On 20/02/2015 8:16 a.m., Yuri Voinov wrote:
> https://www.google.com/search?q=ipv4+to+ipv6
>

WTF? google-fu failure ;-)

> 19.02.15 23:35, masterx81 wrote:
>> After further search, it seems that the webpage now is trying to get
>> files from cdnjs.cloudflare.com, but it resolves as an ipv6
>> address. My network is not ready for ipv6. I've already shut off
>> ipv6 on the interface,

1) Disabling the NIC has never been a good idea, or even truly possible. If you followed almost any of the online tutorials then it's not so much disabled as broken (like smashing a window to let in the breeze).

2) Squid does kernel capability detection and v4-only kernels will cause Squid to not even look up AAAA records or attempt IPv6 connections. v6-enabled kernels without network connectivity (actual connectivity "down" no-IPv6 state, not borked NIC drivers) will inform Squid on connection setup that the IP is unreachable, causing immediate retry with a different IP address.

3) It's seriously well past time you started making things IPv6-enabled. ARIN exhaustion is expected to occur in *less than 90 days*. Most of the "eyeballs" user population lives in areas that already ran out years ago (WiFi NAT upon DSL NAT upon Tier-3 CGNAT upon Tier-2 CGNAT ... my last two employers' VPN tools didn't stand a chance /rant).

4) Instead of disabling components in the kernel your firewalls should instead be configured to block unwanted traffic just like for unwanted IPv4 **. Let the IPv6-enabled bits operate within the machine the way it's designed to, even if there is no global IPv6 assigned or permission to leave the box.

That way when your network links do come online with IPv6 you already have the on-machine parts mostly operating okay and there will be fewer changes. You can even (for now) work on rolling network links out slowly between specific devices or services so when things go noticeably mad in IPv4 world you have less to do.

** If you don't have a firewall capable of controlling IPv6 then you urgently need it upgraded, priority #1, right now.

>> used the "dns_v4_first on" and
>> "tcp_outgoing_address 0.0.0.0", but still no luck.... It tries
>> always to use the ipv6. What I can do?
>

Cloudflare are one of the CDN presenting very long lists of IP addresses for both IPv4 and IPv6 (10 of each for me). You need to increase the forward_max_tries from your version's default 10 to the current recommended 25 before Squid has much hope of handling the connect failover at all.

After that dns_v4_first should just be a latency tuning knob. Set to ON reduces useless v6 attempts on an IPv4-only network. Set to OFF reduces them on an IPv6-enabled network.

NOTE: it has no effect at all unless both the kernel and the domain being visited are IPv6-enabled, it's just a sorting order for IP lookup results.

You should also try an upgrade to a more current Squid version. No guarantees, but we are constantly doing improvements to match Internet environmental changes (like that forwarding retries setting change) and there may be a more obscure bug involved.

Amos
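
The following is an added example, not part of the original message and not Squid code: a simplified Python model of the failover arithmetic the reply describes, showing how 10 AAAA plus 10 A records interact with forward_max_tries and dns_v4_first on an IPv4-only network. The function names, the network_has_v6 flag and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: 10 AAAA + 10 A records, the counts the reply reports.
# Addresses come from documentation ranges; they are not real CDN addresses.
CDN_RECORDS = [f"2001:db8::{i:x}" for i in range(1, 11)] + \
              [f"192.0.2.{i}" for i in range(1, 11)]


def order_candidates(addresses, dns_v4_first):
    """Model dns_v4_first as the reply describes it: only a sort order."""
    v4 = [a for a in addresses if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in addresses if ipaddress.ip_address(a).version == 6]
    return v4 + v6 if dns_v4_first else v6 + v4


def forward(addresses, dns_v4_first, forward_max_tries, network_has_v6):
    """Try candidates in order until one connects or the try budget runs out.

    Returns (connected_address_or_None, failed_attempts). Assumption: every
    IPv4 address is reachable, and IPv6 addresses are reachable only when
    network_has_v6 is True.
    """
    failed = 0
    candidates = order_candidates(addresses, dns_v4_first)
    for addr in candidates[:forward_max_tries]:
        is_v6 = ipaddress.ip_address(addr).version == 6
        if is_v6 and not network_has_v6:
            failed += 1          # kernel reports unreachable, move to next IP
            continue
        return addr, failed
    return None, failed          # budget exhausted before any working address


if __name__ == "__main__":
    for v4_first, tries in [(False, 10), (False, 25), (True, 10)]:
        addr, failed = forward(CDN_RECORDS, v4_first, tries, network_has_v6=False)
        print(f"dns_v4_first={'on' if v4_first else 'off'} "
              f"forward_max_tries={tries}: connected={addr} failed={failed}")
```

In this model a budget of 10 is used up entirely by the unreachable IPv6 addresses, a budget of 25 reaches the first IPv4 address after 10 failures, and dns_v4_first on removes those 10 failures without changing whether the request can succeed.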