Ipv6 error

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Ipv6 error

erdosain9
Hi.
Im getting this kind of error:

------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

    Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
-------------------------------------------------------------------------------------------

So, i want disable ipv6 (because now i cant config ipv6 in my net).
Squid is on a Centos7.

I found this command:
tcp_outgoing_address

but, have this error when i wrote it on squid.conf

2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 19 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 28 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address


Im using this command to, for authenticate

external_acl_type i-full ipv4 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]
external_acl_type i-limitado ipv4 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g [hidden email]

(I mean the ipv4 command).

What can i do??

Thanks to all,
and sorry for my bad english.






--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Ipv6 error

Amos Jeffries
Administrator
On 10/10/17 02:14, erdosain9 wrote:

> Hi.
> Im getting this kind of error:
>
> ------------------------------------------------------------------------------------------
> The following error was encountered while trying to retrieve the URL:
> https://wiki.squid-cache.org/*
>
>      Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
>
> The system returned: (101) Network is unreachable
>
> The remote host or network may be down. Please try the request again.
> -------------------------------------------------------------------------------------------
>
> So, i want disable ipv6 (because now i cant config ipv6 in my net).
> Squid is on a Centos7.

Configure your machine without any IPv6 routes and setup the firewall to
reject IPv6 traffic. Squid will handle the rest automatically as long as
ICMP is working properly.

Note that the error page you got shows the *last* destination to be
tried and fail. All the others have to fail first - both IPv6 and IPv4.

So for this to show an IPv6 it means the site is IPv6-only or you
configured "dns_v4_first on" so the last destination on Squids list was
an IPv6 instead of an IPv4.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Ipv6 error

erdosain9
this is weird.

This just happend to me with that web... i mean, with
https://wiki.squid-cache.org/ (not with google, not with facebook).

But the weird is that if i go trough a authenticate machine for ip, i
receive that ipv6. but if i go throug a authenticate kerberos machine i get
this net::err cert common name invalid.
?????

so, you tell me i config in iptables to reject ipv6 traffic??




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Ipv6 error

Amos Jeffries
Administrator
On 10/10/17 05:46, erdosain9 wrote:
> this is weird.
>
> This just happend to me with that web... i mean, with
> https://wiki.squid-cache.org/ (not with google, not with facebook).
>
> But the weird is that if i go trough a authenticate machine for ip, i
> receive that ipv6. but if i go throug a authenticate kerberos machine i get
> this net::err cert common name invalid.
> ?????

"net::err" is not something from Squid. Looks more like a Chrome error.

Which exact version of Squid is this?

>
> so, you tell me i config in iptables to reject ipv6 traffic??
>

For each table you expect traffic to be going through:

  ip6tables -t INPUT -I 1 PREROUTING -j REJECT
  ip6tables -t FORWARD -I 1 PREROUTING -j REJECT
  ip6tables -t OUTPUT -I 1 PREROUTING -j REJECT

(been a while, that might be '-I 0' instead of 1).

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Ipv6 error

erdosain9
Ok, thats a error from chrome.

Another thing with just that web, that if i disable dns_ipv4_first.

I get this:
----------------------------------------------------------------------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

    Failed to establish a secure connection to 104.130.201.120

The system returned:

    (71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

    SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's
Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied with
the host security credentials.
-----------------------------------------------------------------------------------------------------------------------------------------------------------

AND, if i reload the web, then again this,

----------------------------------------------------------------------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

    Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
----------------------------------------------------------------------------------------------------------------------------------------------------------

First a certificate problem (with ipv4) and later that problem in ipv6...



So i put this and all have to work (or -I 0)
  ip6tables -t INPUT -I 1 PREROUTING -j REJECT
  ip6tables -t FORWARD -I 1 PREROUTING -j REJECT
  ip6tables -t OUTPUT -I 1 PREROUTING -j REJECT

Thanks.



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Ipv6 error

erdosain9
Sorry, but, the problem with the certificate is a problem from the web?? i
mean, is not a problem of "my squid".
So better i exclude that web... but, so strange, squid webpage wiki with
problem in certificate???



--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Reply | Threaded
Open this post in threaded view
|

Re: Ipv6 error

Amos Jeffries
Administrator
On 11/10/17 02:26, erdosain9 wrote:
> Sorry, but, the problem with the certificate is a problem from the web?? i
> mean, is not a problem of "my squid".
> So better i exclude that web... but, so strange, squid webpage wiki with
> problem in certificate???
>

It is either your browser or the LetsEncrypt software being broken again
(it has failed to fetch new certs a few times now).

I am forwarding your last mail to our NOC so someone can check it again.

Amos
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users