Squid3 looping issue
I have been running pfSense 2.1 with Squid 3.1.20 pkg 2.0.6 (latest, I think) and some other packages for some time already, and Squid was working fine… until I hit an issue today.
My Squid is configured for transparent mode and is listening on port 8080; otherwise it is a pretty standard, default configuration.
I was visiting the VMware document archive today and my browser timed out at one point, and some users complained about internet access.
I started looking for proxy logs - nothing really in the access log, but I found cache.log (which is not exposed in the pfSense UI for some reason) and this is what was there:
2014/03/26 16:51:14| Warning: likely forwarding loop with http://localhost:8080/help/topic/com.vmware.ICbase/images/vmware_favicon.ico
And the squid process blew out all available memory and used lots of CPU. The particular URI does not really matter; any request to http://localhost:<squid_port> should cause this looping.
Since I disabled the VIA header, squid was not logging the requests, but even without that it was clear that the looping is because squid is trying to forward the request through itself again - just because the request matched the local squid endpoint…
I was able to solve it by adding localhost to the ACL Blacklist, but is there a nicer workaround?
With PAC files and the usual browser config this is usually avoided, since localhost requests won't be forwarded to the proxy, but the possibility exists to make such requests and bring your proxy down with a single request - DoS by an internal user.
Some workaround should probably be included in the package by default.
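
As an added example (not part of the original post or of the pfSense package), this Python scan reads cache.log text for the loop warning quoted above and keeps only the URLs that point back at the proxy's own loopback listener. The port 8080 default, the function names, and every sample line other than the one quoted in the post are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the first two lines repeat the warning quoted in the post,
# the remaining lines are made up for illustration.
SAMPLE_LOG = """\
2014/03/26 16:51:14| Warning: likely forwarding loop with http://localhost:8080/help/topic/com.vmware.ICbase/images/vmware_favicon.ico
2014/03/26 16:51:14| Warning: likely forwarding loop with http://localhost:8080/help/topic/com.vmware.ICbase/images/vmware_favicon.ico
2014/03/26 16:51:15| Warning: likely forwarding loop with http://127.0.0.1:8080/index.html
2014/03/26 16:52:01| Warning: likely forwarding loop with http://www.example.com/page
2014/03/26 16:52:02| Starting new redirector helpers...
"""

LOOP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"Warning: likely forwarding loop with (?P<url>\S+)"
)

def targets_proxy(url, proxy_port, proxy_names=("localhost",)):
    """True if the URL points at loopback (or a listed name) on the proxy port."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port or 80
    except ValueError:  # malformed port in the logged URL
        return False
    if port != proxy_port:
        return False
    if host in proxy_names:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # host is a name, not an IP literal
        return False

def self_loops(log_text, proxy_port=8080):
    """Count loop warnings per URL, keeping only those aimed at the proxy itself."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOOP_RE.match(line)
        if m and targets_proxy(m.group("url"), proxy_port):
            hits[m.group("url")] += 1
    return hits

if __name__ == "__main__":
    for url, n in self_loops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {url}")
```

Loop warnings for external hosts are left out on purpose, so the output isolates requests addressed to the proxy's own endpoint from ordinary upstream loops.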