:16 p.m., Nikolai Gorchilov wrote:
>> Hi Spyros,
>>
>> Seems you're experiencing request loops, that are unrelated to your ACLs
>>
>> Looking at the logs, we can clearly see pairs of requests for same
>> url. Like this:
>> 1392590890.301 0 192.168.1.20 TCP_MISS/403 4158 GET
>> http://www.tvxs.gr/ - HIER_NONE/- text/html
>> 1392590890.302 1 192.168.1.1 TCP_MISS/403 4263 GET
>> http://www.tvxs.gr/ - HIER_DIRECT/192.168.1.20 text/html
>>
>> As the logging happens at the end of transaction, records are ordered
>> by finish time, not start. They actually started in reverse order:
>> 1. First came the request from 192.168.1.1 for http://www.tvxs.gr/.
>> 2. As it was considered a MISS, your Squid decided to go directly to
>> the destination server (thus hierarchy code HIER_DIRECT)
>> 3. PROBLEM! PROBLEM! Surprisingly, Squid resolves www.tvxs.gr as
>> 192.168.1.20 and fires the request towards this IP!
>
> Sadly, NOT surprising:
>
> A) kernel NAT records on the Squid box indicate that no NAT alterations
> to the TCP packet took place there.
>
> B) TCP packet indicates that destination server is 192.168.1.20.
>
> ==> forward DIRECTly to original destination server (192.168.1.20).
If Squid is running in intercept mode, I don't see a reason it cares
about dst ip. IMHO it has to resolve the host name and forward the
request there.
>> 4. Boom! This is how the same request arrives again, this time from
>> source IP 192.168.1.20 (Squid itself). We have a loop!
>> 5. Squid detects the loop (something like "WARNING: Forwarding loop
>> detected" in cache.log) and generates internal error response like
>> HTTP/403 Forbidden, using ERR_ACCESS_DENIED or alike. Thus hierarchy
>> code is HIER_NONE.
>
>
> "SECURITY ALERT: Host header forgery detected" should also be showing up
> on the initial request processing. Since Squid validates whether
> (192.168.1.20 == www.tvxs.gr) => FAIL.
Isn't this message only available when running TPROXY?
> http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
>
>
> Although something strange is still going on. Squid should be logging
> the hierarchy details as ORIGINAL_DST instead of DIRECT.
>
>
>> 6. The error returns in the first instance of this request after 1ms,
>> and Squid returns it to the original caller (TCP_MISS/403).
>>
>> I don't have clear idea what is the root cause of the loop, but I'd do:
>
> NAT interception occuring on the OpenWRT makes critical IP address
> details unavailable to Squid.
>
> The proper way is to use policy routing on the OpenWRT and only do the
> interception on the Squid box.
>
> OpenWRT config:
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
>
>
> Squid box config:
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxDnat
> OR
> http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
>
> HTH
> Amos
>
Received on Tue Feb 18 2014 - 10:33:52 MST
This archive was generated by hypermail 2.2.0 : Tue Feb 18 2014 - 12:00:06 MST