[squid-dev] PROXY protocol and TPROXY, can they go together?
Eliezer Croitoru
eliezer at ngtech.co.il
Fri Jun 22 10:25:23 UTC 2018
Hey Amos,
The custom LB is only there to try and filter http and non-http traffic
before the connections reach Squid.
Currently I have a prototype which intercepts using TPROXY by itself and
identifies a couple of protocols.
The reason for this LB is that I get a more flexible way around the
connection.
My code can enforce specific ACLs based on specific characteristics of
the client and/or the server.
iptables does its work fine but lacks the ability to dynamically handle
and identify specific traffic.
For example the nDPI iptables module:
- https://github.com/vel21ripn/nDPI
which is being used in a couple of products, and a similar module also exists
in many commercial products but still lacks some degree of flexibility.
The kernel land is indeed fast and maybe efficient but binds the
programmers to C and its libraries and compilers, let alone licenses.
Currently on a 40+ core machine with 128GB RAM I can run a full blown
layer 7 proxy for a big network (/16+) and the CPU is almost always
loaded below 10%.
I do not intend to develop my proxy too much since others have done this
already, but it's nice to see that more products can enter the market
easily.
Thanks,
Eliezer
On 2018-05-15 22:36, Amos Jeffries wrote:
> On 16/05/18 02:09, Eliezer Croitoru wrote:
>> Hey Squid-Dev,
>>
>> I am in the middle of writing a load balancer / router (almost done)
>> for squid with TPROXY in it.
>>
>> The load balancer sits on the Squid machine and intercepts the
>> connections.
>>
>> I want to send Squid instances a new connection on a PROXY protocol
>> enabled http_port but that squid will use TPROXY on the outgoing
>> connection based on the PROXY protocol details.
>>
>>
>>
>> Would it be possible? I think it should but not sure.
>>
>
> Maybe. Since both software are on the same machine it should get past
> the kernel protections against arbitrary spoofing.
>
> You will have to check that BOTH dst-IP:port and src-IP:port pairs are
> correctly relayed by the PROXY protocol. If not the TPROXY will end up
> with mangled socket state and undefined behaviour (probably breakage).
>
>
>>
>>
>> My plan is to try and load balance connections between multiple squid
>> instances/workers for filtering purposes and PIN each of the instances
>> to a CPU (20+ core physical host).
>>
>> How reasonable is this idea?
>
> You don't need a custom LB. iptables is sufficient, or other firewalls
> if you have a non-Linux machine.
>
>
> <https://wiki.squid-cache.org/ConfigExamples/ExtremeCarpFrontend#Frontend_Balancer_Alternative_1:_iptables>
>
> You should be able to fit those LB lines into a normal TPROXY config.
> Just replace the "-j REDIRECT" with the "-j TPROXY --tproxy-mark ...".
>
> Amos
--
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
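Amos's point that BOTH the dst-IP:port and src-IP:port pairs must be relayed intact is easy to check at the LB. The following is an added example, not code from the thread or from Squid: it builds and parses a PROXY protocol v1 header (the HAProxy-specified single-line form) for a TPROXY-intercepted connection, rejecting the UNKNOWN family and family mismatches, which would leave the TPROXY side with half the 4-tuple. The helper names and the sample addresses are assumptions of this example.

```python
import ipaddress
import re

# PROXY protocol v1 header (HAProxy spec): one ASCII line, CRLF-terminated,
# at most 107 bytes, e.g. b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 80\r\n".
# Field order is: family, src-IP, dst-IP, src-port, dst-port.
_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n$")

def build_v1_header(src_ip, src_port, dst_ip, dst_port):
    """Header the LB prepends before relaying a TPROXY-intercepted connection to
    Squid's proxy-protocol http_port. src = original client, dst = original server."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address family mismatch between src and dst")
    for port in (src_port, dst_port):
        if not 0 < port <= 65535:
            raise ValueError("port out of range")
    fam = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {fam} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")

def parse_v1_header(data):
    """Parse and validate a v1 header; return (src_ip, src_port, dst_ip, dst_port).
    Anything that does not carry a complete, consistent 4-tuple is rejected."""
    if len(data) > 107:
        raise ValueError("header too long")
    m = _V1_RE.match(data)
    if not m:
        raise ValueError("malformed PROXY v1 header")
    fam, src, dst, sport, dport = m.groups()
    if fam == b"UNKNOWN":
        raise ValueError("UNKNOWN family carries no addresses; nothing to spoof")
    src_ip = ipaddress.ip_address(src.decode())
    dst_ip = ipaddress.ip_address(dst.decode())
    want = 4 if fam == b"TCP4" else 6
    if src_ip.version != want or dst_ip.version != want:
        raise ValueError("address family does not match declared protocol")
    sport, dport = int(sport), int(dport)
    if not (0 < sport <= 65535 and 0 < dport <= 65535):
        raise ValueError("port out of range")
    return str(src_ip), sport, str(dst_ip), dport

def roundtrip_ok(src_ip, src_port, dst_ip, dst_port):
    """The check from the thread: both address:port pairs survive the relay."""
    hdr = build_v1_header(src_ip, src_port, dst_ip, dst_port)
    return parse_v1_header(hdr) == (src_ip, src_port, dst_ip, dst_port)
```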