
A customer asked me the other day how to set up HAProxy's Proxy Protocol in Squid on their Loadbalancer appliance.
Here's the script I shared with them, as well as instructions on how to do this with HAProxy as the load balancer, which might be of interest to others.
So without further ado, let's get on with it!
What is a Squid Proxy and what is it for?
Squid is an open source forward proxy that accelerates web performance by caching and forwarding HTTP web content. It also serves to improve security by filtering traffic.
It's regularly used by a number of web filter vendors to ensure that users don't download harmful content like viruses and trojans from the internet, or to prevent access to harmful content, for example by children in a school environment. One of our partners, Smoothwall, excels in that area.
What are the supported protocols with Squid?
Squid's common protocols are:
- Hypertext Transfer Protocol (HTTP)
- File Transfer Protocol (FTP)
Other Squid protocols are also available, but with limited support:
- Internet Gopher
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Hypertext Transfer Protocol Secure (HTTPS)
Note, Squid does NOT support the SOCKS protocol.
To use Privoxy as a SOCKS proxy for Squid, configure Privoxy to listen on a specific port (default 8118) and forward requests to a SOCKS server, then configure Squid to use Privoxy as its parent proxy.
For full details, see: How to configure Squid to use SOCKS as the parent.
How does HAProxy Protocol work with Squid?
Once you've installed a Squid proxy server, you can configure your web browsers to use it as a proxy HTTP server.
This allows Squid to take copies of the content returned for user requests, meaning repeat searches can skip the lookup, saving time and bandwidth. It's a process Internet Service Providers often employ to increase the speed of Local Area Networks (LANs) that share a connection.
To configure the browser, there are two options:
- Specify the proxy server to use; or
- Use transparent Squid caching so all outgoing HTTP requests are intercepted by Squid and cached without requiring clients to explicitly configure a proxy. This reduces bandwidth and improves speed.
Option 2 is most commonly chosen by businesses because all users are typically on the same LAN. The person controlling the computer running Squid can set, disable or change specific header fields in a client's HTTP requests to anonymize connections. The network users themselves may therefore not be aware that this information is being logged or monitored.
Why set up HAProxy Protocol for Squid?
Without Proxy Protocol, when using a load balancer as a reverse proxy, what the Squid server sees is a connection that comes from the load balancer.
But with Proxy Protocol, the server can see the IP address of the user that's connected to the load balancer.
What this allows the Squid servers to do is respond differently, depending on the user attempting to access a resource. For example, in scenario A (below), a teacher trying to access Facebook might be allowed to do so. But a student (as shown in scenario B), should not be able to.
Scenario A: Teacher tries to access Facebook (without and with proxy protocol)

Scenario B: Student tries to access Facebook (without and with proxy protocol)

With the Proxy Protocol, using the client IP, the Squid server can determine whether it's a teacher or student device attempting to access Facebook.
Without the Proxy Protocol in place, there would need to be other faffing to try to ascertain this information.
Squid itself is an easily accessible open source proxy that can be used to achieve this.
How to configure the Proxy Protocol with Squid and HAProxy
First change the Squid configuration...
Download Squid if you haven't already, then enter these three lines of code:
acl loadbalancers src 192.168.87.1 192.168.87.2
http_port 3129 require-proxy-header
proxy_protocol_access allow loadbalancers
This translates as:
- acl line = the ACL label (I used 'loadbalancers' here), then the specification for the ACL (I put the source IP addresses of the load balancers; this needs to be the IP that the Squid server sees the connection from).
- http_port line = listen on this port, but mandate PROXY protocol to pass the client IP address from HAProxy to Squid.
- proxy_protocol_access line = either allow or deny based on the provided ACL name (in this case, allow the source IP addresses of my load balancers).
That's all that's needed from the Squid side.
Then change your HAProxy configuration...
Enter the following into HAProxy:
server Squid1 192.168.120.51:3129 id 2 weight 100 check port 3129 inter 4000 rise 2 fall 2 slowstart 8000 minconn 0 maxconn 0 on-marked-down shutdown-sessions send-proxy-v2 check-send-proxy
The 'send-proxy-v2' section is the part that does the magic.
The check-send-proxy enables PROXY protocol on the health check.
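To show what 'send-proxy-v2' puts on the wire and why Squid only accepts it from the 'loadbalancers' ACL, here is an added example (not Squid's or HAProxy's own code) that builds and parses a PROXY protocol v2 header. It handles TCP over IPv4 only; the function names and the client address in the test data are assumptions, while the load balancer IPs are the ones used above.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header
SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# Load balancer addresses from the acl line above; only these peers are trusted
TRUSTED_LBS = {ipaddress.ip_address("192.168.87.1"), ipaddress.ip_address("192.168.87.2")}


def build_v2_header(src, dst, sport, dport):
    """Build the v2 header a load balancer prepends (PROXY command, TCP over IPv4)."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    addrs += struct.pack("!HH", sport, dport)
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


def client_address(peer_ip, data):
    """Return (client_ip, client_port, payload) or raise ValueError.

    peer_ip is the address the TCP connection really came from. The header is
    only believed when that peer is a trusted load balancer, which is the role
    proxy_protocol_access plays in Squid.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_LBS:
        raise ValueError("peer is not a trusted load balancer")
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("PROXY v2 header required")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    payload = data[16 + length:]
    if ver_cmd & 0x0F == 0:  # LOCAL command: made by the proxy itself, no client address
        return peer_ip, None, payload
    if ver_cmd & 0x0F != 1 or fam_proto != 0x11 or length < 12:
        raise ValueError("only PROXY over TCP/IPv4 is handled in this example")
    src, _dst, sport, _dport = struct.unpack("!4s4sHH", data[16:28])
    return str(ipaddress.IPv4Address(src)), sport, payload
```

Without the peer check, any client able to reach port 3129 could claim an arbitrary source address in the header, which is why the ACL lists only the load balancers.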
And yes, of course, it's easy with Loadbalancer.org
You can configure our load balancer appliance to operate with Squid Proxy and persist the client IP address, in just a few clicks, by following these simple steps:
First configure your Squid...
Enter these three lines of code in Squid, exactly the same as you would with HAProxy normally:
acl loadbalancers src 192.168.87.1 192.168.87.2
http_port 3129 require-proxy-header
proxy_protocol_access allow loadbalancers
Then configure your Loadbalancer appliance...
On your Enterprise load balancer, configure a Layer 7 TCP mode VIP, and tell it to 'Send PROXY Protocol' to the Real Servers:

When adding the Real Servers, set the 'real server port' to 3129 (see my example above), restart HAProxy, and then you should be good to go. Job done.
I'd love to find out more about how you are using proxy protocol.
And please, let me know if this helped by leaving a comment.
Thank you!