Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?

From: Peter Olsson <pol_at_leissner.se>
Date: Tue, 3 Apr 2012 02:12:11 +0200

On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> On 03.04.2012 02:21, Peter Olsson wrote:
> > Hello!
> >
> > Squid 3.1.19.
> >
> > Our squid servers are dual stack IPv4/IPv6 since about a year,
> > with this config "hack":
> >
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But now our users are tired of webs that announce IPv6 addresses
> > but don't answer on port 80 on these addresses. So I enabled
> > dns_v4_first in the config and did squid -k reconfigure.
> > But it didn't help, we still get IPv6 timeouts towards
> > misconfigured web sites.
> >
> > I'm guessing that dns_v4_first and the ipv6 config above are
> > mutually exclusive? Should I change the tcp_outgoing_address
> > line to just this:
> > tcp_outgoing_address x:x:x:x::x
> > tcp_outgoing_address x.x.x.x
> > and remove these lines:
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > Or will this remove all of our IPv6 connectivity through squid?
> >
>
> You are the first person to report any issues. They are interrelated
> but should not be exclusive. Does ordering the tcp_outgoing_address with
> IPv4 address first help?
>
> Amos

Changing order of tcp_outgoing_address doesn't help, our squid with
"dns_v4_first on" still gives the Operation timed out error, and it
is trying to connect to the IPv6 address of the web server.

I also tried removing these four lines completely:
tcp_outgoing_address x:x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all

But that didn't help either, it still tries the IPv6 address even
though I have dns_v4_first on.

Is there some internal DNS timeout in squid that I should wait for
before testing between changes?

What debug setting should I use to see why squid is choosing the
IPv6 address?

Thanks!

-- 
Peter Olsson                    pol_at_leissner.se
Received on Tue Apr 03 2012 - 00:12:25 MDT

This archive was generated by hypermail 2.2.0 : Tue Apr 03 2012 - 12:00:02 MDT