Squid keeps using ipv6 using ssl_bump

Squid keeps using ipv6 using ssl_bump

masterx81

Hi!

I’ve been using squid for a long time; as my network isn’t IPv6 enabled, I’ve disabled it in squid using

dns_v4_first on

tcp_outgoing_address 0.0.0.0 all


and on the interface network script on centos

IPV6INIT=no


With this configuration, all worked fine for a long time with squid 3.5.23.

But on Friday I updated the squid/squid helpers packages (now I’m at 3.5.27), and I’ve enabled ssl_bump with the following lines:

ssl_bump none localhost


ssl_bump stare

ssl_bump bump all


http_port 8080 ssl-bump cert=/etc/squid/certificate.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB


And now, on a few sites (including https://wiki.squid-cache.org/), it tries to open with IPv6 and gives the following error:

Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.


I’ve tried disabling ssl_bump (using only the “http_port 8080” statement) and all works as before.

For now I’ve “fixed” it using the following lines:

acl no_ssl_interception dstdomain .squid-cache.org

ssl_bump none no_ssl_interception


on the problematic websites.

How can I get rid of the IPv6??

Thanks!


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Squid keeps using ipv6 using ssl_bump

Amos Jeffries
Administrator
On 23/04/18 20:27, Enrico Michieletti wrote:
> Hi!
>
> I’m using squid from long time, as my network isn’t ipv6 enabled, I’ve
> disabled it in squid using
>
> dns_v4_first on
>

That directive means it tries IPv4 *first*, not "only".

If *all* attempts fail the last one tried will naturally be an IPv6
whenever the server has support for both v4 (tried first) and v6 (tried
last).


> tcp_outgoing_address 0.0.0.0 all
>

This does nothing by itself but waste CPU. Outgoing address is separated
by protocol, so the above only says "use default address for all
IPv4-only traffic".

>
> and on the interface network script on centos
>
> IPV6INIT=no
>

This does not prevent servers and clients outside your machine
supporting or trying to use IPv6. All it will do is break traffic going
through your proxy machine.

What you should really do is enable IPv6 and use firewall rules to block
the traffic you do not want to go through, whether that is "all IPv6" or
something better suited to your clients' needs.

Amos
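The two points Amos makes above (dns_v4_first only orders the candidate addresses, so a failure report naturally names the last one tried, an IPv6 address; and tcp_outgoing_address is chosen per address family) are easier to see in a small model. This is an added illustration written for this thread, not Squid's own code; the DNS answers and rule table are constructed.

```python
"""Model of v4-first candidate ordering and per-family outgoing address.

Added example, not Squid's code. It mimics the behaviour described in the
thread: dns_v4_first sorts IPv4 before IPv6 but removes nothing, and the
error message names whichever address was tried LAST.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed DNS answers for a dual-stack host (documentation ranges).
ANSWERS = ["203.0.113.10", "203.0.113.11", "2001:db8::1"]

# Constructed tcp_outgoing_address table keyed by IP version, as in the
# thread: "0.0.0.0" applies to IPv4 destinations only.
OUTGOING_RULES: Dict[int, str] = {4: "0.0.0.0"}


def order_candidates(answers: Iterable[str], v4_first: bool = True) -> List[str]:
    """Return the order in which addresses would be tried.

    With v4_first, IPv4 answers come before IPv6 ones; nothing is dropped,
    which is exactly why "first" is not "only".
    """
    addrs = [ipaddress.ip_address(a) for a in answers]
    v4 = [str(a) for a in addrs if a.version == 4]
    v6 = [str(a) for a in addrs if a.version == 6]
    return v4 + v6 if v4_first else v6 + v4


def outgoing_address(dest: str, rules: Dict[int, str]) -> Optional[str]:
    """Pick the outgoing address for a destination by its address family.

    A rule given for 0.0.0.0 says nothing about IPv6 destinations, so the
    lookup returns None for them (the daemon would fall back to defaults).
    """
    return rules.get(ipaddress.ip_address(dest).version)


def connect_all(candidates: List[str], reachable: Iterable[str]) -> Tuple[Optional[str], Optional[str]]:
    """Try candidates in order; return (address that worked, last address tried)."""
    reachable = set(reachable)
    last: Optional[str] = None
    for addr in candidates:
        last = addr
        if addr in reachable:
            return addr, last
    return None, last


def failed_connection_report(reachable: Iterable[str]) -> str:
    """Build the message a user would see: on total failure it names the LAST
    candidate, which under v4-first ordering is the IPv6 one."""
    ok, last = connect_all(order_candidates(ANSWERS), reachable)
    return f"connected to {ok}" if ok else f"Connection to {last} failed."
```

Run `failed_connection_report(set())` to see the IPv6 address surface in the error even though IPv4 was tried first; pass a reachable IPv4 address and the v6 candidate is never reached.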
Re: Squid keeps using ipv6 using ssl_bump

masterx81
But why did those 2 directives (tcp_outgoing_address and dns_v4_first;
dns_v4_first alone wasn't working) fix my problem some time ago with squid
always trying to use IPv6? I never had any problem with IPv6 after that.
Until now...

And why do I NOW have problems with IPv6 on some sites (for example
https://wiki.squid-cache.org) only with ssl_bump?

My router doesn't support IPv6 either...
The DNS servers configured in CentOS are IPv4 only (and nslookup
returns only IPv4 addresses). Where is squid getting that IPv6 address???

Thank you!



Re: Squid keeps using ipv6 using ssl_bump

Amos Jeffries
Administrator
On 23/04/18 23:10, masterx81 wrote:
> But why with that 2 directives (tcp_outgoing_address and dns_v4_first,
> dns_v4_first alone wasn't working) time ago fixed my problem with squid
> trying always to use ipv6? Never had any problem with ip-v6 after that.
> Until now...

What changed anywhere on the Internet? These are both directives very
much subject to external environment behaviour.

>
> And, why NOW i have problems with ipv6 with some sites (for example
> https://wiki.squid-cache.org) only with ssl_bump?

Something changed.

> My router doesn't either support IP-v6...
> The dns servers configured in centos are ip-v4 only (and with nslookup
> returns only ip-v4 addresses). Where squid is getting that ip-v6 address???

From the traffic itself, or from some other DNS server it knows about
that you have not hobbled to partial service.

Amos
Re: Squid keeps using ipv6 using ssl_bump

masterx81
I've tried commenting out the "tcp_outgoing_address 0.0.0.0 all" directive as
you suggested, and actually all works as it should. I don't know why in the past
I had to add it.
For now, only one site has problems with ssl_bump and IPv6, and it's
wiki.squid-cache.org (quite hilarious). If I bump it I get the IPv6 error;
if I add it to the ssl_bump none ACL it goes via the IPv4 route normally.
I was afraid that it wasn't the only one, but so far I've not had any other
complaints from users.
Strange. For now I'll not intercept it and the problem is solved.
Really, thanks for the support!



