[squid-users] How to configure IPv6
Amos Jeffries
squid3 at treenet.co.nz
Tue Nov 20 00:20:35 UTC 2018
On 20/11/18 9:37 am, igmaniac wrote:
> Hi,
>
> I am trying to create a simple proxy that will receive traffic and forward
> it to the server IPv6 address.
Squid defaults to using IPv6 all connections unless there is something
actively preventing IPv6 from working.
If your network supports IPv6 traffic and the server you are connecting
to has an IPv6 address you do not have to do anything. Just configure
whatever ACLs and access rules you would have about whether a client is
allowed to use your proxy.
> I can actually connect to proxy but when I check my IP on a browser it says
> the IPv4 address of the server.
What check are you doing exactly? and what exactly is it producing?
The problem is most likely that you are looking at the wrong info or the
test is broken in some other way.
Please be aware that in normal HTTP operations the Browser<->Squid
connection is fully independent of any Squid<->server connections.
Websites which tell you "your IP" (aka whatismyip.com) are often not
telling you Squid's IP they are seeking to tell you the Browser's IP.
> So far my configuration is like this but I don't know if it's correct:
>
> hierarchy_stoplist cgi-bin ?
The above directive was removed in Squid-3.5.
> acl QUERY urlpath_regex cgi-bin \? \.css
> no_cache deny QUERY
You can remove the above lines completely. It is a workaround from
Squid-1.x for HTTP/1.0 lack of certain caching features. Squid-3.2 and
later support HTTP/1.1 caching and you already have the relevant
refresh_pattern to handle dynamic content better than the "QUERY"
workaround ever could.
> acl NOT_TO_CACHE dstdomain "/etc/squid/list/not-to-cache.conf"
> no_cache deny NOT_TO_CACHE
Remove that "no_" prefix. The directive has been called just "cache "
since Squid-2 era.
Or, if you have Squid-3.5 or later consider using the store_miss
directive instead of "cache".
> acl SSL_ports port 443
> acl Safe_ports port 80
> acl Safe_ports port 21
> acl Safe_ports port 443
> acl Safe_ports port 70
> acl Safe_ports port 210
> acl Safe_ports port 1025-65535
> acl Safe_ports port 280
> acl Safe_ports port 488
> acl Safe_ports port 591
> acl Safe_ports port 777
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localhost
> http_access allow all
Do not do that. "allow all" makes your proxy an "Open Proxy" which is a
very bad idea.
Especially when testing since it artificially makes things that are
quite abnormal "work". As evidenced by your very mangled http_access
rules later on (which are ignored since everything was already allowed
by this).
> http_port 3128
> acl user1 myportname 3128
The "user1" ACL is never used. You can remove the above line.
> acl to_ipv6 dst ipv6
> http_access deny to_ipv6 !all
The "allow all" above already allowed *everything* through your Squid.
So this line is never even evaluated and its use as a trick to get Squid
to perform DNS far earlier than normal is not happening.
>From the context of your question and intended behaviour I suspect that
you were not actually wanting to do the behaviour this config trick is
designed to cause. Specifically to force Squid to perform DNS lookups
far earlier than it would normally do them - for a very minor
performance enhancement when DNS server are expected to be very slow.
That behaviour will not help with your stated intentions. So I suggest
removing this http_access line as well.
> tcp_outgoing_address xxx::xxx to_ipv6
In current Squids where it works properly this directive selects the IP
based first on which IP type the server has. You can only set IPv6
address on connections to IPv6 servers, and only set IPv4 address on
connections to IPv4 servers. Squid-3.4+ will ignore lines attempting to
set the wrong IP type.
In other words the "to_ipv6" is implicit in how this directive currently
does things and no longer needed. If you have to use the above line to
set a custom IPv6 for outgoing traffic you should use the "all" ACL here
instead.
Or better yet, remove that line entirely. The OS networking stack will
assign an appropriate IP address for the connection.
... if you do all those changes you should notice you are pretty much
back to Squid's default config file.
Amos
More information about the squid-users
mailing list