On 23 January 2015 at 16:53, Amos Jeffries <squ...@treenet.co.nz> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 24/01/2015 2:47 a.m., Odhiambo Washington wrote: > > On 23 January 2015 at 16:40, Amos Jeffries <squ...@treenet.co.nz> > > wrote: > > > >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > >> > >> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote: > >>> On 23 January 2015 at 16:07, Amos Jeffries > >>> <squ...@treenet.co.nz> wrote: > >>> > >>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > >>>> > >>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote: > >>>>> > >>>>> Once more. You CANNOT have neither web-server nor other > >>>>> service with listening port 80 on the same host as > >>>>> transparent Squid proxy. This is one and only reason you > >>>>> have looping. > >>>>> > >>>> > >>>> That is not correct. It can be done, but depends on how the > >>>> firewall operates and what ruleset is used. > >>>> > >>>> One has to intercept traffic transiting the machine, but > >>>> ignore traffic destined *to* or *from* the local machines > >>>> running processes. > >>>> > >>>>> Look. On my transparent 3.4.11 (which was early 2.7) > >>>>> IPFilter redirects 80 port to proxy. My web server on the > >>>>> same host listens only 8080, 8088 and 8888 ports. No one > >>>>> service except NAT is using 80 port. > >>>>> > >>>>> And finally I have no looping 4 years. > >>>>> > >>>>> Obvious, is it? > >>>>> > >>>> > >>>> Maybe there was, maybe there wasn't. > >>>> > >>>> Squid-2.7 ignored a lot of NAT related errors and even > >>>> silently did some Very Bad Things(tm) - none of which > >>>> Squid-3.2+ will allow to happen anymore. > >>>> > >>>> > >>>> Odhiambo: I suspect it might be related to your use of "rdr" > >>>> firewall rules. In OpenBSD PF at least rdr rules do not work > >>>> properly and divert-to rules needs to be used instead > >>>> (divert-to can be used for either TPROXY or NAT Squid > >>>> listening ports on BSD). > >>>> > >>> > >>> > >>> I am thinking Squid-3.2+ is evil :-) > >>> > >>> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And > >>> my IPFilter rules are here: http://pastebin.com/JQ77X01H > >>> > >>> I need to figure out why squid is DENYing all access .. > >>> > >> > >> Can you update me on what the squid -v output is from the Squid > >> build you are having issues with pleae? > >> > >> Amos > >> > > > > root@mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache: > > Version 3.5.1-20150120-r13736 Service Name: squid configure > > options: '--prefix=/opt/squid35' '--enable-removal-policies=lru > > heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB > > NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session > > unix_group file_userip' '--enable-auth-negotiate=kerberos' > > '--with-pthreads' '--enable-storeio=ufs diskd rock aufs' > > '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr' > > '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2' > > '--enable-follow-x-forwarded-for' '--with-large-files' > > '--enable-large-cache-files' '--enable-esi' '--enable-kqueue' > > '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl' > > '--enable-leakfinder' '--enable-ssl-crtd' > > '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics' > > '--enable-stacktraces' '--enable-zph-qos' '--enable-eui' > > '--enable-pf-transparent' 'CC=clang' 'CXX=clang++' > > --enable-ltdl-convenience > > > > Okay. Can you explicitly add --disable-ipf-transparent > - --disable-ipfw-transparent and see if that helps. > > Also in squid.conf adding debugs_options ALL,1 89,9 will show just > the NAT lookup results where things are going wrong. > So, before I recompile, we can look at the debug output: 2015/01/23 17:07:45| storeLateRelease: released 0 objects 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632 2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flag s=33 2015/01/23 17:07:49.179| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.254:39850 2015/01/23 17:07:49.179| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.254:39850 FD 18 flag s=33 2015/01/23 17:07:49.179| WARNING: Forwarding loop detected for: GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Ho se6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1 Accept: */* Accept-Encoding: identity If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT Range: bytes=3436183-3841157 User-Agent: Microsoft BITS/7.5 Host: cache.pack.google.com Via: 1.1 aardvark (squid) X-Forwarded-For: 192.168.2.115 Cache-Control: max-age=259200 Connection: keep-alive 2015/01/23 17:07:49.260| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58634 2015/01/23 17:07:49.260| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58634 FD 14 flag s=33 2015/01/23 17:07:49.260| WARNING: Forwarding loop detected for: GET /crx/blobs/QwAAAHF3InbmK-wFIemaY3I3BCPg-PjQGwE5gQ9QUn12pYvFn6PDmZgXxNF7VvigznwvJ8WaXIAcdCCqy0GvWdiTCOtn1gMu-J79t3vAXEydkC0WAMZSmuVMGd3ZQxF_Ho se6F8g4c8bJYmPZA/extension_1_4_6_758.crx HTTP/1.1 Accept: */* Accept-Encoding: identity If-Unmodified-Since: Sun, 01 Apr 2007 07:00:00 GMT Range: bytes=3436183-3841157 User-Agent: Microsoft BITS/7.5 Host: cache.pack.google.com Via: 1.1 aardvark (squid) X-Forwarded-For: 192.168.2.115 Cache-Control: max-age=259200 Connection: keep-alive 2015/01/23 17:07:49.350| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58636 2015/ So there must be a way to deal with this loop in PF -- Best regards, Odhiambo WASHINGTON, Nairobi,KE +254733744121/+254722743223 "I can't hear you -- I'm using the scrambler."
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
