[Bug 1547640] Re: proxy tries ipv6 and gets 503 when no ipv6 routes
Amos Jeffries
1547640 at bugs.launchpad.net
Mon Feb 22 23:02:11 UTC 2016
And for the record: no, Squid does not use libc getaddrinfo(). That API
provides speed restrictions several orders of magnitude too slow for
even small Squid installations.
** Description changed:
Many people run squid (squid-deb-proxy, or maas-proxy) to provide ubuntu
archive mirror caching and proxying. MAAS sets this up by default for
users with the 'maas-proxy' package.
On or about Friday February 19, this setup began to fail for many people.
Users would see 'apt-get update' returning 503 errors. For me, I saw 503 on security.ubuntu.com addresses.
- The reason for the failure was that the squid proxy began using ipv6
- addresses for instead of ipv4. The squid proxy host did not have ipv6
- connectivity and thus would fail.
+ The reason for the failure was that the DNS records for Ubuntu reacheda
+ threshold of 10 IPv6 entries. The squid proxy host did not have ipv6
+ connectivity and with a limit of 10 retries the failover does not reach
+ any IPv4 addresses - thus would fail.
The fix/workaround is to add the following to your squid config:
- # http://www.squid-cache.org/Doc/config/dns_v4_first/
- dns_v4_first on
+ # http://www.squid-cache.org/Doc/config/forward_max_tries/
+ forward_max_tries 25
The appropriate squid config file depends on what is running squid.
maas-proxy: /usr/share/maas/maas-proxy.conf
squid-deb-proxy: /etc/init/squid-deb-proxy.conf
I'm not sure how this previously worked, nor what change was made.
One change that was made in this time frame was a glibc update (2.19-0ubuntu6.6 to 2.19-0ubuntu6.7) for security (CVE-2013-7423 CVE-2014-9402 CVE-2015-1472 CVE-2015-1473). But it doesn't seem to make sense that that would change squid3 to start looking for AAAA records when it did not previously.
i can verify that as late as
- Thu Feb 18 06:36:07 EST 2016
+ Thu Feb 18 06:36:07 EST 2016
i was seeing entries in my squid logs with
- 1455713142.896 335 10.7.2.103 TCP_REFRESH_UNMODIFIED/200 82620 GET http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/91.189.88.149 -
+ 1455713142.896 335 10.7.2.103 TCP_REFRESH_UNMODIFIED/200 82620 GET http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/91.189.88.149 -
but now i get
- 1455879482.210 1 10.7.2.103 TCP_REFRESH_FAIL/200 635 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/2001:67c:1562::14 -
+ 1455879482.210 1 10.7.2.103 TCP_REFRESH_FAIL/200 635 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/2001:67c:1562::14 -
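Review bot: The new workaround line "forward_max_tries 25" gives no reason for the value 25. The reworded cause says the failure appears once DNS returns 10 IPv6 entries against a limit of 10 tries, so the description should say that the limit has to stay above the number of unreachable IPv6 addresses returned, otherwise readers will not know when 25 stops being enough. The change also drops "dns_v4_first on" without saying whether that setting was wrong or is just no longer the preferred workaround; one sentence on that would help people who already applied it. In the first added line of the cause paragraph, "reacheda" should read "reached a".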
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid3 in Ubuntu.
https://bugs.launchpad.net/bugs/1547640
Title:
proxy tries ipv6 and gets 503 when no ipv6 routes
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1547640/+subscriptions
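
A log check for the symptom described in this report, as an added example that is not part of the original message or of Squid: it parses native-format access.log lines and counts failed requests whose upstream address (the HIER_DIRECT field) was IPv6. The first two sample lines are the ones quoted in the description; the third is constructed, and treating `*_FAIL` result codes and status 503 as failures is an assumption of this example.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Two access.log lines quoted in the bug description, plus one constructed
# 503 line (the third line is sample data, not taken from the report).
SAMPLE_LOG = """\
1455713142.896 335 10.7.2.103 TCP_REFRESH_UNMODIFIED/200 82620 GET http://security.ubuntu.com/ubuntu/dists/xenial-security/InRelease - HIER_DIRECT/91.189.88.149 -
1455879482.210 1 10.7.2.103 TCP_REFRESH_FAIL/200 635 GET http://security.ubuntu.com/ubuntu/dists/precise-security/main/i18n/Index - HIER_DIRECT/2001:67c:1562::14 -
1455879483.000 2 10.7.2.103 TCP_MISS/503 4012 GET http://security.ubuntu.com/ubuntu/dists/trusty-security/InRelease - HIER_DIRECT/2001:67c:1562::14 -
"""


def parse_line(line):
    """Parse one native-format Squid access.log line; None if malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    code, status = f[3].split("/", 1)   # e.g. TCP_REFRESH_FAIL / 200
    _hier, peer = f[8].split("/", 1)    # e.g. HIER_DIRECT / 2001:67c:1562::14
    try:
        version = ipaddress.ip_address(peer.strip("[]")).version
    except ValueError:                  # "-" or a hostname: no upstream IP
        version = None
    return {"code": code, "status": status, "peer": peer, "ipver": version,
            "host": urlsplit(f[6]).hostname or f[6]}


def ipv6_failures(log_text):
    """Count failed requests per origin host whose upstream was IPv6."""
    failed = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ipver"] != 6:
            continue
        # Assumption: a *_FAIL result code or a 503 status marks a failure.
        if rec["code"].endswith("_FAIL") or rec["status"] == "503":
            failed[rec["host"]] += 1
    return failed


if __name__ == "__main__":
    for host, count in ipv6_failures(SAMPLE_LOG).items():
        print(f"{host}: {count} failed request(s) forwarded over IPv6")
```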