Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts

How do I configure Apache IPv6 networking under UNIX / Linux / BSD operating systems? How do I configure httpd IPv6 and IPv4 under RHEL / CentOS / Fedora / Debian / Ubuntu Linux?

You need to update httpd.conf file with the Listen directive. It instructs Apache to listen to only specific IPv4 and IPv6 addresses or ports. By default it responds to requests on all IP interfaces including IPv4 and IPv6 addresses. Our sample setup is as follows:

  1. cyberciti.biz has address 74.86.48.99
  2. cyberciti.biz has IPv6 address 2607:f0d0:1002:11::4

httpd.conf configuration remains same under UNIX / BSD and Linux operating systems.

Linux Apache IPv6 Configuration

Open httpd.conf, enter:
# vi httpd.conf
To make the server accept connections on 74.86.48.99 and port 80, use:

Listen 74.86.48.99:80

IPv6 addresses must be surrounded in square brackets and port 80, use

Listen [2607:f0d0:1002:11::4]:80

Save and close the file. Restart / reload Apache:
# service httpd restart

Verify Apache Is Working In Dual Stack Mode

Use netstat command as follows:
# netstat -tulpn | grep :80
Sample Outputs:

tcp        0      0 74.86.48.99:80              0.0.0.0:*                   LISTEN      4473/httpd
tcp        0      0 2607:f0d0:1002:11::4:80     :::*                        LISTEN      4473/httpd

Configure iptables to Allow Access to the Web Server Via IPv6

The default Ip6tables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server. This modification allows that access, while keeping other ports on the server in their default protected state. Edit /etc/sysconfig/ip6tables (IPv6 firewall configuration file under CentOS / RHEL / Fedora).
# vi /etc/sysconfig/ip6tables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

Add the following if you have configured HTTPS port:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart firewall, enter:
# service ip6tables restart

Dual Stacked IPv4 and IPv6 Virtual Hosts Configurations

You need to update httpd.conf as follows for dual stacked httpd virtual hosting:

 #IPv4 configuration
<VirtualHost 74.86.48.99>
	ServerAdmin webmaster@cyberciti.com
	DocumentRoot /home/httpd/cyberciti.biz/http
	ServerName cyberciti.biz
	ServerAlias www.cyberciti.biz
	ErrorLog logs/cyberciti.biz-error_log
	TransferLog logs/cyberciti.biz-access_log
        ErrorLog "/home/httpd/cyberciti.biz/logs/error.log"
        CustomLog "/home/httpd/cyberciti.biz/logs/access.log" common
        ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/"

# For php5 fastcgi add +ExecCGI
 	<Directory "/home/httpd/cyberciti.biz/http">
		Options -Indexes FollowSymLinks +ExecCGI
		AllowOverride AuthConfig FileInfo
		AddHandler php5-fastcgi .php
		Action php5-fastcgi /cgi-bin/php.fcgi
		Order allow,deny
		Allow from all
	</Directory>

# Default cgi-bin perms
	<Directory "/home/httpd/cyberciti.biz/cgi-bin">
		AllowOverride None
		Options None
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>

# Ipv6 config, note down log files
<VirtualHost [2607:f0d0:1002:11::4]>
	ServerAdmin webmaster@cyberciti.com
	DocumentRoot /home/httpd/cyberciti.biz/http
	ServerName cyberciti.biz
	ServerAlias www.cyberciti.biz
	ErrorLog logs/cyberciti.biz-error_log
	TransferLog logs/cyberciti.biz-access_log
        ErrorLog "/home/httpd/cyberciti.biz/logs/ipv6.error.log"
        CustomLog "/home/httpd/cyberciti.biz/logs/ipv6.access.log" common
        ScriptAlias /cgi-bin/ "/home/httpd/cyberciti.biz/cgi-bin/"

# For php5 fastcgi add +ExecCGI
 	<Directory "/home/httpd/cyberciti.biz/http">
		Options -Indexes FollowSymLinks +ExecCGI
		AllowOverride AuthConfig FileInfo
		AddHandler php5-fastcgi .php
		Action php5-fastcgi /cgi-bin/php.fcgi
		Order allow,deny
		Allow from all
	</Directory>

# Default cgi-bin perms
	<Directory "/home/httpd/cyberciti.biz/cgi-bin">
		AllowOverride None
		Options None
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>

Save and close the file. Restart Apache web server:
# service httpd restart

A Note About BSD PF Firewall

You need to update /etc/pf.conf as follows under OpenBSD / FreeBSD operating systems:

# define Ipv6 ips
apache_ipv6 = "{ 2607:f0d0:1002:11::4 }"
# Open port 80
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port http keep state
# Open port 443
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port https keep state

Save and close the file. Reload pf firewall:
# /etc/rc.d/pf reload
OR
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf

Additional Resources

Further resources should be consulted for more extensive configuration guidance, especially if particular applications need to be secured:

http://www.cyberciti.biz/faq/ipv6-apache-configuration-tutorial/

 

IPv6 sub-interfaces on Centos

This issue is solved of IPv6 sub-interfaces with adding multi IP addresses on the eth0 interfaces network script to be like the below:

#Intel Corporation 82576 Gigabit Network Connection
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:26:55:80:d0:ec
ONBOOT=yes
TYPE=Ethernet
NETMASK=255.255.255.240
IPADDR=8*.*35.*.**
GATEWAY=8*.*35.*.**
IPV6INIT=yes
IPV6ADDR=2001:16a0:*:*::11
IPV6_DEFAULTGW=2001:16a0:3:1::1
IPV6ADDR_SECONDARIES=”2001:16a0:*:*::12 \
2001:16a0:*:*::13 \
2001:16a0:*:*::14 \
2001:16a0:*:*::15 \
2001:16a0:*:*::16 \
2001:16a0:*:*::17 \
2001:16a0:*:*::18 \
2001:16a0:*:*::19 \
2001:16a0:*:*::20 \
2001:16a0:*:*::21″

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=37125&forum=58