Re: [squid-users] Fwd: New to FreeBSD, Squid experiencing request loops

2014-08-24 Thread Amos Jeffries
On 25/08/2014 12:37 p.m., orientalsniper wrote:
 Hello all, I'm having the same problem as this guy:
 When I try to access a website I get a Access Denied by Squid message
 and in the access.log I see I'm getting a forwarding loop error.
 But we have different network setup and he's using Ubuntu. I'm running Squid 
 I'm running 2 VM's: 1 for pfSense and the other for FreeBSD (nginx + squid)
 I have the following network:
 WAN1 + WAN2 in pfSense (LAN1 in pfSense) (LAN2 in pfSense) (LAN3 in pfSense)  (connecting to nginx+squid[] VM)

What is nginx in the mix for?
 and what is pfSense doing?
 where are the NATs happening? **

** you must have at least three layers of NAT for that described setup
to work:
  clients-- (for delivery to nginx) - (nginx outgoing MITM capture to Squid) - - Internet

 My squid.conf:

(elided the comments for you so we can read it easier.)

 acl whatismyip dstdomain
 http_access allow whatismyip
 acl SSL_ports port 443
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl WORK-PC srcdomain is not a domain name. It is an IP address. Use src ACL type.

 http_access deny !Safe_ports
 http_access deny CONNECT !SSL_ports
 http_access allow localhost manager
 http_access deny manager
 http_access allow localnet
 http_access allow localhost
 http_port intercept
 cache_dir ufs /var/squid/cache/squid 100 16 256
 coredump_dir /var/squid/cache/squid
 refresh_pattern ^ftp:  1440   20%   10080
 refresh_pattern ^gopher:   1440   0%   1440
 refresh_pattern -i (/cgi-bin/|\?) 0   0%   0
 refresh_pattern .  0   20%   4320
 cache_effective_user squid
 cache_effective_group squid
 check_hostnames off
 unique_hostname squidcache
 tcp_outgoing_address is not a globally routable IP address. Nor can it be NAT'ed to
one. Outgoing traffic from Squid to any other host is guaranteed to fail


Re: [squid-users] Fwd: New to FreeBSD, Squid experiencing request loops

2014-08-24 Thread Amos Jeffries
On 25/08/2014 2:22 p.m., orientalsniper wrote:
 nginx is serving as reverse proxy listening on HTTP
 for some games patches.
 pfSense serves as firewall, captive portal and among other services.
 By NAT, I think you mean pfSense is doing it? pfSense is, and
 I have a NAT rule in pfSense to redirect all LAN2 HTTP traffic to (port 3128).

Great, that clarifies a lot.

The problem is that NAT is being done on a separate box from Squid. The
current Squid attempt to be as fully transparent as possible in
intercept/transparent mode. That includes ensuring the domain/IP the
client was contacting is actually the one Squid is using too - that is
mandatory due to CVE-2009-0801 issues.

With NAT on a separate box Squid only knows its own IP as the
destination. So on the outbound things get looped.

What you need to do to fix this is move the NAT rule changing port to
3128 onto the Squid VM. Have pfSense route port 80 traffic with
as the gateway router (policy routing) unless it came from in
the first place.

After that your proxy should be usable. But there are some additional
security issues that need resolving as well:

 1) renumber the interception port in Squid to something other than
3128. Squid needs to use 3128 for forward-proxy traffic from the
clients, manager API acces, icons, etc.

 2) update the Squid VM firewall to prevent external machines directly
accesing the intercept port you choose. It is only needed to be used by
packets between Squid and the firewall on the same machine. If any
outside machines do access it you will have looping problems and
potentially a DoS happening.

 WORK-PC ( ACL was redudant and I forgot to delete it, since
 it's part of
 Regarding tcp_outgoing_address that was one of my
 attempts to fix my issue, I've tried also.

You should not need to set outgoing IP at all. Remove that before
testing the above changes.