nginx reverse proxy IPv6 --> IPv4

Started by Tubs, May 04, 2019, 05:33:55 PM

Hello,

can I use nginx plugin as reverse proxy from IPv6 address to internal server with IPv4 address only?

With all I have tried so far, I do not get it running.

My starting point is that my IPv4 setup is running: WAN IPv4 --> nginx --> DMZ IPv4
I set up an IPv6 GIF tunnel (HE), and in the firewall I allow ICMP and ports 80 and 443 on the tunnel interface to "This Firewall".
No further setup of an IPv6 address on any other interface.
When I look at the socket bindings of nginx, the ports look OK for IPv6:
  www  nginx  tcp6   *:443   *:*
  root   nginx  tcp6    *:80    *:*
  root   nginx  tcp6    *:443    *:*
Ping from outside to the local GIF address is working fine.

But HTTP and HTTPS access from outside to the local GIF address times out. I cannot see anything in the firewall logs.

Any idea what to do?
Or is what I want to do simply not possible?

What kind of timeout (before or after nginx)?

In theory your setup should not cause any issues as it is intended to be supported.

Client <-- IPv6 --> OPNsense (nginx) <-- IPv4 --> Backend
Client <-- IPv4 --> OPNsense (nginx) <-- IPv6 --> Backend

Can you try curl on "::1"? It should work as well, but no external network is used (I would expect a routing issue), so it is not a firewall rule or routing issue.

Good to hear that what I want to do should work in general.

But it looks like my explanation was not precise enough.

The timeout I got was on an external machine (IPv4/IPv6 client), before the OPNsense WAN interface.
From the same external machine over IPv4 I can reach the webserver on the backend and I can ping OPNsense.
From the same external machine over IPv6 I can ping OPNsense.

I tested curl on the OPNsense CLI, both to localhost and to the external IP:

ping 127.0.0.1                          --> OK
ping6 ::1                               --> OK
ping xxx.xxx.xxx.xxx                    --> OK
ping6 xxxx:xxxx:xxxx:xxxx::xxxx         --> OK

curl http://127.0.0.1                   --> empty return
curl http://[::1]                       --> curl: no match
curl http://xxx.xxx.xxx.xxx             --> OK, response from nginx
curl http://[xxx:xxxx:xxxx:xxxx::xxxx]  --> curl: no match

So, I am a little bit closer. It is either a routing issue or an issue with the binding of nginx to IPv6.

Any further ideas where to look next?

May 05, 2019, 11:01:54 AM #3 Last Edit: May 05, 2019, 11:04:19 AM by fabian
Looks like there is some internal issue in FreeBSD.
root@opn:~ # curl -I "http://[global unicast ip]:8080/"
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sun, 05 May 2019 08:53:42 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: PHPSESSID=821af9dcbd0717c132159e99ba9fe06e; path=/
Set-Cookie: PHPSESSID=821af9dcbd0717c132159e99ba9fe06e; path=/; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

and

root@opn:~ # curl -Iv "http://[::1]:8080/"
*   Trying ::1...
* TCP_NODELAY set
* Immediate connect fail for ::1: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server

With ULA:
curl -Iv "http://[fe80::a00:27ff:fe5b:210a]:8080/"
*   Trying fe80::a00:27ff:fe5b:210a...
* TCP_NODELAY set
* Immediate connect fail for fe80::a00:27ff:fe5b:210a: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
Since all vhosts in the nginx plugin are bound to ::, nginx listens on all interfaces and IP addresses.

@fichtner, @lattera: may something in the kernel network stack be broken? "No route to host" on localhost is quite strange (even when pf is disabled).
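Two things worth checking against the outputs above. First, the earlier unquoted `curl http://[::1]` was most likely never run by curl at all: on a csh-family shell the square brackets are glob characters, and "No match" is the shell's own error when the pattern matches nothing; the quoted form used in the last post avoids that. Second, "bound to ::" only means "listens on every IPv4 address as well" when the socket's IPV6_V6ONLY option is off; FreeBSD's `net.inet6.ip6.v6only` sysctl and nginx's `listen ... ipv6only=` parameter both default to on, which is why a FreeBSD nginx normally shows separate tcp4 and tcp6 listeners. The script below is an added example, not code from the thread or from the OPNsense plugin: it binds one listener on `::` with the option set each way and reports which loopback families can reach it. The probe only exercises loopback, so it separates a socket-binding problem from the routing failure shown in the curl output.

```python
import socket
import threading

# Constructed demonstration (not from the thread): bind one TCP listener on the
# IPv6 wildcard "::" with IPV6_V6ONLY on or off, then try to reach it over
# 127.0.0.1 (AF_INET) and ::1 (AF_INET6). With the option off the single socket
# is dual-stack; with it on, only native IPv6 connects succeed.


def _accept_loop(srv, stop):
    """Accept and immediately close connections until `stop` is set."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        except OSError:
            break
        conn.close()


def _can_connect(family, addr, port):
    """Return True if a TCP connect to (addr, port) over `family` succeeds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as c:
            c.settimeout(1.0)
            c.connect((addr, port))
            return True
    except OSError:
        return False


def probe_wildcard_listener(v6only):
    """Listen on [::]:<ephemeral port> with the requested IPV6_V6ONLY setting and
    report which loopback families reach it. Returns None when no IPv6 socket
    can be bound at all (host without IPv6 support)."""
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))
        srv.listen(5)
    except OSError:
        return None
    port = srv.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=_accept_loop, args=(srv, stop), daemon=True)
    worker.start()
    try:
        return {
            "ipv4": _can_connect(socket.AF_INET, "127.0.0.1", port),
            "ipv6": _can_connect(socket.AF_INET6, "::1", port),
        }
    finally:
        stop.set()
        worker.join()
        srv.close()


if __name__ == "__main__":
    for flag in (True, False):
        print(f"IPV6_V6ONLY={int(flag)} ->", probe_wildcard_listener(flag))
```

If the `ipv6` entry is False here while `ipv4` is True, the box cannot reach its own `::1` even from a freshly bound socket, which points at the loopback/route state rather than at nginx's configuration; if both families connect, the listener side is fine and the fault is on the path from the tunnel interface.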

Are there any news about this topic?
Is it something on OPNsense side or is it only my system that is screwed up?

The update to 19.1.8 did not change anything, and I do not know where to continue searching.