Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers
So far it seems there are some issues with my docker networks on the host, thank you for your help, I will come later if this will not be the case.

Kind regards,
Dragos

On Tuesday, March 5th, 2024 at 11:59 AM, Dragos Pacher wrote:

> Please see my replies in between the lines below.
>
> On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries squ...@treenet.co.nz wrote:
>
> > On 5/03/24 08:03, Dragos Pacher wrote:
> >
> > > Hello,
> > >
> > > I am a Squid beginner and we would like to use Squid inside our
> > > organization only as a HTTPS traffic inspection/logging tool for some
> > > 3rd party apps that we bought, something close to what a "MITM proxy"
> > > is called but we will not do that, instead we use a self signed
> > > certificate and the 3rd party app owners know this. Everything is
> > > 100% completely legal. (Ps: I am the IT lead).
> >
> > FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> > security terminology, "proxy" means "intermediary" in networking
> > terminology.
> > So that term just means "intermediary intermediary", yeah.
>
> I did not coin this term, I was referring to this: https://mitmproxy.org,
> I guess it entered IT popular culture somehow..
>
> > Any serious HTTPS inspection/logging by Squid needs some form of
> > SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> > trust for the self-signed root CA you are using.
> >
> > Without that nothing Squid (or any other proxy) does will allow traffic
> > inspection beyond the initial TLS handshake.
>
> I specified in my first email I did this already, maybe I was not so clear but
> my self-signed certificate is working with the 3rd party apps.
>
> > Assuming that you have checked that detail, on to your issue ...
> >
> > > We will be using Squid only internally, no outside access. Here is my
> > > issue with the current knowledge of Squid: POC running well on 3 servers
> > > but on the 4th I get no IPv6 sockets:
> > > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)
> >
> > Your problem is the https(s)_port "port" configuration parameter.
> >
> > This Squid is configured to listen like:
> >
> > http_port 10.10.0.16:3128
> >
> > or
> >
> > http_port example.com:3128
> >
> > (when example.com has only address 10.10.0.16)
> >
> > The "http_port" receives port 80 syntax traffic, it may also be
> > "https_port" which receives port 443 syntax traffic.
> >
> > > and on the other 3 I have IPv6:
> > > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
> > > tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
> >
> > These Squid are configured to listen like:
> >
> > http_port 3128
> >
> > Ensure that the machine/server the 4th Squid is running on has its
> > http(s)_port line matching the other three machines port value.
> >
> > At this point do not care about the "mode" or options later in the line.
> > Your issue is solely the "port" parameter.
>
> So far it seems I was missing [::] in my http_port in the problem server,
> because of automatic deployment something went wrong and I assumed my Squid
> configuration is all the same all over the place. I fixed this but the issue
> is still there, please see: this is inside a docker container on a healthy server:
>
> # netstat -patun
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.11:41421 0.0.0.0:* LISTEN 1574/dockerd
> tcp 0 1 172.18.0.10:46950 10.10.0.16:3128 SYN_SENT 307601/node
> udp 0 0 127.0.0.11:57486 0.0.0.0:* 1574/dockerd
>
> and same netstat on the unhealthy server, still inside docker:
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.11:38339 0.0.0.0:* LISTEN 273025/dockerd
> tcp 0 0 172.18.0.4:50666 10.10.0.11:3128 ESTABLISHED 494253/node
> tcp6 0 0 :::8080 :::* LISTEN 494253/node
> tcp6 0 0 127.0.0.1:8080 127.0.0.1:46168 TIME_WAIT -
> tcp6 0 0 127.0.0.1:8080 127.0.0.1:44480 TIME_WAIT -
> udp 0 0 127.0.0.11:56639 0.0.0.0:* 273025/dockerd
>
> and a tcpdump from the docker bridge interface, 172.18.0.10 is my issue
> container with the SYN sent only
>
> root@A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
> tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
>
> 09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
>     172.18.0.10.56272 >
Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers
Please see my replies in between the lines below.

On Tuesday, March 5th, 2024 at 5:40 AM, Amos Jeffries wrote:

> On 5/03/24 08:03, Dragos Pacher wrote:
>
> > Hello,
> >
> > I am a Squid beginner and we would like to use Squid inside our
> > organization only as a HTTPS traffic inspection/logging tool for some
> > 3rd party apps that we bought, something close to what a "MITM proxy"
> > is called but we will not do that, instead we use a self signed
> > certificate and the 3rd party app owners know this. Everything is
> > 100% completely legal. (Ps: I am the IT lead).
>
> FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in
> security terminology, "proxy" means "intermediary" in networking
> terminology.
> So that term just means "intermediary intermediary", yeah.

I did not coin this term, I was referring to this: https://mitmproxy.org, I guess it entered IT popular culture somehow..

> Any serious HTTPS inspection/logging by Squid needs some form of
> SSL-Bump configuration and those 3rd-party Apps MUST be configured with
> trust for the self-signed root CA you are using.
>
> Without that nothing Squid (or any other proxy) does will allow traffic
> inspection beyond the initial TLS handshake.

I specified in my first email I did this already, maybe I was not so clear but my self-signed certificate is working with the 3rd party apps.

> Assuming that you have checked that detail, on to your issue ...
>
> > We will be using Squid only internally, no outside access. Here is my
> > issue with the current knowledge of Squid: POC running well on 3 servers
> > but on the 4th I get no IPv6 sockets:
> > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)
>
> Your problem is the https(s)_port "port" configuration parameter.
>
> This Squid is configured to listen like:
>
> http_port 10.10.0.16:3128
>
> or
>
> http_port example.com:3128
>
> (when example.com has only address 10.10.0.16)
>
> The "http_port" receives port 80 syntax traffic, it may also be
> "https_port" which receives port 443 syntax traffic.
>
> > and on the other 3 I have IPv6:
> > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
> > tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
>
> These Squid are configured to listen like:
>
> http_port 3128
>
> Ensure that the machine/server the 4th Squid is running on has its
> http(s)_port line matching the other three machines port value.
>
> At this point do not care about the "mode" or options later in the line.
> Your issue is solely the "port" parameter.

So far it seems I was missing [::] in my http_port in the problem server, because of automatic deployment something went wrong and I assumed my Squid configuration is all the same all over the place. I fixed this but the issue is still there, please see: this is inside a docker container on a healthy server:

# netstat -patun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:41421 0.0.0.0:* LISTEN 1574/dockerd
tcp 0 1 172.18.0.10:46950 10.10.0.16:3128 SYN_SENT 307601/node
udp 0 0 127.0.0.11:57486 0.0.0.0:* 1574/dockerd

and same netstat on the unhealthy server, still inside docker:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.11:38339 0.0.0.0:* LISTEN 273025/dockerd
tcp 0 0 172.18.0.4:50666 10.10.0.11:3128 ESTABLISHED 494253/node
tcp6 0 0 :::8080 :::* LISTEN 494253/node
tcp6 0 0 127.0.0.1:8080 127.0.0.1:46168 TIME_WAIT -
tcp6 0 0 127.0.0.1:8080 127.0.0.1:44480 TIME_WAIT -
udp 0 0 127.0.0.11:56639 0.0.0.0:* 273025/dockerd

and a tcpdump from the docker bridge interface, 172.18.0.10 is my issue container with the SYN sent only

root@A2-3:~# tcpdump -i br-7b47c165c9ba dst port 3128 -vvv
tcpdump: listening on br-7b47c165c9ba, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:55:53.436758 IP (tos 0x0, ttl 64, id 48752, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.59056 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect -> 0x0dd4), seq 2115452268, win 65535, options [mss 1460,sackOK,TS val 1708093369 ecr 0,nop,wscale 11], length 0
09:56:20.845804 IP (tos 0x0, ttl 64, id 40649, offset 0, flags [DF], proto TCP (6), length 60)
    172.18.0.10.56272 > A2-3.3128: Flags [S], cksum 0xb661 (incorrect ->
Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers
On 5/03/24 08:03, Dragos Pacher wrote:

> Hello,
>
> I am a Squid beginner and we would like to use Squid inside our
> organization only as a HTTPS traffic inspection/logging tool for some
> 3rd party apps that we bought, something close to what a "MITM proxy"
> is called but we will not do that, instead we use a self signed
> certificate and the 3rd party app owners know this. Everything is
> 100% completely legal. (Ps: I am the IT lead).

FYI: "MITM proxy" is a ridiculous term. "MITM" means "intermediary" in security terminology, "proxy" means "intermediary" in networking terminology.
So that term just means "intermediary intermediary", yeah.

Any serious HTTPS inspection/logging by Squid needs some form of SSL-Bump configuration and those 3rd-party Apps MUST be configured with trust for the self-signed root CA you are using.

Without that nothing Squid (or any other proxy) does will allow traffic inspection beyond the initial TLS handshake.

Assuming that you have checked that detail, on to your issue ...

> We will be using Squid only internally, no outside access. Here is my
> issue with the current knowledge of Squid: POC running well on 3 servers
> but on the 4th I get no IPv6 sockets:
> ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)

Your problem is the https(s)_port "port" configuration parameter.

This Squid is configured to listen like:

  http_port 10.10.0.16:3128

or

  http_port example.com:3128

(when example.com has only address 10.10.0.16)

The "http_port" receives port 80 syntax traffic, it may also be "https_port" which receives port 443 syntax traffic.

> and on the other 3 I have IPv6:
> ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
> tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)

These Squid are configured to listen like:

  http_port 3128

Ensure that the machine/server the 4th Squid is running on has its http(s)_port line matching the other three machines port value.

At this point do not care about the "mode" or options later in the line. Your issue is solely the "port" parameter.

Cheers
Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
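
The reply above comes down to comparing the first http_port argument across the four servers. The following is an added example, not code from the thread or from the Squid project: it classifies that argument and reports the host whose listener differs from the fleet majority. The host names host-c and host-d, the function names and the sample configs are constructed, and the mapping from argument form to IPv4-only listener follows the netstat output quoted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Captures the directive and its first argument (the "port" parameter);
# mode and options later in the line are ignored, as the reply advises.
PORT_DIRECTIVE = re.compile(r"^\s*(https?_port)\s+(\S+)")
IPV4_ONLY = {"ipv4-address", "ipv4-wildcard"}


def classify_listen_spec(spec):
    """Classify the first http(s)_port argument; returns (kind, port)."""
    if spec.isdigit():                      # "3128": no address given
        return ("port-only", int(spec))
    if spec.startswith("["):                # "[::]:3128", "[2001:db8::1]:3128"
        host, sep, port = spec[1:].partition("]:")
        if not sep or not port.isdigit():
            return ("invalid", 0)
        try:
            addr = ipaddress.IPv6Address(host)
        except ValueError:
            return ("invalid", 0)
        kind = "ipv6-wildcard" if addr.is_unspecified else "ipv6-address"
        return (kind, int(port))
    host, sep, port = spec.rpartition(":")
    if not sep or not host or not port.isdigit() or ":" in host:
        return ("invalid", 0)
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        # A name such as example.com: family depends on what it resolves to.
        return ("hostname", int(port))
    kind = "ipv4-wildcard" if addr.is_unspecified else "ipv4-address"
    return (kind, int(port))


def listeners(conf_text):
    """Return (directive, port, kind) for every http(s)_port line."""
    found = []
    for line in conf_text.splitlines():
        match = PORT_DIRECTIVE.match(line)   # commented-out lines do not match
        if match:
            kind, port = classify_listen_spec(match.group(2))
            found.append((match.group(1), port, kind))
    return found


def drift_report(configs):
    """Compare each host's listeners with the most common profile."""
    profiles = {h: frozenset(listeners(t)) for h, t in configs.items()}
    baseline = Counter(profiles.values()).most_common(1)[0][0]
    report = {}
    for host in sorted(profiles):
        profile = profiles[host]
        if profile != baseline:
            report[host] = {
                "unexpected": sorted(profile - baseline),
                "missing": sorted(baseline - profile),
                "ipv4_only_ports": sorted(
                    {p for _, p, k in profile if k in IPV4_ONLY}),
            }
    return report


# Constructed sample configs: A2-2 and A2-3 use the two forms shown in the
# thread; host-c and host-d are hypothetical stand-ins for the other servers.
SAMPLE_CONFIGS = {
    "A2-2": "# deployed by automation\nhttp_port 3128\n",
    "A2-3": "http_port 10.10.0.16:3128\n",
    "host-c": "http_port 3128\n",
    "host-d": "http_port 3128\n",
}

if __name__ == "__main__":
    for host, detail in drift_report(SAMPLE_CONFIGS).items():
        print(host, detail)
```

Running the same comparison against the deployed squid.conf files after each automated rollout catches the kind of per-host difference described in this thread before clients hit it.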
Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers
Thank you Alex,

Indeed something is listening on this port, but it looks to be Squid:

root@A2-3:/# nc -6 -l 3128
nc: Address already in use
root@A2-3:/# lsof -i:3128
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
squid 3480423 proxy 25u IPv4 283726201 0t0 TCP A2-3:3128 (LISTEN)

but the socket is IPV4 only on the problem host:

root@A2-3:/# lsof -a -i4 -i6 -itcp | grep 3128
squid 3480423 proxy 25u IPv4 283726201 0t0 TCP A2-3:3128 (LISTEN)

compared to a 'healthy' server:

root@A2-2:~# lsof -a -i4 -i6 -itcp | grep 3128
squid 997651 proxy 12u IPv6 254219302 0t0 TCP A2-2:3128->x.x.x.x:46816 (ESTABLISHED)
squid 997651 proxy 25u IPv6 241163587 0t0 TCP *:3128 (LISTEN)

As I know a IPV6 socket accepts both v4 and v6 connections but a V4 socket only V4 connections, and this looks to be the symptom.

This is what I found in the cache.log:

2024/03/04 16:09:28 kid1| With 100 file descriptors available
2024/03/04 16:09:28 kid1| Initializing IP Cache...
2024/03/04 16:09:28 kid1| DNS IPv6 socket created at [::], FD 9
2024/03/04 16:09:28 kid1| DNS IPv4 socket created at 0.0.0.0, FD 10

so it looks like it creates the IPv6 socket but it's not working somehow:

root@A2-3:/# telnet ::1 3128
Trying ::1...
telnet: Unable to connect to remote host: Connection refused

Unfortunately nothing else relevant to me in the cache.log, I enabled debugging, to what email can I send the archive for you to look at it, please?

Thank you,
Dragos

Sent with Proton Mail secure email.

On Monday, March 4th, 2024 at 9:43 PM, Alex Rousskov wrote:

> On 2024-03-04 14:03, Dragos Pacher wrote:
>
> > POC running well on 3 servers but on the 4th I get no IPv6
> > sockets:
> > ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)
>
> Are there any other processes listening on IPv6 addresses on this
> problematic host?
>
> Does something like "nc -6 -l 3128" listen on an IPv6 address on this
> problematic host?
>
> If possible, please also check cache.log for messages mentioning IPv6
> and "BCP 177"; I know you shared syslog output, but I am a bit worried
> that syslog might be missing some relevant early debugging messages.
>
> If nothing helps, consider sharing a pointer to compressed Squid startup
> cache.log after adding "debug_options ALL,2 50,3" to your squid.conf. We
> do not need to see any transactions, just Squid startup steps. Still,
> this log may contain some sensitive details, so share privately if needed.
>
> Thank you,
>
> Alex.
>
> > and on the other 3 I have IPv6:
> > ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> > tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
> > tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
> > tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428 ESTABLISHED 997651/(squid-1)
> >
> > This creates a problem for us since the apps I monitor are not starting
> > since their start routine is IPV6 only and then they switch to
> > IPv4/IPV6, but the start is IPV6 alone.
> >
> > Therefore my questions are as follows:
> >
> > 1. How can I make it listen on both IPV6/IPV4 like on the other servers?
> > 2. Any configuration improvement suggestions?
> >
> > Please find all details here:
> > So far I did a POC on 4 servers, here is the full config, nothing
> > sophisticated since this is where my Squid knowledge took me so far.
> > Running Squid 6.7 with some basic options
> > on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
> > squid -v
> > Squid Cache: Version 6.7
> > Service Name: squid
> > This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options: '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--enable-ssl-crtd' '--with-openssl'
> >
> > and here is the syslog of Squid start:
> > Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing Configuration File: /etc/squid/squid.conf (depth 0)
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> > Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file (/var/run/squid.pid)
> > Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
> > Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 started
> > Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
> > Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty
Re: [squid-users] Missing IPv6 sockets in Squid 6.7 in some servers
On 2024-03-04 14:03, Dragos Pacher wrote:

> POC running well on 3 servers but on the 4th I get no IPv6 sockets:
> ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
> tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)

Are there any other processes listening on IPv6 addresses on this problematic host?

Does something like "nc -6 -l 3128" listen on an IPv6 address on this problematic host?

If possible, please also check cache.log for messages mentioning IPv6 and "BCP 177"; I know you shared syslog output, but I am a bit worried that syslog might be missing some relevant early debugging messages.

If nothing helps, consider sharing a pointer to compressed Squid startup cache.log after adding "debug_options ALL,2 50,3" to your squid.conf. We do not need to see any transactions, just Squid startup steps. Still, this log may contain some sensitive details, so share privately if needed.

Thank you,

Alex.

> and on the other 3 I have IPv6:
> ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
> tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
> tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
> tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428 ESTABLISHED 997651/(squid-1)
>
> This creates a problem for us since the apps I monitor are not starting
> since their start routine is IPV6 only and then they switch to
> IPv4/IPV6, but the start is IPV6 alone.
>
> Therefore my questions are as follows:
>
> 1. How can I make it listen on both IPV6/IPV4 like on the other servers?
> 2. Any configuration improvement suggestions?
>
> Please find all details here:
> So far I did a POC on 4 servers, here is the full config, nothing
> sophisticated since this is where my Squid knowledge took me so far.
> Running Squid 6.7 with some basic options
> on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64
> squid -v
> Squid Cache: Version 6.7
> Service Name: squid
> This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options: '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--enable-ssl-crtd' '--with-openssl'
>
> and here is the syslog of Squid start:
> Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
> Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file (/var/run/squid.pid)
> Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
> Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 started
> Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set Current Directory to /var/cache/squid
> Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating missing swap directories
> Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No cache_dir stores are configured.
> Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 3094665 exited with status 0
> Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID file (/var/run/squid.pid)
> Mar 4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar 4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
> Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
> Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 3094668 started
> Mar 4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
> Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
> Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
> Mar 4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
> Mar 4 16:09:28 A2-3 squid[3094668]:
[squid-users] Missing IPv6 sockets in Squid 6.7 in some servers
Hello,

I am a Squid beginner and we would like to use Squid inside our organization only as a HTTPS traffic inspection/logging tool for some 3rd party apps that we bought, something close to what a "MITM proxy" is called but we will not do that, instead we use a self signed certificate and the 3rd party app owners know this. Everything is 100% completely legal. (Ps: I am the IT lead).

We will be using Squid only internally, no outside access. Here is my issue with the current knowledge of Squid: POC running well on 3 servers but on the 4th I get no IPv6 sockets:

ubuntu@A2-3:/$ sudo netstat -patun | grep squid | grep tcp
tcp 0 0 10.10.0.16:3128 0.0.0.0:* LISTEN 2891391/(squid-1)

and on the other 3 I have IPv6:

ubuntu@A2-2:/$ sudo netstat -patun | grep squid | grep tcp
tcp 0 0 x.x.x.x:52386 x.x.x.x:443 ESTABLISHED 997651/(squid-1)
tcp6 0 0 :::3128 :::* LISTEN 997651/(squid-1)
tcp6 0 0 10.10.0.12:3128 10.20.0.1:39428 ESTABLISHED 997651/(squid-1)

This creates a problem for us since the apps I monitor are not starting since their start routine is IPV6 only and then they switch to IPv4/IPV6, but the start is IPV6 alone.

Therefore my questions are as follows:

- How can I make it listen on both IPV6/IPV4 like on the other servers?
- Any configuration improvement suggestions?

Please find all details here:
So far I did a POC on 4 servers, here is the full config, nothing sophisticated since this is where my Squid knowledge took me so far.
Running Squid 6.7 with some basic options on Ubuntu 22.04 kernel 5.15.0-89-generic x86_64

squid -v
Squid Cache: Version 6.7
Service Name: squid
This binary uses OpenSSL 3.0.2 15 Mar 2022. configure options: '--prefix=/usr' '--localstatedir=/var' '--libexecdir=/lib/squid' '--datadir=/share/squid' '--sysconfdir=/etc/squid' '--with-default-user=proxy' '--with-logdir=/var/log/squid' '--enable-ssl-crtd' '--with-openssl'

and here is the syslog of Squid start:

Mar 4 16:09:28 A2-3 systemd[1]: Starting Squid Web Proxy Server...
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Created PID file (/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: will start 1 kids
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: (squid-1) process 3094665 started
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Set Current Directory to /var/cache/squid
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| Creating missing swap directories
Mar 4 16:09:28 A2-3 squid[3094665]: 2024/03/04 16:09:28 kid1| No cache_dir stores are configured.
Mar 4 16:09:28 A2-3 squid[3094662]: Squid Parent: squid-1 process 3094665 exited with status 0
Mar 4 16:09:28 A2-3 squid[3094662]: 2024/03/04 16:09:28| Removing PID file (/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094666]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094666]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094666]: Created PID file (/var/run/squid.pid)
Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: will start 1 kids
Mar 4 16:09:28 A2-3 squid[3094666]: Squid Parent: (squid-1) process 3094668 started
Mar 4 16:09:28 A2-3 squid[3094668]: Processing Configuration File: /etc/squid/squid.conf (depth 0)
Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: empty ACL: acl broken_sites ssl::server_name "/etc/squid/ssl_broken_sites.txt"
Mar 4 16:09:28 A2-3 squid[3094668]: WARNING: The "Hs" formatting code is deprecated. Use the ">Hs" instead.
Mar 4 16:09:28 A2-3 squid[3094668]: Set Current Directory to /var/cache/squid
Mar 4 16:09:28 A2-3 squid[3094668]: Starting Squid Cache version 6.7 for x86_64-pc-linux-gnu...
Mar 4 16:09:28 A2-3 squid[3094668]: Service Name: squid
Mar 4 16:09:28 A2-3 squid[3094668]: Process ID 3094668
Mar 4 16:09:28 A2-3 squid[3094668]: Process Roles: worker
Mar 4 16:09:28 A2-3 squid[3094668]: With 100 file descriptors available
Mar 4 16:09:28 A2-3 squid[3094668]: Initializing IP Cache...
Mar 4 16:09:28 A2-3 squid[3094668]: DNS IPv6 socket created at [::], FD