[squid-users] [3.5x]: identd lookup made before proxy_protocol checking and failed [help]

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 6 10:26:34 UTC 2017


On 2017-01-06 22:12, David Touzeau wrote:
> Added in bugtrack
> 
> http://bugs.squid-cache.org/show_bug.cgi?id=4657
> 
> 
> -----Message d'origine-----
> De : David Touzeau
> 
> Hi,
> 
> We need to use ident daemon in order to authenticate users.
> 
> Squid works fine when computers are directly connected to the proxy.
> 
> We have added HaProxy * * * Load-balancer * * * using *proxy_protocol*
> between users and 2 Squid proxies With the load balancer, squid want
> to query identd port directly on the load balancer but not on the
> client source IP address.
> If you see this piece of logs, you can see that the source client
> address is correctly understood by Squid but * * after * *  the ident
> verification.
> 
> 
> How can i fix this behaviour ?

IDENT relies on using the exact random TCP port from the connection the 
client opened to HAProxy being used as part of the IDENT connection back 
to the client.

Since there is HAProxy between Squid and the client, Squid will be 
unable to open the port already in use by the HAProxy client-connection.

So, HAProxy has to be the agent doing the IDENT lookup and sending the 
ident info to Squid - probably as part of the PROXY wrapper.

Amos


More information about the squid-users mailing list