<div dir="ltr"><div dir="ltr">Hello, Flashdown,<div><br></div><div>As you can see in your access.log, your client tried to connect not to a DNS hostname but directly to IPv6 address:</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><font face="monospace">1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407</font></div></blockquote><div><font face="monospace">4129 CONNECT <b>[ff00::]:443</b> - HIER_NONE/- text/html</font><br></div></div><div>So, I suppose that your DNS configuration changes will not eliminate the client requests to <b style="font-family:monospace">[ff00::]:443</b></div><div>But I believe that enabling IPv6 will prevent your squid crushes.</div><div><br></div><div>Kind regards,</div><div> Ankor.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">вт, 19 сент. 2023 г. в 19:04, Flashdown <<a href="mailto:flashdown@data-core.org">flashdown@data-core.org</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thank you Alex for confirming this and all the hints given.<br>
<br>
I have taken another path to fix this. I have configured the dns <br>
forwarders that squid is configured to use, to not give out any AAAA <br>
responses. After that I have enabled IPv6 on this box to completly avoid <br>
this bug. Thank you!<br>
<br>
---<br>
Best regards,<br>
Flashdown<br>
<br>
Am 2023-09-14 16:11, schrieb Alex Rousskov:<br>
> On 2023-09-14 07:02, Flashdown wrote:<br>
> <br>
>> Sep 14 08:55:06 vm-myproxy squid[79100]: Squid Parent: squid-2 process <br>
>> 80675 exited due to signal 6 with status 0<br>
> <br>
>> 1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407 <br>
>> 4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html<br>
> <br>
>> IPv6 is disabled via sysctl config "net.ipv6.conf.all.disable_ipv6=1"<br>
> <br>
> <br>
> Your Squid is most likely suffering (among other v5 bugs) from Squid<br>
> Bug 5154: <a href="https://bugs.squid-cache.org/show_bug.cgi?id=5154" rel="noreferrer" target="_blank">https://bugs.squid-cache.org/show_bug.cgi?id=5154</a><br>
> <br>
> To confirm, enable core dumps and look for a gdb backtrace sequence<br>
> similar to the one posted in the above bug report:<br>
> <br>
> * in __assert_fail<br>
> * in Ip::Address::getAddrInfo(addrinfo*&, int) const<br>
> * in comm_openex(int, int, Ip::Address&, int, char const*)<br>
> <br>
> The best known way to prevent bug 5154 is to enable IPv6 support. If<br>
> that is not feasible in your environment, then please keep reading.<br>
> <br>
> <br>
> Squid bug 5154 has an unofficial but, IMO, correct fix at PR 1421:<br>
> <a href="https://github.com/squid-cache/squid/pull/1421" rel="noreferrer" target="_blank">https://github.com/squid-cache/squid/pull/1421</a><br>
> <br>
> The above fix is not trivial and has side effects: For Squids that<br>
> cannot handle IPv6 (e.g., because IPv6 support was disabled at<br>
> ./configure time or is unavailable in the deployment environment), the<br>
> fix will, in part, reject requests with IPv6 addresses in URLs. This<br>
> rejection may negatively affect Squids that were "worked OK" by<br>
> forwarding such traffic to IPv4 ICAP servers and cache_peers (at<br>
> least).<br>
> <br>
> PR 1421 changes cannot be applied to Squid v5 "as is"; they have to be<br>
> backported. I do not have a backporting patch for virgin Squid v5.<br>
> <br>
> <br>
> HTH,<br>
> <br>
> Alex.<br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div>