[squid-dev] PROXY protocol and TPROXY, can they go together?

Amos Jeffries squid3 at treenet.co.nz
Tue May 15 19:36:53 UTC 2018

On 16/05/18 02:09, Eliezer Croitoru wrote:
> Hey Squid-Dev,
> I am in the middle of writing a load balancer \ router (almost done) for
> squid with TPROXY in it.
> The load balancer sits on the Squid machine and intercepts the connections.
> I want to send Squid instances a new connection on a PROXY protocol
> enabled http_port but that squid will use TPROXY on the outgoing
> connection based on the PROXY protocol details.
> Would it be possible? I think it should but not sure.

Maybe. Since both pieces of software are on the same machine, it should
get past the kernel protections against arbitrary spoofing.

You will have to check that BOTH dst-IP:port and src-IP:port pairs are
correctly relayed by the PROXY protocol. If not, TPROXY will end up
with mangled socket state and undefined behaviour (probably breakage).

> My plan is to try and load balance connections between multiple squid
> instances\workers for filtering purposes and PIN each of the instances
> to a CPU (20+ cores Physical host).
> How reasonable is this idea?

You don't need a custom LB. iptables is sufficient, or other firewalls
if you have a non-Linux machine.


You should be able to fit those LB lines into a normal TPROXY config.
Just replace the "-j REDIRECT" with the "-j TPROXY --tproxy-mark ...".
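
An added example of the plain-iptables approach described above (not code from the thread or from the Squid project): a script that generates the TPROXY mangle rules and spreads new connections across several Squid instances with the `statistic` match, in place of a custom load balancer. The interface name, fwmark 0x1, routing table 100 and the instance ports 3129+ are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Squid project code: emit (and optionally apply) the
# iptables/ip rules for a TPROXY setup spread over several Squid instances,
# each listening on its own "http_port <port> tproxy". The custom LB is
# replaced by '-m statistic --mode nth' round-robin in the mangle table.
# Assumed placeholders: fwmark 0x1, routing table 100, clients on $iface.

tproxy_rules() {
    iface=$1; shift          # interface the clients arrive on, e.g. eth0
    n=$#                     # number of Squid instances (one tproxy port each)
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$iface.rp_filter=0
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
EOF
    # Packets of a flow that already has a transparent socket are marked and
    # accepted by the DIVERT rule above, so only new connections reach the
    # TPROXY rules below. Instance i takes every (n-i)-th of the connections
    # not yet claimed; the last instance takes whatever is left, which gives
    # each instance 1/n of the new connections.
    i=0
    for port in "$@"; do
        left=$((n - i))
        sel=""
        if [ "$left" -gt 1 ]; then
            sel="-m statistic --mode nth --every $left --packet 0 "
        fi
        echo "iptables -t mangle -A PREROUTING -i $iface -p tcp --dport 80 ${sel}-j TPROXY --tproxy-mark 0x1/0x1 --on-port $port"
        i=$((i + 1))
    done
}

# 'sh tproxy_lb.sh eth0 3129 3130 3131' prints the rules for review;
# 'APPLY=1 sh tproxy_lb.sh eth0 3129 ...' (as root) runs them.
# With no arguments nothing is applied.
if [ "$#" -ge 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then
        tproxy_rules "$@" | sh -e
    else
        tproxy_rules "$@"
    fi
fi
```

Each instance then needs a matching `http_port <port> tproxy` line in its own squid.conf; the PROXY protocol port is not needed once the kernel does the distribution, so the src/dst relay concern above does not arise.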


