proxyload-balancingdigital-oceansquid

Serving squid proxy behind HTTP load balancer


I want to build a system where we have 3 squid proxies server running behind load balancer. Currently squid proxy is running on http port, (help for https_port is also appreciated)

dns_v4_first on
acl loadbalancer src 174.138.123.136/32  

# allow only https ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

include /etc/squid/conf.d/*.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy

acl authenticated proxy_auth REQUIRED

http_access allow localhost
http_access allow authenticated
http_access deny all
http_port 8080
coredump_dir /var/spool/squid

When I provide the target url in https it is working, otherwise its giving error from loadbalancer ip.

curl -x http://user:pass@lb_ip:8080 https://ifconfig.me  # works
curl -x http://user:pass@lb_ip:8080 http://ifconfig.me   # does not work

The error in second case is

<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="/">/</a></p>

When I tried appending /test path in the example. It is confirmed that origin is getting stripped when using http://

curl -sx http://user:pass@lb_ip:8080 http://ifconfig.me/test | grep /test

<p>The following error was encountered while trying to retrieve the URL: <a href="/test">/test</a></p>

But direct usage works in both case

curl -x http://user:pass@direct_ip:8080 https://ifconfig.me  # works
curl -x http://user:pass@direct_ip:8080 http://ifconfig.me   # works

Solution

  • I solved this by connecting the loadbalancer with TCP instead of HTTP. In the terraform it will look like (copied from here)

    forwarding_rule {
        entry_port      = 80
        entry_protocol  = "tcp" // this is the main change
        target_port     = 3128
        target_protocol = "tcp" // target must be tcp, if entry point is tcp
    }
    

    This solution is available as OpenSource project, I call it ProxyForge.