[squid-users] Squid and site ryanair.com

Amos Jeffries squid3 at treenet.co.nz
Thu Feb 19 23:58:25 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/02/2015 8:16 a.m., Yuri Voinov wrote:
> https://www.google.com/search?q=ipv4+to+ipv6
> 

WTF? google-fu failure ;-)


> On 19.02.15 23:35, masterx81 writes:
>> After further search it seems that the webpage now is trying to get 
>> files from cdnjs.cloudflare.com, but it resolves as an ipv6 
>> address. My network is not ready for ipv6. I've already shut off 
>> ipv6 on the interface,

1) Disabling the NIC has never been a good idea, or even truly
possible. If you followed almost any of the online tutorials then it's
not so much disabled as broken (like smashing a window to let in the
breeze).


2) Squid does kernel capability detection and v4-only kernels will
cause Squid to not even lookup AAAA records or attempt IPv6
connections. v6-enabled kernels without network connectivity (actual
connectivity "down" no-IPv6 state, not borked NIC drivers) will inform
Squid on connection setup that the IP is unreachable, causing
immediate retry with a different IP address.


3) It's seriously well past time you started making things
IPv6-enabled. ARIN exhaustion is expected to occur in *less than 90
days*. Most of the "eyeballs" user population lives in areas that
already ran out years ago (WiFi NAT upon DSL NAT upon Tier-3 CGNAT
upon Tier-2 CGNAT ... my last two employers' VPN tools didn't stand a
chance   /rant).


4) Instead of disabling components in the kernel your firewalls should
instead be configured to block unwanted traffic just like for unwanted
IPv4 **. Let the IPv6-enabled bits operate within the machine the way
it's designed to, even if there is no global IPv6 assigned or
permission to leave the box. That way when your network links do come
online with IPv6 you already have the on-machine parts mostly
operating okay and there will be fewer changes.
 You can even (for now) work on rolling network links out slowly
between specific devices or services so when things go noticeably mad
in IPv4 world you have less to do.

** If you don't have a firewall capable of controlling IPv6 then you
urgently need it upgraded, priority #1, right now.


>> used the "dns_v4_first on" and
>> "tcp_outgoing_address 0.0.0.0", but still no luck.... It tries 
>> always to use the ipv6. What can I do?
> 

Cloudflare are one of the CDNs presenting very long lists of IP
addresses for both IPv4 and IPv6 (10 of each for me).

You need to increase the forward_max_tries from your version's default
10 to the current recommended 25 before Squid has much hope of
handling the connect failover at all.

After that dns_v4_first should just be a latency tuning knob. Set to
ON reduces useless v6 attempts on an IPv4-only network. Set to OFF
reduces them on an IPv6-enabled network. NOTE: it has no effect at all
unless both the kernel and the domain being visited are IPv6-enabled,
it's just a sorting order for IP lookup results.


You should also try an upgrade to a more current Squid version. No
guarantees, but we are constantly doing improvements to match Internet
environmental changes (like that forwarding retries setting change)
and there may be a more obscure bug involved.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJU5nigAAoJELJo5wb/XPRjocYIAIzDWagLD52sazB/FAEAnzKG
fzMs7EeZuL4sbpS6kYH7JGbu6IfbVCDKxl4Dy03pToIGHSPyzOerBiHXo1J1IlU0
E3mgQab1x6XAa10TyOJ29UJp+Pqx0wmADSIfWdFkre29NYUrB99AdL5Jo18mMkLz
67Lp+3S4ZrFIqUCk/ASbXaJUoHUg7Q02ryJOGYN9dV7y+sE+4rlcIHA3YeyQMnV4
NMMV+dDwzO19G2YJa8E5LfaFSgCv7berpbixP2ku98NmT/bAahu1qmKHTAp+F1ig
TxnEkaLRcMpBBUXp/Ye3cUF+jRlGdH2HTc1wOnAqOc5k0PlY/Diyyshfdsm58Cc=
=xRGy
-----END PGP SIGNATURE-----
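The interaction Amos describes between the size of the CDN's address list, forward_max_tries and dns_v4_first is easy to get wrong in your head, so here is an added illustration (not Squid's code, and not from the mailing list): a small model of destination selection that applies the rules stated in the reply. It assumes, as modelling assumptions, that a v4-only kernel never yields AAAA results, that dns_v4_first only reorders the lookup results (ON puts IPv4 first, OFF puts IPv6 first), and that each unreachable IPv6 address burns one of the forward_max_tries attempts. The address list is constructed from documentation ranges, ten of each family like the post's Cloudflare observation.

```python
"""Model of Squid's connect failover as described in the squid-users reply.

This is an added illustration with constructed data; it is not Squid's
own algorithm and simplifies it to the rules given in the post.
"""

# Constructed lookup result: 10 IPv4 + 10 IPv6 addresses (documentation ranges).
CDN_ADDRS = [f"198.51.100.{i}" for i in range(1, 11)] + \
            [f"2001:db8::{i}" for i in range(1, 11)]


def is_ipv6(addr: str) -> bool:
    return ":" in addr


def lookup(addrs, kernel_ipv6: bool):
    """A v4-only kernel makes Squid skip AAAA lookups entirely (modelling assumption)."""
    return addrs if kernel_ipv6 else [a for a in addrs if not is_ipv6(a)]


def order_destinations(addrs, dns_v4_first: bool):
    """dns_v4_first is only a sort order over the lookup results."""
    v4 = [a for a in addrs if not is_ipv6(a)]
    v6 = [a for a in addrs if is_ipv6(a)]
    return v4 + v6 if dns_v4_first else v6 + v4


def simulate_forwarding(addrs, *, kernel_ipv6=True, ipv6_reachable=True,
                        dns_v4_first=False, forward_max_tries=10):
    """Walk the candidate list the way the post describes and return
    (connected, attempts_used).

    Each candidate costs one try. An IPv6 candidate on a host whose IPv6
    is "down" is reported unreachable by the kernel, so Squid moves on to
    the next candidate immediately; the try is still spent.
    """
    candidates = order_destinations(lookup(addrs, kernel_ipv6), dns_v4_first)
    attempts = 0
    for ip in candidates[:forward_max_tries]:
        attempts += 1
        if is_ipv6(ip) and not ipv6_reachable:
            continue  # unreachable, retry with a different IP
        return True, attempts
    return False, attempts


def compare_settings(addrs):
    """Run the scenarios from the thread side by side on an IPv6-enabled
    kernel whose network has no IPv6 connectivity."""
    base = dict(kernel_ipv6=True, ipv6_reachable=False)
    return {
        "default 10 tries, v4_first off": simulate_forwarding(addrs, **base, dns_v4_first=False, forward_max_tries=10),
        "25 tries, v4_first off": simulate_forwarding(addrs, **base, dns_v4_first=False, forward_max_tries=25),
        "default 10 tries, v4_first on": simulate_forwarding(addrs, **base, dns_v4_first=True, forward_max_tries=10),
        "v4-only kernel, v4_first off": simulate_forwarding(addrs, kernel_ipv6=False, ipv6_reachable=False,
                                                           dns_v4_first=False, forward_max_tries=10),
    }


if __name__ == "__main__":
    for label, (ok, tries) in compare_settings(CDN_ADDRS).items():
        print(f"{label:32s} -> {'connected' if ok else 'FAILED'} after {tries} tries")
```

With the post's 10+10 address list, the first scenario exhausts all ten tries on IPv6 addresses and never reaches an IPv4 one; raising forward_max_tries to 25 lets the eleventh attempt succeed, and dns_v4_first on short-circuits the whole problem. The last scenario shows why dns_v4_first is irrelevant on a v4-only kernel: there are no AAAA results to reorder.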

