[squid-users] Disable IPV6 for certain destinations only?

Stephen Borrill squid at borrill.org.uk
Tue Oct 31 13:08:29 UTC 2023


On 18th April 2023 Alex Rousskov wrote:
> On 4/18/23 03:38, Ralf Hildebrandt wrote:
> 
>> We're using squid-6, currently v4 only. The use case for us is mostly
>> our users using our proxy to retrieve full text publications of
>> several thousand medical journals... via IPv4.
>> 
>> The publishers "know" our IPv4 range for the proxies and allow us to
>> download freely. What they don't (yet) know is our ipv6 range.
>> 
>> Thus arises the need to "fall back" to ipv4 in the unlikely case some
>> publisher already has ipv6, we connect via ipv6 and suddenly are not
>> allowed to download the publications.
>> 
>> Is there an acl for that kind of need?
> 
> I will rephrase your question to avoid the distraction of "acl":
> 
>    How can I configure Squid to try IPv4 if IPv6 fails?
> 
> The answer depends on how IPv6 fails:
> 
> 1. If IPv6 fails at DNS resolution time (i.e. the DNS resolver does not 
> respond with a usable address to a AAAA query), then Squid will 
> automatically use IPv4 (i.e. the DNS resolver address in an A response). 
> There is nothing to configure.
> 
> 2. If IPv6 fails at TCP connection establishment time, then Squid will 
> automatically use an IPv4 connection. There is nothing to configure 
> (although there are a few Happy Eyeballs configuration options that you 
> can tune).
> 
> 3. If IPv6 fails at TLS connection establishment time, then, IIRC, #2 
> applies unless SslBump is involved. Squid will not retry failed TLS 
> connections that are subject to SslBump IIRC.
> 
> 4. If IPv6 fails at HTTP request time, then Squid will retry in _some_ 
> cases. See [1] for a long list of conditions; you are probably mostly 
> interested in the last four or five bullets, but keep in mind that the 
> list is of cases where Squid does _not_ re-forward the failed request.
> 
> [1] 
> https://wiki.squid-cache.org/SquidFaq/InnerWorkings#when-does-squid-re-forward-a-client-request
> 
> You can also replace your DNS resolver with a custom one (that drops 
> AAAA answers) or, as Adam has suggested, with hard-coded IPv4-only 
> /etc/hosts entries.

On a machine with no IPv6 connection to the Internet and bearing in mind 2 and 3 above,
what is going on in the following situation? The host is being resolved to IPv6,
the connection is failing with (presumably) no route to host and the client's connection is rejected
with a 503 error:


peer_select.cc(373) checkAlwaysDirectDone: ALLOWED
peer_select.cc(379) checkAlwaysDirectDone: direct = DIRECT_YES (always_direct allow)
peer_select.cc(612) selectMore: CONNECT forcesafesearch.google.com
peer_select.cc(1102) addSelection: adding HIER_DIRECT#forcesafesearch.google.com
peer_select.cc(460) resolveSelected: Find IP destination for: forcesafesearch.google.com:443' via forcesafesearch.google.com
Address.cc(389) lookupHostIP: Given Non-IP 'forcesafesearch.google.com': hostname or servname not provided or not known
peer_select.cc(1174) handlePath: PeerSelector33640 found conn271011 local=[::] remote=[2001:4860:4802:32::78]:443 HIER_DIRECT flags=1, destination #1 for forcesafesearch.google.com:443
peer_select.cc(1180) handlePath:   always_direct = ALLOWED
peer_select.cc(1181) handlePath:    never_direct = DENIED
peer_select.cc(1182) handlePath:        timedout = 0
peer_select.cc(479) resolveSelected: PeerSelector33640 found all 1 destinations for forcesafesearch.google.com:443
peer_select.cc(480) resolveSelected:   always_direct = ALLOWED
peer_select.cc(481) resolveSelected:    never_direct = DENIED
peer_select.cc(482) resolveSelected:        timedout = 0
client_side.cc(1953) clientParseRequests: Not parsing new requests, as this request may need the connection
FwdState.cc(1568) GetMarkingsToServer: from [::] tos 0 netfilter mark 0
ConnOpener.cc(42) ConnOpener: will connect to conn271013 local=[::] remote=[2001:4860:4802:32::78]:443 HIER_DIRECT flags=1 with 60 timeout
comm.cc(372) comm_openex: comm_openex: Attempt open socket for: [::]
comm.cc(414) comm_openex: comm_openex: Opened socket conn271014 local=[::] remote=[::] FD 1218 flags=1 : family=24, type=1, protocol=6
fd.cc(168) fd_open: fd_open() FD 1218 forcesafesearch.google.com
ConnOpener.cc(312) createFd: conn271013 local=[::] remote=[2001:4860:4802:32::78]:443 HIER_DIRECT flags=1 will timeout in 60
comm.cc(844) _comm_close: start closing FD 1218 by ConnOpener.cc:232
comm.cc(580) commUnsetFdTimeout: Remove timeout for FD 1218
HappyConnOpener.cc(522) sendFailure: conn271013 local=[::] remote=[2001:4860:4802:32::78]:443 HIER_DIRECT flags=1 @0
fd.cc(93) fd_close: fd_close FD 1218 forcesafesearch.google.com
tunnel.cc(1364) sendError: aborting transaction for HappyConnOpener gave up
errorpage.cc(751) errorSend: conn271010 local=127.0.0.1:8123 remote=127.0.0.1:56146 FD 1217 flags=1, err=ERR_CONNECT_FAIL

-- 
Stephen



More information about the squid-users mailing list