[squid-users] AWS NLB Proxy Protocol V2
Ty Martin
ty at vergesense.com
Wed Oct 20 17:09:37 UTC 2021
Got it. Thanks for your help, Alex!
On Tue, Oct 19, 2021 at 9:27 PM Alex Rousskov <rousskov at measurement-factory.com> wrote:
> On 10/19/21 4:56 PM, Ty Martin wrote:
>
> > That `--haproxy-protocol` option seems like it should have done the
> > trick. Am I just shooting myself in the foot with bad curl commands?
>
> It looks like curl --haproxy-protocol does not work the way you want for
> HTTPS requests sent through HTTP proxies:
>
> > curl --haproxy-protocol -x http://127.0.0.1:3128/ https://...
> >> CONNECT localhost:443 HTTP/1.1
> ...
> > < HTTP/1.1 200 Connection established
> >
> > * Proxy replied 200 to CONNECT request
> > * CONNECT phase completed!
>
> >> PROXY TCP4 127.0.0.1 127.0.0.1 35628 3128
>
> The above PROXY protocol message is sent to the HTTP origin server
> inside the CONNECT tunnel instead of being sent to Squid _before_ the
> tunnel.
>
>
> A similar curl command "works" for plain HTTP requests (because, without
> CONNECT, it is impossible to distinguish the target of the PROXY
> protocol message):
>
> > curl --haproxy-protocol -x http://127.0.0.1:3128/ http://...
> > * Connected to 127.0.0.1 (127.0.0.1) port 3128 (#0)
> >> PROXY TCP4 127.0.0.1 127.0.0.1 35634 3128
> >> GET http://... HTTP/1.1
>
> FWIW, my v5.2-based Squid groks the above correctly, forwarding the
> request (if proxy_protocol_access allows it). This indicates that the
> basic PROXY protocol support in my Squid works.
>
>
> Unfortunately, there is no curl --proxy-haproxy-protocol (yet?) so you
> will need to find another way to test. Alternatively, you can share
> Squid debugging logs and/or packet captures when using your network load
> balancer.
>
>
> Alex.
>
>
> > On Mon, Oct 18, 2021 at 5:32 PM Alex Rousskov wrote:
> >
> > On 10/18/21 5:16 PM, Ty Martin wrote:
> > > Ah, yep. Adding the following to my config got things working in AWS:
> >
> > > acl private src 172.0.0.0/8
> > > proxy_protocol_access allow private
> > > http_port 3128 require-proxy-header
> >
> >
> > > I was trying to test it locally without success by running the Docker
> > > container and hitting it with a curl along the lines of:
> > > `curl --proxy http://<un>:<pw>@localhost:3128 -v --header
> > > "X-Forwarded-For: 192.168.0.2" https://www.google.com`
> >
> > To test using curl, try curl --haproxy-protocol ...
> >
> > PROXY protocol (all versions) is not HTTP.
> >
> > Alex.
> >
> >
> > > --- Resulting Squid logs ---
> > > ```
> > > squid-proxy_1 | 2021/10/18 19:55:33| PROXY protocol error: invalid magic
> > > squid-proxy_1 | exception location: Parser.cc(260) Parse from conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
> > > squid-proxy_1 | connection: conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
> > > ```
> > >
> > > --- Resulting client logs ---
> > > ```
> > > * Proxy CONNECT aborted
> > > * CONNECT phase completed!
> > > * Closing connection 0
> > > curl: (56) Proxy CONNECT aborted
> > > ```
> > >
> > > Any idea offhand what I'm missing from the local testing scenario? I
> > > thought adding a "X-Forwarded-For" header via curl would be treated as
> > > proxy protocol v1 by Squid, but the "invalid magic" protocol error gives
> > > me the impression I'm not going about it the right way.
> > >
> > > On Mon, Oct 18, 2021 at 12:48 PM Alex Rousskov
> > > <rousskov at measurement-factory.com> wrote:
> > >
> > > On 10/18/21 12:11 PM, Ty Martin wrote:
> > >
> > > > I am looking to run Squid as a forward proxy with basic auth in Docker
> > > > on AWS ECS behind a network load balancer. I seem to have things up and
> > > > running for the most part; however, I am having difficulty in getting
> > > > proxy protocol to work so that I get access to client IP addresses
> > > > beyond that of the private IPs of my NLB. As soon as I enable proxy
> > > > protocol v2 on the AWS NLB, requests to Squid start failing with errors
> > > > similar to the following:
> > > >
> > > > Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 -
> > > > error:invalid-request - HIER_NONE/- text/html`
> > > > Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
> > >
> > > > http_port 3128
> > >
> > > You must use require-proxy-header http_port option to tell Squid to
> > > always expect/require PROXY protocol messages on connections to that
> > > listening port. Otherwise, Squid will expect naked HTTP traffic and
> > > fail to parse incoming (PROXY protocol) connection bytes.
> > >
> > > According to proxy_protocol_access documentation, after adding
> > > require-proxy-header to http_port, you must also use
> > > proxy_protocol_access to tell Squid which TCP connections to allow on
> > > that port (and, hence, which PROXY protocol messages to trust). Denied
> > > connections will be closed.
> > >
> > >
> > > HTH,
> > >
> > > Alex.
> > >
> >
>
>
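The thread leaves two practical gaps: Alex notes that curl cannot put a PROXY protocol message in front of a CONNECT request (so there is no off-the-shelf way to reproduce the NLB locally), and Ty's "invalid magic" error is never spelled out at the byte level. The script below is an added example written for this page; it is not code from the thread, from Squid or from curl. It builds the binary v2 header an NLB sends and the text v1 header curl emits, parses both (rejecting anything else with the same "invalid magic" complaint Squid logs, because the stream does not start with either signature), and then sends a v2 header followed by CONNECT to a local Squid. It assumes Squid listens on 127.0.0.1:3128 with `require-proxy-header` and a `proxy_protocol_access` rule that allows 127.0.0.1; the source port 40000 and the client IP 192.168.0.2 inside the header are constructed values, and only IPv4/TCP is handled.

```python
import socket
import struct

# PROXY protocol v2 fixed 12-byte signature: the "magic" a receiver checks first.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION_PROXY = 0x21   # high nibble: version 2, low nibble: PROXY command
PP2_FAMILY_TCP4 = 0x11     # high nibble: AF_INET, low nibble: STREAM (TCP)


def build_proxy_v2_header(src_ip, dst_ip, src_port, dst_port):
    """Binary v2 header for an IPv4/TCP connection, the form an AWS NLB sends."""
    addresses = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                 + struct.pack("!HH", src_port, dst_port))
    return (PP2_SIGNATURE + bytes([PP2_VERSION_PROXY, PP2_FAMILY_TCP4])
            + struct.pack("!H", len(addresses)) + addresses)


def build_proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Text v1 header, the form curl --haproxy-protocol emits."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()


def parse_proxy_header(data):
    """Parse the PROXY header at the start of a byte stream.

    Returns (fields, consumed): fields has version, src_ip, dst_ip, src_port,
    dst_port; consumed is how many bytes the header took, so the caller knows
    where the HTTP request begins. Raises ValueError("... invalid magic") when
    the stream starts with neither signature, which is what happens when plain
    HTTP (e.g. curl's CONNECT line) reaches a require-proxy-header port.
    """
    if data.startswith(PP2_SIGNATURE):
        if len(data) < 16:
            raise ValueError("PROXY v2 header truncated")
        ver_cmd, family, addr_len = struct.unpack("!BBH", data[12:16])
        if ver_cmd != PP2_VERSION_PROXY:
            raise ValueError("unsupported PROXY v2 version/command")
        if len(data) < 16 + addr_len:
            raise ValueError("PROXY v2 header truncated")
        if family != PP2_FAMILY_TCP4 or addr_len < 12:
            raise ValueError("only IPv4/TCP is handled in this example")
        body = data[16:16 + addr_len]
        src_port, dst_port = struct.unpack("!HH", body[8:12])
        fields = {"version": 2, "src_ip": socket.inet_ntoa(body[0:4]),
                  "dst_ip": socket.inet_ntoa(body[4:8]),
                  "src_port": src_port, "dst_port": dst_port}
        return fields, 16 + addr_len
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n")
        if end < 0:
            raise ValueError("PROXY v1 header truncated")
        parts = data[:end].decode("ascii").split(" ")
        if len(parts) != 6 or parts[1] != "TCP4":
            raise ValueError("malformed PROXY v1 header")
        fields = {"version": 1, "src_ip": parts[2], "dst_ip": parts[3],
                  "src_port": int(parts[4]), "dst_port": int(parts[5])}
        return fields, end + 2
    raise ValueError("PROXY protocol error: invalid magic")


def connect_through_squid(proxy_ip, proxy_port, client_ip, target_host,
                          target_port, version=2):
    """Send a PROXY header *before* CONNECT (what curl cannot do) and return
    Squid's status line. proxy_ip must be an IPv4 literal; 40000 is a
    constructed source port."""
    if version == 2:
        header = build_proxy_v2_header(client_ip, proxy_ip, 40000, proxy_port)
    else:
        header = build_proxy_v1_header(client_ip, proxy_ip, 40000, proxy_port)
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode()
    with socket.create_connection((proxy_ip, proxy_port), timeout=5) as sock:
        sock.sendall(header + request)
        reply = sock.recv(4096)
    return reply.split(b"\r\n", 1)[0].decode("latin-1")


if __name__ == "__main__":
    # Assumed local test setup: Squid with require-proxy-header on 127.0.0.1:3128.
    print(connect_through_squid("127.0.0.1", 3128, "192.168.0.2",
                                "www.google.com", 443))
```

With the assumed config, a correct run prints `HTTP/1.1 200 Connection established` and Squid's access log shows 192.168.0.2 as the client instead of 127.0.0.1; if `proxy_protocol_access` denies 127.0.0.1, Squid closes the connection and `recv` returns nothing, which is the same "denied connections will be closed" behaviour Alex describes. The parser makes the earlier failure concrete: feed it the bytes curl actually sent (`CONNECT ...` with an `X-Forwarded-For` header) and it raises "invalid magic", because neither signature is present; `X-Forwarded-For` lives inside HTTP, while the PROXY header sits in front of it on the wire. The address inside the header is only as trustworthy as the peer that sent it, which is why Squid ties acceptance to `proxy_protocol_access` rather than to the header contents.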