Spork Schivago

Well-Known Member
Jan 21, 2016
597
64
28
corning, ny
cPanel Access Level
Root Administrator
It seems the iptables rules didn't work. Even though I specified -d ipv6.mydomain.com, when I list the tables, it seems iptables looks at ipv6.mydomain.com as franklin.mydomain.com.

It cannot tell the difference. So when I set up the iptables rules to block IPv4 traffic to ipv6.mydomain.com, it blocks it for all the cPanel services, franklin (the hostname), etc. Looks like there might not be a way to block IPv4 traffic to ipv6.mydomain.com, without removing the A rule from the DNS zone, but then AutoSSL won't work.

There's already a feature request for cPanel to support IPv6 only addresses, because in some countries, I guess IPv6 addresses are the only ones they can get. It's been there for a while, and doesn't look like it's going to get implemented anytime soon. So we'll just have to wait until it gets implemented. I understand cPanel is extremely busy, and I understand that this probably isn't on their top list of things to do.

Thanks for the help.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,908
2,216
463
Hello,

Regarding the proxy subdomains supported with the AutoSSL feature, here's the last response from the support ticket:

At this time, AutoSSL will not handle those proxy subdomains. It currently only handles:
1) The domain.tld itself (no www)
2) www.domain.tld
3) cpanel.domain.tld
4) webmail.domain.tld
5) webdisk.domain.tld
6) whm.domain.tld (as long as the account is a reseller)

I checked with the team that created the AutoSSL system and there are presently no plans to include cpcontacts or cpcalendars at this time. Adding a feature request is likely going to be your best option to get the ear of our development team.
Thank you.
 

Spork Schivago

Thanks for confirming, cPanel Michael. I have submitted a feature request. Now I just have to find a way to block IPv4 access to ipv6.example.com. One of the tech people opened a support ticket for me, but we're not really getting anymore. I might open a topic on the forums to see if anyone can help.
 

cPanelMichael

Hello,

You may also want to consider setting up a custom deny/allow rule in the .htaccess file, or a mod_rewrite rule that uses a regular expression to block any non-IPv6 IP addresses.

Thank you.
 

Spork Schivago

@cPanelMichael, that's a good idea, but that only blocks non-IPv6 access to Apache, right? The idea is to block all non-IPv6 to ipv6.example.com, so when I try something like ping ipv6.example.com, if I'm using the IPv4 protocol, ping should fail. I think with .htaccess and mod_rewrite rules, ping would still succeed.

I don't think I can use iptables either to block access (I thought this was possible but didn't have a good enough understanding of iptables and now believe this is in fact impossible to do).

I think my only true option is to wait until my feature request is implemented, if it ever is implemented.
 

cPanelMichael

Hello,

That's correct. Deny or rewrite rules in the .htaccess file would only apply to access over Apache. With the requirements you mentioned, it does seem like a change to the product to support IPv6-only would be the best way to have this working as you intend. Here's a link to the feature request in case anyone else sees this thread and would like to vote for it:

Support IPv6-only

Thank you.
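
An added illustration of the point reached in the exchange above (not code from either poster or from cPanel): a small Python model of why a packet-filter rule written with a hostname ends up matching every name on the same IPv4 address, and of what a Host-based check at the web server can and cannot see. The zone data, addresses and function names are constructed for the example.

```python
import ipaddress

# Constructed zone: three names on one server sharing a single IPv4 address,
# mirroring the situation described in the thread.
ZONE = {
    "franklin.example.com": {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
    "cpanel.example.com":   {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
    "ipv6.example.com":     {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
}

def compile_rule(dest_name):
    """Model of `iptables -A INPUT -d <name> -j DROP`: the name is resolved
    once, when the rule is added, and only the address is stored."""
    return ipaddress.ip_address(ZONE[dest_name]["A"])

def packet_filter_drops(rule_addr, dst_ip):
    """Layer 3 sees a destination address, never the name the client looked up."""
    return ipaddress.ip_address(dst_ip) == rule_addr

def collateral_names(dest_name):
    """Other names that become unreachable over IPv4 because of the rule."""
    rule = compile_rule(dest_name)
    return sorted(name for name, rr in ZONE.items()
                  if name != dest_name and packet_filter_drops(rule, rr["A"]))

def http_layer_denies(host_header, client_ip, v6_only_host="ipv6.example.com"):
    """Layer 7 check in the spirit of the .htaccess suggestion: deny when the
    request names the IPv6-only site and the client connected over IPv4."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack socket may report IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    host = host_header.lower().split(":")[0]  # drop an optional :port
    return host == v6_only_host and addr.version == 4

if __name__ == "__main__":
    print("Blocked along with ipv6.example.com:",
          collateral_names("ipv6.example.com"))
    # ICMP echo carries no Host header, so only HTTP requests reach this check.
    for host, client in [("ipv6.example.com", "198.51.100.7"),
                         ("ipv6.example.com", "2001:db8::99"),
                         ("franklin.example.com", "198.51.100.7")]:
        print(host, client, "deny" if http_layer_denies(host, client) else "allow")
```

The web-server check separates the names because HTTP carries a Host header; ping and other non-HTTP traffic never reach it, which is the limitation confirmed above.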
 

Spork Schivago

It's too bad this wasn't a higher priority with cPanel. I understand how busy you guys are and everything, but my understanding is that in some countries, it's very hard to get IPv4 addresses, and in those countries, people cannot run cPanel at all. We know IPv4 addresses are pretty much used up, and granted, I'm sure there are ways to recover a good amount of the addresses out there (people being assigned class B networks, for example, when they only need a class C and maybe using NAT or something), etc. But in the end, we all need to move to IPv6 sooner or later.

Eventually, cPanel will need to support IPv6-only, I'd think. It'd be nice to see the change implemented. That request was submitted over three years ago, and from the people that I've talked to at cPanel, there are no current plans to implement IPv6 only addresses at this point in time. I doubt many people will vote for this feature request.

The people that only have IPv6 addresses are probably not going to create an account to vote for it, having never tried cPanel before. All the other users that have accounts more than likely have cPanel installed, and have IPv4 addresses, so they probably won't care much.

I think the only hope is if the cPanel developers decide to implement the feature. I don't think the general public is going to vote much for the feature request.