How to definitively disable IPv6


How to definitively disable IPv6

Troiano Alessio

Hello,

I need to definitively solve the IPv6 (un)reachability issue.

I state I read this topic: http://squid-web-proxy-cache.1019090.n4.nabble.com/dns-v4-first-on-ignored-td4658427.html but did not find a solution. Amos wrote “Squid tests for IPv6 ability automatically by opening a socket on a private IP address, if that works the socket options are noted and used.”

Anyway, I disabled IPv6 on my Red Hat 7.4 with the following:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.bond0.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Used the “dns_v4_first on” and also “tcp_outgoing_address 172.31.1.x all” on squid conf to force the use of IPv4.

Anyway, Squid tries to connect to the IPv6 address instead of IPv4 and I’m not able to reach it:

C:\Users\atroiano>nslookup download.pdfforge.org
Server:  espevmdxxxx.xxxx.prv
Address:  172.x.x.x

Risposta da un server non autorevole:
Nome:    download.pdfforge.org
Addresses:  2001:4860:4802:38::15
          2001:4860:4802:34::15
          2001:4860:4802:32::15
          2001:4860:4802:36::15
          216.239.32.21
          216.239.38.21
          216.239.36.21
          216.239.34.21

[root@HUB-RM-PRX-03 ~]# tail -f /var/log/squid/rsa/access.log | grep pdfforge.org

%SQUID-4: 172.31.x.x 49444 [25/Jan/2019:11:02:58 +0100] "GET http://download.pdfforge.org/download/pdfcreator/PDFCreator-stable HTTP/1.1" download.pdfforge.org - - "/download/pdfcreator/PDFCreator-stable" 503 text/html 4545 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" TCP_MISS:HIER_DIRECT 2001:4860:4802:38::15 80 0

Squid doesn’t try to connect to IPv4 addresses for this site and for many others.

What can I do?

My ISP is IPv4 only.

Thank you, Regards.



The contents of this email message and any attachments are intended solely for the addressee(s) and contain confidential and/or privileged information.
If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately notify the sender and then delete this message and any attachments from your system. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. Unauthorized disclosure and/or use of information contained in this email message may result in civil and criminal liability.
This e-mail has legal value according to the applicable laws only if it is digitally signed by the sender

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to definitively disable IPv6

Bruno de Paula Larini
On 25/01/2019 08:29, Troiano Alessio wrote:
> What can I do?
>
> My ISP is IPv4 only.

I'm not completely sure but it looks more like a DNS issue than the IP binding on Squid server. But check if your 'ifcfg-ethX' has IPV6INIT=no. Also, is Squid listening on all local IPs? If yes, then try binding it on a single local IPv4 with "http_port" instead.
(this may be out of the scope of the list but...) If your DNS server on 172.x.x.x is running named, check if it has OPTIONS="-4" on sysconfig/named or if 'listen-on-v6 port 53 { ::1; };' on named.conf is commented out. If it is caching, clean it too just to be sure.

-Bruno


Re: How to definitively disable IPv6

Troiano Alessio

Thank you Bruno for the answer.

The DNS returns both IPv6 and IPv4 addresses, but it depends on the request (A or AAAA). Squid should do both and prefer in order the IPv4 answer.

I added the IPV6INIT=no on my interface and http_port 172.31.1.68:8080, restarted squid, but same behavior.



Re: How to definitively disable IPv6

Alex Rousskov
In reply to this post by Troiano Alessio
On 1/25/19 3:29 AM, Troiano Alessio wrote:

> I need to definitively solve the IPv6 (un)reachability issue.

You can

* build Squid with --disable-ipv6

* try an experimental (and unofficial) Squid branch that implements the
TCP part of the Happy Eyeballs algorithm:
https://github.com/measurement-factory/squid/pull/3

Alex.




Re: How to definitively disable IPv6

Amos Jeffries
Administrator
In reply to this post by Troiano Alessio
On 25/01/19 11:29 pm, Troiano Alessio wrote:

> Hello,
>
> I need to definitively solve the IPv6 (un)reachability issue.
>
> I state I read this topic:
> http://squid-web-proxy-cache.1019090.n4.nabble.com/dns-v4-first-on-ignored-td4658427.html
> but did not find a solution. Amos wrote “Squid tests for IPv6 ability
> automatically by opening a socket on a private IP address, if that works
> the socket options are noted and used.”
>
> Anyway, I disabled IPv6 on my Red Hat 7.4 with the following:
>
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1
> net.ipv6.conf.bond0.disable_ipv6 = 1
> net.ipv6.conf.lo.disable_ipv6 = 1
>

IIRC there are boot options necessary so the machine kernel starts with
its IPv6 TCP stack disabled.


> Used the “dns_v4_first on” and also “tcp_outgoing_address 172.31.1.x
> all” on squid conf to force the use of IPv4.

Neither of which forces anything.

 dns_v4_first influences the sorting order of DNS results provided to
Squid's server selection logic. Services which are IPv6-only or whose
IPv4 are not working _will_ attempt to use IPv6.


  NP: Please be aware that error pages only mention the *last* error to
be encountered. With dns_v4_first you will see an IPv6 address being
mentioned as not contactable. Because all the IPv4 failed (first) then
all the IPv6 failed (last).


 tcp_outgoing_address only applies on protocols for which that address
is valid. Meaning the above only sets a particular address on IPv4
connections - it has no effect on IPv6 connections.


The only way to completely disable IPv6 is to build Squid with
--disable-ipv6.


>
> Anyway, Squid tries to connect to the IPv6 address instead of IPv4 and I’m
> not able to reach it:
>
> C:\Users\atroiano>nslookup download.pdfforge.org
> Server:  espevmdxxxx.xxxx.prv
> Address:  172.x.x.x
>
> Risposta da un server non autorevole:
> Nome:    download.pdfforge.org
> Addresses:  2001:4860:4802:38::15
>           2001:4860:4802:34::15
>           2001:4860:4802:32::15
>           2001:4860:4802:36::15
>           216.239.32.21
>           216.239.38.21
>           216.239.36.21
>           216.239.34.21
>

Are any of those IPv4 addresses able to be connected to and fetched from
by processes on the Squid machine?

The squidclient tool can be used to probe individual server/IP for
issues fetching requests.



> [root@HUB-RM-PRX-03 ~]# tail -f /var/log/squid/rsa/access.log | grep
> pdfforge.org
>
> %SQUID-4: 172.31.x.x 49444 [25/Jan/2019:11:02:58 +0100] "GET
> http://download.pdfforge.org/download/pdfcreator/PDFCreator-stable
> HTTP/1.1" download.pdfforge.org - -
> "/download/pdfcreator/PDFCreator-stable" 503 text/html 4545 "-"
> "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101
> Firefox/64.0" TCP_MISS:HIER_DIRECT 2001:4860:4802:38::15 80 0
>
> Squid doesn’t try to connect to IPv4 addresses for this site and for
> many others.
>

I suspect Squid actually is, but not telling you everything it does to
retry different destination servers / IPs before it gets to the final
failure point.

Please check the mgr:ipcache log to see what IPs Squid has known for
that domain and which ones are flagged 'B' for broken/bad/failing.

Amos
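
Added example (not part of Amos's message and not Squid code): a simplified Python model of the behaviour described above, where dns_v4_first only reorders the candidate addresses, so a report of the last error names an IPv6 address even though every IPv4 address was tried first. The function names and the simulated_connect stand-in (IPv4 dropped by a firewall, no IPv6 route) are assumptions made for illustration; Squid's own retry limits are not modelled.

```python
import ipaddress
import socket

def order_destinations(addresses, v4_first=True):
    """Model of dns_v4_first: a stable sort that only moves IPv4 ahead of IPv6."""
    if not v4_first:
        return list(addresses)
    return sorted(addresses, key=lambda a: ipaddress.ip_address(a).version)

def tcp_connect(address, port, timeout=3.0):
    """Real probe: None on success, otherwise the error text."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc) or type(exc).__name__

def try_destinations(addresses, port=80, v4_first=True, connect=tcp_connect):
    """Try candidates in order until one connects; record every attempt."""
    attempts = []
    for address in order_destinations(addresses, v4_first):
        error = connect(address, port)
        attempts.append((address, error))
        if error is None:
            break
    return attempts

def last_failure(attempts):
    """The only address a last-error-only report would name, or None."""
    if attempts and attempts[-1][1] is not None:
        return attempts[-1][0]
    return None

# Addresses copied from the nslookup output in the thread, in returned order.
PDFFORGE = [
    "2001:4860:4802:38::15", "2001:4860:4802:34::15",
    "2001:4860:4802:32::15", "2001:4860:4802:36::15",
    "216.239.32.21", "216.239.38.21", "216.239.36.21", "216.239.34.21",
]

def simulated_connect(address, port):
    """Constructed stand-in (assumption): IPv4 is dropped by a firewall and
    the IPv4-only uplink has no route for IPv6."""
    if ipaddress.ip_address(address).version == 4:
        return "timed out"
    return "network unreachable"

if __name__ == "__main__":
    attempts = try_destinations(PDFFORGE, connect=simulated_connect)
    for address, error in attempts:
        print(f"{address:<24} {error or 'connected'}")
    print("last-error-only report names:", last_failure(attempts))
```

Run on the proxy host with connect left at its default, the per-address list shows which family actually fails, which the single access.log line does not.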

Re: How to definitively disable IPv6

Amos Jeffries
Administrator
On 26/01/19 5:00 am, Amos Jeffries wrote:

> On 25/01/19 11:29 pm, Troiano Alessio wrote:
>> Hello,
>>
>> I need to definitively solve the IPv6 (un)reachability issue.
>>
>> I state I read this topic:
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/dns-v4-first-on-ignored-td4658427.html
>> but did not find a solution. Amos wrote “Squid tests for IPv6 ability
>> automatically by opening a socket on a private IP address, if that works
>> the socket options are noted and used.”
>>
>> Anyway, I disabled IPv6 on my Red Hat 7.4 with the following:
>>
>> net.ipv6.conf.all.disable_ipv6 = 1
>> net.ipv6.conf.default.disable_ipv6 = 1
>> net.ipv6.conf.bond0.disable_ipv6 = 1
>> net.ipv6.conf.lo.disable_ipv6 = 1
>>
>
> IIRC there are boot options necessary so the machine kernel starts with
> its IPv6 TCP stack disabled.
>


FWIW; the patch I made to detect and disable IPv6 inside Squid when the
::1 cannot be bound has now been merged and should be in the upcoming
v4.6 release.

If you wish to try it out before then it can be found at
<http://www.squid-cache.org/Versions/v5/changesets/squid-5-4685e7ba556dd81facf98e6a8e5503211cff3f1a.patch>


Amos

Re: How to definitively disable IPv6

Troiano Alessio
In reply to this post by Amos Jeffries
> > Anyway, Squid tries to connect to the IPv6 address instead of IPv4 and
> > I’m not able to reach it:
> >
> > C:\Users\atroiano>nslookup download.pdfforge.org
> > Server:  espevmdxxxx.xxxx.prv
> > Address:  172.x.x.x
> >
> > Risposta da un server non autorevole:
> > Nome:    download.pdfforge.org
> > Addresses:  2001:4860:4802:38::15
> >           2001:4860:4802:34::15
> >           2001:4860:4802:32::15
> >           2001:4860:4802:36::15
> >           216.239.32.21
> >           216.239.38.21
> >           216.239.36.21
> >           216.239.34.21

> Are any of those IPv4 addresses able to be connected to and fetched from by processes on the Squid machine?

> The squidclient tool can be used to probe individual server/IP for issues fetching requests.


Finally Amos you are right! The IPv4 addresses are blocked by the firewall. It is difficult to understand that, if these connections are not logged. I'll use squidclient and mgr:ipcache for future debugging.
Thank you so much!
