0

I have a web application, and I'd like to limit file upload size.

I thought I'd try using squid for this, via its directive request_body_size_max.

I have my webserver running on port 8080, and I've installed squid 3.1.19 on the same server (Ubuntu 12.04 LTS). The server is running on Amazon's EC2, if that makes any difference.

squid.conf contains:

http_port 3128 transparent

I added to IPTables:

iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 3128

When I visit the webserver, the result in squid's logs, is:

Forwarding loop detected.

What do I need to do to prevent this? thanks...

Plutext
  • 143
  • 1
  • 9

1 Answers1

1

The problem is when squid tries to connect to the web server (on port 8080) it's request is also redirected to itself. You must limit the scope of the REDIRECT rule (e.g. based on the incoming interface).

If the outside interface on your server is eth0 change the rule like this:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j REDIRECT --to-port 3128

Update: On the second thought looks like I'm wrong. Local (127.0.0.1) traffic doesn't go through the PREROUTING chain.

How did you tell squid what upstream web server to use?

skarap
  • 733
  • 5
  • 7
  • Thanks for the reply; I did try "-i eth0"; I probably should have included that in the question. I'm not explicitly telling squid what upstream server to use. It seems to know that from the incoming HTTP request. – Plutext May 11 '13 at 11:52
  • 1
    Have you tried to do proper http accelerator setup (not transparent proxy)? You can have a look [here](http://wiki.squid-cache.org/ConfigExamples/Reverse/BasicAccelerator). Basically you replace the `http_port` directive with `http_port 3128 accel defaultsite=your.main.website.name no-vhost`. Add something like `cache_peer 127.0.0.1 parent 8080 0 no-query originserver name=myServer` and proper `http_access` and `cache_peer_access` directives. – skarap May 11 '13 at 15:50
  • Great suggestion. That worked nicely, thank you! I also needed iptables -t nat -A OUTPUT --src 0/0 -p tcp --dport 80 -j REDIRECT --to-port 8080. Now to get the client to respect the 413 response... – Plutext May 11 '13 at 22:44