[squid-users] IPv6 and syntax?

Amos Jeffries squid3 at treenet.co.nz
Mon May 18 11:25:38 UTC 2015


On 16/05/2015 11:09 p.m., Walter H. wrote:
> On 16.05.2015 10:13, Amos Jeffries wrote:
>> On 16/05/2015 6:22 p.m., Walter H. wrote:
>>> On 16.05.2015 01:41, Amos Jeffries wrote:
>>>> On 16/05/2015 6:14 a.m., Walter H. wrote:
>>>>> Hello,
>>>>>
>>>>> is IPv6 somewhat similar to IPv4?
>>>> Somewhat, yes.
>>> I just wondered because of the "different" behaviour;
>>>>> e.g.
>>>>>
>>>>> I would write
>>>>>
>>>>> acl block_ipv4_range dst  84.84.84.0/24
>>>>> deny_info errorpage block_ipv4_range
>>>>> http_access deny block_ipv4_range
>>>>>
>>>>> to block any hosts within this IPv4 range
>>>> Taking a step aside, that is not quite what those rules do. They block
>>>> access from anywhere *to* the IP address range (TCP/IP packet
>>>> destination on the request messages).
>>>>
>>> yes this should be the intention, that you get an error (in this case
>>> the errorpage) when
>>> you have e.g.  http://84.84.84.2/ or https://84.84.84.2/ as URL in your
>>> browser ...
>> It will block that, and any domain name which resolves to those IPs.
>>
> yes, that is the intention;
> 
> I would have done it this way:
> 
> acl block_whole_network dst_as 4837
> deny_info errorpage block_whole_network
> http_access deny block_whole_network
> 
> but this crashes squid ...

Ouch. Is that the <http://bugs.squid-cache.org/show_bug.cgi?id=3579> crash?

I would like to fix that, but need the backtrace.


> 
> as workaround I've got a file listing any range for one AS number
> and doing this:
> 
> acl block_as4837 dst "block-as4837-acl.squid"
> 
> and one of these files has more than 600(!) entries ...
> 
>>> does it seem to be problematic, when having a TLS-server with an IPv6
>>> address only without DNS, because of the comm name?
>> That is a different issue entirely.
> yes and hoping no browser ever will accept a common name of just '*'
>> Going by that description it seems Firefox and Chrome are a bit broken.
> IE, too;

IE is doing the right thing in your description. That cert-with-IP
warning is the correct / working behaviour. The Firefox hang and Chrome
"insecure" warning are the broken bits.

Amos
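
An added example, not part of the original thread: one way to keep a per-AS prefix file such as the "block-as4837-acl.squid" workaround above small, by validating each entry and merging adjacent or overlapping IPv4 and IPv6 ranges before Squid loads the file through acl ... dst "file". The function name and the sample prefixes (documentation ranges, not real AS data) are constructed for illustration.

```python
import ipaddress

# Constructed sample input: documentation prefixes, not real AS data.
SAMPLE_PREFIXES = """\
# constructed sample, one prefix per line
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
2001:db8::/33
2001:db8:8000::/33
192.0.2.7
not-a-prefix
"""


def aggregate_prefixes(text):
    """Return (acl_lines, rejected) for a prefix list, one entry per line."""
    nets = {4: [], 6: []}
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            # strict=False tolerates host bits set, e.g. 84.84.84.2/24
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry))  # report, never guess
            continue
        nets[net.version].append(net)
    merged = []
    for version in (4, 6):
        # collapse_addresses needs a single address family per call
        merged.extend(ipaddress.collapse_addresses(nets[version]))
    return [str(n) for n in merged], rejected


if __name__ == "__main__":
    lines, bad = aggregate_prefixes(SAMPLE_PREFIXES)
    print("\n".join(lines))  # one prefix per line for the ACL file
    for lineno, entry in bad:
        print(f"skipped line {lineno}: {entry!r}")
```

Rejected entries are returned separately so a malformed line in the source list is noticed rather than silently dropped from the block list.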


