[squid-users] disable/block ipv6 requests

Alex Rousskov rousskov at measurement-factory.com
Wed Feb 26 14:42:55 UTC 2025


On 2025-02-26 07:05, Matus UHLAR - fantomas wrote:

> I'd like squid to avoid considering using ipv6, 
> because even if any ipv6 attempt failed, there still were some being made
> ... at least I assume so from squid logs:
> 
> 1740062747.503      0 192.0.2.1 NONE_NONE/503 0 CONNECT ad.turn.com:443 - HIER_DIRECT/2001:678:cb4:bbbb::11 -
> 
> As I understand it, I can build squid without ipv6 support. Is there any 
> other way to disable outgoing ipv6 communication?

Yes, for some definition of "ipv6 communication". Modern Squids[1] 
should not open connections to IPv6 addresses after deciding (at 
startup) that IPv6 is not supported. When that "not supported" decision 
is made, you should get a level-0 "BCP 177 violation" WARNING in 
cache.log. Unfortunately, that diagnostic is not provided for some use 
cases.

[1] Here, "modern Squids" are Squids with a Bug 5154 fix (e.g., v5.10, 
v6.13, and v7.0.1; see master commit 97bbba61 for details).


> From what I read in archives using "acl" makes no sense, as it decides 
> whether to block request or not

Using http_access to block requests to IPv6 addresses makes sense in 
some cases, but it is difficult to get right, and it cannot cover all 
use cases, so I would not recommend that solution in most cases.


> ...and the directive dns_v4_first is long obsolete

Correct. It is ignored (with a warning).


> What I have tried:
> 
> 1. disabling ipv6 by setting (linux) net.ipv6.conf.all.disable_ipv6=1
> 
> but in logs squid complains:
> 
> 2025/02/24 00:00:10| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.

This warning is a positive sign for your use case: Modern Squids[1] 
should not open connections to IPv6 addresses after the above warning.


> 2. reboot linux kernel with option "ipv6.disable=1"
> 
> (at least the ipv6 attempts stopped)

I have not checked, but I am guessing that this OS configuration results 
in the same overall outcome as net.ipv6.conf.all.disable_ipv6=1 but 
without a BCP 177 violation warning at level-1. Check level-2 cache.log 
for an "IPv6 not supported on this machine. Auto-Disabled" line. If that 
line is there, Squid has disabled IPv6 use just like it does when 
printing the BCP 177 warning.


> After either of last two attempts, squid seems to crash too often.
> #5  0x0000564f2a77e824 in Ip::Address::getAddrInfo(addrinfo*&, int) 

Your old Squid is suffering from Bug 5154 (at least):
https://bugs.squid-cache.org/show_bug.cgi?id=5154


> I have squid 5.7 on Debian 12

Consider upgrading to a modern Squid[1].


HTH,

Alex.
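
Added example (not part of the original message and not Squid project code): a small Python check that looks in cache.log for the two "IPv6 disabled" lines named above and lists access.log entries whose next hop is an IPv6 address. The function names are hypothetical, the access.log field layout is assumed to be the native one seen in the quoted log line, and the sample lines are constructed except where they repeat lines quoted in the thread.

```python
import ipaddress

# cache.log phrases quoted in the message above
DISABLE_MARKERS = ("BCP 177 violation",
                   "IPv6 not supported on this machine. Auto-Disabled")

def ipv6_disabled(cache_lines):
    """True if cache.log shows either IPv6-disabled line from the thread."""
    return any(m in line for line in cache_lines for m in DISABLE_MARKERS)

def ipv6_peers(access_lines):
    """Return (timestamp, url, address) for entries whose next hop is IPv6.

    Assumption: native access.log layout, as in the quoted log line:
    time elapsed client code/status bytes method URL user hierarchy/peer type
    """
    hits = []
    for line in access_lines:
        f = line.split()
        if len(f) < 9 or "/" not in f[8]:
            continue
        peer = f[8].split("/", 1)[1].strip("[]")
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            continue  # "-" (no next hop) or a hostname
        if addr.version == 6:
            hits.append((float(f[0]), f[6], str(addr)))
    return hits

# First line of each list is quoted in the thread; the rest are constructed.
SAMPLE_CACHE = [
    "2025/02/24 00:00:10| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.",
    "2025/02/24 00:00:11| constructed unrelated cache.log line",
]
SAMPLE_ACCESS = [
    "1740062747.503      0 192.0.2.1 NONE_NONE/503 0 CONNECT ad.turn.com:443 - HIER_DIRECT/2001:678:cb4:bbbb::11 -",
    "1740062750.120     35 192.0.2.1 TCP_TUNNEL/200 4521 CONNECT example.com:443 - HIER_DIRECT/198.51.100.7 -",
    "1740062751.001      0 192.0.2.1 TCP_DENIED/403 3900 GET http://example.net/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    print("IPv6 disabled per cache.log:", ipv6_disabled(SAMPLE_CACHE))
    for ts, url, addr in ipv6_peers(SAMPLE_ACCESS):
        print(f"{ts:.3f} {url} -> {addr}")
```

IPv6 hits that keep appearing after a disable line has been logged are worth comparing against the running Squid version, since the message ties the expected behaviour to builds with the Bug 5154 fix.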


