[squid-users] Outgoing IPv6 address with no IPv4 address access

Amos Jeffries squid3 at treenet.co.nz
Tue Nov 3 11:56:10 UTC 2015


On 3/11/2015 10:36 p.m., Robert Conlustro wrote:
> I want to do it because I want to know if it’s possible. If I can
> manage a squid server with an IPv4 address that runs an IPv6 service.
> Knowledge for the future, let’s call it, an experiment.
> 

Um. Running an IPv6 service requires support for IPv4. IPv6 is still in
a transitional period.

Right now I see you complaining about how well Squid does the gateway
translation of IPv4-only websites into IPv6 for your clients. And by
implication the vice-versa.


Squid obeys BCP 177. When either one or both of IPv6 or IPv4
connectivity is available they will be used to access the relevant IP
space(s). With a preference for IPv6 (configurable) if both are
available to the remote server. Neither protocol by itself is required
for correct operation of the proxy.

Due to a number of network admins previously screwing up their networks'
IPv6 in a number of nasty ways, we provide a --disable-ipv6 build option to
force Squid to use IPv4-only as a temporary workaround. That is
disappearing as admins fix their networks, and will be removed once the
IPv6 transition is sufficiently advanced. There is no need for a
matching IPv4 option.


If you want to experiment with IPv6-only network conditions, do so
properly with an IPv6-only network or machine. But don't be surprised
when IPv4 connectivity is not available from an IPv6-only machine. Squid
does not perform magic.


> I would rather not use IP tables, I want to use squid. What I mean
> was that I made the main server IPv4 address into a tcp outgoing
> address in squid and then tried to block access to it and it didn’t
> work.

And what I said was that you did it wrong. Then provided a way that does
work. If you don't want to use the way that works, so be it.


You need to understand the problem:

* Squid is not connecting *from* anything. It is connecting *to* an
IPv4-enabled server.

Enjoy the denials:
  acl to_ipv4 dst ipv4
  http_access deny to_ipv4


* The OS *outside* of Squid is deciding what src-IP to use on the TCP
packets.
All Squid can do is tell it to use another of the machine's IPs:
  tcp_outgoing_address 127.0.0.1 all


> 
> Is it possible to do a redirect of all http/https traffic directed to
> the main IPv4 address of the server? This would also work. For
> example if someone tried to visit an IPv4 only site it would redirect
> them back to a different site so trying to use the IPv4 address would
> be useless.

If you can define what criteria in the client-to-Squid connection or
messages will work to do the redirect, then Squid can do that.

There is no way *within* Squid to separate IPv4-only from merely
IPv4-enabled servers. That can only be done externally by the OS
preventing IPv4 connections. Which is why the to_ipv4 ACL above denies
dual-stack domains as well as ipv4-only.

Amos
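
An added illustration, not part of the original post and not Squid code: a simplified Python model of the `to_ipv4` rules quoted above, run against constructed DNS answers, showing that dual-stack destinations are denied along with IPv4-only ones. The hostnames, the documentation-range addresses and the allow rule after the deny are assumptions.

```python
import ipaddress

# Constructed DNS answers using documentation address ranges, not real lookups.
SAMPLE_DNS = {
    "v4only.example": ["192.0.2.10"],
    "dual.example": ["192.0.2.20", "2001:db8::20"],
    "v6only.example": ["2001:db8::30"],
}


def families(addresses):
    """Return the set of IP versions (4 and/or 6) present in a DNS answer."""
    return {ipaddress.ip_address(a).version for a in addresses}


def classify(addresses):
    """Label a destination by the address families it resolves to."""
    fams = families(addresses)
    if fams == {4}:
        return "ipv4-only"
    if fams == {6}:
        return "ipv6-only"
    if fams == {4, 6}:
        return "dual-stack"
    return "unresolved"


def to_ipv4_matches(addresses):
    """Model of 'acl to_ipv4 dst ipv4': matches if any resolved address is IPv4."""
    return 4 in families(addresses)


def http_access(addresses):
    """Model of 'http_access deny to_ipv4', then an assumed allow for the rest."""
    return "DENY" if to_ipv4_matches(addresses) else "ALLOW"


def report(dns=SAMPLE_DNS):
    """Map each host to (classification, verdict) under the modelled rules."""
    return {host: (classify(a), http_access(a)) for host, a in dns.items()}


if __name__ == "__main__":
    for host, (kind, verdict) in report().items():
        print(f"{host:16} {kind:10} {verdict}")
```

The ACL only sees that an IPv4 address exists for the destination, so `dual.example` gets the same verdict as `v4only.example`.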


