I'm configuring a squid proxy to work as a sort of gateway for traffic egress.
The environment in which this is deployed has a client that makes a request through a load balancer, which then sends it on to the squid proxy.
To not obfuscate the original client IP, the load balancer uses the proxy protocol.
Squid (3.5+) "supports" the proxy protocol and allows it to be used in an acl.
A working configuration that I have seen to allow proxy protocol access is below:
```
acl localnet src 10.0.0.0/8
http_port 3128 require-proxy-header
http_port 3128
proxy_protocol_access allow localnet
```
However, this doesn't allow me to filter the subsequent requests based on dstdomain. I've also tried:
```
acl allowed dstdomain .google.com
acl localnet src 10.0.0.0/8
http_port 3128 require-proxy-header
http_port 3128
proxy_protocol_access allow localnet allowed
```
But this causes my curl requests to return with error 53, empty requests.
I've tried:
```
acl allowed dstdomain .google.com
http_port 3128 require-proxy-header
http_port 3128
proxy_protocol_access allow allowed
```
This has the same behavior as the one directly above. I've also tried:
```
acl localnet src 10.0.0.0/8
http_port 3128 require-proxy-header
http_port 3128
proxy_protocol_access allow localnet
acl allowed dstdomain .google.com
http_access allow allowed
http_access deny all
```
And this results in all the traffic being allowed out. (I've also tried swapping those 2 blocks as well, with the same results.)
Am I missing something? Does someone have a working configuration that allows for domain filtering and proxy protocol?
Best Answer
After looking at this more, I was able to fix the config so it would work. This works:
Although I had tried this before, I was running into a snag with an `http_access deny all` that was listed above. The proxy_protocol_access simply establishes where the proxy protocol can be accepted from. In looking at the cache.log on reload, it seems to indicate that any dstdomain filtering in proxy_protocol_access is not actually allowed.
As a note: the rules are applied in order of appearance in the configuration, and as things match they are applied. So if a deny appears above, the request is denied.
Additional logging information can be provided for troubleshooting using `debug_options`, specifically `debug_options 3,28` for configuration file troubleshooting. (More info here: http://wiki.squid-cache.org/KnowledgeBase/DebugSections and http://www.squid-cache.org/Doc/config/proxy_protocol_access/)
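As an added illustration of the ordering rule the answer describes (this is not the answer's own working config, which is not reproduced on the page, and not Squid's code): a small Python first-match evaluator run over two constructed squid.conf fragments. The first puts `http_access deny all` above the allow line, so the allow is never reached; the second puts the deny last and keeps `proxy_protocol_access` to a `src` acl, with `http_access` doing the dstdomain filtering. It also flags the question's attempt at naming a dstdomain acl in `proxy_protocol_access`, since no request exists yet when the PROXY header is read. The config fragments, the function names and the 10.1.2.3 / 192.168.1.5 client addresses are all assumptions; the toy only models `src` and `dstdomain` acls and Squid's documented first-match semantics (no match means the opposite of the last line's action).

```python
import ipaddress

# Constructed squid.conf fragment (not the thread's config): the ordering mistake the
# answer describes, a deny-all listed above the allow, so the allow is never reached.
SHADOWED_CONF = """
acl localnet src 10.0.0.0/8
acl allowed dstdomain .google.com
http_port 3128 require-proxy-header
proxy_protocol_access allow localnet
http_access deny all            # first match wins: everything is denied here
http_access allow allowed       # never evaluated
"""

# Constructed fragment with the same rules in a working order: proxy_protocol_access
# only decides which sources may send a PROXY header; http_access filters by domain.
CORRECTED_CONF = """
acl localnet src 10.0.0.0/8
acl allowed dstdomain .google.com
http_port 3128 require-proxy-header
proxy_protocol_access allow localnet
proxy_protocol_access deny all
http_access allow allowed
http_access deny all
"""

# Constructed fragment mirroring the question's attempt to use dstdomain in
# proxy_protocol_access, which the evaluator rejects below.
QUESTION_ATTEMPT_CONF = """
acl allowed dstdomain .google.com
acl localnet src 10.0.0.0/8
http_port 3128 require-proxy-header
proxy_protocol_access allow localnet allowed
"""


def parse_config(text):
    """Collect acl definitions and the two access lists, in order of appearance."""
    acls = {}
    rules = {"proxy_protocol_access": [], "http_access": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)
        elif parts[0] in rules:
            rules[parts[0]].append((parts[1], parts[2:]))
        # http_port and any other directive is outside this toy's scope
    return acls, rules


def acl_matches(acls, name, client_ip, dst_host):
    """Match one acl; dst_host is None while only the PROXY header has been read."""
    if name == "all":
        return True
    acl_type, values = acls[name]
    if acl_type == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "dstdomain":
        if dst_host is None:
            raise ValueError(f"acl {name!r} is dstdomain but no request exists yet")
        host = dst_host.lower()
        # A leading dot matches the domain itself and all of its subdomains.
        return any(host == v.lstrip(".").lower()
                   or (v.startswith(".") and host.endswith(v.lower()))
                   for v in values)
    raise ValueError(f"unsupported acl type {acl_type!r}")


def first_match(acls, rule_list, client_ip, dst_host):
    """First line whose acls all match wins; otherwise the opposite of the last line."""
    for action, names in rule_list:
        if all(acl_matches(acls, n, client_ip, dst_host) for n in names):
            return action
    if not rule_list:
        return "deny"
    return "deny" if rule_list[-1][0] == "allow" else "allow"


def evaluate(conf_text, client_ip, dst_host):
    """Return (proxy_protocol_access decision, http_access decision) for one request."""
    acls, rules = parse_config(conf_text)
    pp = first_match(acls, rules["proxy_protocol_access"], client_ip, None)
    if pp != "allow":
        return pp, "deny"  # connection rejected before any request is read
    return pp, first_match(acls, rules["http_access"], client_ip, dst_host)


def proxy_protocol_rules_need_request(conf_text):
    """True when proxy_protocol_access references an acl that needs a request."""
    try:
        evaluate(conf_text, "10.1.2.3", "www.google.com")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, conf in (("shadowed", SHADOWED_CONF), ("corrected", CORRECTED_CONF)):
        for host in ("www.google.com", "example.com"):
            print(label, host, evaluate(conf, "10.1.2.3", host))
    print("question attempt rejected:", proxy_protocol_rules_need_request(QUESTION_ATTEMPT_CONF))
```

Running it shows the shadowed order denying www.google.com, the corrected order allowing only .google.com from the 10/8 range, and the question's attempt being refused because a dstdomain acl cannot be evaluated at PROXY-header time. Squid's own `squid -k parse` is the real check to run against a candidate squid.conf before reloading.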