[squid-users] Disable IPV6 for certain destinations only?

Alex Rousskov rousskov at measurement-factory.com
Tue Apr 18 12:53:31 UTC 2023


On 4/18/23 03:38, Ralf Hildebrandt wrote:

> We're using squid-6, currently v4 only. The use case for us is mostly
> our users using our proxy to retrieve full text publications of
> several thousand medical journals... via IPv4.
> 
> The publishers "know" our IPv4 range for the proxies and allow us to
> download freely. What they don't (yet) know is our ipv6 range.
> 
> Thus arises the need to "fall back" to ipv4 in the unlikely case some
> publisher already has ipv6, we connect via ipv6 and suddenly are not
> allowed to download the publications.
> 
> Is there an acl for that kind of need?

I will rephrase your question to avoid the distraction of "acl":

   How can I configure Squid to try IPv4 if IPv6 fails?

The answer depends on how IPv6 fails:

1. If IPv6 fails at DNS resolution time (i.e. the DNS resolver does not 
respond with a usable address to a AAAA query), then Squid will 
automatically use IPv4 (i.e. the DNS resolver address in an A response). 
There is nothing to configure.

2. If IPv6 fails at TCP connection establishment time, then Squid will 
automatically use an IPv4 connection. There is nothing to configure 
(although there are a few Happy Eyeballs configuration options that you 
can tune).

3. If IPv6 fails at TLS connection establishment time, then, IIRC, #2 
applies unless SslBump is involved. Squid will not retry failed TLS 
connections that are subject to SslBump IIRC.

4. If IPv6 fails at HTTP request time, then Squid will retry in _some_ 
cases. See [1] for a long list of conditions; you are probably mostly 
interested in the last four or five bullets, but keep in mind that the 
list is of cases where Squid does _not_ re-forward the failed request.

[1] https://wiki.squid-cache.org/SquidFaq/InnerWorkings#when-does-squid-re-forward-a-client-request

You can also replace your DNS resolver with a custom one (that drops 
AAAA answers) or, as Adam has suggested, with hard-coded IPv4-only 
/etc/hosts entries.


HTH,

Alex.
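
An added example, not part of the original message or of Squid: one way to prepare the hard-coded IPv4-only /etc/hosts entries mentioned above is to pin only those destinations that resolve to both address families. The function names, the sample hostnames and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import socket

def resolve(host):
    """Default resolver: every address the system resolver returns for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def split_families(addresses):
    """Split address strings into (IPv4 list, IPv6 list), dropping garbage."""
    v4, v6 = [], []
    for text in addresses:
        try:
            addr = ipaddress.ip_address(text.split("%", 1)[0])  # strip zone id
        except ValueError:
            continue
        (v4 if addr.version == 4 else v6).append(str(addr))
    return sorted(set(v4)), sorted(set(v6))

def ipv4_pins(hosts, resolver=resolve):
    """Return (hosts-file lines, IPv6-only names) for the given destinations.

    Only dual-stack names are pinned: IPv4-only names already behave as
    wanted, and IPv6-only names cannot be pinned to IPv4 at all.
    """
    lines, v6_only = [], []
    for host in hosts:
        v4, v6 = split_families(resolver(host))
        if v4 and v6:
            lines.extend(f"{addr}\t{host}" for addr in v4)
        elif v6:
            v6_only.append(host)
    return lines, v6_only

# Constructed sample data (hypothetical names, documentation address ranges),
# so the example runs offline.
SAMPLE_DNS = {
    "journal-a.example": ["192.0.2.10", "2001:db8::10"],
    "journal-b.example": ["198.51.100.7"],
    "journal-c.example": ["2001:db8::c"],
}

if __name__ == "__main__":
    pins, v6_only = ipv4_pins(SAMPLE_DNS, resolver=lambda h: SAMPLE_DNS.get(h, []))
    print("\n".join(pins))
    print("# IPv6-only, cannot pin:", ", ".join(v6_only))
```

Pinned entries do not follow later DNS changes, so the list needs to be regenerated periodically. The default `resolve()` uses the system resolver, which may not be the resolver Squid is configured to query.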


