[squid-users] AWS NLB Proxy Protocol V2

Ty Martin ty at vergesense.com
Mon Oct 18 16:11:43 UTC 2021


Good morning,

I am looking to run Squid as a forward proxy with basic auth in Docker on
AWS ECS behind a network load balancer. I seem to have things up and
running for the most part; however, I am having difficulty in getting proxy
protocol to work so that I get access to client IP addresses beyond that of
the private IPs of my NLB. As soon as I enable proxy protocol v2 on the AWS
NLB, requests to Squid start failing with errors similar to the following:

Squid log:

```
1634330668.200      5 <nlb-private-ip> NONE_NONE/400 2032 - error:invalid-request - HIER_NONE/- text/html
```

Client log:

```
X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0
```

--- Environment and Configuration details ---

Operating System: Alpine Linux 3.14.2

```
$ squid -v
Squid Cache: Version 5.0.6
Service Name: squid

This binary uses OpenSSL 1.1.1l  24 Aug 2021. For legal restrictions on
distribution see https://www.openssl.org/source/license.html

configure options:  '--build=x86_64-alpine-linux-musl'
'--host=x86_64-alpine-linux-musl' '--prefix=/usr'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--localstatedir=/var'
'--with-logdir=/var/log/squid' '--disable-strict-error-checking'
'--disable-arch-native' '--enable-removal-policies=lru,heap'
'--enable-auth-digest'
'--enable-auth-basic=getpwnam,NCSA,SMB,SMB_LM,RADIUS' '--enable-epoll'
'--enable-external-acl-helpers=file_userip,unix_group,wbinfo_group'
'--enable-auth-ntlm=fake,SMB_LM' '--enable-auth-negotiate=kerberos,wrapper'
'--disable-mit' '--enable-heimdal' '--enable-delay-pools'
'--enable-openssl' '--enable-ssl-crtd' '--enable-linux-netfilter'
'--enable-ident-lookups' '--enable-useragent-log' '--enable-cache-digests'
'--enable-referer-log' '--enable-async-io' '--enable-truncate'
'--enable-arp-acl' '--enable-htcp' '--enable-carp' '--enable-poll'
'--enable-follow-x-forwarded-for' '--with-large-files'
'--with-default-user=squid' '--with-openssl'
'build_alias=x86_64-alpine-linux-musl'
'host_alias=x86_64-alpine-linux-musl' 'CC=gcc' 'CFLAGS=-Os
-fomit-frame-pointer' 'CPPFLAGS=-Os -fomit-frame-pointer' 'CXX=g++'
'CXXFLAGS=-Os -fomit-frame-pointer'
```

```
$ cat /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy

acl authenticated proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80

http_access allow authenticated
http_port 3128

cache deny all

pid_filename /var/run/squid/squid.pid

visible_hostname <dns-for-nlb>

debug_options ALL,1

acl hasRequest has request
access_log stdio:/proc/self/fd/1 hasRequest
```

I've looked into `proxy_protocol_access` and
`http_port require-proxy-header`, but those both appear to be options to
provide access control to Squid around proxy information. I'm simply
looking to keep the basic auth in place as the access control mechanism
while getting at the forwarded client information for logging purposes.

Is there something silly that I'm missing to get proxy protocol working
with Squid and AWS NLBs?

Thanks,

Ty
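What the NLB actually puts on the wire once PROXY protocol v2 is switched on, as an added illustration (not code from the original post or from Squid): a small decoder for the binary PROXY v2 header that precedes the client's first HTTP bytes, run against a constructed sample connection. The client address, NLB address, ports and the vendor TLV in the sample are made-up values; a listener that does not expect the header receives `\r\n\r\n\0\r\nQUIT\n...` where it expects a request line, which is the kind of input an HTTP parser rejects as an invalid request.

```python
import socket
import struct

# PROXY protocol v2 constants from the HAProxy PROXY protocol specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_HEADER_LEN = 16  # 12-byte signature + ver/cmd + family/proto + 2-byte length


def parse_proxy_v2(data: bytes):
    """Split a connection's first bytes into (header_info, remaining_payload).

    Returns (None, data) when no PROXY v2 header is present, so a caller can
    fall through to plain HTTP parsing. Raises ValueError on a truncated or
    unsupported header rather than guessing.
    """
    if not data.startswith(PP2_SIGNATURE):
        return None, data
    if len(data) < PP2_HEADER_LEN:
        raise ValueError("truncated PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    end = PP2_HEADER_LEN + length
    if len(data) < end:
        raise ValueError("truncated PROXY v2 address block")
    body = data[PP2_HEADER_LEN:end]
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL", "tlvs": {}}
    family = fam_proto >> 4
    if family == 0x1:    # AF_INET: src addr(4) dst addr(4) src port(2) dst port(2)
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        info["src"] = (socket.inet_ntop(socket.AF_INET, src), sport)
        info["dst"] = (socket.inet_ntop(socket.AF_INET, dst), dport)
        tlv = body[12:]
    elif family == 0x2:  # AF_INET6: 16 + 16 + 2 + 2 bytes
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        info["src"] = (socket.inet_ntop(socket.AF_INET6, src), sport)
        info["dst"] = (socket.inet_ntop(socket.AF_INET6, dst), dport)
        tlv = body[36:]
    else:                # AF_UNSPEC / AF_UNIX: nothing useful to log
        tlv = b""
    while len(tlv) >= 3:  # optional type-length-value extensions
        t, l = struct.unpack("!BH", tlv[:3])
        info["tlvs"][t] = tlv[3:3 + l]
        tlv = tlv[3 + l:]
    return info, data[end:]


def build_sample() -> bytes:
    """Constructed sample: PROXY v2 header (IPv4/TCP, one vendor TLV) then an HTTP request."""
    addrs = socket.inet_aton("203.0.113.10") + socket.inet_aton("10.0.1.5")
    addrs += struct.pack("!HH", 51234, 3128)            # client port, NLB listener port
    tlv = struct.pack("!BH", 0xEA, 5) + b"\x01vpce"     # constructed vendor TLV payload
    body = addrs + tlv
    return (PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(body)) + body
            + b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n")
```

Running `parse_proxy_v2(build_sample())` yields the real client address (203.0.113.10:51234) for logging plus the untouched HTTP request, while the raw bytes of `build_sample()` begin with the PROXY signature rather than `GET`.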