Re: How to make squid use ipv4 only for connecting to websites

On 10/18/19 10:17 AM, Robert Senger wrote:
> there's a group of clients that should be configured to load
> websites via ipv4 only.
> The only way I found so far is to set an invalid ipv6 outgoing address:
> tcp_outgoing_address fd20::1 proxy-extra
> tcp_outgoing_address 172.16.4.244 proxy-extra
> where fd20::1 simply does not exist on the host system.
> This shows the results I want when browsing to test sites like
> http://ipv6-test.com (ipv4 connectivity only).

Glad you found a workaround!

> But I am not sure if setting invalid addresses is really desirable...

It is not. I have not checked, but I would expect that Squid master/v5
(at least) will try to use that invalid outgoing address (and fail).
Needless to say, such futile attempts waste time and other resources.
They may also lead to misleading user-visible errors.

> So, is there a better / more elegant way to tell squid to use ipv4 only
> when serving requests for certain clients?

tcp_outgoing_address is not meant for prohibiting destinations. I think
Squid should support use cases like yours explicitly: We should add a
new directive that only applies to direct destinations selected by the
existing peer selection algorithms:

I also considered extending cache_peer_access to apply to direct
destinations, but rejected that idea because we want to preserve
existing checks for cache_peer names in cache_peer_access and because
applying a directive called "cache_peer..." to direct connections is

We could also add a new ACL-driven directive to prohibit A or AAAA DNS
queries for certain names:

dns_query_access AAAA deny proxy-extra

Using dns_query_access would save DNS resources in your use case, but
direct_access would cover a lot more use cases because it is a lot more
precise/selective (and not subject to DNS caching concerns).