[squid-users] ipv6 acl access not working properly
Alex Rousskov
rousskov at measurement-factory.com
Thu Sep 28 16:28:59 UTC 2017
On 09/28/2017 10:10 AM, anwesh tiwari wrote:
> Ipv6 acl is not working as expected, if the ipv6 address of domain is unrouteable and it fallbacks to ipv4 even when its denied.
>
> Details :
> What I am trying to achieve : I want to disable all IPv4 domain access from proxy and disable all ipv4 connections.
>
> Here is my directives just before http_access deny all line in default squid conf.
>
> dns_v4_first off
> acl to_ipv6 dst ipv6
> http_access deny !to_ipv6
> http_access allow to_ipv6
>
>
> When I browse this site using proxy
> http://whatismyipv6.com <http://whatismyipv6.com/>
>
> This site has ipv6 AAAA record but thats is not routed when I check.
>
> Here is the log
> 1506526125.315 327 <publicIP> TCP_MISS/200 2486 GET http://www.whatismyipv6.com/ - HIER_DIRECT/216.64.158.90 text/html
> 1506526126.259 632 <publicIP> TCP_MISS/200 31738 GET http://www.whatismyipv6.com/World-IPv6-Day.jpg - HIER_DIRECT/216.64.158.90 image/jpeg
>
> The log shows that squid is able to browse the site which is explicitly denied by http_access directive.
I will rephrase the above question in hope that other folks on this list
can help Anwesh Tiwari to solve his actual problem rather than tell him
yet again[1] that there is nothing wrong with the ipv6 ACL:
"I expected that using a dst ipv6 ACL with http_access would block IPv4
connections originating from Squid. I now understand that my
expectations were wrong. Please help me refine my goals and configure
Squid to achieve them. Thank you."
[1] http://bugs.squid-cache.org/show_bug.cgi?id=4777
HTH,
Alex.
More information about the squid-users
mailing list