After enabling IPv6 squid no longer responds


After enabling IPv6 squid no longer responds

James Moe
Hello,
  squid v4.8

  I have started transitioning our local network to IPv6.
  After adding v6 addresses to the server and hosts, and enabling an RA, squid
no longer delivers anything from its cache, or is exceedingly slow about it.
  I have reviewed the wiki. The one section that discusses this issue has a
solution only for v3.1 or earlier. Does it also apply to later versions?
  What am I missing?

----[ squid.conf ]----
# acl manager url_regex -i ^cache_object:// /squid-internal-mgr/
acl manager_admin src 192.168.69.115
#
# acl localnet src fc00::/7
# acl localnet src fe80::/10
#
# https, cups
acl SSL_ports port 443
acl SSL_ports port 631
#
# Jumpline cPanel ports
acl SSL_ports port 2083
acl SSL_ports port 2096
#
# sma-nas-02, cgatePro, webadmin
acl SSL_ports port 5000
acl SSL_ports port 5001
acl SSL_ports port 9010
acl SSL_ports port 9100
acl SSL_ports port 10000
#
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 563
acl Safe_ports port 631
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 9100
#
acl CONNECT method CONNECT
acl localnet src 192.168.69.0/24
acl localnet src fd2f:4760:521f:3f3c::0/64

access_log /data01/var/log/squid/access.log
#
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager_admin
http_access allow manager localhost
http_access deny manager
http_access allow localnet
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# Uncomment and adjust the following to add a disk cache directory.
# cache_dir ufs /var/cache/squid 100 16 256
cache_dir ufs /data01/var/cache/squid 51200 16 256
maximum_object_size 99999 KB
cache_mem 256 MB

# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320

cache_log /data01/var/log/squid/cache.log
cache_mgr [hidden email]
cache_replacement_policy lru
cache_store_log /data01/var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes

logfile_rotate 0

error_directory /usr/share/squid/errors/en

ftp_passive on
memory_replacement_policy lru
minimum_object_size 0 KB
----[ end ]----

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users


Re: After enabling IPv6 squid no longer responds

James Moe
On 13/11/2019 12.36 pm, James Moe wrote:

>   After adding v6 addresses to the server and hosts, and enabling an RA, squid
> no longer delivers anything from its cache, or is exceedingly slow about it.
>
  Anyone?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



Re: After enabling IPv6 squid no longer responds

James Moe
In reply to this post by James Moe
On 13/11/2019 12.36 pm, James Moe wrote:

>   After adding v6 addresses to the server and hosts, and enabling an RA, squid
> no longer delivers anything from its cache, or is exceedingly slow about it.
>
  Here is a typical error message from squid:

The following error was encountered while trying to retrieve the URL:
http://dx.doi.org/
Connection to 2606:4700:20::681a:9ed failed.
The system returned: (110) Connection timed out

  There is nothing in the access.log; the request is utterly ignored.
  When I have the browser bypass the proxy, the site loads almost instantly.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



Re: After enabling IPv6 squid no longer responds

Antony Stone
On Thursday 14 November 2019 at 19:50:00, James Moe wrote:

> On 13/11/2019 12.36 pm, James Moe wrote:
> >   After adding v6 addresses to the server and hosts, and enabling an RA,
> >   squid no longer delivers anything from its cache, or is exceedingly slow
> >   about it.
>
>   Here is a typical error message from squid:
>
> The following error was encountered while trying to retrieve the URL:
> http://dx.doi.org/
> Connection to 2606:4700:20::681a:9ed failed.
> The system returned: (110) Connection timed out
>
>   There is nothing in the access.log; the request is utterly ignored.
>   When I have the browser bypass the proxy, the site loads almost instantly.

Have you confirmed (for example with a network packet sniffer) that the browser
is connecting directly to the site also using IPv6?


For that matter, have you used a packet sniffer to find out what Squid is doing,
in terms of requests sent and possible responses received?


Antony.

--
Wanted: telepath.   You know where to apply.

                                                   Please reply to the list;
                                                         please *don't* CC me.

Re: After enabling IPv6 squid no longer responds

Alex Rousskov
In reply to this post by James Moe
On 11/14/19 1:50 PM, James Moe wrote:
> On 13/11/2019 12.36 pm, James Moe wrote:
>
>>   After adding v6 addresses to the server and hosts, and enabling an RA, squid
>> no longer delivers anything from its cache, or is exceedingly slow about it.

>   Here is a typical error message from squid:
>
> The following error was encountered while trying to retrieve the URL:
> http://dx.doi.org/
> Connection to 2606:4700:20::681a:9ed failed.
> The system returned: (110) Connection timed out

Can you connect to port 80 of that IPv6 address using telnet, wget, or
curl running on the Squid box?


>   There is nothing in the access.log; the request is utterly ignored.

FYI: "utterly ignored" seems to contradict "error message from squid"
above. If Squid v4 sent an error response to the browser but logged
nothing to access.log, then there is a Squid bug that you should report
to Bugzilla.

HTH,

Alex.

Re: After enabling IPv6 squid no longer responds

James Moe
On 2019-11-14 3:04 PM, Alex Rousskov wrote:

> Can you connect to port 80 of that IPv6 address using telnet, wget, or
> curl running on the Squid box?
>
  Yes.
$ telnet fd2f:4760:521f:3f3c::c0a8:45f6 80
Trying fd2f:4760:521f:3f3c::c0a8:45f6...
Connected to fd2f:4760:521f:3f3c::c0a8:45f6.
Escape character is '^]'.

>
>>   There is nothing in the access.log; the request is utterly ignored.
> FYI: "utterly ignored" seems to contradict "error message from squid"
> above.
>
  I know. Confusing.
  I have narrowed the problem space. The issue occurs only with https:, and not
always. Most sites time out; others (partially) load after a delay of 5 - 20 seconds.
  The delay never occurs for non-secure traffic.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

Re: After enabling IPv6 squid no longer responds

James Moe
In reply to this post by Alex Rousskov
On 2019-11-14 3:04 PM, Alex Rousskov wrote:

> FYI: "utterly ignored" seems to contradict "error message from squid"
> above.
>
  The command "ip a" produces the following rather intimidating output. Should I
add some more IPv6 addresses to the configuration parameter "localnet"?
  Address fd2f:4760:521f:3f3c::c0a8:45f6 is the IPv6 address given as the static
entry for the network interface.

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc pfifo_fast state UP
group default qlen 1000
    link/ether 00:24:8c:9a:f4:f4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.69.246/24 brd 192.168.69.255 scope global eth0:smasvr3
       valid_lft forever preferred_lft forever
    inet6 fd2f:4760:521f:3f3c:4dfa:4b86:934:5684/64 scope global temporary dynamic
       valid_lft 602374sec preferred_lft 83376sec
    inet6 fd2f:4760:521f:3f3c:1f0:8b81:2a1e:bb1f/64 scope global temporary
deprecated dynamic
       valid_lft 516573sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:38ef:8276:b87b:5f8d/64 scope global temporary
deprecated dynamic
       valid_lft 430773sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:d4c3:7847:797c:37da/64 scope global temporary
deprecated dynamic
       valid_lft 344973sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:c02e:96a3:1557:88ec/64 scope global temporary
deprecated dynamic
       valid_lft 259173sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:3598:28d1:3525:e51e/64 scope global temporary
deprecated dynamic
       valid_lft 173373sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:913c:74dd:d2fd:dc66/64 scope global temporary
deprecated dynamic
       valid_lft 87572sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:f592:3b23:f025:50ba/64 scope global temporary
deprecated dynamic
       valid_lft 1773sec preferred_lft 0sec
    inet6 fd2f:4760:521f:3f3c:224:8cff:fe9a:f4f4/64 scope global mngtmpaddr dynamic
       valid_lft 2591781sec preferred_lft 604581sec
    inet6 fd2f:4760:521f:3f3c::c0a8:45f6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::224:8cff:fe9a:f4f4/64 scope link
       valid_lft forever preferred_lft forever
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.



Re: After enabling IPv6 squid no longer responds

Alex Rousskov
In reply to this post by James Moe
On 11/25/19 1:53 PM, James Moe wrote:

>>>   There is nothing in the access.log; the request is utterly ignored.

>> FYI: "utterly ignored" seems to contradict "error message from squid"
>> above.

>   I know. Confusing.

My remark was meant as a hint that something in your description needs
adjustment: "error message from squid" is mutually exclusive with "the
request is utterly ignored". Going forward, I will assume that the
request was not ignored; I will assume that Squid received the request
and responded with an error message (after a timeout).

Do you see Squid making DNS queries when handling the problematic
transaction?

Can you reproduce the problem using a single transaction on an otherwise
idle Squid?


> I have narrowed the problem space. The issue occurs only with https:, and not
> always. Most sites timeout, others (partially) load after a delay of 5 - 20 seconds.
> The delay never occurs for non-secure traffic.

After the timeout and client-to-Squid connection closure, is there a
corresponding CONNECT record in access.log?

And just to double check, the error message from Squid is in response to
a CONNECT request, right? I see no SslBump rules in your configuration
so this must be a simple case of trying to establish a TCP tunnel with
the address specified by the CONNECT request.

Alex.

Re: After enabling IPv6 squid no longer responds

Amos Jeffries
Administrator
In reply to this post by James Moe
On 26/11/19 8:11 am, James Moe wrote:
> On 2019-11-14 3:04 PM, Alex Rousskov wrote:
>
>> FYI: "utterly ignored" seems to contradict "error message from squid"
>> above.
>>
>   The command "ip a" produces the following rather intimidating output. Should I
> add some more IPv6 addresses to the configuration parameter "localnet"?

You could add the fe80::/10 subnet back in. But it should not have any
noticeable effect on your current problem.


The number of "temporary deprecated dynamic" means your server is
changing its public IP randomly and frequently (so-called 'privacy
addressing'). The addresses marked 'deprecated' can only be used by
existing fully-open TCP connections. New connections to that IP are
rejected as if it did not exist - these addresses are supposed to be
only for outbound traffic anyway.

So ... check if you have any firewall rules or DNS entries regarding
traffic *to* the server. Make sure they only use the addresses marked
'forever' in that list, or the whole fd2f:4760:521f:3f3c::/64 range.

Amos

Re: After enabling IPv6 squid no longer responds

Amos Jeffries
Administrator
In reply to this post by Alex Rousskov
On 26/11/19 11:52 am, Alex Rousskov wrote:
> On 11/25/19 1:53 PM, James Moe wrote:
>
>> I have narrowed the problem space. The issue occurs only with https:, and not
>> always. Most sites timeout, others (partially) load after a delay of 5 - 20 seconds.
>> The delay never occurs for non-secure traffic.
>
> After the timeout and client-to-Squid connection closure, is there a
> corresponding CONNECT record in access.log?
>

If not, double-check that the traffic is actually going to the Squid you
think it is (that may require one or more packet traces). There have
been a few cases in the past where it turned out sometimes traffic was
going to a proxy it was not supposed to.


Amos
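Alex asks whether a CONNECT record shows up in access.log after the timeout, and Amos adds that its absence may mean the traffic never reached this Squid. The added example below (mine, not from the thread or the Squid project) scans access.log lines in Squid's default "squid" log format for CONNECT records that ended in a server error after roughly the configured `connect_timeout` of 2 minutes, and notes whether the peer Squid tried was an IPv4 or IPv6 address. The sample log lines are constructed; the format assumed is the default native one (time, elapsed ms, client, code/status, bytes, method, URL, user, hierarchy/peer, type).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in Squid's default "squid" access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1574712000.101   1834 192.168.69.115 TCP_TUNNEL/200 5120 CONNECT example.net:443 - HIER_DIRECT/93.184.216.34 -
1574712005.212 120003 192.168.69.115 TCP_MISS/503 0 CONNECT dx.doi.org:443 - HIER_DIRECT/2606:4700:20::681a:9ed -
1574712130.345 119998 192.168.69.115 TCP_MISS/503 0 CONNECT dx.doi.org:443 - HIER_DIRECT/2606:4700:20::681a:9ed -
1574712140.456    210 192.168.69.115 TCP_MISS/200 8421 GET http://example.net/ - HIER_DIRECT/93.184.216.34 text/html
"""

# connect_timeout is 2 minutes in the squid.conf posted above; allow some jitter.
CONNECT_TIMEOUT_MS = 120_000
TOLERANCE_MS = 2_000

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)/(\d{3})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)/(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one native-format record into a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, elapsed, client, code, status, _, method, url, _, _, peer, _ = m.groups()
    return {"elapsed_ms": int(elapsed), "client": client, "code": code,
            "status": int(status), "method": method, "url": url, "peer": peer}


def peer_family(peer):
    """'v4' or 'v6' for an address in the hierarchy field, 'none' for '-' or a hostname."""
    try:
        return "v%d" % ipaddress.ip_address(peer).version
    except ValueError:
        return "none"


def connect_timeouts(text):
    """CONNECT records that ended with a 5xx after about connect_timeout: proof that
    Squid received the request and gave up on the TCP tunnel. Returns
    {destination: {"count": n, "families": {"v4"/"v6"/"none"}}}."""
    found = defaultdict(lambda: {"count": 0, "families": set()})
    for rec in map(parse_line, text.splitlines()):
        if rec is None or rec["method"] != "CONNECT" or rec["status"] < 500:
            continue
        if abs(rec["elapsed_ms"] - CONNECT_TIMEOUT_MS) > TOLERANCE_MS:
            continue
        entry = found[rec["url"]]
        entry["count"] += 1
        entry["families"].add(peer_family(rec["peer"]))
    return dict(found)
```

An empty result for a destination the browser reported as timing out is the case Amos describes: the request was not handled by this Squid at all, and a packet trace is the next step.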