Re: [squid-users] forwarding loop using squidguard

From: Matteo Villari <villari@dont-contact.us>
Date: Tue, 31 May 2005 16:56:37 +0200

Matteo Villari wrote:

> Hi all.
> I'm trying to use squidguard to strip out the jsessionid field from some
> URLs. I've configured squidguard to strip the part of a URL containing
> ;jsessionid=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.tomcat1
> The problem is that when squid passes a URL containing this field to
> squidguard it generates a forwarding loop warning and shows an access
> denied error page, depending (I think) on error 111 connection refused.
> Please help me... thanks a lot, Matteo Villari
>
> This is my squid.conf file:
>
> http_port 80
> http_port 8180
> icp_port 0
> htcp_port 0
> log_ip_on_direct off
> mime_table /usr/local/squid/etc/mime.conf
> log_mime_hdrs on
> useragent_log /usr/local/squid/logs/useragent.log
> debug_options ALL,1 33,2 28,9
> log_fqdn on
> pinger_program /bin/ping
> redirect_program /usr/local/squidguard/bin/squidGuard
> redirect_rewrites_host_header off
> acl session url_regex jsessionid
> redirector_access allow session
> auth_param basic casesensitive off
> refresh_pattern . 0 20% 4320
> half_closed_clients off
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl purge method PURGE
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> http_access allow all
> http_reply_access allow all
> icp_access allow all
> cache_effective_user villari
> cache_effective_group villari
> visible_hostname Villari
> httpd_accel_host 192.168.11.224
> httpd_accel_port 8180
> httpd_accel_single_host on
> httpd_accel_with_proxy off
> httpd_accel_uses_host_header on
> cachemgr_passwd matteo info stats/object
> query_icmp on
> always_direct allow !session
> offline_mode off
> strip_query_terms off
> coredump_dir /usr/local/squid/cache
> relaxed_header_parser warn
>
> and these are entries from my log files:
>
> access.log
>
> 1117538216.703 1 192.168.11.233 TCP_DENIED/403 1482 GET
> http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml
> - NONE/- text/html [User-Agent: Opera/7.54 (Windows NT 5.1; U)
> %5bit%5d\r\nHost: 192.168.11.233:8180\r\nAccept: text/html,
> application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg,
> image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: it,
> en\r\nAccept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6,
> *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity,
> *;q=0\r\nReferer: http://192.168.11.233/jetspeed\r\nVia: 1.1
> Villari:80 (squid/2.5.STABLE9-20050503)\r\nX-Forwarded-For:
> 192.168.11.243\r\nCache-Control: max-age=259200\r\nConnection:
> keep-alive\r\n] [HTTP/1.0 403 Forbidden\r\nServer:
> squid/2.5.STABLE9-20050503\r\nMime-Version: 1.0\r\nDate: Tue, 31 May
> 2005 11:16:56 GMT\r\nContent-Type: text/html\r\nContent-Length:
> 1189\r\nExpires: Tue, 31 May 2005 11:16:56 GMT\r\nX-Squid-Error:
> ERR_ACCESS_DENIED 0\r\n\r]
> 1117538216.704 611 192.168.11.243 TCP_MISS/403 1510 GET
> http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1
> - DIRECT/192.168.11.233 text/html [User-Agent: Opera/7.54 (Windows NT
> 5.1; U) %5bit%5d\r\nHost: 192.168.11.233:8180\r\nAccept: text/html,
> application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg,
> image/gif, image/x-xbitmap, */*;q=0.1\r\nAccept-Language: it,
> en\r\nAccept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6,
> *;q=0.1\r\nAccept-Encoding: deflate, gzip, x-gzip, identity,
> *;q=0\r\nReferer: http://192.168.11.233/jetspeed\r\nConnection:
> Keep-Alive, TE\r\nTE: deflate, gzip, chunked, identity, trailers\r\n]
> [HTTP/1.0 403 Forbidden\r\nServer:
> squid/2.5.STABLE9-20050503\r\nMime-Version: 1.0\r\nDate: Tue, 31 May
> 2005 11:16:56 GMT\r\nContent-Type: text/html\r\nContent-Length:
> 1189\r\nExpires: Tue, 31 May 2005 11:16:56 GMT\r\nX-Squid-Error:
> ERR_ACCESS_DENIED 0\r\nX-Cache: MISS from Villari\r\nConnection:
> keep-alive\r\n\r]
>
> cache.log
>
>
> 2005/05/31 13:16:56| The request GET
> http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1
> is ALLOWED, because it matched 'all'
> 2005/05/31 13:16:56| aclCheck: checking 'redirector_access allow session'
> 2005/05/31 13:16:56| aclMatchAclList: checking session
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex
> jsessionid'
> 2005/05/31 13:16:56| aclMatchRegex: checking
> 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml;jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1'
>
> 2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
> 2005/05/31 13:16:56| aclMatchAclList: returning 1
> 2005/05/31 13:16:56| aclCheck: match found, returning 1
> 2005/05/31 13:16:56| aclCheckCallback: answer=1
> 2005/05/31 13:16:56| aclCheckFast: list: (nil)
> 2005/05/31 13:16:56| aclCheckFast: no matches, returning: 1
> 2005/05/31 13:16:56| aclCheck: checking 'always_direct allow !session'
> 2005/05/31 13:16:56| aclMatchAclList: checking !session
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex
> jsessionid'
> 2005/05/31 13:16:56| aclMatchRegex: checking
> 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml'
>
> 2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
> 2005/05/31 13:16:56| aclMatchAclList: returning 1
> 2005/05/31 13:16:56| aclCheck: match found, returning 1
> 2005/05/31 13:16:56| aclCheckCallback: answer=1
> 2005/05/31 13:16:56| aclCheck: checking 'http_access allow all'
> 2005/05/31 13:16:56| aclMatchAclList: checking all
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2005/05/31 13:16:56| aclMatchIp: '192.168.11.233' found
> 2005/05/31 13:16:56| aclMatchAclList: returning 1
> 2005/05/31 13:16:56| aclCheck: match found, returning 1
> 2005/05/31 13:16:56| aclCheckCallback: answer=1
> 2005/05/31 13:16:56| The request GET
> http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml
> is ALLOWED, because it matched 'all'
> 2005/05/31 13:16:56| aclCheck: checking 'redirector_access allow session'
> 2005/05/31 13:16:56| aclMatchAclList: checking session
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex
> jsessionid'
> 2005/05/31 13:16:56| aclMatchRegex: checking
> 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml'
>
> 2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
> 2005/05/31 13:16:56| aclMatchAclList: no match, returning 0
> 2005/05/31 13:16:56| aclCheck: checking 'redirector_access deny !session'
> 2005/05/31 13:16:56| aclMatchAclList: checking !session
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl session url_regex
> jsessionid'
> 2005/05/31 13:16:56| aclMatchRegex: checking
> 'http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml'
>
> 2005/05/31 13:16:56| aclMatchRegex: looking for 'jsessionid'
> 2005/05/31 13:16:56| aclMatchAclList: returning 1
> 2005/05/31 13:16:56| aclCheck: match found, returning 0
> 2005/05/31 13:16:56| aclCheckCallback: answer=0
> 2005/05/31 13:16:56| WARNING: Forwarding loop detected for:
> GET
> /jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml
> HTTP/1.0
>
> User-Agent: Opera/7.54 (Windows NT 5.1; U) [it]
>
> Host: 192.168.11.233:8180
>
> Accept: text/html, application/xml;q=0.9, application/xhtml+xml,
> image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
>
> Accept-Language: it, en
>
> Accept-Charset: windows-1252, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
>
> Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
>
> Referer: http://192.168.11.233/jetspeed
>
> Via: 1.1 Villari:80 (squid/2.5.STABLE9-20050503)
>
> X-Forwarded-For: 192.168.11.243
>
> Cache-Control: max-age=259200
>
> Connection: keep-alive
>
>
>
> 2005/05/31 13:16:56| aclCheckFast: list: 0x8228a50
> 2005/05/31 13:16:56| aclMatchAclList: checking all
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2005/05/31 13:16:56| aclMatchIp: '192.168.11.243' found
> 2005/05/31 13:16:56| aclMatchAclList: returning 1
> 2005/05/31 13:16:56| aclCheckFast: list: 0x822c348
> 2005/05/31 13:16:56| aclMatchAclList: checking all
> 2005/05/31 13:16:56| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
> 2005/05/31 13:16:56| aclMatchIp: '192.168.11.243' found
> 2005/05/31 13:16:56| aclMatchAclList: returning 1
> 2005/05/31 13:16:56| The reply for GET
> http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/HOME_ArchivioEventiHomePage.psml
> is ALLOWED, because it matched 'all'
>
>
>
> and squidguard.conf
>
> #
> # Configuration File for SquidGuard
> #
> # Created with the SquidGuard Configuration Webmin Module
> # Copyright (C) 2001 by Tim Niemueller <tim@niemueller.de>
> # http://www.niemueller.de/webmin/modules/squidguard/
> #
> # File created on 27/Mag/2005 15:39
> #
>
> dbhome /var/lib/squidguard
> logdir /var/log/squidguard
>
>
> rewrite prova {
> s@;jsessionid=[0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z].tomcat1@
> @i
> log /var/log/squidguard/riscrivi
> }
>
>
> acl {
> default {
> pass any
> rewrite prova
> }
> }
>
Sorry if I insist... Any suggestions? Please...
Received on Tue May 31 2005 - 08:56:32 MDT
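
Two things visible in the logs above, checked in code (an added example, not part of the original post): the URL handed back by the rewrite still names 192.168.11.233:8180, and the request that then arrives carries the proxy's own visible_hostname in Via, which is the condition Squid reports as a forwarding loop. Treating 192.168.11.233 as the Squid host itself is an assumption read from the access.log client address, and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# The page's squidGuard rule, with the 32 repeated classes written as {32} and
# the dot before "tomcat1" escaped (the original leaves it unescaped).
JSESSIONID = re.compile(r";jsessionid=[0-9A-Z]{32}\.tomcat1", re.IGNORECASE)

# Values copied from the logs and squid.conf quoted above.
URL = ("http://192.168.11.233:8180/jetspeed/media-type/html/user/anon/page/"
       "HOME_ArchivioEventiHomePage.psml"
       ";jsessionid=6723643B0FA2C4AA2D9A22C433B5ACCA.tomcat1")
LOOPED_HEADERS = {"Host": "192.168.11.233:8180",
                  "Via": "1.1 Villari:80 (squid/2.5.STABLE9-20050503)"}
VISIBLE_HOSTNAME = "Villari"
# Assumption: 192.168.11.233 is the Squid host, listening on both http_port values.
OWN_LISTENERS = {("192.168.11.233", 80), ("192.168.11.233", 8180)}


def rewrite(url):
    """Return the URL as the redirector would hand it back to Squid."""
    return JSESSIONID.sub("", url)


def via_hosts(via_value):
    """Extract the received-by host of each hop in a Via header value."""
    hosts = []
    for hop in via_value.split(","):
        fields = hop.split()
        if len(fields) >= 2:
            hosts.append(fields[1].rsplit(":", 1)[0].lower())
    return hosts


def carries_own_via(headers, visible_hostname):
    """True if the request already passed through this proxy (a loop)."""
    return visible_hostname.lower() in via_hosts(headers.get("Via", ""))


def targets_own_listener(url, own_listeners):
    """True if the rewritten URL points back at one of the proxy's ports."""
    parts = urlsplit(rewrite(url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.hostname, port) in own_listeners


if __name__ == "__main__":
    print("rewritten:", rewrite(URL))
    print("targets own listener:", targets_own_listener(URL, OWN_LISTENERS))
    print("own Via present:", carries_own_via(LOOPED_HEADERS, VISIBLE_HOSTNAME))
```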
