Squid detected forwarding loops in most configurations, but broke
them (using a customizable HTTP_FORBIDDEN response) only when working as
an accelerator. Squid now breaks loops when working as a transparent
proxy as well.
A persistent loop is going to be broken anyway, when the Via and
X-Forwarded-For headers exceed the header size limit, but that wastes a lot of
resources and may also crash misconfigured Squids.
TODO: Consider breaking all loops, regardless of the http_port options.
TODO: Consider adding a specific and/or configurable error page for this case
instead of using hard-coded ACCESS_DENIED.
return;
}
- /**
- * Deny loops when running in accelerator/transproxy mode.
- */
- if (http->flags.accel && r->flags.loopdetect) {
+ /// Deny loops for accelerator and interceptor. TODO: deny in all modes?
+ if (r->flags.loopdetect &&
+ (http->flags.accel || http->flags.intercepted)) {
http->al.http.code = HTTP_FORBIDDEN;
err = clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, NULL, http->getConn()->peer, http->request);
createStoreEntry(r->method, request_flags());
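Review bot: The new `///` comment above the `r->flags.loopdetect` test carries only the "deny in all modes?" TODO. The commit message's second TODO, replacing the hard-coded ERR_ACCESS_DENIED with a specific or configurable error page, is not recorded anywhere in the code. I would add it as a comment next to the `clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, ...)` call so it survives outside the commit log. As written, a request denied for looping gets the same error page and 403 status as one denied by access rules, and intercepting deployments now hit this path too, so an administrator reading the response cannot tell a forwarding loop from an access-control denial.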