Squid forwarding loop

Squid forwarding loop
« on: 02. 06. 2021, 10:53:22 »
Hi,

while working on something I ran into an issue that I haven't managed to google an answer to yet.

Code:
access.log
1622623123.458    481 client_ip TCP_MISS/000 0 HEAD http://proxy_ip:3128/ - DIRECT/proxy_ip -
1622623123.459    481 proxy_ip TCP_MISS/000 0 HEAD http://proxy_ip:3128/ - DIRECT/proxy_ip -
1622623123.459    481 proxy_ip TCP_MISS/000 0 HEAD http://proxy_ip:3128/ - DIRECT/proxy_ip -
1622623123.459    481 proxy_ip TCP_MISS/000 0 HEAD http://proxy_ip:3128/ - DIRECT/proxy_ip -
1622623123.459    481 proxy_ip TCP_MISS/000 0 HEAD http://proxy_ip:3128/ - DIRECT/proxy_ip -
1622623123.460    480 proxy_ip TCP_MISS/000 0 HEAD http://proxy_ip:3128/ - DIRECT/proxy_ip -
...

cache.log
2021/06/02 10:38:43| IpIntercept.cc(137) NetfilterInterception:  NF getsockopt(SO_ORIGINAL_DST) failed on FD 297: (92) Protocol not available
2021/06/02 10:38:43| WARNING: Forwarding loop detected for:
HEAD / HTTP/1.1
Via: 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.20), 1.1 proxy_ip (squid/3.1.
...
X-Forwarded-For: client_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip, proxy_ip,...

I already have new versions of the proxy prepared, but it will take a while before they go into production. Nobody is reporting a problem, so I have nothing to go on. Does anyone have an idea what could be causing this? The clients use automatic proxy configuration via wpad.

Thanks
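
Added example, not part of the original post: with no user reports to go on, the access.log itself can show which client entered the loop, because the first line of each burst has a real client address while every later hop has the proxy as its own client. The addresses, the hostname proxy.example.net and the function names below are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout. 192.0.2.10 and
# proxy.example.net stand in for the proxy, 198.51.100.x for clients.
SAMPLE_LOG = """\
1622623123.458    481 198.51.100.23 TCP_MISS/000 0 HEAD http://192.0.2.10:3128/ - DIRECT/192.0.2.10 -
1622623123.459    481 192.0.2.10 TCP_MISS/000 0 HEAD http://192.0.2.10:3128/ - DIRECT/192.0.2.10 -
1622623123.459    481 192.0.2.10 TCP_MISS/000 0 HEAD http://192.0.2.10:3128/ - DIRECT/192.0.2.10 -
1622623123.460    480 192.0.2.10 TCP_MISS/000 0 HEAD http://192.0.2.10:3128/ - DIRECT/192.0.2.10 -
1622623124.100     12 198.51.100.77 TCP_MISS/200 0 CONNECT proxy.example.net:3128 - DIRECT/192.0.2.10 -
1622623124.200     35 198.51.100.23 TCP_MISS/200 1520 GET http://www.example.org/ - DIRECT/203.0.113.5 text/html
"""

def target_of(method, url):
    """Return (host, port) of the logged request target, or (None, None)."""
    # CONNECT is logged as "host:port", other methods as an absolute URL.
    try:
        parts = urlsplit("//" + url if method == "CONNECT" else url)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return None, None

def find_loop_origins(log_text, proxy_names, proxy_port=3128):
    """Count requests aimed at the proxy's own listener, split by who sent them."""
    origins, hops = Counter(), 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or non-native line
        client, method, url = fields[2], fields[5], fields[6]
        host, port = target_of(method, url)
        if host not in proxy_names or port != proxy_port:
            continue  # ordinary request to some other destination
        if client in proxy_names:
            hops += 1  # the proxy fetching from itself: one turn of the loop
        else:
            origins[(client, method)] += 1  # the request that entered the loop
    return origins, hops

if __name__ == "__main__":
    origins, hops = find_loop_origins(SAMPLE_LOG, {"192.0.2.10", "proxy.example.net"})
    for (client, method), n in origins.most_common():
        print(f"{client} sent {n} {method} request(s) to the proxy's own port")
    print(f"{hops} loop hop(s) logged with the proxy as client")
```

The clients it reports are the machines whose proxy settings or WPAD result are worth inspecting.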


McFly

Re:Squid forwarding loop
« Reply #1 on: 02. 06. 2021, 11:13:34 »
Wouldn't this help?

Code:
acl squidport port 3128
acl squidtarget dstdomain proxy.firma.cz
acl squidip dst 10.0.0.2

# prevent dos loop
http_access deny CONNECT squidip squidport
http_access deny CONNECT squidtarget squidport

Re:Squid forwarding loop
« Reply #2 on: 02. 06. 2021, 13:29:20 »
Only if I take CONNECT out of the acl, and I have that rule as the first acl. Otherwise it apparently has something to do with stateful/stateless, see https://stackoverflow.com/questions/56575936/how-http-proxy-should-handle-head-requests .

It would be enough for me to break the loop right after the first pass, but I don't yet know how to achieve that (maybe Via?) without also letting those headers out.