[squid-dev] Basic tests results for the proxy protocol with squid.
Amos Jeffries
squid3 at treenet.co.nz
Fri Mar 13 08:54:35 UTC 2015
On 13/03/2015 9:07 p.m., Eliezer Croitoru wrote:
> I started testing squid 3.5.2 with the proxy protocol and I have set up
> basic haproxy settings for it.
> http://ngtech.co.il/paste/1287/
>
> copy of the logs at:
> http://www1.ngtech.co.il/paste/1288/
>
> While testing I started first haproxy with regular squid forward proxy
> and then moved to a proxy protocol supported forward proxy setup.
>
> While with forward proxy the ACLs seem to work fine with the proxy
> protocol, I am encountering a couple of weird things:
> 1426233543.491 28 192.168.10.131 TCP_MISS/404 611 GET http://ngtech.co.il/favico.ico - HIER_DIRECT/84.95.212.160 text/html
> 1426233562.110 29091 192.168.10.131 TCP_TUNNEL/200 3374 CONNECT tiles.services.mozilla.com:443 - HIER_DIRECT/54.149.185.208 -
> 1426233562.119 1 192.168.10.151 TCP_MISS/403 4324 GET http://ngtech.co.il/favicon.ico - HIER_NONE/- text/html
> 1426233562.122 5 192.168.10.131 TCP_MISS/403 4461 GET http://ngtech.co.il/favicon.ico - ORIGINAL_DST/192.168.10.151 text/html
> 1426233562.259 1 192.168.10.151 TCP_MISS/403 4382 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> 1426233562.261 3 192.168.10.131 TCP_MISS/403 4519 GET http://www.squid-cache.org/Artwork/SN.png - ORIGINAL_DST/192.168.10.151 text/html
> 1426233562.294 1 192.168.10.151 TCP_MISS/403 4306 GET http://ngtech.co.il/favicon.ico - HIER_NONE/- text/html
> 1426233562.296 2 192.168.10.131 TCP_MISS/403 4443 GET http://ngtech.co.il/favicon.ico - ORIGINAL_DST/192.168.10.151 text/html
>
>
> The first two requests are on the regular forward proxy port.
> Then the 403 response is not a TCP_DENIED, but I am still watching the
> screen and see a squid access denied page which is identified by the
> local proxy name.
MISS/403 usually means the server contacted supplied the 403.
What's the 192.168.10.151 server, and which port is it being contacted on?
> Why would I see an "ORIGINAL_DST" at all in these requests??? there is
> none...(else then the haproxy).
The PROXY protocol is providing Squid with both the src-IP and dst-IP.
Squid is using those as the client IP and ORIGINAL_DST.
>
> So summary of the setup:
> 1 host with both squid and haproxy installed and configured for proxy
> protocol version 1 (version 2 didn't work for me at all)
> haproxy listens on one port (13128) and squid receives the requests on
> the loopback interface (port 23128).
>
> I think it's a bug but first I am putting the details here in the dev
> list and later next week I will file a bugzilla report.
Not working the same with v2 of the protocol is a bug.
I'm not sure how we could handle the dst-IP differently. By using the
PROXY protocol we explicitly trust the haproxy frontend to supply the
correct IPs.
Amos
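To make concrete what Amos describes above (the PROXY header carrying a src-IP that becomes the client IP and a dst-IP that becomes ORIGINAL_DST, and the receiver trusting whatever frontend sends it), here is an added example that is not part of the thread and not code from Squid or haproxy. It parses both v1 (text) and v2 (binary) PROXY headers, gates them on a trusted-frontend list the way Squid's proxy_protocol_access does in spirit, and returns the client IP, original destination and the start of the real request. The addresses and ports in the demo are constructed from the thread's setup (LAN client 192.168.10.131, haproxy on 13128, squid on loopback 23128); the function names, the `accept_connection` gate and the trusted-network list are this example's own assumptions.

```python
"""PROXY protocol v1/v2 header parser, as haproxy -> squid would carry it (added example)."""
import ipaddress
import struct

V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte magic that starts every v2 header
V1_MAX_LINE = 107                         # spec: a v1 line incl. CRLF is at most 107 bytes


def parse_proxy_header(data):
    """Split a leading PROXY header off `data`.

    Returns (info, rest): `info` holds the addresses the frontend claims for the real
    client (src) and the real destination (dst); `rest` is the client's own byte stream
    (e.g. the HTTP request). Raises ValueError on anything malformed so a caller drops
    the connection instead of guessing.
    """
    if data.startswith(b"PROXY "):
        return _parse_v1(data)
    if data.startswith(V2_SIGNATURE):
        return _parse_v2(data)
    raise ValueError("no PROXY protocol header at start of connection")


def _port(text):
    # v1 ports are decimal ASCII, no leading zeros, 0..65535
    if not text.isdigit() or len(text) > 5 or (len(text) > 1 and text[0] == "0"):
        raise ValueError("bad port %r" % text)
    port = int(text)
    if port > 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def _parse_v1(data):
    end = data.find(b"\r\n", 0, V1_MAX_LINE)
    if end < 0:
        raise ValueError("v1 header missing CRLF within %d bytes" % V1_MAX_LINE)
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        # Frontend could not determine the addresses: spec says ignore the rest of the
        # line and use the TCP connection's own addresses.
        return {"version": 1, "proto": "UNKNOWN"}, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed v1 header: %r" % data[:end])
    _, proto, src, dst, sport, dport = fields
    want = 4 if proto == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match %s" % proto)
    return {"version": 1, "proto": proto, "src": str(src_ip), "dst": str(dst_ip),
            "src_port": _port(sport), "dst_port": _port(dport)}, rest


def _parse_v2(data):
    if len(data) < 16:
        raise ValueError("truncated v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version %d" % (ver_cmd >> 4))
    command, family, proto = ver_cmd & 0x0F, fam_proto >> 4, fam_proto & 0x0F
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) != length:
        raise ValueError("v2 header truncated: need %d address bytes" % length)
    if command == 0x0:  # LOCAL (e.g. health check): use the TCP connection's own addresses
        return {"version": 2, "command": "LOCAL"}, rest
    if command != 0x1:
        raise ValueError("unknown v2 command 0x%x" % command)
    if proto != 0x1:  # only STREAM (TCP) makes sense in front of a proxy
        raise ValueError("unsupported transport 0x%x" % proto)
    if family == 0x1:
        fmt, name = "!4s4sHH", "TCP4"
    elif family == 0x2:
        fmt, name = "!16s16sHH", "TCP6"
    else:
        raise ValueError("unsupported address family 0x%x" % family)
    need = struct.calcsize(fmt)
    if length < need:
        raise ValueError("v2 address block too short for %s" % name)
    src, dst, sport, dport = struct.unpack(fmt, body[:need])
    # Any bytes of `body` after the address block are TLVs (ALPN, TLS info ...); ignored here.
    return {"version": 2, "proto": name, "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)), "src_port": sport, "dst_port": dport}, rest


def build_v1(src, dst, sport, dport):
    """The text line haproxy's `send-proxy` puts on the wire before the client bytes."""
    version = ipaddress.ip_address(src).version
    return ("PROXY TCP%d %s %s %d %d\r\n" % (version, src, dst, sport, dport)).encode("ascii")


def build_v2(src, dst, sport, dport):
    """The binary header haproxy's `send-proxy-v2` puts on the wire (no TLVs)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family = 0x1 if s.version == 4 else 0x2
    body = s.packed + d.packed + struct.pack("!HH", sport, dport)
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, (family << 4) | 0x1, len(body)) + body


def accept_connection(peer_ip, data, trusted_frontends):
    """Hypothetical receiver-side gate: honour the header only when the TCP peer is a
    trusted frontend (the role Squid's proxy_protocol_access plays). Without this, anyone
    who can reach the port can spoof the client IP that ACLs and access.log rely on."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_frontends):
        raise PermissionError("PROXY header from untrusted peer %s" % peer_ip)
    info, rest = parse_proxy_header(data)
    client_ip = info.get("src", peer_ip)  # UNKNOWN/LOCAL: fall back to the TCP peer
    original_dst = info.get("dst")        # what shows up as ORIGINAL_DST/<ip> in the log
    return client_ip, original_dst, rest


if __name__ == "__main__":
    # Constructed sample: LAN client -> haproxy :13128 -> squid on loopback :23128.
    request = b"GET http://ngtech.co.il/favicon.ico HTTP/1.1\r\nHost: ngtech.co.il\r\n\r\n"
    for build in (build_v1, build_v2):
        wire = build("192.168.10.131", "192.168.10.151", 51234, 13128) + request
        client, dst, rest = accept_connection("127.0.0.1", wire, ["127.0.0.0/8"])
        print("client=%s ORIGINAL_DST=%s first-line=%r" % (client, dst, rest.split(b"\r\n")[0]))
```

Both header versions decode to the same facts, which is why a v1/v2 difference in behaviour is a bug in the receiver rather than a protocol matter; and because the dst field is simply believed, the ORIGINAL_DST in the logs is whatever haproxy wrote, so the trusted-peer gate is the only thing standing between a PROXY-enabled port and client-IP spoofing.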