[squid-dev] Basic tests results for the proxy protocol with squid.

Amos Jeffries squid3 at treenet.co.nz
Wed Apr 15 10:48:05 UTC 2015


On 16/03/2015 4:32 a.m., Eliezer Croitoru wrote:
> Hey Amos,
> 
> The setup I have used to test the proxy protocol is:
> - 192.168.10.0/24 network.
> - 192.168.10.131 basic forward proxy client (firefox)
> - 192.168.10.151 haproxy+squid host
> 
> The haproxy is listening on port 13128 which is open on the FW.
> The squid instance is listening on ports 3128 and 23128.
> The settings for squid are from the release notes:
>  acl frontend src 127.0.0.1
>  http_port 23128 require-proxy-header
>  proxy_protocol_access allow frontend
> 
> While I have not found "proxy_protocol_access" at all in:
> http://www.squid-cache.org/Doc/config/
> 
> Now indeed as you mentioned I was curious about this weird state which a
> forward proxy would even look at the original_dst when in a forward
> proxy mode it should not even be looked at.
> What is even more weird is that the first request is being logged as
> from 192.168.10.151 and the second is from 192.168.10.131.
> Since the same issue happens when there is no default gateway I would
> assume something is probably not happening as it was planned.
> For each and every request there should be only one request happening.
> 
> I have never used the proxy protocol and my assumption is that there is
> one of two:
> - haproxy bad handling of the request
> - squid issue with the proxy protocol handling.
> 
> I have seen that most server software which implements the proxy
> protocol do use version 1 and not 2 (at least the open source I have seen).
> 
> My next step would be to add more detailed logs into the haproxy
> instance and run TCPDUMP to make sure what is passing on the wires.
> 
> Eliezer
> 

Yuhua Wu just did some testing and found the TPROXY intercept flag was
being incorrectly set to true (ouch, mea culpa). This could have been
breaking things in several ways.

If you would like, please test again and see if trunk is now working past
the issues you found earlier. I've still not found the time to get it
done, sorry.

Though please also note that the "intercept" and "accel" mode flags need
to be set (or not) to match what type of traffic HAProxy is receiving on
its inbound. Which is a little different from normal.

Amos
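
An added illustration, not part of the original message and not Squid's or HAProxy's code: a PROXY protocol version 1 header is a single text line prepended to the TCP stream, and the sketch below parses it and only accepts it from a trusted frontend, in the spirit of the quoted "proxy_protocol_access allow frontend" rule. The function names, the reject-on-untrusted behaviour and the sample bytes are assumptions of this example.

```python
import ipaddress

# Peers allowed to supply a PROXY header. Mirrors "acl frontend src 127.0.0.1"
# in the quoted squid.conf; the enforcement below is this example's assumption.
TRUSTED_FRONTENDS = {ipaddress.ip_address("127.0.0.1")}
MAX_V1_HEADER = 107  # longest valid v1 header, CRLF included


def parse_proxy_v1(data: bytes):
    """Parse a PROXY v1 line; return (src, dst, rest), src/dst as (ip, port) or None."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF-terminated PROXY v1 header in first 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":  # sender could not determine the addresses
        return None, None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("port is not numeric")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return (src, sport), (dst, dport), rest


def logged_client(tcp_peer: str, data: bytes):
    """Address to attribute the request to, or raise if the peer is untrusted."""
    peer = ipaddress.ip_address(tcp_peer)
    if peer not in TRUSTED_FRONTENDS:
        raise PermissionError(f"{peer} may not send a PROXY header")
    src, _dst, _rest = parse_proxy_v1(data)
    return src[0] if src else peer


# Constructed sample: what a frontend on 192.168.10.151:13128 would prepend
# for the Firefox client at 192.168.10.131 (client port is made up).
SAMPLE = (b"PROXY TCP4 192.168.10.131 192.168.10.151 51234 13128\r\n"
          b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n")

if __name__ == "__main__":
    print(logged_client("127.0.0.1", SAMPLE))  # trusted frontend on loopback
```

A header arriving from any peer outside the trusted set is refused rather than believed, since otherwise any client could choose the source address that ends up in the access log.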

