Join the community today
Become a Member

Nginx IPV6

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by Shaiffulnizam Mohamad, Dec 16, 2015.

  1. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    3:41 PM
    1.7.0
    5.5
    Hi Everyone, I need to ask, until recently. I use listen []:80; listen []:443; inside the vhost my server up and running very well and all the IPV6 domain tester can reach my server. But Now, whenever I put the IPV6 IP or to listen to IPV6 whether on port 80 or 443, the domain with the IPV6 config shows The default Test Page. If I didn't put the IPV6 port on any of the server, the IPV6 is not enable at all. What is happening now? Can someone point me on the right direction? Because after reading from the web, seems to me. At least one of the domain need to have IPV6 config and after that other domain will show IPV6, but the problem is this domain will show the Default test Page.

    So for now, my solution is to create a dummy vhost with IPV6 configuration, be it on port 80 or Port 443 so other domain will not showing any default Test Page.
    BTW running on Nginx 1.9.9.
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    5:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    FAQ item 34 shows how IPv6 vhosts should be configured for both global listen on all IPv6 and for specific IPv6 address (they have different synax)

    When you create a new nginx vhost domain via centmin.sh menu option 2 or /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. You will get an outputted the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL)
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags | Centmin Mod Community

    Also contents of your main /usr/local/nginx/conf/conf.d/virtual.conf
     
  3. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    3:41 PM
    1.7.0
    5.5
    Thanks for the reply Eva,
    Here is the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #  server_name apasaja.my www.apasaja.my;
    #  return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
      server_name apasaja.my www.apasaja.my;
    
      ssl_dhparam /usr/local/nginx/conf/ssl/apasaja.my/dhparam.pem;
      ssl_certificate  /etc/letsencrypt/live/apasaja.my/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/apasaja.my/privkey.pem;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:$
      ssl_prefer_server_ciphers  on;
      ###add_header Alternate-Protocol  443:npn-spdy/3;
      # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      add_header Public-Key-Pins 'pin-sha256="tjnj4eupRv+2BmOytG9uWOTPd3hkwb8ofpxJYOrjzPw="; pin-sha256="hkM8e74cUabq2gewMsriNhwbjlpH+g1T5UqHroC5Yrk="; max-age=86400; includeSubDomains';
      # exclude subdomains
      add_header Public-Key-Pins 'pin-sha256="tjnj4eupRv+2BmOytG9uWOTPd3hkwb8ofpxJYOrjzPw="; pin-sha256="hkM8e74cUabq2gewMsriNhwbjlpH+g1T5UqHroC5Yrk="; max-age=86400';
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header  X-Content-Type-Options "nosniff";
      add_header X-Frame-Options DENY;
      ###spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
    

    Here is my contents for /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
    # server {
    #  server_name apasaja.my www.apasaja.my;
    #  return 302 https://$server_name$request_uri;
    # }
    
    server {
      listen 443 ssl http2;
    
      server_name apasaja.my www.apasaja.my;
    
      # mozilla recommended
      ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-R$
      ssl_prefer_server_ciphers  on;
      ###add_header Alternate-Protocol  443:npn-spdy/3;
     # HTTP Public Key Pinning Header uncomment only one that applies include or exclude domains.
      # You'd want to include subdomains if you're using SSL wildcard certificates
      # include subdomain
      add_header Public-Key-Pins 'pin-sha256="5aZxkWfaC+jNYJX10BIMy3i3fsIdam1KUL+NYViiVMQ="; pin-sha256="KPz+VrchTRjnulApp8bsJmfDbY3YYVu375bREZtPzqE="; max-age=86400; includeSubDomains';
      # exclude subdomains
      add_header Public-Key-Pins 'pin-sha256="5aZxkWfaC+jNYJX10BIMy3i3fsIdam1KUL+NYViiVMQ="; pin-sha256="KPz+VrchTRjnulApp8bsJmfDbY3YYVu375bREZtPzqE="; max-age=86400';
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      add_header  X-Content-Type-Options "nosniff";
      add_header X-Frame-Options DENY;
      ###spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
    
      # enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/apasaja.my/fullchain.pem;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/apasaja.my/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/apasaja.my/log/error.log;
    
      root /home/nginx/domains/apasaja.my/public;
    
      # prevent access to ./directories and files
     location ~ (?:^|/)\. {
      deny all;
      }
    
      location / {
     try_files $uri $uri/ /index.php?$args;
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
      # Enables directory listings when index file not found
      #autoindex  on;
    
      # Shows file listing times as local time
      #autoindex_localtime on;
    
      # Enable for vBulletin usage WITHOUT vbSEO installed
      # More example Nginx vhost configurations at
      # http://centminmod.com/nginx_configure.html
      #try_files  $uri $uri/ /index.php;
    
      }
     }
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
      include /usr/local/nginx/conf/cfip.conf;
    }
    
    
    This is the contents of virtual.conf
    Code:
    server {
    #  listen  80;
      listen  80 default_server backlog=2048 reuseport;
      server_name apasaja.my;
      root  html;
    
      access_log  /var/log/nginx/localhost.access.log  main buffer=256k flush=5m;
      error_log  /var/log/nginx/localhost.error.log  error;
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
    # limit_conn limit_per_ip 16;
    # ssi  on;
    
      location /nginx_status {
      stub_status on;
      access_log  off;
      allow 127.0.0.1;
      #allow youripaddress;
      deny all;
      }
    
      location / {
    
    # block common exploits, sql injections etc
    #include /usr/local/nginx/conf/block.conf;
    
    #  Enables directory listings when index file not found
    #  autoindex  on;
    
    #  Shows file listing times as local time
    #  autoindex_localtime on;
    
    #  Enable for vBulletin usage WITHOUT vbSEO installed
    #  try_files  $uri $uri/ /index.php;
    
      }
    
      # example nginx-http-concat
      # /csstest/??one.css,two.css
      #location /csstest {
      #concat on;
       #concat_max_files 20;
      #}
    
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
    #include /usr/local/nginx/conf/phpstatus.conf;
    include /usr/local/nginx/conf/drop.conf;
    #include /usr/local/nginx/conf/errorpage.conf;
    include /usr/local/nginx/conf/vts_mainserver.conf;
    
      }
    
     
  4. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    5:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    you don't have IPv6 listen directives set ? what were you setting them to ? try what is outlined at FAQ item 34
     
  5. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    3:41 PM
    1.7.0
    5.5
    Ok, so I set to this conf like
    listen [2400:6180:0:d0::127:6001]:80;
    in the /usr/local/nginx/conf/conf.d/newdomain.com.conf

    and in the /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    listen [2400:6180:0:d0::127:6001]:443;

    After that all, my domain will have IPV6 enable,
    but then after that, this domain will show the The Default Test page, but in other domain, they are ok (IPV6 enable) and doesn't have any of this problem.

    That is the reason that I have to create another dummy.com.conf and dummy.com.ssl.conf with the IPV6 IP and then I will not encounter any problem with the domain becoming "default test page", even though this dummy conf is not configured to any real domains.
     
  6. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    3:41 PM
    1.7.0
    5.5
    you can view it at apasaja.my this is where I put the ipv6 listening port,
    another domain in the server is apasaja.my without any ipv6 listening port.
     
  7. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    5:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    that's incorrect for individual IPv6 addresses, see FAQ item 34 and how individual IPv6 addresses are set
     
  8. Shaiffulnizam Mohamad

    Shaiffulnizam Mohamad New Member

    29
    8
    3
    Jun 6, 2014
    Ratings:
    +9
    Local Time:
    3:41 PM
    1.7.0
    5.5
    Ok, let me try it 1st, will let you know the results.