Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Squid3 looping issue

    pfSense Packages
    1
    1
    509
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      dgcom last edited by

      Hi!

      I am running pfSense 2.1 with Squid 3.1.20 pkg 2.0.6 (latest, I think) and some other packages for some time already and Squid was working fine… until I hit an issue today.

      My Squid is configured for transparent mode and is listening on port 8080, otherwise it is pretty standard, default configuration.

      I was visiting VMWare document archive today and my browser timed out at one point and some users complained about internet access.

      I started looking for proxy logs - nothing really in access log, but I found cache.log (which is not exposed in pfSense UI for some reason) and this is what was there:

      2014/03/26 16:51:14| Warning: likely forwarding loop with http://localhost:8080/help/topic/com.vmware.ICbase/images/vmware_favicon.ico

      And squid process blowout all available memory and lots of CPU. The particular URI does not really matter, any request to http://localhost: <squid_port>should cause this looping.

      Since I disabled VIA header, squid was not logging the requests, but even without that it was clear that looping is because squid is trying to forward the request through itself again - just because request matched local squid endpoint…

      I was able to solve it by adding localhost to ACL Blacklist, but is there nicer workaround?

      With PAC files and usual browser config this is usually avoided, since localhost requests won't be forwarded to the proxy, but possibility exist to make such requests and bring your proxy down with single request - DoOS by internal user.

      Some workaround should probably be included in the package by default.</squid_port>

      DG

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy