Re: HAProxy + Squid


On 16/08/19 8:46 am, Service MV wrote:
> Thank you, Amos. Taking into account your and Rafael's recommendations,
> I configured HAProxy and Squid to use the PROXY protocol instead of
> reformatting the messages.
> At the moment I disabled authentication, due to internal requirements.
> I had a hard time dealing with the HAProxy health checks, but I was able
> to fix it.
> However, by configuring Squid in this way, I had a last problem that I
> didn't expect:
> Squid reports the client's IP to my internet gateway instead of their
> own IP.

Your Squid should be using its own machine's default IP to connect at the
TCP level, and you have "forwarded_for off" already to prevent it adding
the X-Forwarded-For header.

Maybe HAProxy is still adding it to the headers. But I do not see the
config option that would be needed for that in your haproxy.cnf.

Maybe the server is getting the info some other way directly from the
client?


> 
> squid.conf
> acl localnet src 192.168.12.1-192.168.13.254   # my clients' IPs
> acl localnet src 192.168.11.80                 # haproxy IP
> 
...

> # implementation of core access policies
> proxy_protocol_access allow localnet

Careful. Since localnet includes your client IPs this means clients can
connect directly to Squid and send forged PROXY details.

You should have another src ACL that matches only the HAProxy IP. Use
that here.

...
> forwarded_for off
> 


Either "transparent" or "delete" would seem to suit your needs better here.


Amos
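The two points Amos raises, shown side by side as an added squid.conf example (editor's addition, not part of Amos's reply or the original poster's config). The addresses and the listening port are assumed from the thread: HAProxy at 192.168.11.80, clients in 192.168.12.1-192.168.13.254, Squid on port 3128. The `require-proxy-header` option on `http_port` is a standard Squid option and is what makes `proxy_protocol_access` apply to every connection on that port.

```conf
# As posted in the thread: HAProxy is lumped into the client ACL, so any
# client that reaches Squid directly may send its own (forged) PROXY header.
#
#   acl localnet src 192.168.12.1-192.168.13.254   # clients
#   acl localnet src 192.168.11.80                 # haproxy
#   proxy_protocol_access allow localnet
#   forwarded_for off

# Corrected: only the load balancer may assert a client address.

# Every connection on this port must begin with a PROXY header; anything
# else is rejected at connection setup.
http_port 3128 require-proxy-header

# Real clients (they reach Squid through HAProxy, so their address arrives
# inside the PROXY header, not as the TCP peer).
acl localnet src 192.168.12.1-192.168.13.254

# The one host that is allowed to speak PROXY protocol to Squid. Keep this
# separate from localnet; do not reuse the client ACL here.
acl haproxy src 192.168.11.80

# proxy_protocol_access is evaluated against the TCP peer, before the PROXY
# header is trusted. A client in 192.168.12.0/23 connecting directly is
# denied, so it cannot spoof another source address.
proxy_protocol_access allow haproxy
proxy_protocol_access deny all

# http_access is evaluated against the client address carried in the PROXY
# header, so the client ACL keeps working as intended.
http_access allow localnet
http_access deny all

# "off" still emits "X-Forwarded-For: unknown"; "transparent" passes through
# whatever arrived (including anything HAProxy added); "delete" strips the
# header entirely so the upstream gateway sees only Squid's own address.
forwarded_for delete
```

If HAProxy has `option forwardfor` set on the backend that talks to Squid, `forwarded_for transparent` will relay that header unchanged; `delete` is the setting that guarantees the gateway never sees the client IP.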
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



