You need to update httpd.conf file with the Listen directive. It instructs Apache to listen to only specific IPv4 and IPv6 addresses or ports. By default it responds to requests on all IP interfaces including IPv4 and IPv6 addresses. Our sample setup is as follows:
- cyberciti.biz has address 74.86.48.99
- cyberciti.biz has IPv6 address 2607:f0d0:1002:11::4
The Apache httpd.conf configuration file remains same under a UNIX / BSD and Linux operating system.
Linux Apache IPv6 Configuration
Open the httpd.conf file, enter:
# vi httpd.conf
To make the server accept connections on 74.86.48.99 and port 80, use:
Listen 74.86.48.99:80
IPv6 addresses must be surrounded in square brackets and port 80, use
Listen [2607:f0d0:1002:11::4]:80
Save and close the file. Restart or reload the Apache server:
# service httpd restart
OR
# systemctl restart httpd.service
Verify Apache Is Working In Dual Stack Mode
Use the netstat command as follows:
# netstat -tulpn | grep :80
Sample Outputs:
tcp 0 0 74.86.48.99:80 0.0.0.0:* LISTEN 4473/httpd tcp 0 0 2607:f0d0:1002:11::4:80 :::* LISTEN 4473/httpd
Configure iptables to Allow Access to the Web Server Via IPv6
The default Ip6tables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server. This modification allows that access, while keeping other ports on the server in their default protected state. Edit /etc/sysconfig/ip6tables file (IPv6 firewall configuration file under CentOS / RHEL / Fedora Linux):
# vi /etc/sysconfig/ip6tables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain (on a RHEL/CentOS 6.x or older):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
Add the following if you have configured HTTPS port:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT
A note about CentOS / RHEL v7.x or above
The rules are as follows:
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
Save and close the file. Restart firewall, enter:
# service ip6tables restart
OR
# systemctl ip6tables restart
Dual Stacked IPv4 and IPv6 Virtual Hosts Configurations
You need to update httpd.conf as follows for dual stacked httpd virtual hosting:
#IPv4 configuration <VirtualHost 74.86.48.99> ServerAdmin webmaster@cyberciti.com DocumentRoot /home/httpd/cyberciti.biz/http ServerName cyberciti.biz ServerAlias www.cyberciti.biz ErrorLog logs/cyberciti.biz-error_log TransferLog logs/cyberciti.biz-access_log ErrorLog "/home/httpd/cyberciti.biz/logs/error.log" CustomLog "/home/httpd/cyberciti.biz/logs/access.log" common ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/" # For php5 fastcgi add +ExecCGI <Directory "/home/httpd/cyberciti.biz/http"> Options -Indexes FollowSymLinks +ExecCGI AllowOverride AuthConfig FileInfo AddHandler php5-fastcgi .php Action php5-fastcgi /cgi-bin/php.fcgi Order allow,deny Allow from all </Directory> # Default cgi-bin perms <Directory "/home/httpd/cyberciti.biz/cgi-bin"> AllowOverride None Options None Order allow,deny Allow from all </Directory> </VirtualHost> # Ipv6 config, note down log files <VirtualHost [2607:f0d0:1002:11::4]> ServerAdmin webmaster@cyberciti.com DocumentRoot /home/httpd/cyberciti.biz/http ServerName cyberciti.biz ServerAlias www.cyberciti.biz ErrorLog logs/cyberciti.biz-error_log TransferLog logs/cyberciti.biz-access_log ErrorLog "/home/httpd/cyberciti.biz/logs/ipv6.error.log" CustomLog "/home/httpd/cyberciti.biz/logs/ipv6.access.log" common ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/" # For php5 fastcgi add +ExecCGI <Directory "/home/httpd/cyberciti.biz/http"> Options -Indexes FollowSymLinks +ExecCGI AllowOverride AuthConfig FileInfo AddHandler php5-fastcgi .php Action php5-fastcgi /cgi-bin/php.fcgi Order allow,deny Allow from all </Directory> # Default cgi-bin perms <Directory "/home/httpd/cyberciti.biz/cgi-bin"> AllowOverride None Options None Order allow,deny Allow from all </Directory> </VirtualHost>
Save and close the file. Restart Apache web server:
# service httpd restart
OR
# systemctl restart httpd
A Note About BSD PF Firewall
You need to update /etc/pf.conf as follows under OpenBSD / FreeBSD operating systems:
# define Ipv6 ips apache_ipv6 = "{ 2607:f0d0:1002:11::4 }" # Open port 80 pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port http keep state # Open port 443 pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port https keep state
Save and close the file. Reload pf firewall:
# /etc/rc.d/pf reload
OR
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
Additional Resources
Further resources should be consulted for more extensive configuration guidance, especially if particular applications need to be secured:
- Red Hat / CentOS: Chroot Apache 2 Web Server
- FreeBSD Configure Apache PHP with mod_fastcgi Module
- Red Hat / CentOS Apache 2 FastCGI PHP Configuration
- Apache FastCGI / mod_fastcgi PHP fcgi Script
- See all our Apache related FAQs and tutorials published on the nixCraft.
- Apache Core Features
🐧 6 comments so far... add one ↓
Category | List of Unix and Linux commands |
---|---|
File Management | cat |
Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
Network Utilities | dig • host • ip • nmap |
OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
Package Manager | apk • apt |
Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
Searching | grep • whereis • which |
User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
Vivek;
I just read through your article on Dual Stack setup for Apache looking for a clue to solve a problem I have here. I’m trying to set up a Tomcat over Java to run in a IPv6 only test network with no luck. I can’t get the ports 8080, 8081 and 8082 to bind to IPv6. I’ve dug around in both Tomcat and Java and found what I thought were some promising fixes like Java’s java.net.preferIPv4Stack=false and java.net.preferIPv6Addresses=true. I can’t quite figure out what I need to do to get the 8080 ports to bin to IPv6. I’d be happy if I could get the ports to bind with both IPv6 and IPv4.
The Tomcat configuration works fine under IPv4. When I attempt to connect to the website using IPv6 the connection request is reset by the server, I’m guessing because the port isn’t available on IPv6.
Any thoughts? I’m searching for clues…..
Thanks…
Larry
Making two ‘Listen’ statements gives an error that port 80 is already in use. Any ideas, anyone?
$ sudo /etc/init.d/apache2 start
* Starting web server apache2
(98)Address already in use: make_sock: could not bind to address [2600:3c01::f03c:91ff:fe96:edba]:80
The correct way to do this is
……
That’s a space after the ipv4 address and then encase in square brackets your IPv6 address
ensure your namevirtualhost setting is defined for both
NameVirtualHost 74.86.48.99
NameVirtualHost [dead:beef:::1]
and to Scott, you could just use Listen *:80, but I cant see why it would complain for two separate statements
Instead of having two duplicate VirtualHosts you can create a VirtualHost with both ipv4 and Ipv6 addresses. See http://www.viathinksoft.de/?page=codelib&showid=100
You can just use a * for the and have a listen 80 directive. If there’s an IPv6 address in the system, Apache runs dual-stacked out-of-the-box.
apache web server on centos
1. ipv4 and ipv6 are network interface.
2. the httpd.conf file have listen to them bot
Listen 162.218.210.229:80
Listen [2602:ffea:1:58c::89ea]:80
3. listen on each vhost for ipv4 and ipv6
4. it has aaaa record in dns forward zone
5. ipv6 has permit in/out network connection for tcp6/udp6 from ip6tables