Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Software configs  (Read 18980 times)

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
Software configs
« on: November 20, 2008, 10:46:16 PM »

So by default, at least on the more recent versions of Fedora, CentOS, Ubuntu and FreeBSD that I've configured, most services seem ready out of the box for IPv6, mostly in a dual-stack default way.

OpenSSH: sshd_config
Code:
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
Should already be set, which makes it listen on any address configured, IPv4 or IPv6. So if you only want it available on 1 IP, set it there.

Postfix: main.cf
Code:
inet_interfaces = all
inet_protocols = all
Since I run dual-stack, the second line makes it use both IPv4 & IPv6. First line I have that way by default, but would make sense if you've terminated a tunnel on your mail server and need that interface included.

Apache: httpd.conf
Code:
Listen 80
This again has been dual-stack happy since by default it is configured to just listen on port 80 regardless of the IP. You can of course do the whole virtual-hosting, and configure like:
Code:
<VirtualHost x.x.x.x:80 [A:B:C:D::F]:80>
Where x.x.x.x is your IPv4 address and A:B:C:D::F your IPv6.

Dovecot: dovecot.conf
Code:
listen = [*]
listen = [::]
Again I run dual-stack so I want both configured. You can always lock it down to single IPs.


If anyone has more examples, please share!
« Last Edit: July 24, 2010, 03:30:43 PM by broquea »

kriteknetworks
Icecast
« Reply #1 on: November 21, 2008, 09:01:09 AM »

Code:
<bind-address>::</bind-address>

Will listen on all IPv4/6 interfaces by default.
Optionally, specific addresses can be assigned, IPv4/6.
« Last Edit: November 21, 2008, 09:15:34 AM by kriteknetworks »

kriteknetworks
Sendmail
« Reply #2 on: November 21, 2008, 09:11:50 AM »

In your sendmail.mc (or $HOSTNAME.mc on FreeBSD 7.x), put the following:

Code:
dnl Enable for both IPv4 and IPv6 (optional)
DAEMON_OPTIONS(`Name=IPv4, Family=inet, Addr=xxx.xxx.xxx.xxx')dnl
DAEMON_OPTIONS(`Name=IPv6, Family=inet6, Addr=200x:xxxx:xxxx:xxxx::xxxx')dnl

Rebuild sendmail.cf, back up the old sendmail.cf, cp the new one over, restart sendmail, then use lsof -itcp:25 or netstat to confirm it is listening on the specified IPs.

NOTE: Slackware Linux does not enable IPv6 in sendmail; it requires building from scratch. I have no experience with sendmail on other Linux distros, so I don't know what support they ship sendmail with.
« Last Edit: November 21, 2008, 11:07:36 AM by kriteknetworks »
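
The confirmation step in the post above (lsof -itcp:25 or netstat), turned into a repeatable check of actual listeners against the addresses each port is meant to be bound to. This is an added example, not part of the original post; it assumes `ss -H -ltn` output with the local address in the fourth field, and the sample output and EXPECTED policy are constructed.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not from the thread); addresses
# come from documentation prefixes. Field 4 is assumed to be Local Address:Port.
SAMPLE_SS = """\
LISTEN 0 128        0.0.0.0:22       0.0.0.0:*
LISTEN 0 128           [::]:22          [::]:*
LISTEN 0 100   203.0.113.10:25       0.0.0.0:*
LISTEN 0 511              *:80             *:*
"""

# Hypothetical policy: the addresses each port is supposed to be bound to.
EXPECTED = {
    22: {"0.0.0.0", "::"},
    25: {"203.0.113.10", "2001:db8::25"},
    80: {"203.0.113.10", "2001:db8::80"},
}

def parse_listeners(ss_output):
    """Return a set of (address, port); '*' is a single socket serving both families."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]        # drop brackets and any %scope
        if host != "*":
            host = str(ipaddress.ip_address(host))   # normalise the spelling
        listeners.add((host, int(port)))
    return listeners

def audit(ss_output, expected):
    """List listeners the policy does not allow, then intended listeners that are absent."""
    actual = parse_listeners(ss_output)
    wanted = {(str(ipaddress.ip_address(a)), port)
              for port, addrs in expected.items() for a in addrs}
    findings = [("unexpected", h, p) for h, p in sorted(actual - wanted)]
    findings += [("missing", h, p) for h, p in sorted(wanted - actual)]
    return findings

if __name__ == "__main__":
    # Port 25 has no IPv6 listener; port 80 is bound to the wildcard, not the two IPs.
    for finding in audit(SAMPLE_SS, EXPECTED):
        print(*finding)
```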

broquea
Re: Software configs
« Reply #3 on: December 02, 2008, 03:48:38 PM »

BIND(9):

Here are some examples from working in-production personal stuff. These are just how I've always configured my zones from some ancient bind zone-file generating script long lost and not forgotten.

named.conf; reverse zone for /64:
Code:
zone "9.0.0.0.1.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/reverse-2001-470-1-9_64.IP6.ARPA";
allow-transfer {
};
};

reverse-2001-470-1-9_64.IP6.ARPA:
Code:
$TTL 300
@ IN SOA 9.0.0.0.1.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa. broquea.deus-exmachina.net. (
200810210 ; Serial number (YYYYMMdd)
24h ; Refresh time
30m ; Retry time
2d ; Expire time
3d ; Default TTL (bind 8 ignores this, bind 9 needs it)
)

                                ; Name server entries
                                IN     NS     ns1.deus-exmachina.net.
; IPv6 PTR entries

; Subnet #1
$ORIGIN 9.0.0.0.1.0.0.0.0.7.4.0.1.0.0.2.ip6.arpa.

a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     master.deus-exmachina.net.
b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     deus-exmachina.net.
c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     ns1.deus-exmachina.net.
6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     onion-cafe.com.

Zonefile for one of my domains, showing AAAA examples:
Code:
$TTL 300
onion-cafe.com. IN    SOA   ns1.deus-exmachina.net. broquea.deus-exmachina.net. (
                  200810220   ;serial
                  8H       ;refresh
                  2H         ;retry
                  1W         ;expire
                  1D )

                IN NS   ns1.deus-exmachina.net.
                IN NS   ns2.deus-exmachina.net.
                IN MX   1 mail.onion-cafe.com.
                IN A    72.52.116.26
                IN AAAA 2001:470:1:9::26
mail            IN A    72.52.116.26
                IN AAAA 2001:470:1:9::26
www             IN A    72.52.116.26
                IN AAAA 2001:470:1:9::26

This is not the secret message.
« Last Edit: December 02, 2008, 04:27:18 PM by broquea »
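
How the ip6.arpa zone name and the relative PTR owner labels in the post above follow from 2001:470:1:9::/64, with a check that each PTR target has an AAAA record for the same address. This is an added example, not code from the original post; the function names are hypothetical and the record data is copied from the two zone files shown.

```python
import ipaddress

PREFIX = "2001:470:1:9::/64"
# Records copied from the two zone files in the post above.
PTRS = {
    "a.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0": "master.deus-exmachina.net.",
    "b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0": "deus-exmachina.net.",
    "c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0": "ns1.deus-exmachina.net.",
    "6.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0": "onion-cafe.com.",
}
AAAA = {
    "onion-cafe.com.": ["2001:470:1:9::26"],
    "mail.onion-cafe.com.": ["2001:470:1:9::26"],
    "www.onion-cafe.com.": ["2001:470:1:9::26"],
}

def _nibbles(address):
    """32 hex digits of an IPv6 address, most significant first."""
    return ipaddress.IPv6Address(address).exploded.replace(":", "")

def reverse_zone(prefix):
    """ip6.arpa zone name for an IPv6 prefix on a 4-bit boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    head = _nibbles(net.network_address)[: net.prefixlen // 4]
    return ".".join(reversed(head)) + ".ip6.arpa."

def ptr_owner(address, prefix):
    """PTR owner label for address, relative to the zone for prefix."""
    net = ipaddress.IPv6Network(prefix)
    if ipaddress.IPv6Address(address) not in net:
        raise ValueError(f"{address} is outside {net}")
    return ".".join(reversed(_nibbles(address)[net.prefixlen // 4:]))

def owner_to_address(owner, prefix):
    """Inverse of ptr_owner: rebuild the full address from a relative label."""
    net = ipaddress.IPv6Network(prefix)
    head = _nibbles(net.network_address)[: net.prefixlen // 4]
    return ipaddress.IPv6Address(int(head + owner.replace(".", "")[::-1], 16))

def unconfirmed_ptrs(ptrs, aaaa, prefix):
    """PTRs whose target name has no AAAA for the same address in `aaaa`."""
    bad = []
    for owner, name in ptrs.items():
        addr = owner_to_address(owner, prefix)
        forward = {ipaddress.IPv6Address(a) for a in aaaa.get(name, ())}
        if addr not in forward:
            bad.append((str(addr), name))
    return bad
```

With only the records shown in the post, the ::26 PTR is forward-confirmed by the onion-cafe.com AAAA; the three deus-exmachina.net PTRs are reported because that forward zone is not on the page.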

ericj
ProFTPD
« Reply #4 on: December 02, 2008, 06:00:19 PM »

/etc/proftpd/proftpd.conf
Code:
UseIPv6 on
(usually set by default)

ericj
ircd-hybrid
« Reply #5 on: December 02, 2008, 06:15:51 PM »

/etc/ircd-hybrid/ircd.conf
Code:
listen {
        host = "0.0.0.0"; # Bind to all IPv4
        host = "::"; # Bind to all IPv6
        port = 6665 .. 6669; # Use Ports 6665 to 6669
};

carrerasg
Privacy extensions
« Reply #6 on: December 07, 2008, 06:15:34 PM »

This enables privacy extensions on Ubuntu (8.10), maybe some others too.
Add to the bottom of /etc/sysctl.conf (note the reference to the interface in the second statement)

Code:
# Fix to create temporary addresses (privacy extensions)
net.ipv6.conf.eth0.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

wamble
Re: Software configs
« Reply #7 on: October 06, 2010, 06:08:03 PM »

Dovecot: dovecot.conf
Code:
listen = [*]
listen = [::]

I tried this and couldn't get it to work. Looking at http://wiki.dovecot.org/MainConfig it tells me to use both on one line:
Code:
listen=*,[::]

allen4names
Re: Software configs
« Reply #8 on: October 06, 2010, 10:38:21 PM »

Hiawatha does not bind to IPv6 addresses by default.

Code:
Binding {
    Interface = ::1
    Port = 80
}

Whereas you do not need to bind an interface for IPv4.

Code:
Binding {
    Port = 80
}

The author welcomes bug reports.

Hugo Leisink <hugo@hiawatha-webserver.org> - http://www.hiawatha-webserver.org/

Allen4names

s3n
Re: Software configs
« Reply #9 on: January 31, 2011, 08:14:05 AM »

To make ejabberd listen on IPv4 and IPv6 interfaces, add the inet6 option.
Code:
...
{listen,
  [
    {5222, ejabberd_c2s, [
      inet6,
      {access, c2s},
      {shaper, c2s_shaper},
      ...

For nginx (also dual-stack configuration):
Code:
server {
    listen [::]:80;
    ...
« Last Edit: January 31, 2011, 08:16:28 AM by s3n »

DOMBlogger
Re: Software configs
« Reply #10 on: September 15, 2011, 07:54:35 AM »

Note on the Apache config - since IPv6 addresses are readily available, I'm doing virtual hosts a wee bit differently.
Example domain.net.conf in my /etc/httpd/conf.d directory:

Code:
NameVirtualHost [2600:3c00::xx:yyyy]:80

<VirtualHost nnn.nnn.nnn.nnn:80>
ServerName www.domain.tld
DocumentRoot "/srv/domains/domain.tld/www"
ErrorLog logs/www.domain.tld.error_log
CustomLog logs/www.domain.tld.access_log combined
</VirtualHost>

<VirtualHost [2600:3c00::xx:yyyy]:80>
ServerName www.domain.tld
DocumentRoot "/srv/domains/domain.tld/www"
ErrorLog logs/www.domain.tld.error_log
CustomLog logs/www.domain.tld.access_log combined
</VirtualHost>

<VirtualHost nnn.nnn.nnn.nnn:80>
ServerName domain.tld
RewriteEngine On
RewriteRule ^(.*)$ http://www.domain.tld$1 [R]
</VirtualHost>

<VirtualHost [2600:3c00::xx:yyyy]:80>
ServerName domain.tld
RewriteEngine On
RewriteRule ^(.*)$ http://www.domain.tld$1 [R]
</VirtualHost>

<Directory "/srv/domains/domain.tld/www">
  Options FollowSymLinks
  AllowOverride All
</Directory>

<Directory "/srv/domains/domain.tld/www/junk">
  Options FollowSymLinks Indexes
  AllowOverride All
</Directory>

I probably could (and should) combine the top two into 1 and bottom two into 1.

IPv4 address is used for several domains.
IPv6 is used only for the specific domain.tld and www.domain.tld - which is why the domain-specific conf file is where the NameVirtualHost for the IPv6 goes (and is actually only needed for the mod_rewrite when the non-www domain is requested).

Using a unique IP for each domain.tld in IPv6 lets me use that same unique IPv6 for each domain on port 443.

I know most if not every browser that supports IPv6 also supports SNI but since SNI isn't really needed for IPv6 - I don't want to rely on the SNI support being there, so if I ever want/need to add an SSL host to that domain, it's good to already have a unique IPv6 for it.

IPv4 users - well, they might get an SSL cert mismatch, as I do not wish to be greedy with IPv4 addresses.

Only potential issue I see is I may need to issue a kernel directive to increase the number of IPv6 addresses (I think default max is 16 on RHEL/CentOS 6, I'll have to check. Increasing it isn't hard though)