IPv6-only server / domain with Cloudflare (using Caddy v2 and no Argo)

Hello guys,

I’m trying to set up my web server to listen only on :: on port 443 over IPv6 with Caddy v2, meaning no listening on IPv4 (only localhost is listening on IPv4).

I followed some tutorials to get this setup working, including removing the A records of my domain in the Cloudflare DNS menu, hoping that Cloudflare’s resolver and forward proxy would connect to my AAAA record over IPv6, as described in some tutorials and forums.

I checked my Caddy v2 setup, which seems to work as expected when I have A records in the Cloudflare DNS settings. I can connect to the web server domain normally when the Cloudflare A records are up, and TLS is working in Full (strict) mode.

But to my surprise, Cloudflare domain name resolution / DNS seems to just not work without some A record in the Cloudflare DNS menu.

I can connect to the Caddy server on port 443 using the server’s real IPv6 address, but not using the domain name if only the AAAA records are present and no A records, which seems like unexpected behavior to me.

I recall I did a similar setup a couple of years ago using Traefik and had no issue linking my Cloudflare domain to a Traefik server in IPv6-only mode.

Also, from what I have read in forums on this topic, it seems that Cloudflare has changed the way it handles their DNS/proxy IPv4/IPv6 connections during this period.

Aside from that, I also tried “cloudflared” Argo/VPN, but it doesn’t really fit with my setup, although I could maybe retry it, this time not using their Ingress feature as I (stupidly) did first, and try to rely only on Caddy for ingress as I should… so maybe I should retry “cloudflared”… but I’d rather avoid using exotic tunnels and such if possible :smiley:

In short, I am not sure anymore what to do to get an IPv6-only server / domain name resolution / HTTPS working “as expected” with Cloudflare… maybe it is not possible anymore as it used to be… I just don’t know.

Help would be appreciated :smiley:

(edited for clarity)

I am venturing a guess that there is some error in the DNS config on Cloudflare.

Any chance you could share the DNS page with a screenshot (remember, this is a public forum, censor what you do not wish to share)?

I’m gonna vouch for cloudflared, though. Easy to set up (it no longer requires a config file; you can do everything via the dashboard) and no open ports at all.

cloudflared is tempting and might (maybe…) solve my immediate “IPv6-only” issue, but if I could just rely on it for admin purposes and instead rely on “standard” Caddy v2 and IPv6-only configs / setups for the “other things”, I’d slightly prefer that :smiley:

Here is my cleaned-up, very basic Cloudflare DNS page:

If I remove the A record for domain.io and the wildcard A record entry (while keeping the A record for mail.domain.io to keep the mail server working), leaving only the AAAA ones, it just doesn’t work anymore :frowning:

Even if I restrict Caddy v2 to listen on IPv6 only and such (I doubt Caddy is the issue…), Cloudflare seems to just not contact the server anymore if no A records are present in their DNS config page :frowning:

Once again, it could be that Cloudflare has changed their settings… maybe to encourage usage of Argo/cloudflared, I just don’t really know :frowning: and I am somewhat surprised, with all those cheap IPv6-only VPS offers and such, that this IPv6-only topic is not more highlighted and documented within the Cloudflare community.

That IPv6 IP ending with :: seems weird for a specific device’s IP. Are you sure that is the full thing?

That setup looks good, though. You sure there are no blocks on the Cloudflare IPs on the server’s side?

Additional question, why do you have those NS records down there? I don’t think you are authorised to have subdomain zones on Cloudflare, so those are most likely wrong.

So according to you it “should” work without A records… hmm.

My server is an OVH/Kimsufi host. I doubt they would block Cloudflare IPv6 IPs while letting the IPv4 ones through… but who knows… I should ask them to be really sure, maybe… I know they sometimes act “weirdly”… and somehow I would not be THAT surprised if they were doing this (to me) :smiley:

Otherwise, I think the IPv6 address ending with :: is correct, although I could try using ::0 maybe… and also the IPv6 used is a /66 (and not a /64 as usual), since I divided the /64 IPv6 block from my OVH/Kimsufi server into 4 /66 blocks.

One final option is trying to unproxy the records and access it directly; it might be a configuration error about IPv6 in the server itself.

You told me direct IP access works?

It’d be the same, totally fine then.

I tried with only AAAA records in the Cloudflare DNS settings, unproxied, in “DNS-only” mode as you suggested.

The problem remains… so from my understanding… it is rather some IPv6-only DNS settings issue coming from Cloudflare itself… that seems more likely than OVH/Kimsufi blocking, for no reason, all Cloudflare IPv6s trying to connect to my real server at OVH on port 443 over IPv6… although I am NOT totally sure yet :smiley:

Direct IPv6 access works means “curl -v $MYCADDYHOSTREALIPV6” works. So apparently the Caddy v2 server does respond over IPv6 as expected and is not the issue.

In DNS-only mode OVH doesn’t see a Cloudflare IP; you are connecting directly. I suspect the issue is with Caddy and something to do with the actual domain coming in attached to the IP.

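The distinction raised in the reply above (a bare-IP curl succeeds, but a request that carries the real hostname may not) is easy to test from a shell. The script below is an added example, not something posted in the thread: it asks Cloudflare’s public resolver whether the AAAA record is actually published, then hits the origin twice over IPv6, once by bare literal (no SNI, the way `curl -v $IP` does it) and once with curl’s `--resolve` so that the TLS SNI and Host header carry the zone name while the connection is still forced onto the origin’s IPv6 literal, which is the shape of the request Cloudflare’s edge sends. The hostname and address are placeholders to be replaced; `looks_like_ipv6` is only a syntax sanity check (an address ending in `::` passes, since it is a valid all-zero interface identifier), not a reachability test.

```shell
#!/usr/bin/env bash
# Added diagnostic for an IPv6-only origin behind Cloudflare (example code,
# not from the thread). Usage: ./origin6-check.sh example.com 2001:db8::1
# HOST and ORIGIN6 below are assumed placeholder values.
set -u

# Compose curl's --resolve argument: host:port:[ipv6-literal]. This makes curl
# send the real hostname (SNI + Host) but connect to the literal we choose.
resolve_arg() {
  printf '%s:%s:[%s]' "$1" "$2" "$3"
}

# Rough syntax check: only hex digits and colons, and either a "::" run or
# exactly seven colons (fully expanded form). Dotted IPv4 is rejected.
looks_like_ipv6() {
  case "$1" in
    *[!0-9a-fA-F:]*) return 1 ;;
    *::*) return 0 ;;
  esac
  [ "$(printf '%s' "$1" | tr -cd ':' | wc -c)" -eq 7 ]
}

# 1. Is the AAAA record published? Ask 1.1.1.1 so we see what the world sees
#    rather than a stale local cache. Empty output means no AAAA answer.
dns_check() {
  dig +short AAAA "$1" @1.1.1.1
}

# 2. Bare-literal request: no SNI, so a Caddy with automatic HTTPS cannot
#    select a certificate for a hostname; -k tolerates the mismatch.
bare_ip_check() {
  curl -6 -sk -o /dev/null -w 'bare literal : HTTP %{http_code}\n' "https://[$1]/"
}

# 3. Same origin, hostname attached. This is the request Cloudflare makes when
#    proxying an AAAA-only record; a failure here with success above points at
#    the vhost/TLS configuration rather than at Cloudflare or the network.
sni_check() {
  curl -6 -sS -o /dev/null -w 'with SNI/Host: HTTP %{http_code}\n' \
    --resolve "$(resolve_arg "$1" 443 "$2")" "https://$1/"
}

if [ "$#" -ge 2 ]; then
  HOST=$1
  ORIGIN6=$2
  looks_like_ipv6 "$ORIGIN6" || { echo "not an IPv6 literal: $ORIGIN6" >&2; exit 2; }
  echo "AAAA answers for $HOST:"
  dns_check "$HOST"
  bare_ip_check "$ORIGIN6"
  sni_check "$HOST" "$ORIGIN6"
fi
```

Run it once with the records in DNS-only mode; if the `--resolve` request fails while the bare-literal one succeeds, compare Caddy’s site address (the host block name) and its bind setting against the name being sent, since a listener bound to `::` only answers the hostname it has a site and certificate for.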

Thanks for your insights. You may be correct; it could be Caddy v2 (and my podman setup) not ingressing “correctly”, like maybe it is using IPv4 internally or such things… I am going to dig into / debug this a bit more… maybe first by installing a basic / simple HTTPS server with TLS on the host itself to see if it works as “expected” with IPv6 only and Cloudflare without A records. Hopefully I’ll find a solution to this :smiley:


Using a longer prefix than /64 is strongly discouraged and breaks some IPv6 features, including some routers being unable to handle it properly.

