Squid Forwarding loop detected
2014-12-03 by dongnan
Environment
# Operating system
head -n1 /etc/issue
CentOS release 6.3 (Final)
# Software version
rpm -qa | grep squid
squid-3.1.10-29.el6.x86_64
Squid is used together with iptables as a forward (transparent) proxy.
LAN clients reach the external Internet through the GateWay, which performs NAT.
Client -> GateWay(Squid) -> Internet
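Problem
The squid forward proxy itself works normally, but when the squid port is accessed directly from a browser, the request loops several times and then the following error is shown: The requested URL could not be retrieved
Squid log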
tail /var/log/squid/cache.log
2014/12/03 15:18:25| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1^M
Host: 172.27.244.73:8000^M
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0^M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8^M
Accept-Language: en-US,en;q=0.5^M
Accept-Encoding: gzip, deflate^M
... (omitted)
Squid configuration file (excerpt)
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
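Solution
The log shows that the request entered a loop when accessing squid. This is because, in the default squid.conf, the networks defined as trusted include my IP address 172.27.x.x, which caused squid to misbehave.
Depending on the actual environment, comment out the network addresses that are not needed and allow only the GateWay to access squid, for example: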
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl localnet src 172.27.244.37/32
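An added example, not part of the original post: a small Python check that lists which active `acl localnet src` entries of a squid.conf cover a given address, run against the default and the corrected excerpts. The function names are hypothetical, and the embedded configuration text is constructed from the excerpts on this page.

```python
import ipaddress

# Constructed sample input: the squid.conf excerpts shown on this page.
DEFAULT_CONF = """\
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
"""
FIXED_CONF = """\
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 172.27.244.37/32
"""

def src_acl_networks(conf_text, acl_name="localnet"):
    """Return the networks of every active `acl <name> src ...` line."""
    nets = []
    for line in conf_text.splitlines():
        # Drop everything after '#', so commented-out ACL lines become empty.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[:3] != ["acl", acl_name, "src"]:
            continue
        for value in fields[3:]:
            try:
                nets.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                pass  # address ranges and file includes are out of scope here
    return nets

def matching_networks(conf_text, address, acl_name="localnet"):
    """Return the ACL networks (as strings) that contain `address`."""
    addr = ipaddress.ip_address(address)
    return [str(n) for n in src_acl_networks(conf_text, acl_name)
            if n.version == addr.version and addr in n]

if __name__ == "__main__":
    # 172.27.244.73 is the Host seen in the log, 172.27.244.37 the fixed ACL entry.
    for label, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        for ip in ("172.27.244.73", "172.27.244.37"):
            print(label, ip, matching_networks(conf, ip) or "not trusted")
```
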
Verification
Reload
squid -k parse
/etc/init.d/squid reload
Access the squid port again.