Thank you, Amos. Taking into account your and Rafael's recommendations, I
configured HAProxy and Squid to use the PROXY protocol instead of
reformatting the messages.
At the moment I disabled authentication, due to internal requirements.
I had a hard time dealing with the HAProxy health checks, but I was able to
fix it.
However, by configuring Squid in this way, I had a last problem that I
didn't expect:
Squid reports the client's IP to my internet gateway instead of their own
IP.
It's true, I want to see my clients' IPs in Squid's log; but I want Squid's
IP to reach my gateway and not my clients'. This way I can make my clients
browse internet only through my proxies.
I'm really not sure if continuing with this configuration I'm doing will be
possible to achieve it.
I appreciate in advance any indication you can give me.
haproxy.cfg
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd
listeners
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 4000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:
ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option tcplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend squid_in
bind *:3128
default_backend squid_pool
backend squid_pool
balance source
mode tcp
server px1 x.x.x.1:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3
server px2 x.x.x.2:3128 check port 8181 send-proxy inter 2000 rise 2 fall 3
squid.conf
acl localnet src 192.168.12.1-192.168.13.254 # my clients IP's
acl localnet src 192.168.11.80 # haproxy IP
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8181 # haproxy health checks port
acl CONNECT method CONNECT
# list of allowed domains
acl LS_whitedomains dstdomain "/etc/squid/acl/whitedomains.txt"
# list of bloqued domains
acl LS_blackdomains dstdomain "/etc/squid/acl/blackdomains.txt"
acl LS_malicius dstdomain "/etc/squid/acl/malicius.txt"
acl LS_porn dstdomain "/etc/squid/acl/porn.txt"
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
web applications running on the proxy server who think the only one who can
access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# implementation of access list policies
http_access deny LS_blackdomains
http_access allow LS_whitedomains
http_access deny LS_malicius
http_access deny LS_porn
# limit downloads to 10 Mb/s to the localnet network
delay_pools 1
delay_class 1 2
delay_parameters 1 1310720/1966080 917504/1310720
delay_access 1 allow localnet
# implementation of core access policies
proxy_protocol_access allow localnet
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 require-proxy-header
# port used only for haproxy health checks
http_port 8181
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# squid customization settings
quick_abort_min 0 KB
quick_abort_max 0 KB
read_timeout 5 minutes
request_timeout 3 minutes
shutdown_lifetime 0 seconds
ipcache_size 2048
fqdncache_size 4096
cache_mgr m...@tsa.net
visible_hostname px1
httpd_suppress_version_string on
forwarded_for off
Best regards
Gabriel
El vie., 9 de ago. de 2019 a la(s) 03:45, Amos Jeffries (
squ...@treenet.co.nz) escribió:
> On 9/08/19 1:44 am, neok wrote:
> > Hi, I finally did the configuration differently. It's working very well
> for
> > me.
> >
>
> What you are doing is polluting every HTTP message with two new headers.
>
> The way Rafael suggested is more efficient since the PROXY protocol
> details are only delivered at the start of each TCP connection, and HTTP
> messages do not need to be reformatted at the LB as they pass.
>
> Note that Squid will be extending that XFF header itself anyway. But
> with your way the LB IP address will be broadcast to the origin(s) in
> the XFF header along with the client address. With PROXY protocol Squid
> adds only the client address there.
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
