[squid-users] AWS NLB Proxy Protocol V2
Ty Martin
ty at vergesense.com
Mon Oct 18 21:16:02 UTC 2021
Ah, yep. Adding the following to my config got things working in AWS:
```
acl private src 172.0.0.0/8
proxy_protocol_access allow private
http_port 3128 require-proxy-header
```
I was trying to test it locally without success by running the Docker
container and hitting it with a curl along the lines of:
`curl --proxy http://<un>:<pw>@localhost:3128 -v --header "X-Forwarded-For: 192.168.0.2" https://www.google.com`
--- Resulting Squid logs ---
```
squid-proxy_1 | 2021/10/18 19:55:33| PROXY protocol error: invalid magic
squid-proxy_1 | exception location: Parser.cc(260) Parse from conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
squid-proxy_1 | connection: conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
```
--- Resulting client logs ---
```
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted
```
Any idea offhand what I'm missing from the local testing scenario? I
thought adding a "X-Forwarded-For" header via curl would be treated as
proxy protocol v1 by Squid, but the "invalid magic" protocol error gives me
the impression I'm not going about it the right way.
On Mon, Oct 18, 2021 at 12:48 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 10/18/21 12:11 PM, Ty Martin wrote:
>
> > I am looking to run Squid as a forward proxy with basic auth in Docker
> > on AWS ECS behind a network load balancer. I seem to have things up and
> > running for the most part; however, I am having difficulty in getting
> > proxy protocol to work so that I get access to client IP addresses
> > beyond that of the private IPs of my NLB. As soon as I enable proxy
> > protocol v2 on the AWS NLB, requests to Squid start failing with errors
> > similar to the following:
> >
> > Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 -
> > error:invalid-request - HIER_NONE/- text/html`
> > Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
>
> > http_port 3128
>
> You must use require-proxy-header http_port option to tell Squid to
> always expect/require PROXY protocol messages on connections to that
> listening port. Otherwise, Squid will expect naked HTTP traffic and
> fail to parse incoming (PROXY protocol) connection bytes.
>
> According to proxy_protocol_access documentation, after adding
> require-proxy-header to http_port, you must also use
> proxy_protocol_access to tell Squid which TCP connections to allow on
> that port (and, hence, which PROXY protocol messages to trust). Denied
> connections will be closed.
>
>
> HTH,
>
> Alex.
>
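Editor's added example (not part of the list post and not Squid's own code) illustrating why the local curl test fails: `require-proxy-header` makes Squid expect a PROXY protocol header as the very first bytes of the TCP connection, not an HTTP header such as `X-Forwarded-For`. The v2 header starts with a fixed 12-byte signature, and a connection that instead begins with `CONNECT ...` is exactly what Squid reports as "invalid magic". The code below builds and parses v1 and v2 headers for TCP over IPv4 and includes a helper that sends one ahead of an HTTP request to a local Squid. The IP addresses, ports and the `connect_via_local_squid` helper are constructed for the example; the header layout follows the published PROXY protocol specification.

```python
"""Build and parse PROXY protocol headers (v1 text, v2 binary) to see what a
listener configured with require-proxy-header expects at the start of a
TCP connection. Layout follows the HAProxy PROXY protocol specification."""
import socket
import struct

# Every PROXY protocol v2 header starts with this 12-byte signature.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Human-readable v1 header: a single CRLF-terminated line."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")


def build_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Binary v2 header announcing a proxied TCP-over-IPv4 connection."""
    ver_cmd = 0x21    # version 2 (high nibble), command PROXY (low nibble)
    fam_proto = 0x11  # AF_INET (high nibble), SOCK_STREAM (low nibble)
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    # 16-byte fixed prefix: signature, ver/cmd, fam/proto, big-endian length
    return V2_SIGNATURE + struct.pack("!BBH", ver_cmd, fam_proto, len(addrs)) + addrs


def parse_v2_header(data):
    """Decode a v2 header from the start of a connection's bytes.
    Returns (src_ip, dst_ip, src_port, dst_port, bytes_after_header)."""
    if not data.startswith(V2_SIGNATURE):
        raise ValueError("invalid magic")  # the condition Squid logs
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if ver_cmd & 0x0F != 1:
        # LOCAL command (e.g. a load-balancer health check): no addresses
        return None, None, None, None, data[16 + length:]
    if fam_proto != 0x11:
        raise ValueError("only TCP over IPv4 is handled in this example")
    body = data[16:16 + length]
    src_ip = socket.inet_ntoa(body[0:4])
    dst_ip = socket.inet_ntoa(body[4:8])
    src_port, dst_port = struct.unpack("!HH", body[8:12])
    return src_ip, dst_ip, src_port, dst_port, data[16 + length:]


def classify_connection_start(data):
    """Report what kind of bytes open a connection, as the listener sees them."""
    if data.startswith(V2_SIGNATURE):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    return "http"  # naked HTTP, which is all curl sends without a PROXY header


def connect_via_local_squid(client_ip, host="127.0.0.1", port=3128, version=2):
    """Send a PROXY header and then a plain HTTP request to a local Squid and
    return its status line. Needs a running Squid whose proxy_protocol_access
    allows this TCP peer; constructed helper, not run by the test."""
    if version == 2:
        header = build_v2_header(client_ip, host, 40000, port)
    else:
        header = build_v1_header(client_ip, host, 40000, port)
    request = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(header + request)
        return sock.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    hdr = build_v2_header("192.168.0.2", "172.24.0.2", 65426, 3128)
    print(hdr.hex(), parse_v2_header(hdr)[:4])
    print(classify_connection_start(b"CONNECT www.google.com:443 HTTP/1.1\r\n"))
```

Squid only honours the addresses in the header when the TCP peer that sent it matches `proxy_protocol_access`; that rule is the trust boundary, because any peer allowed past it can put an arbitrary client address in the header. For a local test the peer is the Docker bridge address (172.24.0.1 in the logs above), so that is the source the allow rule must cover.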