Netgate Discussion Forum

    Squid3 looping issue

      dgcom

      Hi!

      I am running pfSense 2.1 with Squid 3.1.20 pkg 2.0.6 (latest, I think) and some other packages for some time already and Squid was working fine… until I hit an issue today.

      My Squid is configured for transparent mode and is listening on port 8080, otherwise it is pretty standard, default configuration.

      I was visiting the VMware document archive today and my browser timed out at one point, and some users complained about internet access.

      I started looking for proxy logs - nothing really in access log, but I found cache.log (which is not exposed in pfSense UI for some reason) and this is what was there:

      2014/03/26 16:51:14| Warning: likely forwarding loop with http://localhost:8080/help/topic/com.vmware.ICbase/images/vmware_favicon.ico
      

      And the squid process blew out all available memory and lots of CPU. The particular URI does not really matter, any request to http://localhost:<squid_port> should cause this looping.

      Since I disabled the Via header, squid was not logging the requests, but even without that it was clear that the looping is because squid is trying to forward the request through itself again - just because the request matched the local squid endpoint…

      I was able to solve it by adding localhost to the ACL Blacklist, but is there a nicer workaround?

      With PAC files and the usual browser config this is usually avoided, since localhost requests won't be forwarded to the proxy, but the possibility exists to make such requests and bring your proxy down with a single request - DoS by an internal user.

      Some workaround should probably be included in the package by default.

      DG
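
Added example, not part of the original post: a Python sketch that scans cache.log for the warning format quoted above and counts the entries whose target is the proxy's own listener, so the condition can be alerted on. The function names, the `proxy_hosts` parameter and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the cache.log warning format quoted in the post.
LOOP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"Warning: likely forwarding loop with (?P<url>\S+)"
)

# First line is the one from the post; the rest are constructed samples.
SAMPLE_LOG = """\
2014/03/26 16:51:14| Warning: likely forwarding loop with http://localhost:8080/help/topic/com.vmware.ICbase/images/vmware_favicon.ico
2014/03/26 16:51:14| Warning: likely forwarding loop with http://127.0.0.1:8080/
2014/03/26 16:51:15| Warning: likely forwarding loop with http://[::1]:8080/x
2014/03/26 16:51:20| Warning: likely forwarding loop with http://www.example.com/index.html
2014/03/26 16:52:01| some unrelated cache.log message
""".splitlines()

def is_loopback(host):
    """True for 'localhost' names and loopback IP literals (no DNS lookups)."""
    host = host.rstrip(".").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal

def find_self_loops(lines, proxy_port=8080, proxy_hosts=()):
    """Count loop warnings aimed at the proxy's own host and port.

    proxy_hosts (hypothetical parameter): extra names or IPs of the proxy box.
    """
    own = {h.lower() for h in proxy_hosts}
    hits = Counter()
    for line in lines:
        m = LOOP_RE.match(line.strip())
        if not m:
            continue
        try:
            parts = urlsplit(m.group("url"))
            port = parts.port or (443 if parts.scheme == "https" else 80)
        except ValueError:
            continue  # malformed URL or port in the log line
        host = (parts.hostname or "").lower()
        if port == proxy_port and (is_loopback(host) or host in own):
            hits[(host, port)] += 1
    return hits
```

Loop warnings for other destinations (the `www.example.com` line) are left out of the count, since they do not point back at the proxy listener.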

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.