[squid-users] How to make squid use ipv4 only for connecting to websites

Alex Rousskov rousskov at measurement-factory.com
Fri Oct 18 14:57:02 UTC 2019


On 10/18/19 10:17 AM, Robert Senger wrote:

> there's a group of clients that should be configured to load
> websites via ipv4 only.

> The only way I found so far is to set an invalid ipv6 outgoing address:
> 
>   tcp_outgoing_address fd20::1  proxy-extra
>   tcp_outgoing_address 172.16.4.244 proxy-extra
> 
> where fd20::1 simply does not exist on the host system.
> 
> This shows the results I want when browsing to test sites like 
> http://ipv6-test.com (ipv4 connectivity only).

Glad you found a workaround!


> But I am not sure if setting invalid addresses is really desirable...

It is not. I have not checked, but I would expect that Squid master/v5
(at least) will try to use that invalid outgoing address (and fail).
Needless to say, such futile attempts waste time and other resources.
They may also lead to misleading user-visible errors.


> So, is there a better / more elegant way to tell squid to use ipv4 only
> when serving requests for certain clients?

tcp_outgoing_address is not meant for prohibiting destinations. I think
Squid should support use cases like yours explicitly: We should add a
new directive that only applies to direct destinations selected by the
existing peer selection algorithms:

    acl to_ipv6 dst ipv6
    direct_access deny to_ipv6 proxy-extra

I also considered extending cache_peer_access to apply to direct
destinations, but rejected that idea because we want to preserve
existing checks for cache_peer names in cache_peer_access and because
applying a directive called "cache_peer..." to direct connections is
unexpected/confusing.

We could also add a new ACL-driven directive to prohibit A or AAAA DNS
queries for certain names:

    dns_query_access AAAA deny proxy-extra

Using dns_query_access would save DNS resources in your use case, but
direct_access would cover a lot more use cases because it is a lot more
precise/selective (and not subject to DNS caching concerns).

Perhaps both directives should be added.


Quality pull requests or their sponsorship welcomed:
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


Cheers,

Alex.
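
Added example, not part of the original message and not Squid project code: a check over Squid's native access.log that reports direct connections to IPv6 servers made on behalf of the restricted clients, so the workaround discussed above can be re-verified after a configuration change or upgrade. It assumes the "proxy-extra" clients can be recognized by source subnet (the thread does not show how that ACL is defined); the subnet and the log lines are constructed placeholders.

```python
import ipaddress

# Assumption: "proxy-extra" clients come from this subnet (placeholder range;
# the thread does not show the ACL definition).
PROXY_EXTRA_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/server type
SAMPLE_LOG = """\
1571410622.101    145 192.0.2.10 TCP_MISS/200 5120 GET http://ipv6-test.com/ - HIER_DIRECT/203.0.113.7 text/html
1571410623.412    210 192.0.2.11 TCP_TUNNEL/200 9034 CONNECT example.org:443 - HIER_DIRECT/2001:db8::10 -
1571410624.007     98 198.51.100.5 TCP_MISS/200 811 GET http://example.net/ - HIER_DIRECT/2001:db8::20 text/html
1571410625.550      3 192.0.2.10 TCP_HIT/200 1200 GET http://example.com/logo.png - HIER_NONE/- image/png
1571410626.900    310 192.0.2.12 TCP_MISS/503 4100 GET http://example.org/ - HIER_DIRECT/2001:db8::10 text/html
"""


def ipv6_direct_hits(log_text, client_net=PROXY_EXTRA_NET):
    """Return (client, status, url, server) for each direct connection to an
    IPv6 server made for a client inside client_net."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated line or a custom logformat
        client, status, url, hier = fields[2], fields[3], fields[6], fields[8]
        how, _, server = hier.partition("/")
        if how != "HIER_DIRECT":
            continue  # cache hits and cache_peer traffic are out of scope
        try:
            if ipaddress.ip_address(client) not in client_net:
                continue  # not one of the restricted clients
            server_ip = ipaddress.ip_address(server)
        except ValueError:
            continue  # "-" or a host name instead of an address
        if server_ip.version == 6:
            hits.append((client, status, url, server))
    return hits


if __name__ == "__main__":
    for client, status, url, server in ipv6_direct_hits(SAMPLE_LOG):
        print(f"{client} reached {server} for {url} ({status})")
```

Failed attempts (non-2xx status) are reported as well, since they show Squid still selecting an IPv6 destination for those clients.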

