Hello,
I had the same crushes. A network dump showed me that crushes occurred when clients tried to access IPv6 http-resources.
I blocked these requests at the beginning of the proxy policy.
The following configuration seems to be a workaround for me:
acl urldst_ipv6 url_regex ^http://\[http_access deny urldst_ipv6
I don't know if this workaround is also suitable for https-resources. May be it should be rewritten like this:
acl urldst_ipv6_https url_regex ^\[http_access deny urldst_ipv6_https
Kind regards,
Ankor.
чт, 14 сент. 2023 г. в 17:12, Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx>:
On 2023-09-14 07:02, Flashdown wrote:
> Sep 14 08:55:06 vm-myproxy squid[79100]: Squid Parent: squid-2 process
> 80675 exited due to signal 6 with status 0
> 1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407
> 4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html
> IPv6 is disabled via sysctl config "net.ipv6.conf.all.disable_ipv6=1"
Your Squid is most likely suffering (among other v5 bugs) from Squid Bug
5154: https://bugs.squid-cache.org/show_bug.cgi?id=5154
To confirm, enable core dumps and look for a gdb backtrace sequence
similar to the one posted in the above bug report:
* in __assert_fail
* in Ip::Address::getAddrInfo(addrinfo*&, int) const
* in comm_openex(int, int, Ip::Address&, int, char const*)
The best known way to prevent bug 5154 is to enable IPv6 support. If
that is not feasible in your environment, then please keep reading.
Squid bug 5154 has an unofficial but, IMO, correct fix at PR 1421:
https://github.com/squid-cache/squid/pull/1421
The above fix is not trivial and has side effects: For Squids that
cannot handle IPv6 (e.g., because IPv6 support was disabled at
./configure time or is unavailable in the deployment environment), the
fix will, in part, reject requests with IPv6 addresses in URLs. This
rejection may negatively affect Squids that were "worked OK" by
forwarding such traffic to IPv4 ICAP servers and cache_peers (at least).
PR 1421 changes cannot be applied to Squid v5 "as is"; they have to be
backported. I do not have a backporting patch for virgin Squid v5.
HTH,
Alex.
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
