My web server (Ubuntu, Nginx) have both IPv4 and IPv6 addresses assigned by the host. For my website, shall I bind it to only an IPv6 address? Is it the standard recommended way? Or, shall I use both IPv4 and IPv6 addresses?
-
13You are asking the wrong question (to the wrong people) -- Ask yourself "Do I need to be able to access this site from IPv4 clients, IPv6 clients, or both?". The answer to that is also the answer to what addresses your web server needs to be listening on. – voretaq7 Aug 27 '12 at 02:40
-
6Ordinarily, I'd completely agree with a "get your specs first" answer like that, but in this case, oddly, I don't; I agree with Michael. "v6 only" is still, sadly, vanishingly unlikely to be the requirement (though if it is, this comment is wholly wrong). If it's not, then we're down to "mixed stack" and "v4 only". Even if your users all say "v4 only" is right, at this point, it's wrong; mixed-stack is the way to go for future-proofing, no matter what the current user community says. – MadHatter May 19 '13 at 06:40
-
@MadHatter At this point, we can safely eliminate "v4-only". The inherent limits of large scale NAT make v4-only untenable for the operator of a web site or quite possibly any other Internet service. More details in my updated answer. – Michael Hampton Aug 08 '15 at 01:45
-
@MichaelHampton still agreeing with you. – MadHatter Aug 08 '15 at 04:53
2 Answers
Use both IPv4 and IPv6
You should use both IPv4 and IPv6 addresses.
Nearly everyone on the Internet currently has an IPv4 address, or is behind a NAT of some kind, and can access IPv4 resources.
However, at the time of writing only about 0.7% 2.3% 3.8% 6.5% 9% 12% 19% 22% 26% 32% 37% of the Internet is IPv6 capable, but that number is steadily growing as IPv6 begins to roll out worldwide.
In a very few places, ISPs are providing primarily IPv6 or only IPv6 to residential customers and using large scale NAT, NAT64 or other such solutions for IPv4 connectivity. This number is expected to grow as IPv4 address space is finally exhausted. These users will typically have better performance over IPv6.
Where ISPs have deployed large scale NAT to solve IPv4 exhaustion, users stuck with this will suffer reduced reliability of all their Internet connections due to the connection limits inherent in the large scale NAT gateways. For instance, a web page might only load some but not all of its resources, leaving broken icons where images should be, missing styles and scripts, etc. This is similar to connection limit exhaustion on a home router, but affecting all users of the ISP intermittently and seemingly randomly. If you want your site to be reliable for these users, you must serve it via IPv6 (and the ISP must have deployed IPv6).
Since IPv6 is where the Internet is going, having your web site IPv6 enabled now puts you ahead of the game and lets you resolve any problems long before they become serious.
Configure nginx
By default with Linux and nginx, you can bind to both IPv4 and IPv6 at the same time by changing your listen
directives to:
listen [::]:80;
listen 80;
Or, for SSL sites:
listen [::]:443 ssl;
listen 443 ssl;
- 103
- 2
- 237,123
- 42
- 477
- 940
-
Ok thanks... one more question.. Now I have setup the server... In the DNS recurs, I have to put two records A and AAAA (with the host name @) and pointing to the relavant ips? – THpubs Aug 27 '12 at 02:59
-
3Yes, the `A` record is for your IPv4 address and the `AAAA` record is for your IPv6 address. – Michael Hampton Aug 27 '12 at 02:59
-
-
Is there any case where trying to bind to both could fail and crash Nginx - like, where the server doesn't have both kinds of addresses? – Nathan Long Oct 30 '20 at 20:23
-
@NathanLong Yes, but if you're having a problem you should hit the Ask Question button. Comments aren't really the place for new questions. – Michael Hampton Oct 30 '20 at 22:23
Bind to both!
We had an IIS web site whose code did an internal reference to itself, using the DNS name that the client had used. This process would always fail.
Another symptom was that a browser running locally on the server could not find the web site by the name of the server, only by the IPv4 address. That is, http://192.168.55.139
would work, but http://myhost
would fail. Using ping myhost
would, by default, return the IPv6 address (ping myhost -4
would return the IPv4 address).
The fix was to open IIS and change the Bindings of the web site to bind to the IPv6 address, as well as the IPv4 address.
- 435
- 2
- 7
- 17
-
6[It's not necessary to obfuscate private addresses.](http://meta.serverfault.com/q/963/126632) Though, you should also bind to your global IPv6 address so that your site can be reached externally via IPv6. – Michael Hampton Jun 03 '14 at 17:38
-
-
2Having a service accessible both internally and externally is easier when you don't use NAT. And it is easier to avoid NAT, if you are using IPv6. But blindly connecting to a hostname provided by a client sounds like a design flaw. It is entirely possible for the client to send you a `Host` header with a domain name that doesn't belong to you. – kasperd Feb 09 '16 at 08:54