[Question] Please help troubleshooting my Caddy server. Can't get it to work since changing from IPv4 to IPv6

toothpaste_sandwich@feddit.nl · 11 months ago

[Question] Please help troubleshooting my Caddy server. Can't get it to work since changing from IPv4 to IPv6

gerdesj · 11 months ago

Best of luck. Let us know how you get on

toothpaste_sandwich@feddit.nl · edit-2 11 months ago

Well, I set up a basic nginx server and disabled Caddy. The nginx server only serves http for now, not https.

I used the basic nginx.conf and added my IPv6 address like so:

#user http;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        listen [::]:80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

I can reach the webpage through the local IP (v4) address, but not online using the IPv6 address. Testing with a port checking tool does show that port 80 is open. I tried testing with my smartphone with wifi disconnected, too, but still no success… Any ideas on what I could try? I’m searching for tutorials for setting up an IPv6 nginx server but so far I’m not seeing a big difference with what I’m doing.

Yes, using now-dns.com is different from paying for a host name, but in theory entering the plain IPv6 address in square brackets in Firefox should also work, right?

gerdesj · 11 months ago

I can see that you have bound nginx to port 80 on both IPv4 and 6 - the two Listen directives.

Can you get to it locally via IPv6 as well as IPv4?
Can you get to it via IPv4 externally?

Let’s get right down to basics:

ping -6 google.com - from the web server, does it work?
ping -6 google.com - from your PC/laptop.phone, does it work?
https://test-ipv6.com

I’m on GMT+1/BST/UTC+1 so its a bit late now. I’ll pick up tomorrow pm

toothpaste_sandwich@feddit.nl · edit-2 11 months ago

Thanks for all the pointers! Let’s see, I’ll take this one by one.

Can you get to it locally via IPv6 as well as IPv4?

Well, turns out reaching a link-local address with a browser is not really easy to do, but tried with SSH port forwarding and that seems to work, at least…

(I used this command on my PC:

ssh -N -L '8082:127.0.0.1:80' fe80::dea6:32ff:fe54:67fb%eno1

where fe80::dea6:32ff:fe54:67fb%eno1 is the link-local address of my server. Then I browsed to 127.0.0.1:8082 on my PC.)

Can you get to it via IPv4 externally?

I hadn’t thought of testing this! Yes, I can. I also tested by navigating to the IPv4 address with my phone on data (so without wifi)

ping -6 google.com[1] - from the web server, does it work?

It does, yes.

ping -6 google.com[2] - from your PC/laptop.phone, does it work?

Likewise, yes, this works.

https://test-ipv6.com

This works, at least from my PC. I tried to reach it from the server using w3m for the heck of it but without Javascript that didn’t work. Alas.

I really appreciate your help, I hope we can get to the bottom of this. Otherwise I think I’ll just revert to IPv4, as that will probably still work. But I can’t stand IPv6 not working!

gerdesj · 11 months ago

As well as a link local address you should also have one or more globally routeable ones too. Hopefully you have at least one of those set up in DNS with a AAAA address. Therefore you should be able to put the address of your web server into your browser and off it goes. In theory IPv6 should be preferred by your browser, so even if both an A record and a AAAA record resolve for the name, IPv6 should kick in.

A quick check would be:

$ host mywebserver.example.co.uk

That should return an IPv4 and an IPv6 address. The IPv6 address is the same for internal and external - there is no distinction, which can be surprising if you are used to IPv4 and NAT. The final bit of the equation is that your internet router needs to allow access “from all to globally routeable ipv6 address of the web server”.

toothpaste_sandwich@feddit.nl · edit-2 11 months ago

Hopefully you have at least one of those set up in DNS with a AAAA address.

I suspect that this is not the case, but also I’m not sure how I would set this up. Is that something I should configure on my internet router? This is what the DNS settings there look like at the moment:

A quick check would be:

$ host mywebserver.example.co.uk

Well, that gives me this:

host myserver.now-dns.net 
myserver.now-dns.net has address 192.168.1.96
myserver.now-dns.net has IPv6 address (my global IPv6 address here)
myserver.now-dns.net mail is handled by 1 myserver.now-dns.net.

Entering my IPv6 address between square brackets in the browser still doesn’t load, though.

The final bit of the equation is that your internet router needs to allow access “from all to globally routeable ipv6 address of the web server”.

Is that the same as setting a DMZ for IPv6 to the web server? That’s an option I could find in the router settings, though enabling it didn’t seem to make any difference…

gerdesj · 11 months ago

You don’t need to put the IPv6 address into your browser. The host command shows that you have got DNS sorted - try:

$ dig @9.9.9.9 myserver.now-dns.net AAAA

That should return an IPv6 address and the @9.9.9.9 means: use the Quad9 DNS server - 1.1.1.1 or 8.8.8.8 will also try external DNS servers - CloudFlare and Google. Hopefully that’s naming sorted out.

Now to actual access. Your router will (probably), by default, block all inbound connections. I’ve just had a look at your screenshot and it has a menu entry: “Port forwarding IPv6”. IPv6 doesn’t need port forwarding really but I suspect that is how you allow access. I am now guessing. There is such a thing as IPv6 NAT and something called NPT (Network Prefix Translation) which is not for the faint of heart!

Have a look around in that menu a screen shot might help.

It might help if you tell us where you are (very roughly - country and perhaps city), your ISP and router model. I can get you to the point of all of this working but there are rather a lot of unknowns. I can see that your router offers Dutch or English so I will guess you are from the Netherlands.

toothpaste_sandwich@feddit.nl · 11 months ago

Oh, I forgot, there’s one more setting regarding IPv6:

In the port forwarding section for IPv6 instead of making a port be TCP or UDP, I can also select something called ICMPv6 REQ. I had already enabled this to test if it did anything, but it didn’t seem so.

gerdesj · 11 months ago

That is for ping. ICMP v6 REQ: REQ means request and is a NAT type of terminology. A firewall rule allows some form of inbound traffic - here ICMP ping inbound (REQ), and then creates a state entry which allows the corresponding return traffic (RESP or response) - pong!

ping can be useful to determine connectivity and that rule will not open you up to anything nasty.

Your router seems to have been designed by someone who gives a shit about security, which is a good sign.

toothpaste_sandwich@feddit.nl · 11 months ago

$ dig @9.9.9.9 myserver.now-dns.net AAAA

It does indeed return my IPv6 address! Good to know that that works, at least.

IPv6 doesn’t need port forwarding really but I suspect that is how you allow access

Yes, I had the same thought. I had read that IPv6 doesn’t open ports per se but rather allows access in a firewall or something like that.

Have a look around in that menu a screen shot might help.

Unfortunately the amount of settings for IPv6 is quite scarce.

I can set up a DMZ for IPv6:

I can “open ports” (the screenshot I already posted basically shows all I can do there: https://feddit.nl/pictrs/image/e0a39af4-aef5-4a15-a6e7-ec78621a704a.png)
I can either turn on IPv6 or turn it off:

…and as far as I could find, that rounds off all the settings to do with IPv6.

It might help if you tell us where you are (very roughly - country and perhaps city), your ISP and router model. I can get you to the point of all of this working but there are rather a lot of unknowns. I can see that your router offers Dutch or English so I will guess you are from the Netherlands.

That’s right, I’m in the Netherlands, in Utrecht to be exact. My ISP is Youfone and the router model is a ZTE H369A

Thanks again for all your help!

gerdesj · 11 months ago

That IPv6 forwarding page is strange. IPv6 does not need forwarding.

Anyway, I am trying to find a manual for your router. A Google search shows that it is probably NL localized and probably Asian manufactured for NL ISPs. Are you able to get a manual from your ISP? Their website looks just like one of ours - no help at all. I have also tried searching on the model and not much comes back.

I’m off on holidays for a few days. I’ll be back on dinsdag/tuesday (08/08/2023).

toothpaste_sandwich@feddit.nl · 11 months ago

By the way—don’t know how relevant this is, but there’s two ways for “port forwarding” on my router for IPv6:

I can either use the MAC address of my server or use the IPv6 address.

When I use the MAC address, scanning the opened port 80 works with online port scanning tools, but when I use the link-local address, the port appears closed. Not sure if that means anything, but I figured more information can’t hurt.