Hello, Flashdown,
As you can see in your access.log, your client tried to connect not to a DNS hostname but directly to IPv6 address:
1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407
4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html
So, I suppose that your DNS configuration changes will not eliminate the client requests to [ff00::]:443
But I believe that enabling IPv6 will prevent your squid crushes.
Kind regards,
Ankor.
вт, 19 сент. 2023 г. в 19:04, Flashdown <flashdown@xxxxxxxxxxxxx>:
Thank you Alex for confirming this and all the hints given.
I have taken another path to fix this. I have configured the dns
forwarders that squid is configured to use, to not give out any AAAA
responses. After that I have enabled IPv6 on this box to completly avoid
this bug. Thank you!
---
Best regards,
Flashdown
Am 2023-09-14 16:11, schrieb Alex Rousskov:
> On 2023-09-14 07:02, Flashdown wrote:
>
>> Sep 14 08:55:06 vm-myproxy squid[79100]: Squid Parent: squid-2 process
>> 80675 exited due to signal 6 with status 0
>
>> 1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407
>> 4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html
>
>> IPv6 is disabled via sysctl config "net.ipv6.conf.all.disable_ipv6=1"
>
>
> Your Squid is most likely suffering (among other v5 bugs) from Squid
> Bug 5154: https://bugs.squid-cache.org/show_bug.cgi?id=5154
>
> To confirm, enable core dumps and look for a gdb backtrace sequence
> similar to the one posted in the above bug report:
>
> * in __assert_fail
> * in Ip::Address::getAddrInfo(addrinfo*&, int) const
> * in comm_openex(int, int, Ip::Address&, int, char const*)
>
> The best known way to prevent bug 5154 is to enable IPv6 support. If
> that is not feasible in your environment, then please keep reading.
>
>
> Squid bug 5154 has an unofficial but, IMO, correct fix at PR 1421:
> https://github.com/squid-cache/squid/pull/1421
>
> The above fix is not trivial and has side effects: For Squids that
> cannot handle IPv6 (e.g., because IPv6 support was disabled at
> ./configure time or is unavailable in the deployment environment), the
> fix will, in part, reject requests with IPv6 addresses in URLs. This
> rejection may negatively affect Squids that were "worked OK" by
> forwarding such traffic to IPv4 ICAP servers and cache_peers (at
> least).
>
> PR 1421 changes cannot be applied to Squid v5 "as is"; they have to be
> backported. I do not have a backporting patch for virgin Squid v5.
>
>
> HTH,
>
> Alex.
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx https://lists.squid-cache.org/listinfo/squid-users
