Re: [squid-users] Re: Squid: how to link inbound IPv4 + multiple port connections to unique outbound IPv6's

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 24 May 2013 22:23:29 +1200

On 24/05/2013 9:03 p.m., bilderberger wrote:
> Amos Jeffries-2 wrote
>>> logfile_rotate 5
>>>
>>> ## this line is obsolete in 3.3.5
>>> ##emulate_httpd_log yes
>>>
>>> server_persistent_connections off
>> The above is no longer necessary with squid-3.2 and later. You can
>> safely enable server persistence now without getting any of the
>> connection crossover bugs which were so annoying in older Squid.
> Thank you, that is very helpful.
>
> Amos Jeffries-2 wrote
>>> forwarded_for off
>>>
>>> ## declare an acl that is true for all ipv6 destinations
>>> acl to_ipv6 dst ipv6
>>>
>>> ## deny ipv4 access
>>> http_access deny !to_ipv6
>> This is probably the cause of your non-connectivity problem. IPv4 and
>> not-IPv6 are two different things, all of IPv4 space maps inside IPv6.
>> Also, just about all IPv6-enabled sites also have IPv4 addresses.
>>
>> What exactly are you trying to achieve here?
>> ensuring that your clients get to IPv6 version of sites?
>> or, ensuring that they get rejection pages if they go to IPv4-only sites?
>> or, preventing access to IPv4 side of dual-stacked sites?
> The purpose in this instance was to force IPv6 connection, or no connection
> at all. The sites to be accessed in this case should be dual-stacked and as
> far as I can see (at least, when testing my previous partially working
> script with 3.1.1) IPv6 was taking priority. What I wanted to ensure was no
> leakage of the IPv4 address of the proxy on dual stack sites. Would this
> accomplish this?
>
> When I tested this on 3.1.1 it seemed to work for that purpose - I went to
> http://ipv6-test.com/ and without this line, the test was showing both IPv6
> and IPv4 address. With the line enabled, the test only showed IPv6. Is there
> a better way to approach this?

It should do that, yes. However, Squid will only have such leakage if
there are problems with the IPv6 addresses, and this method will push a
rejection page back at the users until the used DNS records time out
instead of trying to recover IPv6 access immediately.

You may want to simply place a firewall block on IPv4 outbound traffic
from the proxy (maybe with a specific tcp_outgoing_address IPv4 to
simplify the firewall rules). That will make Squid mark any IPv4 it
tries as BAD connectivity when it gets to them and cycle back to using
the IPv6 again. Or, even better, have the resolver(s) used by Squid set up
to not provide it with any IPv4 in the first place.

Amos
Received on Fri May 24 2013 - 10:23:42 MDT
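The layout Amos describes above (an outbound IPv4 firewall block paired with a pinned tcp_outgoing_address, persistence left on), as an added example that is not part of the thread; the addresses 192.0.2.10 and 2001:db8::10 are documentation ranges and the audit_conf helper is an illustration, not a Squid tool:

```shell
#!/bin/sh
# Added example, not code from the thread: the approach suggested in the
# reply, as a squid.conf fragment plus the matching outbound firewall rule,
# and a small audit of an existing squid.conf for the two settings discussed.
# Assumed addresses (documentation ranges; substitute the proxy's own):
PROXY_V4="192.0.2.10"
PROXY_V6="2001:db8::10"

# squid.conf fragment: no "http_access deny !to_ipv6". IPv4 attempts are
# pinned to one source address so the firewall can match them, persistence
# is left on (safe since squid-3.2), and the IPv6 address serves IPv6 sites.
squid_conf_fragment() {
    cat <<EOF
acl to_ipv6 dst ipv6
server_persistent_connections on
tcp_outgoing_address ${PROXY_V6} to_ipv6
tcp_outgoing_address ${PROXY_V4} !to_ipv6
EOF
}

# Firewall rule refusing TCP that leaves from the pinned IPv4. REJECT with a
# reset (rather than DROP) makes the connect fail at once, so Squid marks that
# IPv4 as bad and cycles back to the site's IPv6 instead of waiting out
# connect_timeout.
firewall_rule() {
    echo "iptables -I OUTPUT -p tcp -s ${PROXY_V4} -j REJECT --reject-with tcp-reset"
}

# Audit an existing squid.conf ($1) for the two settings from the thread.
# Prints each finding; returns 0 when clean, 1 when something was flagged.
audit_conf() {
    awk '
        # blanket deny of non-IPv6 destinations: rejection page until the
        # cached DNS record expires instead of an immediate IPv6 retry
        $1 == "http_access" && $2 == "deny" && $3 == "!to_ipv6" {
            print "weak: " $0; bad = 1 }
        # obsolete since squid-3.2; persistence no longer causes crossover
        $1 == "server_persistent_connections" && $2 == "off" {
            print "obsolete: " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Usage: print the fragment and the rule; merge the fragment into squid.conf
# and apply the rule by hand as root after reviewing it.
squid_conf_fragment
firewall_rule
```

Run `audit_conf /etc/squid/squid.conf` against a live configuration to see whether either of the two patterns from the thread is still present.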
