[squid-users] ipv6 acl access not working properly

Alex Rousskov rousskov at measurement-factory.com
Thu Sep 28 16:28:59 UTC 2017

On 09/28/2017 10:10 AM, anwesh tiwari wrote:
> Ipv6 acl is not working as expected, if the ipv6 address of domain is unrouteable and it fallbacks to ipv4 even when its denied.
> Details :
> What I am trying to achieve :  I want to disable all IPv4 domain access from proxy and disable all ipv4 connections.
> Here is my directives just before http_access deny all line in default squid conf.
> dns_v4_first off
> acl to_ipv6 dst ipv6
> http_access deny !to_ipv6
> http_access allow to_ipv6
> When I browse this site using proxy
> http://whatismyipv6.com <http://whatismyipv6.com/>
> This site has ipv6 AAAA record but thats is not routed when I check. 
> Here is the log 
> 1506526125.315    327 <publicIP> TCP_MISS/200 2486 GET http://www.whatismyipv6.com/ - HIER_DIRECT/ text/html
> 1506526126.259    632 <publicIP> TCP_MISS/200 31738 GET http://www.whatismyipv6.com/World-IPv6-Day.jpg - HIER_DIRECT/ image/jpeg
> The log shows that squid is able to browse the site which is explicitly denied by http_access directive.

I will rephrase the above question in hope that other folks on this list
can help Anwesh Tiwari to solve his actual problem rather than tell him
yet again[1] that there is nothing wrong with the ipv6 ACL:

"I expected that using a dst ipv6 ACL with http_access would block IPv4
connections originating from Squid. I now understand that my
expectations were wrong. Please help me refine my goals and configure
Squid to achieve them. Thank you."

  [1] http://bugs.squid-cache.org/show_bug.cgi?id=4777



More information about the squid-users mailing list