Squid proxy docker can not be reached from certain hosts

stephanseemove · January 11, 2024, 12:48pm

I run docker on a Photon OS VM on a VMWare server.

I created a container with the following docker-compose.yaml:

services:
  squid:
    image: sameersbn/squid
    restart: no
    container_name: squid
    hostname: squid
    volumes:
     - ./config/squid.conf:/etc/squid/squid.conf
    ports:
     - "10.30.10.88:8080:3128"

When testing the squid docker from a windows machine on the network that has the IP address 10.10.100.2 it works and I can succesfully make a WebRequest from that windows client:

Invoke-WebRequest -Uri "http://www.google.com" -Proxy (New-Object System.Uri("10.30.10.88:8080")) -UseBasicParsing

However when I make the same test from other windows machines within the IP address range 172.18.10.0/24 (e.g. 172.18.10.87; 172.18.10.214) it is not succesful.

I used tcpdump to investigate the difference.

Tcpdump on docker-host of test from 10.10.100.2:

08:52:52.229435 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [P.], seq 4029925884:4029926040, ack 2780089641, win 1026, length 156: HTTP: GET http://www.google.com/ HTTP/1.1
08:52:52.292147 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 8536, win 1026, length 0
08:52:52.292347 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 12640, win
1026, length 0
08:52:52.292825 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 16964, win
1026, length 0
08:52:52.293187 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 21048, win
1026, length 0
08:52:52.293524 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 25152, win
1026, length 0
08:52:52.293608 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 26657, win
1026, length 0
08:52:52.293656 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 29464, win
1026, length 0
08:52:52.294392 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 32271, win
1026, length 0
08:52:52.294583 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 35138, win
1026, length 0
08:52:52.294583 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 36485, win
1021, length 0
08:52:52.295381 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 43506, win
1026, length 0
08:52:52.295578 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 46320, win
1026, length 0
08:52:52.296192 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 49127, win
1026, length 0
08:52:52.296404 IP 10.10.100.2.54632 > 10.30.10.88.http-alt: Flags [.], ack 52245, win
1026, length 0

Tcpdump on docker-host of test from 172.18.10.214:

08:54:58.582128 IP 172.18.10.214.50598 > 10.30.10.88.ndl-aas: Flags [SEW], seq 1877155012, win 65535, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
08:54:59.582872 IP 172.18.10.214.50598 > 10.30.10.88.ndl-aas: Flags [SEW], seq 1877155012, win 65535, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
08:55:01.579291 IP 172.18.10.214.50598 > 10.30.10.88.ndl-aas: Flags [S], seq 1877155012, win 65535, options [mss 1375,nop,nop,sackOK], length 0
08:55:24.427633 IP 172.18.10.214.50610 > 10.30.10.88.ndl-aas: Flags [SEW], seq 4249270886, win 65535, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
08:55:24.762376 IP 172.18.10.214.50611 > 10.30.10.88.ndl-aas: Flags [SEW], seq 4173747800, win 65535, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
08:55:25.423622 IP 172.18.10.214.50610 > 10.30.10.88.ndl-aas: Flags [SEW], seq 4249270886, win 65535, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
08:55:25.764580 IP 172.18.10.214.50611 > 10.30.10.88.ndl-aas: Flags [SEW], seq 4173747800, win 65535, options [mss 1375,nop,wscale 8,nop,nop,sackOK], length 0
08:55:27.421593 IP 172.18.10.214.50610 > 10.30.10.88.ndl-aas: Flags [S], seq 4249270886, win 65535, options [mss 1375,nop,nop,sackOK], length 0
08:55:27.762579 IP 172.18.10.214.50611 > 10.30.10.88.ndl-aas: Flags [S], seq 4173747800, win 65535, options [mss 1375,nop,nop,sackOK], length 0

The hosts within the 172.18.10.0/24 are AWS machines that are connected to the network of the docker host via an ipsec tunnel. To make sure that that is not the root of the issue I setup a debian VM on the same VMware sever where the docker host VM is running and installed squid there with the same configuration as the docker squid. With this squid instance the connections from the AWS windows hosts are succesful.

The packets from the AWS hosts are arriving at the docker host but somehow no connection is being established. Is there any setting within docker that may prevent the docker container to make a connection with a host that it things is on another network?

All the things I checked:

All firewalls between AWS hosts and docker host
disable iptables on photon os docker host
configure container to use custom bridge network, that includes the IP addresses of the AWS hosts
tried ubuntu/squid image instead
using a completely different proxy application: GitHub - dwaaan/PHP-Proxy-Docker: Docker files for PHP-Proxy from https://www.php-proxy.com/

Topic		Replies	Views
How can I make my clients (host) use my Squid proxy inside Docker container? General docker	0	1434	April 14, 2018
Central Squid Proxy for LAN Network inside Docker Container General	0	1297	January 28, 2021
Accessing container by its internal IP from Windows host Docker Desktop docker , beta	0	2004	October 19, 2016
Can't ping containers from host on the company's network but works otherwise General docker	0	551	July 10, 2023
Problem with docker container redirecting to docker container on different host General	2	659	October 25, 2023

Squid proxy docker can not be reached from certain hosts

Related topics