On 13/03/2015 9:07 p.m., Eliezer Croitoru wrote:
> I started testing squid 3.5.2 with the proxy protocol and I have set up
> basic haproxy settings for it.
> http://ngtech.co.il/paste/1287/
>
> copy of the logs at:
> http://www1.ngtech.co.il/paste/1288/
>
> While testing I started first haproxy with regular squid forward proxy
> and then moved to a proxy protocol supported forward proxy setup.
>
> While with the forward proxy the acls seem to work fine, with the proxy
> protocol I am encountering a couple of weird things:
> 1426233543.491 28 192.168.10.131 TCP_MISS/404 611 GET http://ngtech.co.il/favico.ico - HIER_DIRECT/84.95.212.160 text/html
> 1426233562.110 29091 192.168.10.131 TCP_TUNNEL/200 3374 CONNECT tiles.services.mozilla.com:443 - HIER_DIRECT/54.149.185.208 -
> 1426233562.119 1 192.168.10.151 TCP_MISS/403 4324 GET http://ngtech.co.il/favicon.ico - HIER_NONE/- text/html
> 1426233562.122 5 192.168.10.131 TCP_MISS/403 4461 GET http://ngtech.co.il/favicon.ico - ORIGINAL_DST/192.168.10.151 text/html
> 1426233562.259 1 192.168.10.151 TCP_MISS/403 4382 GET http://www.squid-cache.org/Artwork/SN.png - HIER_NONE/- text/html
> 1426233562.261 3 192.168.10.131 TCP_MISS/403 4519 GET http://www.squid-cache.org/Artwork/SN.png - ORIGINAL_DST/192.168.10.151 text/html
> 1426233562.294 1 192.168.10.151 TCP_MISS/403 4306 GET http://ngtech.co.il/favicon.ico - HIER_NONE/- text/html
> 1426233562.296 2 192.168.10.131 TCP_MISS/403 4443 GET http://ngtech.co.il/favicon.ico - ORIGINAL_DST/192.168.10.151 text/html
>
>
> The first two requests are on the regular forward proxy port.
> Then the 403 response is not a TCP_DENIED but I am still watching the
> screen and see a squid access denied page which is identified by the
> local proxy name.

MISS/403 usually means the server contacted supplied 403. What's the 192.168.10.151 server and which port is it being contacted on?

> Why would I see an "ORIGINAL_DST" at all in these requests??? there is
> none...(else than the haproxy).

The PROXY protocol is providing Squid with both the src-IP and dst-IP. Squid is using those as the client IP and ORIGINAL_DST.

>
> So summary of the setup:
> 1 host with both squid and haproxy installed and configured for proxy
> protocol version 1 (version 2 didn't work for me at all)
> haproxy listens on one port (13128) and squid receives the requests on
> the loopback interface (port 23128).
>
> I think it's a bug but first I am putting the details here in the dev
> list and later next week I will file a bugzilla report.

Not working the same with v2 of the protocol is a bug. I'm not sure how we could handle the dst-IP differently. By using the PROXY protocol we explicitly trust the haproxy frontend to supply the correct IPs.
Amos
_______________________________________________
squid-dev mailing list
squid-dev@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-dev
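The src-IP/dst-IP mapping Amos describes, as an added example that is not part of the thread or of Squid's or HAProxy's code: a parser for a PROXY protocol v1 header that turns the header's source into the logged client address and its destination into ORIGINAL_DST, but only when the connection arrives from a trusted frontend (here loopback, matching the poster's single-host setup). The sample header is constructed; its ports are assumptions, since the poster's actual header is not on the page.

```python
import ipaddress

# Constructed sample header, modelled on the log line where 192.168.10.131
# reached 192.168.10.151 via ORIGINAL_DST; the ports are assumed, not from the page.
SAMPLE_V1 = b"PROXY TCP4 192.168.10.131 192.168.10.151 51234 80\r\nGET / HTTP/1.1\r\n"
# In the poster's setup haproxy is on the same host, so only loopback is trusted.
TRUSTED_FRONTENDS = [ipaddress.ip_network("127.0.0.0/8")]
MAX_V1_HEADER = 107  # longest legal v1 header line, CRLF included

def parse_proxy_v1(data):
    """Parse a PROXY v1 header -> (fields, remaining_bytes).
    fields is None for "PROXY UNKNOWN" (frontend could not supply addresses);
    ValueError for anything that is not a well-formed v1 header."""
    end = data.find(b"\r\n")
    if end < 0 or end + 2 > MAX_V1_HEADER:
        raise ValueError("no CRLF within the 107-byte v1 header limit")
    parts, rest = data[:end].split(b" "), data[end + 2:]
    if parts[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    if parts[1] == b"UNKNOWN":
        return None, rest
    if len(parts) != 6:
        raise ValueError("expected 6 space-separated fields")
    family = parts[1].decode("ascii")
    ip_cls = {"TCP4": ipaddress.IPv4Address, "TCP6": ipaddress.IPv6Address}.get(family)
    if ip_cls is None:
        raise ValueError("unsupported family " + family)
    src_ip = ip_cls(parts[2].decode("ascii"))  # raises on a malformed address
    dst_ip = ip_cls(parts[3].decode("ascii"))
    src_port, dst_port = int(parts[4]), int(parts[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return {"family": family, "src_ip": str(src_ip), "dst_ip": str(dst_ip),
            "src_port": src_port, "dst_port": dst_port}, rest

def connection_view(peer_ip, data, trusted=TRUSTED_FRONTENDS):
    """Client IP and ORIGINAL_DST to log for one accepted connection.
    The header is honoured only when the TCP peer is a trusted frontend, as the
    header itself is unauthenticated; otherwise the peer is the client."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return {"client": peer_ip, "original_dst": None, "payload": data}
    fields, rest = parse_proxy_v1(data)
    if fields is None:
        return {"client": peer_ip, "original_dst": None, "payload": rest}
    return {"client": fields["src_ip"],
            "original_dst": "%s:%d" % (fields["dst_ip"], fields["dst_port"]),
            "payload": rest}
```

For an untrusted peer the header bytes are left in the payload untouched, so a downstream HTTP parser sees a malformed request rather than a spoofed client address.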