Hello Amos, thank you for the reply. On Thu, Dec 11, Amos Jeffries wrote: > > we use squid 3.4.9 as proxy for our company with ipv4 and ipv6 > > dual stack. It works good, but if a destination has an A and AAAA > > record and the webserver isn't reachable via ipv6, squid generates > > an error page instead of trying a connection via ipv4. > > > > One example is the url: > > > > https://ssl.ratsinfo-online.net/pirna-ri/logon.asp > > > > where squid tries to reach the webside via the ip > > 2001:8d8:87c:5f00::6e:72d6, but without success, because it isn't > > reachable. > > > > Now I want, that squid does a fallback to ipv4 after > > connect_timeout, but squid returns an error page (ERR_CONNECT_FAIL) > > to the client. > > > > Squid rarely sees https:// URLs like that. Check if it is being given > the server name in a way that it can lookup all IPs, or just the one > IP address. in my squidlogs I see a line like: Fri Dec 19 13:49:18 2014 4789 10.252.16.100 TCP_MISS/503 0 CONNECT ssl.ratsinfo-online.net:443 - HIER_NONE/- - So I think squid gets the hostname instead of an ip address. > It also depends on how long the connection attempt(s) take. > If it takes longer to lookup the DNS (dns_timeout) and try that one > IP (connect_timeout * connect_retries) than the entire transaction is > permitted to use (forward_timeout), then there is of course no time to > try anything else. when I do a "host ssl.ratsinfo-online.net" on the server where squid runs I get the Ipv4 and the Ipv6 immediately. I didn't set any of the parameters forward_timeout, connect_timeout, connect_retries. > Note also that the message in the ERR_CONNECT_FAIL page is the result > of the final attempt made. Squid may have made several connection > attempts to other IP which also failed. for a http connections, the fallback to ipv4 works, but not for a https connection. The web server ssl.ratsinfo-online.net listens on port 80 for http and on port 443 for https. When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6 to ipv4 works fine, but when I do a https://ssl.ratsinfo-online.net/ squid tries ipv6 only and doesn't do a fallback to ipv4. I would be nice, if you can try it on your dial stack setup. Thank you. -- Regards Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the >From field. _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
