How to make Ubuntu honor "ignore-hosts" proxy settings for IPv6?

I just typed under "dconf-editor", System → Proxy → ignore-hosts, the following content:

['localhost', '127.0.0.0/8', '::1', '192.168.0.1', '2000::/3', 'fc00::/8']

But, Google Chrome (and apt-get update / upgrade) are just ignoring this setting.

EDITED: Also, Firefox doesn't honor the ignore-hosts settings, even configuring it to "Use system proxy settings".

For example, my Proxy Server (Ubuntu with Squid3) is in dual-stacked mode BUT, I do NOT want to access IPv6 web sites through the Proxy, that's why I'm trying to ignore the entire IPv6 Internet with the entry 2000::/3, but, it does not work as expected.

EDITED: Also, I don't need the proxy to access Hyperboria sites, which reside under fc00::/8 but, it doesn't work either...

Why am I doing this?

Because my environment is already an IPv6-Only Network and, to access the old internet infrastructure (IPv4-Only), I need to go through the dual-stacked proxy. But I need the proxy only when a web site doesn't have IPv6...

How can I know that it doesn't work?!

It is simple, just access a web site that shows an IPv6 address on it, for example, http://www.sixxs.net or http://ipv6.whatismyv6.com, then, I'm still seeing the IPv6 address of the Proxy Server, so, "ignore-hosts entry '2000::/3'" doesn't seem to be working.

EDITED: Plus, when I'm trying to access a Hyperboria website, Squid returns an error that it can not reach fc00::/8 network

(Squid ERROR: (101) Network is unreachable)

(of course it can't, the cjdns router is running right on my Ubuntu Desktop, so, no need to go through proxy when browsing Hyperboria fc00::/8 but, Ubuntu isn't honoring ignore-hosts under proxy settings.)


Solution 1:

It looks like this won't work with Gnome proxy settings. The ignore-hosts setting works for hostnames, addresses and address ranges, but apparently does not resolve hostnames before checking against addresses.

From the ignore-hosts documentation (emphasis by me):

Also note that hostname exclusions apply only to connections made to hosts identified by name, and IP address exclusions apply only to connections made to hosts identified by address. That is, if example.com has an address of 192.168.1.1, and the :ignore-hosts list contains only "192.168.1.1", then a connection to "example.com" (eg, via a GNetworkAddress) will use the proxy, and a connection to "192.168.1.1" (eg, via a GInetSocketAddress) will not.
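
The name-versus-address rule quoted above, modelled as an added example (not GLib's code and not part of the original answer). It handles only exact hostnames and address/range entries, the kinds present in the question's list; `SAMPLE_DNS`, the `.example` names and both function names are constructed for illustration.

```python
import ipaddress

# The ignore-hosts list from the question.
IGNORE_HOSTS = ['localhost', '127.0.0.0/8', '::1', '192.168.0.1',
                '2000::/3', 'fc00::/8']

# Constructed sample DNS data (documentation addresses); stands in for a resolver.
SAMPLE_DNS = {
    'v6site.example': ['2001:db8::10'],   # site with an AAAA record
    'legacy.example': ['198.51.100.7'],   # IPv4-only site
}

def _as_network(entry):
    """ip_network for address/range entries, None for hostname entries."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def _as_address(host):
    """ip_address for IP literals (brackets allowed), None for names."""
    try:
        return ipaddress.ip_address(host.strip('[]'))
    except ValueError:
        return None

def bypass_as_documented(host, ignore=IGNORE_HOSTS):
    """Names are compared only with name entries, literals only with address entries."""
    addr = _as_address(host)
    for entry in ignore:
        net = _as_network(entry)
        if addr is not None and net is not None:
            if addr.version == net.version and addr in net:
                return True
        elif addr is None and net is None:
            if host.lower() == entry.lower():
                return True
    return False

def bypass_if_resolved(host, ignore=IGNORE_HOSTS, dns=SAMPLE_DNS):
    """What the question expects: resolve the name first, then test its addresses."""
    if bypass_as_documented(host, ignore):
        return True
    return any(bypass_as_documented(a, ignore) for a in dns.get(host, []))
```

A browser asked for a site by name takes the first path, so `2000::/3` is never consulted; only a component that resolves before deciding (a PAC script or the proxy itself) behaves like the second function.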

Solution 2:

For Google Chrome and Chromium you can create a machine wide policy file.

Linux Chrome Administrator Quick Start Guide

Here are various proxy settings and descriptions from the Policy Template:

  // Proxy bypass rules
  //-------------------------------------------------------------------------
  // Google Chrome will bypass any proxy for the list of hosts given here.  This
  // policy only takes effect if you have selected manual proxy settings at
  // 'Choose how to specify proxy server settings'.  You should leave this
  // policy not set if you have selected any other mode for setting proxy
  // policies.  For more detailed examples, visit:
  // http://www.chromium.org/developers/design-documents/network-settings#TOC-
  // Command-line-options-for-proxy-sett

  //"ProxyBypassList": "http://www.example1.com,http://www.example2.com,http://internalsite/",

  // Choose how to specify proxy server settings
  //-------------------------------------------------------------------------
  // Allows you to specify the proxy server used by Google Chrome and prevents
  // users from changing proxy settings.  If you choose to never use a proxy
  // server and always connect directly, all other options are ignored.  If you
  // choose to use system proxy settings or auto detect the proxy server, all
  // other options are ignored.  If you choose fixed server proxy mode, you can
  // specify further options in 'Address or URL of proxy server' and 'Comma-
  // separated list of proxy bypass rules'.  If you choose to use a .pac proxy
  // script, you must specify the URL to the script in 'URL to a proxy .pac
  // file'.  For detailed examples, visit: http://www.chromium.org/developers
  // /design-documents/network-settings#TOC-Command-line-options-for-proxy-sett
  // If you enable this setting, Google Chrome ignores all proxy-related options
  // specified from the command line.  Leaving this policy not set will allow
  // the users to choose the proxy settings on their own.

  //"ProxyMode": "direct",

  // URL to a proxy .pac file
  //-------------------------------------------------------------------------
  // You can specify a URL to a proxy .pac file here.  This policy only takes
  // effect if you have selected manual proxy settings at 'Choose how to specify
  // proxy server settings'.  You should leave this policy not set if you have
  // selected any other mode for setting proxy policies.  For detailed examples,
  // visit: http://www.chromium.org/developers/design-documents/network-settings
  // #TOC-Command-line-options-for-proxy-sett

  //"ProxyPacUrl": "http://internal.site/example.pac",

  // Address or URL of proxy server
  //-------------------------------------------------------------------------
  // You can specify the URL of the proxy server here.  This policy only takes
  // effect if you have selected manual proxy settings at 'Choose how to specify
  // proxy server settings'.  You should leave this policy not set if you have
  // selected any other mode for setting proxy policies.  For more options and
  // detailed examples, visit: http://www.chromium.org/developers/design-
  // documents/network-settings#TOC-Command-line-options-for-proxy-sett

  //"ProxyServer": "123.123.123.123:8080",

  // Enable or disable PIN-less authentication
  //-------------------------------------------------------------------------
  // If this setting is enabled or not configured, then users can opt to pair
  // clients and hosts at connection time, eliminating the need to enter a PIN
  // every time.  If this setting is disabled, then this feature will not be
  // available.

Solution 3:

I don't know how to make Ubuntu obey that setting, but there might be workarounds:

  • APT follows settings in /etc/apt/apt.conf or the environment variables (such as http_proxy). The man pages for apt.conf don't mention dconf settings, so I think apt doesn't check them. To specify sites for which apt should ignore proxy, add to /etc/apt/apt.conf:

    Acquire::http::Proxy::<hostname/ip> "DIRECT";
    

    I think this can't be done for ranges or subnets, and you'll need an entry for each host to exclude.

  • Chrome honours the no_proxy environment variable, so one might try using that:

    no_proxy=localhost,127.0.0.0/8,::1,192.168.0.1,2000::/3,fc00::/8 google-chrome
    

    Define no_proxy in /etc/environment to ensure its availability everywhere. Other programs are known to honour this variable too.

  • Lastly, you might consider running two squid servers. The new one will use your current one as a parent, but only for certain hosts, using the allow_direct/never_direct settings. Then set the new one as the proxy server everywhere (/etc/apt/apt.conf, /etc/environment, the dconf entries). I don't know much about dual stack networking, so I don't know if this would work, but it's worth a mention.

I don't use dual stack networking, but since I am behind a campus proxy, I have to juggle proxy settings, and I find that the last option is best. Let squid do the juggling.