[squid-users] PROXY client not permitted by ACLs...

Alex Rousskov rousskov at measurement-factory.com
Thu May 4 20:30:36 UTC 2023


On 5/4/23 13:57, Service MV wrote:

> I'm monitoring my Squid nodes by SNMP using Zabbix 5.2 without problems. 
> The monitoring is working fine. To clarify, in front of my proxies I 
> have an HAProxy with PROXY protocol enabled.


> However in cache.log I have many messages like the following:
> PROXY client not permitted by ACLs from local=10.10.8.53:3128 
> remote=10.10.8.66:54568 
> FD 888 flags=1


> This is the relevant configuration:
> 
> # SNMP monitoring with Zabbix
> acl zabbix snmp_community zabbix_public
> acl zabbix_proxy src 10.10.8.66
> snmp_port 3401
> snmp_access allow zabbix zabbix_proxy
> snmp_access allow zabbix localhost
> snmp_access deny all
> snmp_incoming_address 0.0.0.0
> snmp_outgoing_address 0.0.0.0
> access_log none zabbix_proxy
> access_log daemon:/var/log/squid/4.14/access.log
> 
> http_port 3128 require-proxy-header
> forwarded_for transparent
> 
> acl vip_haproxy src 10.10.8.92
> proxy_protocol_access allow vip_haproxy


> Could someone tell me what configuration I could do to avoid these messages?


Bugs notwithstanding, something running on 10.10.8.66 is opening TCP 
connections to your Squid http_port 3128. That port is configured to 
require PROXY protocol connection prefixes. Your Squid is also 
configured to only accept such connections from vip_haproxy which does 
not match 10.10.8.66. Squid denies http_port connections from 
10.10.8.66, and you see the above cache.log messages.

Does this give you enough information to fix the problem?

Alex.
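
The check described in the reply above, as an added example that is not part of the original thread or of Squid itself: it counts the cache.log denials per source address and re-evaluates each source against the proxy_protocol_access rules. The cache.log lines (including the 10.10.8.70 source) are constructed, and the parser is a simplification that only understands src ACLs listing plain addresses or CIDR networks.

```python
import ipaddress
import re
from collections import Counter

# Configuration lines quoted in the thread (only the PROXY protocol part).
SQUID_CONF = """\
http_port 3128 require-proxy-header
acl vip_haproxy src 10.10.8.92
proxy_protocol_access allow vip_haproxy
"""

# Constructed cache.log lines modelled on the message quoted in the thread.
CACHE_LOG = """\
2023/05/04 13:50:01 kid1| PROXY client not permitted by ACLs from local=10.10.8.53:3128 remote=10.10.8.66:54568 FD 888 flags=1
2023/05/04 13:51:01 kid1| PROXY client not permitted by ACLs from local=10.10.8.53:3128 remote=10.10.8.66:54612 FD 901 flags=1
2023/05/04 13:51:07 kid1| PROXY client not permitted by ACLs from local=10.10.8.53:3128 remote=10.10.8.70:40022 FD 902 flags=1
"""

DENIED = re.compile(r"PROXY client not permitted by ACLs from local=\S+ remote=([\d.]+):\d+")

def parse_conf(text):
    """Return (src ACLs as name -> networks, ordered proxy_protocol_access rules)."""
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl" and words[2] == "src":
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:]]
            acls.setdefault(words[1], []).extend(nets)
        elif len(words) >= 3 and words[0] == "proxy_protocol_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules

def may_send_proxy_header(ip, acls, rules):
    """First rule whose ACLs all match decides; no match flips the last rule."""
    addr = ipaddress.ip_address(ip)
    for allow, names in rules:
        if all(any(addr in net for net in acls.get(n, [])) for n in names):
            return allow
    return (not rules[-1][0]) if rules else False

def denied_sources(log_text, conf_text):
    """Count denial messages per source address and re-check each against the rules."""
    acls, rules = parse_conf(conf_text)
    hits = Counter(m.group(1) for m in DENIED.finditer(log_text))
    return {ip: (n, may_send_proxy_header(ip, acls, rules)) for ip, n in hits.items()}

if __name__ == "__main__":
    for ip, (count, allowed) in denied_sources(CACHE_LOG, SQUID_CONF).items():
        print(f"{ip}: {count} denied connection(s), allowed by current rules: {allowed}")
```

Each address reported as not allowed is a host connecting to the require-proxy-header port without matching any proxy_protocol_access allow rule, which is the situation the reply describes for 10.10.8.66.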


