[squid-users] Conditional IPv6 usage

Amos Jeffries squid3 at treenet.co.nz
Sat Jun 25 05:35:23 UTC 2016


On 25/06/2016 6:27 a.m., Stefan Hölzle wrote:
> Hello,
> 
> I'm having trouble configuring a forward proxy.
> My goal is the following:
> Only for one destination domain IPv6 should be used, otherwise IPv4.

This is not how the Internet Protocol (IP) works. If a domain is
advertising IPv6 addresses, then it can and should be contacted using
those addresses.

> 
> The proxy has multiple incoming IPs and multiple outgoing IPs, here is
> the relevant part of the squid.conf:
> 
> acl port80 localport 80
> acl port88 localport 88
> acl port443 localport 443
> 
> http_port 10.0.0.54:80
> http_port 10.0.0.54:443
> http_port 10.0.0.59:80
> http_port 10.0.0.59:443
> http_port 10.0.0.59:88

Problem #1: you are configuring a forward proxy on ports 80 and 443, which
are registered ports for reverse-proxy traffic syntax.

This is not necessarily a big problem. But other software in the
environment that handles port 80 and 443 traffic may interpret the
format wrongly and screw things up.


> 
> acl ipA localip 10.0.0.54
> acl ipB localip 10.0.0.59
> 
> # only somedomain.asdf via IPv6
> acl domain_acl dstdom_regex -i \.somedomain\.asdf
> 
> tcp_outgoing_address 10.0.0.93 ipB port88
> tcp_outgoing_address 2001:cdba::3257:9652 ipB port88 domain_acl
> 
> tcp_outgoing_address 10.0.0.54 ipA port80
> tcp_outgoing_address 10.0.0.63 ipA port443
> tcp_outgoing_address 10.0.0.59 ipB port80
> tcp_outgoing_address 10.0.0.93 ipB port443
> 
> dns_v4_first on
> 
> Expected behavior:
> A connection on http_port 10.0.0.59:88 is requesting a domain matching
> regex "\.somedomain\.asdf", then the first matching tcp_outgoing_address
> is used, namely
> 
> tcp_outgoing_address 2001:cdba::3257:9652 ipB port88 domain_acl
> 

Expectation is a bit wrong.

tcp_outgoing_address configures _which_ address to use for the type of
traffic that server requires. The connection has already been allowed by
the http_access rules - which do not distinguish whether IPv4 or IPv6 is
used to contact any particular server.


You literally cannot send traffic to an IPv6 addressed server using IPv4
packet format. Nor vice versa. Squid knows that and does not attempt to
use the wrong family of IP for any outgoing traffic.

So:
- The server destination *has already been selected for use* by
determining in various *_access lists that the client is allowed to
contact that *domain*.

- IPv6 entries are ignored for IPv4 server destinations.

- IPv4 entries are ignored for IPv6 server destinations.

> 
> Actual behavior:
> A connection on http_port 10.0.0.59:88 is requesting a domain matching
> regex "\.somedomain\.net" and
> 

Incoming port has nothing to do with outgoing IP format.

* DNS tells Squid a set of IP addresses that the domain can be contacted at.

** "dns_v4_first on" tells Squid to use the server's A address(es) as
first choice before attempting IPv6 contact.

That domain *does* have an A address. So...

> tcp_outgoing_address 10.0.1.54 ipA port80
> 
> is used.

If that fails it might fail over to another IPv4 or to the domain's IPv6
address.


> If I change dns_v4_first from on to off,
> 

** then "dns_v4_first on" tells Squid to use the server's AAAA address as
first choice before attempting IPv6 contact.

** That domain *does* have an AAAA address. So ...

> tcp_outgoing_address 2001:cdba::3257:9652 ipB port88 domain_acl
> 

... or the machine's default IPv6 address is used when contacting the
server's AAAA address(es).

If that fails then Squid might fail over to another of the server's IPv6
addresses, or to its IPv4 address.

You can choose a particular IP from amongst the appropriate v4/v6 types
available. But you cannot force a particular type to be used.
(though you might configure an IPv4/IPv6 address which will force
breakage on the connection).


It is the network firewall's job to determine whether *Squid* is allowed
to contact IP B from IP A. If it blocks unwanted IPv6 traffic properly,
then the normal ICMPv6 packet that comes back from the firewall will
tell Squid to try the next IP on the list for the server being contacted.


HTH
Amos
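As an added illustration (not Squid's own code and not from the thread), this Python model applies the selection rules as the reply above describes them: the resolved destination addresses are ordered by dns_v4_first, then tcp_outgoing_address entries of the wrong family are skipped and the first remaining match wins, falling back to the default address. The rules are the quoted squid.conf lines; the DNS answer and the set of already-matched ACL names are constructed assumptions, since real ACL evaluation is out of scope here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OutgoingRule:
    """One tcp_outgoing_address line: source address plus ACL names that must all match."""
    address: str
    acls: tuple = ()


# The tcp_outgoing_address lines from the quoted squid.conf, in file order.
EXAMPLE_RULES = (
    OutgoingRule("10.0.0.93", ("ipB", "port88")),
    OutgoingRule("2001:cdba::3257:9652", ("ipB", "port88", "domain_acl")),
    OutgoingRule("10.0.0.54", ("ipA", "port80")),
    OutgoingRule("10.0.0.63", ("ipA", "port443")),
    OutgoingRule("10.0.0.59", ("ipB", "port80")),
    OutgoingRule("10.0.0.93", ("ipB", "port443")),
)
# Constructed DNS answer for a dual-stack destination (documentation ranges, not real hosts).
EXAMPLE_DNS = ("203.0.113.10", "2001:db8::10")


def order_destinations(dns_answers, dns_v4_first):
    """Order the resolved server addresses as the reply describes:
    dns_v4_first on tries A records first, off tries AAAA records first."""
    v4 = [a for a in dns_answers if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in dns_answers if ipaddress.ip_address(a).version == 6]
    return v4 + v6 if dns_v4_first else v6 + v4


def select_outgoing(dest_ip, rules, matched_acls):
    """First rule whose ACLs all match and whose family equals the destination's.
    Entries of the other family are skipped; None means the default address."""
    family = ipaddress.ip_address(dest_ip).version
    for rule in rules:
        if ipaddress.ip_address(rule.address).version != family:
            continue  # IPv6 entries ignored for IPv4 destinations, and vice versa
        if all(acl in matched_acls for acl in rule.acls):
            return rule.address
    return None


def plan_connection(dns_answers, dns_v4_first, rules, matched_acls):
    """(destination, outgoing) pairs in the order the proxy would try them."""
    return [(d, select_outgoing(d, rules, matched_acls))
            for d in order_destinations(dns_answers, dns_v4_first)]
```

With dns_v4_first on, the IPv4 destination is tried first and the IPv6 rule is never consulted for it; only when the AAAA address is the chosen destination does the 2001:cdba::3257:9652 entry apply.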