[squid-users] ipv6 acl access not working properly

Adam Majer amajer at suse.de
Mon Oct 2 09:58:20 UTC 2017


On 09/28/2017 06:10 PM, anwesh tiwari wrote:
> IPv6 ACL is not working as expected, if the IPv6 address of domain is
> unrouteable and it falls back to IPv4 even when it's denied.
> 
> Details : What I am trying to achieve :  I want to disable all IPv4
> domain access from proxy and disable all IPv4 connections.


You appear to be correct. The ACL behaviour is checked before
connections are attempted.

So, trying to connect to IPv4 only sites fails, as expected. But if you
have a dualstack site, like whatismyipv6.com, then it passes the ACL but
fails on the IPv6 connection. Then it falls back to IPv4 and succeeds.

This seems to be the not very intuitive part of the ACL mechanism. ACL
guards access to squid-cache, not to the sites themselves. So as long as
the ACL succeeds *before* connection is ever attempted (and sometimes it
may not even be attempted, because things are cached after all), then it
passes.

If you want to disable access to outside world on IPv4, you can disable
it outside of squid. Like via iptables or dropping IPv4 from your
network interface.

- Adam
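
A simplified model of the behaviour described in this reply, as an added example that is not part of the original message and is not Squid's code. The host names, addresses and the functions `acl_allows`, `egress_permits` and `fetch` are constructed for illustration; the ACL is assumed to pass whenever a name has any IPv6 address, and `egress_permits` stands in for a packet filter such as iptables.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), not real lookups.
DNS = {
    "dualstack.example": ["2001:db8::10", "192.0.2.10"],
    "v4only.example": ["192.0.2.20"],
}
# Constructed: the IPv6 path is unrouteable from the proxy, as in the report.
UNREACHABLE = {"2001:db8::10"}


def acl_allows(host):
    """Access check, done once before any connection: pass if the name has an IPv6 address."""
    return any(ipaddress.ip_address(a).version == 6 for a in DNS[host])


def egress_permits(addr, block_ipv4):
    """Packet-filter stand-in: evaluated for every outgoing connection attempt."""
    return not (block_ipv4 and ipaddress.ip_address(addr).version == 4)


def fetch(host, block_ipv4=False):
    """Return the address actually used to reach host, or None if the request fails."""
    if not acl_allows(host):
        return None  # denied up front, no connection attempted
    for addr in DNS[host]:  # try each resolved address in turn, IPv6 first
        if addr in UNREACHABLE or not egress_permits(addr, block_ipv4):
            continue  # this attempt failed; fall back to the next address
        return addr
    return None


if __name__ == "__main__":
    for host in DNS:
        for block in (False, True):
            print(host, "block_ipv4=%s" % block, "->", fetch(host, block))
```

The dual-stack name passes the up-front check and is then served over IPv4; only the per-connection filter stops the fallback.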

