[squid-users] How to definitively disable IPv6

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 25 16:00:18 UTC 2019


On 25/01/19 11:29 pm, Troiano Alessio wrote:
> Hello,
> 
> I need to definitively solve the IPv6 (un)reachability issue.
> 
> I have read this topic:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/dns-v4-first-on-ignored-td4658427.html
> but did not find a solution. Amos wrote “Squid tests for IPv6 ability
> automatically by opening a socket on a private IP address, if that works
> the socket options are noted and used.”
> 
> Anyway, I disabled IPv6 on my Red Hat 7.4 with the following:
> 
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.bond0.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
> 

IIRC there are boot options necessary so the machine kernel starts with
its IPv6 TCP stack disabled.


> Used the “dns_v4_first on” and also “tcp_outgoing_address 172.31.1.x
> all” on squid conf to force the use of IPv4.

Neither of which forces anything.

 dns_v4_first influences the sorting order of DNS results provided to
Squid's server selection logic. Services which are IPv6-only or whose
IPv4 are not working _will_ attempt to use IPv6.


  NP: Please be aware that error pages only mention the *last* error to
be encountered. With dns_v4_first you will see an IPv6 address being
mentioned as not contactable. Because all the IPv4 failed (first) then
all the IPv6 failed (last).


 tcp_outgoing_address only applies on protocols for which that address
is valid. Meaning the above only sets a particular address on IPv4
connections - it has no effect on IPv6 connections.


The only way to completely disable IPv6 is to build Squid with
--disable-ipv6.


> 
> Anyway, Squid tries to connect to the IPv6 address instead of IPv4 and I’m
> not able to reach it:
> 
> C:\Users\atroiano>nslookup download.pdfforge.org
> Server:  espevmdxxxx.xxxx.prv
> Address:  172.x.x.x
> 
> Risposta da un server non autorevole:
> Nome:    download.pdfforge.org
> Addresses:  2001:4860:4802:38::15
>           2001:4860:4802:34::15
>           2001:4860:4802:32::15
>           2001:4860:4802:36::15
>           216.239.32.21
>           216.239.38.21
>           216.239.36.21
>           216.239.34.21
> 

Are any of those IPv4 addresses able to be connected to and fetched from
by processes on the Squid machine?

The squidclient tool can be used to probe individual server/IP for
issues fetching requests.



> [root at HUB-RM-PRX-03 ~]# tail -f /var/log/squid/rsa/access.log | grep
> pdfforge.org
> 
> %SQUID-4: 172.31.x.x 49444 [25/Jan/2019:11:02:58 +0100] "GET
> http://download.pdfforge.org/download/pdfcreator/PDFCreator-stable
> HTTP/1.1" download.pdfforge.org - -
> "/download/pdfcreator/PDFCreator-stable" 503 text/html 4545 "-"
> "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101
> Firefox/64.0" TCP_MISS:HIER_DIRECT 2001:4860:4802:38::15 80 0
> 
> Squid doesn’t try to connect to IPv4 addresses for this site and for
> many others.
> 

I suspect Squid actually is, but not telling you everything it does to
retry different destination servers / IPs before it gets to the final
failure point.

Please check the mgr:ipcache log to see what IPs Squid has known for
that domain and which ones are flagged 'B' for broken/bad/failing.

Amos
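
An added example, not part of the original thread: a small Python summary of which hosts return 5xx with an IPv6 address as the last destination logged, which is the address the reply above says the log and error page report. It assumes the custom access.log layout quoted in the thread; the sample lines, host names and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout: the custom access.log line quoted in the thread, ending in
# "<result>:<hierarchy> <server address> <port> <n>".
LINE = re.compile(
    r'"\w+ \S+ HTTP/[\d.]+" (?P<host>\S+) .*?" (?P<code>\d{3}) \S+ \d+ '
    r'.* (?P<result>TCP_\w+):(?P<hier>\w+) (?P<peer>\S+) \S+ \S+$'
)

def _line(host, code, result, peer):
    """Build one constructed log line in that layout."""
    return (f'%SQUID-4: 192.0.2.10 49444 [25/Jan/2019:11:02:58 +0100] '
            f'"GET http://{host}/f HTTP/1.1" {host} - - "/f" {code} text/html '
            f'4545 "-" "Mozilla/5.0 (constructed)" {result} {peer} 80 0')

# Constructed sample data (documentation address ranges, not real traffic).
SAMPLE_LOG = "\n".join([
    _line("a.example.org", 503, "TCP_MISS:HIER_DIRECT", "2001:db8::15"),
    _line("a.example.org", 503, "TCP_MISS:HIER_DIRECT", "2001:db8::16"),
    _line("b.example.org", 200, "TCP_MISS:HIER_DIRECT", "198.51.100.7"),
    _line("c.example.org", 503, "TCP_MISS:HIER_DIRECT", "198.51.100.9"),
    _line("d.example.org", 403, "TCP_DENIED:HIER_NONE", "-"),
])

def classify(line):
    """Return (host, status code, hierarchy, address family) or None."""
    m = LINE.search(line.strip())
    if not m:
        return None
    try:
        family = f"IPv{ipaddress.ip_address(m['peer']).version}"
    except ValueError:
        family = "none"  # "-" or a name: no server IP was logged
    return m["host"], int(m["code"]), m["hier"], family

def last_hop_failures(log_text):
    """Count 5xx direct fetches per (host, family of the logged address)."""
    counts = Counter()
    for rec in map(classify, log_text.splitlines()):
        if rec and rec[1] >= 500 and rec[2] == "HIER_DIRECT":
            counts[(rec[0], rec[3])] += 1
    return counts

def ipv6_last_hop_hosts(log_text):
    """Hosts whose failures ended on IPv6: check their IPv4 reachability."""
    return sorted({h for (h, fam) in last_hop_failures(log_text) if fam == "IPv6"})

if __name__ == "__main__":
    print(last_hop_failures(SAMPLE_LOG), ipv6_last_hop_hosts(SAMPLE_LOG))
```

Hosts listed by `ipv6_last_hop_hosts` are the ones to follow up with squidclient and the mgr:ipcache report, since the logged address alone does not show whether IPv4 was tried first.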

