Ah, yep. Adding the following to my config got things working in AWS:
```
acl private src 172.0.0.0/8
proxy_protocol_access allow private
http_port 3128 require-proxy-header
```
I was trying to test it locally without success by running the Docker container and hitting it with a curl along the lines of:
`curl --proxy http://<un>:<pw>@localhost:3128 -v --header "X-Forwarded-For: 192.168.0.2" https://www.google.com`
--- Resulting Squid logs ---
```
squid-proxy_1 | 2021/10/18 19:55:33| PROXY protocol error: invalid magic
squid-proxy_1 | exception location: Parser.cc(260) Parse from conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
squid-proxy_1 | connection: conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
squid-proxy_1 | exception location: Parser.cc(260) Parse from conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
squid-proxy_1 | connection: conn6 local=172.24.0.2:3128 remote=172.24.0.1:65426 FD 12 flags=1
```
--- Resulting client logs ---
```
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted
```
Any idea offhand what I'm missing from the local testing scenario? I thought adding a "X-Forwarded-For" header via curl would be treated as proxy protocol v1 by Squid, but the "invalid magic" protocol error gives me the impression I'm not going about it the right way.
On Mon, Oct 18, 2021 at 12:48 PM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 10/18/21 12:11 PM, Ty Martin wrote:
> I am looking to run Squid as a forward proxy with basic auth in Docker
> on AWS ECS behind a network load balancer. I seem to have things up and
> running for the most part; however, I am having difficulty in getting
> proxy protocol to work so that I get access to client IP addresses
> beyond that of the private IPs of my NLB. As soon as I enable proxy
> protocol v2 on the AWS NLB, requests to Squid start failing with errors
> similar to the following:
>
> Squid log: `1634330668.200 5 <nlb-private-ip> NONE_NONE/400 2032 -
> error:invalid-request - HIER_NONE/- text/html`
> Client log: `X-Squid-Error: ERR_PROTOCOL_UNKNOWN 0`
> http_port 3128
You must use require-proxy-header http_port option to tell Squid to
always expect/require PROXY protocol messages on connections to that
listening port. Otherwise, Squid will expect naked HTTP traffic and
fail to parse incoming (PROXY protocol) connection bytes.
According to proxy_protocol_access documentation, after adding
require-proxy-header to http_port, you must also use
proxy_protocol_access to tell Squid which TCP connections to allow on
that port (and, hence, which PROXY protocol messages to trust). Denied
connections will be closed.
HTH,
Alex.
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
