On 16.05.2015 01:41, Amos Jeffries wrote:
On 16/05/2015 6:14 a.m., Walter H. wrote:Hello, is IPv6 somewhat similar to IPv4?Somewhat, yes.
I just wondered because of the "different" behaviour;
yes this should be the intention, that you get an error (in this case the errorpage) when you have e.g. http://84.84.84.2/ or https://84.84.84.2/ as URL in your browser ...e.g. I would write acl block_ipv4_range dst 84.84.84.0/24 deny_info errorpage block_ipv4_range http_access deny block_ipv4_range to block any hosts within this IPv4 rangeTaking a step asside, that is not quite what those rules do. They block access from anywhere *to* the IP address range (TCP/IP packet destination on the request messages).
If you were trying to prevent those hosts themselves from accessing anything through the proxy you need the "src" ACL type.
I know;
I noticed the difference, but wondered why e.g. /etc/hosts.deny contains this:how would be the syntax for blocking any hosts within a specific IPv6 subnet e.g. [2408:8000::]/24FYI the [] syntax is URL format - for uses when a port may exist. So the ':' between IP:port dont get confused.
sshd: [2408:8000::]/24
why I'm asking, because; when having both sections in squid.conf and doing SSL-bumpshould it be this? acl block_ipv6_subnet dst 2408:8000::/24 deny_info errorpage block_ipv6_subnet http_access deny block_ipv6_subnetYes. Though the /N CIDR range is probably different. An IPv4 /24 is equivalent to an IPv6 /52 (255 separate pieces of hardware with a mandatory /64 each).
you get a different reaction in the browser: https://84.84.84.22/ brings the 'errorpage' as expectedthe generated certificate has the IP-address (84.84.84.22) as its common name;
but https://[2408:8000::3]/ behaves different in various browsers: - IE 7: brings a certificate error, when accepting you get the errorpagethe generated certificate has the IP-address 2408:8000::3 as its common name
- later FF (17+) do nothing, older FF (3.6) bring
"The proxy server is refusing connections
Firefox is configured to use a proxy server that is refusing
connections."
- Chrome 42 brings ' Your connection is not private' and NET::ERR_CERT_COMMON_NAME_INVALID
when clicking advanced and proceed with warning you get the errorpage
the generated certificate has the IP-address 2408:8000::3 as
its common name
trying https://[2408:8000:0:0:0:0:0:3]/ does an automatic reduction to https://[2408:8000::3]/ by the browser
does it seem to be problematic, when having an TLS-server with an IPv6 address only without DNS, because of the comm name?
Thanks, Walter
<<attachment: smime.p7s>>
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
