The error it shows when I activate IPv6 only mode not dual stack is

Error: no forward proxy ports configured
Squid terminated

Sent from my iPhone

> On Jul 30, 2024, at 20:16, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
> On 30/07/24 08:47, Jonathan Lee wrote:
>> I did not know that I had the option set to disable Squid ICMP pinger
>
> pinger helper is not related.
>
>
> What I meant was that you need to ensure ICMPv6 protocol is enabled and working on your network. That is usually a firewall issue.
>
> If it is blocked, the IPv6 packet fragmentation mechanism (required for tunnels) will not work and result in behaviour like you are seeing.
> Similarly if MTU is set too large for the tunnel maximum packet size.
>
>
>> I enabled ping helper I show a good socket for my IPV6 interface address but every IPV6 only device shows NONE_NONE/409 on the Squid Access Table
>
> 409 generated by Squid is a failed security check.
> <https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery>
>
>
>> I get the same result. How would I change MTU on Squid isn’t that set to auto discover with the HTTP port directive?
>
> Yes, that is done using ICMPv6 and the primary reason why Squid needs that protocol working.
>
>> I also forgot to mention the IPV6 only device works when I have it set to not use the proxy.
>
> The list of ports you show below has Squid accepting direct (forward proxy) connections with an IPv4-only port 3128.
>
>
> I really do recommend using the port-only configuration style. At least until you get the proxy working properly. Squid sockets are dual-stack and accept both protocols by default. That will help you sort out the scope of what each port number is doing and avoid copy-paste mistakes like this.
>
>
>> Thanks again for the reply. It does work from IPV4 to IPV6 requests but never for IPV6 to IPV6 addresses or pure IPV6. I can disable the proxy and the system works for IPV6 to IPV6 only.
>
>
>> Here is my configuration I am testing..
>> # This file is automatically generated by pfSense
>> # Do not edit manually !
>> http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> http_port [REDACTED:192::]:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>> https_port [REDACTED:192::]:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/local/etc/squid/serverkey.pem tls-cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3
>
>
>> tls_outgoing_options cafile=/usr/local/share/certs/ca-root-nss.crt
>> tls_outgoing_options capath=/usr/local/share/certs/
>> tls_outgoing_options options=NO_SSLv3
>> tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>> sslcrtd_children 10
>
>
>> # Allow local network(s) on interface(s)
>> acl localnet src 192.168.1.0/27 REDACTED:192::/64
>
>> acl block_hours time 00:30-05:00
>> ssl_bump terminate all block_hours
>> http_access deny all block_hours
>> acl getmethod method GET
>
>
>> tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
>> #SINGLE_DH_USE,SINGLE_ECDH_USE
>> acl HttpAccess dstdomain '/usr/local/pkg/http.access'
>> acl windowsupdate dstdomain '/usr/local/pkg/windowsupdate'
>
>
>> refresh_pattern -i ^http.*squid.internal.* 43200 100% 79900 override-expire override-lastmod ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth
>
>> # Updates: Windows
>> refresh_pattern -i microsoft.com/..(cab|exe|msi|msu|msf|asf|wma|dat|zip)$ 4320 80% 43200 refresh-ims
>> refresh_pattern -i windowsupdate.com/..(cab|exe|msi|msu|msf|asf|wma|wmv)|dat|zip)$ 4320 80% 43200 refresh-ims
>> refresh_pattern -i windows.com/..(cab|exe|msi|msu|msf|asf|wmv|wma|dat|zip)$ 4320 80% 43200 refresh-ims
>> refresh_pattern -i microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i windows.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 4320 80% 43200
>> refresh_pattern -i .*windowsupdate.com/.*.(cab|exe) 259200 100% 259200
>> refresh_pattern -i .*update.microsoft.com/.*.(cab|exe|dll|msi|psf) 259200 100% 259200
>> refresh_pattern windowsupdate.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern download.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern www.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern au.download.windowsupdate.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
>> refresh_pattern bg.v4.pr.dl.ws.microsoft.com/.*.(cab|exe|dll|msi|psf) 4320 100% 43200
>> #windows update NEW UPDATE 0.04
>> refresh_pattern update.microsoft.com/.*.(cab|exe) 43200 100% 129600
>> refresh_pattern ([^.]+.)?(download|(windows)?update).(microsoft.)?com/.*.(cab|exe|msi|msp|psf) 4320 100% 43200
>> refresh_pattern update.microsoft.com/.*.(cab|exe|dll|msi|psf) 10080 100% 43200
>> refresh_pattern -i .update.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .windowsupdate.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .download.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>> refresh_pattern -i .ws.microsoft.com/.*.(cab|exe|ms[i|u|f]|[ap]sf|wm[v|a]|dat|zip) 525600 100% 525600
>>
>
> You might want to look through these patterns in future and remove the impossible-to-match ones and duplicates.
>
>> acl https_login url_regex -i ^https.*(login|Login).*
>> cache deny https_login
>> acl donotcache dstdomain '/var/squid/acl/donotcache.acl'
>> cache deny donotcache
>> cache allow all
>
>
>> # Setup some default acls
>> # ACLs all, manager, localhost, and to_localhost are predefined.
>> acl allsrc src all
>> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 3128 3129 1025-65535
>> acl sslports port 443 563 8080 5223 2197
>> acl purge method PURGE
>> acl connect method CONNECT
>> # Define protocols used for redirects
>> acl HTTP proto HTTP
>> acl HTTPS proto HTTPS
>> # SslBump Peek and Splice
>> # http://wiki.squid-cache.org/Features/SslPeekAndSplice
>> # http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
>> # Match against the current step during ssl_bump evaluation [fast]
>> # Never matches and should not be used outside the ssl_bump context.
>> #
>> # At each SslBump step, Squid evaluates ssl_bump directives to find
>> # the next bumping action (e.g., peek or splice). Valid SslBump step
>> # values and the corresponding ssl_bump evaluation moments are:
>> # SslBump1: After getting TCP-level and HTTP CONNECT info.
>> # SslBump2: After getting TLS Client Hello info.
>> # SslBump3: After getting TLS Server Hello info.
>> # These ACLs exist even when 'SSL/MITM Mode' is set to 'Custom' so that
>> # they can be used there for custom configuration.
>> acl step1 at_step SslBump1
>> acl step2 at_step SslBump2
>> acl step3 at_step SslBump3
>> acl banned_hosts src '/var/squid/acl/banned_hosts.acl'
>> acl whitelist dstdom_regex -i '/var/squid/acl/whitelist.acl'
>> acl blacklist dstdom_regex -i '/var/squid/acl/blacklist.acl'
>> http_access allow manager localhost
>> http_access deny manager
>> http_access allow purge localhost
>> http_access deny purge
>> http_access deny !safeports
>> http_access deny CONNECT !sslports
>> # Always allow localhost connections
>> http_access allow localhost
>> quick_abort_min 0 KB
>> quick_abort_max 0 KB
>> quick_abort_pct 95
>> request_body_max_size 0 KB
>> delay_pools 1
>> delay_class 1 2
>> delay_parameters 1 -1/-1 -1/-1
>> delay_initial_bucket_level 100
>> delay_access 1 allow allsrc
>> # Reverse Proxy settings
>> deny_info TCP_RESET allsrc
>> # Package Integration
>> url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard/squidGuard.conf
>> url_rewrite_bypass off
>> url_rewrite_children 32 startup=8 idle=4 concurrency=0
>> # Custom options before auth
>> #host_verify_strict on
>> # These hosts are banned
>> http_access deny banned_hosts
>> # Always allow access to whitelist domains
>> http_access allow whitelist
>> # Block access to blacklist domains
>> http_access deny blacklist
>> # List of domains allowed to logging in to Google services
>> request_header_access X-GoogApps-Allowed-Domains deny all
>> request_header_add X-GoogApps-Allowed-Domains consumer_accounts
>> # Set YouTube safesearch restriction
>> acl youtubedst dstdomain -n www.youtube.com m.youtube.com youtubei.googleapis.com youtube.googleapis.com www.youtube-nocookie.com
>> request_header_access YouTube-Restrict deny all
>> request_header_add YouTube-Restrict none youtubedst
>> acl sglog url_regex -i sgr=ACCESSDENIED
>> http_access deny sglog
>> # Custom SSL/MITM options before auth
>> cachemgr_passwd disable offline_toggle reconfigure shutdown
>> cachemgr_passwd REDACTED all
>> eui_lookup on
>> acl no_miss url_regex -i gateway.facebook.com/ws/realtime?
>> acl no_miss url_regex -i web-chat-e2ee.facebook.com/ws/chat
>> acl CONNECT method CONNECT
>> acl wuCONNECT dstdomain www.update.microsoft.com
>> acl wuCONNECT dstdomain sls.microsoft.com
>> http_access allow CONNECT wuCONNECT localnet
>> http_access allow CONNECT wuCONNECT localhost
>> http_access allow windowsupdate localnet
>> http_access allow windowsupdate localhost
>> http_access allow HttpAccess localnet
>> http_access allow HttpAccess localhost
>> http_access deny manager
>> acl BrokenButTrustedServers dstdomain '/usr/local/pkg/dstdom.broken'
>> acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
>> sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
>> sslproxy_cert_error deny all
>> acl splice_only src 192.168.1.8 #Tasha iPhone
>> acl splice_only src 192.168.1.10 #Jon iPhone
>> acl splice_only src REDACTEDIPV6:6383:14b3 #Jon iPhone
>> acl splice_only src 192.168.1.11 #Amazon Fire
>> acl splice_only src 192.168.1.15 #Tasha HP
>> acl splice_only src 192.168.1.16 #iPad
>> acl splice_only src REDACTEDIPV6f:8589:3922 #iPad
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl splice_only_mac arp REDACTEDMAC
>> acl NoSSLIntercept ssl::server_name_regex -i '/usr/local/pkg/reg.url.nobump'
>> acl NoBumpDNS dstdomain '/usr/local/pkg/dns.nobump'
>
>> acl active_use annotate_client active=true
>> acl bump_only src 192.168.1.3 #webtv
>> acl bump_only src 192.168.1.4 #toshiba
>> acl bump_only src 192.168.1.5 #imac
>> acl bump_only src REDACTEDIPV6:720b:5bdd #imac
>> acl bump_only src 192.168.1.9 #macbook
>> acl bump_only src 192.168.1.13 #dell
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> acl bump_only_mac arp REDACTEDMAC
>> ssl_bump peek step1
>> miss_access deny no_miss active_use
>> ssl_bump splice https_login active_use
>> ssl_bump splice splice_only_mac splice_only active_use
>> ssl_bump splice NoBumpDNS active_use
>> ssl_bump splice NoSSLIntercept active_use #tested without MAC match
>
>> ssl_bump bump bump_only active_use
>
>
>> # Setup allowed ACLs
>> # Allow local network(s) on interface(s)
>> http_access allow localnet
>> # Default block all to be sure
>> http_access deny allsrc
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.squid-cache.org/listinfo/squid-users
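An added check, not from the thread and not Squid's own code, that classifies http_port/https_port lines the way Amos describes: intercept, tproxy and accel ports never take direct (forward-proxy) requests, and a forward port bound to an IPv4 literal is unreachable from IPv6-only clients. Function names and the sample config are constructed (the IPv6 prefix is a documentation placeholder, not the redacted one above); it reproduces both the IPv4-only 3128 forward port in the quoted config and the "no forward proxy ports configured" startup failure that remains once that port is dropped.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the pfSense-generated config quoted in the thread.
SAMPLE_CONF = """\
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on
http_port [2001:db8:192::1]:3128 intercept ssl-bump
https_port [2001:db8:192::1]:3129 intercept ssl-bump
"""

PORT_RE = re.compile(r"^\s*(https?_port)\s+(\S+)(.*)$")
# Listening modes that never accept forward-proxy (direct) requests.
NON_FORWARD_MODES = {"intercept", "transparent", "tproxy", "accel"}

def parse_port_lines(conf):
    """Yield (directive, address or None, port, option set) per http(s)_port line."""
    for line in conf.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        directive, listen, rest = m.groups()
        if listen.startswith("["):            # [v6addr]:port
            addr, port = listen[1:].split("]:", 1)
        elif ":" in listen:                   # v4addr:port
            addr, port = listen.rsplit(":", 1)
        else:                                 # bare port: wildcard bind, dual-stack
            addr, port = None, listen
        yield directive, addr, int(port), set(rest.split())

def listen_family(addr):
    """'dual' for wildcard binds, else 'v4' or 'v6' for a specific address."""
    if addr is None or ip_address(addr).is_unspecified:
        return "dual"
    return "v6" if ip_address(addr).version == 6 else "v4"

def forward_port_families(conf):
    """Address families on which forward-proxy (non-intercept, non-accel) ports listen."""
    return {listen_family(addr)
            for _, addr, _, opts in parse_port_lines(conf)
            if not opts & NON_FORWARD_MODES}

def audit(conf):
    """Findings as strings; an empty list means forward ports cover both families."""
    fams = forward_port_families(conf)
    if not fams:
        return ["no forward proxy ports configured: Squid refuses to start"]
    if fams == {"v4"}:
        return ["forward proxy listens on IPv4 only: IPv6-only clients cannot reach it"]
    if fams == {"v6"}:
        return ["forward proxy listens on IPv6 only: IPv4-only clients cannot reach it"]
    return []
```

Replacing the IPv4 literal on the 3128 forward port with a bare `http_port 3128` (the port-only style Amos recommends) makes the audit report nothing, because a wildcard bind is dual-stack.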