Never mind why but I have just been setting up some network related software on a Raspberry Pi. One of these softwares was Squid3. There are lots of guides out there to creating a web cache with a Raspberry Pi and I've been using several of them however, I ran into a problem that none of them mention....
My set up is that I have the Pi sitting on my home network. (Its name is rcjd-pi-2 and I can access it with the name rcjd-pi-2.local. The name works fine for ping-ing it, ssh-ing to it and setting it up as a web-proxy). I have a number of other machines on the network, for the purposes of this post, the only one which really matters is my laptop which is wired into the same access point (Apple Airport Extreme previous generation (n)).
I set up Squid and set my laptop 's laptop's http proxy to be "rcjd-pi-1:3128". Running ps and netstat on the Pi showed that Squid was running and listening on port 3128. However,
although a small amount of surfing got done (the first access to a site?) it turns out that subsequently access were be blocked.
I checked and checked the squid.config file against the various instructions. Yes, I had
- http_access allow localness
uncommented as required, yes I had
- acl localnet src 10.0.xxx.0/24
uncommented and the xxx set correctly. But something was wrong.
Then, glancing between the access log and the configuration file I noticed there was an option to uncomment
- acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machine
in the configuration file. Strangely the log contained entries with IPv6 addresses in them such as
- fe80::225:4bff:fec9:2118 TCP_DENIED/403 3976 GET http://images.apple.com...
Could that be it?
It still leaves open the question of whether I need to allow accesses from the IPv6 local private network range. I suspect it might be the correct thing to do but I'll leave it closed for now.