This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 96%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJF%3C/text%3E%3C/svg%3E)
Currently in the private links of Azure they have implemented the possibility of activating proxy protocol v2. In our company we intend to share our outgoing proxies through a private link. Currently the problem was that you didn't know the source ip when going through the plink. My scenario is:
-Virtual machines with the browser proxy configured pointing to the plink
-On the other side of the plink is a squid proxy
I don't know if I misunderstood the v2 protocol and that protocol would be useful only for consuming an app that collects the headers or if it would work in our scenario, since we are already connecting with a proxy protocol from the machines.
By now, the moment we activate the TCP proxy V2 on the private link our scenario stops working.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 69%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Just tried, use squid version 4.10 with following configuration works on aws setup:
client --> private link service --> squid --> internet
http_port 3128 require-proxy-header
http_port 3128
proxy_protocol_access allow localnet
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
Hello @Julio Forniés , Welcome to the Microsoft Q&A forum.
Based on my understanding of the question, when using private link service, the source IP address of the packets coming from private endpoint is network address translated (NAT). As source Ip is not known you enabled TCP proxy V2 but your scenario stopped working.
From the documentation for TCP Proxy V2 the source IP is included proxy protocol header and the Service provider is responsible for making sure that the service behind the standard load balancer is configured to parse the proxy protocol header as per the specification when proxy protocol is enabled on private link service. The request will fail if proxy protocol setting is enabled on private link service but service provider's service is not configured to parse the header. Similarly, the request will fail if the service provider's service is expecting a proxy protocol header while the setting is not enabled on the private link service. So, in your case the application will be required to parse the proxy protocol header for TCP Proxy V2 to work.
Incase if your backend is configured to parse the proxy protocol header and the requests are still failing, you can do a packet capture on your target VM and determine if the TCP Proxy V2 is set-up correctly by checking the proxy protocol header values for LinkID and the source IP.
Hope this helps! Please let me know if you have any additional questions, I will be glad to continue with our discussion. Thank you!
Thank you for the answer. Yes, I saw the documentation, but I haven't seen any proxy on the market that can support that configuration.
With one that exists in the Azure market it would be enough for me.
That's why I was asking if this configuration is compatible with having a proxy on the other side of a private link or if a different application is needed.
Now we have a squid, but we can change it if it can really be made to work with a market proxy behind a private link enabling TCP proxy V2 on the private link.
Thank you for the answer. Yes, I saw the documentation, but I haven't seen any proxy on the market that can support that configuration.
With one that exists in the Azure market it would be enough for me.
That's why I was asking if this configuration is compatible with having a proxy on the other side of a private link or if a different application is needed.
Now we have a squid, but we can change it if it can really be made to work with a market proxy behind a private link enabling TCP proxy V2 on the private link.
What I mean is a scenario like this:
User equipment with configured browsing proxy to 192.168.0.5:8080
The idea is that this user can surf the internet
The IP 192.168.0.5 would be the private link
And on the other side of the private link, published by a private service, there would be a squid with access to the internet listening on port 8080
This scenario works, but stops working if you enable protocol v2.
The question is if this scenario would really work with a web proxy as I have put, or if it will never work because on the other side it is thought that there is a web application and not an outgoing proxy to the internet
user browser --> plink (tcp protocol v2) --> squid --> internet
Hello @Julio Forniés , Thank you for providing additional information. I think to troubleshoot this issue we will need to have a closer look at the set-up. Please refer to my private message below for additional details. Thank you!
I have same setup user browser --> plink (tcp protocol v2) --> squid --> internet and with same problem, a little more details:
After I enabled tcp proxy protocol v2 on my plink, I do see proxy protocol v2 packet on my squid server after tcp 3way handshake, however the packet does not include the Azure TLV described in (https://learn.microsoft.com/en-us/azure/private-link/private-link-service-overview), and the subsequent https request failed.
I tried to configure squid proxy (version 3.5) with http://www.squid-cache.org/Doc/config/proxy_protocol_access/, with example: https://serverfault.com/questions/840926/squid-proxy-protocol-access-with-dstdomain-acl
, but still not working.
Thanks for the reply.
I already tried that configuration too when I opened this thread. Because I found something similar here:
https://www.spinics.net/lists/squid/msg94673.html
But it didn't work for me either with the tcp v2 protocol active on the private link.
Can you copy the entire squid configuration please?
Is it a squid from the Azure market or configured by you on an Ubuntu?
This is the squid config file:
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
proxy_protocol_access allow localnet
http_access deny all
http_port 3128 require-proxy-header
http_port 3128
"Is it a squid from the Azure market or configured by you on an Ubuntu?"
It is a marketplace Ubuntu20 --- this is a setup I tried on AWS. Will try Azure with the same squid configuration.
Thanks for the config.
So you haven't tried then in Azure.
I have read in many places that it works in AWS, but in Azure I tell you that I have tried it with a thousand configurations and it has not worked for me
Just tried below setup on Azure with squid (Squid Cache: Version 4.10) running on Azure provided Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1017-azure x86_64)
browser --> plink (tcp protocol v2) --> squid --> internet
with same squid config used for AWS setup as shown above, it works.
Great news!!
Have you used squid proxy with ubuntu from the Azure market or have you installed proxy squid on a clean ubuntu from the Azure market?
Because I used the Squid Proxy Server+ubuntu from the Azure market last day again and it didn't work for me
I created ubuntu VM with the Azure provided Ubuntu 20.04.4 LTS (GNU/Linux 5.13.0-1017-azure x86_64), then log into VM, and do apt install squid.
Many thanks!!!!
I've tried it and it works!!!!
It doesn't work with the squid on the market but installing it on ubuntu 20.04 works.
I have put exactly the configuration that you indicated.
Thanks again!!!!