Hi Björn, On Tue, May 06, 2025 at 09:26:01AM +0200, Björn Jacke wrote: > Hi, > > I recently ran into the problem, that using "send-proxy" with Apache's > mod_remoteip and RemoteIPProxyProtocol on fails for all IPv4 addresses. The > main problem is mod_remoteup, which doesn't accept IPv4-mapped IPv6 > addresses. I've reported that bug in > https://bz.apache.org/bugzilla/show_bug.cgi?id=69672 and hope that this will > get fixed. > > Of course you can work around the problem by not listening on ":::443" for > both IPv6 and IPv4 at the same time but use "v6only" and listen on "*:443" > separately. > > People might argue however, that it's not ideal to report IPv4-mapped IPv6 > addresses via the proxy protocol. You might consider to change haproxy here, > too, so that IPv4 addresses are reported, even if the incoming address > technically was a IPv4-mapped IPv6 address. I would prefer that actually.
I think that makes sense indeed. As you say, the IPv4-mapped IPv6 addresses are only a technical hack that permits an IPv6 socket to receive IPv4 traffic, but in this case both the source and the destination are in IPv4. As soon as the address is sent to the PP (or even in a header), I think we should use the IPv4 format instead. > Let me know if you want this as a bug report to track this as an issue for > haproxy. Indeed, it can be useful to open an issue for this, as I guess it will have more ramifications than we currently imagine. I remember that we had to make some choices long ago for stick-tables for example, so that both IPv4 and IPv6 can coexist as valid keys. I tend to think that everywhere we turn an address to text, we should make a special case for the v4-in-v6 one and emit it as v4 (since in text form there's no ambiguity). And the proxy protocol (at least for v1) would need to do that. For v2, I don't know. It's sent as binary with the family appended. Maybe we should still emit them as v4 regardless. Willy
