[squid-users] HAProxy + Squid

Service MV service.mv at gmail.com
Thu Aug 15 20:46:00 UTC 2019


Thank you, Amos. Taking into account your and Rafael's recommendations, I
configured HAProxy and Squid to use the PROXY protocol instead of
reformatting the messages.
At the moment I have disabled authentication, due to internal requirements.
I had a hard time dealing with the HAProxy health checks, but I was able to
fix it.
However, by configuring Squid in this way, I ran into one last problem that I
didn't expect:
Squid reports the client's IP to my internet gateway instead of its own
IP.
It's true that I want to see my clients' IPs in Squid's log, but I want Squid's
IP to reach my gateway and not my clients'. This way I can make my clients
browse the internet only through my proxies.

I'm really not sure whether it will be possible to achieve this if I continue
with this configuration.
I appreciate in advance any indication you can give me.


haproxy.cfg
global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    maxconn 4000
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode tcp
    option tcplog
    option  dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend squid_in
    bind *:3128
    default_backend squid_pool

backend squid_pool
    balance source
    mode tcp
    server px1 x.x.x.1:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3
    server px2 x.x.x.2:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3


squid.conf
acl localnet src 192.168.12.1-192.168.13.254 # my clients IP's
acl localnet src 192.168.11.80 # haproxy IP

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70      # gopher
acl Safe_ports port 210     # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280     # http-mgmt
acl Safe_ports port 488     # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777     # multiling http
acl Safe_ports port 8181 # haproxy health checks port
acl CONNECT method CONNECT

# list of allowed domains
acl LS_whitedomains dstdomain "/etc/squid/acl/whitedomains.txt"

# list of blocked domains
acl LS_blackdomains dstdomain "/etc/squid/acl/blackdomains.txt"
acl LS_malicius dstdomain "/etc/squid/acl/malicius.txt"
acl LS_porn dstdomain "/etc/squid/acl/porn.txt"

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only one who can
# access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# implementation of access list policies
http_access deny LS_blackdomains
http_access allow LS_whitedomains
http_access deny LS_malicius
http_access deny LS_porn

# limit downloads to 10 Mb/s to the localnet network
delay_pools 1
delay_class 1 2
delay_parameters 1 1310720/1966080 917504/1310720
delay_access 1 allow localnet

# implementation of core access policies
proxy_protocol_access allow localnet
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 require-proxy-header

# port used only for haproxy health checks
http_port 8181

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

# squid customization settings
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
shutdown_lifetime 0 seconds
ipcache_size 2048
fqdncache_size 4096
cache_mgr me at tsa.net
visible_hostname px1
httpd_suppress_version_string on
forwarded_for off


Best regards
Gabriel

On Fri, 9 Aug 2019 at 03:45, Amos Jeffries (
squid3 at treenet.co.nz) wrote:

> On 9/08/19 1:44 am, neok wrote:
> > Hi, I finally did the configuration differently. It's working very well
> > for me.
> >
>
> What you are doing is polluting every HTTP message with two new headers.
>
> The way Rafael suggested is more efficient since the PROXY protocol
> details are only delivered at the start of each TCP connection, and HTTP
> messages do not need to be reformatted at the LB as they pass.
>
> Note that Squid will be extending that XFF header itself anyway. But
> with your way the LB IP address will be broadcast to the origin(s) in
> the XFF header along with the client address. With PROXY protocol Squid
> adds only the client address there.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
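The exchange the thread is about, as an added example that is not part of any message in this thread and not code from Squid or HAProxy: what HAProxy's `send-proxy` puts at the start of each backend TCP connection, how a `require-proxy-header` listener recovers the real client address from it, why that header is only honoured when the TCP peer is a trusted load balancer (the job of `proxy_protocol_access`, which is evaluated on the connecting peer, not on the address inside the header), and which X-Forwarded-For value the next hop receives under each `forwarded_for` mode. The HAProxy address 192.168.11.80 is taken from the posted squid.conf; the client 192.168.12.25, the Squid address 192.168.11.10 and the request bytes are constructed for the demo. The parser also accepts the TCP6 and UNKNOWN forms of the v1 header, which go beyond the TCP4 case in the post.

```python
"""Stand-alone model of the PROXY protocol v1 hop between HAProxy and Squid.

Added example, not code from the thread or from Squid/HAProxy. Addresses,
ports and the request bytes below are made up for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# v1 header: "PROXY TCP4 <client> <server> <client-port> <server-port>\r\n"
PROXY_V1_RE = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n"
)
MAX_V1_LEN = 107  # a v1 header, CRLF included, is at most 107 bytes

# Assumption mirroring the posted squid.conf: the only TCP peer allowed to
# present a PROXY header is the HAProxy box (192.168.11.80).
TRUSTED_PROXY_PEERS = {ipaddress.ip_address("192.168.11.80")}

FORWARDED_FOR_MODES = {"on", "off", "transparent", "truncate", "delete"}


@dataclass(frozen=True)
class ProxyInfo:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int


def build_proxy_v1(client_ip: str, client_port: int, server_ip: str, server_port: int) -> bytes:
    """What HAProxy `send-proxy` writes first on each backend TCP connection."""
    family = "TCP6" if ":" in client_ip else "TCP4"
    return f"PROXY {family} {client_ip} {server_ip} {client_port} {server_port}\r\n".encode()


def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Strip the v1 header; returns (ProxyInfo, or None for UNKNOWN, remaining bytes)."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("stream does not begin with a PROXY v1 header")
    m = PROXY_V1_RE.match(data[: end + 2])
    if m is None:
        raise ValueError("malformed PROXY v1 header")
    family, src, dst, sport, dport = m.groups()
    rest = data[end + 2:]
    if family == b"UNKNOWN":
        return None, rest  # LB could not tell; caller falls back to the TCP peer
    if src is None:
        raise ValueError("TCP4/TCP6 header without addresses")
    src_ip = ipaddress.ip_address(src.decode())
    dst_ip = ipaddress.ip_address(dst.decode())
    want = 4 if family == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match the PROXY header")
    sport, dport = int(sport), int(dport)
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return ProxyInfo(str(src_ip), sport, str(dst_ip), dport), rest


def peer_may_send_proxy_header(peer_ip: str) -> bool:
    """Model of `proxy_protocol_access`: decided on the TCP peer, never on the header."""
    return ipaddress.ip_address(peer_ip) in TRUSTED_PROXY_PEERS


def accept_connection(peer_ip: str, first_bytes: bytes) -> Tuple[str, bytes]:
    """Model of `http_port 3128 require-proxy-header`: return the address that
    http_access and the access log will treat as the client, plus the HTTP bytes.
    Rejecting untrusted peers matters: otherwise anyone who can reach the port
    could forge a header and pass client-address ACLs as somebody else."""
    if not peer_may_send_proxy_header(peer_ip):
        raise PermissionError(f"PROXY header not accepted from {peer_ip}")
    info, rest = parse_proxy_v1(first_bytes)
    return (info.client_ip if info else peer_ip), rest


def forwarded_for_header(existing: Optional[str], client_ip: str, mode: str) -> Optional[str]:
    """X-Forwarded-For the next hop receives for each Squid `forwarded_for` mode."""
    if mode not in FORWARDED_FOR_MODES:
        raise ValueError(f"unknown forwarded_for mode {mode!r}")
    if mode == "transparent":
        return existing
    if mode == "delete":
        return None
    if mode == "truncate":
        return client_ip
    entry = client_ip if mode == "on" else "unknown"  # "off" still appends "unknown"
    return f"{existing}, {entry}" if existing else entry


if __name__ == "__main__":
    # Constructed request as HAProxy would relay it to px1
    wire = build_proxy_v1("192.168.12.25", 51234, "192.168.11.10", 3128) \
        + b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    client, http = accept_connection("192.168.11.80", wire)
    print("client address used for ACLs and the log:", client)
    for mode in sorted(FORWARDED_FOR_MODES):
        print(f"forwarded_for {mode}: X-Forwarded-For: {forwarded_for_header(None, client, mode)}")
```

The two addresses are deliberately kept apart in `accept_connection`: the TCP peer decides whether a PROXY header is believed at all, and only then does the header's client address become the one that `http_access`, `delay_access` and the log see. The `forwarded_for` table is the part of the exchange the next hop notices: `on` appends the client, `off` appends the literal `unknown`, `truncate` keeps only the client, and `delete` removes the header entirely.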