Break forwarding loops for "transparent" or "intercept" http_ports.

Squid detected forwarding loops in most configurations, but broke
them (using a customizable HTTP_FORBIDDEN response) only when working as
an accelerator. Squid now breaks loops when working as a transparent
proxy as well.

A persistent loop is going to be broken anyway, when the Via and
X-Forwarded-For headers exceed the header size limit, but that wastes a lot of
resources and may also crash misconfigured Squids.

TODO: Consider breaking all loops, regardless of the http_port options.

TODO: Consider adding a specific and/or configurable error page for this case
instead of using hard-coded ACCESS_DENIED.
return;
}
- /*
- * Deny loops when running in accelerator/transproxy mode.
- */
- if (http->flags.accel && r->flags.loopdetect) {
+ /// Deny loops for accelerator and interceptor. TODO: deny in all modes?
+ if (r->flags.loopdetect &&
+ (http->flags.accel || http->flags.intercepted)) {
http->al.http.code = HTTP_FORBIDDEN;
err =
clientBuildError(ERR_ACCESS_DENIED, HTTP_FORBIDDEN, NULL,
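Review bot: In the denial branch under the new condition, a broken loop on an intercepted port is reported as `HTTP_FORBIDDEN` with `ERR_ACCESS_DENIED`, exactly what an ordinary ACL denial produces, so an operator reading the access log or the error page cannot tell a forwarding loop from a policy block. Since interception loops usually come from a redirect rule that catches the proxy's own outgoing traffic, a log line in this branch that names the loop would make the misconfiguration much easier to find until the dedicated error page from the commit message's TODO exists. Two smaller points on the added lines: `///` is a Doxygen marker intended for declarations, so a plain `//` or the original `/* */` form fits a statement inside a function body better; and the commit message names both "transparent" and "intercept" http_ports while the condition tests only `http->flags.intercepted`, so it is worth stating in the comment that this one flag covers both options.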