[squid-users] AWS NLB Proxy Protocol V2

Alex Rousskov rousskov at measurement-factory.com
Mon Oct 18 22:32:51 UTC 2021 

On 10/18/21 5:16 PM, Ty Martin wrote:
> Ah, yep. Adding the following to my config got things working in AWS:

> acl private src 172.0.0.0/8
> proxy_protocol_access allow private
> http_port 3128 require-proxy-header


> I was trying to test it locally without success by running the Docker
> container and hitting it with a curl along the lines of:
> `curl --proxy http://<un>:<pw>@localhost:3128 -v --header
> "X-Forwarded-For: 192.168.0.2" https://www.google.com

To test using curl, try curl --haproxy-protocol ...

PROXY protocol (all versions) is not HTTP.

Alex.


> --- Resulting Squid logs ---
> ```
> squid-proxy_1  | 2021/10/18 19:55:33| PROXY protocol error: invalid magic
> squid-proxy_1  |     exception location: Parser.cc(260) Parse from conn6
> local=172.24.0.2:3128 <http://172.24.0.2:3128> remote=172.24.0.1:65426
> <http://172.24.0.1:65426> FD 12 flags=1
> squid-proxy_1  |     connection: conn6 local=172.24.0.2:3128
> <http://172.24.0.2:3128> remote=172.24.0.1:65426
> <http://172.24.0.1:65426> FD 12 flags=1
> ```
> 
> --- Resulting client logs ---
> ```
> * Proxy CONNECT aborted
> * CONNECT phase completed!
> * Closing connection 0
> curl: (56) Proxy CONNECT aborted
> ```
> 
> Any idea offhand what I'm missing from the local testing scenario? I
> thought adding a "X-Forwarded-For" header via curl would be treated as
> proxy protocol v1 by Squid, but the "invalid magic" protocol error gives
> me the impression I'm not going about it the right way.
> 
> On Mon, Oct 18, 2021 at 12:48 PM Alex Rousskov
> <rousskov at measurement-factory.com
> <mailto:rousskov at measurement-factory.com>> wrote:
> 
>     On 10/18/21 12:11 PM, Ty Martin wrote:
> 
>     > I am looking to run Squid as a forward proxy with basic auth in Docker
>     > on AWS ECS behind a network load balancer. I seem to have things
>     up and
>     > running for the most part; however, I am having difficulty in getting
>     > proxy protocol to work so that I get access to client IP addresses
>     > beyond that of the private IPs of my NLB. As soon as I enable proxy
>     > protocol v2 on the AWS NLB, requests to Squid start failing with
>     errors
>     > similar to the following:
>     >
>     > Squid log: `1634330668.200      5 <nlb-private-ip> NONE_NONE/400
>     2032 -
>     > error:invalid-request - HIER_NONE/- text/html`
>     > Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
> 
>     > http_port 3128
> 
>     You must use require-proxy-header http_port option to tell Squid to
>     always expect/require PROXY protocol messages on connections to that
>     listening  port. Otherwise, Squid will expect naked HTTP traffic and
>     fail to parse incoming (PROXY protocol) connection bytes.
> 
>     According to proxy_protocol_access documentation, after adding
>     require-proxy-header to http_port, you must also use
>     proxy_protocol_access to tell Squid which TCP connections to allow on
>     that port (and, hence, which PROXY protocol messages to trust). Denied
>     connections will be closed.
> 
> 
>     HTH,
> 
>     Alex.
>

More information about the squid-users mailing list