Discussion:
[squid-users] Ipv6 error
erdosain9
2017-10-09 13:14:40 UTC
Hi.
I'm getting this kind of error:

------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
-------------------------------------------------------------------------------------------

So, I want to disable IPv6 (because right now I can't configure IPv6 in my net).
Squid is on CentOS 7.

I found this command:
tcp_outgoing_address

but I get this error when I put it in squid.conf:

2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 19 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 28 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:07 kid1| commBind: Cannot bind socket FD 24 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address
2017/10/09 09:49:08 kid1| commBind: Cannot bind socket FD 30 to
190.x.xxx.xxx: (99) Cannot assign requested address


I'm also using this command, for authentication:

external_acl_type i-full ipv4 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-***@DOMAIN.LAN
external_acl_type i-limitado ipv4 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -g i-***@DOMAIN.LAN

(I mean the ipv4 command).

What can I do?

Thanks to all,
and sorry for my bad English.
--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
Amos Jeffries
2017-10-09 13:58:03 UTC
Post by erdosain9
Hi.
------------------------------------------------------------------------------------------
https://wiki.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The system returned: (101) Network is unreachable
The remote host or network may be down. Please try the request again.
-------------------------------------------------------------------------------------------
So, I want to disable IPv6 (because right now I can't configure IPv6 in my net).
Squid is on CentOS 7.

Configure your machine without any IPv6 routes and setup the firewall to
reject IPv6 traffic. Squid will handle the rest automatically as long as
ICMP is working properly.

Note that the error page you got shows the *last* destination to be
tried and fail. All the others have to fail first - both IPv6 and IPv4.

So for this to show an IPv6 it means the site is IPv6-only or you
configured "dns_v4_first on" so the last destination on Squids list was
an IPv6 instead of an IPv4.

Amos
erdosain9
2017-10-09 16:46:59 UTC
This is weird.

This just happened to me with that website... I mean, with
https://wiki.squid-cache.org/ (not with Google, not with Facebook).

But the weird thing is that if I go through a machine authenticated by IP, I
receive that IPv6 error. But if I go through a Kerberos-authenticated machine I get
this "net::err cert common name invalid".
?????

So, you tell me to configure iptables to reject IPv6 traffic?

Amos Jeffries
2017-10-10 11:38:10 UTC
Post by erdosain9
This is weird.
This just happened to me with that website... I mean, with
https://wiki.squid-cache.org/ (not with Google, not with Facebook).
But the weird thing is that if I go through a machine authenticated by IP, I
receive that IPv6 error. But if I go through a Kerberos-authenticated machine I get
this "net::err cert common name invalid".
?????

"net::err" is not something from Squid. Looks more like a Chrome error.

Which exact version of Squid is this?
Post by erdosain9
So, you tell me to configure iptables to reject IPv6 traffic?

For each table you expect traffic to be going through:

# insert a REJECT rule at position 1 of each filter-table chain traffic can pass through
ip6tables -I INPUT 1 -j REJECT
ip6tables -I FORWARD 1 -j REJECT
ip6tables -I OUTPUT 1 -j REJECT

(been a while, that might be '-I 0' instead of 1).

Amos
erdosain9
2017-10-10 13:24:05 UTC
OK, that's an error from Chrome.

Another thing with just that website: if I disable dns_ipv4_first,

I get this:
------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

Failed to establish a secure connection to 104.130.201.120

The system returned:

(71) Protocol error (TLS code:
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)

SSL Certficate error: certificate issuer (CA) not known: /C=US/O=Let's
Encrypt/CN=Let's Encrypt Authority X3

This proxy and the remote host failed to negotiate a mutually acceptable
security settings for handling your request. It is possible that the remote
host does not support secure connections, or the proxy is not satisfied with
the host security credentials.
------------------------------------------------------------------------------------------

AND, if I reload the page, then again this:

------------------------------------------------------------------------------------------
The following error was encountered while trying to retrieve the URL:
https://wiki.squid-cache.org/*

Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.

The system returned: (101) Network is unreachable

The remote host or network may be down. Please try the request again.
------------------------------------------------------------------------------------------

First a certificate problem (with IPv4) and later that problem with IPv6...

So I put this and everything has to work (or -I 0):
ip6tables -I INPUT 1 -j REJECT
ip6tables -I FORWARD 1 -j REJECT
ip6tables -I OUTPUT 1 -j REJECT

Thanks.
erdosain9
2017-10-10 13:26:19 UTC
Sorry, but is the problem with the certificate a problem from the website? I
mean, it is not a problem of "my Squid".
So better I exclude that website... but so strange, the Squid wiki webpage with
a certificate problem???
Amos Jeffries
2017-10-11 06:42:33 UTC
Post by erdosain9
Sorry, but is the problem with the certificate a problem from the website? I
mean, it is not a problem of "my Squid".
So better I exclude that website... but so strange, the Squid wiki webpage with
a certificate problem???

It is either your browser or the LetsEncrypt software being broken again
(it has failed to fetch new certs a few times now).

I am forwarding your last mail to our NOC so someone can check it again.

Amos
Schroeffu
2018-11-07 20:54:08 UTC
I have experienced today exactly the same issue with Squid 4.4 for
this URL: https://bugs.squid-cache.org/index.cgi
(but not https://wiki.squid-cache.org/*, that one works)

Error Message from Squid:

The following error was encountered while trying to retrieve the URL:
https://bugs.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The system returned: (101) Network is unreachable

It is not only an IPv6-related issue. It happens to me when denying any request
via proxy without authentication like this:

acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all

You will see in the access log Squid is trying to hit
http://cert.int-x3.letsencrypt.org/ directly with 407 (not authenticated), I
am so confused, why is it doing that and why is it not authenticating?

1541623232.530 0 - TCP_DENIED/407 3619 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
1541623232.530 245 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
1541623232.546 0 172.16.5.15 NONE/503 4940 GET https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html

So I added another ACL on top in squid.conf to whitelist *.letsencrypt.org
without authentication and bam, the website
https://bugs.squid-cache.org/index.cgi is opening now:

acl white_regexp url_regex -i "/etc/squid/domains_whitelist_regex_without_authentification.acl"
http_access allow white_regexp

Content:
\.letsencrypt\.org

I think somebody should track this, it is so weird! Why does it happen on
https://bugs.squid-cache.org/index.cgi and how is that letsencrypt related?
I have no problems with any other letsencrypt-secured domains and also not
on any site providing IPv4/IPv6 at the same time (Google/Facebook). But yes,
my proxy also can *not* speak IPv6, if that is something related to
letsencrypt?
More specs:
- SSL bump active
- icapcan active
- NTLM and basic auth active
- dns_v4_first on/off doesn't matter/doesn't change anything.
Alex Rousskov
2018-11-07 22:57:56 UTC
Post by Schroeffu
I have experienced today exactly the same issue with Squid 4.4 for
this URL: https://bugs.squid-cache.org/index.cgi
https://bugs.squid-cache.org/*
Connection to 2001:4801:7827:102:ad34:6f78:b6dc:fbed failed.
The system returned: (101) Network is unreachable
It is not only an IPv6-related issue. It happens to me when denying any request
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users all

For most modern Squids, this http_access policy is, IMO, incorrect
because it blocks internally-generated requests, such as requests for
missing intermediate certificates. Please adjust your configuration to
allow those requests (if you want them to be allowed).

[rant]It could be argued that Squid should automatically allow
internally-generated requests, but I do not think that would be a good
approach, despite the inconveniences/problems caused by the current
"apply standard http_access rules" approach.[/rant]

N.B. There is no need to say "all" after another ACL in a rule. It is
like adding "and true" to some boolean statement -- it adds no value and
creates noise/overheads.
Post by Schroeffu
You will see in the access log Squid is trying to hit
http://cert.int-x3.letsencrypt.org/ directly with 407 (not authenticated), I
am so confused, why is it doing that and why is it not authenticating?

I suspect Squid is requesting a missing intermediate certificate for
some letsencrypt-issued origin certificate. This is "normal" -- some
https sites do not send all of the intermediate x509 certificates, and
modern Squids request them automatically instead of failing certificate
validation.

Squid does not "trying to hit letsencrypt.org with 407". HTTP 407 is a
response status code, not a part of the request. That error response is
probably generated by Squid (not letsencrypt.org); its existence and its
status code are determined/caused by your own http_access settings -- it
is your Squid that is denying the internal request, not letsencrypt.org.

HTH,

Alex.
Post by Schroeffu
1541623232.530 0 - TCP_DENIED/407 3619 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
1541623232.530 245 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
1541623232.546 0 172.16.5.15 NONE/503 4940 GET https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html
Why does it happen on
https://bugs.squid-cache.org/index.cgi and how is that letsencrypt related?
I have no problems with any other letsencrypt-secured domains and also not
on any site providing IPv4/IPv6 at the same time (Google/Facebook). But yes,
my proxy also can *not* speak IPv6, if that is something related to
letsencrypt?
- SSL bump active
- icapcan active
- NTLM and basic auth active
- dns_v4_first on/off doesn't matter/doesn't change anything.
i***@schroeffu.ch
2018-11-08 08:32:36 UTC
Hello and thanks for your explanation.
What kind of ACL would then match "all Squid internal requests" to allow them without authentication?
Post by Alex Rousskov
For most modern Squids, this http_access policy is, IMO, incorrect
because it blocks internally-generated requests, such as requests for
missing intermediate certificates. Please adjust your configuration to
allow those requests (if you want them to be allowed).
I found another site missing the intermediate in their CA bundle, the same issue:

1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx HIER_DIRECT/136.146.11.219 -
1541663927.210 0 172.16.5.15 NONE/503 5471 GET https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html

Just commenting out the following line does resolve the problem:

acl Authenticated_Users proxy_auth REQUIRED
#http_access deny !Authenticated_Users all

but I still need the requirement that users have to auth themselves (but exclude Squid-internal requests). So, what kind of ACL does catch Squid-internal requests for !whitelist_squid_internal_requests then? For example:

acl Authenticated_Users proxy_auth REQUIRED
acl whitelist_squid_internal_requests ????
http_access deny !Authenticated_Users !whitelist_squid_internal_requests all
Alex Rousskov
2018-11-08 16:23:05 UTC
Post by i***@schroeffu.ch
What kind of ACL would then match "all Squid internal requests" to allow them without authentication?

transaction_initiator internal

Alex.
Amos Jeffries
2018-11-08 23:42:05 UTC
Post by i***@schroeffu.ch
Hello and thanks for your explanation.
What kind of ACL would then match "all Squid internal requests" to allow them without authentication?
Post by Alex Rousskov
For most modern Squids, this http_access policy is, IMO, incorrect
because it blocks internally-generated requests, such as requests for
missing intermediate certificates. Please adjust your configuration to
allow those requests (if you want them to be allowed).
1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx HIER_DIRECT/136.146.11.219 -
1541663927.210 0 172.16.5.15 NONE/503 5471 GET https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html
Just commenting out the following line does resolve the problem:
acl Authenticated_Users proxy_auth REQUIRED
#http_access deny !Authenticated_Users all
but I still need the requirement that users have to auth themselves

FYI: By placing that "all" ACL (or any other non-authentication ACL) at
the end of your access line you are currently making Squid *not* fetch
credentials from users.

If the UA/Browser is so insecurely configured that it broadcasts user
credentials out to the network without being asked for them your above
config would _appear_ to work, but that insecurity is a different
problem on its own.

Amos
i***@schroeffu.ch
2018-11-09 08:37:06 UTC
Post by Amos Jeffries
FYI: By placing that "all" ACL (or any other non-authentication ACL) at
the end of your access line you are currently making Squid *not* fetch
credentials from users.
If the UA/Browser is so insecurely configured that it broadcasts user
credentials out to the network without being asked for them your above
config would _appear_ to work, but that insecurity is a different
problem on its own.
Amos

Oh OK, I see, thanks, will change that of course.
Post by Amos Jeffries
transaction_initiator internal
Alex.

Perfect, that's the ACL I was looking for, I didn't know that it exists.
So I changed my configuration and finally it now fetches the intermediate certificates before authentication is required:

# Allow fetching intermediate certs before authentication is required
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

# Authentication is REQUIRED
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

It also does cache them, as described here:
http://lists.squid-cache.org/pipermail/squid-dev/2017-June/008800.html

Example log:

1541752564.411 0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702 2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834 421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
1541752567.031 2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html
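An added example, not code from this thread or from the Squid project: a small Python parser over native-format access.log lines that flags exactly the entries Alex diagnosed above, an internally generated request (client field "-") that Squid's own http_access rules answered with TCP_DENIED/407. The sample log is constructed from the excerpts quoted in the thread; a real deployment would feed it /var/log/squid/access.log instead.

```python
from dataclasses import dataclass
from typing import List, Optional

# Squid native access.log layout (whitespace separated):
# time elapsed client code/status bytes method URL user hier/peer type

@dataclass
class Entry:
    ts: float
    client: str
    code: str
    status: int
    method: str
    url: str
    hier: str
    peer: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; None for lines that do not fit."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    code, status = f[3].split("/", 1)
    hier, peer = f[8].split("/", 1)   # peer may itself be an IPv6 literal
    if not status.isdigit():
        return None
    return Entry(float(f[0]), f[2], code, int(status), f[5], f[6], hier, peer)

def is_denied_internal(e: Entry) -> bool:
    """Internal requests log no client address ("-"); a TCP_DENIED/407 on one
    means http_access challenged Squid itself (e.g. an AIA cert fetch)."""
    return e.client == "-" and e.code == "TCP_DENIED" and e.status == 407

def find_denied_internal(lines: List[str]) -> List[Entry]:
    """Entries to act on: fix http_access ordering, not DNS or IPv6."""
    return [e for e in map(parse_line, lines) if e is not None and is_denied_internal(e)]

# Sample input: constructed from the log excerpts quoted in this thread
# (bold markers removed, wrapped lines rejoined); not a real capture.
SAMPLE_LOG = """\
1541623232.530 0 - TCP_DENIED/407 3619 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- text/html;charset=utf-8
1541623232.530 245 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/2001:4801:7827:102:ad34:6f78:b6dc:fbed -
1541623232.546 0 172.16.5.15 NONE/503 4940 GET https://bugs.squid-cache.org/favicon.ico xxxx HIER_NONE/- text/html
1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
1541752564.411 0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702 2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
"""

if __name__ == "__main__":
    for e in find_denied_internal(SAMPLE_LOG.splitlines()):
        print(f"{e.ts:.3f} internal {e.method} {e.url} denied with 407; "
              "allow 'transaction_initiator internal' before the proxy_auth deny")
```

Note that the ordinary client 407 (line 5) and the later TCP_MEM_HIT on the same certificate URL (line 6, the fixed configuration from the final post) are correctly not flagged.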