Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?
On Tue, Apr 03, 2012 at 12:22:52PM +1200, Amos Jeffries wrote:
> On 03.04.2012 12:12, Peter Olsson wrote:
> > On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> >> On 03.04.2012 02:21, Peter Olsson wrote:
> >> > Hello!
> >> >
> >> > Squid 3.1.19.
> >> >
> >> > Our squid servers are dual stack IPv4/IPv6 since about a year,
> >> > with this config "hack":
> >> >
> >> > tcp_outgoing_address x:x:x:x::x to_ipv6
> >> > tcp_outgoing_address x.x.x.x !to_ipv6
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > But now our users are tired of webs that announce IPv6 addresses
> >> > but don't answer on port 80 on these addresses. So I enabled
> >> > dns_v4_first in the config and did squid -k reconfigure.
> >> > But it didn't help, we still get IPv6 timeouts towards
> >> > misconfigured web sites.
> >> >
> >> > I'm guessing that dns_v4_first and the ipv6 config above are
> >> > mutually exclusive? Should I change the tcp_outgoing_address
> >> > line to just this:
> >> > tcp_outgoing_address x:x:x:x::x
> >> > tcp_outgoing_address x.x.x.x
> >> > and remove these lines:
> >> > acl to_ipv6 dst ipv6
> >> > http_access allow to_ipv6 !all
> >> >
> >> > Or will this remove all of our IPv6 connectivity through squid?
> >> >
> >>
> >> You are the first person to report any issues. They are interrelated
> >> but should not be exclusive. Does ordering the tcp_outgoing_address
> >> with IPv4 address first help?
> >>
> >> Amos
> >
> > Changing order of tcp_outgoing_address doesn't help, our squid with
> > "dns_v4_first on" still gives the Operation timed out error, and it
> > is trying to connect to the IPv6 address of the web server.
> >
> > I also tried removing these four lines completely:
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But that didn't help either, it still tries the IPv6 address even
> > though I have dns_v4_first on.
> >
> > Is there some internal DNS timeout in squid that I should wait for
> > before testing between changes?
>
> Er, yes. Whatever the TTL of the domain being tested against is. A
> restart clears the DNS caches, so may be better here than just a
> reconfigure.

Excellent! It works now after restart.
I will keep the ipv6 lines above out of our config,
I don't think we really need them.

Thanks!

-- 
Peter Olsson                    p...@leissner.se
CCIE #8963 R&S, Security        +46 520 500511
Leissner Data AB                +46 701 809511

Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?
On 03.04.2012 12:12, Peter Olsson wrote:
> On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
>> On 03.04.2012 02:21, Peter Olsson wrote:
>> > Hello!
>> >
>> > Squid 3.1.19.
>> >
>> > Our squid servers are dual stack IPv4/IPv6 since about a year,
>> > with this config "hack":
>> >
>> > tcp_outgoing_address x:x:x:x::x to_ipv6
>> > tcp_outgoing_address x.x.x.x !to_ipv6
>> > acl to_ipv6 dst ipv6
>> > http_access allow to_ipv6 !all
>> >
>> > But now our users are tired of webs that announce IPv6 addresses
>> > but don't answer on port 80 on these addresses. So I enabled
>> > dns_v4_first in the config and did squid -k reconfigure.
>> > But it didn't help, we still get IPv6 timeouts towards
>> > misconfigured web sites.
>> >
>> > I'm guessing that dns_v4_first and the ipv6 config above are
>> > mutually exclusive? Should I change the tcp_outgoing_address
>> > line to just this:
>> > tcp_outgoing_address x:x:x:x::x
>> > tcp_outgoing_address x.x.x.x
>> > and remove these lines:
>> > acl to_ipv6 dst ipv6
>> > http_access allow to_ipv6 !all
>> >
>> > Or will this remove all of our IPv6 connectivity through squid?
>> >
>>
>> You are the first person to report any issues. They are interrelated
>> but should not be exclusive. Does ordering the tcp_outgoing_address
>> with IPv4 address first help?
>>
>> Amos
>
> Changing order of tcp_outgoing_address doesn't help, our squid with
> "dns_v4_first on" still gives the Operation timed out error, and it
> is trying to connect to the IPv6 address of the web server.
>
> I also tried removing these four lines completely:
> tcp_outgoing_address x:x:x:x::x to_ipv6
> tcp_outgoing_address x.x.x.x !to_ipv6
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
>
> But that didn't help either, it still tries the IPv6 address even
> though I have dns_v4_first on.
>
> Is there some internal DNS timeout in squid that I should wait for
> before testing between changes?

Er, yes. Whatever the TTL of the domain being tested against is. A
restart clears the DNS caches, so may be better here than just a
reconfigure.

> What debug setting should I use to see why squid is choosing
> the IPv6 address?

comm (5) and DNS (78) sections at level 6. Possibly more if that is not
enough.

Amos

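Added example, not part of the original thread: a squid.conf fragment that combines dns_v4_first with the debug sections named in the reply above. The `ALL,1` baseline for the remaining sections is an assumption.

```conf
# squid.conf fragment (illustrative, not from the thread)

# Try the IPv4 addresses of a dual-stack destination before its IPv6 ones.
dns_v4_first on

# Leave every debug section at level 1 (assumed baseline) and raise only
# the two sections named in the reply to level 6:
#   section 5  = comm
#   section 78 = DNS
# The extra detail is written to cache.log.
debug_options ALL,1 5,6 78,6
```

Addresses already held in Squid's DNS caches stay in use until their TTL expires, so restart Squid rather than running `squid -k reconfigure` before testing the change.
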
Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?
On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
> On 03.04.2012 02:21, Peter Olsson wrote:
> > Hello!
> >
> > Squid 3.1.19.
> >
> > Our squid servers are dual stack IPv4/IPv6 since about a year,
> > with this config "hack":
> >
> > tcp_outgoing_address x:x:x:x::x to_ipv6
> > tcp_outgoing_address x.x.x.x !to_ipv6
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > But now our users are tired of webs that announce IPv6 addresses
> > but don't answer on port 80 on these addresses. So I enabled
> > dns_v4_first in the config and did squid -k reconfigure.
> > But it didn't help, we still get IPv6 timeouts towards
> > misconfigured web sites.
> >
> > I'm guessing that dns_v4_first and the ipv6 config above are
> > mutually exclusive? Should I change the tcp_outgoing_address
> > line to just this:
> > tcp_outgoing_address x:x:x:x::x
> > tcp_outgoing_address x.x.x.x
> > and remove these lines:
> > acl to_ipv6 dst ipv6
> > http_access allow to_ipv6 !all
> >
> > Or will this remove all of our IPv6 connectivity through squid?
> >
>
> You are the first person to report any issues. They are interrelated
> but should not be exclusive. Does ordering the tcp_outgoing_address with
> IPv4 address first help?
>
> Amos

Changing order of tcp_outgoing_address doesn't help, our squid with
"dns_v4_first on" still gives the Operation timed out error, and it
is trying to connect to the IPv6 address of the web server.

I also tried removing these four lines completely:
tcp_outgoing_address x:x:x:x::x to_ipv6
tcp_outgoing_address x.x.x.x !to_ipv6
acl to_ipv6 dst ipv6
http_access allow to_ipv6 !all

But that didn't help either, it still tries the IPv6 address even
though I have dns_v4_first on.

Is there some internal DNS timeout in squid that I should wait for
before testing between changes?

What debug setting should I use to see why squid is choosing
the IPv6 address?

Thanks!

-- 
Peter Olsson                    p...@leissner.se

Re: [squid-users] Are dns_v4_first and "acl to_ipv6 dst ipv6" mutually exclusive?
On 03.04.2012 02:21, Peter Olsson wrote:
> Hello!
>
> Squid 3.1.19.
>
> Our squid servers are dual stack IPv4/IPv6 since about a year,
> with this config "hack":
>
> tcp_outgoing_address x:x:x:x::x to_ipv6
> tcp_outgoing_address x.x.x.x !to_ipv6
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
>
> But now our users are tired of webs that announce IPv6 addresses
> but don't answer on port 80 on these addresses. So I enabled
> dns_v4_first in the config and did squid -k reconfigure.
> But it didn't help, we still get IPv6 timeouts towards
> misconfigured web sites.
>
> I'm guessing that dns_v4_first and the ipv6 config above are
> mutually exclusive? Should I change the tcp_outgoing_address
> line to just this:
> tcp_outgoing_address x:x:x:x::x
> tcp_outgoing_address x.x.x.x
> and remove these lines:
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
>
> Or will this remove all of our IPv6 connectivity through squid?

You are the first person to report any issues. They are interrelated
but should not be exclusive. Does ordering the tcp_outgoing_address with
IPv4 address first help?

Amos