Re: [squid-users] Dual Stack (IPv4,IPv6) Oddities

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 16 Oct 2010 00:42:24 +0000

On Fri, 15 Oct 2010 14:52:57 -0400, Morgan Humes <morgan_at_lanaddict.com>
wrote:
> Sorry if this has already been addressed at some time, however I was
> unable to find anyone else having similar occurrences with a dual
> stack configuration. For starters, here is what my configuration
> looks like:
>
> Squid Version:
>
> Squid Cache: Version 3.1.6
> configure options: '--build=x86_64-linux-gnu' '--prefix=/usr'
> '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
> '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
> '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
> '--disable-maintainer-mode' '--disable-dependency-tracking'
> '--disable-silent-rules' '--srcdir=.' '--datadir=/usr/share/squid3'
> '--sysconfdir=/etc/squid3' '--mandir=/usr/share/man'
> '--with-cppunit-basedir=/usr' '--enable-inline' '--enable-async-io=8'
> '--enable-storeio=ufs,aufs,diskd' '--enable-removal-policies=lru,heap'
> '--enable-delay-pools' '--enable-cache-digests' '--enable-underscores'
> '--enable-icap-client' '--enable-follow-x-forwarded-for'
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM'
> '--enable-ntlm-auth-helpers=smb_lm,'
> '--enable-digest-auth-helpers=ldap,password'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
> '--enable-arp-acl' '--enable-esi' '--disable-translation'
> '--with-logdir=/var/log/squid3' '--with-pidfile=/var/run/squid3.pid'
> '--with-filedescriptors=65536' '--with-large-files'
> '--with-default-user=proxy' '--enable-linux-netfilter'
> 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -g -Wall -O2' 'LDFLAGS='
> 'CPPFLAGS=' 'CXXFLAGS=-g -O2 -g -Wall -O2'
> --with-squid=/home/white/debian/packages/squid3/new/squid3-3.1.6
>
>
> I create a tunnel to my server that is running squid using ssh and
> running with a default (debian) configuration. My server is
> dual-stacked (public IPv4 and IPv6 addresses) while the client is
> IPv4 only.
>
> Over the past few days I have been developing a website and found an
> oddity on what address is reported specifically from my laptop while
> using this tunnel. It appears that Squid is alternating between using
> the IPv4 and IPv6 address (the destination website is also dual stack)
> and as such was making it difficult for myself to deal with these
> sessions.
>
> So this appears to be happening because:
>
> * Squid is choosing to use IPv6 and IPv4 randomly /
> interchangeably causing server side session checking to fail (phpBB
> has an IP Address check for example)
>
> So my questions are:
>
> * Did I miss something in the configuration file?

This sounds like the balance_on_multiple_ip setting has been turned on,
which will make Squid round-robin the website IP which it goes to on every
TCP connection. It's not so obvious with IPv4 alone but when the destination
IP changes family Squid is forced to change its sending IP as well.

> * Has anyone else seen similar issues?
> * Are there fixes/patches/work-arounds for this situation?

Turning off balance_on_multiple_ip and turning on the persistent
connections setting should reduce the problem a bit. At least in the case
of sites which require a fixed IP for the life of a session.

However you need to be aware this behaviour is likely to increase with
IPv6 usage. Each machine can and does have multiple IPs it can use to send
from. Windows boxes and networks using so-called "privacy" address mangling
change their IP on short random intervals.

Amos
Received on Sat Oct 16 2010 - 00:42:30 MDT
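
To confirm from the proxy side that upstream connections are switching address family as described in this thread, the added example below (not part of the original messages and not Squid project code) counts IPv4/IPv6 changes per client and destination host in access.log. It assumes Squid's default native log layout with the origin server address in the hierarchy field; the log lines and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, assuming the default native layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1287103945.101 120 127.0.0.1 TCP_MISS/200 5120 GET http://forum.example.net/index.php - DIRECT/2001:db8::10 text/html
1287103946.220 98 127.0.0.1 TCP_MISS/200 2210 GET http://forum.example.net/viewtopic.php - DIRECT/192.0.2.10 text/html
1287103947.005 101 127.0.0.1 TCP_MISS/200 1800 GET http://forum.example.net/ucp.php - DIRECT/2001:db8::10 text/html
1287103948.400 87 127.0.0.1 TCP_MISS/200 900 GET http://static.example.org/a.css - DIRECT/198.51.100.7 text/css
1287103949.010 15 127.0.0.1 TCP_MEM_HIT/200 900 GET http://static.example.org/a.css - NONE/- text/css
1287103950.300 60 127.0.0.1 TCP_MISS/200 4000 CONNECT secure.example.com:443 - DIRECT/2001:db8::20 -
"""

def peer_family(hier_field):
    """Return 4 or 6 for 'DIRECT/<ip>', or None when no origin IP was logged."""
    _, _, peer = hier_field.partition("/")
    try:
        return ipaddress.ip_address(peer.strip("[]")).version
    except ValueError:
        return None  # '-' (cache hit) or a hostname instead of an address

def dest_host(method, url):
    """Destination host from a CONNECT 'host:port' target or a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname

def family_flips(log_text):
    """Map (client, destination host) -> count of IPv4<->IPv6 changes
    between consecutive requests that reached the origin server."""
    last, flips = {}, defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # not a complete native-format record
        fam = peer_family(f[8])
        if fam is None:
            continue
        key = (f[2], dest_host(f[5], f[6]))
        if key in last and last[key] != fam:
            flips[key] += 1
        last[key] = fam
    return dict(flips)

if __name__ == "__main__":
    for (client, host), n in family_flips(SAMPLE_LOG).items():
        print(f"{client} -> {host}: upstream address family changed {n} time(s)")
```

Hosts that show a non-zero count are the ones where a server-side IP address check on the session would see the client address change.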
