Re: [Shorewall-users] Tproxy + Squid + IPv6

Wed, 05 Jul 2017 03:16:58 -0700 

Hello,

I had the Tproxy + SQUID config for ipv4 and ipv6, too and can confirm
the problem with Path-MTU Discovery. That simple does'nt work. So ipv6
sites that need reduced MTU simply will hang. In my opinion thats a
problem in xt_TPROXY/kernel not squid which should act on Packet-Too-Big
ICMP Types for the Tproxy connection.

See:
http://www1.gr.squid-cache.org/mail-archive/squid-users/201210/0217.html

My only solution was to disable transparent proxy for ipv6.

Bye
Am 03.07.2017 um 03:12 schrieb Tom Eastep:
> On 07/02/2017 03:37 AM, Tuomo Soini wrote:
>> I tested dual stack configuration (ipv4 and ipv6) with transparent
>> proxy some years ago and ended up decision:
>>
>> Time of transparent proxy is long gone. Especially with dual stack
>> transparent proxy makes things a lot worse. There are quite a few sites
>> with ipv6 address so that web site doesn't actually work at all with
>> ipv6. With transparent proxy in place browsers can't fail back to to
>> ipv4 rendering all these sites unavailable.
>>
>> Tom: I think this should be noted on documentation too.
>>
>> Reason for the issue is browser creates tcp connection with proxy, not
>> with remote site so browser doesn't know tcp connection failed with
>> destination site - so ipv6 to ipv4 fallback can't work.
>>
> I've added a caution to the top of the Shorewall Squid document.
>
> -Tom
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

-- 


*Ralf Schenk*
fon +49 (0) 24 05 / 40 83 70
fax +49 (0) 24 05 / 40 83 759
mail *r...@databay.de* <mailto:r...@databay.de>
                
*Databay AG*
Jens-Otto-Krag-Straße 11
D-52146 Würselen
*www.databay.de* <http://www.databay.de>

Sitz/Amtsgericht Aachen • HRB:8437 • USt-IdNr.: DE 210844202
Vorstand: Ralf Schenk, Dipl.-Ing. Jens Conze, Aresch Yavari, Dipl.-Kfm.
Philipp Hermanns
Aufsichtsratsvorsitzender: Wilhelm Dohmen

------------------------------------------------------------------------

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to