Re: [squid-users] Fwd: New to FreeBSD, Squid experiencing request loops

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 25 Aug 2014 13:51:03 +1200

On 25/08/2014 12:37 p.m., orientalsniper wrote:
> Hello all, I'm having the same problem as this guy:
>
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-transparent-proxy-with-one-nic-access-denied-problem-td4664881.html
>
> When I try to access a website I get an Access Denied by Squid message
> and in the access.log I see I'm getting a forwarding loop error.
>
> But we have a different network setup and he's using Ubuntu. I'm running Squid 3.4
>
> I'm running 2 VMs: 1 for pfSense and the other for FreeBSD (nginx + squid)
>
> I have the following network:
> WAN1 + WAN2 in pfSense
> 10.0.0.1/24 (LAN1 in pfSense)
> 10.1.0.1/24 (LAN2 in pfSense)
> 10.2.0.1/24 (LAN3 in pfSense) ----> (connecting to nginx+squid[10.2.0.2] VM)
>

What is nginx in the mix for?
 and what is pfSense doing?
 where are the NATs happening? **

** you must have at least three layers of NAT for that described setup
to work:
  clients-->10.2.0.2 (for delivery to nginx)
  10.2.0.2:80 -> 10.2.0.2:3128 (nginx outgoing MITM capture to Squid)
  127.0.0.1 -> 10.2.0.2
  10.2.0.2 -> Internet

> My squid.conf:

(elided the comments for you so we can read it more easily.)

>
> acl whatismyip dstdomain whatismyip.cc
> http_access allow whatismyip
>
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl WORK-PC srcdomain 10.1.0.3

10.1.0.3 is not a domain name. It is an IP address. Use src ACL type.

>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
>
> http_access allow localnet
> http_access allow localhost
>
> http_port 10.2.0.2:3128 intercept
>
> cache_dir ufs /var/squid/cache/squid 100 16 256
> coredump_dir /var/squid/cache/squid
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_effective_user squid
> cache_effective_group squid
> check_hostnames off
> unique_hostname squidcache
> dns_nameservers 8.8.8.8
> tcp_outgoing_address 127.0.0.1
>

127.0.0.1 is not a globally routable IP address. Nor can it be NAT'ed to
one. Outgoing traffic from Squid to any other host is guaranteed to fail
delivery.

Amos
Received on Mon Aug 25 2014 - 01:51:26 MDT
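The two configuration mistakes called out in the reply (an IP literal handed to a domain-type ACL, and a loopback tcp_outgoing_address) are easy to catch mechanically before Squid is restarted. The following Python linter is an added example for this thread, not code from Squid or from either poster; it assumes only the squid.conf syntax visible above and checks nothing beyond the two points Amos raised. The sample configuration embedded in it is constructed from the relevant lines of the quoted squid.conf.

```python
import ipaddress

# Constructed sample: the relevant lines of the squid.conf quoted in the thread.
SAMPLE_CONF = """\
acl whatismyip dstdomain whatismyip.cc
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl CONNECT method CONNECT
acl WORK-PC srcdomain 10.1.0.3
http_access deny !Safe_ports
http_port 10.2.0.2:3128 intercept
dns_nameservers 8.8.8.8
tcp_outgoing_address 127.0.0.1
"""

# ACL types that expect DNS names; an IP literal given to one of these is a
# type mismatch and should use the corresponding src/dst address ACL instead.
DOMAIN_ACL_TYPES = {"srcdomain", "dstdomain"}


def _strip_comment(line):
    """squid.conf treats everything after '#' as a comment."""
    return line.split("#", 1)[0].strip()


def _is_ip_literal(token):
    """True if token parses as an IPv4/IPv6 address or CIDR block."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def lint_squid_conf(text):
    """Return a list of (line_number, message) findings for the two pitfalls
    discussed in the thread: IP literals in domain ACLs, and a loopback
    tcp_outgoing_address (non-routable, cannot be NATed, upstream delivery fails)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        directive = parts[0]

        if directive == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            if acl_type in DOMAIN_ACL_TYPES:
                bad = [v for v in values if _is_ip_literal(v)]
                if bad:
                    fix = "src" if acl_type.startswith("src") else "dst"
                    findings.append((lineno, f"acl {name}: {acl_type} given IP literal(s) "
                                             f"{bad}; use the {fix} ACL type"))

        elif directive == "tcp_outgoing_address" and len(parts) >= 2:
            addr = parts[1]
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # a hostname or something unparseable; out of scope here
            if ip.is_loopback:
                findings.append((lineno, f"tcp_outgoing_address {addr} is loopback; "
                                         f"upstream delivery will fail"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_squid_conf(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```

Run against the sample it reports the srcdomain line and the tcp_outgoing_address line, which are exactly the two lines the reply objects to; swapping them for `acl WORK-PC src 10.1.0.3` and an outgoing address on the 10.2.0.2 interface produces no findings.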