[squid-users] AWS NLB Proxy Protocol V2

Alex Rousskov rousskov at measurement-factory.com
Mon Oct 18 17:48:57 UTC 2021


On 10/18/21 12:11 PM, Ty Martin wrote:

> I am looking to run Squid as a forward proxy with basic auth in Docker
> on AWS ECS behind a network load balancer. I seem to have things up and
> running for the most part; however, I am having difficulty in getting
> proxy protocol to work so that I get access to client IP addresses
> beyond that of the private IPs of my NLB. As soon as I enable proxy
> protocol v2 on the AWS NLB, requests to Squid start failing with errors
> similar to the following:
> 
> Squid log: `1634330668.200      5 <nlb-private-ip> NONE_NONE/400 2032 - error:invalid-request - HIER_NONE/- text/html`
> Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`

> http_port 3128

You must use require-proxy-header http_port option to tell Squid to
always expect/require PROXY protocol messages on connections to that
listening port. Otherwise, Squid will expect naked HTTP traffic and
fail to parse incoming (PROXY protocol) connection bytes.

According to proxy_protocol_access documentation, after adding
require-proxy-header to http_port, you must also use
proxy_protocol_access to tell Squid which TCP connections to allow on
that port (and, hence, which PROXY protocol messages to trust). Denied
connections will be closed.


HTH,

Alex.
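A squid.conf fragment showing the broken setting from the original post beside the configuration Alex describes. This is an added example, not code from the thread or from the Squid project; the NLB subnet and the auth helper path are assumed placeholders.

```conf
# Broken: Squid expects plain HTTP on this port, so the PROXY v2 preamble the
# NLB sends at the start of each connection fails to parse
# (NONE_NONE/400 error:invalid-request, ERR_PROTOCOL_UNKNOWN on the client).
# http_port 3128

# Fixed: require a PROXY protocol header on every connection to this port.
http_port 3128 require-proxy-header

# proxy_protocol_access is evaluated against the TCP peer, i.e. the NLB's
# private address, not the end client, so only the load balancer's subnets
# may supply PROXY headers; connections from anywhere else are closed.
# 10.0.0.0/16 is a placeholder for the VPC subnets holding the NLB's
# private IPs.
acl nlb_subnets src 10.0.0.0/16
proxy_protocol_access allow nlb_subnets
proxy_protocol_access deny all

# Once the PROXY header is accepted, the client address Squid uses for
# http_access checks, authentication and access.log is the one carried
# in that header rather than the NLB's private IP.
# Helper path is an assumption; adjust for your distribution.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```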

