Unable to get IPv6 to work (Apache)

[WhiteDog]

Hello,

I am experimenting with cPanel 11.40.0.9 and IPv6. The server itself runs CentOS 5.9.

When I test my domain using e.g. IPv6 test - web site reachability I get the following result:
Checking for AAAA DNS record = 2001:XXXX:4300:YYYY:3::1
Checking for IPv6 web server = web server is unreachable

I can ping 2001:XXXX:4300:YYYY:3:0:0:0 using an external site
Executing ping6 ipv6.google.com also works

This is what i have done so far:
1. added "NETWORKING_IPV6=yes" to /etc/sysconfig/network
2. added "IPV6INIT=yes + IPV6ADDR=2001:XXXX:4300:YYYY:3:0:0:0 + IPV6_DEFAULTGW=2001:1af8:4300:YYYY:0:0:0:1" (+ = newline) to /etc/sysconfig/network-scripts/ifcfg-eth0
3. Added the range 2001:XXXX:4300:YYYY:3:0:0:0/112 in cPanel
4. Enabled IPv6 for a site using the cPanel interface.
5. Executed service network restart + /etc/init.d/ipaliases restart + apache restart

Observation:
When I enable or disable IPv6 using the cPanel interface for a domain, I receive the error "Request Timed Out". When I check back a minute later the domain is marked as "ENABLED".

So it appears IPv6 is working on my server but that Apache is not configured to listen to it or blocking it.
I also tried to temporarely disable the CSF firewall.

Any idea what I'm missing or where the "Request Timed Out" comes from?
Any log files I can check?

Many thanks!

 

[cPanelKenneth]

Are the IPv6 addresses added to the Apache Configuration?

 

[WhiteDog]

Are the IPv6 addresses added to the Apache Configuration?

Hi Kenneth,

How do I check / change that?
Is this not done when using the "Enable IPv6" or the "IPv6 Ranges" feature in cPanel?

 

[cPanelKenneth]

Look in /usr/local/apache/conf/httpd.conf. You should find, at minimum, an IPv6 address for each virtualhost associated with an account you granted IPv6 functionality too. This check is simply a standard troubleshooting step.

If there are no IPv6 entries in the Apache config then something is amiss. In that case I recommend you open a support ticket with us https://support.cpanel.net

 

[WhiteDog]

Look in /usr/local/apache/conf/httpd.conf. You should find, at minimum, an IPv6 address for each virtualhost associated with an account you granted IPv6 functionality too. This check is simply a standard troubleshooting step.

If there are no IPv6 entries in the Apache config then something is amiss. In that case I recommend you open a support ticket with us https://support.cpanel.net

I can find a bunch of IPv6 entries:

</VirtualHost>
NameVirtualHost [AAAA:BBBB:XXXX:YYYY:0003:0000:0000:0000]:80
<VirtualHost 12.34.56.78:80 [AAAA:BBBB:XXXX:YYYY:0003:0000:0000:0000]:80>
    ServerName domain.com

I have now also enabled the IPv6 firewall in CSF. As I am using a pre 2.6.20 kernel CSF is configured to IPV6_SPI = 0 and all outgoing ports open as CSF instructs.
I can also see incoming ipv6 traffic in the iptables log. Even more, if I remove port 80 from the allowed incoming ports the web server check i mentioned above is actively blocked:
Oct 18 16:07:08 cloud kernel: Firewall: *TCP6IN Blocked* IN=eth0 OUT= MAC=00:50:56:82:38:41:00:d0:00:fb:90:00:86:dd SRC=2001:41d0:0008:e8ad:0000:0000:0000:0001 DST=2001:XXXX:4300:YYYY:0003:0000:0000:0000 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=44472 DPT=80 WINDOW=14400 RES=0x00 SYN URGP=0

I think this rules out this being a problem on network or firewall level.

 

[WhiteDog]

Testing with Validador IPv6 - Teste seu sítio I get:
* The server does not responds to a HEAD requisition. This is the most important test, this site is not accessible over IPv6!
* It is possible to ping the server over IPv6.
* The authoritative DNS server is accessible over IPv6.

 

[WhiteDog]

When I update in htpd.conf "Listen 0:0:0:0:80" to "Listen *:80" all the IPv6 tests start working

I know the proper way to adjust this is via "Tweak Settings". Is it normal that I have to change this manually? Or should this change not be required?