Re: Re: Squid: how to link inbound IPv4 + multiple port connections to unique outbound IPv6's

On 24/05/2013 9:03 p.m., bilderberger wrote:
Amos Jeffries-2 wrote
logfile_rotate 5

## this line is obsolete in 3.3.5
##emulate_httpd_log yes

server_persistent_connections off
The above is no longer necessary with squid-3.2 and later. You can
safely enable server persistence now without getting any of the
connection crossover bugs which were so annoying in older Squid.
Thank you, that is very helpful.

Amos Jeffries-2 wrote
forwarded_for off

## declare an acl that is true for all ipv6 destinations
acl to_ipv6 dst ipv6

## deny ipv4 access
http_access deny !to_ipv6
This is probably the cause of your non-connectivity problem. IPv4 and
not-IPv6 are two different things, all of IPv4 space maps inside IPv6.
Also, just about all IPv6-enabled sites also have IPv4 addresses.

What exactly are you trying to achieve here?
    ensuring that your clients get to IPv6 version of sites?
or, ensuring that they get rejection pages if they go to IPv4-only sites?
or, preventing access to IPv4 side of dual-stacked sites?
The purpose in this instance was to force IPv6 connection, or no connection
at all. The sites to be accessed in this case should be dual-stacked and as
far as I can see (at least, when testing my previous partially working
script with 3.1.1) IPv6 was taking priority. What I wanted to ensure was no
leakage of the IPv4 address of the proxy on dual stack sites. Would this
accomplish this?

When I tested this on 3.1.1 it seemed to work for that purpose - I went to
http://ipv6-test.com/ and without this line, the test was showing both IPv6
and IPv4 address. With the line enabled, the test only showed IPv6. Is there
a better way to approach this?

It should do that yes. However, Squid will only have such leakage if there are problems with the IPv6 addresses and this method will push a rejection page back at the users until the used DNS records timeout instead of trying to recover IPv6 access immediately.

You may want to simply place a firewall block on IPv4 outbound traffic from the proxy (maybe with a specific tcp_outgoing_address IPv4 to simplify the firewall rules). That will make Squid mark any IPv4 it tries as BAD connectivity when it gets to them and cycle back to using the IPv6 again. Or even better have the resolver(s) used by Squid set up to not provide it with any IPv4 in the first place.

Amos
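Whichever of the approaches in this thread is used (the http_access deny, the firewall block, or an IPv6-only resolver), the proxy's own access.log is the place to verify that no IPv4 upstream connection actually happened. The script below is an added example, not part of the thread and not a Squid tool: it assumes the native Squid log format, where field 9 is hierarchy-code/server-address (for example HIER_DIRECT/203.0.113.7), and flags any line whose upstream address is an IPv4 literal, including the ::ffff: IPv4-mapped form. The sample log lines are constructed.

```shell
#!/bin/sh
# Added example: find IPv4 upstream connections in a Squid native-format
# access.log. Assumes the default native format:
#   ts elapsed client code/status bytes method URL ident hier/from type
# so that $9 is <hierarchy-code>/<server-address>.
set -eu

# Constructed sample lines (not real proxy data): one IPv6 fetch, one fetch
# that went out over IPv4, and one request Squid denied (no upstream at all).
SAMPLE_LOG='1369387380.123    412 2001:db8:1::10 TCP_MISS/200 5120 GET http://ipv6-test.com/ - HIER_DIRECT/2001:db8:ff::1 text/html
1369387381.456    298 2001:db8:1::10 TCP_MISS/200 880 GET http://ipv6-test.com/images/4.png - HIER_DIRECT/203.0.113.7 image/png
1369387382.789      0 2001:db8:1::10 TCP_DENIED/403 3421 GET http://example.test/ - HIER_NONE/- text/html'

# Read a native-format log on stdin and print every line whose upstream
# address (after the "/" in field 9) is an IPv4 literal, plain or
# IPv4-mapped (::ffff:a.b.c.d). HIER_NONE/- and IPv6 literals are skipped.
ipv4_upstream_lines() {
    awk '{
        split($9, h, "/")
        if (h[2] ~ /^(::ffff:)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print
    }'
}

# Convenience wrapper: how many IPv4 upstream connections the sample shows.
# A result of 0 on a real log means the IPv6-only policy held.
sample_ipv4_upstream_count() {
    printf '%s\n' "$SAMPLE_LOG" | ipv4_upstream_lines | wc -l | tr -d ' '
}

# Stand-alone usage: show the offending sample line and the count.
printf '%s\n' "$SAMPLE_LOG" | ipv4_upstream_lines
sample_ipv4_upstream_count
```

On a live proxy the check is just `ipv4_upstream_lines < /var/log/squid/access.log`; if the logformat has been customised, adjust the field number (or match on the %<a token's position) before trusting the result.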




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux