如何在 squid 代理中禁用 ipv4,这样当我访问网站时它将仅使用 ipv6 ip。我在 ubuntu 20.04 上安装了 squid 代理。我测试了我的配置,但在 whatismyipaddress.com 上它仍然可以检测到 ipv4。这是我的配置
forwarded_for off
via off
follow_x_forwarded_for deny all
request_header_access X-Forwarded-For deny all
request_header_access From deny all
request_header_access Referer deny all
request_header_access User-Agent deny all
request_header_access Authorization allow all
request_header_access Proxy-Authorization allow all
request_header_access Cache-Control allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Connection allow all
request_header_access All deny all
acl localnet src xxx.xxx.xxx.xxx
acl localnet src xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
acl ipv4_from src ipv4
acl ipv4_to dst ipv4
acl ip1 myip 2406:cb42:0:1029:607a:0000:0000:0001
acl ip2 myip 2406:cb42:0:1029:607a:0000:0000:0002
tcp_outgoing_address 2406:cb42:0:1029:607a:0000:0000:0001 ip1
tcp_outgoing_address 2406:cb42:0:1029:607a:0000:0000:0002 ip2
http_access allow localnet
http_access allow localhost
http_access deny all
http_access deny ipv4_from
http_access deny ipv4_to
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_port 3128
答案1
acl ipv4_from src ipv4
acl ipv4_to dst ipv4
http_access deny ipv4_from
http_access deny ipv4_to
http_access allow localhost
http_access deny all
此 Squid ACL 片段禁止所有 IPv4,并且仅允许本地主机,因此 Squid 在本地框上运行。(编译为特殊 ACL 字符串,适用于所有“ipv4”或“ipv6”。)根据需要进行调整,或许允许来自您组织的 /48 前缀。
拒绝 v4 目标将阻止对仅 IPv4 站点的访问,即使 squid 主机是双栈的并且可以访问它们。如果您想强制使用仅 v6 环境,这很好。但会拒绝包括(截至 2021 年)serverfault.com 在内的内容。
或者,可以为主机配置仅 IPv6 网络。
答案2
我已经测试了以下配置文件,该文件仅允许 IPv6 流量:
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl ipv4_from src ipv4
acl ipv4_to dst ipv4
dns_v4_first off
acl to_ipv6 dst ipv6
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny ipv4_to
http_access deny ipv4_from
http_access deny !to_ipv6
http_access allow to_ipv6
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
coredump_dir /var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 2620:fe::fe
max_filedescriptors 3200
我确认了https://www.iplocation.net/myip并且正确发现没有 ip4 地址但是有一个完全正常工作的 ipv6 地址。
关键部分是拒绝http_access水平ipv4_to和ipv4_from和反向规则!to_ipv6
注意:DNS 服务器也设置为使用 IPv6 服务器。