I want to build a system where we have 3 Squid proxy servers running behind a load balancer. Currently the Squid proxy is running on an HTTP port (help with https_port is also appreciated).
dns_v4_first on
acl loadbalancer src 174.138.123.136/32
# allow only https ports
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*.conf
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow localhost
http_access allow authenticated
http_access deny all
http_port 8080
coredump_dir /var/spool/squid
When I provide the target URL in https it works; otherwise it gives an error from the load balancer IP.
curl -x http://user:pass@lb_ip:8080 https://ifconfig.me # works
curl -x http://user:pass@lb_ip:8080 http://ifconfig.me # does not work
The error in second case is
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>
<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="/">/</a></p>
When I tried appending a /test path to the example, it confirmed that the origin is getting stripped when using http://
curl -sx http://user:pass@lb_ip:8080 http://ifconfig.me/test | grep /test
<p>The following error was encountered while trying to retrieve the URL: <a href="/test">/test</a></p>
But direct usage works in both cases:
curl -x http://user:pass@direct_ip:8080 https://ifconfig.me # works
curl -x http://user:pass@direct_ip:8080 http://ifconfig.me # works
I solved this by connecting the load balancer with TCP instead of HTTP. In Terraform it will look like this (copied from here):
forwarding_rule {
  entry_port      = 80
  entry_protocol  = "tcp" // this is the main change
  target_port     = 3128
  target_protocol = "tcp" // target must be tcp, if entry point is tcp
}
This solution is available as an open-source project; I call it ProxyForge.
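The following is an added example, not part of the original post or of ProxyForge. It classifies HTTP/1.1 request-target forms and models the stripping reported above to show why a forward proxy can still route the `CONNECT` request but not the plain-HTTP one. The function names are hypothetical, and the rewrite is an assumed model consistent with the observed error page, not the load balancer's actual code.

```python
from urllib.parse import urlsplit

def target_form(request_line: str) -> str:
    """Classify the request-target of an HTTP/1.1 request line (RFC 9112, section 3.2)."""
    method, target, _version = request_line.split(" ", 2)
    if target == "*":
        return "asterisk-form"
    if method.upper() == "CONNECT":
        return "authority-form"      # host:port, used for HTTPS tunnels
    if target.startswith("/"):
        return "origin-form"         # path only: what an origin server expects
    if urlsplit(target).scheme and urlsplit(target).netloc:
        return "absolute-form"       # full URL: what a forward proxy expects
    return "invalid"

def forward_proxy_destination(request_line: str):
    """Return the (host, port) a forward proxy can derive from the line, or None."""
    form = target_form(request_line)
    target = request_line.split(" ", 2)[1]
    if form == "authority-form":
        host, _, port = target.rpartition(":")
        return host, int(port)
    if form == "absolute-form":
        parts = urlsplit(target)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    return None   # origin-form carries no origin, so the proxy cannot pick an upstream

def rewrite_like_http_listener(request_line: str) -> str:
    """Assumed model of the observed behaviour: the absolute URL is reduced to its path."""
    method, target, version = request_line.split(" ", 2)
    if target_form(request_line) != "absolute-form":
        return request_line          # CONNECT and origin-form pass through unchanged
    parts = urlsplit(target)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return f"{method} {path} {version}"

# Constructed request lines matching the curl commands in the question.
SAMPLES = [
    "CONNECT ifconfig.me:443 HTTP/1.1",      # curl -x ... https://ifconfig.me
    "GET http://ifconfig.me/test HTTP/1.1",  # curl -x ... http://ifconfig.me/test
]

if __name__ == "__main__":
    for line in SAMPLES:
        seen = rewrite_like_http_listener(line)
        print(f"{line!r} -> {seen!r} -> {forward_proxy_destination(seen)}")
```

The same classifier can be run over request lines captured on the Squid host to check whether a listener in front of it is altering them.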