Hi, I'm trying to deploy a squid proxy in a Kubernetes cluster fronted by Traefik. The architecture looks like this:
inbound request on port 3128 => metallb => traefik => squid => upstream
inbound request on port 443 => metallb => traefik => some other webservice
I know that Traefik in general works because all the other services it fronts are working as expected. I also know that Squid is working because when I use kubectl to port-forward the Squid service to localhost and use it as a proxy from there, it behaves as expected.
Here is an example of Squid working as expected to proxy traffic to a private upstream at 10.244.0.72:
curl -U admin:redacted -v -x http://127.0.0.1:3128 http://10.244.0.72:869/health
Then the following shows up in the Squid logs:
1672285498.374 1 127.0.0.1 TCP_MISS/200 257 GET http://10.244.0.72:869/health admin HIER_DIRECT/10.244.0.72 -
On the other hand, if I attempt to contact Squid through Traefik, like this:
curl -U admin:redacted -v -x https://myhostname.example.com:3128 http://10.244.0.72:869/health
Then I get a 400 from Squid (Invalid URL), and the following in the logs:
1672285454.813 0 10.244.0.86 NONE_NONE/400 3971 GET /health - HIER_NONE/- text/html
Notice that Squid receives GET /health, not GET http://10.244.0.72:869/health. This naturally leads Squid to return a 400 error because it has not been told what upstream to contact. As far as I can understand, this issue is the result of changes that Traefik makes while proxying the HTTP request.
I saw that the same question was raised at Support forward proxies as backend · Issue #3528 · traefik/traefik · GitHub, but no answer was provided, and the issue was closed.
I reviewed all the official Traefik documentation I could find, and I did not see any reference to a behavior of Traefik that would rewrite the HTTP request line (GET http://10.244.0.72:869/health ...), nor any way to disable such a behavior. I also was unable to find any other relevant discussion thread, feature request, or issue on the matter. (There were plenty about people wanting Traefik to use a proxy for one thing or another, but nothing except the issue above about actually deploying a forward proxy fronted by Traefik.)
So, I am not sure whether forward proxies are simply not a supported use case of Traefik, or perhaps I am misunderstanding something, ...?
Happy to provide configuration files and manifests for my use case if it would be helpful.
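Added example, not part of the original post: a short Python check that classifies the request-target in each Squid access.log line by its RFC 9112 form and flags 400 responses where only a path arrived, which is the symptom in the two log lines quoted above. The function names are illustrative, and the parser assumes Squid's default native log format.

```python
import re
from typing import List, NamedTuple, Optional

# The two access.log lines quoted in the post (Squid native log format).
SAMPLE_LOG = """\
1672285498.374 1 127.0.0.1 TCP_MISS/200 257 GET http://10.244.0.72:869/health admin HIER_DIRECT/10.244.0.72 -
1672285454.813 0 10.244.0.86 NONE_NONE/400 3971 GET /health - HIER_NONE/- text/html
"""

class Entry(NamedTuple):
    client: str
    result: str   # Squid result code, e.g. TCP_MISS or NONE_NONE
    status: int   # HTTP status returned to the client
    method: str
    target: str   # request-target exactly as Squid logged it
    form: str     # RFC 9112 request-target form

def target_form(method: str, target: str) -> str:
    """Classify a request-target using the RFC 9112 section 3.2 names."""
    if target == "*":
        return "asterisk-form"
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute-form"      # what a forward proxy needs for plain HTTP
    if target.startswith("/"):
        return "origin-form"        # what an origin server or reverse-proxy backend gets
    if method == "CONNECT":
        return "authority-form"     # host:port, used for tunnels
    return "unknown"

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format access.log line; return None if it does not fit."""
    fields = line.split()
    if len(fields) < 7:
        return None
    result, _, status = fields[3].partition("/")
    if not status.isdigit():
        return None
    method, target = fields[5], fields[6]
    return Entry(fields[2], result, int(status), method, target,
                 target_form(method, target))

def unroutable_requests(log_text: str) -> List[Entry]:
    """Entries rejected with 400 whose target is only a path, so no upstream was named."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries
            if e and e.status == 400 and e.form == "origin-form"]

if __name__ == "__main__":
    for e in unroutable_requests(SAMPLE_LOG):
        print(f"{e.client} sent {e.method} {e.target} ({e.form}) -> {e.result}/{e.status}")
```

Run against a live access.log, a cluster of flagged entries from a single in-cluster client address points at a reverse proxy hop in front of Squid rather than at the end clients.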