[squid-users] Forward Squid work with AWS ALB

Alex Rousskov rousskov at measurement-factory.com
Fri Sep 12 18:42:37 UTC 2025

Previous message (by thread): [squid-users] Forward Squid work with AWS ALB
Next message (by thread): [squid-users] Which versions of squid Support ident ?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2025-09-11 23:59, Tan Tang Suan (NCS) wrote:

> I am running Squid 3.5.20 in AWS as a forward proxy (http_port 3128) to 
> forward client traffic through a firewall to the Internet.
> 
> The proxy works fine when placed behind a Network Load Balancer (NLB). 
> However, when I place Squid behind an Application Load Balancer (ALB) on 
> port 3128, Squid receives malformed requests and logs the following error:
> 
>    ERR_INVALID_URL
> 
>    HTTP/400 Bad Request
> 
>  From my understanding, this happens because ALB only supports 
> HTTP/HTTPS listeners and does not forward raw TCP traffic the way Squid 
> expects on port 3128.

That understanding is incorrect: Squid does _not_ expect raw TCP traffic 
on a forward-proxy http_port. Squid expects HTTP traffic instead.

I do not know what kind of HTTP requests your Squid receives, but I 
suspect that your ALB configuration does not match your Squid 
configuration. If ALB supports forward proxies, configure ALB to forward 
traffic to a forward proxy listening at Squid's http_port address.

If you still have problems, consider sharing a sample problematic 
request received at http_port. If you use any optional http_port 
parameters, please share them as well.

You should also plan to upgrade: Squid v3 is very buggy and unsupported 
by Squid Project. However, the basics described about apply to any Squid 
version.

HTH,

Alex.

> My questions are:
> 
> 1. Is there any Squid configuration that can make it compatible with AWS 
> ALB (which handles HTTP only), while still operating as a forward proxy?
> 
> 2. If not, are there recommended approaches to integrate Squid with AWS 
> WAF (which requires ALB/CloudFront) so that Squid can still function as 
> a forward proxy for outbound client HTTPS traffic?
> 
> 3. Would switching to reverse proxy mode help in this case, or would 
> that break HTTPS CONNECT tunneling?
> 
> Environment details:
> 
> - Squid 3.5.20
> 
> - Deployed in AWS VPC
> 
> - Works with NLB, fails with ALB
> 
> Thank you for any guidance or suggestions. Hope to hear from you soon.
> 
> Thanks and regards,
> 
> Tan Tang Suan
> 
> Mobile: 96228330
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users

Previous message (by thread): [squid-users] Forward Squid work with AWS ALB
Next message (by thread): [squid-users] Which versions of squid Support ident ?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the squid-users mailing list