Background:
Have you heard of World IPv6 Day? On June 8 2011, a lot of very prominent web sites, like Google, Facebook, Yahoo and many more, are going to host their web sites on dual stack for the day. They do this by publishing an AAAA DNS record, that’s an IPv6 address in DNS, so their site will resolve and be available on both IPv4 and IPv6 simultaneously. In other words, if you type in www.google.com on June 8 2011 and your computer can reach the IPv6 Internet, then your browser will fetch the AAAA record and connect to Google’s site via IPv6, instead of IPv4. If you don’t have IPv6, you’ll just connect the same old way you do today. Either way, it’s going to be rather transparent to the end user, unless these sites flash something to users to say “HEY, YOU CONNECTED OVER IPv6”.
Challenge:
So, thinking about any web site out there that currently lives on IPv4, how can we make it dual stack, without owning or touching the existing servers? Answer: with a proxy. We want this proxy to be a separate machine, anywhere on the Internet, that already has dual stack hosting.
The dedicated, dual stacked proxy server will listen on an IPv6 address and forward that traffic to an IPv4 address. Can this be done reliably for a web site for World IPv6 Day? I think yes, it can. For one, the percentage of Internet traffic that’ll come over IPv6, even on this day, is only about 1% to 5%. So, as long as this proxy server can handle 5% of your normal load, it’ll work.
You can use HAProxy, available at http://haproxy.1wt.eu/, to turn your Linux or Solaris based dedicated (or virtual dedicated) server into an IPv6 translation proxy! And, it’ll work for both HTTP and HTTPS.
You don’t need to load the HTTPS SSL cert, either. HAProxy can proxy at the TCP level instead of the HTTP level, so the end user’s SSL session is with the server itself and the proxy never sees the decrypted traffic. The only caveat is that all traffic from your proxy will appear to the server as coming from the proxy’s IPv4 address. You’ll lose all visibility of the source IP, so the server’s access logs and any IP-based controls will see only the proxy.
Read on to see the proof of concept in action:
Proof of Concept:
To prove this can work, I took a look at a random 3rd party web site that I’d like to see participate in World IPv6 Day. I chose www.godaddy.com as the test subject.
I did this install on a dedicated server first.
Install HAProxy:
cd /usr/local/src
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.11.tar.gz
tar -xzf haproxy-1.4.11.tar.gz
cd haproxy-1.4.11
make TARGET=linux26 ARCH=i386
make install
cd examples/
cp haproxy.init /etc/init.d/haproxy
chmod 755 /etc/init.d/haproxy
# make install puts the binary in /usr/local/sbin, so fix the path in the init script:
vim /etc/init.d/haproxy # :%s&/usr/sbin/&/usr/local/sbin/&g
mkdir /etc/haproxy
Then, I dropped this /etc/haproxy/haproxy.cfg file into place:
#
# HAProxy configuration file for IPv6 translation to IPv4-only webservice reverse proxy
#
# Version 1.0 - 2011-02-19
#
# This file should be saved as /etc/haproxy/haproxy.cfg
# All IP addresses mentioned are meant to be replaced with YOUR IPs, please do so
#
# Tested with: CentOS 5.5 kernel 2.6.18-164.6.1.el5, haproxy version 1.4.11
# Full documentation about all available options located here: http://haproxy.1wt.eu/
#
# Intended use at a separate dedicated dual-stack server system for ipv6 proxying
# Use at least HAProxy version 1.4.11
# This will forward all incoming tcp requests for [2607:f208:1:1000::101] on ports 80 and 443 to 97.74.104.201

global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    # TCP pass-through: HTTPS is not decrypted on the proxy
    mode tcp
    option dontlognull
    retries 3
    maxconn 4000
    # timeouts are in milliseconds
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

# The port is whatever follows the last colon of the IPv6 listen address
listen ipv6proxy80 2607:f208:1:1000::101:80
    mode tcp
    server ipv4server80 97.74.104.201:80 maxconn 4000

listen ipv6proxy443 2607:f208:1:1000::101:443
    mode tcp
    server ipv4server443 97.74.104.201:443 maxconn 4000
Please note, at the time of making this, www.godaddy.com resolved to 97.74.104.201. If Go Daddy changes this ip, then my configuration breaks. This is just an example. I could have done this with any website.
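A check for the breakage described above, as an added example that is not part of the original post: it parses the `listen`/`server` lines of the configuration, splitting each address from its port at the last colon, and reports any backend that the site's hostname no longer resolves to. The function names and the injectable `resolver` parameter are this example's own, and it assumes backends are written as literal IPs, as they are in this configuration.

```python
import ipaddress
import socket

# Constructed sample: the two listen sections from the haproxy.cfg above.
SAMPLE_CFG = """\
listen ipv6proxy80 2607:f208:1:1000::101:80
    mode tcp
    server ipv4server80 97.74.104.201:80 maxconn 4000
listen ipv6proxy443 2607:f208:1:1000::101:443
    mode tcp
    server ipv4server443 97.74.104.201:443 maxconn 4000
"""

def split_hostport(value):
    """Split 'addr:port' at the LAST colon, so IPv6 listen addresses parse too."""
    addr, _, port = value.rpartition(":")
    return ipaddress.ip_address(addr), int(port)

def parse_proxies(cfg_text):
    """Return [(bind_addr, bind_port, backend_addr, backend_port), ...]."""
    proxies, bind = [], None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(words) >= 3 and words[0] == "listen":
            bind = split_hostport(words[2])
        elif len(words) >= 3 and words[0] == "server" and bind:
            proxies.append(bind + split_hostport(words[2]))
    return proxies

def resolve_a(hostname):
    """Current IPv4 addresses for hostname (needs network access)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def find_drift(cfg_text, hostname, resolver=resolve_a):
    """List configured backends that hostname no longer resolves to."""
    current = resolver(hostname)
    return [f"{b}:{bp} -> {s}:{sp} is stale; {hostname} is now {sorted(map(str, current))}"
            for b, bp, s, sp in parse_proxies(cfg_text) if s not in current]

if __name__ == "__main__":
    # Offline demo with a constructed resolver (192.0.2.10 is a documentation address).
    # On the proxy host, pass the real haproxy.cfg text and keep the default resolver.
    moved = lambda host: {ipaddress.ip_address("192.0.2.10")}
    print("\n".join(find_drift(SAMPLE_CFG, "www.godaddy.com", resolver=moved)))
```

Run from cron on the proxy host, a non-empty result means the AAAA record is now sending IPv6 visitors to an address the site has left.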
Start HAProxy (Note: if you’re running anything on port 80 or port 443, like Apache, you’ll need to stop it for this to work):
/etc/init.d/haproxy start
And now, all Go Daddy needs to do to make their web site dual stack is publish this AAAA record:
2607:f208:1:1000::101 www.godaddy.com
Go Daddy is not going to do this, of course. They’ll roll their own IPv6 solution. Just saying, hypothetically speaking, any web site could use this method to provide their web site on dual stack hosting. Could be the tactic to use for World IPv6 Day.
BUT I WANT TO SEE THIS WORK NOW, CAN I? YES….. I can trick my computer into thinking this AAAA record already exists by jamming it into my HOSTS file, like this:
2607:f208:1:1000::101 www.godaddy.com
Note, the HOSTS file on a MacBook is /etc/hosts. On Windows, it’s C:\windows\system32\drivers\etc\hosts
Restart your browser to make sure it picks up the HOSTS file change, and voilà, you are viewing the site through IPv6, assuming you have IPv6 connectivity at home.
If you try this at home, remember to remove this entry from your hosts file when you’re done playing, because you want to be able to get to www.godaddy.com later, and this example is less than 100% reliable/stable.
See my previous article on the topic of Cox Communication (NOT) using IPv6 transition mechanism 6to4 Relay anycast prefix because you may already have IPv6 access and didn’t realize it!
Note: I also tried this on a VM at 2607:f208:201:102::12 and it worked there too.
@Brian – thanks, great suggestion! Just add:
option forwardfor
And that’s it. To get apache to automatically change the source IP for the application stack and the log files, check out http://stderr.net/apache/rpaf/