How to make squid use ipv4 only for connecting to websites


How to make squid use ipv4 only for connecting to websites

Robert Senger
Hi there,

I am running squid on a dual stacked host. Both ipv4 and ipv6
connectivity are fully functional.

Now there's a group of clients that should be configured to load
websites via ipv4 only.

  acl proxy-extra localip fd10:96e4:b552::43
  acl proxy-extra localip 172.16.4.243

I know there's an acl that can be used to identify ipv6 destinations.

  acl to_ipv6 dst ipv6

I tried to block outgoing ipv6 with
 
  always_direct deny to_ipv6

but that makes dual stacked websites completely unreachable, no
fallback etc.

The only way I found so far is to set an invalid ipv6 outgoing address:

  tcp_outgoing_address fd20::1  proxy-extra
  tcp_outgoing_address 172.16.4.244 proxy-extra

where fd20::1 simply does not exist on the host system.

This shows the results I want when browsing to test sites like
http://ipv6-test.com (ipv4 connectivity only).

But I am not sure if setting invalid addresses is really desirable...

So, is there a better / more elegant way to tell squid to use ipv4 only
when serving requests for certain clients?

Thanks,

Robert

 
--
Robert Senger


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: How to make squid use ipv4 only for connecting to websites

Alex Rousskov
On 10/18/19 10:17 AM, Robert Senger wrote:

> there's a group of clients that should be configured to load
> websites via ipv4 only.

> The only way I found so far is to set an invalid ipv6 outgoing address:
>
>   tcp_outgoing_address fd20::1  proxy-extra
>   tcp_outgoing_address 172.16.4.244 proxy-extra
>
> where fd20::1 simply does not exist on the host system.
>
> This shows the results I want when browsing to test sites like
> http://ipv6-test.com (ipv4 connectivity only).

Glad you found a workaround!


> But I am not sure if setting invalid addresses is really desirable...

It is not. I have not checked, but I would expect that Squid master/v5
(at least) will try to use that invalid outgoing address (and fail).
Needless to say, such futile attempts waste time and other resources.
They may also lead to misleading user-visible errors.


> So, is there a better / more elegant way to tell squid to use ipv4 only
> when serving requests for certain clients?

tcp_outgoing_address is not meant for prohibiting destinations. I think
Squid should support use cases like yours explicitly: We should add a
new directive that only applies to direct destinations selected by the
existing peer selection algorithms:

    acl to_ipv6 dst ipv6
    direct_access deny to_ipv6 proxy-extra

I also considered extending cache_peer_access to apply to direct
destinations, but rejected that idea because we want to preserve
existing checks for cache_peer names in cache_peer_access and because
applying a directive called "cache_peer..." to direct connections is
unexpected/confusing.

We could also add a new ACL-driven directive to prohibit A or AAAA DNS
queries for certain names:

    dns_query_access AAAA deny proxy-extra

Using dns_query_access would save DNS resources in your use case, but
direct_access would cover a lot more use cases because it is a lot more
precise/selective (and not subject to DNS caching concerns).

Perhaps both directives should be added.


Quality pull requests or their sponsorship welcomed:
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F


Cheers,

Alex.
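A small configuration check for the footgun Alex describes, added here as an example and not code from the thread or from Squid itself: it parses tcp_outgoing_address lines from a squid.conf excerpt (constructed from Robert's workaround) and flags any outgoing address the host does not actually carry. The host address list is a constructed assumption; in practice you would collect it from the interfaces of the proxy host.

```python
"""Lint tcp_outgoing_address entries in a squid.conf against the host's
real addresses. An outgoing address that no interface carries (fd20::1
in the thread) is not an IPv6 "off switch": Squid may still pick it,
fail to bind/connect, and surface a misleading error to the user."""
import ipaddress

# Constructed squid.conf excerpt reproducing the workaround from the thread.
SQUID_CONF = """\
acl proxy-extra localip fd10:96e4:b552::43
acl proxy-extra localip 172.16.4.243
acl to_ipv6 dst ipv6
tcp_outgoing_address fd20::1  proxy-extra   # bogus on purpose
tcp_outgoing_address 172.16.4.244 proxy-extra
"""

# Constructed assumption: addresses actually configured on the proxy host.
HOST_ADDRS = {"172.16.4.243", "172.16.4.244", "fd10:96e4:b552::43"}


def parse_outgoing(conf_text):
    """Return (address, [acl names]) for every tcp_outgoing_address line."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "tcp_outgoing_address" and len(parts) >= 2:
            entries.append((parts[1], parts[2:]))
    return entries


def find_bogus_outgoing(conf_text, host_addrs):
    """Flag outgoing addresses that are unparseable or not local to the host.
    Each finding is (address, acl names, reason)."""
    local = {ipaddress.ip_address(a) for a in host_addrs}
    findings = []
    for addr, acls in parse_outgoing(conf_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, acls, "unparseable address"))
            continue
        if ip not in local:
            findings.append((addr, acls, f"not a local IPv{ip.version} address"))
    return findings


if __name__ == "__main__":
    for addr, acls, reason in find_bogus_outgoing(SQUID_CONF, HOST_ADDRS):
        print(f"tcp_outgoing_address {addr} ({' '.join(acls)}): {reason}")
```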