<div dir="ltr">Hello, <div><br></div><div>I had the same crashes. A network dump showed me that crashes occurred when clients tried to access IPv6 http-resources.</div><div>I blocked these requests at the beginning of the proxy policy.</div><div>The following configuration seems to be a workaround for me:</div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div><font face="monospace">acl urldst_ipv6 url_regex ^http://\[</font></div><div><font face="monospace">http_access deny urldst_ipv6</font></div></blockquote><div><br></div><div>I don't know if this workaround is also suitable for https-resources. Maybe it should be rewritten like this:</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="monospace">acl urldst_ipv6_https url_regex ^\[</font></div><div><font face="monospace">http_access deny urldst_ipv6_https</font></div></blockquote><div><br></div></div><div>Kind regards,</div><div> Ankor.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Thu, 14 Sep 2023 at 17:12, Alex Rousskov &lt;<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>&gt;:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 2023-09-14 07:02, Flashdown wrote:<br>
<br>
> Sep 14 08:55:06 vm-myproxy squid[79100]: Squid Parent: squid-2 process <br>
> 80675 exited due to signal 6 with status 0<br>
<br>
> 1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407 <br>
> 4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html<br>
<br>
> IPv6 is disabled via sysctl config "net.ipv6.conf.all.disable_ipv6=1"<br>
<br>
<br>
Your Squid is most likely suffering (among other v5 bugs) from Squid Bug <br>
5154: <a href="https://bugs.squid-cache.org/show_bug.cgi?id=5154" rel="noreferrer" target="_blank">https://bugs.squid-cache.org/show_bug.cgi?id=5154</a><br>
<br>
To confirm, enable core dumps and look for a gdb backtrace sequence <br>
similar to the one posted in the above bug report:<br>
<br>
* in __assert_fail<br>
* in Ip::Address::getAddrInfo(addrinfo*&, int) const<br>
* in comm_openex(int, int, Ip::Address&, int, char const*)<br>
<br>
The best known way to prevent bug 5154 is to enable IPv6 support. If <br>
that is not feasible in your environment, then please keep reading.<br>
<br>
<br>
Squid bug 5154 has an unofficial but, IMO, correct fix at PR 1421:<br>
<a href="https://github.com/squid-cache/squid/pull/1421" rel="noreferrer" target="_blank">https://github.com/squid-cache/squid/pull/1421</a><br>
<br>
The above fix is not trivial and has side effects: For Squids that <br>
cannot handle IPv6 (e.g., because IPv6 support was disabled at <br>
./configure time or is unavailable in the deployment environment), the <br>
fix will, in part, reject requests with IPv6 addresses in URLs. This <br>
rejection may negatively affect Squids that "worked OK" by <br>
forwarding such traffic to IPv4 ICAP servers and cache_peers (at least).<br>
<br>
PR 1421 changes cannot be applied to Squid v5 "as is"; they have to be <br>
backported. I do not have a backporting patch for virgin Squid v5.<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
</blockquote></div>
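<div>Added example (not part of the original thread and not Squid project code): a Python script that scans access.log lines for requests to bracketed IPv6 literals, like the CONNECT [ff00::]:443 entry quoted above, and reports which of the two url_regex patterns from the workaround would match each. It assumes Squid's native access.log layout and that url_regex is tested against the URL as it is logged; the sample lines, client addresses and the function name are constructed for illustration.</div>

```python
import re

# The two url_regex patterns proposed in the message above.
ACLS = {
    "urldst_ipv6": re.compile(r"^http://\["),
    "urldst_ipv6_https": re.compile(r"^\["),
}

# Constructed sample lines (native access.log layout):
# time elapsed client code/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1694674498.411 9 192.0.2.10 TCP_DENIED/407 4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html
1694674499.120 12 192.0.2.10 TCP_DENIED/403 3900 GET http://[2001:db8::1]/index.html - HIER_NONE/- text/html
1694674500.005 48 192.0.2.11 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/198.51.100.7 text/html
1694674501.730 95 192.0.2.11 TCP_TUNNEL/200 8841 CONNECT example.com:443 - HIER_DIRECT/198.51.100.7 -
"""


def ipv6_literal_requests(log_text):
    """Return (client, method, url, matching ACL names) for every request
    whose target host is a bracketed IPv6 literal."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated line or a different log format
        client, method, url = fields[2], fields[5], fields[6]
        # Drop an optional scheme and path, then any userinfo, to get the host part.
        authority = url.split("://", 1)[-1].split("/", 1)[0]
        host = authority.rsplit("@", 1)[-1]
        if not host.startswith("["):
            continue  # hostname or IPv4 target
        matched = [name for name, rx in ACLS.items() if rx.search(url)]
        hits.append((client, method, url, matched))
    return hits


if __name__ == "__main__":
    for client, method, url, matched in ipv6_literal_requests(SAMPLE_LOG):
        print(f"{client} {method} {url} -> {', '.join(matched) or 'no ACL matches'}")
```

In this sample each pattern catches only one of the two request forms: the CONNECT target begins with "[" while the plain-HTTP URL begins with "http://[".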