On 03.04.2012 12:12, Peter Olsson wrote:
> On Tue, Apr 03, 2012 at 10:28:38AM +1200, Amos Jeffries wrote:
>> On 03.04.2012 02:21, Peter Olsson wrote:
>>> Hello!
>>>
>>> Squid 3.1.19.
>>>
>>> Our squid servers are dual stack IPv4/IPv6 since about a year,
>>> with this config "hack":
>>>
>>> tcp_outgoing_address x:x:x:x::x to_ipv6
>>> tcp_outgoing_address x.x.x.x !to_ipv6
>>> acl to_ipv6 dst ipv6
>>> http_access allow to_ipv6 !all
>>>
>>> But now our users are tired of webs that announce IPv6 addresses
>>> but don't answer on port 80 on these addresses. So I enabled
>>> dns_v4_first in the config and did squid -k reconfigure.
>>> But it didn't help, we still get IPv6 timeouts towards
>>> misconfigured web sites.
>>>
>>> I'm guessing that dns_v4_first and the ipv6 config above are
>>> mutually exclusive? Should I change the tcp_outgoing_address
>>> line to just this:
>>> tcp_outgoing_address x:x:x:x::x
>>> tcp_outgoing_address x.x.x.x
>>> and remove these lines:
>>> acl to_ipv6 dst ipv6
>>> http_access allow to_ipv6 !all
>>>
>>> Or will this remove all of our IPv6 connectivity through squid?
>>>
>>
>> You are the first person to report any issues. They are interrelated
>> but should not be exclusive. Does ordering the tcp_outgoing_address with
>> IPv4 address first help?
>>
>> Amos
>
> Changing order of tcp_outgoing_address doesn't help, our squid with
> "dns_v4_first on" still gives the Operation timed out error, and it
> is trying to connect to the IPv6 address of the web server.
>
> I also tried removing these four lines completely:
> tcp_outgoing_address x:x:x:x::x to_ipv6
> tcp_outgoing_address x.x.x.x !to_ipv6
> acl to_ipv6 dst ipv6
> http_access allow to_ipv6 !all
>
> But that didn't help either, it still tries the IPv6 address even
> though I have dns_v4_first on.
>
> Is there some internal DNS timeout in squid that I should wait for
> before testing between changes?

Er, yes. Whatever the TTL of the domain being tested against is. A restart clears the DNS caches, so may be better here than just a reconfigure.

> What debug setting should I use to see why squid is choosing the
> IPv6 address?

comm (5) and DNS (78) sections at level 6. Possibly more if that is not enough.

Amos
