[squid-users] Working proxy_protocol_access settings on Squid 3.5 or 4?

Tom Karches twk at ncsu.edu
Tue Sep 24 16:02:07 UTC 2019


Alex,

Our current production configuration is squid 3.123 with LVS load
balancing. The desired production configuration is 3.5.20 with a FortiADC
load balancer. I am working with networking staff on the configuration. If
I directly connect to the actual proxy server behind the load balancer, I
get:

2019/09/24 11:31:46 kid1| PROXY protocol error: invalid header from local=152.7.114.8:3128 remote=152.7.148.47:65220 FD 16 flags=1

Relevant squid.conf on the server looks like this:

acl fortiadc src 10.50.54.0/24
# temporary for testing by going directly to the proxy server and not the load balancer
acl fortiadc src 152.7.148.0/24
proxy_protocol_access allow fortiadc

proxy_protocol_access allow localnet
follow_x_forwarded_for allow localhost
follow_x_forwarded_for allow localnet
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on
tproxy_uses_indirect_client off
...
http_port 3128 require-proxy-header

I have tried adding the following...it appears to make no difference.

http_port 127.0.0.1:3128

So, you are saying that v4 does not contain changes to fix the "PROXY
protocol error" and my only option at this point is v5 code? (or fall back
to using LVS with 3.5.20) Just trying to understand my options.

Thanks,
Tom

On Mon, Sep 23, 2019 at 4:47 PM Alex Rousskov <
rousskov at measurement-factory.com> wrote:

> On 9/23/19 4:14 PM, Tom Karches wrote:
>
> > The suggestion was to move to Squid 4 as noted here :
> >
> > http://squid-web-proxy-cache.1019090.n4.nabble.com/error-in-parsing-Proxy-protocol-version-2-by-Squid-proxy-protocol-td4686763.html
> >
> > This was back in Oct 2018. Has anything changed since then?
>
> Yes, the changes I mentioned then have been accepted:
>
>    https://github.com/squid-cache/squid/pull/342
>
> The above pull request contained lots of PROXY protocol fixes and
> several important improvements. Those changes are not in v4, but master
> (future v5) code is available and works well for some. YMMV.
>
> I do not recall any fixes going back into v3, but I did not check.
>
> Alex.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>


-- 
Thomas Karches
NCSU OIT CSI - Systems Specialist
M.E Student - Technology Education
Hillsborough 319 / 919.515.5508
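
Added example, not part of the original message and not Squid's own parser: a minimal check of what a port configured with require-proxy-header expects as the first bytes of a connection, following the PROXY protocol v1 and v2 header layouts for TCP over IPv4/IPv6 only. The names parse_proxy_header and check, the "rejected:" wording and the sample bytes are assumptions made for illustration.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature

def parse_proxy_header(data: bytes):
    """Return (version, src, dst), src/dst being (ip, port) or None; ValueError otherwise."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        body = data[16:16 + length]
        if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1 or len(body) < length:
            raise ValueError("malformed v2 header")
        if ver_cmd & 0x0F == 0:          # LOCAL: sender's own health check
            return 2, None, None
        fmt = {0x11: "!4s4sHH", 0x21: "!16s16sHH"}.get(fam)  # TCP4 / TCP6
        if fmt is None or length < struct.calcsize(fmt):
            raise ValueError("unsupported v2 address family")
        s, d, sp, dp = struct.unpack_from(fmt, body)
        return 2, (str(ipaddress.ip_address(s)), sp), (str(ipaddress.ip_address(d)), dp)
    if data.startswith(b"PROXY "):
        line, sep, _ = data[:107].partition(b"\r\n")  # v1 line is <= 107 bytes
        if not sep:
            raise ValueError("v1 header not terminated")
        parts = line.decode("ascii").split(" ")
        if parts[1] == "UNKNOWN":
            return 1, None, None
        if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        src = (str(ipaddress.ip_address(parts[2])), int(parts[4]))
        dst = (str(ipaddress.ip_address(parts[3])), int(parts[5]))
        return 1, src, dst
    raise ValueError("no PROXY header, first bytes %r" % data[:8])

def check(data: bytes) -> str:
    try:
        return "ok: v%d src=%s dst=%s" % parse_proxy_header(data)
    except ValueError as exc:
        return "rejected: %s" % exc

# Constructed samples using documentation addresses (not taken from the thread).
V1 = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 3128\r\nGET / HTTP/1.1\r\n"
V2 = (V2_SIG + b"\x21\x11" + struct.pack("!H", 12)
      + bytes([192, 0, 2, 10, 198, 51, 100, 5]) + struct.pack("!HH", 51234, 3128))
DIRECT = b"GET http://example.com/ HTTP/1.1\r\n"  # plain client, no balancer in front

for name, sample in (("v1", V1), ("v2", V2), ("direct", DIRECT)):
    print(name, check(sample))
```

The DIRECT sample is what a browser or curl sends when pointed straight at the port: an HTTP request line where the header is expected.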