[squid-users] Re: Squid: how to link inbound IPv4 + multiple port connections to unique outbound IPv6's

From: bilderberger <marketquant_at_googlemail.com>
Date: Fri, 24 May 2013 03:53:36 -0700 (PDT)

Amos Jeffries-2 wrote
>>>> ## deny ipv4 access
>>>> http_access deny !to_ipv6
>>> This is probably the cause of your non-connectivity problem. IPv4 and
>>> not-IPv6 are two different things, all of IPv4 space maps inside IPv6.
>>> Also, just about all IPv6-enabled sites also have IPv4 addresses.
>>>
>>> What exactly are you trying to achieve here?
>>> ensuring that your clients get to IPv6 version of sites?
>>> or, ensuring that they get rejection pages if they go to IPv4-only
>>> sites?
>>> or, preventing access to IPv4 side of dual-stacked sites?
>> The purpose in this instance was to force IPv6 connection, or no connection
>> at all. The sites to be accessed in this case should be dual-stacked and as
>> far as I can see (at least, when testing my previous partially working
>> script with 3.1.1) IPv6 was taking priority. What I wanted to ensure was no
>> leakage of the IPv4 address of the proxy on dual stack sites. Would this
>> accomplish this?
>>
>> When I tested this on 3.1.1 it seemed to work for that purpose - I went to
>> http://ipv6-test.com/ and without this line, the test was showing both IPv6
>> and IPv4 address. With the line enabled, the test only showed IPv6. Is there
>> a better way to approach this?
>
> It should do that yes. However, Squid will only have such leakage if
> there are problems with the IPv6 addresses and this method will push a
> rejection page back at the users until the used DNS records timeout
> instead of trying to recover IPv6 access immediately.
>
> You may want to simply place a firewall block on IPv4 outbound traffic
> from the proxy (maybe with a specific tcp_outgoing_address IPv4 to
> simplify the firewall rules). That will make Squid mark any IPv4 it
> tries as BAD connectivity when it gets to them and cycle back to using
> the IPv6 again. Or even better have the resolver(s) used by Squid setup
> to not provide it with any IPv4 in the first place.
>
> Amos

That makes perfect sense Amos, thank you.

FWIW, I removed this line:
http_access deny !to_ipv6
And I could connect through the proxy again - it worked in 3.1.1 but for
some reason it does not work the way I intended in 3.3.5; presumably it also
blocks the IPv4 inbound connection in some way.

However, the original problem remains: "all outbound connections use the same
IPv6 (user5) regardless of the inbound port used, even though there are
different IPv6 defined per port/user - the weird bit is that even if I
comment out that user5 IPv6 from squid.conf, it still gets used for outbound
connections."

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-how-to-link-inbound-IPv4-multiple-port-connections-to-unique-outbound-IPv6-s-tp4660190p4660234.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Fri May 24 2013 - 10:54:12 MDT
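
Added example, not part of the original thread or of Squid itself: one way to check for the IPv4 leakage discussed above is to audit access.log for requests that Squid forwarded to an IPv4 server address. It assumes Squid's native log format, where the ninth field is hierarchy-code/server-address; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample lines in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1369392816.101    120 192.0.2.10 TCP_MISS/200 5120 GET http://ipv6-test.com/ user1 HIER_DIRECT/2001:db8::80 text/html
1369392817.202     95 192.0.2.10 TCP_MISS/200 2048 GET http://dual.example/ user2 HIER_DIRECT/198.51.100.7 text/html
1369392818.303      2 192.0.2.11 TCP_HIT/200 1024 GET http://dual.example/logo.png user2 HIER_NONE/- image/png
1369392819.404    310 192.0.2.12 TCP_MISS/200 900 CONNECT secure.example:443 user5 HIER_DIRECT/203.0.113.9 -
"""


def classify_peer(hier_field):
    """Return 'ipv6', 'ipv4', 'none' or 'name' for a hierarchy/server field."""
    _, _, peer = hier_field.partition("/")
    if peer in ("", "-"):
        return "none"  # served from cache or denied: nothing went upstream
    try:
        addr = ipaddress.ip_address(peer.strip("[]"))
    except ValueError:
        return "name"  # hostname logged instead of an address
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is still IPv4 on the wire.
    if addr.version == 6 and addr.ipv4_mapped is None:
        return "ipv6"
    return "ipv4"


def find_ipv4_egress(log_text):
    """Return (timestamp, user, url, server) for requests sent upstream over IPv4."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or non-native lines
        ts, _, _, _, _, _, url, user, hier, _ = fields[:10]
        if classify_peer(hier) == "ipv4":
            hits.append((ts, user, url, hier.partition("/")[2]))
    return hits


if __name__ == "__main__":
    for ts, user, url, server in find_ipv4_egress(SAMPLE_LOG):
        print(f"{ts} user={user} url={url} went out via IPv4 server {server}")
```
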