Re: Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?


On 03.04.2012 12:12, Peter Olsson wrote:
> On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
>> On 03.04.2012 02:21, Peter Olsson wrote:
>>> Hello!
>>>
>>> Squid 3.1.19.
>>>
>>> Our squid servers are dual stack IPv4/IPv6 since about a year,
>>> with this config "hack":
>>>
>>> tcp_outgoing_address x:x:x:x::x to_ipv6
>>> tcp_outgoing_address x.x.x.x !to_ipv6
>>> acl to_ipv6 dst ipv6
>>> http_access allow to_ipv6 !all
>>>
>>> But now our users are tired of webs that announce IPv6 addresses
>>> but don't answer on port 80 on these addresses. So I enabled
>>> dns_v4_first in the config and did squid -k reconfigure.
>>> But it didn't help, we still get IPv6 timeouts towards
>>> misconfigured web sites.
>>>
>>> I'm guessing that dns_v4_first and the ipv6 config above are
>>> mutually exclusive? Should I change the tcp_outgoing_address
>>> line to just this:
>>> tcp_outgoing_address x:x:x:x::x
>>> tcp_outgoing_address x.x.x.x
>>> and remove these lines:
>>> acl to_ipv6 dst ipv6
>>> http_access allow to_ipv6 !all
>>>
>>> Or will this remove all of our IPv6 connectivity through squid?
>>>
>>
>> You are the first person to report any issues. They are interrelated
>> but should not be exclusive. Does ordering the tcp_outgoing_address with
>> IPv4 address first help?
>>
>> Amos
>
> Changing order of tcp_outgoing_address doesn't help, our squid with
> "dns_v4_first on" still gives the Operation timed out error, and it
> is trying to connect to the IPv6 address of the web server.
>
> I also tried removing these four lines completely:
> tcp_outgoing_address x:x:x:x::x to_ipv6
> tcp_outgoing_address x.x.x.x !to_ipv6
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
>
> But that didn't help either, it still tries the IPv6 address even
> though I have dns_v4_first on.
>
> Is there some internal DNS timeout in squid that I should wait for
> before testing between changes?

Er, yes. Whatever the TTL of the domain being tested against is. A restart clears the DNS caches, so may be better here than just a reconfigure.

> What debug setting should I use to see why squid is choosing the
> IPv6 address?

comm (5) and DNS (78) sections at level 6. Possibly more if that is not enough.

Amos
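
The debug setting suggested above, written out as a squid.conf fragment. This is an added example, not part of the original thread; keeping every other section at level 1 with `ALL,1` is an assumption.

```conf
# Prefer IPv4 (A) results over IPv6 (AAAA) when both are returned
dns_v4_first on

# Keep all sections at level 1, raise comm (section 5) and DNS (section 78) to level 6
debug_options ALL,1 5,6 78,6
```

As the reply notes, a restart rather than a reconfigure clears the DNS caches, so test after restarting with these settings in place.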