2024-05-17T09:27:17,165420712+00:00
With the vast address space of IPv6, every device can get a unique global IPv6 address. This is the case for my smart TV box at home running Armbian OS. I have covered the setup previously, about self-hosting a simple webspace on my repurposed smart TV box.
The challenge is that IPv6 access is not always available. The self-hosted site has to be reachable for everyone, whether they are on IPv6 or only have IPv4.
So I reconfigured my cloud VPS to act as an IPv4 gateway for the self-hosted website.
I attempted several approaches before arriving at this conclusion.
The setup works, but there is a hard limit on data transfer for the free tier. I also cannot get visitor IP addresses for performance analytics purposes, since the visitor always appears as localhost in the webserver log.
This setup works, but there is a port conflict and another certificate to manage. The site cannot be served on the same hostname, so it is accessed by another domain name, e.g. rk322x-box.tailb4603.ts.net in my case. I also abandoned this setup since I want to serve the traffic directly from a single web server.
This setup is almost what I want. It is as easy as adding the Netiter IPv4 address as an A record next to the existing IPv6 AAAA record.
This setup comes with a drawback: the IPv4 latency is so high (more than 300 ms) that my site feels slow when accessed via the IPv4 address. The site should not be this slow, so I fired up the Tailscale tunnel and accessed my site via its MagicDNS address (the same domain name as when it is served by Funnel, but only reachable inside my Tailscale network), and the site performance was acceptable (around 100 ms latency or less).
Learning from the previous attempts, I think it is time for me to set up a Netiter-like v4 frontend for my self-hosted webspace.
The current setup makes the webserver on the cloud VPS the IPv4 gateway: it hosts its own webspace and forwards TLS traffic to the appropriate host based on SNI (Server Name Indication).
The setup involves running a HAProxy instance on the cloud VPS that forwards traffic to my self-hosted server if the SNI matches the domain of my self-hosted webspace; otherwise the cloud-hosted website is served.
Here is a snippet of the relevant HAProxy configuration. The HAProxy instance acts as the frontend listener on TCP ports 80 and 443. All HTTP requests on port 80 are redirected to the HTTPS port, and HAProxy then decides where to route each connection according to the SNI hostname.
The cloud-hosted webspace is configured to listen on another port and to accept only connections carrying the PROXY protocol, so the webserver knows where the requests come from. With the proxy_protocol listener enabled, HAProxy sends the client IP address in the additional PROXY protocol header prepended to the TCP stream, so there is no need to make the cloud VPS the TLS terminator for connections addressed to my self-hosted webserver.
The backends (i.e. the self-hosted webservers) are all connected to the cloud VPS via a WireGuard tunnel, using private IPv6 addresses from the fd42:42:42::/64 prefix.
listen http_to_https
    bind :::80
    mode http
    # Plain HTTP is only used to bounce clients to HTTPS
    http-request redirect code 302 scheme https

frontend fe_tls_vip
    bind :::443
    mode tcp
    # Hold the connection up to 5s until the TLS ClientHello arrives so SNI can be read
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend bk_ssl_default

backend bk_ssl_default
    mode tcp
    # Case-insensitive suffix match on the SNI hostname of the self-hosted webspace
    acl mxq_server req_ssl_sni -i -m end mydeardiary.freeddns.org
    use-server mxq if mxq_server
    use-server cloudvps if !mxq_server
    option ssl-hello-chk
    # Self-hosted box over WireGuard; TLS is passed through untouched
    server mxq fd42:42:42::4:443 check
    # Cloud-hosted webspace on the VPS itself; PROXY protocol v2 carries the client IP
    server cloudvps fd42:42:42::1:4433 check send-proxy-v2
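To see what the acl above actually decides on, here is an added example (my own code, not part of the original post or of HAProxy) that constructs a minimal TLS ClientHello with an SNI extension, extracts the server name the way `req_ssl_sni` would, and applies the post's `-i -m end` rule to pick `mxq` or `cloudvps`. The `ACL_SUFFIX` and server names are taken from the configuration; the ClientHello bytes are constructed test input, and the demo deliberately includes `notmydeardiary.freeddns.org` to show that `-m end` is a pure suffix match.

```python
import struct

# Suffix from the haproxy acl in the post: req_ssl_sni -i -m end mydeardiary.freeddns.org
ACL_SUFFIX = "mydeardiary.freeddns.org"

def build_client_hello(server_name=None):
    """Constructed minimal TLS ClientHello (test input, not a real capture); None means no SNI."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        names = b"\x00" + struct.pack("!H", len(host)) + host            # name_type host_name + name
        exts = struct.pack("!HHH", 0, len(names) + 2, len(names)) + names  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f"                        # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
            + b"\x01\x00"                                # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the server_name from a ClientHello record, or None (what req_ssl_sni exposes)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:       # TLS handshake record carrying hello type 1
            return None
        p = 9 + 2 + 32                                   # past record/handshake headers, version, random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher_suites
        p += 1 + record[p]                               # compression_methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5 and record[p + 2] == 0:  # server_name list, entry type host_name
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                             # truncated or non-TLS input: no SNI
    return None

def choose_server(record):
    """Mirror the post's acl: case-insensitive suffix match (-i -m end) picks mxq, else cloudvps."""
    sni = extract_sni(record)
    if sni is not None and sni.lower().endswith(ACL_SUFFIX):
        return "mxq"
    return "cloudvps"

if __name__ == "__main__":
    for name in ("mydeardiary.freeddns.org", "notmydeardiary.freeddns.org", "other.example", None):
        print(name, "->", choose_server(build_client_hello(name)))
```

A hello without SNI, or a non-TLS first packet, falls through to `cloudvps`, matching the `use-server cloudvps if !mxq_server` rule.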
So far so good: since the cloud VPS is closer to my self-hosted webserver, the latency of the IPv4-proxied website is almost as low as when the site is accessed via the Tailscale network.
I am very happy with this setup and would recommend this approach to anyone facing the same problem of making an IPv6-only webserver accessible via IPv4.
The downside is that I have to spend some budget to keep the cloud VPS gateway running, which is acceptable since the VPS is rather cheap.
For anyone with no budget to spare, I recommend giving the Netiter v4 frontend a try to check whether the free service is good enough. Otherwise, the above setup offers better performance and more flexibility than the free Netiter v4 frontend, since the cloud VPS gateway is not shared among many users.