[squid-users] ipv6 acl access not working properly
rousskov at measurement-factory.com
Thu Sep 28 16:28:59 UTC 2017
On 09/28/2017 10:10 AM, anwesh tiwari wrote:
> IPv6 ACL is not working as expected: if the IPv6 address of the domain is unroutable, it falls back to IPv4 even when it's denied.
> Details :
> What I am trying to achieve : I want to disable all IPv4 domain access from proxy and disable all ipv4 connections.
> Here are my directives, just before the http_access deny all line in the default squid conf.
> dns_v4_first off
> acl to_ipv6 dst ipv6
> http_access deny !to_ipv6
> http_access allow to_ipv6
> When I browse this site using proxy
> http://whatismyipv6.com
> This site has an IPv6 AAAA record, but that is not routed when I check.
> Here is the log
> 1506526125.315 327 <publicIP> TCP_MISS/200 2486 GET http://www.whatismyipv6.com/ - HIER_DIRECT/184.108.40.206 text/html
> 1506526126.259 632 <publicIP> TCP_MISS/200 31738 GET http://www.whatismyipv6.com/World-IPv6-Day.jpg - HIER_DIRECT/220.127.116.11 image/jpeg
> The log shows that squid is able to browse the site which is explicitly denied by http_access directive.
I will rephrase the above question in hope that other folks on this list
can help Anwesh Tiwari to solve his actual problem rather than tell him
yet again that there is nothing wrong with the ipv6 ACL:
"I expected that using a dst ipv6 ACL with http_access would block IPv4
connections originating from Squid. I now understand that my
expectations were wrong. Please help me refine my goals and configure
Squid to achieve them. Thank you."
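
The access.log lines quoted in the question record, in the HIER_DIRECT field, the server address Squid actually connected to. As an added example (not part of the original thread), this Python script audits a native-format access.log for requests that left Squid over IPv4. The third and fourth sample lines and the function names are constructed for illustration, and the default native log format is assumed.

```python
import ipaddress

# The first two lines are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = """\
1506526125.315 327 <publicIP> TCP_MISS/200 2486 GET http://www.whatismyipv6.com/ - HIER_DIRECT/184.108.40.206 text/html
1506526126.259 632 <publicIP> TCP_MISS/200 31738 GET http://www.whatismyipv6.com/World-IPv6-Day.jpg - HIER_DIRECT/220.127.116.11 image/jpeg
1506526130.101 210 <publicIP> TCP_MISS/200 5120 GET http://ipv6.example.net/ - HIER_DIRECT/2001:db8::10 text/html
1506526131.007 0 <publicIP> TCP_DENIED/403 3900 GET http://v4only.example.org/ - HIER_NONE/- text/html
"""


def peer_family(line):
    """Return (url, peer, family) for one native-format access.log line.

    family is 4 or 6, or None when Squid contacted no server (peer is '-')
    or the peer field holds a hostname rather than an address.
    """
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a native-format access.log line: %r" % line)
    url, hierarchy = fields[6], fields[8]
    _code, _, peer = hierarchy.partition("/")
    try:
        # Strip brackets in case a custom log format writes IPv6 as [addr].
        family = ipaddress.ip_address(peer.strip("[]")).version
    except ValueError:
        family = None
    return url, peer, family


def ipv4_egress(log_text):
    """List (url, peer) for every request Squid fetched from an IPv4 server."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        url, peer, family = peer_family(line)
        if family == 4:
            hits.append((url, peer))
    return hits


if __name__ == "__main__":
    for url, peer in ipv4_egress(SAMPLE_LOG):
        print("IPv4 egress: %s via %s" % (url, peer))
```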