Providing an IPv6 address for an IPv4 legacy web server

We have a corporate web server which doesn’t have IPv6 connectivity. It’s behind firewalls which haven’t yet been updated for IPv6 and the server itself is managed by others in our company who are still getting up to speed with IPv6. Despite the fact that we have IPv6 rolled out over our core network, have multiple IPv6 transit connections and have DNS working for AAAA and PTR records, it still looks bad that our own web server isn’t yet enabled. What to do?

Well, trawling around the Interwebz, I’ve seen a few people with similar problems. In particular this posting looks pretty close to what I had in mind. There were, however, a few wrinkles (aren’t there always?) which made things more interesting. First, the web site in question has an address (let’s say it’s www.mycorp.com) which is a CNAME for another address (let’s say www.actual.net). Secondly, the web server running www.actual.net is configured so that it will only respond to requests specifying either of those two addresses in the HTTP request header.

My solution was to configure Apache on a spare dual stacked server and to set up a new virtual host with the skeleton of the configuration as follows:

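<VirtualHost [2001:xxxx:yyyy::1]:80>
    # Reverse proxy only; never act as a forward (open) proxy
    ProxyRequests Off
    # Pass the client's Host header through to the legacy server
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # IPv4 literal forces the backend connection over IPv4
    ProxyPass / http://A.B.C.D/
</VirtualHost>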

I created a new AAAA record for www.actual.net; this is the 2001:xxxx:yyyy::1 address in the configuration above. Once DNS has updated, a query for www.actual.net will return both the original A record and the new AAAA record. Remember that many browsers are set up to use an AAAA record preferentially over an A record when both are available.

There are three things to note. The “ProxyRequests Off” directive is very important because it’s what stops your server becoming an open proxy whilst enabling it to act as a reverse proxy. The “ProxyPreserveHost On” directive is there so that the legacy server sees requests for www.mycorp.com or www.actual.net rather than http://A.B.C.D/. Lastly, A.B.C.D is the IPv4 address of www.actual.net and is there in order to force the proxy server to connect to the legacy server over IPv4 rather than the IPv6 address it would see if it looked up www.actual.net. You could also set up another A record such as ipv4.actual.net with this address and use that instead.
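The three points above can be checked mechanically before a vhost goes live. The following is an added example, not part of the original post: a small Python audit of a vhost's text, where the function name audit_vhost and both sample configurations are hypothetical and constructed, using documentation address ranges.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample vhosts; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
GOOD = """<VirtualHost [2001:db8::1]:80>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.0.2.10/
</VirtualHost>"""
BAD = """<VirtualHost [2001:db8::1]:80>
ProxyRequests On
ProxyPass / http://www.actual.net/
</VirtualHost>"""

def audit_vhost(conf):
    """Return findings for one reverse-proxy vhost (hypothetical helper)."""
    seen = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # skip comments and section tags
            continue
        name, *rest = line.split(None, 1)
        seen.setdefault(name.lower(), []).append(rest[0] if rest else "")
    findings = []
    # An explicit "On" turns the server into a forward proxy.
    if any(v.lower() == "on" for v in seen.get("proxyrequests", [])):
        findings.append("open-proxy: ProxyRequests is On")
    # Without this the backend sees the ProxyPass host, not the site name.
    if not any(v.lower() == "on" for v in seen.get("proxypreservehost", [])):
        findings.append("host-header: ProxyPreserveHost is not On")
    for args in seen.get("proxypass", []):
        parts = args.split()
        if len(parts) < 2 or parts[1] == "!":  # malformed or exclusion rule
            continue
        host = urlsplit(parts[1]).hostname or ""
        try:
            if ipaddress.ip_address(host).version != 4:
                findings.append(f"backend: {host} is not an IPv4 address")
        except ValueError:
            # A name with an AAAA record could resolve back to this proxy.
            findings.append(f"backend: {host} is a hostname; confirm it has no AAAA record")
    return findings

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("bad", BAD)):
        print(label, audit_vhost(conf))
```

A hostname backend such as ipv4.actual.net is still reported, as a reminder to confirm it carries only an A record.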

For completeness, I’m running Apache version 2.2.9 on Debian Lenny. Remember to run “a2enmod proxy” to enable proxying, or else Apache won’t recognise the proxy-related directives.

About Serif

An old skool Unix hacker, minus the beard and the sandals, who has currently found a nice warm place to spend his days at the offices of an ISP.