Date:      Mon, 26 Nov 2012 19:40:08 +0100
From:      Leslie Jensen <leslie@eskk.nu>
To:        Volodymyr Kostyrko <c.kworr@gmail.com>
Cc:        freebsd questions list <freebsd-questions@freebsd.org>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <50B3B788.6040801@eskk.nu>
In-Reply-To: <50B338B2.3090600@gmail.com>
References:  <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com>



Volodymyr Kostyrko wrote 2012-11-26 10:38:
> 24.11.2012 17:39, Leslie Jensen:
>>
>> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same
>> configuration file now gives me errors in cache.log when one tries to
>> access any site, and of course no access!
>>
>> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>>
>> Reverting back to 3.1 works.
>>
>> I know there are some changes in 3.2 that do this
>>
>> + 3.2 intercept port receiving forward-proxy requests will reject them
>> due to NAT failure/lies.
>>
>> + 3.2 Host header validation *will* reject if forward traffic is
>> validated as being intercepted.
>>
>> I would appreciate suggestions for changes to squid.conf so that squid
>> will work for me with version 3.2.
>
> When switching to 3.2 I had to split listening ports - one for
> transparency and one for the local machine. However this doesn't look
> like your case.
>
> Can you please provide relevant parts of pf.conf and full log output,
> not just the first line?
>


Just to clarify. I'm running pf and squid on the same machine.

Yes I've also split the listening ports.

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080


Output from cache.log:

2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.aftonbladet.se/
Via: 1.1 "FQDN machine name" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100
Cache-Control: max-age=259200
Connection: keep-alive



Rules from pf.conf

--------------------------------------------
# macros
ext_if="xl0"
int_if="bge0"

tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
proxyport="8021"

# tables
table <goodguys> persist
table <sshguard> persist

# options
set block-policy return     # ports are closed but can be seen
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick inet6 all
block drop out log quick inet6 all

block in log quick on $ext_if from <sshguard> label "ssh bruteforce"

# Allow traffic through SQUID
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state

pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state

# pass out
pass out log

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if
#

Thanks

/Leslie
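As an added example (not code from this thread or from the Squid project), a small Python parser for the cache.log "Forwarding loop detected" entries quoted above: it pulls out each warning's request line, the originating client from X-Forwarded-For and the Via hop chain, and flags entries whose chain already names the local proxy. The proxy host names and the sample log embedded in it are constructed.

```python
# Added example: parse Squid cache.log "Forwarding loop detected" warnings.
import re

WARN_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
                     r"WARNING: Forwarding loop detected for:$")
# One Via hop: version, pseudonym (optionally quoted), optional "(comment)".
VIA_HOP_RE = re.compile(r'^\s*\S+\s+("?)(.+?)\1\s*(?:\(.*\))?\s*$')

# Constructed sample log; proxy names and the second warning are invented.
SAMPLE_LOG = """\
2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Via: 1.1 "proxy.example.test" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100

2012/11/24 14:10:11 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Via: 1.1 gw.example.test (squid/3.1.20), 1.1 proxy.example.test (squid/3.2.3)
"""

def via_hops(via):
    matches = (VIA_HOP_RE.match(p) for p in via.split(","))
    return [m.group(2).strip() for m in matches if m]

def parse_loop_events(log_text):
    """One dict (timestamp, request line, lower-cased headers) per warning."""
    events, cur = [], None
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            cur = {"timestamp": m.group(1), "request": "", "headers": {}}
            events.append(cur)
        elif cur is None or not line.strip():
            cur = None                  # a blank line ends Squid's header dump
        elif not cur["request"]:
            cur["request"] = line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            cur["headers"][name.strip().lower()] = value.strip()
    return events

def summarize(log_text, local_name):
    """Per warning: time, first client in X-Forwarded-For, Via chain, and whether it names us."""
    out = []
    for e in parse_loop_events(log_text):
        hops = via_hops(e["headers"].get("via", ""))
        client = e["headers"].get("x-forwarded-for", "").split(",")[0].strip()
        out.append({"time": e["timestamp"], "client": client, "hops": hops,
                    "looped_here": local_name in hops})
    return out
```

Run it against a real cache.log with your own visible_hostname as local_name; a chain that names an upstream proxy before yours tells you which hop sent the request back.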



