[squid-users] Squid doesn't do a fallback from ipv6 to ipv4, if the ipv6 connect fails
Dieter Bloms
squid at bloms.de
Fri Dec 19 13:08:19 UTC 2014
Hello Amos,
thank you for the reply.
On Thu, Dec 11, Amos Jeffries wrote:
> > we use squid 3.4.9 as proxy for our company with ipv4 and ipv6
> > dual stack. It works well, but if a destination has an A and AAAA
> > record and the webserver isn't reachable via ipv6, squid generates
> > an error page instead of trying a connection via ipv4.
> >
> > One example is the url:
> >
> > https://ssl.ratsinfo-online.net/pirna-ri/logon.asp
> >
> > where squid tries to reach the website via the ip
> > 2001:8d8:87c:5f00::6e:72d6, but without success, because it isn't
> > reachable.
> >
> > Now I want squid to do a fallback to ipv4 after
> > connect_timeout, but squid returns an error page (ERR_CONNECT_FAIL)
> > to the client.
> >
>
> Squid rarely sees https:// URLs like that. Check if it is being given
> the server name in a way that it can lookup all IPs, or just the one
> IP address.
In my squid logs I see a line like:
Fri Dec 19 13:49:18 2014 4789 10.252.16.100 TCP_MISS/503 0 CONNECT ssl.ratsinfo-online.net:443 - HIER_NONE/- -
So I think squid gets the hostname instead of an ip address.
> It also depends on how long the connection attempt(s) take.
> If it takes longer to lookup the DNS (dns_timeout) and try that one
> IP (connect_timeout * connect_retries) than the entire transaction is
> permitted to use (forward_timeout), then there is of course no time to
> try anything else.
When I do a "host ssl.ratsinfo-online.net" on the server where squid
runs I get the IPv4 and the IPv6 addresses immediately.
I didn't set any of the parameters forward_timeout, connect_timeout,
connect_retries.
> Note also that the message in the ERR_CONNECT_FAIL page is the result
> of the final attempt made. Squid may have made several connection
> attempts to other IP which also failed.
For http connections the fallback to ipv4 works, but not for an https connection.
The web server ssl.ratsinfo-online.net listens on port 80 for http and
on port 443 for https.
When I do a http://ssl.ratsinfo-online.net/ the fallback from ipv6 to
ipv4 works fine, but when I do a https://ssl.ratsinfo-online.net/ squid tries
ipv6 only and doesn't do a fallback to ipv4.
It would be nice if you could try it on your dual stack setup.
Thank you.
--
Regards
Dieter
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
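
Added example, not part of the original message and not Squid code: a diagnostic to run on the proxy host that walks every A/AAAA address of a name in turn and records which attempts fail fast, which time out, and whether the overall budget leaves time for the next address. The parameter names are borrowed from the Squid directives quoted above; the functions, their default values and the localhost default target are assumptions, and this models only sequential attempts under one budget, not Squid's forwarding logic.

```python
import socket
import sys
import time

def resolve(host, port):
    """Return [(family_name, ip)] for every A/AAAA record, in resolver order."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    return [(names.get(fam, str(fam)), sa[0]) for fam, _, _, _, sa in infos]

def probe(candidates, port, connect_timeout=5.0, connect_retries=0,
          forward_timeout=20.0):
    """Try each address in turn until one accepts a TCP connection.

    Returns (winner, log): winner is the first IP that connected (or None),
    log holds one (family, ip, outcome) row per address that was considered.
    """
    deadline = time.monotonic() + forward_timeout
    log = []
    for family, ip in candidates:
        outcome = "skipped: forward_timeout budget exhausted"
        for _ in range(connect_retries + 1):
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            try:
                # Never wait longer than what is left of the overall budget.
                wait = min(connect_timeout, remaining)
                with socket.create_connection((ip, port), timeout=wait):
                    log.append((family, ip, "connected"))
                    return ip, log
            except socket.timeout:
                # Packets silently dropped: costs the full connect_timeout.
                outcome = "timeout"
            except OSError as exc:
                # Refused or unreachable: fails fast, budget barely touched.
                outcome = "failed: %s" % exc.__class__.__name__
        log.append((family, ip, outcome))
    return None, log

if __name__ == "__main__":
    # Usage: script.py HOST PORT (assumed defaults: localhost 443)
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    winner, rows = probe(resolve(host, port), port)
    for row in rows:
        print("%-5s %-40s %s" % row)
    print("first reachable address:", winner)
```

Running it once against port 80 and once against port 443 of the same name shows whether the IPv6 address behaves differently per port at the TCP level, independent of the proxy.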