Zerops, 7mo ago
Dally

Public IPv6 and a domain

Hello, I did my due research but I'm in no way experienced enough with this, so I'd like a confirmation. In theory, it should be possible to have only the public IPv6 address set up in Zerops for a service (Node.js Astro project) and route IPv4 through Cloudflare's proxied AAAA DNS record pointing to the public IPv6, right? As I said, I searched for some information on Google and Cloudflare's forums, and it should be doable. Do any of you have some experience with such a thing? Thanks?
25 Replies
Dally (OP), 7mo ago
The domain should get resolved for users only with IPv4 through Cloudflare and Cloudflare should then route the traffic to the service if I understand it correctly.
wocis, 7mo ago
Yep, it is doable. Just put your IPv6 address to your domain as an AAAA record and turn on proxy for that record (proxy status -> proxied), for example:
zeropstest.yourdomain.com AAAA your:v6:zer:ops:ip
When you then try to resolve zeropstest.yourdomain.com, you'll get the IP addresses of Cloudflare's proxy servers (your real IPv6 will be "hidden"/proxied). There must be some other configuration for SSL/HTTPS to work, but plain proxy without SSL will work out of the box this way.
Aleš, 7mo ago
btw we just confirmed @Dally https://proxytest.zerops.dev AAAA pointing to Zerops IPv6 as "Proxied", working in "Full" mode.. only "Always use HTTP" has to be turned off so Let's Encrypt can validate the certificate on our side
Dally (OP), 7mo ago
Awesome! Thanks
wocis, 7mo ago
For the note - as I wrote - if you try to resolve such record you'll get CF's addresses (both v4 and v6, random):
nermal, 6mo ago
any idea why this proxytest url is throwing 523 err
Aleš, 6mo ago
we probably removed it, it was just for a test
nermal, 6mo ago
alright then, thanks, will use that method 😄
Dally (OP), 5mo ago
Will this somehow affect the routing?
Aleš, 5mo ago
@Jan Saidl @wocis btw are you still encountering those 502 @Dally? we've released a major improvement in the way we are resolving DNS
wocis, 5mo ago
It won't. The ISRG Root X1 is created with new(est) set of encryption algorithms which old devices can't cope with.
Dally (OP), 5mo ago
No, haven't seen them in a while
Unknown User, 5mo ago
Message Not Public
Aleš, 5mo ago
@Michal Saloň what's the latest correct way to configure this pls? we made some changes to make it more straightforward, either @Michal Saloň or @wocis will tell you the proper way to configure it
Unknown User, 5mo ago
Message Not Public
Michal Saloň, 5mo ago
You really need to make sure you have Full or Full (strict) mode in Cloudflare enabled, otherwise you go to CF via https, but CF calls our servers via http, but our servers (if you set it to install certificates) will automatically redirect from http to https. If you didn't have Full mode and changed it later, you might need to try in an anonymous window or clear your browser cache.
Aleš, 5mo ago
what about the "Always use HTTPS" option @Michal Saloň ?
Michal Saloň, 5mo ago
That post is still the way to do it. So it should work if it was followed exactly.
Unknown User, 5mo ago
Message Not Public
Michal Saloň, 5mo ago
Yeah, saw that a few weeks ago as well with one other domain, thought it was a one-off issue. Might need to mention somewhere in docs to refresh the page and re-check if it's truly in Full mode. Btw, I would recommend Full (strict) mode if all the proxied domains point to a server with valid SSL certificates.
Dally (OP), 2mo ago
Will this setup still work with the lightweight core? It should, right, even though there's no SSL certificate provisioning?
Michal Saloň, 2mo ago
Light core should still have SSL certificate provisioning and TLS termination, it's similar to Serious core, just on one container and with lower free build time, egress bandwidth and backup storage.
Dally (OP), 2mo ago
Oh the comparison makes it look like it doesn't
Michal Saloň, 2mo ago
It should have it (see the last part of the first section in lightweight core), it's just all on one container and I think SSL termination and generation was accidentally omitted from there. Unless something changed, it should work on lightweight core.