Hello,

I really need help with this issue. I have a Squid application running on an instance behind the Network Load Balancer [NLB] in AWS cloud. Due to my use case, I have enabled proxy protocol on the load balancer so that my backend instance can receive the proxy protocol header.

Few details:
- The network load balancer is sending proxy protocol version 2 header.
- Squid version - 3.5.20
- TCP listening on 3128 on both the load balancer and my instance

As per the release note [1], below is the configuration of my Squid application:

********************************************************************
acl abc src 10.9.0.0/21 #My local network
proxy_protocol_access allow abc
logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %<la %<lp %<a %<p %<rd %>rd proxy_protocol_access allow abc
http_port 3128 accel require-proxy-header
http_port 3128
********************************************************************

On testing, I find the below logs in the cache file of Squid. Somehow, the Squid application is not interpreting the proxy protocol header version 2 [PPv2]:

2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from local=10.9.7.165:3128 remote=10.9.7.170:43730 FD 10 flags=1
2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from local=10.9.7.165:3128 remote=10.9.7.170:61432 FD 10 flags=1
2018/10/11 17:55:45 kid1| PROXY protocol error: invalid header from local=10.9.7.165:3128 remote=10.9.7.170:16783 FD 10 flags=1

10.9.7.170 is the private IP of the load balancer and 10.9.7.165 is the instance itself.

To be noted:

- I configured Apache on the same box and Apache can successfully parse the proxy protocol version 2 header received from the NLB. I can successfully see the client IP address in the access log of Apache.

********************************************************************
10.9.7.170 80 18.222.29.158 45634 - - [11/Oct/2018:15:15:18 +0000] "GET / HTTP/1.1" 200 166 "-" "curl/7.53.1"
10.9.7.170 80 18.222.29.158 45638 - - [11/Oct/2018:15:17:15 +0000] "GET / HTTP/1.1" 200 166 "-" "curl/7.53.1"
********************************************************************

10.9.7.170 is the private IP of my NLB and 18.222.29.158 is my dummy box, i.e. the client IP address.

- I used the same Squid configuration to intercept the proxy protocol version 1 header and surprisingly it works for the version 1 header:

********************************************************************
1539282729.144 0 18.222.29.158 TCP_DENIED/403 470 HEAD http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1 18.203.114.1 proxy_protocol_access allow abc
1539286165.754 0 18.222.29.158 TCP_DENIED/403 4027 GET http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1 18.203.114.1 proxy_protocol_access allow abc
1539286185.310 0 18.222.29.158 TCP_DENIED/403 4027 GET http://18.203.114.1:3128/ - HIER_NONE/- text/html - - - - 18.203.114.1 18.203.114.1 proxy_protocol_access allow abc
********************************************************************

Where 18.222.29.158 is my dummy box, nothing but the client IP.

In summary, based on my analysis there is something I am missing or I don't know, but Squid is not intercepting the PPv2 header.

Any help is greatly appreciated.

Thank you

Regards
Nitya

Reference:
[1] http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.20-RELEASENOTES.html#ss2.7
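
For checking what a load balancer actually places ahead of the HTTP request, the following added example (not part of the original post and not Squid's parser) decodes both PROXY protocol v1 and v2 headers as laid out in the HAProxy PROXY protocol specification. The function name and the sample bytes are constructed for illustration, reusing the client and NLB addresses quoted in the post.

```python
import ipaddress
import struct
V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY protocol v2 signature

def parse_proxy_header(data: bytes) -> dict:
    """Parse a PROXY protocol v1 or v2 header found at the start of `data`."""
    if data.startswith(b"PROXY "):                 # v1: a single ASCII line
        end = data.find(b"\r\n", 0, 107)           # spec caps v1 at 107 bytes
        if end < 0:
            raise ValueError("v1 header not terminated by CRLF")
        fields = data[:end].decode("ascii").split(" ")
        if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
            raise ValueError("unsupported v1 header")
        return {"version": 1, "src": (fields[2], int(fields[4])),
                "dst": (fields[3], int(fields[5])), "tlvs": [], "consumed": end + 2}
    if len(data) < 16 or not data.startswith(V2_SIG):
        raise ValueError("no PROXY protocol header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("bad v2 version nibble")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated v2 header")
    out = {"version": 2, "src": None, "dst": None, "tlvs": [], "consumed": 16 + length}
    if ver_cmd & 0x0F == 0:                        # LOCAL command: no addresses to use
        return out
    alen = {0x1: 4, 0x2: 16}.get(fam_proto >> 4)   # AF_INET / AF_INET6 address size
    if alen is None or len(body) < 2 * alen + 4:
        raise ValueError("unsupported or short address block")
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    out["src"] = (str(ipaddress.ip_address(body[:alen])), sport)
    out["dst"] = (str(ipaddress.ip_address(body[alen:2 * alen])), dport)
    pos = 2 * alen + 4
    while pos + 3 <= len(body):                    # optional TLVs: type, 16-bit length, value
        t, l = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + l > len(body):
            raise ValueError("TLV overruns header")
        out["tlvs"].append((t, body[pos + 3:pos + 3 + l]))
        pos += 3 + l
    return out

# Constructed sample headers (not captured traffic), followed by the start of a request.
SAMPLE_V1 = b"PROXY TCP4 18.222.29.158 10.9.7.170 45634 3128\r\nGET / HTTP/1.1\r\n"
SAMPLE_V2 = (V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12 + 3 + 4)
             + bytes([18, 222, 29, 158, 10, 9, 7, 170])   # src 18.222.29.158, dst 10.9.7.170
             + struct.pack("!HH", 45634, 3128)
             + bytes([0x04, 0x00, 0x04]) + b"\x00" * 4     # PP2_TYPE_NOOP padding TLV
             + b"GET / HTTP/1.1\r\n")
```

Feeding it the first bytes read from an accepted connection shows which header version arrives and how many bytes (`consumed`) precede the HTTP request, including any TLVs appended after the address block.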