How to expose forward proxy (e.g. squid) via Traefik

Hi, I'm trying to deploy a squid proxy in a Kubernetes cluster fronted by Traefik. The architecture looks like this:

inbound request on port 3128 => metallb => traefik => squid => upstream
inbound request on port 443 => metallb => traefik => some other webservice

I know that Traefik in general works because all the other services it fronts are working as expected. I also know that Squid is working because when I use kubectl to port-forward the Squid service to localhost and use it as a proxy from there, it behaves as expected.

Here is an example of Squid working as expected to proxy traffic to a private upstream at

curl -U admin:redacted -v -x

Then the following shows up in the Squid logs:

1672285498.374 1 TCP_MISS/200 257 GET admin HIER_DIRECT/ -

On the other hand, if I attempt to contact Squid through Traefik, like this:

curl -U admin:redacted -v -x

Then I get a 400 from Squid (Invalid URL), and the following in the logs:

1672285454.813 0 NONE_NONE/400 3971 GET /health - HIER_NONE/- text/html

Notice that Squid receives GET /health, not GET This naturally leads Squid to return a 400 error because it has not been told what upstream to contact. As far as I can understand, this issue is the result of changes that Traefik makes while proxying the HTTP request.

I saw that the same question was raised at Support forward proxies as backend · Issue #3528 · traefik/traefik · GitHub, but no answer was provided, and the issue was closed.

I reviewed all the official Traefik documentation I could find, and I did not see any reference to a behavior of Traefik that would rewrite the HTTP request line (GET ...), nor any way to disable such a behavior. I also was unable to find any other relevant discussion thread, feature request, or issue on the matter. (There were plenty about people wanting Traefik to use a proxy for one thing or another, but nothing except the issue above about actually deploying a forward proxy fronted by Traefik.)

So, I am not sure whether forward proxies are simply not a supported use case of Traefik, or perhaps I am misunderstanding something, ...?

Happy to provide configuration files and manifests for my use case if it would be helpful.

As a workaround, I can enable IP address sharing in metallb using the annotation, and create a separate Service of type LoadBalancer to expose Squid directly on the same IP address as Traefik. However, this is inconvenient, since I am using Traefik to manage certificates and terminate TLS, so now I need to find a way to replicate this functionality separately for Squid as well (since it no longer goes through Traefik), which duplicates effort.