On Tue, Apr 03, 2012 at 12:22:52PM +1200, Amos Jeffries wrote:
> On 03.04.2012 12:12, Peter Olsson wrote:
> > On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> >> On 03.04.2012 02:21, Peter Olsson wrote:
> >> > Hello!
> >> >
> >> > Squid 3.1.19.
> >> >
> >> > Our squid servers are dual stack IPv4/IPv6 since about a year,
> >> > with this config "hack":
> >> >
> >> > tcp_outgoing_address x:x:x:x::x to_ipv6
> >> > tcp_outgoing_address x.x.x.x !to_ipv6
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > But now our users are tired of webs that announce IPv6 addresses
> >> > but don't answer on port 80 on these addresses. So I enabled
> >> > dns_v4_first in the config and did squid -k reconfigure.
> >> > But it didn't help, we still get IPv6 timeouts towards
> >> > misconfigured web sites.
> >> >
> >> > I'm guessing that dns_v4_first and the ipv6 config above are
> >> > mutually exclusive? Should I change the tcp_outgoing_address
> >> > line to just this:
> >> > tcp_outgoing_address x:x:x:x::x
> >> > tcp_outgoing_address x.x.x.x
> >> > and remove these lines:
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > Or will this remove all of our IPv6 connectivity through squid?
> >> >
> >>
> >> You are the first person to report any issues. They are interrelated
> >> but should not be exclusive. Does ordering the tcp_outgoing_address
> >> with IPv4 address first help?
> >>
> >> Amos
> >
> > Changing order of tcp_outgoing_address doesn't help, our squid with
> > "dns_v4_first on" still gives the Operation timed out error, and it
> > is trying to connect to the IPv6 address of the web server.
> >
> > I also tried removing these four lines completely:
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But that didn't help either, it still tries the IPv6 address even
> > though I have dns_v4_first on.
> >
> > Is there some internal DNS timeout in squid that I should wait for
> > before testing between changes?
>
> Er, yes. Whatever the TTL of the domain being tested against is. A
> restart clears the DNS caches, so may be better here than just a
> reconfigure.

Excellent! It works now after restart.
I will keep the ipv6 lines above out of our config,
I don't think we really need them.

Thanks!

--
Peter Olsson pol@xxxxxxxxxxx
CCIE #8963 R&S, Security +46 520 500511
Leissner Data AB +46 701 809511