NityaIyer
2018-10-23 18:45:41 UTC
Hello,
I really need help with this issue.
I have a Squid application running on an instance behind a Network Load
Balancer [NLB] in the AWS cloud. Due to my use case, I have enabled PROXY
protocol on the load balancer so that my backend instance can receive the
PROXY protocol header.
A few details:
- The Network Load Balancer is sending a PROXY protocol version 2 header.
- Squid version: 3.5.20
- TCP listening on 3128 on both the load balancer and my instance
As per the release notes [1], below is the configuration of my Squid
application:
********************************************************************
acl abc src 10.9.0.0/21 #My local network
proxy_protocol_access allow abc
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
%<la %<lp %<a %<p %<rd %>rd proxy_protocol_access allow abc
http_port 3128 accel require-proxy-header
http_port 3128
***********************************************************************************
On testing, I find the logs below in Squid's cache log. Somehow, Squid is
not interpreting the PROXY protocol version 2 [PPv2] header:
2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from
local=10.9.7.165:3128 remote=10.9.7.170:43730 FD 10 flags=1
2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from
local=10.9.7.165:3128 remote=10.9.7.170:61432 FD 10 flags=1
2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from
local=10.9.7.165:3128 remote=10.9.7.170:16783 FD 10 flags=1
10.9.7.170 is the private IP of the load balancer and 10.9.7.165 is the
instance itself.
To be noted:
- I configured Apache on the same box and Apache can successfully parse the
PROXY protocol version 2 header received from the NLB. I can successfully see
the client IP address in Apache's access log.
**************************************************************************************
10.9.7.170 80 18.222.29.158 45634 - - [11/Oct/2018:15:15:18 +0000] "GET /
HTTP/1.1" 200 166 "-" "curl/7.53.1"
10.9.7.170 80 18.222.29.158 45638 - - [11/Oct/2018:15:17:15 +0000] "GET /
HTTP/1.1" 200 166 "-" "curl/7.53.1"
*************************************************************************************
10.9.7.170 is the private IP of my NLB and 18.222.29.158 is my dummy box, i.e.
the client IP address.
- I used the same Squid configuration to intercept a PROXY protocol version 1
header and, surprisingly, it works for the version 1 header:
******************************************************************************************************
1539282729.144 0 18.222.29.158 TCP_DENIED/403 470 HEAD
http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1
18.203.114.1 proxy_protocol_access allow abc
1539286165.754 0 18.222.29.158 TCP_DENIED/403 4027 GET
http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1
18.203.114.1 proxy_protocol_access allow abc
1539286185.310 0 18.222.29.158 TCP_DENIED/403 4027 GET
http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1
18.203.114.1 proxy_protocol_access allow abc
***************************************************************************************************
Where 18.222.29.158 is my dummy box, i.e. the client IP.
In summary, based on my analysis there is something I am missing or don't
know, but Squid is not intercepting with the PPv2 header. Any help is greatly
appreciated.
Thank you
Regards
Nitya
Reference: [1]
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.20-RELEASENOTES.html#ss2.7
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
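The "PROXY protocol error: invalid header" lines above are Squid rejecting the bytes at the start of the TCP stream. What follows is an added example, not code from the original post or from the Squid project: a parser and builder for PROXY protocol v1 and v2 headers as defined in the HAProxy specification, so that the first bytes of a connection captured in front of the backend (for example with tcpdump) can be checked independently of Squid. The sample header is constructed here with the client and NLB addresses from the post; the custom TLV type 0xE0 and its value are chosen for illustration and are not claimed to be what an NLB sends.

```python
"""Parse and build HAProxy PROXY protocol v1/v2 headers (added example, not code
from the post or from Squid). Feed it the first bytes of a captured connection."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass, field

PP2_SIGNATURE = b"\x0d\x0a\x0d\x0a\x00\x0d\x0a\x51\x55\x49\x54\x0a"
PP1_PREFIX = b"PROXY "
AF_UNSPEC, AF_INET, AF_INET6, PROTO_STREAM = 0x0, 0x1, 0x2, 0x1   # v2 nibbles


@dataclass
class ProxyHeader:
    version: int
    command: str                  # "LOCAL" or "PROXY"
    family: str                   # "TCP4", "TCP6" or "UNKNOWN"
    src: tuple | None             # (addr, port) of the real client
    dst: tuple | None             # (addr, port) the client connected to
    header_len: int               # bytes to strip before the application data
    tlvs: dict = field(default_factory=dict)   # v2 only: type -> raw value


def parse_proxy_header(data: bytes) -> ProxyHeader:
    """Dispatch on the wire prefix; raise ValueError for anything malformed."""
    if data.startswith(PP2_SIGNATURE):
        return _parse_v2(data)
    if data.startswith(PP1_PREFIX):
        return _parse_v1(data)
    raise ValueError("stream does not start with a PROXY protocol header")


def _parse_v2(data: bytes) -> ProxyHeader:
    if len(data) < 16:
        raise ValueError("v2 header truncated before the fixed 16-byte part")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError(f"bad v2 version nibble {ver_cmd >> 4}")
    command = {0x0: "LOCAL", 0x1: "PROXY"}.get(ver_cmd & 0x0F)
    if command is None:
        raise ValueError(f"bad v2 command nibble {ver_cmd & 0x0F}")
    body = data[16:16 + length]
    if len(body) != length:
        raise ValueError(f"v2 header declares {length} bytes, only {len(body)} present")
    fam, proto = fam_proto >> 4, fam_proto & 0x0F
    if command == "LOCAL" or fam == AF_UNSPEC:   # health checks: no usable addresses
        family, src, dst, used = "UNKNOWN", None, None, length
    elif fam in (AF_INET, AF_INET6) and proto == PROTO_STREAM:
        af, n = (socket.AF_INET, 4) if fam == AF_INET else (socket.AF_INET6, 16)
        used = 2 * n + 4                       # src addr, dst addr, two 16-bit ports
        if length < used:
            raise ValueError(f"v2 address block needs {used} bytes, got {length}")
        s, d, sp, dp = struct.unpack(f"!{n}s{n}sHH", body[:used])
        family = "TCP4" if n == 4 else "TCP6"
        src, dst = (socket.inet_ntop(af, s), sp), (socket.inet_ntop(af, d), dp)
    else:
        raise ValueError(f"unsupported v2 family/proto byte 0x{fam_proto:02x}")
    tlvs, pos = {}, used     # remainder is TLVs: type(1) length(2) value
    while pos < length:
        if pos + 3 > length:
            raise ValueError("truncated TLV header")
        t, n = struct.unpack("!BH", body[pos:pos + 3])
        v = body[pos + 3:pos + 3 + n]
        if len(v) != n:
            raise ValueError(f"TLV 0x{t:02x} declares {n} bytes, only {len(v)} present")
        tlvs[t], pos = v, pos + 3 + n
    return ProxyHeader(2, command, family, src, dst, 16 + length, tlvs)


def _parse_v1(data: bytes) -> ProxyHeader:
    end = data.find(b"\r\n", 0, 107)   # a v1 line is at most 107 bytes with CRLF
    if end < 0:
        raise ValueError("v1 header has no CRLF within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) >= 2 and fields[1] == "UNKNOWN":
        return ProxyHeader(1, "PROXY", "UNKNOWN", None, None, end + 2)
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed v1 header: {data[:end]!r}")
    af = socket.AF_INET if fields[1] == "TCP4" else socket.AF_INET6
    try:
        socket.inet_pton(af, fields[2]); socket.inet_pton(af, fields[3])  # must match family
    except OSError as exc:
        raise ValueError(f"bad address in v1 header: {exc}") from None
    sp, dp = int(fields[4]), int(fields[5])
    if not (0 <= sp <= 65535 and 0 <= dp <= 65535):
        raise ValueError("port out of range in v1 header")
    return ProxyHeader(1, "PROXY", fields[1], (fields[2], sp), (fields[3], dp), end + 2)


def build_v2_header(src: tuple, dst: tuple, tlvs: dict | None = None) -> bytes:
    """Build a PROXY-command v2 header for a TCP connection, as a balancer would."""
    af, fam = (socket.AF_INET6, AF_INET6) if ":" in src[0] else (socket.AF_INET, AF_INET)
    body = socket.inet_pton(af, src[0]) + socket.inet_pton(af, dst[0]) + struct.pack("!HH", src[1], dst[1])
    for t, v in (tlvs or {}).items():
        body += struct.pack("!BH", t, len(v)) + v
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, (fam << 4) | PROTO_STREAM, len(body)) + body


if __name__ == "__main__":
    # Constructed sample with the addresses from the post; TLV 0xE0 (spec's custom
    # range) and its value are illustrative only, not what the NLB is claimed to send.
    wire = build_v2_header(("18.222.29.158", 45634), ("18.203.114.1", 3128),
                           {0xE0: b"example"}) + b"GET / HTTP/1.1\r\n\r\n"
    hdr = parse_proxy_header(wire)
    print(hdr, wire[hdr.header_len:], sep="\n")
```

Run it on the first hundred or so bytes of a captured connection: a valid v2 header is the 12-byte signature, a 0x21 version/command byte, 0x11 for TCP over IPv4, a big-endian length, then the address block and any TLVs, so a parse failure pinpoints which of those the sender got wrong, or whether the bytes are a v1 text line or plain HTTP instead. Squid's own acceptance logic is not modelled here; note that the configuration in the post declares http_port 3128 twice, once with require-proxy-header and once without.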