On 2025-02-26 07:05, Matus UHLAR - fantomas wrote:
I'd like squid to avoid considering using ipv6,
because even if any ipv6 attempt failed, there still were some being made
... at least I assume so from squid logs:
1740062747.503 0 192.0.2.1 NONE_NONE/503 0 CONNECT ad.turn.com:443 - HIER_DIRECT/2001:678:cb4:bbbb::11 -
As I understand it, I can build squid without ipv6 support. Is there any
other way to disable outgoing ipv6 communication?
Yes, for some definition of "ipv6 communication". Modern Squids[1]
should not open connections to IPv6 addresses after deciding (at
startup) that IPv6 is not supported. When that "not supported" decision
is made, you should get a level-0 "BCP 177 violation" WARNING in
cache.log. Unfortunately, that diagnostic is not provided for some use
cases.
[1] Here, "modern Squids" are Squids with a Bug 5154 fix (e.g., v5.10,
v6.13, and v7.0.1; see master commit 97bbba61 for details).
From what I read in the archives, using "acl" makes no sense, as it decides
whether to block a request or not
Using http_access to block requests to IPv6 addresses makes sense in
some cases, but it is difficult to get right, and it cannot cover all
use cases, so I would not recommend that solution in most cases.
...and the directive dns_v4_first is long obsolete
Correct. It is ignored (with a warning).
What I have tried:
1. disabling ipv6 by setting (linux) net.ipv6.conf.all.disable_ipv6=1
but in logs squid complains:
2025/02/24 00:00:10| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
This warning is a positive sign for your use case: Modern Squids[1]
should not open connections to IPv6 addresses after the above warning.
2. reboot linux kernel with option "ipv6.disable=1"
(at least the ipv6 attempts stopped)
I have not checked, but I am guessing that this OS configuration results
in the same overall outcome as net.ipv6.conf.all.disable_ipv6=1 but
without a BCP 177 violation warning at level-1. Check level-2 cache.log
for an "IPv6 not supported on this machine. Auto-Disabled" line. If that
line is there, Squid has disabled IPv6 use just like it does when
printing the BCP 177 warning.
After either of the last two attempts, squid seems to crash too often.
#5 0x0000564f2a77e824 in Ip::Address::getAddrInfo(addrinfo*&, int)
Your old Squid is suffering from Bug 5154 (at least):
https://bugs.squid-cache.org/show_bug.cgi?id=5154
I have squid 5.7 on Debian 12
Consider upgrading to a modern Squid[1].
HTH,
Alex.
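
The two checks discussed in this message, as an added example that is not part of the original e-mail or of Squid itself: it looks for either IPv6-disabled marker in cache.log text and lists access.log entries whose next-hop address is IPv6. It assumes the default native access.log layout (hierarchy/peer in the ninth field); the sample lines are constructed, apart from the two quoted in the message.

```python
import ipaddress

# Constructed sample input; the first access.log line and the cache.log line
# are the ones quoted in the message, the rest are made up for illustration.
ACCESS_LOG = """\
1740062747.503 0 192.0.2.1 NONE_NONE/503 0 CONNECT ad.turn.com:443 - HIER_DIRECT/2001:678:cb4:bbbb::11 -
1740062748.120 35 192.0.2.1 TCP_TUNNEL/200 4512 CONNECT example.com:443 - HIER_DIRECT/198.51.100.7 -
1740062749.001 0 192.0.2.1 TCP_DENIED/403 3900 GET http://example.net/ - HIER_NONE/- text/html
"""
CACHE_LOG = """\
2025/02/24 00:00:10| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
"""

# Either line means Squid decided at startup that IPv6 is not supported.
IPV6_OFF_MARKERS = (
    "BCP 177 violation",
    "IPv6 not supported on this machine. Auto-Disabled",
)


def ipv6_auto_disabled(cache_log: str) -> bool:
    """True if cache.log text contains one of the IPv6-disabled markers."""
    return any(m in line for line in cache_log.splitlines()
               for m in IPV6_OFF_MARKERS)


def ipv6_peers(access_log: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, URL, peer) for entries whose next hop is IPv6."""
    hits = []
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) < 10:          # not a native-format entry
            continue
        _hier, _, peer = fields[8].partition("/")
        try:
            addr = ipaddress.ip_address(peer.strip("[]"))
        except ValueError:            # "-" or a hostname, not an address
            continue
        if addr.version == 6:
            hits.append((fields[0], fields[6], str(addr)))
    return hits


if __name__ == "__main__":
    print("IPv6 auto-disabled:", ipv6_auto_disabled(CACHE_LOG))
    for ts, url, peer in ipv6_peers(ACCESS_LOG):
        print(f"{ts} {url} -> {peer}")
```

IPv6 next hops that keep appearing in access.log after a disabled marker was logged at startup are the pattern worth comparing against the Bug 5154 fix versions named above.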