Squid + IPv6


Squid + IPv6

IAPS Security Services, Ltd.
Greetings All,

First time poster to the list, long time squid user.

I have an issue I've come across and I'm grateful if the community can
suggest ideas here. I've recently deployed squid for Windows from
Diladele (http://squid.diladele.com/) and they said to bring my issue to
the mail list.

Here goes:

Squid requires each individual ip to be put on the network card instead
of being permitted to use a cidr annotation for dedicated ip's. There is
a 128 ip limit for squid by default. This limit can be removed for linux
machines by re-compiling and adjusting the limits. In the ipv6
deployment that I'm trying to create, I need much more than 128 ip's.

There are no instructions, at least none that I could find in a basic
google search, on how to increase this limit on a windows deployment.
With ipv6 ip's I'm setting up individual ipv6's per squid acl's so that
users have access to specific ipv6 proxies. Only issue I have is the 128
ip limit imposed by default. Now when you have access to an ipv6 /29
range 128 usable ip's is a drop in the bucket and I'd need the ability
to have squid to use thousands of ipv6 ip addresses on demand. The first
128 work fine, but when adding the 129th, the entirety of squid
immediately stops working. The acl that I'm using looks like this:

acl ip1 myip 2axx:xxxx:285::1
tcp_outgoing_address 2axx:xxxx:285::1 ip1

acl ip2 myip 2axx:xxxx:285::2
tcp_outgoing_address 2axxxx:xxxx:285::2 ip2

How can I compile squid for windows to get around the 128 ip limit imposed?

--
Best Regards,

Jared Twyler



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
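
Hand-maintaining hundreds of `acl ... myip` / `tcp_outgoing_address` pairs like the ones in the post above invites copy-paste slips, so checking the file itself is a cheap first diagnostic. The following is an added example, not code from the thread or from the Squid project: a small Python linter that reports invalid addresses, outgoing addresses that differ from their ACL, and references to undefined ACLs. The function names and the 2001:db8:: sample addresses are made up for illustration, and it assumes one single address per ACL, as in the post.

```python
import ipaddress
import re

# Constructed sample in the shape of the posted config; 2001:db8::/32 is the
# IPv6 documentation prefix, not the poster's (redacted) range.
SAMPLE_CONF = """\
acl ip1 myip 2001:db8:285::1
tcp_outgoing_address 2001:db8:285::1 ip1
acl ip2 myip 2001:db8:285::2
tcp_outgoing_address 2001db8:285::2 ip2
acl ip3 myip 2001:db8:285::3
tcp_outgoing_address 2001:db8:285::4 ip3
tcp_outgoing_address 2001:db8:285::5 ip5
"""

# Assumption: one single address per ACL (myip, or its newer name localip).
ACL_RE = re.compile(r"^acl\s+(\S+)\s+(?:myip|localip)\s+(\S+)\s*$")
OUT_RE = re.compile(r"^tcp_outgoing_address\s+(\S+)\s+(\S+)\s*$")


def parse_ip(text):
    """Return an IPv4/IPv6 address object, or None if text is not an address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def lint_outgoing_pairs(conf_text):
    """Check acl/tcp_outgoing_address pairs; return (pair_count, problems)."""
    acls, problems, pairs = {}, [], 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = ACL_RE.match(line)
        if m:
            name, addr = m.groups()
            acls[name] = parse_ip(addr)
            if acls[name] is None:
                problems.append((lineno, f"acl {name}: invalid address {addr!r}"))
            continue
        m = OUT_RE.match(line)
        if not m:
            continue
        addr, name = m.groups()
        pairs += 1
        out_ip = parse_ip(addr)
        if out_ip is None:
            problems.append((lineno, f"invalid outgoing address {addr!r}"))
        if name not in acls:
            problems.append((lineno, f"acl {name!r} is not defined above this line"))
        elif out_ip is not None and acls[name] is not None and out_ip != acls[name]:
            problems.append((lineno, f"outgoing {out_ip} differs from acl {name} ({acls[name]})"))
    return pairs, problems
```

Calling `lint_outgoing_pairs(open(path).read())` on a real squid.conf returns the number of `tcp_outgoing_address` lines together with a list of `(line number, message)` findings.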


Re: Squid + IPv6

Walter H.
On 16.05.2017 21:21, IAPS Security Services, Ltd. wrote:
> How can I compile squid for windows to get around the 128 ip limit imposed?
>
Have you ever tried to give each network interface more than 128 IP
addresses at a time?




Re: Squid + IPv6

Eliezer Croitoru
In reply to this post by IAPS Security Services, Ltd.
Hey,
(not sure what’s your first name)

What do you actually need from squid, in words.
Do you need it as a caching proxy?
What functionality is the main business of squid in your scenario?
To give specific users ip addresses the option to use a specific outgoing address?
Do you need\want squid to enforce some policy other than the issue you are having?
If you only need to "load balance" or decide which outgoing ip will be used for a specific user source IP then there are much more efficient ways to do that these days.
Also when you are talking about "big" number of users with big numbers of connections you need to be more specific about your upper limit.
If you want it to be more than 128 but less than 1024 I would say go with squid and compile it but... when you are talking about 1k+ I would recommend you to rethink your strategy.
If you don't care about SSL-BUMP for example then there are really simple ways to write a simple proxy which will do what you need, you just need the right programmer.

All The Bests,
Eliezer

* I am really not looking for a job to write a proxy.. but just think it's a kind suggestion to redirect into some other directions.

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of IAPS Security Services, Ltd.
Sent: Tuesday, May 16, 2017 10:21 PM
To: [hidden email]
Subject: [squid-users] Squid + IPv6


Re: Squid + IPv6

IAPS Security Services, Ltd.
What I need from squid is the ability to use thousands of ipv6 ip
addresses in normal http mode. I am not concerned about https at this
point. But the original question was how to increase the ip limit of
squid past the 128 ip maximum on a Windows platform. The main purpose is
to assign a specific set of ipv6 proxies to specific users.

Best Regards,

Jared Twyler
On 5/16/2017 4:14 PM, Eliezer  Croitoru wrote:

> Hey,
> (not sure what’s your first name)
>
> What do you actually need from squid, in words.
> Do you need it as a caching proxy?
> What functionality is the main business of squid in your scenario?
> To give specific users ip addresses the option to use a specific outgoing address?
> Do you need\want squid to enforce some policy other than the issue you are having?
> If you only need to "load balance" or decide which outgoing ip will be used for a specific user source IP then there are much more efficient ways to do that these days.
> Also when you are talking about "big" number of users with big numbers of connections you need to be more specific about your upper limit.
> If you want it to be more than 128 but less than 1024 I would say go with squid and compile it but... when you are talking about 1k+ I would recommend you to rethink your strategy.
> If you don't care about SSL-BUMP for example then there are really simple ways to write a simple proxy which will do what you need, you just need the right programmer.
>
> All The Bests,
> Eliezer
>
> * I am really not looking for a job to write a proxy.. but just think it's a kind suggestion to redirect into some other directions.

Re: Squid + IPv6

Eliezer Croitoru
It's doable but I really recommend to try and run squid on Linux instead of
Windows.
It's very important that you understand that the windows version cannot be
fully supported for your specific need.
Even if you will run a Linux virtual machine on top of a windows box you will
probably have better results than trying to find a "fix" for the windows
version from this mailing list.

Specifically for the thousands of IPv6 I believe that you will need a
custom solution either by patching squid for Linux or write the right
software for your needs.

Hope It Helps,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: IAPS Security Services, Ltd. [mailto:[hidden email]]
Sent: Wednesday, May 17, 2017 12:20 AM
To: Eliezer Croitoru <[hidden email]>
Cc: [hidden email]
Subject: Re: [squid-users] Squid + IPv6


Re: Squid + IPv6

Amos Jeffries
Administrator
Holdup guys. There is no limit on tcp_outgoing_address in Squid.

So Jared;

* what did you mean by "the entirety of squid immediately stops working"
in your original mail?
   crash? errors? something else?

* what is your Windows system per-process handle limit?


Amos


Re: Squid + IPv6

Eliezer Croitoru
I think that the answers on how to re-compile squid for windows with special options might be the Diladele part of the issue.
They compile squid with mostly default and they have enough experience and knowledge on how to recompile squid to match the requirement of the thread.

I still think that it's better to run Squid on top of a linux and even in a VM on top of windows compared to squid native binary (but it's my preference).

All The Bests,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Wednesday, May 17, 2017 4:33 AM
To: [hidden email]
Subject: Re: [squid-users] Squid + IPv6
