Re: [squid-users] OpenBSD + PF + Squid: forwarding loop

From: Loïc BLOT <loic.blot_at_unix-experience.fr>
Date: Fri, 31 May 2013 06:34:17 +0200

Hello Rob,
I use OpenBSD and squid 3.3.4 in a production environment, you'll find exactly
what you need here:
http://www.unix-experience.fr/2013/create-a-powerfull-proxy-cache-with-squid-and-openbsd-2/#sthash.9SpWE1kn.dpbs
Have a nice day

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
http://www.unix-experience.fr
On Thursday, 30 May 2013 at 18:14 -0700, Rob Sheldon wrote:
> Hi,
> 
> I'm a Squid newbie. I have an OpenBSD firewall running pf with multiple 
> outbound interfaces doing some connection pooling. I'm trying to get 
> Squid/SquidGuard up and running as a transparent proxy; I've been using 
> this guide: http://www.kernel-panic.it/openbsd/proxy/proxy4.html
> 
> I've run into a problem I don't understand and it's driving me bugnuts. 
> Hoping somebody can help sort me out.
> 
> If I set "http_port 3139", do no redirects in pf, and manually 
> configure my browser to use the firewall LAN side on 3139 as a proxy, 
> everything works just fine. If I change http_port to "3139 intercept", 
> turn on rdr in pf for just my test IP address (only!), and turn off my 
> browser's proxy config, I get "access denied" errors back from Squid, 
> along with complaints about forwarding loops. There's no goofy proxy 
> peering, no other redirects in pf ... I can't for the life of me figure 
> out where the loop is happening.
> 
> Here's the pf rule I'm using to activate the redirect for my test IP:
> 
> pass in quick on $if_int proto tcp from 192.168.0.209 to any port www 
> rdr-to 192.168.0.1 port 3139
> 
> ...And here's my squid.conf, sans comments (I've stripped it down a bit 
> trying to figure this out):
> 
> acl localnet src 10.0.0.0/8
> acl localnet src 172.16.0.0/12
> acl localnet src 192.168.0.0/16
> acl localnet src fc00::/7
> acl localnet src fe80::/10
> 
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> 
> http_access allow all
> 
> http_port 3128
> http_port 3139 intercept
> 
> visible_hostname firewall.local
> 
> ...When testing, I'll toggle "intercept" on or off on the second 
> http_port config along with the rdr in pf.
> 
> What I'm seeing when running "squid -d 1 -N" is e.g.,
> 
> 2013/05/30 17:19:03| WARNING: Forwarding loop detected for:
> POST / HTTP/1.1
> Host: ocsp.verisign.com
> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 
> Firefox/10.0.12 Iceweasel/10.0.12
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Content-Length: 115
> Content-Type: application/ocsp-request
> Via: 1.1 firewall.local (squid/3.2.7)
> X-Forwarded-For: 192.168.0.209
> Cache-Control: max-age=259200
> Connection: keep-alive
> 
> The only rule I'm changing in pf between the two scenarios is the rdr 
> rule for my IP only, so I don't think the loop is happening anywhere in 
> pf. I must have something in squid.conf seriously goofed up, but I 
> haven't been able to figure it out.
> 
> Any help?
> 
> Thanks,
> 
> - R.
> 
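As an added example (not part of either message above), a small Python checker that parses "Forwarding loop detected" warnings of the shape Rob quoted and keeps only those whose Via header already names the local visible_hostname, which is the condition Squid itself uses to flag a loop; the log excerpt inside is constructed, not a real capture.

```python
from typing import Dict, List, Optional

# Constructed cache.log excerpt modelled on the warning in the post (not real data):
# the first warning's Via already names this proxy, the second names only an
# upstream peer and is therefore not a self-loop.
SAMPLE_LOG = """\
2013/05/30 17:19:03| WARNING: Forwarding loop detected for:
POST / HTTP/1.1
Host: ocsp.verisign.com
Via: 1.1 firewall.local (squid/3.2.7)
X-Forwarded-For: 192.168.0.209
Connection: keep-alive

2013/05/30 17:19:05| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: www.example.com
Via: 1.1 upstream.example (squid/3.3.4)
X-Forwarded-For: 192.168.0.209
"""

LOOP_MARK = "WARNING: Forwarding loop detected for:"


def parse_loop_warnings(log_text: str) -> List[Dict[str, str]]:
    """One dict per warning: timestamp, request line and the dumped headers (lowercased names)."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if LOOP_MARK in line:
            current = {"time": line.split("|", 1)[0].strip()}
            entries.append(current)
        elif current is None:
            continue                      # text outside a warning block
        elif not line:
            current = None                # blank line ends the dumped request
        elif "request" not in current:
            current["request"] = line     # first line after the warning is the request line
        elif ":" in line:
            name, value = line.split(":", 1)
            current[name.strip().lower()] = value.strip()
    return entries


def via_hops(via: str) -> List[str]:
    """Received-by host of each hop in a Via header ('1.1 host (comment), ...')."""
    return [f[1] for f in (p.split() for p in via.split(",")) if len(f) >= 2]


def self_loops(warnings: List[Dict[str, str]], visible_hostname: str) -> List[Dict[str, str]]:
    """Warnings whose Via already lists this proxy: the request was intercepted twice by the same Squid."""
    return [w for w in warnings if visible_hostname in via_hops(w.get("via", ""))]
```

Run it against a real cache.log and the X-Forwarded-For value tells you which client the rdr rule is catching on the second pass.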

Received on Fri May 31 2013 - 04:27:41 MDT

This archive was generated by hypermail 2.2.0 : Fri May 31 2013 - 12:00:08 MDT