Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?

From: Peter Olsson <pol_at_leissner.se>
Date: Tue, 3 Apr 2012 02:47:39 +0200

On Tue, Apr 03, 2012 at 12:22:52PM +1200, Amos Jeffries wrote:
> On 03.04.2012 12:12, Peter Olsson wrote:
> > On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> >> On 03.04.2012 02:21, Peter Olsson wrote:
> >> > Hello!
> >> >
> >> > Squid 3.1.19.
> >> >
> >> > Our squid servers have been dual stack IPv4/IPv6 for about a year,
> >> > with this config "hack":
> >> >
> >> > tcp_outgoing_address x:x:x:x::x to_ipv6
> >> > tcp_outgoing_address x.x.x.x !to_ipv6
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > But now our users are tired of webs that announce IPv6 addresses
> >> > but don't answer on port 80 on these addresses. So I enabled
> >> > dns_v4_first in the config and did squid -k reconfigure.
> >> > But it didn't help, we still get IPv6 timeouts towards
> >> > misconfigured web sites.
> >> >
> >> > I'm guessing that dns_v4_first and the ipv6 config above are
> >> > mutually exclusive? Should I change the tcp_outgoing_address
> >> > line to just this:
> >> > tcp_outgoing_address x:x:x:x::x
> >> > tcp_outgoing_address x.x.x.x
> >> > and remove these lines:
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > Or will this remove all of our IPv6 connectivity through squid?
> >> >
> >>
> >> You are the first person to report any issues. They are interrelated
> >> but should not be exclusive. Does ordering the tcp_outgoing_address
> >> with IPv4 address first help?
> >>
> >> Amos
> >
> > Changing order of tcp_outgoing_address doesn't help, our squid with
> > "dns_v4_first on" still gives the Operation timed out error, and it
> > is trying to connect to the IPv6 address of the web server.
> >
> > I also tried removing these four lines completely:
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But that didn't help either, it still tries the IPv6 address even
> > though I have dns_v4_first on.
> >
> > Is there some internal DNS timeout in squid that I should wait for
> > before testing between changes?
>
> Er, yes. Whatever the TTL of the domain being tested against is. A
> restart clears the DNS caches, so may be better here than just a
> reconfigure.

Excellent! It works now after restart. I will keep the ipv6 lines
above out of our config, I don't think we really need them.

Thanks!
 

-- 
Peter Olsson                    pol_at_leissner.se
CCIE #8963 R&S, Security        +46 520 500511
Leissner Data AB                +46 701 809511
Received on Tue Apr 03 2012 - 00:47:51 MDT
