[squid-users] Squid + IPv6

Eliezer Croitoru eliezer at ngtech.co.il
Tue May 16 22:45:32 UTC 2017


It's doable but I really recommend to try and run squid on Linux instead of
Windows.
It's very important that you understand that the windows version cannot be
fully supported for your specific need.
Even if you will run a Linux virtual machine ontop of a windows box you will
probably have better results then trying to find a "fix" for the windows
version from this mailing list.

Specifically for the thousands of  IPv6 I believe that you will need a
custom solution either by patching squid for Linux or write the right
software for your needs.

Hope It Helps,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il



-----Original Message-----
From: IAPS Security Services, Ltd. [mailto:jared at iaps.pro] 
Sent: Wednesday, May 17, 2017 12:20 AM
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Squid + IPv6

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--E9SVe58D61BPqLwwes7HgAq2DqWH0WJJV
Content-Type: multipart/mixed; boundary="9uXrNjm44vJFPKovTw2oihDfwSCwtM6rd";
 protected-headers="v1"
From: "IAPS Security Services, Ltd." <jared at iaps.pro>
To: Eliezer Croitoru <eliezer at ngtech.co.il>
Cc: squid-users at lists.squid-cache.org
Message-ID: <42b652f1-3bd6-a3c8-8a3f-821d14c0d0da at iaps.pro>
Subject: Re: [squid-users] Squid + IPv6
References: <119093bb-bd72-b489-c10e-bde7b4e1b64c at iaps.pro>
 <04c301d2ce89$6748a060$35d9e120$@ngtech.co.il>
In-Reply-To: <04c301d2ce89$6748a060$35d9e120$@ngtech.co.il>

--9uXrNjm44vJFPKovTw2oihDfwSCwtM6rd
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

What I need from squid is the ability to use thousands of ipv6 ip addresses
in normal http mode. I am not concerned about https at this point. But the
original question was how to increase the ip limit of squid past the 128 ip
maximum on a Windows platform. The main purpose is to assign a specific set
of ipv6 proxies to specific users.

Best Regards,

Jared Twyler
On 5/16/2017 4:14 PM, Eliezer  Croitoru wrote:
> Hey,
> (not sure what=E2=80=99s your first name)
>=20
> What do you actually need from squid, in words.
> Do you need it as a caching proxy?
> What functionality is the main business of squid in your scenario?
> To give specific users ip addresses the option to use a specific 
>outgoi=
ng address?
> Do you need\want squid to enforce some policy else then the issue you 
> a=
re having?
> If you only need to "load balance'" or decide which outgoing ip will 
> be=
 used for a specific user source IP then there are much more efficient wa=
ys to do that these days.
> Also when you are talking about "big" number of users with big numbers 
> =
of connections you need to be more specific about your upper limit.
> If you want it to be more then 128 but less the 1024 I would say go 
> wit=
h squid and compile it but... when you are talking about 1k+ I would reco=
mmend you to rethink your strategy.
> If you don't care about SSL-BUMP for example then there are really 
> simp=
le ways to write a simple proxy which will do what you need, you just nee= d
the right programmer.
>=20
> All The Bests,
> Eliezer
>=20
> * I am really not looking for a job to write a proxy.. but just think 
>i=
t's a kind suggestion to redirect into some other directions.
>=20
> ----
> Eliezer Croitoru
> Linux System Administrator
> Mobile: +972-5-28704261
> Email: eliezer at ngtech.co.il
>=20
>=20
>=20
> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] 
>On=
 Behalf Of IAPS Security Services, Ltd.
> Sent: Tuesday, May 16, 2017 10:21 PM
> To: squid-users at lists.squid-cache.org
> Subject: [squid-users] Squid + IPv6
>=20
> Greetings All,
>=20
> First time poster to the list, long time squid user.
>=20
> I have an issue I've come across and I'm greatful if the community can  
>suggest ideas here. I've recently deployed squid for Windows from  
>Diladele (http://squid.diladele.com/) and they said to bring my issue 
>t=
o
> the mail list.
>=20
> Here goes:
>=20
> Squid requires each individual ip to be put on the network card 
>instead=

> of being permitted to use a cidr annotation for dedicated ip's. There 
> i=
s
> a 128 ip limit for squid by default. This limit can be removed for 
> linu=
x
> machines by re-compiling and adjusting the limits. In the ipv6  
>deployment that I'm trying to create, I need much more than 128 ip's.
>=20
> There are no instructions, at least none that I could find in a basic  
>google search, on how to increase this limit on a windows deployment.
> With ipv6 ip's I'm setting up individual ipv6's per squid acl's so 
>that=

> users have access to specific ipv6 proxies. Only issue I have is the 
> 12=
8
> ip limit imposed by default. Now when you have access to an ipv6 /29 
> range 128 usable ip's is a drop in the bucket and I'd need the ability 
> to have squid to use thousands of ipv6 ip addresses on demand. The 
> firs=
t
> 128 work fine, but when adding the 129th, the entirety of squid  
>immediately stops working. The acl that I'm using looks like this:
>=20
> acl ip1 myip 2axx:xxxx:285::1
> tcp_outgoing_address 2axx:xxxx:285::1 ip1
>=20
> acl ip2 myip 2axx:xxxx:285::2
> tcp_outgoing_address 2axxxx:xxxx:285::2 ip2
>=20
> How can I compile squid for windows to get around the 128 ip limit 
>impo=
sed?
>=20


--9uXrNjm44vJFPKovTw2oihDfwSCwtM6rd--

--E9SVe58D61BPqLwwes7HgAq2DqWH0WJJV
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZG2z0AAoJEHJVw0pF7EnlQK4QAKy+I3fflCY1Z9XXoRoygpg2
d2DBcJ688fXY9xqbonGQ6h46FqNZCSBmViiPhTPt0ebj5sXOdGcjA4o0SK03JW15
8vmlfCd2hDfRFtkkVkqa6muTF3SLvVSPhb48/5AvAI6rDzwRrZWx8UeGH0X9nei1
nUd/wQdCY4V8CTA/ZeJmqF855ZrNzKw0+rb/s/m4Ub+Q8KxyJ/z+ygu9IRyi10Bc
/94IjY+w0vL+fZzZN0FZIloVYNGFyHfu4fHe028jSZ00stwH1zS5M2g6D1A4JI1P
oSbJ/5wkxwX51h7+B70t8pHQIQ/XD9BZ71EvE+jz5ImtnJwOLq5EuTLHZtlzFr6e
lHdWw+Pp6mqIB+IXTuE8iXsTT1J5rullUdpCEtg7+nh9Sp3Z0Q7YdLQrRNF902v8
7qDptx1tIHQ9J9cBchGtsX1wgOKNIG8FH28XSSzfT45x69Z14r7mTSxLeszblcvN
LDzXr+DXLj0N6esOFQGzHM/YCn0A5bAWQinoLO/pmdflxGnbPPTXI4muxkz1E/Mp
Kz60FW3TYPHtYHJ66NKKu8iL7W0Ax+aEkaEuAX5c9e8LL15U1FCOlT7KfeE0WU9+
oPsOCW/eoTrtdWfGzSTShg3A3Plfip5jUpjz4lJl7VDD4v3Ldwcx4oCt4QGwoowC
2zRnoiMu+j+mFwNpGhkQ
=t2dJ
-----END PGP SIGNATURE-----

--E9SVe58D61BPqLwwes7HgAq2DqWH0WJJV--



More information about the squid-users mailing list