Just like I finally felt ready to move my first site from shared-hosting to self-hosting, Linode changes the game by adding IPv6 into the mix. Not funny

What does this mean for a LEMP (ubuntu)?

• Enabling it for your linode seems simple enough.
• I found how to add an entry for IPv6 in the /etc/hosts
• The firewall ufw seems to support IPv6 by default. I have opened 3 ports (22,80,443) and when I execute the command ufw status they are listed twice ("ALLOW Anywhere" and "Allow Anywhere (v6)")
• Nginx is installed with IPv6 support. Do I have to do anything else but uncommenting "listen [::]:80 default ipv6only=on;" for the virtual hosts? I am not to sure about the ipv6only, should I remove that?
• I have configured php5-fpm to use unix sockets instead of tcp, so no changes here?
• What changes do I have to make in the Linode DNS manager?
• What changes do I have to make with my registrar?
• What about Fail2Ban?
• What about Logwatch (and postfix)?
• What about MySQL and phpmyadmin?
• Munin?
• SSH?
• awstats?

Anything I overlooked? Or should I do nothing?

Thanks.

Cherry-picking the parts I know about:



I'm not using ipv6only, but I do explicitly list each IP I want to listen on. I have:

listen 192.0.2.1:80;
listen [2001:db8::123]:80;

I can verify this with netstat -ntl:

$ netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.0.2.1:80            0.0.0.0:*               LISTEN     
tcp6       0      0 2001:db8::123:80        :::*                    LISTEN     

If your applications care about IPs, they will have to deal with IPv6 addresses showing up in HTTP_REMOTE_ADDR, etc.



For each A record you have, add a second AAAA record with the IPv6 IP. (No square brackets or anything, just the IP.



Nothin'! The changes have already been made (assuming you're using ns(1..5).linode.com for your nameservers). Drilling down on a Linode-hosted domain:

;; Received 490 bytes from 2001:500:2d::d#53(d.root-servers.net) in 39 ms
;; Received 291 bytes from 2001:503:a83e::2:30#53(a.gtld-servers.net) in 96 ms
;; Received 307 bytes from 2600:3c01::a#53(ns2.linode.com) in 97 ms

fail2ban and logwatch might choke a bit, but I use neither. postfix is happy with IPv6. MySQL doesn't need to know about IPv6, phpmyadmin doesn't care enough.



If you're using the ip_ plugin (the one with the magic iptables rules), it won't work with IPv6 addresses. I have forked and modified it to work. I suspect the real ip_ plugin ought to be fixed by now, though, since it was 90% of the way there...



Happy as a clam.



Probably OK. Most log parsers learned long ago to not think too hard about what web servers stick in the remote address field. I think the worst that can happen is it won't recognize an IPv6 address as a network address (big-endian, resolve to group by top-level domain) and will instead try to treat it as a hostname (little-endian, resolve to group by network block). That would be a bug, if it's the case.

tl;dr: try it and see

_________________

/* TODO: need to add signature to posts */

doesn't care, but if you're using the geoip databases, those lookups won't work, because the databases they use don't have ipv6 in them yet