From 95c5b6eab1ab292c95ad3c1eb7ac729dee6757a5 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 28 Aug 2019 19:18:33 +0100
Subject: [PATCH 1/1] Disable IPv6 support in squid on machines with no IPv6

---
 cookbooks/squid/recipes/default.rb | 5 +++++
 cookbooks/squid/templates/default/squid.conf.erb | 3 ---
 cookbooks/systemd/resources/service.rb | 1 +
 cookbooks/systemd/templates/default/service.erb | 3 +++
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/cookbooks/squid/recipes/default.rb b/cookbooks/squid/recipes/default.rb
index fe5077bcd..e3faae46b 100644
--- a/cookbooks/squid/recipes/default.rb
+++ b/cookbooks/squid/recipes/default.rb
@@ -85,6 +85,10 @@ systemd_tmpfile "/var/run/squid" do
 mode "0755"
 end
 
+address_families = %w[AF_UNIX AF_INET]
+
+address_families << "AF_INET6" unless node.interfaces(:family => :inet6).empty?
+
 systemd_service "squid" do
 description "Squid caching proxy"
 after ["network.target", "nss-lookup.target"]
@@ -98,6 +102,7 @@ systemd_service "squid" do
 private_devices true
 protect_system "full"
 protect_home true
+restrict_address_families address_families
 restart "on-failure"
 timeout_sec 0
 end
diff --git a/cookbooks/squid/templates/default/squid.conf.erb b/cookbooks/squid/templates/default/squid.conf.erb
index 2861daa92..775f5ec6c 100644
--- a/cookbooks/squid/templates/default/squid.conf.erb
+++ b/cookbooks/squid/templates/default/squid.conf.erb
@@ -19,9 +19,6 @@ log_icp_queries off
 http_port 80 accel defaultsite=tile.openstreetmap.org tcpkeepalive=60,10,6 http11
 <% else -%>
 http_port 80 accel no-vhost defaultsite=tile.openstreetmap.org tcpkeepalive=60,10,6
-
-#prefer IPv4 until everything is upgraded
-dns_v4_first on
 <% end -%>
 
 cache_effective_user proxy
diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index b01f6787b..2f677f775 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
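Review bot: The allow-list built at `address_families = %w[AF_UNIX AF_INET]` carries no comment saying that it ends up in the unit's RestrictAddressFamilies= and that leaving AF_INET6 out is, going by the commit title, what turns IPv6 off for squid; a line such as `# Allow-list for RestrictAddressFamilies=; AF_INET6 is left out on hosts without IPv6 so squid cannot open IPv6 sockets` above it would make that visible. Because this is an allow-list, every other family is refused for the service as well, AF_NETLINK included, so it is worth confirming on a test host that squid and its helpers still start and resolve names with only these families. What `node.interfaces(:family => :inet6)` counts is not visible in this hunk; if it can return loopback or link-local-only entries, the `unless ... empty?` test would keep AF_INET6 on hosts that have no usable IPv6.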
@@ -57,6 +57,7 @@ property :private_devices, [TrueClass, FalseClass]
 property :private_network, [TrueClass, FalseClass]
 property :protect_system, [TrueClass, FalseClass, String]
 property :protect_home, [TrueClass, FalseClass, String]
+property :restrict_address_families, [String, Array]
 property :no_new_privileges, [TrueClass, FalseClass]
 property :timeout_sec, Integer
 property :pid_file, String
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index 9620d1c8d..ed117c24e 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -93,6 +93,9 @@ ProtectSystem=<%= @protect_system %>
 <% if @protect_home -%>
 ProtectHome=<%= @protect_home %>
 <% end -%>
+<% if @restrict_address_families -%>
+RestrictAddressFamilies=<%= Array(@restrict_address_families).join(" ") %>
+<% end -%>
 <% if @no_new_privileges -%>
 NoNewPrivileges=<%= @no_new_privileges %>
 <% end -%>
-- 
2.43.2
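Review bot: An empty value passes straight through the new `restrict_address_families` property and the guard added in the service.erb hunk: `[]` and `""` are both truthy in Ruby, so `<% if @restrict_address_families -%>` still renders and the join produces a bare `RestrictAddressFamilies=`, which systemd documents as resetting the list rather than denying every family. A caller that computes the list and ends up with nothing would get an unrestricted unit with no error. Rejecting the empty case in the resource, e.g. `property :restrict_address_families, [String, Array], :callbacks => { "must not be empty" => ->(v) { !Array(v).join.empty? } }`, or guarding the template with `<% unless Array(@restrict_address_families).join.empty? -%>`, keeps the hardening from failing open. The property also has no comment noting that the value is an allow-list unless it is prefixed with `~`.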