[squid-users] AWS NLB Proxy Protocol V2
Alex Rousskov
rousskov at measurement-factory.com
Mon Oct 18 22:32:51 UTC 2021
On 10/18/21 5:16 PM, Ty Martin wrote:
> Ah, yep. Adding the following to my config got things working in AWS:
> acl private src 172.0.0.0/8
> proxy_protocol_access allow private
> http_port 3128 require-proxy-header
> I was trying to test it locally without success by running the Docker
> container and hitting it with a curl along the lines of:
> `curl --proxy http://<un>:<pw>@localhost:3128 -v --header "X-Forwarded-For: 192.168.0.2" https://www.google.com`
To test using curl, try curl --haproxy-protocol ...
PROXY protocol (all versions) is not HTTP.
Alex.
> --- Resulting Squid logs ---
> ```
> squid-proxy_1 | 2021/10/18 19:55:33| PROXY protocol error: invalid magic
> squid-proxy_1 | exception location: Parser.cc(260) Parse from conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
> squid-proxy_1 | connection: conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
> ```
>
> --- Resulting client logs ---
> ```
> * Proxy CONNECT aborted
> * CONNECT phase completed!
> * Closing connection 0
> curl: (56) Proxy CONNECT aborted
> ```
>
> Any idea offhand what I'm missing from the local testing scenario? I
> thought adding a "X-Forwarded-For" header via curl would be treated as
> proxy protocol v1 by Squid, but the "invalid magic" protocol error gives
> me the impression I'm not going about it the right way.
>
> On Mon, Oct 18, 2021 at 12:48 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
>
> On 10/18/21 12:11 PM, Ty Martin wrote:
>
> > I am looking to run Squid as a forward proxy with basic auth in Docker
> > on AWS ECS behind a network load balancer. I seem to have things up and
> > running for the most part; however, I am having difficulty in getting
> > proxy protocol to work so that I get access to client IP addresses
> > beyond that of the private IPs of my NLB. As soon as I enable proxy
> > protocol v2 on the AWS NLB, requests to Squid start failing with errors
> > similar to the following:
> >
> > Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 - error:invalid-request - HIER_NONE/- text/html`
> > Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
>
> > http_port 3128
>
> You must use require-proxy-header http_port option to tell Squid to
> always expect/require PROXY protocol messages on connections to that
> listening port. Otherwise, Squid will expect naked HTTP traffic and
> fail to parse incoming (PROXY protocol) connection bytes.
>
> According to proxy_protocol_access documentation, after adding
> require-proxy-header to http_port, you must also use
> proxy_protocol_access to tell Squid which TCP connections to allow on
> that port (and, hence, which PROXY protocol messages to trust). Denied
> connections will be closed.
>
>
> HTH,
>
> Alex.
>
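The thread turns on one point: a `require-proxy-header` port expects the connection to open with a PROXY protocol header, not with HTTP, so a plain `CONNECT` (with or without an `X-Forwarded-For` header) fails the signature check and Squid logs "invalid magic". The following Python script is an added example, not Squid code and not from the original thread: it builds the text v1 header that `curl --haproxy-protocol` sends and the binary v2 header that AWS NLB sends, parses either one back out of a connection's first bytes, and models the order described in Alex's reply (the `proxy_protocol_access` ACL is checked against the TCP peer, i.e. the load balancer, and only then is the client address taken from the header). The request bytes, addresses and ports are constructed for illustration, and the `accept_connection` function is a simplified model of that ordering, not Squid's actual implementation.

```python
"""Model of how a PROXY-protocol-aware listener (such as a Squid
require-proxy-header port) treats the first bytes of a connection.
Added example; not Squid source code."""
import ipaddress
import socket
import struct

# 12-byte PROXY protocol v2 signature ("magic") defined by the HAProxy spec.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"


def build_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Text header of the kind `curl --haproxy-protocol` puts in front of its request."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()


def build_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Binary v2 header for an IPv4/TCP connection (the variant an NLB emits)."""
    ver_cmd = 0x21    # high nibble: version 2; low nibble: PROXY command
    fam_proto = 0x11  # high nibble: AF_INET; low nibble: STREAM (TCP)
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    return PP2_SIGNATURE + struct.pack("!BBH", ver_cmd, fam_proto, len(addrs)) + addrs


def parse_proxy_header(data):
    """Return (version, src_ip, src_port, dst_ip, dst_port, payload).

    Raises ValueError("invalid magic") when the bytes start with neither the
    v2 signature nor the v1 "PROXY " prefix, which is what a plain HTTP
    request looks like to a port that requires the PROXY header.
    """
    if data.startswith(PP2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("invalid magic")
        if fam_proto != 0x11:
            raise ValueError("unsupported address family/protocol")
        body = data[16:16 + length]
        if len(body) < 12:
            raise ValueError("truncated PROXY v2 address block")
        src_ip = socket.inet_ntoa(body[0:4])
        dst_ip = socket.inet_ntoa(body[4:8])
        src_port, dst_port = struct.unpack("!HH", body[8:12])
        return (2, src_ip, src_port, dst_ip, dst_port, data[16 + length:])
    if data.startswith(b"PROXY "):
        line, sep, payload = data.partition(b"\r\n")
        if not sep:
            raise ValueError("truncated PROXY v1 header")
        fields = line.decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] != "TCP4":
            raise ValueError("unsupported PROXY v1 header")
        return (1, fields[2], int(fields[4]), fields[3], int(fields[5]), payload)
    raise ValueError("invalid magic")


def accept_connection(peer_ip, first_bytes, trusted_net="172.0.0.0/8"):
    """Simplified model (assumption, not Squid's code) of the order from the
    thread: the access rule is evaluated against the TCP peer (the load
    balancer), then the header is parsed and the address inside it becomes
    the request's client address."""
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(trusted_net):
        return ("denied", None)  # denied connections are closed
    version, src_ip, src_port, dst_ip, dst_port, payload = parse_proxy_header(first_bytes)
    return ("allowed", {"version": version, "client": f"{src_ip}:{src_port}", "payload": payload})


if __name__ == "__main__":
    # Constructed sample request; addresses mirror the thread's log lines.
    request = b"CONNECT www.google.com:443 HTTP/1.1\r\nHost: www.google.com:443\r\n\r\n"
    v1 = build_v1_header("192.168.0.2", "172.24.0.2", 65426, 3128) + request
    v2 = build_v2_header("192.168.0.2", "172.24.0.2", 65426, 3128) + request
    print(accept_connection("172.24.0.1", v1))
    print(accept_connection("172.24.0.1", v2))
    try:
        accept_connection("172.24.0.1", request)  # plain HTTP, no PROXY header
    except ValueError as err:
        print("PROXY protocol error:", err)
```

Running the script with a plain `CONNECT` as the first bytes reproduces the "invalid magic" failure from the thread, while the same request preceded by either header is accepted with `192.168.0.2` reported as the client. The `src` ACL in `proxy_protocol_access` is matched against the peer address (here `172.24.0.1`), which is why the configuration in the thread lists the load balancer's private range rather than end-client addresses.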