Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Apr 2012 12:22:52 +1200

On 03.04.2012 12:12, Peter Olsson wrote:
> On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
>> On 03.04.2012 02:21, Peter Olsson wrote:
>> > Hello!
>> >
>> > Squid 3.1.19.
>> >
>> > Our squid servers have been dual stack IPv4/IPv6 for about a year,
>> > with this config "hack":
>> >
>> > tcp_outgoing_address x:x:x:x::x to_ipv6
>> > tcp_outgoing_address x.x.x.x !to_ipv6
>> > acl to_ipv6 dst ipv6
>> > http_access allow to_ipv6 !all
>> >
>> > But now our users are tired of webs that announce IPv6 addresses
>> > but don't answer on port 80 on these addresses. So I enabled
>> > dns_v4_first in the config and did squid -k reconfigure.
>> > But it didn't help, we still get IPv6 timeouts towards
>> > misconfigured web sites.
>> >
>> > I'm guessing that dns_v4_first and the ipv6 config above are
>> > mutually exclusive? Should I change the tcp_outgoing_address
>> > line to just this:
>> > tcp_outgoing_address x:x:x:x::x
>> > tcp_outgoing_address x.x.x.x
>> > and remove these lines:
>> > acl to_ipv6 dst ipv6
>> > http_access allow to_ipv6 !all
>> >
>> > Or will this remove all of our IPv6 connectivity through squid?
>> >
>>
>> You are the first person to report any issues. They are interrelated
>> but should not be exclusive. Does ordering the tcp_outgoing_address
>> with IPv4 address first help?
>>
>> Amos
>
> Changing order of tcp_outgoing_address doesn't help, our squid with
> "dns_v4_first on" still gives the Operation timed out error, and it
> is trying to connect to the IPv6 address of the web server.
>
> I also tried removing these four lines completely:
> tcp_outgoing_address x:x:x:x::x to_ipv6
> tcp_outgoing_address x.x.x.x !to_ipv6
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
>
> But that didn't help either, it still tries the IPv6 address even
> though I have dns_v4_first on.
>
> Is there some internal DNS timeout in squid that I should wait for
> before testing between changes?

Er, yes. Whatever the TTL of the domain being tested against is. A
restart clears the DNS caches, so may be better here than just a
reconfigure.

>
> What debug setting should I use to see why squid is choosing the
> IPv6 address?

comm (5) and DNS (78) sections at level 6. Possibly more if that is not
enough.

Amos
Received on Tue Apr 03 2012 - 00:22:55 MDT
