On 10/18/21 12:11 PM, Ty Martin wrote:
> I am looking to run Squid as a forward proxy with basic auth in Docker
> on AWS ECS behind a network load balancer. I seem to have things up and
> running for the most part; however, I am having difficulty in getting
> proxy protocol to work so that I get access to client IP addresses
> beyond that of the private IPs of my NLB. As soon as I enable proxy
> protocol v2 on the AWS NLB, requests to Squid start failing with errors
> similar to the following:
>
> Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 - error:invalid-request - HIER_NONE/- text/html`
> Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`

> http_port 3128

You must use require-proxy-header http_port option to tell Squid to always expect/require PROXY protocol messages on connections to that listening port. Otherwise, Squid will expect naked HTTP traffic and fail to parse incoming (PROXY protocol) connection bytes.

According to proxy_protocol_access documentation, after adding require-proxy-header to http_port, you must also use proxy_protocol_access to tell Squid which TCP connections to allow on that port (and, hence, which PROXY protocol messages to trust). Denied connections will be closed.

HTH,

Alex.
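
The two points in the reply above, shown on the wire as an added Python sketch (not Squid's code and not part of the original thread): a connection that starts with a PROXY protocol v2 header does not parse as plain HTTP, and the client address in that header is only used when the TCP peer is on a trusted list. All addresses, the trusted subnet and the function names are constructed for illustration, and only the TCP-over-IPv4 case of the v2 header is handled.

```python
import ipaddress
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

def build_v2_ipv4(src, dst, sport, dport):
    """Build a v2 header (PROXY command, TCP over IPv4) for the constructed sample."""
    addrs = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
             + struct.pack("!HH", sport, dport))
    return SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs

def looks_like_http(data):
    """What a plain-HTTP port expects first: 'METHOD target HTTP/x.y'."""
    parts = data.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/")

def parse_v2(data):
    """Return (client, payload); client is (ip, port), or None when no address is given."""
    if len(data) < 16 or not data.startswith(SIG):
        raise ValueError("PROXY v2 header required but not present")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or len(data) < 16 + length:
        raise ValueError("malformed PROXY v2 header")
    body, payload = data[16:16 + length], data[16 + length:]
    if ver_cmd & 0x0F != 1 or fam != 0x11 or length < 12:
        return None, payload  # LOCAL command, or a family this sketch skips
    src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
    return (str(ipaddress.IPv4Address(src)), sport), payload

def accept(peer_ip, data, trusted_nets):
    """Model of a port that requires the header and trusts it only from listed peers."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(n) for n in trusted_nets):
        return None  # denied: connection closed, claimed address never used
    client, payload = parse_v2(data)  # raises if the header is missing
    return (client[0] if client else peer_ip), payload

# Constructed sample: bytes a load balancer with proxy protocol v2 sends first.
REQUEST = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
WIRE = build_v2_ipv4("203.0.113.7", "10.0.1.20", 51514, 3128) + REQUEST

if __name__ == "__main__":
    print("parses as plain HTTP:", looks_like_http(WIRE))
    print("trusted peer  ->", accept("10.0.1.5", WIRE, ["10.0.1.0/24"]))
    print("unlisted peer ->", accept("198.51.100.9", WIRE, ["10.0.1.0/24"]))
```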