sniproxy
"Secure Connection Failed" on IPv4 to IPv6
I'm not sure if this is a duplicate of #157, but I'm unable to proxy a connection received on IPv4 to an IPv6 host. As mentioned in the other issue, this may be caused by a difference in the header sizes between the two versions.
Would it be possible to use the inbound protocol as a bias for the outbound protocol when both are available (i.e. when a connection is made over IPv4, use the A record, and when a connection is made over IPv6, use the AAAA record)?
@cyberjacob I don't think the increased size of the IPv6 header is your problem, but it could be that the downstream server is looking at the TCP segmentation and inferring the presence of a proxy. The easiest way to do this would be to run two instances of sniproxy, one listening only on IPv6 with the ipv6_v6only option and one listening on IPv6 i.e. listen 0.0.0.0:80 and configure the resolver on each accordingly. I don't see a strong case for making the resolver separate per listener, it would add a lot of complexity.
I'm assuming you meant one on IPv6 and one on IPv4? If so, I think the v4-only instance would still have issues, as it would resolve IPv6 addresses for the upstream hosts and use those to connect to.
@cyberjacob No, I was referring to the ipv6_v6only listener option, this disables the Linux default behavior that a socket listening on [::] will receive connections to any IPv4 address bound to the host as well as any IPv6 address bound.
/etc/sniproxy-v6.conf:

    resolver {
        mode ipv6_first
        # Don't use ipv6_only here, so as not to break IPv4-only sites; a dual-stack client
        # will not fall back to IPv4 if it is able to open a TCP connection to a site over IPv6
    }

    listen :: 443 {
        proto http
        ipv6_v6only on
    }

/etc/sniproxy-v4.conf:

    resolver {
        mode ipv4_only
    }

    listen 0.0.0.0 80 {
        proto http
    }
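The dual-stack socket behaviour described above (a listener bound to [::] accepting IPv4 clients as v4-mapped addresses unless IPV6_V6ONLY is set) can be checked directly. The script below is an added example written for this thread; it is not sniproxy code and not the commenter's, but sniproxy's `ipv6_v6only on` listener option sets the same IPV6_V6ONLY socket option shown here. It binds an IPv6 listener on an ephemeral port, then tries to connect to it from an IPv4 loopback socket. The function name and the loopback addresses are assumptions of the example.

```python
import socket


def ipv4_peer_seen_by_v6_listener(v6only: bool):
    """Bind an AF_INET6 listener on [::], optionally with IPV6_V6ONLY, and
    attempt one IPv4 loopback connection to it.

    Returns the peer address string the listener sees (on Linux a v4-mapped
    address such as '::ffff:127.0.0.1') when the IPv4 client is accepted,
    False when the kernel refuses the IPv4 client because IPV6_V6ONLY is set,
    and None when IPv6 is not usable on this host.
    """
    if not socket.has_ipv6:
        return None  # Python built without IPv6 support
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    try:
        # This is the option sniproxy's "ipv6_v6only on" listener setting controls.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))  # port 0: kernel picks a free ephemeral port
        srv.listen(1)
        srv.settimeout(2)
    except OSError:
        srv.close()
        return None  # IPv6 disabled on the host, cannot demonstrate
    port = srv.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(2)
    try:
        client.connect(("127.0.0.1", port))  # plain IPv4 connection
        conn, peer = srv.accept()
        conn.close()
        return peer[0]  # e.g. '::ffff:127.0.0.1' (v4-mapped)
    except OSError:
        # ECONNREFUSED: the v6-only listener is invisible to IPv4 clients
        return False
    finally:
        client.close()
        srv.close()


if __name__ == "__main__":
    print("default (IPV6_V6ONLY=0):", ipv4_peer_seen_by_v6_listener(False))
    print("ipv6_v6only on:", ipv4_peer_seen_by_v6_listener(True))
```

With the Linux default (bindv6only=0) the first call reports the IPv4 client as `::ffff:127.0.0.1`, which is why a single `listen ::` instance would otherwise swallow the IPv4 traffic meant for the separate IPv4-only instance; with IPV6_V6ONLY set the IPv4 connection is refused and a second instance can bind 0.0.0.0 on the same port.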