You need to update httpd.conf file with the Listen directive. It instructs Apache to listen to only specific IPv4 and IPv6 addresses or ports. By default it responds to requests on all IP interfaces including IPv4 and IPv6 addresses. Our sample setup is as follows:
- cyberciti.biz has address 74.86.48.99
- cyberciti.biz has IPv6 address 2607:f0d0:1002:11::4
The Apache httpd.conf configuration file remains same under a UNIX / BSD and Linux operating system.
Linux Apache IPv6 Configuration
Open the httpd.conf file, enter:
# vi httpd.conf
To make the server accept connections on 74.86.48.99 and port 80, use:
Listen 74.86.48.99:80 |
IPv6 addresses must be surrounded in square brackets and port 80, use
Listen [2607:f0d0:1002:11::4]:80 |
Save and close the file. Restart or reload the Apache server:
# service httpd restart
OR
# systemctl restart httpd.service
Verify Apache Is Working In Dual Stack Mode
Use the netstat command as follows:
# netstat -tulpn | grep :80
Sample Outputs:
tcp 0 0 74.86.48.99:80 0.0.0.0:* LISTEN 4473/httpd tcp 0 0 2607:f0d0:1002:11::4:80 :::* LISTEN 4473/httpd
Configure iptables to Allow Access to the Web Server Via IPv6
The default Ip6tables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server. This modification allows that access, while keeping other ports on the server in their default protected state. Edit /etc/sysconfig/ip6tables file (IPv6 firewall configuration file under CentOS / RHEL / Fedora Linux):
# vi /etc/sysconfig/ip6tables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain (on a RHEL/CentOS 6.x or older):
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT |
Add the following if you have configured HTTPS port:
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT |
A note about CentOS / RHEL v7.x or above
The rules are as follows:
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m tcp -p tcp --dport 443 -j ACCEPT |
Save and close the file. Restart firewall, enter:
# service ip6tables restart
OR
# systemctl ip6tables restart
Dual Stacked IPv4 and IPv6 Virtual Hosts Configurations
You need to update httpd.conf as follows for dual stacked httpd virtual hosting:
#IPv4 configuration
<VirtualHost 74.86.48.99>
ServerAdmin webmaster@cyberciti.com
DocumentRoot /home/httpd/cyberciti.biz/http
ServerName cyberciti.biz
ServerAlias www.cyberciti.biz
ErrorLog logs/cyberciti.biz-error_log
TransferLog logs/cyberciti.biz-access_log
ErrorLog "/home/httpd/cyberciti.biz/logs/error.log"
CustomLog "/home/httpd/cyberciti.biz/logs/access.log" common
ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/"
# For php5 fastcgi add +ExecCGI
<Directory "/home/httpd/cyberciti.biz/http">
Options -Indexes FollowSymLinks +ExecCGI
AllowOverride AuthConfig FileInfo
AddHandler php5-fastcgi .php
Action php5-fastcgi /cgi-bin/php.fcgi
Order allow,deny
Allow from all
</Directory>
# Default cgi-bin perms
<Directory "/home/httpd/cyberciti.biz/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
# Ipv6 config, note down log files
<VirtualHost [2607:f0d0:1002:11::4]>
ServerAdmin webmaster@cyberciti.com
DocumentRoot /home/httpd/cyberciti.biz/http
ServerName cyberciti.biz
ServerAlias www.cyberciti.biz
ErrorLog logs/cyberciti.biz-error_log
TransferLog logs/cyberciti.biz-access_log
ErrorLog "/home/httpd/cyberciti.biz/logs/ipv6.error.log"
CustomLog "/home/httpd/cyberciti.biz/logs/ipv6.access.log" common
ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/"
# For php5 fastcgi add +ExecCGI
<Directory "/home/httpd/cyberciti.biz/http">
Options -Indexes FollowSymLinks +ExecCGI
AllowOverride AuthConfig FileInfo
AddHandler php5-fastcgi .php
Action php5-fastcgi /cgi-bin/php.fcgi
Order allow,deny
Allow from all
</Directory>
# Default cgi-bin perms
<Directory "/home/httpd/cyberciti.biz/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost> |
Save and close the file. Restart Apache web server:
# service httpd restart
OR
# systemctl restart httpd
A Note About BSD PF Firewall
You need to update /etc/pf.conf as follows under OpenBSD / FreeBSD operating systems:
# define Ipv6 ips apache_ipv6 = "{ 2607:f0d0:1002:11::4 }" # Open port 80 pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port http keep state # Open port 443 pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port https keep state |
Save and close the file. Reload pf firewall:
# /etc/rc.d/pf reload
OR
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf
Additional Resources
Further resources should be consulted for more extensive configuration guidance, especially if particular applications need to be secured:
- Red Hat / CentOS: Chroot Apache 2 Web Server
- FreeBSD Configure Apache PHP with mod_fastcgi Module
- Red Hat / CentOS Apache 2 FastCGI PHP Configuration
- Apache FastCGI / mod_fastcgi PHP fcgi Script
- See all our Apache related FAQs and tutorials published on the nixCraft.
- Apache Core Features
- RSS feed or Weekly email newsletter
- Share to Twitter • Facebook • 6 comments... add one ↓
Linux Network IP Accounting
CentOS / Redhat Iptables Firewall Configuration Tutorial
Linux Iptables Setup Firewall For a Web Server
How to save iptables firewall rules permanently on Linux
Linux Configure Firewall Using Shorewall Under RHEL / CentOS- How to set up a UFW firewall on Ubuntu 16.04 LTS server
Set Up a Basic Iptables Firewall on Amazon Linux AMI
| Category | List of Unix and Linux commands |
|---|---|
| File Management | cat |
| Network Utilities | dig • host • ip • nmap |
| Package Manager | apk • apt |
| Processes Management | bg • chroot • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
| Searching | grep • whereis • which |
| User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
Vivek;
I just read through your article on Dual Stack setup for Apache looking for a clue to solve a problem I have here. I’m trying to set up a Tomcat over Java to run in a IPv6 only test network with no luck. I can’t get the ports 8080, 8081 and 8082 to bind to IPv6. I’ve dug around in both Tomcat and Java and found what I thought were some promising fixes like Java’s java.net.preferIPv4Stack=false and java.net.preferIPv6Addresses=true. I can’t quite figure out what I need to do to get the 8080 ports to bin to IPv6. I’d be happy if I could get the ports to bind with both IPv6 and IPv4.
The Tomcat configuration works fine under IPv4. When I attempt to connect to the website using IPv6 the connection request is reset by the server, I’m guessing because the port isn’t available on IPv6.
Any thoughts? I’m searching for clues…..
Thanks…
Larry
Making two ‘Listen’ statements gives an error that port 80 is already in use. Any ideas, anyone?
$ sudo /etc/init.d/apache2 start
* Starting web server apache2
(98)Address already in use: make_sock: could not bind to address [2600:3c01::f03c:91ff:fe96:edba]:80
The correct way to do this is
……
That’s a space after the ipv4 address and then encase in square brackets your IPv6 address
ensure your namevirtualhost setting is defined for both
NameVirtualHost 74.86.48.99
NameVirtualHost [dead:beef:::1]
and to Scott, you could just use Listen *:80, but I cant see why it would complain for two separate statements
Instead of having two duplicate VirtualHosts you can create a VirtualHost with both ipv4 and Ipv6 addresses. See http://www.viathinksoft.de/?page=codelib&showid=100
You can just use a * for the and have a listen 80 directive. If there’s an IPv6 address in the system, Apache runs dual-stacked out-of-the-box.
apache web server on centos
1. ipv4 and ipv6 are network interface.
2. the httpd.conf file have listen to them bot
Listen 162.218.210.229:80
Listen [2602:ffea:1:58c::89ea]:80
3. listen on each vhost for ipv4 and ipv6
4. it has aaaa record in dns forward zone
5. ipv6 has permit in/out network connection for tcp6/udp6 from ip6tables