• 2 Posts
  • 16 Comments
Joined 2 years ago
cake
Cake day: June 9th, 2023

help-circle










  • Hopefully you have at least one of those set up in DNS with a AAAA address.

    I suspect that this is not the case, but also I’m not sure how I would set this up. Is that something I should configure on my internet router? This is what the DNS settings there look like at the moment:

    A quick check would be:

    $ host mywebserver.example.co.uk

    Well, that gives me this:

    host myserver.now-dns.net 
    myserver.now-dns.net has address 192.168.1.96
    myserver.now-dns.net has IPv6 address (my global IPv6 address here)
    myserver.now-dns.net mail is handled by 1 myserver.now-dns.net.
    

    Entering my IPv6 address between square brackets in the browser still doesn’t load, though.

    The final bit of the equation is that your internet router needs to allow access “from all to globally routeable ipv6 address of the web server”.

    Is that the same as setting a DMZ for IPv6 to the web server? That’s an option I could find in the router settings, though enabling it didn’t seem to make any difference…



  • Thanks for all the pointers! Let’s see, I’ll take this one by one.

    • Can you get to it locally via IPv6 as well as IPv4?

    Well, turns out reaching a link-local address with a browser is not really easy to do, but tried with SSH port forwarding and that seems to work, at least…

    (I used this command on my PC:

    ssh -N -L '8082:127.0.0.1:80' fe80::dea6:32ff:fe54:67fb%eno1

    where fe80::dea6:32ff:fe54:67fb%eno1 is the link-local address of my server. Then I browsed to 127.0.0.1:8082 on my PC.)

    • Can you get to it via IPv4 externally?

    I hadn’t thought of testing this! Yes, I can. I also tested by navigating to the IPv4 address with my phone on data (so without wifi)

    • ping -6 google.com[1] - from the web server, does it work?

    It does, yes.

    • ping -6 google.com[2] - from your PC/laptop.phone, does it work?

    Likewise, yes, this works.

    This works, at least from my PC. I tried to reach it from the server using w3m for the heck of it but without Javascript that didn’t work. Alas.

    I really appreciate your help, I hope we can get to the bottom of this. Otherwise I think I’ll just revert to IPv4, as that will probably still work. But I can’t stand IPv6 not working!


  • Well, I set up a basic nginx server and disabled Caddy. The nginx server only serves http for now, not https.

    I used the basic nginx.conf and added my IPv6 address like so:

    #user http;
    worker_processes  1;
    
    #error_log  logs/error.log;
    #error_log  logs/error.log  notice;
    #error_log  logs/error.log  info;
    
    #pid        logs/nginx.pid;
    
    
    events {
        worker_connections  1024;
    }
    
    
    http {
        include       mime.types;
        default_type  application/octet-stream;
    
        #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
        #                  '$status $body_bytes_sent "$http_referer" '
        #                  '"$http_user_agent" "$http_x_forwarded_for"';
    
        #access_log  logs/access.log  main;
    
        sendfile        on;
        #tcp_nopush     on;
    
        #keepalive_timeout  0;
        keepalive_timeout  65;
    
        #gzip  on;
    
        server {
            listen       80;
            listen [::]:80;
            server_name  localhost;
    
            #charset koi8-r;
    
            #access_log  logs/host.access.log  main;
    
            location / {
                root   /usr/share/nginx/html;
                index  index.html index.htm;
            }
    
            #error_page  404              /404.html;
    
            # redirect server error pages to the static page /50x.html
            #
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   /usr/share/nginx/html;
            }
    
            # proxy the PHP scripts to Apache listening on 127.0.0.1:80
            #
            #location ~ \.php$ {
            #    proxy_pass   http://127.0.0.1;
            #}
    
            # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
            #
            #location ~ \.php$ {
            #    root           html;
            #    fastcgi_pass   127.0.0.1:9000;
            #    fastcgi_index  index.php;
            #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            #    include        fastcgi_params;
            #}
    
            # deny access to .htaccess files, if Apache's document root
            # concurs with nginx's one
            #
            #location ~ /\.ht {
            #    deny  all;
            #}
        }
    
    
        # another virtual host using mix of IP-, name-, and port-based configuration
        #
        #server {
        #    listen       8000;
        #    listen       somename:8080;
        #    server_name  somename  alias  another.alias;
    
        #    location / {
        #        root   html;
        #        index  index.html index.htm;
        #    }
        #}
    
    
        # HTTPS server
        #
        #server {
        #    listen       443 ssl;
        #    server_name  localhost;
    
        #    ssl_certificate      cert.pem;
        #    ssl_certificate_key  cert.key;
    
        #    ssl_session_cache    shared:SSL:1m;
        #    ssl_session_timeout  5m;
    
        #    ssl_ciphers  HIGH:!aNULL:!MD5;
        #    ssl_prefer_server_ciphers  on;
    
        #    location / {
        #        root   html;
        #        index  index.html index.htm;
        #    }
        #}
    
    }
    

    I can reach the webpage through the local IP (v4) address, but not online using the IPv6 address. Testing with a port checking tool does show that port 80 is open. I tried testing with my smartphone with wifi disconnected, too, but still no success… Any ideas on what I could try? I’m searching for tutorials for setting up an IPv6 nginx server but so far I’m not seeing a big difference with what I’m doing.

    Yes, using now-dns.com is different from paying for a host name, but in theory entering the plain IPv6 address in square brackets in Firefox should also work, right?




  • Thanks for your reply!

    First, in your caddyfile, “my.server” should reflect the real address used for access. Something like “jellyfin.my-domain.com”. This is important for the tls certificate to be generated correctly.

    Ah yes, I wasn’t clear in my original post—I had censored the address of my actual web address myself. In actuality it is more like this:

    {
    	debug
    	
    }
    
    # Jellyfin:
    myserver.now-dns.net:26347,
    myserver.now-dns.net:443,
    [my ipv6]:26347 {
    	header / {
    		# Enable cross-site filter (XSS) 
    		# and tell browser to block detected attacks    
    		X-Frame-Options "Deny"
    		Content-Security-Policy "
    	            default-src 'self' data: blob:;
    	            style-src 'self' 'unsafe-inline' bootstrapcdn.com *.bootstrapcdn.com https://ctalvio.github.io/Monochromic/default_style.css https://ctalvio.github.io/Monochromic/jfblue_style.css https://ctalvio.github.io/Monochromic/jfpurple_style.css https://ctalvio.github.io/Monochromic/bottom-progress_style.css https://ctalvio.github.io/Monochromic/customcolor-advanced_style.css https://ctalvio.github.io/Monochromic/improve-performance_style.css https://fonts.googleapis.com/css2;
    	            script-src 'self' 'unsafe-inline' bootstrapcdn.com *.bootstrapcdn.com googleapis.com *.googleapis.com https://www.gstatic.com/cv/js/sender/v1/cast_sender.js worker-src 'self' blob:;
    	            font-src 'self' bootstrapcdn.com *.bootstrapcdn.com;
    	            img-src data: 'self' imgur.com *.imgur.com;
    	            form-action 'self';
    	            connect-src 'self' pokeapi.co;
    	            frame-ancestors 'self';
    	            report-uri {$CSP_REPORT_URI}
    	        "
    	}
    	reverse_proxy 127.0.0.1:8093
    	#reverse_proxy localhost:8093
    }
    
    # Nextcloud:
    myserver.now-dns.net:65001 {
    	root * /usr/share/webapps/nextcloud
    	file_server
    	#        log {
    	#                output file     /var/log/caddy/myserver.now-dns.net.log
    	#                format single_field common_log
    	#        }
    
    	#php_fastcgi 127.0.0.1:9000
    	#php_fastcgi unix//run/php-fpm/php-fpm.sock # veranderd naar correcte adres uit /etc/php/php-fpm.d/www.conf
    	php_fastcgi unix//run/nextcloud/nextcloud.sock # veranderd naar nieuwe correcte adres uit /etc/php/php-fpm.d/nextcloud.conf
    
    	header {
    		# enable HSTS
    		Strict-Transport-Security max-age=31536000;
    	}
    
    	redir /.well-known/carddav /remote.php/dav 301
    	redir /.well-known/caldav /remote.php/dav 301
    
    	# .htaccess / data / config / ... shouldn't be accessible from outside
    	@forbidden {
    		path /.htaccess
    		path /data/*
    		path /config/*
    		path /db_structure
    		path /.xml
    		path /README
    		path /3rdparty/*
    		path /lib/*
    		path /templates/*
    		path /occ
    		path /console.php
    	}
    
    	respond @forbidden 404
    }
    

    Where I replaced myserver by my actual name. I also updated my original post to reflect this just now.

    Once updated, pull out a cell phone, turn off wifi (use LTE/5G), and verify it can connect to your site. This makes sure you can access from outside your home network.

    Yes, I have done this a lot over the past few months (in the hopes that the problem would’ve somehow fixed itself) but no dice.

    Once confirmed working, try again from your home network. Most likely the page will timeout. This will be due to DNS pointing you back to your own network, which can cause trouble. This can be solved several ways. One is by adding a static DNS entry which points to the IP of your caddy server. You can do this on a per system basis in the hosts file, or at the lan level with you DNS server or router, assuming it allows you to add a custom DNS entry. I do this with my Mikrotik router.

    Well, from my home network I just used the internal (IPv4) address to connect to Jellyfin, and that still works. Nextcloud did not work. I’ll play around with this once I get the server working again externally.

    But yeah, no, I’m afraid I had already taken the steps you outlined here. Any further ideas would be appreciated!