Public IPv6 and a domain
Hello, I did my due research but I'm in no way experienced enough with this, so I'd like a confirmation.
In theory, it should be possible to have only the public IPv6 address set up in Zerops for a service (Node.js Astro project) and route IPv4 through Cloudflare's proxied AAAA DNS record pointing to the public IPv6, right?
As I said, I searched for some information on Google and Cloudflare's forums, and it should be doable. Do any of you have some experience with such a thing? Thanks!
25 Replies
The domain should get resolved for users only with IPv4 through Cloudflare and Cloudflare should then route the traffic to the service if I understand it correctly.
Yep, it is doable. Just add your IPv6 address to your domain as an AAAA record and turn on the proxy for that record (proxy status -> proxied), for example:
zeropstest.yourdomain.com AAAA your:v6:zer:ops:ip
When you try to resolve zeropstest.yourdomain.com, you'll then get the IP addresses of Cloudflare's proxy servers (your real IPv6 will be "hidden"/proxied).
There must be some other configuration for SSL/HTTPS to work, but a plain proxy without SSL will work out of the box this way.
btw we just confirmed @Dally
https://proxytest.zerops.dev
AAAA pointing to Zerops IPv6 as "Proxied", working in "Full" mode. Only "Always use HTTP" has to be turned off so Let's Encrypt can validate the certificate on our side
Awesome! Thanks
For the note - as I wrote - if you try to resolve such a record you'll get CF's addresses (both v4 and v6, random):
any idea why this proxytest url is throwing 523 err
we probably removed it, it was just for a test
alright then
thanks will use that method
😄
Will this somehow affect the routing?
@Jan Saidl @wocis
btw are you still encountering those 502 @Dally? we've released a major improvement in the way we are resolving DNS
It won't. The ISRG Root X1 is created with a new(est) set of encryption algorithms which old devices can't cope with.
No, haven't seen them in a while
@Michal Saloň what's the latest correct way to configure this pls?
we made some changes to make it more straightforward, either @Michal Saloň or @wocis will tell you the proper way to configure it
You really need to make sure you have Full or Full (strict) mode in Cloudflare enabled, otherwise you go to CF via https, but CF calls our servers via http, but our servers (if you set it to install certificates) will automatically redirect from http to https.
If you didn't have Full mode and changed it later, you might need to try in an anonymous window or clear your browser cache.
what about the "Always use HTTPS" option @Michal Saloň ?
That post is still the way to do it. So it should work if it was followed exactly.
Yeah, saw that a few weeks ago as well with one other domain, thought it was a one-off issue. Might need to mention somewhere in docs to refresh the page and re-check if it's truly in Full mode.
Btw, I would recommend Full (strict) mode if all the proxied domains point to a server with valid SSL certificates.
Will this setup still work with the lightweight core? It should, right, even though there's no SSL certificate provisioning
Light core should still have SSL certificate provisioning and TLS termination, it's similar to Serious core, just on one container and with lower free build time, egress bandwidth and backup storage.
Oh the comparison makes it look like it doesn't
It should have it (see the last part of the first section in lightweight core), it's just all on one container and I think SSL termination and generation was accidentally omitted from there.
Unless something changed, it should work on lightweight core.