IPv4 to IPv6 Proxy configuration
What is this?
Our IPv4 to IPv6 reverse proxies allow you to host a website on an IPv6-only server and make it accessible to all users, including those who only have an IPv4 connection.
Why is this needed?
IPv4 addresses are in short supply, which is why we offer cheaper, IPv6-only servers. Unfortunately, not all users have an IPv6-enabled connection yet, and so would not normally be able to view a site on an IPv6-only server.
What problem does this solve?
Our IPv4 to IPv6 reverse proxy will relay traffic for common services, such as HTTP and HTTPS, from a shared IPv4 address to your server's IPv6 address, making your website accessible to users on an IPv4-only connection.
Important information to remember
To use this service, the domains that you wish to host websites on must be known to our control panel. If the domain is not registered through us, you can add it as a "third party domain".
Our proxies will also relay IPv6 traffic, which can simplify configuration, as you can direct all traffic to your site by the same route.
HTTPS and other secure services
Our proxy uses Server Name Indication (SNI) to pass HTTPS and certain other secure protocols through to your server without decrypting the traffic. This means that we don't need access to your certificate.
Configuring a reverse proxy
Head to the IPv4 to IPv6 Reverse Proxy section, under Servers, in the control panel.
Enter the hostname, and select the domain you wish to use. So if you wish to host www.example.com, set the hostname to www and select example.com from the list of domains.
If you wish to host a website on the bare domain name (e.g. https://example.com) you should enter a hostname of @.
Enter the IPv6 address of your server in the Endpoint address field and then press the Add button.
You should leave the location set to the default of 'ALL' which will use all available proxies.
Next, you need to update the DNS records for your domain to direct traffic to our proxy servers. The best way to use the proxies is to set up a CNAME or ANAME record, pointing to proxy.mythic-beasts.com.
Generally, if you are setting up a record for a hostname within your domain (e.g. www.example.com) you can, and should, use a CNAME. If you are setting up a record for a bare domain (e.g. example.com) you won't be able to use a CNAME record, and you should use an ANAME pseudo-record instead.
For almost every hostname, you can use CNAME records instead, which require less configuration. However, if you already have a hostname configured (for example sub.domain.tld as MX, and sub.domain.tld as AAAA), you must use the AAAA and A records.
If the DNS for your domain is not managed by Mythic Beasts, and you are unable to use either a CNAME or ANAME record, then you can use A and AAAA records using the details below.
Example
As an example, to create a working proxy for www.mydomain.tld you would need to put the following parts into the Reverse Proxy and Manage DNS pages:
..in the IPv4 to IPv6 Reverse Proxy section
Hostname | Domain | Data centre | Endpoint address |
---|---|---|---|
www | mydomain.tld | ALL | 2001:db8:0::1 |
..in the Manage DNS section
Hostname | Type | Data |
---|---|---|
www | CNAME | proxy.mythic-beasts.com. |
@ | ANAME | proxy.mythic-beasts.com. |
Done!
Please note that our reverse proxies only update their configuration once every five minutes, and there may also be delays before DNS changes are fully active.
Worked example
There is a walkthrough on our blog about how to host a website on an IPv6-only Raspberry Pi server, though most of the instructions will apply to any kind of server.
Advanced users
PROXY protocol
One disadvantage of using the proxy service is that all requests will appear to come from our proxy server, rather than from the end user. This means that the end user's IP address will not be visible in your server logs, and it will prevent IP-based access controls. To a large extent this can be addressed by using PROXY protocol, a protocol which adds an additional header to all requests that includes the actual client IP address. In order to use this, you will need to configure your server software to handle PROXY protocol. At time of writing, nginx has native support for PROXY protocol, and Apache has support in the form of an optional module.
If you enable PROXY protocol, you should take steps (e.g. a firewall) to only accept HTTP/HTTPS requests from our proxy servers, as otherwise it is trivial for third parties to spoof their IP address.
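The trust decision behind that firewall advice, as an added Python sketch (not Mythic Beasts' code, and not a replacement for your web server's own PROXY protocol support): the header is honoured only when the TCP peer is a known proxy. It assumes the version 1 text header from the HAProxy PROXY protocol specification and that the proxies connect from the AAAA addresses listed under "Proxy details"; `parse_proxy_v1` and `effective_client` are hypothetical names.

```python
import ipaddress

# Assumption: the proxies connect to the backend from the AAAA addresses
# listed under "Proxy details"; confirm the real source addresses first.
TRUSTED_PROXIES = {
    ipaddress.ip_address("2a00:1098::82:1000:3b:1:1"),
    ipaddress.ip_address("2a00:1098::80:1000:3b:1:1"),
}
MAX_V1_HEADER = 107  # longest possible v1 line, including CRLF


def parse_proxy_v1(data: bytes):
    """Return (client_ip, client_port, rest); client_ip is None for UNKNOWN."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1 or not data.startswith(b"PROXY "):
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii", "strict").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad PROXY v1 field layout")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return src, sport, rest


def effective_client(peer_ip: str, data: bytes):
    """Decide which address to log and apply access controls to."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Untrusted peer: any PROXY header it sends is unverified, so refuse.
        raise PermissionError(f"PROXY header from untrusted peer {peer}")
    client, _port, rest = parse_proxy_v1(data)
    return (client or peer), rest


if __name__ == "__main__":
    # Constructed sample: a header as a trusted proxy would send it.
    sample = b"PROXY TCP4 203.0.113.7 46.235.225.189 51234 443\r\nGET / HTTP/1.1\r\n"
    print(effective_client("2a00:1098::82:1000:3b:1:1", sample))
```
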
Configuring your server for PROXY protocol
Most web servers have support for PROXY protocol. In the case of apache2 and nginx, this can be done as follows.
NGINX
Append proxy_protocol to your listen directive:
server {
    listen 80 proxy_protocol;
    listen 443 ssl proxy_protocol;
    ...
}
Apache 2.4.30 and above
Enable the remoteip module in apache2 with a2enmod remoteip and append the following directive to your configuration:
RemoteIPProxyProtocol On
Apache 2.4.29 and below
This guide assumes you are using an apt-based packaging distribution (Debian, Ubuntu, ...). For older versions, you will need to add support via a third-party module, mod_proxy_protocol.
This is a little more involved, as the necessary module isn’t currently packaged as part of the standard Apache distribution (although this is changing), so we need to download and build it ourselves. First some extra packages are needed:
apt-get install apache2-dev git
This will install a good number of packages, and take a few minutes to complete. Once done, you can download, install and build mod_proxy_protocol:
git clone https://github.com/roadrunner2/mod-proxy-protocol.git
cd mod-proxy-protocol
make
At this point you should be able to type make install. If this fails you may also copy the module manually into place:
cp .libs/mod_proxy_protocol.so /usr/lib/apache2/modules/
Now you can load the module:
echo "LoadModule proxy_protocol_module /usr/lib/apache2/modules/mod_proxy_protocol.so" > /etc/apache2/mods-available/proxy_protocol.load
a2enmod proxy_protocol
You will also need to configure Apache to use this new module. To do this, edit /etc/apache2/sites-enabled/000-default.conf and replace each line that contains CustomLog with the following two lines:
ProxyProtocol On
CustomLog ${APACHE_LOG_DIR}/access.log "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
This tells Apache to use PROXY protocol, and to use the supplied IP address in its log files. Now restart Apache:
systemctl reload apache2
Visit your website. If all is working, you should see actual client IP addresses in the log file, /var/log/apache2/access_log:
93.93.130.44 - - [24/Feb/2017:20:13:25 +0000] "GET / HTTP/1.1" 200 10701 "-" "curl/7.26.0"
Do not forget to firewall connections! Otherwise anyone can use PROXY protocol to forge their IP address.
Multiple backends
The service does allow the use of more than one endpoint address and will round robin between them accordingly. There is no guarantee that a client will be directed back to the same endpoint on subsequent requests.
Proxy location
The default configuration of using a CNAME or ANAME to proxy.mythic-beasts.com will cause your traffic to be split across all of our proxy servers, hosted in multiple data centres.
You may direct traffic to a specific proxy server by using the details of individual proxy servers in your DNS records. Details of IPs and hostnames for our individual proxy servers are shown below.
It is also possible to configure different proxy servers to direct traffic to different backend servers. If you have servers in different data centres, you can use this to control the path that traffic takes. Use the data center option in the control panel to restrict a particular configuration to a particular proxy server, and specify different endpoint addresses in different data centres.
Wildcard hostnames
Wildcard addresses are also supported:
Hostname | Domain | Data centre | Endpoint address |
---|---|---|---|
myhostname | mydomain | ALL | 2001:db8:0::1 |
* | mydomain | ALL | 2001:db8:0::1 |
@ | mydomain | ALL | 2001:db8:0::1 |
Proxy details
All proxies
Type | Value |
---|---|
CNAME / ANAME | proxy.mythic-beasts.com |
A | 46.235.225.189, 93.93.129.174 |
AAAA | 2a00:1098::82:1000:3b:1:1, 2a00:1098::80:1000:3b:1:1 |
London City Lifeline (CLL)
Type | Value |
---|---|
CNAME / ANAME | cll.proxy.mythic-beasts.com |
A | 46.235.225.189 |
AAAA | 2a00:1098::82:1000:3b:1:1 |
London Sovereign House (SOV)
Type | Value |
---|---|
CNAME / ANAME | sov.proxy.mythic-beasts.com |
A | 93.93.129.174 |
AAAA | 2a00:1098::80:1000:3b:1:1 |
Proxied Services
We will proxy the following services to configured backends:
Service | Port |
---|---|
HTTP | 80 |
HTTPS | 443 |
IMAPS | 993 |
SMTPS | 465 |
Gemini | 1965 |