Ipv6 error


Ipv6 error

erdosain9
Hi.
I'm getting this kind of error:

------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

    Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
-------------------------------------------------------------------------------------------

So, I want to disable IPv6 (because right now I can't configure IPv6 in my network).
Squid is on CentOS 7.

I found this command:
tcp_outgoing_address

but I have this error when I write it in squid.conf:

2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 19 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 28 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address


I'm also using this command, for authentication:

external_acl_type i-full ipv4 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
external_acl_type i-limitado ipv4 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]

(I mean the ipv4 command).

What can I do?

Thanks to all,
and sorry for my bad English.

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Ipv6 error

Amos Jeffries
Administrator
On 10/10/17 02:14, erdosain9 wrote:

> Hi.
> Im getting this kind of error:
>
> ------------------------------------------------------------------------------------------
> The following error was encountered while trying to retrieve the URL:
> https://wiki.squid-cache.org/*
>
>      Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
>
> The system returned: (101) Network is unreachable
>
> The remote host or network may be down. Please try the request again.
> -------------------------------------------------------------------------------------------
>
> So, i want disable ipv6 (because now i cant config ipv6 in my net).
> Squid is on a Centos7.

Configure your machine without any IPv6 routes and set up the firewall to
reject IPv6 traffic. Squid will handle the rest automatically as long as
ICMP is working properly.

Note that the error page you got shows the *last* destination to be
tried and fail. All the others have to fail first - both IPv6 and IPv4.

So for this to show an IPv6 it means the site is IPv6-only or you
configured "dns_v4_first on" so the last destination on Squid's list was
an IPv6 instead of an IPv4.

Amos

Re: Ipv6 error

erdosain9
This is weird.

This just happened to me with that site... I mean, with
https://wiki.squid-cache.org/ (not with Google, not with Facebook).

But the weird thing is that if I go through a machine authenticated by IP, I
receive that IPv6 error, but if I go through a Kerberos-authenticated machine I get
this net::err cert common name invalid.
?????

So, you are telling me to configure iptables to reject IPv6 traffic?


Re: Ipv6 error

Amos Jeffries
Administrator
On 10/10/17 05:46, erdosain9 wrote:
> this is weird.
>
> This just happend to me with that web... i mean, with
> https://wiki.squid-cache.org/ (not with google, not with facebook).
>
> But the weird is that if i go trough a authenticate machine for ip, i
> receive that ipv6. but if i go throug a authenticate kerberos machine i get
> this net::err cert common name invalid.
> ?????

"net::err" is not something from Squid. Looks more like a Chrome error.

Which exact version of Squid is this?

>
> so, you tell me i config in iptables to reject ipv6 traffic??
>

For each table you expect traffic to be going through:

  ip6tables -I INPUT 1 -j REJECT
  ip6tables -I FORWARD 1 -j REJECT
  ip6tables -I OUTPUT 1 -j REJECT

(been a while, that might be '-I 0' instead of 1).

Amos

Re: Ipv6 error

erdosain9
OK, that's an error from Chrome.

Another thing with just that site: if I disable dns_ipv4_first,

I get this:
----------------------------------------------------------------------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

    Failed to establish a secure connection to 104.130.201.120

The system returned:

    (71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's
Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied with
the host security credentials.
-----------------------------------------------------------------------------------------------------------------------------------------------------------

AND, if I reload the page, then again this:

----------------------------------------------------------------------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

    Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
----------------------------------------------------------------------------------------------------------------------------------------------------------

First a certificate problem (with IPv4) and later that problem with IPv6...



So I put this and everything should work (or -I 0):
  ip6tables -I INPUT 1 -j REJECT
  ip6tables -I FORWARD 1 -j REJECT
  ip6tables -I OUTPUT 1 -j REJECT

Thanks.




Re: Ipv6 error

erdosain9
Sorry, but is the problem with the certificate a problem with the website? I
mean, it is not a problem of "my Squid".
So it's better if I exclude that site... but, so strange, the Squid wiki webpage
with a certificate problem???




Re: Ipv6 error

Amos Jeffries
Administrator
On 11/10/17 02:26, erdosain9 wrote:
> Sorry, but, the problem with the certificate is a problem from the web?? i
> mean, is not a problem of "my squid".
> So better i exclude that web... but, so strange, squid webpage wiki with
> problem in certificate???
>

It is either your browser or the LetsEncrypt software being broken again
(it has failed to fetch new certs a few times now).

I am forwarding your last mail to our NOC so someone can check it again.

Amos

Re: Ipv6 error

Schroeffu
I have experienced today exactly the same issue with Squid 4.4 for
this URL: https://bugs.squid-cache.org/index.cgi
(but not https://wiki.squid-cache.org/*, that one works)

Error Message from Squid:

The following error was encountered while trying to retrieve the URL:
https://bugs.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The system returned: (101) Network is unreachable

It is not only an IPv6-related issue. It happens to me when denying any request
via the proxy without authentication like this:

acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all

You will see in the access log that Squid is trying to hit
http://cert.int-x3.letsencrypt.org/ directly with 407 (not authenticated). I
am so confused, why is it doing that and why is it not authenticating?

1541623232.530      0 - TCP_DENIED/407 3619 GET
http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
1541623232.530    245 172.16.5.15 NONE/200 0 CONNECT
bugs.squid-cache.org:443 xxxx
HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
1541623232.546      0 172.16.5.15 NONE/503 4940 GET
https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html

So I added another ACL on top in squid.conf to whitelist *.letsencrypt.org
without authentication and bam, the website
https://bugs.squid-cache.org/index.cgi is opening now:

acl white_regexp url_regex -i
"/etc/squid/domains_whitelist_regex_without_authentification.acl"
http_access allow white_regexp

Content:
\.letsencrypt\.org

I think somebody should track this, it is so weird! Why does it happen on
https://bugs.squid-cache.org/index.cgi and how is that letsencrypt related?
I have no problems with any other letsencrypt-secured domains and also none
on any site providing IPv4/IPv6 at the same time (Google/Facebook). But yes,
my proxy also can *not* speak IPv6, if that is something related to
letsencrypt?
More specs:
- ssl bump active
- icapcan active
- ntlm and basic auth active
- dns_v4_first on/off doesn't matter/doesn't change anything.




Re: Ipv6 error

Alex Rousskov
On 11/7/18 1:54 PM, Schroeffu wrote:
> I have had today experienced today exactly the same issue with Squid 4.4 for
> this URL: https://bugs.squid-cache.org/index.cgi

> Error Message from Squid:
>
> The following error was encountered while trying to retrieve the URL:
> https://bugs.squid-cache.org/*
> Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
> The system returned: (101) Network is unreachable
>
> It is not only IPv6 related issue. It happens to me when denying any request
> via proxy without authentification like this:
>
> acl Authenticated_Users proxy_auth REQUIRED
> http_access deny !Authenticated_Users all


For most modern Squids, this http_access policy is, IMO, incorrect
because it blocks internally-generated requests, such as requests for
missing intermediate certificates. Please adjust your configuration to
allow those requests (if you want them to be allowed).

[rant]It could be argued that Squid should automatically allow
internally-generated requests, but I do not think that would be a good
approach, despite the inconveniences/problems caused by the current
"apply standard http_access rules" approach.[/rant]

N.B. There is no need to say "all" after another ACL in a rule. It is
like adding "and true" to some boolean statement -- it adds no value and
creates noise/overheads.


> You will see in the access log Squid is trying to hit
> http://cert.int-x3.letsencrypt.org/ directly with 407 (not authenticated), i
> am so confused, why is it doing that and why is it not authenticating?

I suspect Squid is requesting a missing intermediate certificate for
some letsencrypt-issued origin certificate. This is "normal" -- some
https sites do not send all of the intermediate x509 certificates, and
modern Squids request them automatically instead of failing certificate
validation.

Squid is not "trying to hit letsencrypt.org with 407". HTTP 407 is a
response status code, not a part of the request. That error response is
probably generated by Squid (not letsencrypt.org); its existence and its
status code are determined/caused by your own http_access settings -- it
is your Squid that is denying the internal request, not letsencrypt.org.

HTH,

Alex.


> 1541623232.530      0 - TCP_DENIED/407 3619 GET
> http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
> 1541623232.530    245 172.16.5.15 NONE/200 0 CONNECT
> bugs.squid-cache.org:443 xxxx
> HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
> 1541623232.546      0 172.16.5.15 NONE/503 4940 GET
> https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html

> Why it happens on
> https://bugs.squid-cache.org/index.cgi and how is that letsencrypt related?
> I have no problems with any other letsencrypt secured domains and also not
> on any site providing ipv4/ipv6 at the same time (Google/Facebook). But yes,
> also my Proxy can *not*speech ipv6, if that is something related with
> letsencrypt?
> more specs:
> - ssl bump active
> - icapcan active
> - ntlm and basic auth active
> - dns_v4_first on/off doen't matter/doesnt change anything.



Re: Ipv6 error

Schroeffu
Hello and thanks for your explanation.
What kind of ACL would then match "all squid internal requests" to allow without authentication?

> For most modern Squids, this http_access policy is, IMO, incorrect
> because it blocks internally-generated requests, such as requests for
> missing intermediate certificates. Please adjust your configuration to
> allow those requests (if you want them to be allowed).

I found another site missing the intermediate in their CA bundle, the same issue:

1541663927.195 0 - TCP_DENIED/407 3752 GET
http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/-
text/html;charset=utf-8
1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx
HIER_DIRECT/136.146.11.219 -
1541663927.210 0 172.16.5.15 NONE/503 5471 GET
https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html

Just commenting out the following line does resolve the problem:

acl Authenticated_Users proxy_auth REQUIRED
#http_access deny !Authenticated_Users all

but I still need the requirement that users have to authenticate themselves (but excluding Squid-internal requests). So, what kind of ACL does catch Squid-internal requests for !whitelist_squid_internal_requests then? For example:

acl Authenticated_Users proxy_auth REQUIRED
acl whitelist_squid_internal_requests ????
http_access deny !Authenticated_Users !whitelist_squid_internal_requests all

Re: Ipv6 error

Alex Rousskov
On 11/8/18 1:32 AM, [hidden email] wrote:

> What kind of ACL would then match "all squid internal requests" to allow without authentification?

transaction_initiator internal

Alex.

Re: Ipv6 error

Amos Jeffries
Administrator
In reply to this post by Schroeffu
On 8/11/18 9:32 PM, [hidden email] wrote:

> Hello and thanks for your explanation.
> What kind of ACL would then match "all squid internal requests" to allow without authentification?
>
>> For most modern Squids, this http_access policy is, IMO, incorrect
>> because it blocks internally-generated requests, such as requests for
>> missing intermediate certificates. Please adjust your configuration to
>> allow those requests (if you want them to be allowed).
>
> I found another Site missing the Intermediate in their cabundle, the same issue:
>
> 1541663927.195 0 - TCP_DENIED/407 3752 GET
> http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/-
> text/html;charset=utf-8
> 1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx
> HIER_DIRECT/136.146.11.219 -
> 1541663927.210 0 172.16.5.15 NONE/503 5471 GET
> https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html
>
> Just comment out the following line does resolve the problem
>
> acl Authenticated_Users proxy_auth REQUIRED
> #http_access deny !Authenticated_Users all
>
> but I still need the requirement that users have to auth themselv

FYI: By placing that "all" ACL (or any other non-authentication ACL) at
the end of your access line you are currently making Squid *not* fetch
credentials from users.

If the UA/Browser is so insecurely configured that it broadcasts user
credentials out to the network without being asked for them your above
config would _appear_ to work, but that insecurity is a different
problem on its own.

Amos

Re: Ipv6 error

Schroeffu
> FYI: By placing that "all" ACL (or any other non-authentication ACL) at
> the end of your access line you are currently making Squid *not* fetch
> credentials from users.
>
> If the UA/Browser is so insecurely configured that it broadcasts user
> credentials out to the network without being asked for them your above
> config would _appear_ to work, but that insecurity is a different
> problem on its own.
>
> Amos

Oh OK, I see, thanks, I will change that of course.

> transaction_initiator internal
>
> Alex.

Perfect, that's the ACL I was looking for, I didn't know that it existed.
So I changed my configuration and finally it now fetches the intermediate certificates before authentication is required:

#Allow fetch intermediate certs before required authentication
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

#Authentication is REQUIRED
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

It also does cache them, as described here:
http://lists.squid-cache.org/pipermail/squid-dev/2017-June/008800.html

Example Log:

1541752564.411      0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702      2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834    421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
1541752567.031   2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html
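As an added example (not code from the thread or from the Squid project), a small Python triage script for the situation Alex describes and Schroeffu's before/after logs show: it parses native access.log lines, picks out Squid's own requests (client address "-") that http_access denied, and pairs each with the client CONNECT it was serving. The two log samples are constructed from the lines posted in this thread; the 10-field native format and the 2-second correlation window are assumptions.

```python
"""Triage Squid access.log lines for denied internally-generated requests.

Squid logs its own requests (e.g. fetching a missing intermediate cert) with
"-" as client address; when http_access denies them, the CONNECT they served
fails shortly after.  Both samples are constructed from lines in the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: policy "http_access deny !Authenticated_Users all".
BROKEN_LOG = """\
1541623232.530      0 - TCP_DENIED/407 3619 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
1541623232.530    245 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
1541623232.546      0 172.16.5.15 NONE/503 4940 GET https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html
"""
# Constructed sample: after "http_access allow fetched_certificate".
FIXED_LOG = """\
1541752564.411      0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702      2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834    421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
"""

@dataclass
class Entry:
    ts: float      # request completion time, seconds since epoch
    client: str    # client address, "-" for Squid-initiated requests
    code: str      # Squid result code, e.g. TCP_DENIED, TCP_MEM_HIT
    status: int    # HTTP status returned to the requester
    method: str
    url: str

def parse_native(line: str) -> Optional[Entry]:
    """Parse one line of Squid's default ("squid") access.log format:
    time elapsed client code/status bytes method url user hier/peer type."""
    f = line.split()
    if len(f) != 10:
        return None
    code, _, status = f[3].partition("/")
    return Entry(float(f[0]), f[2], code, int(status), f[5], f[6])

def internal_requests(log: str) -> List[Entry]:
    """Requests Squid generated itself: the client-address field is "-"."""
    return [e for e in map(parse_native, log.splitlines()) if e and e.client == "-"]

def denied_internal(log: str) -> List[str]:
    """URLs of Squid's own requests that http_access rejected."""
    return [e.url for e in internal_requests(log)
            if e.code == "TCP_DENIED" or e.status in (401, 403, 407)]

def correlate(log: str, window: float = 2.0) -> List[Tuple[str, str]]:
    """Pair each denied internal fetch with the client CONNECT it was serving,
    i.e. the origin whose certificate chain is missing an intermediate."""
    entries = [e for e in map(parse_native, log.splitlines()) if e]
    pairs = []
    for cert in entries:
        if cert.client != "-" or cert.code != "TCP_DENIED":
            continue
        for con in entries:
            if con.method == "CONNECT" and con.client != "-" and abs(con.ts - cert.ts) <= window:
                pairs.append((cert.url, con.url))
                break
    return pairs
```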