[squid-users] HAProxy + Squid

Amos Jeffries squid3 at treenet.co.nz
Fri Aug 16 07:18:08 UTC 2019


On 16/08/19 8:46 am, Service MV wrote:
> Thank you, Amos. Taking into account your and Rafael's recommendations,
> I configured HAProxy and Squid to use the PROXY protocol instead of
> reformatting the messages.
> At the moment I disabled authentication, due to internal requirements.
> I had a hard time dealing with the HAProxy health checks, but I was able
> to fix it.
> However, by configuring Squid in this way, I had a last problem that I
> didn't expect:
> Squid reports the client's IP to my internet gateway instead of their
> own IP.

Your Squid should be using its own machines default IP to connect at the
TCP level, and you have "forwarded_for off" already to prevent it adding
the X-Forwarded-For header.

Maybe HAProxy is adding it to the headers still. But I do not see the
config option that is supposed to need in your haproxy.cnf

Maybe the server is getting the info some other way directly from the
client?


> 
> squid.conf
> acl localnet src 192.168.12.1-192.168.13.254# my clients IP's
> acl localnet src 192.168.11.80# haproxy IP
> 
...

> # implementation of core access policies
> proxy_protocol_access allow localnet

Careful. Since localnet includes your client IPs this means clients can
connect directly to Squid and send forged PROXY details.

You should have another src ACL that matches only the HAProxy IP. Use
that here.

...
> forwarded_for off
> 


Either "transparent" or "delete" would seem to suite your needs better here.


Amos


More information about the squid-users mailing list