Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts

Posted on in Categories , , , , , , , , , , , , , last updated September 13, 2015

How do I configure Apache IPv6 networking under a UNIX / Linux / BSD operating system? How do I configure httpd IPv6 and IPv4 under a RHEL / CentOS / Fedora / Debian / Ubuntu Linux?

You need to update httpd.conf file with the Listen directive. It instructs Apache to listen to only specific IPv4 and IPv6 addresses or ports. By default it responds to requests on all IP interfaces including IPv4 and IPv6 addresses. Our sample setup is as follows:

  1. cyberciti.biz has address 74.86.48.99
  2. cyberciti.biz has IPv6 address 2607:f0d0:1002:11::4

The Apache httpd.conf configuration file remains same under a UNIX / BSD and Linux operating system.

Linux Apache IPv6 Configuration

Open the httpd.conf file, enter:
# vi httpd.conf
To make the server accept connections on 74.86.48.99 and port 80, use:

Listen 74.86.48.99:80

IPv6 addresses must be surrounded in square brackets and port 80, use

Listen [2607:f0d0:1002:11::4]:80

Save and close the file. Restart or reload the Apache server:
# service httpd restart
OR
# systemctl restart httpd.service

Verify Apache Is Working In Dual Stack Mode

Use the netstat command as follows:
# netstat -tulpn | grep :80
Sample Outputs:

tcp        0      0 74.86.48.99:80              0.0.0.0:*                   LISTEN      4473/httpd       
tcp        0      0 2607:f0d0:1002:11::4:80     :::*                        LISTEN      4473/httpd

Configure iptables to Allow Access to the Web Server Via IPv6

The default Ip6tables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server. This modification allows that access, while keeping other ports on the server in their default protected state. Edit /etc/sysconfig/ip6tables file (IPv6 firewall configuration file under CentOS / RHEL / Fedora Linux):
# vi /etc/sysconfig/ip6tables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain (on a RHEL/CentOS 6.x or older):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

Add the following if you have configured HTTPS port:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

A note about CentOS / RHEL v7.x or above

The rules are as follows:

-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart firewall, enter:
# service ip6tables restart
OR
# systemctl ip6tables restart

Dual Stacked IPv4 and IPv6 Virtual Hosts Configurations

You need to update httpd.conf as follows for dual stacked httpd virtual hosting:

 #IPv4 configuration
<VirtualHost 74.86.48.99>
	ServerAdmin [email protected]
	DocumentRoot /home/httpd/cyberciti.biz/http
	ServerName cyberciti.biz
	ServerAlias www.cyberciti.biz
	ErrorLog logs/cyberciti.biz-error_log
	TransferLog logs/cyberciti.biz-access_log
        ErrorLog "/home/httpd/cyberciti.biz/logs/error.log"
        CustomLog "/home/httpd/cyberciti.biz/logs/access.log" common
        ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/"
 
# For php5 fastcgi add +ExecCGI
 	<Directory "/home/httpd/cyberciti.biz/http">
		Options -Indexes FollowSymLinks +ExecCGI
		AllowOverride AuthConfig FileInfo
		AddHandler php5-fastcgi .php
		Action php5-fastcgi /cgi-bin/php.fcgi
		Order allow,deny
		Allow from all
	</Directory>
 
# Default cgi-bin perms
	<Directory "/home/httpd/cyberciti.biz/cgi-bin">
		AllowOverride None
		Options None
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost> 
 
# Ipv6 config, note down log files
<VirtualHost [2607:f0d0:1002:11::4]>
	ServerAdmin [email protected]
	DocumentRoot /home/httpd/cyberciti.biz/http
	ServerName cyberciti.biz
	ServerAlias www.cyberciti.biz
	ErrorLog logs/cyberciti.biz-error_log
	TransferLog logs/cyberciti.biz-access_log
        ErrorLog "/home/httpd/cyberciti.biz/logs/ipv6.error.log"
        CustomLog "/home/httpd/cyberciti.biz/logs/ipv6.access.log" common
        ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/"
 
# For php5 fastcgi add +ExecCGI
 	<Directory "/home/httpd/cyberciti.biz/http">
		Options -Indexes FollowSymLinks +ExecCGI
		AllowOverride AuthConfig FileInfo
		AddHandler php5-fastcgi .php
		Action php5-fastcgi /cgi-bin/php.fcgi
		Order allow,deny
		Allow from all
	</Directory>
 
# Default cgi-bin perms
	<Directory "/home/httpd/cyberciti.biz/cgi-bin">
		AllowOverride None
		Options None
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>

Save and close the file. Restart Apache web server:
# service httpd restart
OR
# systemctl restart httpd

A Note About BSD PF Firewall

You need to update /etc/pf.conf as follows under OpenBSD / FreeBSD operating systems:

# define Ipv6 ips
apache_ipv6 = "{ 2607:f0d0:1002:11::4 }"
# Open port 80
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port http keep state
# Open port 443
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port https keep state

Save and close the file. Reload pf firewall:
# /etc/rc.d/pf reload
OR
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf

Additional Resources

Further resources should be consulted for more extensive configuration guidance, especially if particular applications need to be secured:

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

Share this on:

6 comment

  1. Vivek;

    I just read through your article on Dual Stack setup for Apache looking for a clue to solve a problem I have here. I’m trying to set up a Tomcat over Java to run in a IPv6 only test network with no luck. I can’t get the ports 8080, 8081 and 8082 to bind to IPv6. I’ve dug around in both Tomcat and Java and found what I thought were some promising fixes like Java’s java.net.preferIPv4Stack=false and java.net.preferIPv6Addresses=true. I can’t quite figure out what I need to do to get the 8080 ports to bin to IPv6. I’d be happy if I could get the ports to bind with both IPv6 and IPv4.

    The Tomcat configuration works fine under IPv4. When I attempt to connect to the website using IPv6 the connection request is reset by the server, I’m guessing because the port isn’t available on IPv6.

    Any thoughts? I’m searching for clues…..

    Thanks…
    Larry

    Reply Report comment

  2. Making two ‘Listen’ statements gives an error that port 80 is already in use. Any ideas, anyone?

    $ sudo /etc/init.d/apache2 start
    * Starting web server apache2
    (98)Address already in use: make_sock: could not bind to address [2600:3c01::f03c:91ff:fe96:edba]:80

    Reply Report comment

  3. The correct way to do this is

    ……

    That’s a space after the ipv4 address and then encase in square brackets your IPv6 address

    ensure your namevirtualhost setting is defined for both
    NameVirtualHost 74.86.48.99
    NameVirtualHost [dead:beef:::1]

    and to Scott, you could just use Listen *:80, but I cant see why it would complain for two separate statements

    Reply Report comment

  6. apache web server on centos
    1. ipv4 and ipv6 are network interface.
    2. the httpd.conf file have listen to them bot
    Listen 162.218.210.229:80
    Listen [2602:ffea:1:58c::89ea]:80
    3. listen on each vhost for ipv4 and ipv6

    4. it has aaaa record in dns forward zone
    5. ipv6 has permit in/out network connection for tcp6/udp6 from ip6tables

    Reply Report comment

Leave a Comment

Tagged as: Tags , , , , , , , , , , , ,