On 16/08/19 8:46 am, Service MV wrote:
> Thank you, Amos. Taking into account your and Rafael's recommendations,
> I configured HAProxy and Squid to use the PROXY protocol instead of
> reformatting the messages.
> At the moment I disabled authentication, due to internal requirements.
> I had a hard time dealing with the HAProxy health checks, but I was able
> to fix it.
> However, by configuring Squid in this way, I had a last problem that I
> didn't expect:
> Squid reports the client's IP to my internet gateway instead of their
> own IP.

Your Squid should be using its own machine's default IP to connect at the
TCP level, and you have "forwarded_for off" already to prevent it adding
the X-Forwarded-For header.

Maybe HAProxy is adding it to the headers still. But I do not see the
config option that it is supposed to need in your haproxy.cnf

Maybe the server is getting the info some other way directly from the
client?

>
> squid.conf
> acl localnet src 192.168.12.1-192.168.13.254 # my clients IP's
> acl localnet src 192.168.11.80 # haproxy IP
> ...
> # implementation of core access policies
> proxy_protocol_access allow localnet

Careful. Since localnet includes your client IPs this means clients can
connect directly to Squid and send forged PROXY details.

You should have another src ACL that matches only the HAProxy IP. Use
that here.

...

> forwarded_for off
>

Either "transparent" or "delete" would seem to suit your needs better here.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
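
Added example, not part of the original message and not Squid's own code: a simplified Python model of the trust decision behind proxy_protocol_access, showing why the ACL used there must match only the HAProxy address. The ACL name HAPROXY_ONLY, the Squid listener address 192.168.11.81 and the sample headers are assumptions made for the example; only the TCP4/TCP6 form of PROXY protocol v1 is handled.

```python
import ipaddress

# ACLs as (first, last) address ranges, mirroring the squid.conf quoted above.
LOCALNET = [("192.168.12.1", "192.168.13.254"), ("192.168.11.80", "192.168.11.80")]
HAPROXY_ONLY = [("192.168.11.80", "192.168.11.80")]  # hypothetical dedicated ACL

def acl_match(ip, acl):
    """True if ip falls inside any range of the ACL."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in acl)

def parse_proxy_v1(line):
    """Parse 'PROXY TCP4|TCP6 src dst sport dport\\r\\n'; return the claimed source IP."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise ValueError("not a PROXY v1 header")
    parts = line[:-2].decode("ascii").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family mismatch")
    if not all(p.isdigit() and 0 <= int(p) <= 65535 for p in parts[4:]):
        raise ValueError("bad port")
    return str(src)

def client_address(peer_ip, header, proxy_protocol_acl):
    """Address the proxy will log and apply ACLs to, or None if refused.

    The decision to believe the header rests only on the TCP peer address.
    """
    if not acl_match(peer_ip, proxy_protocol_acl):
        return None  # peer may not speak PROXY: connection is dropped
    return parse_proxy_v1(header)

# Constructed sample headers (addresses are made up for the example).
FROM_HAPROXY = b"PROXY TCP4 192.168.12.50 192.168.11.81 51000 3128\r\n"
FROM_CLIENT = b"PROXY TCP4 203.0.113.7 192.168.11.81 51000 3128\r\n"

if __name__ == "__main__":
    for name, acl in (("localnet", LOCALNET), ("haproxy only", HAPROXY_ONLY)):
        print(name,
              client_address("192.168.11.80", FROM_HAPROXY, acl),
              client_address("192.168.12.50", FROM_CLIENT, acl))
```

With the localnet ACL, the header sent from a client machine is believed, so the proxy records an address the client chose; with the HAProxy-only ACL the same connection is refused while HAProxy's header is still honoured.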