IPv4 to IPv6 Proxy configuration

What is this?

Our IPv4 to IPv6 reverse proxies allow you to host a website on an IPv6-only server and make it accessible to all users, including those who only have an IPv4 connection.

Why is this needed?

IPv4 addresses are in short supply, which is why we offer cheaper, IPv6-only servers. Unfortunately, not all users have an IPv6-enabled connection yet, and so would not normally be able to view a site on an IPv6-only server.

What problem does this solve?

Our IPv4 to IPv6 reverse proxy will relay traffic for common services, such as HTTP and HTTPS, from a shared IPv4 address to your server's IPv6 address, making your website accessible to users on an IPv4-only connection.

Important information to remember

To use this service, the domains that you wish to host websites on must be known to our control panel. If the domain is not registered through us, you can add it as a "third party domain".

Our proxies will also relay IPv6 traffic, which can simplify configuration, as you can direct all traffic to your site by the same route.

HTTPS and other secure services

Our proxy uses Server Name Indication (SNI) to pass HTTPS and certain other secure protocols through to your server without decrypting the traffic. This means that we don't need access to your certificate.

Configuring a reverse proxy

Head to IPv4 to IPv6 Reverse Proxy section, under Servers, in the control panel.

Enter the hostname, and select the domain you wish to use. So if you wish to host www.example.com, set the hostname to www and select example.com from the list of domains.

If you wish to host a website on the bare domain name (e.g. https//example.com) you should enter a hostname of @.

Enter the IPv6 address of your server in the Endpoint address field and then press the Add button.

You should leave the location set to the default of 'ALL' which will use all available proxies.

Next, you need to update the DNS records for your domain to direct traffic to our proxy servers. The best way to use the proxies is to set up a CNAME or ANAME record, pointing to proxy.mythic-beasts.com.

Generally if you are setting up a record for a hostname within your domain (e.g. www.example.com) you can, and should, use a CNAME. If you are setting up a record for a bare domain (e.g. example.com) you won't be able to use a CNAME record, and you should use an ANAME psuedo-record instead.

For almost every hostname, you can use CNAME records instead which require less configuration. However, if you already have a hostname configured (for example sub.domain.tld as MX, and sub.domain.tld as AAAA), you must use the AAAA and A records.

If the DNS for your domain is not managed by Mythic Beasts, and you are unable to use either a CNAME or ANAME record, then you can use A and AAAA records using the details below.

Example

As an example, to create a working proxy for www.mydomain.tld you would need to put the following parts into the Reverse Proxy, and Manage DNS pages;

..in the IPv4 to IPv6 Reverse Proxy section
Hostname  Domain        Data centre  Endpoint address
--------  ------        -----------  ---------------
www       mydomain.tld  ALL          2001:db8:0::1
..in the Manage DNS section
Hostname  Type   Data
--------  ----   ----
www       CNAME  proxy.mythic-beasts.com.
@         ANAME  proxy.mythic-beasts.com.

Done!

Please note that our reverse proxies only update their configuration once every five minutes, and there may also be delays before DNS changes are fully active.

Worked example

There is a walkthrough on our blog about how to host a website on an IPv6-only Raspberry Pi server, though most of the instructions will apply to any kind of server.

Advanced users

PROXY protocol

One disadvantage of using the proxy service, is that all requests will appear to come from our proxy server, rather than from the end user. This will mean that the end user's IP address will not be visible in your server logs, and will prevent IP-based access controls. To a large extent this can be addressed by using PROXY protocol, a protocol which adds an additional header to all requests that includes the actual client IP address. In order to use this, you will need to configure your server software to handle PROXY protocol. At time of wriiting, nginx has native support for PROXY protocol, and Apache has support in the form of an optional module.

If you enable PROXY protocol, you should take steps (e.g. a firewall) to only accept HTTP/HTTPS requests from our proxy servers, as otherwise it is trivial for third parties to spoof their IP address.

Configuring your server for PROXY protocol

Most web servers have support for PROXY protocol, in the case of apache2 and nginx this can be done as follows.

NGINX

Append proxy_protocol to your listen directive:

server {
    listen 80   proxy_protocol;
    listen 443  ssl proxy_protocol;
    ...
}
Apache 2.4.30 and above

Enable remoteip module in apache2 with a2enmode remoteip and append the following directive to your configuration:

RemoteIPProxyProtocol On
Apache 2.4.29 and below

This guide assumes you are using an apt based packaging distribution (Debian ,Ubuntu..). For older versions, you will need to add support via a third party module, mod_proxy_protocol

This is a little more involved, as the necessary module isn’t currently packaged as part of the standard Apache distribution (although this is changing), so we need to download and build it ourselves. First some extra packages are needed:

apt-get install apache2-dev git

This will install a good number of packages, and take a few minutes to complete. Once done, you can download, install and build mod_proxy_protocol

git clone https://github.com/roadrunner2/mod-proxy-protocol.git
cd mod-proxy-protocol
make

At this point you should be able to type make install. If this fails you may also copy the mobile manually into place:

cp .libs/mod_proxy_protocol.so /usr/lib/apache2/modules/

Now you can load the module:

echo "LoadModule proxy_protocol_module /usr/lib/apache2/modules/mod_proxy_protocol.so" > /etc/apache2/mods-available/proxy_protocol.load
a2enmod proxy_protocol

You will also need to configure Apache to use this new module. To do this, edit /etc/apache2/sites-enabled/000-default.conf and replace each line that containers CustomLog with the following two lines:

ProxyProtocol On
CustomLog ${APACHE_LOG_DIR}/access.log "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""

This tells Apache to use PROXY protocol, and to use the supplied IP address in its log files. Now restart Apache:

systemctl reload apache2

Visit your website, if all is working you should see actual client IP addresses in the log file, /var/log/apache2/access_log:

93.93.130.44 - - [24/Feb/2017:20:13:25 +0000] "GET / HTTP/1.1" 200 10701 "-" "curl/7.26.0"

Do not forget to firewall connections! Otherwise anyone can use PROXY protocol to forge their IP address.

Multiple backends

The service does allow the use of more than one endpoint address and will round robin between them accordingly. There is no guarantee that a client will be directed back to the same endpoint on subsequent requests.

Proxy location

The default configuration of using a CNAME or ANAME to proxy.mythic-beasts.com will cause your traffic to be split across all of our proxy servers, hosted in multiple data centres.

You may direct traffic to a specific proxy server by using the details of individual proxy servers in your DNS records. Details of IPs and hostnames for our individual proxy servers are shown below.

It is also possible to configure different proxy servers to direct traffic to different backend servers. If you have servers in different data centres, you can use this to control the path that traffic takes. Use the data center option in the control panel to restrict a particular configuration to a particular proxy server, and specify different endpoint addresses in different data centres.

Wildcard hostnames

Wildcard addresses are also supported:

Hostname     Domain    Data centre  Endpoint address
--------     ------    -----------  ---------------
myhostname   mydomain  ALL          2001:db8:0::1
*            mydomain  ALL          2001:db8:0::1
@            mydomain  ALL          2001:db8:0::1

Proxy details

All proxies

Type Value
CNAME / ANAME proxy.mythic-beasts.com
A 46.235.225.189
93.93.129.174
AAAA 2a00:1098::82:1000:3b:1:1
2a00:1098::80:1000:3b:1:1

London City Lifeline (CLL)

Type Value
CNAME / ANAME cll.proxy.mythic-beasts.com
A 46.235.225.189
AAAA 2a00:1098::82:1000:3b:1:1

London Sovereign House (SOV)

Type Value
CNAME / ANAME sov.proxy.mythic-beasts.com
A 93.93.129.174
AAAA 2a00:1098::80:1000:3b:1:1

Proxied Services

We will proxy the following services to configured backends:
Service Port
HTTP 80
HTTPS 443
IMAPS 993
SMTPS 465
Gemini 1965
If you would like to run an IPv6-only DNS or Email server, you can use our Secondary DNS and Fallback MX services to make these available to IPv4-only users. Please get in touch if you would like this set up.