Search squid archive

Re: Squid do not reply

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/10/21 2:37 pm, Alex Rousskov wrote:
On 10/4/21 5:18 PM, Henning Svane wrote:


I search more on the problem and it shows that Squid as default only use IPv6

I really doubt that. Your access.log records seem to confirm my belief
that your Squid was listening on an IPv4 address (at least) -- Squid
would not see (and log) requests from IPv4 clients like 10.40.61.11 if
it were listening on IPv6 only.

Unfortunately, the exact meaning of "::" and "[::]" addresses (and even
"tcp6 ... ::" lines in netstat!) depends on the environment. Lots of
folks (mis)interpret those symbols as "any IPv6 address". That
interpretation is correct in some environments and wrong in many others.

No. "any IPv6 address" is the literal definition of "::".

The situation is that some (dual-stack, hybrid-stack) environments treat IPv4 as a part of IPv6 and others (split-stack) do not. Squid has been well tested in this area. It correctly opens the appropriate ports for the stack type. Ubuntu is dual-stack so the IPv6 port ("[::]:3128" is the correct one to open and use for both IPv4 and IPv6 clients.


Here is one detailed answer that enumerates a few cases, including what
looks like yours (except for an sshd instead of Squid):
https://serverfault.com/a/39561


That documentation is about Windows Vista which have a split-stack where IPv4 needs a dedicated IPv4-only port opened. As I mentioned above, Squid is well tested for these and will properly open both IPv6 and IPv4 ports on split-stack OS.


You can, of course, verify whether Squid listens on an IPv4 address by
connecting to port 3128 on that IPv4 address using telnet or another
program.


Please note that Squid listening address has nothing to do with Squid
outgoing address. That is why I suggested that you disable
(misconfigured?) IPv6 in your environment so that Squid does not try to
forward a request it received via IPv4 using a Squid-server connection
with IPv6 addresses.


To clarify what Alex is suggesting is one of these;

Either,

Add firewall rules that block public IPv6 traffic trying to be sent to your ISP. That means ip6tables rules to deny all traffic (not iptables which is IPv4-only). - this way Squid will attempt to connect to those IPv6 servers, but when rejected should failover to IPv4 ones. If you get ISP IPv6 connectivity you just need to change firewall rules and Squid starts working with those.


Or,

Configure the OS network interface not to allocate IPv6 addresses even for localhost. - this way Squid will detect the lack of IPv6 functionality on the machine and disable all use of IPv6 - incoming, internal uses, and outgoing traffic. If you get ISP IPv6 connectivity you need to change both the OS interface config and then restart Squid to pickup the change of capability.


However. Before you try those it would be helpful to test whether IPv4 is actually going to work to those servers. The issue may not be IP related at all.

I suggest adding "dns_v4_first on" to squid.conf. Squid-4 and older will first try connecting to IPv4 servers, only trying IPv6 ones if those fail. You will then only see IPv6 addresses for servers which are not available over IPv4. (Squid-5+ work differently and do not provide this option).


One possible bug you may be encountering is a known APT issue. When APT hands the proxy a URL with raw-IPv6 it uses the 5xx/4xx status response as final. It does not try to reach a different IP address of the server it was connecting to. There is nothing we can do in Squid to fix that. Efforts to get it fixed in APT have so far not been successful.


Finally, please make sure that ICMP and ICMPv6 are functional in your environment and do anything you can to ensure your ISP has it functional as well. Yes there are *some* packet types that need to be blocked for security, but the rest MUST NOT.

Squid and many other software rely on ICMP control signals indicating that connections have failed so they can re-try using an different IP address. This is important even for retry with two IPv4 addresses. Your router or ISPs router should be delivering those signals to Squid, otherwise the connection retry may not even be attempted.


Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux