Good morning,
I am looking to run Squid as a forward proxy with basic auth in Docker on AWS ECS behind a network load balancer. I seem to have things up and running for the most part; however, I am having difficulty in getting proxy protocol to work so that I get access to client IP addresses beyond that of the private IPs of my NLB. As soon as I enable proxy protocol v2 on the AWS NLB, requests to Squid start failing with errors similar to the following:
Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 - error:invalid-request - HIER_NONE/- text/html`
Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
--- Environment and Configuration details ---
Operating System: Alpine Linux 3.14.2
```
$ squid -v
Squid Cache: Version 5.0.6
Service Name: squid
This binary uses OpenSSL 1.1.1l 24 Aug 2021. For legal restrictions on distribution see https://www.openssl.org/source/license.html
configure options: '--build=x86_64-alpine-linux-musl' '--host=x86_64-alpine-linux-musl' '--prefix=/usr' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--localstatedir=/var' '--with-logdir=/var/log/squid' '--disable-strict-error-checking' '--disable-arch-native' '--enable-removal-policies=lru,heap' '--enable-auth-digest' '--enable-auth-basic=getpwnam,NCSA,SMB,SMB_LM,RADIUS' '--enable-epoll' '--enable-external-acl-helpers=file_userip,unix_group,wbinfo_group' '--enable-auth-ntlm=fake,SMB_LM' '--enable-auth-negotiate=kerberos,wrapper' '--disable-mit' '--enable-heimdal' '--enable-delay-pools' '--enable-openssl' '--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ident-lookups' '--enable-useragent-log' '--enable-cache-digests' '--enable-referer-log' '--enable-async-io' '--enable-truncate' '--enable-arp-acl' '--enable-htcp' '--enable-carp' '--enable-poll' '--enable-follow-x-forwarded-for' '--with-large-files' '--with-default-user=squid' '--with-openssl' 'build_alias=x86_64-alpine-linux-musl' 'host_alias=x86_64-alpine-linux-musl' 'CC=gcc' 'CFLAGS=-Os -fomit-frame-pointer' 'CPPFLAGS=-Os -fomit-frame-pointer' 'CXX=g++' 'CXXFLAGS=-Os -fomit-frame-pointer'
```
```
$ cat /etc/squid/squid.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80
http_access allow authenticated
http_port 3128
cache deny all
pid_filename /var/run/squid/squid.pid
visible_hostname <dns-for-nlb>
debug_options ALL,1
acl hasRequest has request
access_log stdio:/proc/self/fd/1 hasRequest
```
I've looked into `proxy_protocol_access` and `http_port require-proxy-header`, but those both appear to be options to provide access control to Squid around proxy information. I'm simply looking to keep the basic auth in place as the access control mechanism while getting at the forwarded client information for logging purposes.
Is there something silly that I'm missing to get proxy protocol working with Squid and AWS NLBs?
Thanks,
Ty
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
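What the NLB actually puts on the wire once PROXY protocol v2 is switched on, as an added example (not code from Ty's post, from Squid or from AWS): a 12-byte binary signature, a 4-byte version/family/length block, the client and listener addresses, and optionally a vendor TLV (type 0xEA, subtype 0x01 carrying the VPC endpoint ID when the connection arrives through a VPC endpoint service, per the NLB documentation). Those bytes precede the first HTTP byte of every connection, so an `http_port` that has not been told to expect them hands the signature to its HTTP request parser, which is where a 400 `error:invalid-request` comes from. The script builds such a header with constructed sample addresses, ports and a made-up VPC endpoint ID, parses it back, shows that the stream no longer starts with an HTTP request line, and mirrors the trust decision a proxy has to make: believe the header's source address only when the TCP peer is one of the load balancer's own subnets (a constructed 10.0.0.0/16 here), otherwise log the TCP peer. The function names and the `looks_like_http_request` heuristic are mine, not Squid's parser.

```python
"""PROXY protocol v2 on the wire, as an AWS NLB prepends it to each TCP connection.
Added example, not code from the original post, Squid or AWS.
Addresses, ports, subnets and the VPC endpoint ID are constructed samples."""
import ipaddress
import struct
from dataclasses import dataclass, field

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12 fixed signature bytes
PP2_TYPE_AWS = 0xEA                         # AWS vendor TLV type (NLB docs)
PP2_SUBTYPE_AWS_VPCE_ID = 0x01              # value = subtype byte + VPC endpoint ID


@dataclass
class ProxyV2Header:
    src_addr: str            # original client, as the load balancer saw it
    dst_addr: str            # listener address the client connected to
    src_port: int
    dst_port: int
    tlvs: dict = field(default_factory=dict)   # TLV type -> raw value bytes
    header_len: int = 0                        # bytes to strip before the HTTP stream


def build_proxy_v2(src_addr, dst_addr, src_port, dst_port, vpce_id=None):
    """Serialise a v2 PROXY command for TCP over IPv4 or IPv6, as a load balancer would."""
    src, dst = ipaddress.ip_address(src_addr), ipaddress.ip_address(dst_addr)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    fam_proto = 0x11 if src.version == 4 else 0x21   # AF_INET / AF_INET6, STREAM
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id is not None:                           # optional AWS TLV
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(body)) + body


def parse_proxy_v2(data):
    """Parse a v2 header from the start of a stream; ValueError if absent or malformed."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("not PROXY version 2")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body = data[16:16 + length]
    if ver_cmd & 0x0F == 0x0:       # LOCAL command: no client address carried
        return ProxyV2Header("", "", 0, 0, header_len=16 + length)
    if ver_cmd & 0x0F != 0x1:
        raise ValueError("unknown PROXY command")
    family = fam_proto >> 4
    if family == 0x1:
        alen, cls = 4, ipaddress.IPv4Address
    elif family == 0x2:
        alen, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError("unsupported address family")
    if len(body) < 2 * alen + 4:
        raise ValueError("address block too short")
    src, dst = cls(body[:alen]), cls(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    tlvs, pos = {}, 2 * alen + 4
    while pos < len(body):                       # optional TLVs fill the rest
        if pos + 3 > len(body):
            raise ValueError("truncated TLV")
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + tlv_len > len(body):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = body[pos:pos + tlv_len]
        pos += tlv_len
    return ProxyV2Header(str(src), str(dst), src_port, dst_port, tlvs, 16 + length)


def looks_like_http_request(data):
    """Rough request-line check: what an HTTP parser expects at byte 0 of a connection."""
    line = data.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return len(parts) == 3 and parts[0].isalpha() and parts[2].startswith(b"HTTP/")


def effective_client(peer_ip, data, trusted_nets):
    """Client address to log and the remaining stream: the header's source address
    only when the TCP peer is a trusted load balancer, otherwise the TCP peer itself."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_nets):
        return peer_ip, data                 # untrusted peer: never believe a header
    hdr = parse_proxy_v2(data)
    return (hdr.src_addr or peer_ip), data[hdr.header_len:]


if __name__ == "__main__":
    request = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
    wire = build_proxy_v2("203.0.113.7", "192.0.2.10", 51234, 3128,
                          "vpce-0123456789abcdef0") + request
    print(looks_like_http_request(wire))    # False: a plain http_port answers this with 400
    print(effective_client("10.0.1.25", wire, ["10.0.0.0/16"]))
```

The squid.conf equivalent of `effective_client` is `http_port 3128 require-proxy-header` together with `acl nlb src <the NLB's private subnet CIDRs>` and `proxy_protocol_access allow nlb`; `proxy_protocol_access` is evaluated against the TCP peer (the NLB's private IP, which is all Squid can see at that point) before the header is read, and its default is to deny, so without an allow rule every connection on a `require-proxy-header` port is refused. The existing `http_access allow authenticated` still gates requests afterwards, so basic auth remains the access control and the PROXY directives only decide whose header to trust. Keep the allowed source set to the load balancer's subnets: a broader rule lets anything that can reach port 3128 directly choose the client address that ends up in the access log.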