
Nginx Beta Branch Invitation To Test Native Nginx IPv6 Vhost Config Support in 130.00beta01

Discussion in 'Beta release code' started by eva2000, Nov 14, 2022.

  1. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod Nginx vhost creation routines don't support IPv6 Nginx vhost creation out of the box right now. You have to manually make Nginx vhost config changes to enable IPv6 support. But native Nginx IPv6 vhost config support is long overdue, with @Tracy Perry @wmtech @happyhacking being the latest users to remind me of this issue.

    So I have some experimental patch code for Centmin Mod 130.00beta01 that I have been working on, which will add native Nginx IPv6 vhost config support conditionally when Centmin Mod detects that the server has a publicly resolving IPv6 IP address only. If your server isn't set up for IPv6, then a publicly resolving IPv6 IP address won't be detected.

    Testing Invitation


    I invite folks to test this experimental patch code and report feedback in this thread. To test this Centmin Mod local code on your server, run the following commands as root user in SSH:

    Commands below as at November 29, 2022, when the patched code was committed to the 130.00beta01 branch:
    Code (Text):
    # update 130.00beta01 locally
    cmupdate
    # run centmin.sh menu once and exit to apply changes
    echo 24 | centmin
    

    To enable this patched code, set the following variables in the persistent config file /etc/centminmod/custom_config.inc:
    Code (Text):
    VPS_IPSIX_CHECK_DISABLE='n'
    VPS_IPSIX_CHECK_DISABLE_DEBUG='y'

    Then run the centmin.sh menu option 2 or 22 menu-based Nginx vhost creation routines, or the nv or addons/acmetool.sh command-line based Nginx vhost creation routines, and see if your domain's Nginx vhost config files have IPv6 listen directives set up in:
    • /usr/local/nginx/conf/conf.d/yourdomain.com.ssl.conf
    • /usr/local/nginx/conf/conf.d/yourdomain.com.conf
    i.e. for HTTPS nginx vhost
    Code (Text):
    server {
      listen 443 ssl http2;
      listen   [::]:443 ssl http2;
      server_name yourdomain.com www.yourdomain.com;

    and non-HTTPS nginx vhost
    Code (Text):
    server {
      listen   80;
      listen   [::]:80;
      server_name yourdomain.com www.yourdomain.com;

    When you run centmin.sh menu option 2 or 22 you will see some debug output from enabling VPS_IPSIX_CHECK_DISABLE_DEBUG='y':
    Code (Text):
    VPS_IPSIX_CHECK_DISABLE=n
    IP_SYSTEM_VALIDATE_V4=0
    IP_SYSTEM_VALIDATE_V6=0
    DEDI_LISTEN="listen   80;"
    DEDI_LISTEN_V6="listen   [::]:80;"
    DEDI_LISTEN_HTTPS_V6="listen   [::]:443 ssl http2;"
    DEDI_LISTEN=listen   80;
    DEDI_LISTEN_V6=listen   [::]:80;

    • First line verifies VPS_IPSIX_CHECK_DISABLE=n is appropriately set to enable the dynamic check.
    • Second & third lines for IP_SYSTEM_VALIDATE_V4 and IP_SYSTEM_VALIDATE_V6 are the checks for valid IPv4 and IPv6 resolving server IP addresses. If valid, the variable's value should be 0; if invalid, the variable's value is 1.
    • Last 5 lines are just checking the values assigned to variables that will populate in your created Nginx vhost config files.
    Notes:
    • You can test this on a test VPS server or test Nginx vhost domain creation subdomain/domain and don't necessarily need to test on live production sites.
    • This patch only works when SECOND_IP variable isn't set in the persistent config file /etc/centminmod/custom_config.inc. If you use SECOND_IP variable for dedicated IPv4 IPs defined for Nginx vhost, then the native Nginx IPv6 vhost config support is currently disabled as it's more complicated to implement and will leave that for a later stage to work on.
    • If later on, you run cmupdate command, it will wipe the patched code from your local install and revert back to the unpatched code. So you will need to rerun the patch commands to be able to test this again.
    • Future 130.00beta01 updates may break the patch commands below. Once folks reported feedback and bugs in this thread and I see the patches are working, I will add it to the default 130.00beta01 code base so that future cmupdate command run will be enough to get these updates.
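Added example (not Centmin Mod's code and not part of the original post): POSIX sh functions that make the same decision the dynamic check above has to make, classifying a detected address as a usable public IPv6 address (0, like IP_SYSTEM_VALIDATE_V6) or not (1), and only then emitting the [::] listen directives shown above. detect_public_ipv6 uses the curl/jq lookup eva2000 shows later in this thread; the PUBLIC_IPV6 override variable and the function names are my assumptions so the logic can be run offline.

```shell
#!/bin/sh
# Added example, not Centmin Mod code: decide whether a vhost gets IPv6 listen
# directives, based on whether the server has a usable public IPv6 address.

# is_global_ipv6 ADDR -> exit 0 if ADDR is a plausible global-unicast IPv6
# literal; rejects IPv4, loopback, unspecified, link-local (fe80::/10) and
# unique-local (fc00::/7) addresses, which are never publicly resolving.
is_global_ipv6() {
  addr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "$addr" | grep -Eq '^[0-9a-f]{0,4}(:[0-9a-f]{0,4}){2,7}$' || return 1
  case "$addr" in
    ::|::1|fe[89ab][0-9a-f]:*|f[cd][0-9a-f][0-9a-f]:*) return 1 ;;
  esac
  return 0
}

# validate_v6 ADDR -> prints 0 when ADDR is a public IPv6 address, else 1,
# mirroring the IP_SYSTEM_VALIDATE_V6 value in the debug output above.
validate_v6() {
  if is_global_ipv6 "$1"; then echo 0; else echo 1; fi
}

# detect_public_ipv6 -> the server's publicly resolving IPv6 address via the
# same geoip lookup used in this thread; PUBLIC_IPV6 (my addition) overrides
# it so the rest of the script can be exercised without network access.
detect_public_ipv6() {
  if [ -n "${PUBLIC_IPV6:-}" ]; then
    printf '%s\n' "$PUBLIC_IPV6"
    return 0
  fi
  curl -6s --max-time 5 https://geoip.centminmod.com/v4 2>/dev/null | jq -r '.ip' 2>/dev/null || true
}

# listen_directives PORT VALIDATE_V6 -> the listen lines for one server block;
# the [::] line is only emitted when VALIDATE_V6 is 0 (valid public IPv6).
listen_directives() {
  port=$1; v6=$2
  extra=''
  [ "$port" = 443 ] && extra=' ssl http2'
  printf 'listen   %s%s;\n' "$port" "$extra"
  [ "$v6" = 0 ] && printf 'listen   [::]:%s%s;\n' "$port" "$extra"
  return 0
}

# Stand-alone run: report the detected address and the directives it yields.
ip6=$(detect_public_ipv6)
v6=$(validate_v6 "$ip6")
echo "IP_SYSTEM_VALIDATE_V6=$v6"
listen_directives 80 "$v6"
listen_directives 443 "$v6"
```

Run it as-is on a server to see what the lookup classifies, or with PUBLIC_IPV6 set (for example to a link-local fe80:: address) to confirm that only global addresses switch the [::] listeners on.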
     
  2. pdinh97qng

    pdinh97qng Member

    Even though I'm fine with manually adding IPv6 to the vhost, it's good to see this feature, especially for people who use Let's Encrypt. Many times, I have DNS for IPv6 set up but forget to add IPv6 in the vhost, so Let's Encrypt fails to issue the SSL.
     
  3. wmtech

    wmtech Active Member

    I would like to test that out soon and I am almost sure it will work as expected. ;-)

    However, with IPv6 it is not the best way to just add "[::]" as the global IPv6 address into the vhost and use name-based distinction in Nginx. This was a workaround in IPv4 (because you have to save addresses at almost all costs) to share one IP address between several vhosts.

    With IPv6 each vHost should and will have its unique IPv6 address.

    The best way for your CMM script would be to ask for the hostname of the vHost (as you already do) and resolve the IPv4 and IPv6 addresses of that hostname and insert the address(es) you find into the vHost configuration. When doing so, you could even scratch the "SECOND_IP" variable in custom config which would be very complicated to use in IPv4 / IPv6 mixed environments.

    In addition, you should check if the result of the IP resolution of the new hostname matches the available IP addresses of the server. If not, you can assume someone is setting up a hostname in preparation for a future IP switch and therefore won't request a TLS certificate with the new vHost setup. In that case you simply can set up the new vhost configuration like you do it now with "80" and/or "[::]:80" and have the server admin do the exact configuration later.
     
    Last edited: Nov 15, 2022
  4. eva2000

    eva2000 Administrator Staff Member

    Yeah ideally. Though for noobs, it will be complicated with IPv6 format and recognising and defining an individual IP address versus a range
    Yeah thought about that but if your domain is behind a reverse proxy like Cloudflare, resolving the domain's IPv6 would be the Cloudflare IPv6 IP address and not the server's.
    Yeah, one reason I haven't done so for SECOND_IP setups right now.

    Yeah, the way I look up the publicly resolving IPv6 for the server, it should always be an IPv6 IP available on the server. You can manually check via these commands too:
    Code (Text):
    curl -4s https://geoip.centminmod.com/v4 | jq -r '.ip'
    curl -6s https://geoip.centminmod.com/v4 | jq -r '.ip'
    

    Let me know if they end up with incorrect server publicly resolving IPv4/IPv6 IP addresses.
     
  5. eva2000

    eva2000 Administrator Staff Member

    Oh re-read that, you mean if folks want to add a new IPv6 IP address later and after the Centmin Mod Nginx vhost was created.
     
  6. wmtech

    wmtech Active Member

    The only real difference in handling IPv4 and IPv6 addresses is the much more complicated regex for IPv6. ;-)

    Besides that, IPv6 can be handled exactly like IPv4. A range is a range and an address is an address. Just the format and numbers are different.

    Yes, that can happen. In that case I would not set up the vHost with exact addresses and leave the exact configuration to the server admin. The ability to request a TLS cert at vHost generation should be removed in such cases.

    "SECOND_IP" was a workaround. Since we don't have an IPv4 shortage, we always had and have a bunch of IP addresses at each server. We could have needed a "THIRTYEST_IP" variable. ;-)

    With IPv6 there always will be a lot of active IP addresses at a server. There needs to be another way to work with these much more common cases in the IPv6 area.

    Both commands give me the real IP address of each kind of the server configured for general outgoing traffic. But with

    Code (Text):
    ip -6 addr
    ip -4 addr

    I get many more addresses, all actively configured and working at the server.

    The easiest way would be to use

    Code (Text):
    nmcli connection show <DEVICENAME> | grep ipv4.addresses
    nmcli connection show <DEVICENAME> | grep ipv6.addresses

    and compare that to the DNS resolution of the hostname.
     
    Last edited: Nov 15, 2022
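Added example, not from Centmin Mod and not wmtech's code, for the scheme proposed in this post and in post #3: resolve the vhost hostname, intersect the answers with the addresses the server actually has, write exact-address listen directives when every answer matches, and otherwise fall back to the wildcard listeners and skip the TLS certificate request. resolve_host and local_addrs wrap getent and ip (live lookups); the decision functions take plain address lists so they can be checked offline, and the sample addresses are documentation ranges, not real hosts. Requiring every DNS answer to be local is my reading of the thread, since a stray AAAA record is exactly what makes the Let's Encrypt HTTP challenge fail in post #2.

```shell
#!/bin/sh
# Added example, not Centmin Mod code: pick a vhost's listen addresses by
# comparing the hostname's DNS answers with the addresses configured on the
# server, and defer TLS issuance when they do not line up.

# resolve_host NAME -> the A/AAAA answers for NAME, one per line (live lookup)
resolve_host() { getent ahosts "$1" | awk '{print $1}' | sort -u; }

# local_addrs -> every global-scope IPv4/IPv6 address configured on the
# server, one per line, prefix length stripped (live lookup via iproute2)
local_addrs() { ip -o addr show scope global | awk '{sub(/\/.*/, "", $4); print $4}' | sort -u; }

# matched_addrs "DNS_LIST" "LOCAL_LIST" -> the DNS answers that are also
# configured locally (whitespace-separated lists, so this runs offline)
matched_addrs() {
  for a in $1; do
    for b in $2; do
      [ "$a" = "$b" ] && printf '%s\n' "$a"
    done
  done
  return 0
}

# cert_decision "DNS_LIST" "LOCAL_LIST" -> "request" when every DNS answer
# points at this server, "skip" otherwise (hostname not yet moved here, or
# an AAAA record the validator would reach that this server does not serve)
cert_decision() {
  [ -n "$1" ] || { echo skip; return 0; }
  for a in $1; do
    found=0
    for b in $2; do
      [ "$a" = "$b" ] && found=1
    done
    [ "$found" = 1 ] || { echo skip; return 0; }
  done
  echo request
}

# exact_listen_directives PORT "ADDR_LIST" [EXTRA] -> one listen line per
# address, IPv6 literals bracketed, EXTRA (e.g. "ssl http2") appended
exact_listen_directives() {
  port=$1
  for a in $2; do
    case "$a" in
      *:*) printf 'listen   [%s]:%s%s;\n' "$a" "$port" "${3:+ $3}" ;;
      *)   printf 'listen   %s:%s%s;\n' "$a" "$port" "${3:+ $3}" ;;
    esac
  done
  return 0
}

# vhost_plan NAME "DNS_LIST" "LOCAL_LIST" -> the port 80 listen block to write
# plus the certificate decision; when the DNS answers do not all belong to
# this server, keep today's wildcard listeners and leave exact addresses to
# the admin, as post #3 suggests.
vhost_plan() {
  name=$1
  decision=$(cert_decision "$2" "$3")
  echo "# $name"
  if [ "$decision" = request ]; then
    exact_listen_directives 80 "$(matched_addrs "$2" "$3")"
  else
    printf 'listen   80;\nlisten   [::]:80;\n'
  fi
  echo "# certificate: $decision"
}

# Stand-alone run on constructed sample data (not real hosts or addresses).
vhost_plan example.com "203.0.113.10 2001:db8::10" "203.0.113.10 2001:db8::10 2001:db8::11"
vhost_plan moving.example "203.0.113.10 2001:db8::99" "203.0.113.10 2001:db8::10"
```

On a real server the two lists come from `resolve_host yourdomain.com` and `local_addrs`; a domain fronted by a CDN reverse proxy will resolve to the proxy's addresses and therefore land in the "skip" branch, which is the conservative outcome for the HTTP challenge.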
  7. eva2000

    eva2000 Administrator Staff Member

    Yeah I overlooked that for Letsencrypt web root validation. If you're using Cloudflare, skip webroot letsencrypt validation and use Cloudflare DNS API as per Letsencrypt Free SSL Certificates
     
  8. eva2000

    eva2000 Administrator Staff Member

    Yeah, but anything requiring end user input will ultimately rely on the end user's knowledge around this. Right now centmin.sh menu options 2 and 22 are the only options that take end user input interactively. Command line nv or addons/acmetool.sh and centmin.sh menu option 2/22 would need to be updated to support adding end user defined individual IPv6 IP addresses for setup.

    For tighter Cloudflare integration I am also working on supporting end users defining a custom JSON site config file which Centmin Mod can read to create Nginx vhosts which are behind Cloudflare via Cloudflare API - so it can also setup Cloudflare DNS, settings and SSL etc. Very early alpha version preview at GitHub - centminmod/centminmod-config-json. Haven't worked on it in a while though.

    Depends on the web host though; some hosts are only giving a few individual IPv6 IPs and not a full range.

    Yeah, was going to use the ip command but it depends on how the server is configured.
     
  9. wmtech

    wmtech Active Member

    Sure, a /64 default IPv6 net (the smallest in practical usage) has 18,446,744,073,709,551,616 IP addresses. No one needs that at one server. But many hosts give a /64 per server for free. So you can run a lot of vHosts. ;-)

    And even for the smallest link net (where you need 2 addresses), a /64 is used. Networking feels like a large waste of address space in IPv6.

    We configure IPv6 on servers exactly like IPv4. Exactly as many addresses as we need on the server.
     
  10. Tracy Perry

    Tracy Perry Active Member

    The majority of the hosts that I have recently used issue at least a /64 range.
    And (at least with Hetzner if using a default image) automatically creates the ::1 address for you in your OS and assigns it as active. If you want to add more, you have to do that manually (frequently by a script).

    Now, since I had to mount an AlmaLinux ISO and install that manually, their scripted format did not work correctly on the creation of ANY IPv6 addresses, so I had to do it manually.
    Now that I know what the issue is, I can simply not make any IPv6 DNS entries until after I create my vhost. An option (that is ultimately probably simpler) is to issue a warning to the user during vhost creation that an IPv6 address was detected for the site, and recommend that it be removed until after vhost creation, when it can be recreated and then added into the vhost config file.

    With the number of IPv6 address possible with even a /64 range, some beginning users may have issues trying to figure out
    #1 - how to figure out what IPv6 address to actually use, along with pertinent gateway info
    #2 - how to configure their VPS to recognize specific IPv6 addresses (I don't want to simply enable the entire /64 range)

    Once they know how to do those two items, entering the IPv6 vhost information into the vhost config file is minor.

    The other option is to simply prompt, during vhost creation, to use the IPv6 address that was detected by some manner. That level of co-ordination is well above what I currently even want to think about (PixInSight is currently driving me nuts).
     
  11. wmtech

    wmtech Active Member

    You get the gateway address for IPv6 from your provider just like with IPv4 and you also configure it at your server the same way like IPv4.

    No one ever uses a whole /64 IPv6 net at a VPS. I don't think it is even possible to configure a server to listen to 18,446,744,073,709,551,616 IP addresses.

    As with IPv4 you set up only addresses you need to listen at the server. The only difference is that with IPv6 you can have any amount of ip addresses where with IPv4 you mostly are limited to 1 address.

    This is why people invented techniques like "name-based" or "NAT" or "SNI" to meet the lack of IP addresses. Those currently common setups will be no longer needed with IPv6 and should not be used with it.
     
  12. Tracy Perry

    Tracy Perry Active Member

    Not always in an area "easy" to find.

    [screenshots: Screen Shot 2022-11-18 at 6.21.10 AM.png, Screen Shot 2022-11-18 at 6.21.27 AM.png]

    And the "gateway" that Hetzner uses is apparently an fe80::1 address, something that you have to dig into the documentation to find. It is not shown to you in the control panel they use. You have to dig through their linked "docs" area to find it.

    [screenshot: Screen Shot 2022-11-18 at 6.25.52 AM.png]

    With other providers I have used (primarily Digital Ocean) they did provide you the gateway info in an area easy to discover.
     
  13. eva2000

    eva2000 Administrator Staff Member

    My experience too with some web hosts which is another reason IPv6 hasn't been native to Centmin Mod Nginx to date. Right now thinking of just committing the above patch but leave it disabled and let users enable it via the first post persistent config file variables.
     
  14. Tracy Perry

    Tracy Perry Active Member

    I would STRONGLY encourage you to implement a warning during VHOST configuration if it detects an IPv6 address in the DNS, to warn the user prior to completing the VHOST creation to disable IPv6 in the DNS, exit out of the VHOST creation option and then wait until DNS updates, and then after VHOST creation and SSL cert issuance add the appropriate entries back to the DNS and then manually in the VHOST config file.
    Most users of CentMin will know exactly what you are referencing, and even I was able to figure out the main issue without input from here.
    Otherwise, give the user a warning on how to manually add the IPv6 specific address to the VHOST after it is created and then the method to force a reissuance of the cert.
     
  15. wmtech

    wmtech Active Member

    Everyone knows that CMM is not ready for IPv6. Just like it is not ready for EL9.

    Both topics will have to be addressed sometime in the future. And until then, you need to use a way around it and can use this forum to find one.
     
  16. eva2000

    eva2000 Administrator Staff Member

    Are you referring to when the persistent config variables are enabled for this patched update, or when it's disabled by default? I assume the latter? If persistent config variables are enabled then the nginx vhost would have IPv6 native support added and I can script a check that the AAAA DNS record on the desired vhost domain name resolves to the same server, and if it does, then let it continue without further prompts as the user would have already set up the desired AAAA DNS IPv6 address on the DNS end. So only prompt/warn if the detected AAAA DNS record does exist or does not resolve to the same server and persistent config variables are disabled.

    Or do you want prompts/warnings that facilitate the end result that an individual ipv6 ip address is used rather than listening on all ipv6 addresses available on the server at nginx server level?

    Or just enable persistent config variables by default and enable nginx native IPv6 on all vhosts where the server supports IPv6 regardless of whether the vhost domain DNS has an AAAA DNS record?

    Yeah but forum Centmin Mod users only make up a small fraction of total users but then they will find out either way what is not supported heh
     
  17. eva2000

    eva2000 Administrator Staff Member

    Been thinking about this more: using different individual IPv6 IP addresses and how that would work for bulk nginx vhost creation in an unattended manner https://community.centminmod.com/th...g-nginx-vhost-mysql-users-and-databases.8257/. When someone bulk creates 100x nginx vhost sites, how to assign individual IPv6 IP addresses to each of those 100x nginx vhost domain names? Then automate setting up the relevant AAAA DNS records for 100 domains. With IPv4 the same IP address can be used for all 100x nginx vhost domain names. Now with individual IPv6, some web hosts provide less than a /64 range so you may not have the required IPv6 individual IP addresses for all 100x of those domains.
     
  18. happyhacking

    happyhacking Member

    Finally this will be solved, thanks @eva2000. This was the most annoying missing feature for me since I'm constantly registering new domains. BTW, will this patch be ported to the stable version of CMM?

    P.S. Somehow I'm still suffering a bug when adding new vhosts through the menu: the new vhost config files use the "reuseport" option every time, even if it's already used in another vhost config file.
     
  19. wmtech

    wmtech Active Member

    I don't think that any provider will ever have a shortage of IPv6 addresses. But you may have to ask for them. Providers who charge for IPv6 addresses (like they do for IPv4 now) will not be long in business.

    Unattended bulk creation would be easy if you check the IP addresses of each host and put its IP address(es) into the config file like my suggestion last time. Would also be good for IPv4, if the correct IP address is in the config file, since listening at all server addresses can sometimes be a security risk and is not a very elegant way to configure Nginx.
     
  20. eva2000

    eva2000 Administrator Staff Member

    Might want to start a bug report at https://community.centminmod.com/forums/bug-reports.12/ :)

    Maybe after several months of testing on Centmin Mod 130.00beta01 at least. Will depend on how much feedback/testing this IPv6 native Nginx patch testing gets on 130.00beta01.

    Yeah, but with any CDN reverse proxy in front of the domain, that could mask the real IPv4/IPv6 addresses. But I could check if the detected IPv4/IPv6 belong to the Centmin Mod server too.

    i.e. to get a list of the publicly available IPv6 IP addresses/ranges on the server. On some web hosts this returns individual IPv6 IP addresses but on others an entire range.
    Code (Text):
    ip -o -6 addr show $(ip -o addr show scope global | grep $(curl -s https://geoip.centminmod.com/v4 | jq -r '.ip') | awk '{print $2}') scope global | sed -e 's/^.*inet6 \([^ ]\+\).*/\1/'
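Added example, not Centmin Mod code: the command above yields single addresses (/128) on some hosts and a whole range on others, so checking whether a domain's AAAA address belongs to this server needs a prefix containment test rather than a string compare. The POSIX sh + awk below expands IPv6 literals to canonical form and does that check; the function names and the sample addresses (documentation prefix 2001:db8::/32) are constructed for the example, and server_ipv6_entries is the only part that touches the live system.

```shell
#!/bin/sh
# Added example, not Centmin Mod code: expand IPv6 literals to a canonical
# 32-hex-digit form and test whether an address falls inside a prefix, so the
# entries printed by the ip command above (single addresses on some hosts, a
# whole range on others) can be matched against a domain's AAAA record.

# expand_ipv6 ADDR -> 32 lowercase hex digits, "::" expanded, groups padded
expand_ipv6() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | awk -F'::' '{
    nl = ($1 == "") ? 0 : split($1, L, ":")
    nr = (NF < 2 || $2 == "") ? 0 : split($2, R, ":")
    out = ""
    for (i = 1; i <= nl; i++) out = out substr("0000", 1, 4 - length(L[i])) L[i]
    for (i = 1; i <= 8 - nl - nr; i++) out = out "0000"
    for (i = 1; i <= nr; i++) out = out substr("0000", 1, 4 - length(R[i])) R[i]
    print out
  }'
}

# in_prefix ADDR PREFIX/LEN -> exit 0 when the first LEN bits of ADDR equal
# those of PREFIX; LEN need not be a multiple of 4
in_prefix() {
  a=$(expand_ipv6 "$1")
  p=$(expand_ipv6 "${2%/*}")
  len=${2#*/}
  awk -v a="$a" -v p="$p" -v len="$len" 'BEGIN {
    n = int(len / 4); rem = len % 4
    if (substr(a, 1, n) != substr(p, 1, n)) exit 1
    if (rem > 0) {
      h = "0123456789abcdef"
      x = index(h, substr(a, n + 1, 1)) - 1
      y = index(h, substr(p, n + 1, 1)) - 1
      # keep only the top rem bits of the next nibble before comparing
      if (int(x / 2 ^ (4 - rem)) != int(y / 2 ^ (4 - rem))) exit 1
    }
    exit 0
  }'
}

# addr_on_server ADDR "ENTRY_LIST" -> exit 0 when ADDR equals one of the
# entries or lies inside one of the prefixes; entries without /LEN are /128
addr_on_server() {
  for e in $2; do
    case "$e" in */*) ;; *) e="$e/128" ;; esac
    in_prefix "$1" "$e" && return 0
  done
  return 1
}

# server_ipv6_entries -> the global-scope IPv6 entries on this server, in the
# same ADDR/LEN form the ip command in the post prints (live lookup)
server_ipv6_entries() {
  ip -o -6 addr show scope global | awk '{print $4}'
}

# Stand-alone run on constructed data: a host handing out single addresses
# and a host routing a whole /64 to the server.
for entries in "2001:db8:1:2::10/128 2001:db8:1:2::11/128" "2001:db8:9::/64"; do
  for aaaa in 2001:db8:1:2::10 2001:db8:9::42 2001:db8:1:3::10; do
    if addr_on_server "$aaaa" "$entries"; then r=yes; else r=no; fi
    echo "$aaaa in [$entries]: $r"
  done
done
```

On a live server, `addr_on_server "$(dig +short AAAA yourdomain.com)" "$(server_ipv6_entries)"` gives the yes/no the thread is after; a CDN-fronted domain will resolve to the CDN's prefix and come back "no", which is the case where the post above says the check needs to be skipped or handled via the DNS API.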