And for the record: no, Squid does not use libc getaddrinfo(). That API
provides speed restrictions several orders of magnitude too slow for
even small Squid installations.

** Description changed:

  Many people run squid (squid-deb-proxy, or maas-proxy) to provide ubuntu
  archive mirror caching and proxying.  MAAS sets this up by default for
  users with the 'maas-proxy' package.
  
  On or about Friday February 19, this setup began to fail for many people.
  Users would see 'apt-get update' returning 503 errors.  For me, I saw 503 on 
security.ubuntu.com addresses.
  
- The reason for the failure was that the squid proxy began using ipv6
- addresses for instead of ipv4.  The squid proxy host did not have ipv6
- connectivity and thus would fail.
+ The reason for the failure was that the DNS records for Ubuntu reacheda
+ threshold of 10 IPv6 entries. The squid proxy host did not have ipv6
+ connectivity and with a limit of 10 retries the failover does not reach
+ any IPv4 addresses - thus would fail.
  
  The fix/workaround is to add the following to your squid config:
-   # http://www.squid-cache.org/Doc/config/dns_v4_first/
-   dns_v4_first on
+   # http://www.squid-cache.org/Doc/config/forward_max_tries/
+   forward_max_tries 25
  
  The appropriate squid config file depends on what is running squid.
    maas-proxy: /usr/share/maas/maas-proxy.conf
    squid-deb-proxy: /etc/init/squid-deb-proxy.conf
  
  I'm not sure how this previously worked, nor what change was made.
  One change that was made in this time frame was a glibc update 
(2.19-0ubuntu6.6 to 2.19-0ubuntu6.7) for security (CVE-2013-7423 CVE-2014-9402 
CVE-2015-1472 CVE-2015-1473).  But it doesn't seem to make sense that that 
would change squid3 to start looking for AAAA records when it did not 
previously.
  i can verify that as late as
-   Thu Feb 18 06:36:07 EST 2016
+   Thu Feb 18 06:36:07 EST 2016
  i was seeing entries in my squid logs with
-   1455713142.896    335 10.7.2.103 TCP_REFRESH_UNMODIFIED/200 82620 GET 
http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease - 
HIER_DIRECT/91.189.88.149 -
+   1455713142.896    335 10.7.2.103 TCP_REFRESH_UNMODIFIED/200 82620 GET 
http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease - 
HIER_DIRECT/91.189.88.149 -
  but now i get
-   1455879482.210      1 10.7.2.103 TCP_REFRESH_FAIL/200 635 GET 
http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - 
HIER_DIRECT/2001:67c:1562::14 -
+   1455879482.210      1 10.7.2.103 TCP_REFRESH_FAIL/200 635 GET 
http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - 
HIER_DIRECT/2001:67c:1562::14 -
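
Review bot: the new workaround line `forward_max_tries 25` gives a fixed number with no stated rule for choosing it. The revised cause says the failure appears once the DNS answer holds 10 IPv6 entries and the retry limit is 10, so the description should state that the value has to exceed the number of unreachable IPv6 addresses returned, and that the failure will come back if the record count grows past the chosen value. The hunk also drops `dns_v4_first on` without saying whether that setting still works on hosts with no IPv6 route; a sentence on why it was replaced would help readers who already applied it.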

https://bugs.launchpad.net/bugs/1547640

Title:
  proxy tries ipv6 and gets 503 when no ipv6 routes
