Discussion:
[squid-users] squid transparent proxy forward loop
Juan Carvajal B.
2018-10-22 12:26:19 UTC
Dear list,

I hope you can give me some hints for my current task.

I would like to achieve the following:

1. A user comes with their own device, for example a phone or tablet.
2. The user connects to our own WLAN network.
3. The user enters the address of our website.
4. The user can only access our website, which is hosted on a server *not
connected* to the internet.

We have the following set up

Tablets / phones <---> WLAN router <---> server

Please note that there is *no* connection to the internet. The server is
connected to the "internet" port of the router.

The server runs ubuntu & apache.

I've been trying to achieve this with squid but I get a **warning of a
forwarding loop**. I do not know what I'm doing wrong.

I'm following this:
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
https://wiki.squid-cache.org/SquidFaq/ReverseProxy

Here are my conf files:

****squid.conf****

http_port 3128 intercept
http_port 192.168.0.188:80 accel defaultsite=our.domain.org
http_port 192.168.0.188:443 accel defaultsite=our.domain.org
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain our.domain.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
visible_hostname squid.proxy
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320


****apache ports.conf****

#With Squid
Listen 127.0.0.1:80

#Without Squid
#Listen 80

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>


****IPTABLES****

# your proxy IP
SQUIDIP=192.168.0.188
# your proxy listening port
SQUIDPORT=3128
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT

apache: 2.4.18
squid: 3.5.12
ubuntu: 16.04

Thank you for your help!

*Juan Carlos Carvajal*

*Join our mailing list
<http://lists.mediaarchitecture.org/?p=subscribe&id=1> (Max 1-mail / month)*
Matus UHLAR - fantomas
2018-10-22 12:54:23 UTC
Post by Juan Carvajal B.
1. A user comes with their own device, for example a phone or tablet.
2. The user connects to our own WLAN network.
3. The user enters the address of our website.
4. The user can only access our website, which is hosted on a server *not
connected* to the internet.
Well, if the user enters the address of your website, of course the user can only
access your website.
You apparently mean "the user enters the address of any site".
Post by Juan Carvajal B.
Tablets / phones <---> WLAN router <---> server
please note that there is *no* connection to internet. The server is
connected to the "internet" port of the router.
In this case it's also obvious that the user cannot access any other site...
Post by Juan Carvajal B.
I've been trying to achieve this with squid but I get a **warning of a
forwarding loop**. I do not know what I'm doing wrong.
A forwarding loop happens when squid connects to itself instead of the internet.
Post by Juan Carvajal B.
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
maybe you have redirected connections from squid proxy back to the squid
proxy?
Post by Juan Carvajal B.
https://wiki.squid-cache.org/SquidFaq/ReverseProxy
why do you follow reverse proxy configuration when you don't configure
reverse proxy?
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.
Amos Jeffries
2018-10-22 13:12:01 UTC
Post by Juan Carvajal B.
Dear list,
I hope you can give me some hints for my current task.
1. A user comes with their own device, for example a phone or tablet.
2. The user connects to our own WLAN network.
3. The user enters the address of our website.
4. The user can only access our website, which is hosted on a server *not
connected* to the internet.
We have the following set up
Tablets / phones <---> WLAN router <---> server
please note that there is *no* connection to internet. The server is
connected to the "internet" port of the router.
The server runs ubuntu & apache.
I've been trying to achieve this with squid but I get a **warning of a
forwarding loop**. I do not know what I'm doing wrong.
https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
https://wiki.squid-cache.org/SquidFaq/ReverseProxy
****squid.conf****
visible_hostname squid.proxy
I have seen other people using this "squid.proxy" as the FQDN of their
proxy. It is likely that your chosen proxy hostname is not unique.

Since this is a reverse-proxy it is best to set this to the FQDN of the
primary website you are proxying.
Post by Juan Carvajal B.
    http_port 3128 intercept
    http_port 192.168.0.188:80 accel defaultsite=our.domain.org
    http_port 192.168.0.188:443 accel defaultsite=our.domain.org
The above should be https_port and requires the TLS certificate for the
domain being virtual-hosted.

see
<https://wiki.squid-cache.org/ConfigExamples/Reverse/HttpsVirtualHosting> which
I added just yesterday.
Post by Juan Carvajal B.
    cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
    acl our_sites dstdomain our.domain.org
    http_access allow our_sites
    cache_peer_access myAccel allow our_sites
    cache_peer_access myAccel deny all
Move the above custom configuration down to ...
Post by Juan Carvajal B.
    acl SSL_ports port 443
    acl CONNECT method CONNECT
    http_access deny !Safe_ports
You do not have any definition of Safe_ports above. It should contain at
least 80 and 443 for your proxy.
Post by Juan Carvajal B.
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager
... here.


You are missing good rules for traffic arriving on the port 3128. The
below "allow all" is very bad.
Post by Juan Carvajal B.
    http_access allow localhost
    http_access allow all
That should be:

http_access deny all


...
Post by Juan Carvajal B.
****IPTABLES****
    # your proxy IP
    SQUIDIP=192.168.0.188
    # your proxy listening port
    SQUIDPORT=3128
    iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT
--to-port $SQUIDPORT
Here is your problem. You have not bypassed the traffic Squid is sending
to 127.0.0.1:80.

Traffic to/from localhost does not use global IP addresses such as
192.168.0.188. Thus Squid's attempts to send traffic to Apache are being
looped back into port 3128 by iptables.


What is the point of all this interception anyway?

Your proxy is already listening on port 80 and 443 for directly
receiving traffic to any domain with a DNS entry of 192.168.0.188.


Amos
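Added example, not code from the thread or from the Squid project: a POSIX shell script that checks a squid.conf for the three defects Amos lists (an ACL referenced in http_access but never defined, a blanket http_access allow all, and plain http_port on :443) and prints a nat ruleset that only intercepts traffic arriving on the client-facing interface, so Squid's own connections to Apache on 127.0.0.1:80 can never be redirected back into port 3128. The posted configuration is embedded as constructed sample input; the corrected configuration, the interface name wlan0 and the certificate path /etc/squid/our.domain.org.pem are assumptions.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not code from the thread
# or from the Squid project. It (1) lints a squid.conf for the three defects
# Amos flags and (2) prints a REDIRECT ruleset that cannot catch Squid's own
# connections to Apache on 127.0.0.1:80. The interface name "wlan0" and the
# certificate path are assumptions; IPs and ports are copied from the post.

# Constructed copy of the squid.conf as posted (the "before").
write_sample_conf() {
    cat >"$1" <<'EOF'
http_port 3128 intercept
http_port 192.168.0.188:80 accel defaultsite=our.domain.org
http_port 192.168.0.188:443 accel defaultsite=our.domain.org
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
acl our_sites dstdomain our.domain.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localhost
http_access allow all
EOF
}

# Corrected configuration following Amos's advice (assumed, not from the thread):
# Safe_ports defined, https_port with a certificate (assumed path), the site
# rule placed before a final "deny all", and no intercept port at all because
# clients reach :80/:443 directly once DNS points our.domain.org at the proxy.
write_fixed_conf() {
    cat >"$1" <<'EOF'
visible_hostname our.domain.org
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl our_sites dstdomain our.domain.org
http_port 192.168.0.188:80 accel defaultsite=our.domain.org
https_port 192.168.0.188:443 accel defaultsite=our.domain.org cert=/etc/squid/our.domain.org.pem
cache_peer 127.0.0.1 parent 80 0 no-query originserver name=myAccel
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow our_sites
http_access deny all
EOF
}

# lint_squid_conf FILE: one line per finding on stdout; returns 1 if any, else 0.
lint_squid_conf() {
    conf="$1"; n=0
    # ACL names used in http_access (leading "!" stripped) that no "acl NAME ..."
    # line defines. all, localhost, to_localhost and manager are built into Squid 3.x.
    for name in $(awk '$1=="http_access"{for(i=3;i<=NF;i++){a=$i;sub(/^!/,"",a);print a}}' "$conf" | sort -u); do
        case "$name" in all|localhost|to_localhost|manager) continue ;; esac
        grep -Eq "^[[:space:]]*acl[[:space:]]+$name[[:space:]]" "$conf" ||
            { echo "undefined ACL in http_access: $name"; n=$((n+1)); }
    done
    # A blanket allow turns the proxy into an open relay for anything that can reach it.
    grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' "$conf" &&
        { echo "http_access allow all: make 'http_access deny all' the last rule instead"; n=$((n+1)); }
    # An http_port on 443 speaks plain HTTP; TLS needs https_port with cert= (and key=).
    grep -Eq '^[[:space:]]*http_port[[:space:]].*:443([[:space:]]|$)' "$conf" &&
        { echo "http_port on :443: use https_port with the virtual host's certificate"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# redirect_rules LANIF SQUIDPORT: intercept only what arrives on the client-facing
# interface. Squid's own connections to 127.0.0.1:80 travel over lo, never match,
# and so cannot loop back into the intercept port. The mangle rule keeps clients
# from connecting to the intercept port directly.
redirect_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-port %s\n' "$1" "$2"
    printf 'iptables -t mangle -A PREROUTING -i %s -p tcp --dport %s -j DROP\n' "$1" "$2"
}

tmpd=$(mktemp -d)
write_sample_conf "$tmpd/posted.conf"; write_fixed_conf "$tmpd/fixed.conf"
echo "== posted squid.conf =="; lint_squid_conf "$tmpd/posted.conf" || true
echo "== corrected squid.conf =="; lint_squid_conf "$tmpd/fixed.conf" && echo "no findings"
echo "== nat rules (assumed client interface wlan0) =="; redirect_rules wlan0 3128
rm -rf "$tmpd"
```

The lint is a pre-check only; after editing the real file, `squid -k parse -f /etc/squid/squid.conf` runs Squid's own parser before a reload. Note that once DNS on the WLAN resolves our.domain.org to 192.168.0.188, the accel ports receive the traffic directly and neither the intercept port nor the REDIRECT rules are needed, which is the point Amos makes at the end.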
Juan Carvajal B.
2018-10-24 12:28:02 UTC
Thank you so much Matus,

we were indeed missing a DNS service:

Your proxy is already listening on port 80 and 443 for directly
receiving traffic to any domain with a DNS entry of 192.168.0.188.

best,

*Juan Carlos*

_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users