IPv4 to IPv6 Proxy configuration
What is this?
Our IPv4 to IPv6 reverse proxies allow you to host a website on an IPv6-only server and make it accessible to all users, including those who only have an IPv4 connection.
Why is this needed?
IPv4 addresses are in short supply, which is why we offer cheaper, IPv6-only servers. Unfortunately, not all users have an IPv6-enabled connection yet, and so would not normally be able to view a site on an IPv6-only server.
What problem does this solve?
Our IPv4 to IPv6 reverse proxy will relay traffic for common services, such as HTTP and HTTPS, from a shared IPv4 address to your server's IPv6 address, making your website accessible to users on an IPv4-only connection.
Important information to remember
To use this service, the domains that you wish to host websites on must be known to our control panel. If the domain is not registered through us, you can add it as a "third party domain".
Our proxies will also relay IPv6 traffic, which can simplify configuration, as you can direct all traffic to your site by the same route.
HTTPS and other secure services
Our proxy uses Server Name Indication (SNI) to pass HTTPS and certain other secure protocols through to your server without decrypting the traffic. This means that we don't need access to your certificate.
Configuring a reverse proxy
Head to IPv4 to IPv6 Reverse Proxy section, under Servers, in the control panel.
Enter the hostname, and select the domain you wish to use. So if you wish to host www.example.com, set the hostname to www and select example.com from the list of domains.
If you wish to host a website on the bare domain name (e.g. https//example.com) you should enter a hostname of @.
Enter the IPv6 address of your server in the Endpoint address field and then press the Add button.
You should leave the location set to the default of 'ALL' which will use all available proxies.
Next, you need to update the DNS records for your domain to direct traffic to
our proxy servers. The best way to use the proxies is to set up a CNAME or
ANAME record, pointing to proxy.mythic-beasts.com.
Generally if you are setting up a record for a hostname within your domain (e.g. www.example.com) you can, and should, use a CNAME. If you are setting up a record for a bare domain (e.g. example.com) you won't be able to use a CNAME record, and you should use an ANAME psuedo-record instead.
For almost every hostname, you can use CNAME records instead which require less configuration. However, if you already have a hostname configured (for example sub.domain.tld as MX, and sub.domain.tld as AAAA), you must use the AAAA and A records.
If the DNS for your domain is not managed by Mythic Beasts, and you are unable to use either a CNAME or ANAME record, then you can use A and AAAA records using the details below.
Example
As an example, to create a working proxy for www.mydomain.tld you would need to put the following parts into the Reverse Proxy, and Manage DNS pages;
..in the IPv4 to IPv6 Reverse Proxy section
Hostname Domain Data centre Endpoint address -------- ------ ----------- --------------- www mydomain.tld ALL 2001:db8:0::1
..in the Manage DNS section
Hostname Type Data -------- ---- ---- www CNAME proxy.mythic-beasts.com. @ ANAME proxy.mythic-beasts.com.
Done!
Please note that our reverse proxies only update their configuration once every five minutes, and there may also be delays before DNS changes are fully active.
Worked example
There is a walkthrough on our blog about how to host a website on an IPv6-only Raspberry Pi server, though most of the instructions will apply to any kind of server.
PROXY protocol
One disadvantage of using the proxy service is that all requests will appear to come from our proxy server, rather than from the end user. This will mean that the end user's IP address will not be visible in your server logs, and will prevent IP-based access controls. To a large extent this can be addressed by using PROXY protocol, a protocol which adds an additional header to all requests that includes the actual client IP address. In order to use this, you will need to configure your server software to handle PROXY protocol.
If you enable PROXY protocol, you should take steps (e.g. a firewall) to only accept HTTP/HTTPS requests from our proxy servers, as otherwise it is trivial for third parties to spoof their IP address.
Most web servers have support for PROXY protocol, in the case of apache2 and nginx this can be done as follows.
NGINX
Append proxy_protocol to your listen directive, and use ngx_http_realip_module to use the client IP address from the PROXY protocol header:
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
set_real_ip_from 2a00:1098:0:82:1000:3b:1:1;
set_real_ip_from 2a00:1098:0:80:1000:3b:1:1;
real_ip_header proxy_protocol;
...
}
The set_real_ip_from directive ensures that PROXY protocol will only be trusted when sent from our proxy servers, which prevents other clients from spoofing their IP addresses. We would still recommend adding firewalling to prevent other clients connecting directly to your server.
Apache
Since Apache 2.4.30, there is native PROXY protocol support in the remoteip module.
Enable remoteip module in apache2 with a2enmode remoteip and
append the following directive to your configuration:
RemoteIPProxyProtocol On
Do not forget to firewall connections so only the proxy IP addresses can connect! Otherwise anyone can use PROXY protocol to forge their IP address.
Advanced users
Multiple backends
The service does allow the use of more than one endpoint address and will balance traffic between them, performing TCP healthchecks to avoid sending connections to a down backend. A backend will be selected based on the client's source IP address - so a single IP address should consistently use a single backend.
Proxy location
The default configuration of using a CNAME or ANAME to
proxy.mythic-beasts.com will cause your traffic to be split across all of our
proxy servers, hosted in multiple data centres.
You may direct traffic to a specific proxy server by using the details of individual proxy servers in your DNS records. Details of IPs and hostnames for our individual proxy servers are shown below.
It is also possible to configure different proxy servers to direct traffic to different backend servers. If you have servers in different data centres, you can use this to control the path that traffic takes. Use the data center option in the control panel to restrict a particular configuration to a particular proxy server, and specify different endpoint addresses in different data centres.
Wildcard hostnames
Wildcard addresses are also supported:
Hostname Domain Data centre Endpoint address -------- ------ ----------- --------------- myhostname mydomain ALL 2001:db8:0::1 * mydomain ALL 2001:db8:0::1 @ mydomain ALL 2001:db8:0::1
Proxy details
All proxies
| Type | Value |
|---|---|
| CNAME / ANAME | proxy.mythic-beasts.com |
| A |
46.235.225.189 93.93.129.174 |
| AAAA |
2a00:1098::82:1000:3b:1:1 2a00:1098::80:1000:3b:1:1 |
London City Lifeline (CLL)
| Type | Value |
|---|---|
| CNAME / ANAME | cll.proxy.mythic-beasts.com |
| A |
46.235.225.189 |
| AAAA |
2a00:1098::82:1000:3b:1:1 |
London Sovereign House (SOV)
| Type | Value |
|---|---|
| CNAME / ANAME | sov.proxy.mythic-beasts.com |
| A |
93.93.129.174 |
| AAAA |
2a00:1098::80:1000:3b:1:1 |
Proxied Services
We will proxy the following services to configured backends:| Service | Port |
|---|---|
| HTTP | 80 |
| HTTPS | 443 |
| IMAPS | 993 |
| SMTPS | 465 |
| Gemini | 1965 |