[squid-users] AWS NLB Proxy Protocol V2
Alex Rousskov
rousskov at measurement-factory.com
Wed Oct 20 02:27:12 UTC 2021
On 10/19/21 4:56 PM, Ty Martin wrote:
> That `--haproxy-protocol` option seems like it should have done the
> trick. Am I just shooting myself in the foot with bad curl commands?
It looks like curl --haproxy-protocol does not work the way you want for
HTTPS requests sent through HTTP proxies:
> curl --haproxy-protocol -x http://127.0.0.1:3128/ https://...
>> CONNECT localhost:443 HTTP/1.1
...
> < HTTP/1.1 200 Connection established
>
> * Proxy replied 200 to CONNECT request
> * CONNECT phase completed!
>> PROXY TCP4 127.0.0.1 127.0.0.1 35628 3128
The above PROXY protocol message is sent to the HTTP origin server
inside the CONNECT tunnel instead of being sent to Squid _before_ the
tunnel.
A similar curl command "works" for plain HTTP requests (because, without
CONNECT, it is impossible to distinguish the target of the PROXY
protocol message):
> curl --haproxy-protocol -x http://127.0.0.1:3128/ http://...
> * Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
>> PROXY TCP4 127.0.0.1 127.0.0.1 35634 3128
>> GET http://... HTTP/1.1
FWIW, my v5.2-based Squid groks the above correctly, forwarding the
request (if proxy_protocol_access allows it). This indicates that the
basic PROXY protocol support in my Squid works.
Unfortunately, there is no curl --proxy-haproxy-protocol (yet?) so you
will need to find another way to test. Alternatively, you can share
Squid debugging logs and/or packet captures when using your network load
balancer.
Alex.
> On Mon, Oct 18, 2021 at 5:32 PM Alex Rousskov wrote:
>
> On 10/18/21 5:16 PM, Ty Martin wrote:
> > Ah, yep. Adding the following to my config got things working in AWS:
>
> > acl private src 172.0.0.0/8
> > proxy_protocol_access allow private
> > http_port 3128 require-proxy-header
>
>
> > I was trying to test it locally without success by running the Docker
> > container and hitting it with a curl along the lines of:
> > `curl --proxy http://<un>:<pw>@localhost:3128 -v --header
> > "X-Forwarded-For: 192.168.0.2" https://www.google.com`
>
> To test using curl, try curl --haproxy-protocol ...
>
> PROXY protocol (all versions) is not HTTP.
>
> Alex.
>
>
> > --- Resulting Squid logs ---
> > ```
> > squid-proxy_1 | 2021/10/18 19:55:33| PROXY protocol error: invalid magic
> > squid-proxy_1 | exception location: Parser.cc(260) Parse from conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
> > squid-proxy_1 | connection: conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
> > ```
> >
> > --- Resulting client logs ---
> > ```
> > * Proxy CONNECT aborted
> > * CONNECT phase completed!
> > * Closing connection 0
> > curl: (56) Proxy CONNECT aborted
> > ```
> >
> > Any idea offhand what I'm missing from the local testing scenario? I
> > thought adding a "X-Forwarded-For" header via curl would be treated as
> > proxy protocol v1 by Squid, but the "invalid magic" protocol error gives
> > me the impression I'm not going about it the right way.
> >
> > On Mon, Oct 18, 2021 at 12:48 PM Alex Rousskov
> > <rousskov at measurement-factory.com> wrote:
> >
> > On 10/18/21 12:11 PM, Ty Martin wrote:
> >
> > > I am looking to run Squid as a forward proxy with basic auth in Docker
> > > on AWS ECS behind a network load balancer. I seem to have things up and
> > > running for the most part; however, I am having difficulty in getting
> > > proxy protocol to work so that I get access to client IP addresses
> > > beyond that of the private IPs of my NLB. As soon as I enable proxy
> > > protocol v2 on the AWS NLB, requests to Squid start failing with errors
> > > similar to the following:
> > >
> > > Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 -
> > > error:invalid-request - HIER_NONE/- text/html`
> > > Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
> >
> > > http_port 3128
> >
> > You must use the require-proxy-header http_port option to tell Squid to
> > always expect/require PROXY protocol messages on connections to that
> > listening port. Otherwise, Squid will expect naked HTTP traffic and
> > fail to parse incoming (PROXY protocol) connection bytes.
> >
> > According to proxy_protocol_access documentation, after adding
> > require-proxy-header to http_port, you must also use
> > proxy_protocol_access to tell Squid which TCP connections to allow on
> > that port (and, hence, which PROXY protocol messages to trust). Denied
> > connections will be closed.
> >
> >
> > HTH,
> >
> > Alex.
> >
>
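One way to test a `require-proxy-header` port without a load balancer in front, as an added example that is not part of this thread or of Squid's or curl's own code: build the PROXY protocol v1 or v2 header yourself and send it on the connection *before* the CONNECT, which is the step curl --haproxy-protocol gets wrong for HTTPS through a proxy. The Squid address 127.0.0.1:3128, the client IP 192.168.0.2 and the sample port numbers are assumed/constructed; the parser mirrors the "invalid magic" check seen in the Squid log above.

```python
"""Build PROXY protocol v1/v2 headers and send one ahead of an HTTP CONNECT,
so a Squid http_port with require-proxy-header can be exercised locally."""
import socket
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte v2 "magic" checked first

def proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Text v1 line, the same shape curl --haproxy-protocol emits."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()

def proxy_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Binary v2 header for TCP over IPv4 (the form an AWS NLB sends)."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    # 0x21 = version 2 | PROXY command; 0x11 = AF_INET | STREAM; then length
    return V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs

def parse_header(data):
    """Decode a v1 or v2 IPv4 header; anything else is an 'invalid magic' error."""
    if data.startswith(V2_SIGNATURE):
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd != 0x21 or fam != 0x11 or length != 12:
            raise ValueError("unsupported v2 header")
        src, dst, sport, dport = struct.unpack("!4s4sHH", data[16:28])
        return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport
    if data.startswith(b"PROXY TCP4 "):
        fields = data.split(b"\r\n", 1)[0].decode().split()
        return fields[2], fields[3], int(fields[4]), int(fields[5])
    raise ValueError("invalid magic")  # what Squid logs for naked HTTP bytes

def connect_through_squid(squid_ip, squid_port, client_ip, target="localhost:443"):
    """Send the PROXY header before CONNECT; return Squid's status line."""
    with socket.create_connection((squid_ip, squid_port)) as s:
        local_port = s.getsockname()[1]
        s.sendall(proxy_v2_header(client_ip, squid_ip, local_port, squid_port))
        s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        return s.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")

if __name__ == "__main__":
    # Assumed local Squid on 127.0.0.1:3128; 192.168.0.2 is a constructed client IP.
    # Expect "HTTP/1.1 200 Connection established" only if proxy_protocol_access
    # allows the listening connection; a denied connection is simply closed.
    print(connect_through_squid("127.0.0.1", 3128, "192.168.0.2"))
```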