Hello, Flashdown,
As you can see in your access.log, your client tried to connect not to a
DNS hostname but directly to IPv6 address:
1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407
4129 CONNECT *[ff00::]:443* - HIER_NONE/- text/html
So, I suppose that your DNS configuration changes will not eliminate the
client requests to *[ff00::]:443*
But I believe that enabling IPv6 will prevent your squid crushes.
Kind regards,
Ankor.
вт, 19 сент. 2023 г. в 19:04, Flashdown <flashd...@data-core.org>:
> Thank you Alex for confirming this and all the hints given.
>
> I have taken another path to fix this. I have configured the dns
> forwarders that squid is configured to use, to not give out any AAAA
> responses. After that I have enabled IPv6 on this box to completly avoid
> this bug. Thank you!
>
> ---
> Best regards,
> Flashdown
>
> Am 2023-09-14 16:11, schrieb Alex Rousskov:
> > On 2023-09-14 07:02, Flashdown wrote:
> >
> >> Sep 14 08:55:06 vm-myproxy squid[79100]: Squid Parent: squid-2 process
> >> 80675 exited due to signal 6 with status 0
> >
> >> 1694674498.411 9 **CENSORED_internal_client_IP** TCP_DENIED/407
> >> 4129 CONNECT [ff00::]:443 - HIER_NONE/- text/html
> >
> >> IPv6 is disabled via sysctl config "net.ipv6.conf.all.disable_ipv6=1"
> >
> >
> > Your Squid is most likely suffering (among other v5 bugs) from Squid
> > Bug 5154: https://bugs.squid-cache.org/show_bug.cgi?id=5154
> >
> > To confirm, enable core dumps and look for a gdb backtrace sequence
> > similar to the one posted in the above bug report:
> >
> > * in __assert_fail
> > * in Ip::Address::getAddrInfo(addrinfo*&, int) const
> > * in comm_openex(int, int, Ip::Address&, int, char const*)
> >
> > The best known way to prevent bug 5154 is to enable IPv6 support. If
> > that is not feasible in your environment, then please keep reading.
> >
> >
> > Squid bug 5154 has an unofficial but, IMO, correct fix at PR 1421:
> > https://github.com/squid-cache/squid/pull/1421
> >
> > The above fix is not trivial and has side effects: For Squids that
> > cannot handle IPv6 (e.g., because IPv6 support was disabled at
> > ./configure time or is unavailable in the deployment environment), the
> > fix will, in part, reject requests with IPv6 addresses in URLs. This
> > rejection may negatively affect Squids that were "worked OK" by
> > forwarding such traffic to IPv4 ICAP servers and cache_peers (at
> > least).
> >
> > PR 1421 changes cannot be applied to Squid v5 "as is"; they have to be
> > backported. I do not have a backporting patch for virgin Squid v5.
> >
> >
> > HTH,
> >
> > Alex.
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@lists.squid-cache.org
> > https://lists.squid-cache.org/listinfo/squid-users
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
>
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
