Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-07 Thread Mike Fischer
Matt & Łukasz,

> On 07.02.2022 at 19:23, Łukasz Moskała wrote:
> 
> Actually the request is:
> 
> GET / HTTP/1.1
> Host: example.com
> 
> Host header is REQUIRED by HTTP/1.1 specification: 
> https://datatracker.ietf.org/doc/html/rfc2616#section-14.23
> 
> HTTPS also sends the Host header, but SNI is still used to choose the correct 
> certificate.


> On 07.02.2022 at 18:15, Matthew Ernisse wrote:
> 
> On Mon, Feb 07, 2022 at 05:23:03PM +0100, Mike Fischer said:
>> 
>> Not quite true. I do use DNS and for practical applications I also 
>> use HTTPS and SNI. But DNS is secondary and sometimes adds another 
>> layer of complexity. Also SNI is not available for services not 
>> secured by SSL/TLS to my knowledge. E.g. in my example for a web 
>> server on port 80 the hostname comes into play only to resolve the 
>> IP. The actual request would be "GET / HTTP/1.1" — no hostname in 
>> sight.
> 
> FWIW, the assertion about HTTP is incorrect here.  HTTP 1.1 defines the Host
> header, which is mandatory in requests and has been used for decades to
> provide name based virtual hosting sharing an IP address.
> 
> https://datatracker.ietf.org/doc/html/rfc2616/#section-14.23
> 
> In practice DNS isn't even needed, an entry in your client's hosts(5) file
> has been sufficient.
> 
> —Matt

You are both correct! I hadn’t realized the header was mandatory for HTTP/1.1.

Thanks for pointing that out.

(I wonder if curl(8) adds that header automatically? Though that is off topic 
for this thread…)


Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-07 Thread Matthew Ernisse
On Mon, Feb 07, 2022 at 05:23:03PM +0100, Mike Fischer said:
> 
> Not quite true. I do use DNS and for practical applications I also 
> use HTTPS and SNI. But DNS is secondary and sometimes adds another 
> layer of complexity. Also SNI is not available for services not 
> secured by SSL/TLS to my knowledge. E.g. in my example for a web 
> server on port 80 the hostname comes into play only to resolve the 
> IP. The actual request would be "GET / HTTP/1.1" — no hostname in 
> sight.

FWIW, the assertion about HTTP is incorrect here.  HTTP 1.1 defines the Host
header, which is mandatory in requests and has been used for decades to
provide name based virtual hosting sharing an IP address.

https://datatracker.ietf.org/doc/html/rfc2616/#section-14.23

In practice DNS isn't even needed, an entry in your client's hosts(5) file
has been sufficient.

--Matt

-- 
Matthew Ernisse
merni...@ub3rgeek.net
https://www.going-flying.com/
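The Host header mechanism Matt describes, as an added example (this is not code from the thread and not OpenBSD httpd): a small Python HTTP/1.1 server that serves two sites from a single listening socket purely by the Host header, rejects an HTTP/1.1 request that omits Host with a 400 (RFC 7230, section 5.4, the successor of the RFC 2616 section linked above), and falls back to a default site for an unknown name. The site names and the hand-built requests are constructed for the demo; the fallback-to-default behaviour is this example's choice, not a statement about httpd(8).

```python
"""Name-based virtual hosting on one plaintext listener, driven by Host.

Added example for this thread; not code from any poster and not httpd(8).
SITES stands in for the two servers in the original httpd.conf; the raw
requests are constructed by raw_request(). The fallback to a default site
for an unknown name is this example's choice, not a statement about httpd.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

SITES: Dict[str, bytes] = {
    "a.example.com": b"<html>site a</html>",
    "b.example.com": b"<html>site b</html>",
}
DEFAULT_SITE = "a.example.com"


def select_site(host_header: Optional[str], sites: Dict[str, bytes] = SITES) -> str:
    """Map a Host header value to a configured site name.

    Case is folded, an optional :port is dropped, and a bracketed IPv6
    literal ([2001:db8::1]:80) is kept whole rather than split on ':'.
    Anything unknown (or a missing header on HTTP/1.0) selects DEFAULT_SITE.
    """
    if host_header is None:
        return DEFAULT_SITE
    h = host_header.strip().lower()
    if h.startswith("[") and "]" in h:
        h = h[: h.index("]") + 1]
    else:
        h = h.split(":", 1)[0]
    return h if h in sites else DEFAULT_SITE


class VHostHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self) -> None:
        host = self.headers.get("Host")
        if self.request_version == "HTTP/1.1" and host is None:
            # RFC 7230 section 5.4: an HTTP/1.1 request without Host is a 400,
            # not a guess at which site the client meant.
            self.send_error(400, "Missing Host header")
            return
        body = SITES[select_site(host)]
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        return


def raw_request(port: int, host_value: Optional[str]) -> Tuple[int, bytes]:
    """Send a hand-built HTTP/1.1 request over a socket; return (status, body).

    This is the "GET / HTTP/1.1" from the thread, with the Host line that
    HTTP/1.1 clients always add (omitted when host_value is None).
    """
    req = b"GET / HTTP/1.1\r\n"
    if host_value is not None:
        req += b"Host: " + host_value.encode("ascii") + b"\r\n"
    req += b"Connection: close\r\n\r\n"
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(req)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    head, _, body = data.partition(b"\r\n\r\n")
    return int(head.split(b" ", 2)[1]), body


def run_demo() -> Dict[str, Tuple[int, bytes]]:
    """Serve on an ephemeral loopback port and exercise the interesting cases."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {
            "a": raw_request(port, "a.example.com"),
            "b": raw_request(port, "b.example.com"),
            "b_port": raw_request(port, f"b.example.com:{port}"),
            "unknown": raw_request(port, "c.example.com"),
            "no_host": raw_request(port, None),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for case, (status, body) in run_demo().items():
        print(f"{case:8s} {status} {body[:24]!r}")
```

The same request line reaches the same socket in every case; only the Host value decides which document root answers, which is exactly what lets one address carry both a.example.com and b.example.com on port 80 with no second interface and no second address.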



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-07 Thread Łukasz Moskała

On 7.02.2022 at 17:23, Mike Fischer wrote:



On 06.02.2022 at 22:48, Brian Brombacher wrote:

At this point I would reconfigure httpd to use two separate ports (80, 81) for 
each site, or two local IP addresses (::1, ::2, I wouldn’t personally do this, 
I would go multi port), and then use PF rules to forward the (em0) port 80 as 
usual and then (em1) port 80 I would forward to rdomain 0, port 81 (example 
port).


You mean: have only one instance of httpd listen on IPs in rdomain 0 for 
different ports and use PF to forward packets for IPs in rdomain 1 to these 
IP/port combinations in rdomain 0?

I’ll give that a try in the next few days…



All of this is beyond the scope of a normal setup.  I would usually just do as 
described by others and rely on hostname rather than IP for httpd to process 
requests.  If for some reason this isn’t feasible, I’d be curious why.


This is mainly for learning. In a production setup I’d agree that this seems 
much too complicated. Also generally HTTPS would be used which allows for SNI 
to choose the virtual hosts. For services other than HTTPS that might be more 
difficult.

There might be actual use cases for this in home/small office settings though.


Business internet line should have a static prefix





On Feb 6, 2022, at 4:51 PM, Brian Brombacher  wrote:



 From your posts I know why you don’t want to use hostnames.


Not quite true. I do use DNS and for practical applications I also use HTTPS and SNI. But 
DNS is secondary and sometimes adds another layer of complexity. Also SNI is not 
available for services not secured by SSL/TLS to my knowledge. E.g. in my example for a 
web server on port 80 the hostname comes into play only to resolve the IP. The actual 
request would be "GET / HTTP/1.1" — no hostname in sight.


Actually the request is:

GET / HTTP/1.1
Host: example.com

Host header is REQUIRED by HTTP/1.1 specification: 
https://datatracker.ietf.org/doc/html/rfc2616#section-14.23


HTTPS also sends the Host header, but SNI is still used to choose the correct 
certificate.






  I can see utility in using different IPs for different sites if you don’t 
want to advertise that the sites are related by their IP.


Yes, though in truth having the same prefix would be unavoidable and would let 
an outsider know that the services are related in some way. It would leave open 
whether the services are using the same host though.


Not really, since that IP could possibly point to a load balancer or 
reverse proxy, instead of the end server




Like I wrote this is mainly for learning at the moment. I am somewhat amazed at 
the subtle differences between IPv4 and IPv6. IPv6 is obviously not just IPv4 
with more address space. My approach is to figure out how things work and what 
is possible, then for practical applications decide whether a particular 
solution is too complicated to maintain or to set up, or too fragile to be of 
long term use.


I wouldn't be learning about hosting on a dynamic prefix - it's not really 
what you would do in the real world. Just set static IPs and pretend that 
they don't change, for the sake of learning.


Or maybe your ISP could give you a static prefix



As for privacy my aim is to be able to leak as little information as possible 
to reduce any attack surface. Naturally when hosting a service on the public 
Internet the service itself is exposed. That can’t be helped. But anything not 
directly related to the service should IMHO stay hidden as much as possible.


If you have a.example.com with A record 1.2.3.4 and AAAA record 
2001:db8::dead:beef and b.example.com with A record 1.2.3.4 and AAAA 
record 2001:db8::c0:ffee, then a potential attacker can already tell that 
either:

 - 2001:db8::dead:beef and 2001:db8::c0:ffee are the same machine
 - 1.2.3.4 is a reverse proxy or load balancer, possibly serving more sites

Or, you could even use something like Cloudflare to hide your IP - then 
your service will share an IP with probably hundreds of other (unrelated) 
services, so the IP will not tell an attacker anything.





Thanks!

Mike




--
Łukasz Moskała
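Why SNI and the Host header are different things, as an added example (not code from the thread, not relayd or httpd): a parser that pulls the server_name out of a raw TLS ClientHello, which is all a TLS front end has when it must pick a certificate before any HTTP header exists. Fed the bytes of a plaintext request it returns None, which is the port-80 situation Mike describes: no TLS, no SNI, only the Host header once the request is read. The ClientHello builder constructs a minimal, cryptographically meaningless hello (zero random, one cipher suite) purely to have input; the names and the certificate table are assumptions.

```python
"""SNI versus Host: what a TLS front end can see before any HTTP exists.

Added example for this thread, not code from any poster and not relayd or
httpd. build_client_hello() constructs a minimal TLS 1.2 ClientHello (zero
random, one cipher suite, constructed for input only); extract_sni() is the
parse a certificate-selecting front end performs on the first bytes of a
connection.
"""
import struct
from typing import Dict, Optional

SNI_EXT = 0x0000


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed ClientHello record, with an SNI extension when a name is given."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    # An unrelated extension (ec_point_formats) so the parser has to skip one.
    exts += struct.pack("!HH", 0x000B, 2) + b"\x01\x00"
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + bytes(32)                                  # random: zeros, constructed
        + b"\x00"                                    # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # ClientHello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from the first bytes a client sends, or None.

    None covers plaintext (non-TLS) traffic, a ClientHello without SNI and
    truncated input; a front end that sees None has nothing to route on.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:           # not a TLS handshake record
            return None
        rec_len = int.from_bytes(data[3:5], "big")
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:               # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:                             # split record or truncated
            return None
        pos = 2 + 32                                    # skip version and random
        pos += 1 + p[pos]                               # session_id
        pos += 2 + int.from_bytes(p[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + p[pos]                               # compression_methods
        if pos + 2 > len(p):
            return None                                 # no extensions block
        end = pos + 2 + int.from_bytes(p[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(p[pos:pos + 2], "big")
            elen = int.from_bytes(p[pos + 2:pos + 4], "big")
            edata = p[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != SNI_EXT:
                continue
            q = 2                                       # skip server_name_list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = int.from_bytes(edata[q + 1:q + 3], "big")
                if ntype == 0:                          # host_name
                    return edata[q + 3:q + 3 + nlen].decode("idna")
                q += 3 + nlen
        return None
    except (IndexError, UnicodeError):
        return None


def choose_certificate(first_bytes: bytes, certs: Dict[str, str], default: str) -> str:
    """Pick the certificate the way a TLS front end must: by SNI, before HTTP.

    With no SNI (old client, IP-literal URL, or a connection that is not TLS
    at all) there is nothing to route on and the default is used.
    """
    name = extract_sni(first_bytes)
    return certs.get(name, default) if name is not None else default


if __name__ == "__main__":
    CERTS = {"a.example.com": "a.crt", "b.example.com": "b.crt"}  # assumed names
    print(choose_certificate(build_client_hello("b.example.com"), CERTS, "a.crt"))
    print(extract_sni(b"GET / HTTP/1.1\r\nHost: b.example.com\r\n\r\n"))  # None: no TLS, no SNI
```

The parser deliberately walks past unrelated extensions and tolerates truncation, because a front end sees exactly one read's worth of bytes at this point; the security-relevant consequence is that certificate selection and name-based routing happen on an unauthenticated, client-supplied field, so the default certificate is what every misconfigured or hostile client will get.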



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-07 Thread Mike Fischer


> On 06.02.2022 at 22:48, Brian Brombacher wrote:
> 
> At this point I would reconfigure httpd to use two separate ports (80, 81) 
> for each site, or two local IP addresses (::1, ::2, I wouldn’t personally do 
> this, I would go multi port), and then use PF rules to forward the (em0) port 
> 80 as usual and then (em1) port 80 I would forward to rdomain 0, port 81 
> (example port).

You mean: have only one instance of httpd listen on IPs in rdomain 0 for 
different ports and use PF to forward packets for IPs in rdomain 1 to these 
IP/port combinations in rdomain 0?

I’ll give that a try in the next few days…


> All of this is beyond the scope of a normal setup.  I would usually just do 
> as described by others and rely on hostname rather than IP for httpd to 
> process requests.  If for some reason this isn’t feasible, I’d be curious why.

This is mainly for learning. In a production setup I’d agree that this seems 
much too complicated. Also generally HTTPS would be used which allows for SNI 
to choose the virtual hosts. For services other than HTTPS that might be more 
difficult.

There might be actual use cases for this in home/small office settings though.


>> On Feb 6, 2022, at 4:51 PM, Brian Brombacher  wrote:

> From your posts I know why you don’t want to use hostnames.

Not quite true. I do use DNS and for practical applications I also use HTTPS 
and SNI. But DNS is secondary and sometimes adds another layer of complexity. 
Also SNI is not available for services not secured by SSL/TLS to my knowledge. 
E.g. in my example for a web server on port 80 the hostname comes into play 
only to resolve the IP. The actual request would be "GET / HTTP/1.1" — no 
hostname in sight.


>  I can see utility in using different IPs for different sites if you don’t 
> want to advertise that the sites are related by their IP.

Yes, though in truth having the same prefix would be unavoidable and would let 
an outsider know that the services are related in some way. It would leave open 
whether the services are using the same host though.

Like I wrote this is mainly for learning at the moment. I am somewhat amazed at 
the subtle differences between IPv4 and IPv6. IPv6 is obviously not just IPv4 
with more address space. My approach is to figure out how things work and what 
is possible, then for practical applications decide whether a particular 
solution is too complicated to maintain or to set up, or too fragile to be of 
long term use.

As for privacy my aim is to be able to leak as little information as possible 
to reduce any attack surface. Naturally when hosting a service on the public 
Internet the service itself is exposed. That can’t be helped. But anything not 
directly related to the service should IMHO stay hidden as much as possible.


Thanks!

Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Brian Brombacher



> On Feb 6, 2022, at 4:51 PM, Brian Brombacher  wrote:
> 
> 
> 
>> On Feb 6, 2022, at 4:32 PM, Mike Fischer  wrote:
>> 
>> 
>>> On 06.02.2022 at 21:13, Brian Brombacher wrote:
>>> 
>>>>> You can work around it by putting both interfaces in different rdomains, 
>>>>> then running two httpd instances, one in rdomain with first IP, second in 
>>>>> rdomain with second IP.
>>>> 
>>> 
>>> This will work.  You can use PF rules to cross rdomains if you require.
>> 
>> Thanks for that info!
>> 
>> 
>> rdomains are a new concept for me. From what I currently understand after 
>> reading rdomain(4) I don’t get why I would need to run two instances of my 
>> service, e.g. httpd(8) to use rdomains? Is a process somehow tied to an 
>> rdomain?
>> 
>> And while the PF mechanism to cross rdomains might be needed in some setups 
>> I don’t see where it would help in my scenario? I want to use my service 
>> mainly from outside the host. (Though for local access I would understand 
>> the need to configure some PF rules.)
>> 
>> I tried the following:
>> Starting state: em0 and em1 each configured for IPv4 and IPv6, the latter 
>> using autoconf
>> em0:
>> …
>>   inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
>>   inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
>>   inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 vltime 
>> 6912
>> …
>> 
>> em1:
>> …
>>   inet 192.168.0.20 netmask 0xffffff00 broadcast 192.168.0.255
>>   inet6 fe80::20c:29ff:fd9c:4c1%em0 prefixlen 64 scopeid 0x1
>>   inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 978 vltime 
>> 6912
>> …
>> 
>> # netstat -R
>> Rdomain 0
>> Interfaces: lo0 em0 em1 enc0 pflog0
>> Routing table: 0
>> 
>> # 
>> 
>> Change #1:
>> 
>> # ifconfig em1 rdomain 1
>> 
>> New state:
>> em0: (same as above)
>> …
>>   inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
>>   inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
>>   inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 vltime 
>> 6912
>> …
>> 
>> em1: (no IPs)
>> …
>> …
>> 
>> # netstat -R
>> Rdomain 0
>> Interfaces: lo0 em0 enc0 pflog0
>> Routing table: 0
>> 
>> Rdomain 1
>> Interfaces: em1 lo1
>> Routing table: 1
>> 
>> # 
>> 
>> Change #2: Re-add the IPs:
>> # ifconfig em1 inet 192.168.0.20 netmask 255.255.255.0 broadcast 
>> 192.168.0.255
>> # ifconfig em1 inet6 autoconf -temporary -soii
>> 
>> New state: IPs on em1 are now set as in the original state, em1 is in 
>> rdomain 1.
>> 
>> So far so good!
>> 
> 
> At this point I would reconfigure httpd to use two separate ports (80, 81) 
> for each site, or two local IP addresses (::1, ::2, I wouldn’t personally do 
> this, I would go multi port), and then use PF rules to forward the (em0) port 
> 80 as usual and then (em1) port 80 I would forward to rdomain 0, port 81 
> (example port).
> 
> All of this is beyond the scope of a normal setup.  I would usually just do 
> as described by others and rely on hostname rather than IP for httpd to 
> process requests.  If for some reason this isn’t feasible, I’d be curious why.
> 

From your posts I know why you don’t want to use hostnames.  I can see utility 
in using different IPs for different sites if you don’t want to advertise that 
the sites are related by their IP.

> 
>> 
>> After restarting httpd it failed with message: "parent: send server: Can't 
>> assign requested address" in /var/log/messages
>> Ok, so there seems to be a reason for needing another instance of httpd. But 
>> how would that work? What would I have to do to get that second instance to 
>> listen on IPs from rdomain 1?
>> 
>> I have tried setting up a copy of /usr/sbin/httpd (actually a symbolic link 
>> using the name /root/bin/httpd_em1) and I have created a new 
>> /etc/httpd.2.conf with only the em1 related content. I have also duplicated 
>> /etc/rc.d/httpd to /etc/rc.d/httpd_em1 and changed 
>> daemon='/root/bin/httpd_em1' (the path to my symbolic link) and 
>> daemon_flags="${daemon_flags} -f /etc/httpd.2.conf"
>> No joy! rcctl start httpd_em1 results in the same message in 
>> /var/log/messages.
>> 
>> 
>> Thanks for any pointers you can give me.
>> 
>> Mike
>> 
> 



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Brian Brombacher



> On Feb 6, 2022, at 4:32 PM, Mike Fischer  wrote:
> 
> 
>> On 06.02.2022 at 21:13, Brian Brombacher wrote:
>> 
>>> You can work around it by putting both interfaces in different rdomains, 
>>> then running two httpd instances, one in rdomain with first IP, second in 
>>> rdomain with second IP.
>>> 
>> 
>> This will work.  You can use PF rules to cross rdomains if you require.
> 
> Thanks for that info!
> 
> 
> rdomains are a new concept for me. From what I currently understand after 
> reading rdomain(4) I don’t get why I would need to run two instances of my 
> service, e.g. httpd(8) to use rdomains? Is a process somehow tied to an 
> rdomain?
> 
> And while the PF mechanism to cross rdomains might be needed in some setups I 
> don’t see where it would help in my scenario? I want to use my service mainly 
> from outside the host. (Though for local access I would understand the need 
> to configure some PF rules.)
> 
> I tried the following:
> Starting state: em0 and em1 each configured for IPv4 and IPv6, the latter 
> using autoconf
> em0:
> …
>    inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
>    inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
>    inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 vltime 
> 6912
> …
> 
> em1:
> …
>    inet 192.168.0.20 netmask 0xffffff00 broadcast 192.168.0.255
>    inet6 fe80::20c:29ff:fd9c:4c1%em0 prefixlen 64 scopeid 0x1
>    inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 978 vltime 
> 6912
> …
> 
> # netstat -R
> Rdomain 0
>  Interfaces: lo0 em0 em1 enc0 pflog0
>  Routing table: 0
> 
> # 
> 
> Change #1:
> 
> # ifconfig em1 rdomain 1
> 
> New state:
> em0: (same as above)
> …
>    inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
>inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
>inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 vltime 
> 6912
> …
> 
> em1: (no IPs)
> …
> …
> 
> # netstat -R
> Rdomain 0
>  Interfaces: lo0 em0 enc0 pflog0
>  Routing table: 0
> 
> Rdomain 1
>  Interfaces: em1 lo1
>  Routing table: 1
> 
> # 
> 
> Change #2: Re-add the IPs:
> # ifconfig em1 inet 192.168.0.20 netmask 255.255.255.0 broadcast 192.168.0.255
> # ifconfig em1 inet6 autoconf -temporary -soii
> 
> New state: IPs on em1 are now set as in the original state, em1 is in rdomain 
> 1.
> 
> So far so good!
> 

At this point I would reconfigure httpd to use two separate ports (80, 81) for 
each site, or two local IP addresses (::1, ::2, I wouldn’t personally do this, 
I would go multi port), and then use PF rules to forward the (em0) port 80 as 
usual and then (em1) port 80 I would forward to rdomain 0, port 81 (example 
port).

All of this is beyond the scope of a normal setup.  I would usually just do as 
described by others and rely on hostname rather than IP for httpd to process 
requests.  If for some reason this isn’t feasible, I’d be curious why.


> 
> After restarting httpd it failed with message: "parent: send server: Can't 
> assign requested address" in /var/log/messages
> Ok, so there seems to be a reason for needing another instance of httpd. But 
> how would that work? What would I have to do to get that second instance to 
> listen on IPs from rdomain 1?
> 
> I have tried setting up a copy of /usr/sbin/httpd (actually a symbolic link 
> using the name /root/bin/httpd_em1) and I have created a new 
> /etc/httpd.2.conf with only the em1 related content. I have also duplicated 
> /etc/rc.d/httpd to /etc/rc.d/httpd_em1 and changed 
> daemon='/root/bin/httpd_em1' (the path to my symbolic link) and 
> daemon_flags="${daemon_flags} -f /etc/httpd.2.conf"
> No joy! rcctl start httpd_em1 results in the same message in 
> /var/log/messages.
> 
> 
> Thanks for any pointers you can give me.
> 
> Mike
> 



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Mike Fischer


> On 06.02.2022 at 21:13, Brian Brombacher wrote:
> 
>>> You can work around it by putting both interfaces in different rdomains, 
>>> then running two httpd instances, one in rdomain with first IP, second in 
>>> rdomain with second IP.
>> 
> 
> This will work.  You can use PF rules to cross rdomains if you require.

Thanks for that info!


rdomains are a new concept for me. From what I currently understand after 
reading rdomain(4) I don’t get why I would need to run two instances of my 
service, e.g. httpd(8) to use rdomains? Is a process somehow tied to an rdomain?

And while the PF mechanism to cross rdomains might be needed in some setups I 
don’t see where it would help in my scenario? I want to use my service mainly 
from outside the host. (Though for local access I would understand the need to 
configure some PF rules.)

I tried the following:
Starting state: em0 and em1 each configured for IPv4 and IPv6, the latter using 
autoconf
em0:
…
inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 
vltime 6912
…

em1:
…
inet 192.168.0.20 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fd9c:4c1%em0 prefixlen 64 scopeid 0x1
inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 978 
vltime 6912
…

# netstat -R
Rdomain 0
  Interfaces: lo0 em0 em1 enc0 pflog0
  Routing table: 0

# 

Change #1:

# ifconfig em1 rdomain 1

New state:
em0: (same as above)
…
inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 978 
vltime 6912
…

em1: (no IPs)
…
…

# netstat -R
Rdomain 0
  Interfaces: lo0 em0 enc0 pflog0
  Routing table: 0

Rdomain 1
  Interfaces: em1 lo1
  Routing table: 1

# 

Change #2: Re-add the IPs:
# ifconfig em1 inet 192.168.0.20 netmask 255.255.255.0 broadcast 192.168.0.255
# ifconfig em1 inet6 autoconf -temporary -soii

New state: IPs on em1 are now set as in the original state, em1 is in rdomain 1.

So far so good!


After restarting httpd it failed with message: "parent: send server: Can't 
assign requested address" in /var/log/messages
Ok, so there seems to be a reason for needing another instance of httpd. But 
how would that work? What would I have to do to get that second instance to 
listen on IPs from rdomain 1?

I have tried setting up a copy of /usr/sbin/httpd (actually a symbolic link 
using the name /root/bin/httpd_em1) and I have created a new /etc/httpd.2.conf 
with only the em1 related content. I have also duplicated /etc/rc.d/httpd to 
/etc/rc.d/httpd_em1 and changed daemon='/root/bin/httpd_em1' (the path to my 
symbolic link) and daemon_flags="${daemon_flags} -f /etc/httpd.2.conf"
No joy! rcctl start httpd_em1 results in the same message in /var/log/messages.


Thanks for any pointers you can give me.

Mike



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Brian Brombacher



> On Feb 6, 2022, at 12:07 PM, Mike Fischer  wrote:
> 
> Hi Łukasz,
> 
>>> On 06.02.2022 at 12:08, Łukasz Moskała wrote:
>>> 
>>> On 6.02.2022 at 05:28, Mike Fischer wrote:
>>> OpenBSD 7.0 stable amd64
>>> My host has two ethernet interfaces, em0 and em1.
>>> Note: The host is a VM with two virtual interfaces.
>>> Both interfaces are configured like this for IPv6 in the /etc/hostname.em0 
>>> and /etc/hostname.em1 files:
>>> inet6 autoconf -temporary -soii
>>> They are connected to the same LAN and each produces a unique IPv6 address 
>>> using the same prefix and an EUI64 interface identifier as expected*.
>>> $ ifconfig em0|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
>>>inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 
>>> vltime 7043
>>> $ ifconfig em1|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)‘
>>>inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 1032 
>>> vltime 7005
>>> DNS records have been set up*:
>>> $ dig +short a.example.com AAAA
>>> 2001:db8::20c:29ff:fd9c:4b7
>>> $ dig +short b.example.com AAAA
>>> 2001:db8::20c:29ff:fd9c:4c1
>>> $
>>> My httpd.conf looks like this*:
>>> ipa = "2001:db8::20c:29ff:fd9c:4b7"
>>> ipb = "2001:db8::20c:29ff:fd9c:4c1"
>>> server "a.example.com" {
>>>listen on $ipa port 80
>>>directory index index.html
>>>location "/*" {
>>>root "/htdocs/a"
>>>}
>>> }
>>> server "b.example.com" {
>>>listen on $ipb port 80
>>>directory index index.html
>>>location "/*" {
>>>root "/htdocs/b"
>>>}
>>> }
>>> /var/www/htdocs/a/index.html and /var/www/htdocs/b/index.html exist and 
>>> each contains a minimal HTML page.
>>> httpd -n sees no problem.
>>> rcctl start httpd works fine.
>>> However trying to access http://a.example.com or 
>>> http://[2001:db8::20c:29ff:fd9c:4b7] gets a timeout.
>>> Accessing http://b.example.com or http://[2001:db8::20c:29ff:fd9c:4c1] 
>>> works fine.
>>> Trying to find the cause I checked:
>>> $ netstat -an|grep LISTEN
>>> …
>>> tcp6 0  0  2001:db8::.80*.*LISTEN
>>> tcp6 0  0  2001:db8::.80*.*LISTEN
>>> …
>>> $
>>> Which seems weird because only the prefix is listed not the complete IPv6 
>>> addresses.
>>> Am I seeing a bug or is my expectation that both servers (virtual hosts) 
>>> work wrong?
>>> *) Hostnames and IPs anonymized.
>>> Thanks!
>>> Mike
>> 
>> "They are connected to the same LAN"
>> This is most likely your problem. Having two IPs on two interfaces in the 
>> same subnet will usually cause problems. Most likely you also have two 
>> default routes.
> 
> Yes, you are right. There are 2 default routes for IPv6.
> 
> Not sure why IPv6 works like this but that’s what I’m trying to learn. I am 
> using this machine as a test bed for figuring out IPv6. My expectation was 
> that IPv6 would work just like IPv4 in this scenario.
> 
> Note: For IPv4 the same setup works fine, yielding a web server that serves 
> both a.example.com and b.example.com on different IPs. The expectation would 
> be that replies would be sent through the same interface the request came in 
> on. IPv4 has the drawback that I only have 1 public IPv4 address. So I need 
> to differentiate by port number on the Internet side of my router to map to 
> the correct LAN IP.
> 
> So I learned something here, which was my goal. Thanks!
> 
> 
>> You can work around it by putting both interfaces in different rdomains, then 
>> running two httpd instances, one in rdomain with first IP, second in rdomain 
>> with second IP.
> 

This will work.  You can use PF rules to cross rdomains if you require.

> I’ll look into this (more as a way to learn more about how this works than to 
> actually fill a pressing need). Thanks for the idea.
> 
> 
>> Or, assign both IPs statically to em0 (one with prefix /64, second with 
>> prefix /128), then remove em1 - I'm 99% sure this will solve your problem.
> 
> Yes. But in my experimental setup this would not be practical because the 
> IPv6 prefix is dynamic. Assigning a static IPv6 address will cease to work 
> when the prefix changes, at least for connections from the Internet. There 
> are issues with the setup of port forwarding on my router as well. I thought 
> I could get around all of these issues by using the second interface.
> 
> For this experiment the goal was get a single host to serve two websites on 
> separate IPv6 addresses. All this in a LAN setting where the public IPv6 
> prefix is dynamic. Getting it to work short term is easy using static IPs. 
> But ensuring it will work across prefix changes is more complicated. I do 
> have a script that triggers on prefix changes and could be used to adjust the 
> static IPs and the httpd.conf as needed. I don’t much like that solution 
> though.
> 
> 
> Thanks for your reply!
> 
> 
> Mike
> 



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Łukasz Moskała

On 6.02.2022 at 18:04, Mike Fischer wrote:

Hi Łukasz,


On 06.02.2022 at 12:08, Łukasz Moskała wrote:

On 6.02.2022 at 05:28, Mike Fischer wrote:

OpenBSD 7.0 stable amd64
My host has two ethernet interfaces, em0 and em1.
Note: The host is a VM with two virtual interfaces.
Both interfaces are configured like this for IPv6 in the /etc/hostname.em0 and 
/etc/hostname.em1 files:
inet6 autoconf -temporary -soii
They are connected to the same LAN and each produces a unique IPv6 address 
using the same prefix and an EUI64 interface identifier as expected*.
$ ifconfig em0|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 
vltime 7043
$ ifconfig em1|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)‘
inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 1032 
vltime 7005
DNS records have been set up*:
$ dig +short a.example.com AAAA
2001:db8::20c:29ff:fd9c:4b7
$ dig +short b.example.com AAAA
2001:db8::20c:29ff:fd9c:4c1
$
My httpd.conf looks like this*:
ipa = "2001:db8::20c:29ff:fd9c:4b7"
ipb = "2001:db8::20c:29ff:fd9c:4c1"
server "a.example.com" {
listen on $ipa port 80
directory index index.html
location "/*" {
root "/htdocs/a"
}
}
server "b.example.com" {
listen on $ipb port 80
directory index index.html
location "/*" {
root "/htdocs/b"
}
}
/var/www/htdocs/a/index.html and /var/www/htdocs/b/index.html exist and each 
contains a minimal HTML page.
httpd -n sees no problem.
rcctl start httpd works fine.
However trying to access http://a.example.com or 
http://[2001:db8::20c:29ff:fd9c:4b7] gets a timeout.
Accessing http://b.example.com or http://[2001:db8::20c:29ff:fd9c:4c1] works 
fine.
Trying to find the cause I checked:
$ netstat -an|grep LISTEN
…
tcp6 0  0  2001:db8::.80*.*LISTEN
tcp6 0  0  2001:db8::.80*.*LISTEN
…
$
Which seems weird because only the prefix is listed not the complete IPv6 
addresses.
Am I seeing a bug or is my expectation that both servers (virtual hosts) work 
wrong?
*) Hostnames and IPs anonymized.
Thanks!
Mike


"They are connected to the same LAN"
This is most likely your problem. Having two IPs on two interfaces in the same 
subnet will usually cause problems. Most likely you also have two default 
routes.


Yes, you are right. There are 2 default routes for IPv6.

Not sure why IPv6 works like this but that’s what I’m trying to learn. I am 
using this machine as a test bed for figuring out IPv6. My expectation was that 
IPv6 would work just like IPv4 in this scenario.

Note: For IPv4 the same setup works fine, yielding a web server that serves 
both a.example.com and b.example.com on different IPs. The expectation would be 
that replies would be sent through the same interface the request came in on. 
IPv4 has the drawback that I only have 1 public IPv4 address. So I need to 
differentiate by port number on the Internet side of my router to map to the 
correct LAN IP.

So I learned something here, which was my goal. Thanks!



You can work around it by putting both interfaces in different rdomains, then 
running two httpd instances, one in rdomain with first IP, second in rdomain 
with second IP.


I’ll look into this (more as a way to learn more about how this works than to 
actually fill a pressing need). Thanks for the idea.



Or, assign both IPs statically to em0 (one with prefix /64, second with prefix 
/128), then remove em1 - I'm 99% sure this will solve your problem.


Yes. But in my experimental setup this would not be practical because the IPv6 
prefix is dynamic. Assigning a static IPv6 address will cease to work when the 
prefix changes, at least for connections from the Internet. There are issues 
with the setup of port forwarding on my router as well. I thought I could get 
around all of these issues by using the second interface.

For this experiment the goal was get a single host to serve two websites on 
separate IPv6 addresses. All this in a LAN setting where the public IPv6 prefix 
is dynamic. Getting it to work short term is easy using static IPs. But 
ensuring it will work across prefix changes is more complicated. I do have a 
script that triggers on prefix changes and could be used to adjust the static 
IPs and the httpd.conf as needed. I don’t much like that solution though.


Thanks for your reply!


Mike

If that's the case, then I'd just serve both websites on the same IP. I 
think that would be the most "clean" way to solve your problem, but 
that's ignoring the point of your experiment.


However, I think that in every datacenter you will get a static prefix, so 
you will not have to worry about it if you ever do it outside of a home 
network.


Best regards
--
Łukasz Moskała
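What an outsider can read off public AAAA records, following the reasoning in Łukasz's replies, as an added example (not code from the thread), with one step the thread itself does not take: the original post's interfaces use EUI-64 interface identifiers (autoconf with -soii, which turns off OpenBSD's default RFC 7217 semantically opaque identifiers), so the low 64 bits of each public address embed the NIC's MAC address. Grouping by /64 shows which names share a link; decoding the EUI-64 yields the MAC and its vendor OUI, and lets the same host be recognised again after the dynamic prefix changes, which undercuts the stated aim of leaking as little as possible. The records, prefixes and the one-entry OUI table are constructed; the 00:0c:29 = VMware mapping is a real registry assignment, the only non-constructed value.

```python
"""Inference from public AAAA records: shared link, shared NIC, vendor.

Added example for this thread, not code from any poster. RECORDS is
constructed with the documentation prefix 2001:db8::/32. a, b and d carry
modified EUI-64 interface identifiers (what OpenBSD autoconf produces with
-soii); c carries an opaque identifier that reveals nothing about the NIC.
"""
import ipaddress
from typing import Dict, List, Optional

RECORDS: Dict[str, str] = {
    "a.example.com": "2001:db8:1234:5678:20c:29ff:fe9c:4b7",
    "b.example.com": "2001:db8:1234:5678:20c:29ff:fe9c:4c1",
    "c.example.com": "2001:db8:1234:5678:3a9f:d3e1:77c2:b16",
    "d.example.com": "2001:db8:abcd:1:20c:29ff:fe9c:4b7",  # a's NIC after a prefix change
}

# Stand-in for the IEEE OUI registry; this single entry is a real assignment.
OUI: Dict[str, str] = {"00:0c:29": "VMware"}


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the MAC if the interface identifier is a modified EUI-64.

    EUI-64 splices ff:fe into the middle of the 48-bit MAC and flips the
    universal/local bit (0x02) of the first octet. Anything without the
    ff:fe marker is treated as opaque and yields None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def vendor(mac: str, table: Dict[str, str] = OUI) -> Optional[str]:
    """Vendor for the first three octets, if the OUI is in the table."""
    return table.get(mac[:8])


def same_link_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Names sharing a /64 share a link, or one box with several addresses."""
    groups: Dict[str, List[str]] = {}
    for name, addr in records.items():
        net = ipaddress.IPv6Network(f"{addr}/64", strict=False)
        groups.setdefault(str(net), []).append(name)
    return groups


def same_nic_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Names whose addresses decode to the same MAC: one NIC, whatever the prefix."""
    groups: Dict[str, List[str]] = {}
    for name, addr in records.items():
        mac = eui64_to_mac(addr)
        if mac is not None:
            groups.setdefault(mac, []).append(name)
    return groups


def findings(records: Dict[str, str]) -> List[str]:
    """Human-readable list of what the records give away."""
    out: List[str] = []
    for net, names in same_link_groups(records).items():
        if len(names) > 1:
            out.append(f"same /64 {net}: {', '.join(names)}")
    for mac, names in same_nic_groups(records).items():
        who = vendor(mac) or "unknown vendor"
        out.append(f"EUI-64 leaks MAC {mac} ({who}): {', '.join(names)}")
    return out


if __name__ == "__main__":
    for line in findings(RECORDS):
        print(line)
```

The d.example.com entry is the point: a different prefix hides nothing when the interface identifier is an EUI-64, because the bottom 64 bits, and therefore the MAC, travel with the host. Leaving soii at its default (or using temporary addresses for outbound traffic) keeps the /64 grouping but removes the NIC identity and the vendor hint.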



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Mike Fischer
Hi Łukasz,

> On 06.02.2022 at 12:08, Łukasz Moskała wrote:
> 
> On 6.02.2022 at 05:28, Mike Fischer wrote:
>> OpenBSD 7.0 stable amd64
>> My host has two ethernet interfaces, em0 and em1.
>> Note: The host is a VM with two virtual interfaces.
>> Both interfaces are configured like this for IPv6 in the /etc/hostname.em0 
>> and /etc/hostname.em1 files:
>> inet6 autoconf -temporary -soii
>> They are connected to the same LAN and each produces a unique IPv6 address 
>> using the same prefix and an EUI64 interface identifier as expected*.
>> $ ifconfig em0|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
>>  inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 
>> vltime 7043
>> $ ifconfig em1|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)‘
>>  inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 1032 
>> vltime 7005
>> DNS records have been set up*:
>> $ dig +short a.example.com AAAA
>> 2001:db8::20c:29ff:fd9c:4b7
>> $ dig +short b.example.com AAAA
>> 2001:db8::20c:29ff:fd9c:4c1
>> $
>> My httpd.conf looks like this*:
>> ipa = "2001:db8::20c:29ff:fd9c:4b7"
>> ipb = "2001:db8::20c:29ff:fd9c:4c1"
>> server "a.example.com" {
>>  listen on $ipa port 80
>>  directory index index.html
>>  location "/*" {
>>  root "/htdocs/a"
>>  }
>> }
>> server "b.example.com" {
>>  listen on $ipb port 80
>>  directory index index.html
>>  location "/*" {
>>  root "/htdocs/b"
>>  }
>> }
>> /var/www/htdocs/a/index.html and /var/www/htdocs/b/index.html exist and each 
>> contains a minimal HTML page.
>> httpd -n sees no problem.
>> rcctl start httpd works fine.
>> However trying to access http://a.example.com or 
>> http://[2001:db8::20c:29ff:fd9c:4b7] gets a timeout.
>> Accessing http://b.example.com or http://[2001:db8::20c:29ff:fd9c:4c1] works 
>> fine.
>> Trying to find the cause I checked:
>> $ netstat -an|grep LISTEN
>> …
>> tcp6       0      0  2001:db8::.80          *.*                    LISTEN
>> tcp6       0      0  2001:db8::.80          *.*                    LISTEN
>> …
>> $
>> Which seems weird because only the prefix is listed not the complete IPv6 
>> addresses.
>> Am I seeing a bug or is my expectation that both servers (virtual hosts) 
>> work wrong?
>> *) Hostnames and IPs anonymized.
>> Thanks!
>> Mike
> 
> "They are connected to the same LAN"
> This is most likely your problem. Having two IPs on two interfaces in the 
> same subnet will usually cause problems. Most likely you also have two 
> default routes.

Yes, you are right. There are 2 default routes for IPv6.

Not sure why IPv6 works like this but that’s what I’m trying to learn. I am 
using this machine as a test bed for figuring out IPv6. My expectation was that 
IPv6 would work just like IPv4 in this scenario.

Note: For IPv4 the same setup works fine, yielding a web server that serves 
both a.example.com and b.example.com on different IPs. The expectation would be 
that replies would be sent through the same interface the request came in on. 
IPv4 has the drawback that I only have 1 public IPv4 address. So I need to 
differentiate by port number on the Internet side of my router to map to the 
correct LAN IP.

So I learned something here, which was my goal. Thanks!


> You can work around it by putting both interfaces in different rdomains, then 
> running two httpd instances, one in rdomain with first IP, second in rdomain 
> with second IP.

I’ll look into this (more as a way to learn more about how this works than to 
actually fill a pressing need). Thanks for the idea.


> Or, assign both IPs statically to em0 (one with prefix /64, second with 
> prefix /128), then remove em1 - I'm 99% sure this will solve your problem.

Yes. But in my experimental setup this would not be practical because the IPv6 
prefix is dynamic. Assigning a static IPv6 address will cease to work when the 
prefix changes, at least for connections from the Internet. There are issues 
with the setup of port forwarding on my router as well. I thought I could get 
around all of these issues by using the second interface.

For this experiment the goal was to get a single host to serve two websites on 
separate IPv6 addresses. All this in a LAN setting where the public IPv6 prefix 
is dynamic. Getting it to work short term is easy using static IPs. But 
ensuring it will work across prefix changes is more complicated. I do have a 
script that triggers on prefix changes and could be used to adjust the static 
IPs and the httpd.conf as needed. I don’t much like that solution though.


Thanks for your reply!


Mike
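Mike's prefix-change hook, combined with Łukasz's "one interface, /64 plus /128" suggestion, as an added example that is neither Mike's script nor OpenBSD code: the script takes the non-temporary autoconf address on em0, keeps its /64, and joins that prefix with a fixed interface identifier per site. The site addresses then follow the delegated prefix while their host parts stay stable, and httpd's macros are regenerated from them. The interface identifiers (0x10, 0x20), the macro names, the include file `/etc/httpd-addrs.conf` and the exact `ifconfig alias` form are assumptions; the sample ifconfig output is constructed around the anonymized address from the thread.

```python
#!/usr/bin/env python3
"""Re-derive per-site IPv6 addresses when the delegated prefix changes.

Added example, not Mike's script and not OpenBSD code. Keeps the /64 of
em0's autoconf address and joins it with a fixed interface identifier per
site, so the site addresses follow the prefix with stable host parts.
"""
import ipaddress
import re
import subprocess

# Fixed host parts (low 64 bits) per site: an assumption, pick your own.
SITE_IIDS = {"a.example.com": 0x10, "b.example.com": 0x20}
ULA = ipaddress.IPv6Network("fc00::/7")
INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")

# ifconfig(8) output constructed around the thread's anonymized address;
# in production call ifconfig_inet6("em0") instead.
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet6 fe80::20c:29ff:fd9c:4b7%em0 prefixlen 64 scopeid 0x1
        inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 vltime 7043
        inet6 2001:db8::a1b2:c3d4:e5f6:789 prefixlen 64 autoconf temporary pltime 1070 vltime 7043
"""


def ifconfig_inet6(ifname):
    """Return the ifconfig(8) text for one interface (needs a live host)."""
    return subprocess.run(["ifconfig", ifname, "inet6"], check=True,
                          capture_output=True, text=True).stdout


def autoconf_prefix(ifconfig_output):
    """Return the /64 of the global, non-temporary autoconf address.

    Same filter as the grep in the thread: skip link-local, ULA (fc00::/7),
    temporary and deprecated addresses.
    """
    for line in ifconfig_output.splitlines():
        m = INET6_LINE.match(line)
        if m is None:
            continue
        addr, plen, flags = m.group(1), int(m.group(2)), m.group(3)
        if "%" in addr or "autoconf" not in flags:
            continue
        if "temporary" in flags or "deprecated" in flags:
            continue
        iface = ipaddress.IPv6Interface(f"{addr}/{plen}")
        if iface.ip.is_link_local or iface.ip in ULA:
            continue
        return iface.network
    raise LookupError("no global autoconf address found")


def site_addresses(prefix, iids=SITE_IIDS):
    """Join the current /64 with each site's fixed interface identifier."""
    if prefix.prefixlen != 64:
        raise ValueError(f"expected a /64 prefix, got {prefix}")
    base = int(prefix.network_address)
    return {name: ipaddress.IPv6Address(base | iid) for name, iid in iids.items()}


def render_macros(addrs):
    """httpd.conf macro lines (ipa = "...") for a snippet that httpd.conf includes."""
    lines = []
    for name, addr in sorted(addrs.items()):
        macro = "ip" + name.split(".")[0]          # a.example.com -> ipa
        lines.append(f'{macro} = "{addr}"')
    return "\n".join(lines) + "\n"


def ifconfig_commands(ifname, addrs, stale=()):
    """Drop stale /128 aliases, then add the current ones (form is an assumption)."""
    cmds = [["ifconfig", ifname, "inet6", "-alias", str(a)] for a in stale]
    cmds += [["ifconfig", ifname, "inet6", "alias", str(a), "prefixlen", "128"]
             for a in sorted(addrs.values())]
    return cmds


def plan(ifconfig_output):
    """Prefix, site addresses and macro snippet derived from ifconfig text."""
    prefix = autoconf_prefix(ifconfig_output)
    addrs = site_addresses(prefix)
    return prefix, addrs, render_macros(addrs)


def apply(ifname="em0", snippet="/etc/httpd-addrs.conf"):
    """Body of the prefix-change hook (runs as root; not exercised by the demo)."""
    prefix, addrs, macros = plan(ifconfig_inet6(ifname))
    for cmd in ifconfig_commands(ifname, addrs):
        subprocess.run(cmd, check=True)
    with open(snippet, "w") as f:
        f.write(macros)
    subprocess.run(["httpd", "-n"], check=True)        # never reload a broken config
    subprocess.run(["rcctl", "reload", "httpd"], check=True)


if __name__ == "__main__":
    prefix, addrs, macros = plan(SAMPLE_IFCONFIG)
    print(f"# current prefix: {prefix}")
    print(macros, end="")
    for cmd in ifconfig_commands("em0", addrs):
        print(" ".join(cmd))
```

In httpd.conf the two literal macro lines become `include "/etc/httpd-addrs.conf"`; the `listen on $ipa port 80` and `listen on $ipb port 80` lines stay as they are. The hook has to run after slaacd has installed the new autoconf address, the AAAA records still need a separate dynamic-DNS update that this script does not do, and, as Łukasz points out, em1 has to be gone (or in its own rdomain) so that the /64 route and both /128 aliases live on the same interface.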



Re: httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-06 Thread Łukasz Moskała


"They are connected to the same LAN"
This is most likely your problem. Having two IPs on two interfaces in 
the same subnet will usually cause problems. Most likely you also have 
two default routes.
You can work around it by putting both interfaces in different rdomains, 
then running two httpd instances, one in rdomain with first IP, second 
in rdomain with second IP.


Or, assign both IPs statically to em0 (one with prefix /64, second with 
prefix /128), then remove em1 - I'm 99% sure this will solve your problem.


Best regards
--
Łukasz Moskała



httpd.conf: 2 interfaces, 2 listen, IPv6, only one server works

2022-02-05 Thread Mike Fischer
OpenBSD 7.0 stable amd64

My host has two ethernet interfaces, em0 and em1.
Note: The host is a VM with two virtual interfaces.

Both interfaces are configured like this for IPv6 in the /etc/hostname.em0 and 
/etc/hostname.em1 files:
inet6 autoconf -temporary -soii

They are connected to the same LAN and each produces a unique IPv6 address 
using the same prefix and an EUI64 interface identifier as expected*.
$ ifconfig em0|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
inet6 2001:db8::20c:29ff:fd9c:4b7 prefixlen 64 autoconf pltime 1070 
vltime 7043
$ ifconfig em1|grep inet6|grep -vE '(fe80:| fd|temporary|deprecated)'
inet6 2001:db8::20c:29ff:fd9c:4c1 prefixlen 64 autoconf pltime 1032 
vltime 7005

DNS records have been set up*:
$ dig +short a.example.com 
2001:db8::20c:29ff:fd9c:4b7
$ dig +short b.example.com 
2001:db8::20c:29ff:fd9c:4c1
$ 

My httpd.conf looks like this*:

ipa = "2001:db8::20c:29ff:fd9c:4b7"
ipb = "2001:db8::20c:29ff:fd9c:4c1"

server "a.example.com" {
listen on $ipa port 80
directory index index.html
location "/*" {
root "/htdocs/a"
}
}

server "b.example.com" {
listen on $ipb port 80
directory index index.html
location "/*" {
root "/htdocs/b"
}
}


/var/www/htdocs/a/index.html and /var/www/htdocs/b/index.html exist and each 
contains a minimal HTML page.

httpd -n sees no problem.

rcctl start httpd works fine.

However trying to access http://a.example.com or 
http://[2001:db8::20c:29ff:fd9c:4b7] gets a timeout.

Accessing http://b.example.com or http://[2001:db8::20c:29ff:fd9c:4c1] works 
fine.


Trying to find the cause I checked:
$ netstat -an|grep LISTEN
…
tcp6       0      0  2001:db8::.80          *.*                    LISTEN
tcp6       0      0  2001:db8::.80          *.*                    LISTEN
…
$ 
Which seems weird because only the prefix is listed not the complete IPv6 
addresses.


Am I seeing a bug or is my expectation that both servers (virtual hosts) work 
wrong?


*) Hostnames and IPs anonymized.

Thanks!
Mike