[squid-users] Conditional IPv6 usage
Stefan Hölzle
stefan at hoelzle.work
Tue Jun 28 11:32:04 UTC 2016
Hello,
I inserted an iptables rule which rejects outgoing tcp packets from the
default IPv4 address to the ip of somedomain.asdf.
This causes Squid to fall back to IPv6.
I'd like to change Squid's behavior in this case to immediately fall
back to IPv6 instead of falling back to the default IPv4 address first.
Can this behavior easily be changed in the source code ?
--
Best Regards
Stefan
On 25.06.2016 07:35, Amos Jeffries wrote:
> On 25/06/2016 6:27 a.m., Stefan Hölzle wrote:
>> Hello,
>>
>> I'm having trouble configuring a forward proxy.
>> My goal is the following:
>> Only for one destination domain IPv6 should be used, otherwise IPv4.
> This is not how the Internet Protocol (IP) works. If a domain is
> advertising IPv6 addresses, then it can and should be contacted using
> those addresses.
>
>> The proxy has multiple incoming IPs and multiple outgoing IPs, here is
>> the relevant part of the squid.conf:
>>
>> acl port80 localport 80
>> acl port88 localport 88
>> acl port443 localport 443
>>
>> http_port 10.0.0.54:80
>> http_port 10.0.0.54:443
>> http_port 10.0.0.59:80
>> http_port 10.0.0.59:443
>> http_port 10.0.0.59:88
> Problem #1: you are configuring a forward proxy on port 80 and 443 which
> are registered ports for reverse-proxy traffic syntax.
>
> This is not necessarily a big problem. But other software in the
> environment that handles port 80 and 443 traffic may interpret the
> format wrongly and scew things up.
>
>
>> acl ipA localip 10.0.0.54
>> acl ipB localip 10.0.0.59
>>
>> # only somedomain.asdf via IPv6
>> acl domain_acl dstdom_regex -i \.somedomain\.asdf
>>
>> tcp_outgoing_address 10.0.0.93 ipB port88
>> tcp_outgoing_address 2001:cdba::3257:9652 ipB port88 domain_acl
>>
>> tcp_outgoing_address 10.0.0.54 ipA port80
>> tcp_outgoing_address 10.0.0.63 ipA port443
>> tcp_outgoing_address 10.0.0.59 ipB port80
>> tcp_outgoing_address 10.0.0.93 ipB port443
>>
>> dns_v4_first on
>>
>> Expected behavior:
>> A connection on http_port 10.0.0.59:88 is requesting a domain matching
>> regex "\.somedomain\.asdf", then the first matching tcp_outgoing_address
>> is used, namely
>>
>> tcp_outgoing_address 2001:cdba::3257:9652 ipB port88 domain_acl
>>
> Expectation is a bit wrong.
>
> tcp_outgoing_address configures _which address to use the type of
> traffic that server requires. The connection has already been allowed by
> tha http_access rules - which do not distinguish whether IPv4 or IPv6 is
> used to contact any particular server.
>
>
> You literally cannot send traffic to an IPv6 addressed server using IPv4
> packet format. Nor vice versa. Squid knows that and does not attempt to
> use the wrong family of IP for any outgoing traffic.
>
> So:
> - The server destination *has already been selected for use* by
> determining in various *_access lists that the client is allowed to
> contact that *domain*.
>
> - IPv6 entries are ignored for IPv4 server destinations.
>
> - IPv4 entries are ignored for IPv6 server destinations.
>
>> Actual behavior:
>> A connection on http_port 10.0.0.59:88 is requesting a domain matching
>> regex "\.somedomain\.net" and
>>
> Incoming port has nothing to do with outgoing IP format.
>
> * DNS tells Squid a set of IP addresses that the domain can be contacted at.
>
> ** "dns_v4_first on" tells Squid to use the servers A address(es) as
> first choice before attempting IPv6 contact.
>
> That domain *does* have an A address. So...
>
>> tcp_outgoing_address 10.0.1.54 ipA port80
>>
>> is used.
> If that fails it might fail over to another IPv4 or to the domains IPv6
> address.
>
>
>> If I change dns_v4_first from on to off,
>>
> ** then "dns_v4_first on" tells Squid to use the servers AAAA address as
> first choice before attempting IPv6 contact.
>
> ** That domain *does* have an AAAA address. So ...
>
>> tcp_outgoing_address 2001:cdba::3257:9652 ipB port88 domain_acl
>>
> ... or the machines default IPv6 addresss is used when contacting the
> servers AAAA address(es).
>
> If that fails then Squid might failover to another of the servers IPv6
> addresses, or to its IPv4 address.
>
>
>
>
> You can choose a particular IP from amongst the appropriate v4/v6 types
> available. But you cannot force a particular type to be used.
> (though you might configure an IPv4/IPv6 address which will force
> breakage on the connection).
>
>
> It is the network firewalls job to determine whether *Squid* is allowed
> contact from IP A to IP B. If it blocks unwanted IPv6 traffic properly,
> then the normal ICMPv6 packet that comes back from the firewall will
> tell Squid to try the next IP on the list for the server being contacted.
>
>
> HTH
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
More information about the squid-users
mailing list