Discussion:
[squid-users] error in parsing Proxy protocol version 2 by Squid proxy protocol
NityaIyer
2018-10-23 18:45:41 UTC
Hello,

I really need help with this issue.

I have a Squid application running on an instance behind a Network Load
Balancer [NLB] in the AWS cloud. Due to my use case, I have enabled proxy
protocol on the load balancer so that my backend instance can receive the
proxy protocol header.

A few details:
- The network load balancer is sending proxy protocol version 2 header.
- Squid version - 3.5.20
- TCP listening on 3128 both load balancer and my instance

As per the release note [1], below is the configuration of my Squid
application
********************************************************************
acl abc src 10.9.0.0/21 #My local network
proxy_protocol_access allow abc
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %<la %<lp %<a %<p %<rd %>rd proxy_protocol_access allow abc
http_port 3128 accel require-proxy-header
http_port 3128
***********************************************************************************
On testing, I find the logs below in Squid's cache log. Somehow, the Squid
application is not interpreting the proxy protocol version 2 header [PPv2]:

2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from
local=10.9.7.165:3128 remote=10.9.7.170:43730 FD 10 flags=1

2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from
local=10.9.7.165:3128 remote=10.9.7.170:61432 FD 10 flags=1

2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from
local=10.9.7.165:3128 remote=10.9.7.170:16783 FD 10 flags=1

10.9.7.170 is the private IP of the load balancer and 10.9.7.165 is the
instance itself.

To be noted:
- I configured Apache on the same box and Apache can successfully parse the
proxy protocol version 2 header received from the NLB. I can see the
client IP address in Apache's access log.
**************************************************************************************
10.9.7.170 80 18.222.29.158 45634 - - [11/Oct/2018:15:15:18 +0000] "GET /
HTTP/1.1" 200 166 "-" "curl/7.53.1"
10.9.7.170 80 18.222.29.158 45638 - - [11/Oct/2018:15:17:15 +0000] "GET /
HTTP/1.1" 200 166 "-" "curl/7.53.1"
*************************************************************************************
10.9.7.170 is the private IP of my NLB and 18.222.29.158 is my dummy box, i.e.
the client IP address.

- I used the same Squid configuration to intercept the proxy protocol version 1
header and surprisingly it works for the version 1 header:
******************************************************************************************************
1539282729.144 0 18.222.29.158 TCP_DENIED/403 470 HEAD
http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1
18.203.114.1 proxy_protocol_access allow abc

1539286165.754 0 18.222.29.158 TCP_DENIED/403 4027 GET
http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1
18.203.114.1 proxy_protocol_access allow abc

1539286185.310 0 18.222.29.158 TCP_DENIED/403 4027 GET
http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1
18.203.114.1 proxy_protocol_access allow abc
***************************************************************************************************
Where 18.222.29.158 is my dummy box, i.e. the client IP.


In summary, based on my analysis there is something I am missing or don't
know, but Squid is not intercepting with the PPv2 header. Any help is greatly
appreciated.

Thank you

Regards
Nitya


Reference: [1]
http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.20-RELEASENOTES.html#ss2.7



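To make the difference between the two header formats concrete (the text v1 header that worked above versus the binary v2 header the NLB sends and Squid 3.5 rejected as "invalid header"), here is an added example parser that is not part of the thread or of Squid's code. It builds a v2 IPv4/TCP header from constructed values (the addresses are the ones quoted in the post) and dispatches on the first bytes, which is exactly what a receiver must do before it treats the stream as HTTP.

```python
import socket
import struct

# Constructed sample headers (not captures from the thread's NLB); addresses from the post.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12 fixed bytes that open every v2 header


def build_proxy_v2(src, dst, sport, dport):
    """Build an IPv4/TCP PROXY v2 header: 0x21 = version 2 + PROXY cmd, 0x11 = INET + STREAM."""
    body = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!HH", sport, dport)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def parse_proxy_header(data):
    """Return (client_addr, remaining_bytes); client_addr is None for a v2 LOCAL command."""
    if data.startswith(PP2_SIGNATURE):  # binary v2: signature, then ver/cmd, fam/proto, length
        if len(data) < 16:
            raise ValueError("truncated v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("bad v2 version nibble")
        body, rest = data[16:16 + length], data[16 + length:]
        if len(body) != length:
            raise ValueError("truncated v2 address block")
        if ver_cmd & 0x0F == 0x0:  # LOCAL: health check from the LB, keep the socket peer
            return None, rest
        if fam_proto == 0x11 and length >= 12:  # AF_INET + STREAM: src, dst, sport, dport
            src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
            return (socket.inet_ntoa(src), sport), rest
        raise ValueError("unsupported v2 family/protocol 0x%02x" % fam_proto)
    if data.startswith(b"PROXY "):  # text v1: one line, CRLF within 107 bytes
        end = data.find(b"\r\n", 0, 107)
        if end < 0:
            raise ValueError("v1 header not terminated within 107 bytes")
        fields = data[:end].decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("malformed v1 header")
        return (fields[2], int(fields[4])), data[end + 2:]
    raise ValueError("invalid header")  # the outcome Squid 3.5 logged for the v2 bytes


def demo():
    """Parse a v1 and a v2 header carrying the same client, each followed by an HTTP request."""
    v1 = b"PROXY TCP4 18.222.29.158 18.203.114.1 45634 3128\r\nGET / HTTP/1.1\r\n"
    v2 = build_proxy_v2("18.222.29.158", "18.203.114.1", 45634, 3128) + b"GET / HTTP/1.1\r\n"
    return parse_proxy_header(v1), parse_proxy_header(v2)
```

Note that the v2 header starts with 0x0D 0x0A, bytes that an HTTP parser would otherwise treat as a blank line, which is the kind of protocol overlap Amos refers to below.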
Amos Jeffries
2018-10-23 22:17:18 UTC
Post by NityaIyer
Hello,
I really need a help in this issue.
I have a squid application running on a instance behind the Network load
balancer[NLB] in AWS cloud. Due to my use case, I have enabled proxy
protocol on the load balancer so that my backend instance can receive the
proxy protocol header.
- The network load balancer is sending proxy protocol version 2 header.
- Squid version - 3.5.20
- TCP listening on 3128 both load balancer and my instance
Please try Squid-4. One of the HTTP protections against Slow-Loris
attacks was found to conflict with the PROXYv2 detection. Squid-4
parsers have been redesigned to separate protocols better.

Amos
Alex Rousskov
2018-10-23 22:25:27 UTC
Post by Amos Jeffries
Post by NityaIyer
- The network load balancer is sending proxy protocol version 2 header.
- Squid version - 3.5.20
- TCP listening on 3128 both load balancer and my instance
Please try Squid-4. One of the HTTP protections against Slow-Loris
attacks was found to conflict with the PROXYv2 detection. Squid-4
parsers have been redesigned to separate protocols better.
And if Squid v4 fails, consider testing the following experimental
unofficial v5 code that enhances PROXY protocol handling while fixing a
few related bugs in the official code:
https://github.com/measurement-factory/squid/pull/13


Good luck,

Alex.
