How to enable IPv6 for your webserver (LEMP)?
What does this mean for a LEMP (ubuntu)?
* Enabling it for your linode seems simple enough.
* I found how to add an entry for IPv6 in the /etc/hosts
* The firewall ufw seems to support IPv6 by default. I have opened 3 ports (22,80,443) and when I execute the command ufw status they are listed twice ("ALLOW Anywhere" and "Allow Anywhere (v6)")
* Nginx is installed with IPv6 support. Do I have to do anything else but uncommenting "listen [::]:80 default ipv6only=on;" for the virtual hosts? I am not too sure about the ipv6only, should I remove that?
* I have configured php5-fpm to use unix sockets instead of tcp, so no changes here?
* What changes do I have to make in the Linode DNS manager?
* What changes do I have to make with my registrar?
* What about Fail2Ban?
* What about Logwatch (and postfix)?
* What about MySQL and phpmyadmin?
* Munin?
* SSH?
* awstats?
Anything I overlooked? Or should I do nothing?
Thanks.
2 Replies
@pannix:
> Nginx is installed with IPv6 support. Do I have to do anything else but uncommenting "listen [::]:80 default ipv6only=on;" for the virtual hosts? I am not too sure about the ipv6only, should I remove that?
I'm not using ipv6only, but I do explicitly list each IP I want to listen on. I have:
```
listen 192.0.2.1:80;
listen [2001:db8::123]:80;
```
I can verify this with netstat -ntl:
```
$ netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.1:80            0.0.0.0:*               LISTEN
tcp6       0      0 2001:db8::123:80        :::*                    LISTEN
```
> I have configured php5-fpm to use unix sockets instead of tcp, so no changes here?
If your applications care about IPs, they will have to deal with IPv6 addresses showing up in HTTPREMOTEADDR, etc.
> What changes do I have to make in the Linode DNS manager?
For each A record you have, add a second AAAA record with the IPv6 IP. (No square brackets or anything, just the IP.)
> What changes do I have to make with my registrar?
Nothin'! The changes have already been made (assuming you're using ns(1..5).linode.com for your nameservers). Drilling down on a Linode-hosted domain:
```
;; Received 490 bytes from 2001:500:2d::d#53(d.root-servers.net) in 39 ms
;; Received 291 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 96 ms
;; Received 307 bytes from 2600:3c01::a#53(ns2.linode.com) in 97 ms
```
> What about Fail2Ban?
> What about Logwatch (and postfix)?
> What about MySQL and phpmyadmin?
fail2ban and logwatch might choke a bit, but I use neither. postfix is happy with IPv6. MySQL doesn't need to know about IPv6, phpmyadmin doesn't care enough.
> Munin?
If you're using the ip_ plugin (the one with the magic iptables rules), it won't work with IPv6 addresses. I have forked and modified it to work
> SSH?
Happy as a clam.
> awstats?
Probably OK. Most log parsers learned long ago to not think too hard about what web servers stick in the remote address field. I think the worst that can happen is it won't recognize an IPv6 address as a network address (big-endian, resolve to group by top-level domain) and will instead try to treat it as a hostname (little-endian, resolve to group by network block). That would be a bug, if it's the case.
tl;dr: try it and see
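Added example, not part of the thread or of any tool mentioned in it: a Python sketch of what "dealing with IPv6 addresses" in the remote-address field means for a fail2ban-style log check. It assumes nginx "combined" log lines, that a dual-stack listener can log IPv4 clients in IPv4-mapped form (`::ffff:a.b.c.d`), and that IPv6 clients are grouped by /64; the sample lines, function names and threshold are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (nginx "combined" style). Addresses come from the
# documentation ranges 192.0.2.0/24 and 2001:db8::/32.
SAMPLE_LOG = [
    '192.0.2.50 - - [01/Jan/2024:10:00:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '::ffff:192.0.2.50 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '2001:db8:1:2::10 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '2001:db8:1:2:aaaa:bbbb:cccc:dddd - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    '2001:db8:1:2::11 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
    '2001:db8:9::1 - - [01/Jan/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
    'not-an-ip - - [01/Jan/2024:10:00:06 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" (\d{3}) ')

def normalize_client(addr):
    """Parse the remote address; unwrap IPv4-mapped IPv6 to plain IPv4."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def ban_key(addr, v6_prefix=64):
    """Key used for counting: the single IPv4 address, or the IPv6 /64."""
    ip = normalize_client(addr)
    if ip.version == 4:
        return str(ip)
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False))

def offenders(lines, status="401", threshold=2):
    """Return ({ban_key: count} at or above threshold, number of skipped lines)."""
    hits, skipped = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        try:
            key = ban_key(m.group(1))
        except ValueError:  # field is not an IP address at all
            skipped += 1
            continue
        if m.group(2) == status:
            hits[key] += 1
    return {k: n for k, n in hits.items() if n >= threshold}, skipped

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

Comparing raw strings instead would count `192.0.2.50` and `::ffff:192.0.2.50` as two clients, and would treat every address inside one /64 as a separate source.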