[squid-dev] Basic tests results for the proxy protocol with squid.
Eliezer Croitoru
eliezer at ngtech.co.il
Sun Mar 15 15:32:52 UTC 2015
Hey Amos,
The setup I have used to test the proxy protocol is:
- 192.168.10.0/24 network.
- 192.168.10.131 basic forward proxy client(firefox)
- 192.168.10.151 haproxy+squid host
The haproxy is listening on port 13128 which is open on the FW.
The squid instance is listening on ports 3128 and 23128.
The settings for squid is from the release notes:
acl frontend src 127.0.0.1
http_port 23128 require-proxy-header
proxy_protocol_access allow frontend
While I have not found "proxy_protocol_access" at all in:
http://www.squid-cache.org/Doc/config/
Now indeed as you mentioned I was curios about this weird state which a
forward proxy would even look at the original_dst when in a forward
proxy mode it should not even be looked at.
What is even more weird is that the first request is being logged as
from 192.168.10.151 and the second is from 192.168.10.131.
Since the same issue happens when there is no default gateway I would
assume something is probably not happening as it was planned.
For each and every request there should be only one request happening.
I have never used the proxy protocol and my assumption is that there is
one of two:
- haproxy bad handling of the request
- squid issue with the proxy protocol handling.
I have seen that most server software which implements the proxy
protocol do use version 1 and not 2(at least the open source I have seen).
My next step would be to add a more detailed logs into the haproxy
instance and run TCPDUMP to make sure what is passing on the wires.
Eliezer
On 13/03/2015 10:54, Amos Jeffries wrote:
> On 13/03/2015 9:07 p.m., Eliezer Croitoru wrote:
>> >I started testing squid 3.5.2 with the proxy protocol and I have setup a
>> >basic haproxy settings for it.
>> >http://ngtech.co.il/paste/1287/
>> >
>> >copy of the logs at:
>> >http://www1.ngtech.co.il/paste/1288/
>> >
>> >While testing I started first haproxy with regular squid forward proxy
>> >and then moved to a proxy protocol supported forward proxy setup.
>> >
>> >While with forward proxy the acls seems to work fine with the proxy
>> >protocol I am encountering couple weird things:
>> >1426233543.491 28 192.168.10.131 TCP_MISS/404 611 GET
>> >http://ngtech.co.il/favico.ico - HIER_DIRECT/84.95.212.160 text/html
>> >1426233562.110 29091 192.168.10.131 TCP_TUNNEL/200 3374 CONNECT
>> >tiles.services.mozilla.com:443 - HIER_DIRECT/54.149.185.208 -
>> >1426233562.119 1 192.168.10.151 TCP_MISS/403 4324 GET
>> >http://ngtech.co.il/favicon.ico - HIER_NONE/- text/html
>> >1426233562.122 5 192.168.10.131 TCP_MISS/403 4461 GET
>> >http://ngtech.co.il/favicon.ico - ORIGINAL_DST/192.168.10.151 text/html
>> >1426233562.259 1 192.168.10.151 TCP_MISS/403 4382 GET
>> >http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
>> >1426233562.261 3 192.168.10.131 TCP_MISS/403 4519 GET
>> >http://www.squid-cache.org/Artwork/SN.png - ORIGINAL_DST/192.168.10.151
>> >text/html
>> >1426233562.294 1 192.168.10.151 TCP_MISS/403 4306 GET
>> >http://ngtech.co.il/favicon.ico - HIER_NONE/- text/html
>> >1426233562.296 2 192.168.10.131 TCP_MISS/403 4443 GET
>> >http://ngtech.co.il/favicon.ico - ORIGINAL_DST/192.168.10.151 text/html
>> >
>> >
>> >The first two requests are on the regular forward proxy port.
>> >Then the 403 response is not a TCP_DENIED but I am still watching the
>> >screen and see a squid access denied page which is identified by the
>> >with the local proxy name.
> MISS/403 usually means the server contacted supplied 403.
>
> Whats the 192.168.10.151 server and which port is it being contacted on?
>
>
>> >Why would I see an "ORIGINAL_DST" at all in these requests??? there is
>> >none...(else then the haproxy).
> The PROXY protocol is providing Squid with both the src-IP and dst-IP.
> Squid is using those as the client IP and ORIGINAL_DST.
>
>
>> >
>> >So summery of the setup:
>> >1 host with both squid and haproxy installed and configured for proxy
>> >protocol version 1(version 2 didn't worked for me at all)
>> >haproxy listens on one port(13128) and squid on receives the requests on
>> >the loopback interface(port 23128).
>> >
>> >I think it's a bug but first I am putting the details here in the dev
>> >list and later next week I will file a bugzilla report.
> Not working the same with v2 of the protocol is a bug.
>
> I'm not sure how we could handle the dst-IP differently. By using the
> PROXY protocol we explicitly trust the haproxy frontend to supply the
> correct IPs.
>
> Amos
More information about the squid-dev
mailing list