Proxied IPv6 for IPv4 traffic

Hi,

I followed the article at Amazon’s $2bn IPv4 tax — and how you can avoid paying it (cloudflare.com), configuring my AWS server to use IPv6 only, adding the AAAA record in Cloudflare, making sure it was proxied, and then removing the A record.

However, once I did this and the DNS had propagated, connections to my site were failing. Tests like the HTTP Test on Bunny.net and Google PageSpeed couldn’t see the website.

From the article I would have expected Cloudflare to create a free IPv4 A record as part of the proxy service but this doesn’t appear to be working.

What am I missing?

What is the domain?

1 Like

I’ve re-added an IPv4 address and A record now due to the issues.
The domain is https://peterhough.co.uk

The domain is Proxied (:orange:) and has both IPv6 and IPv4 connectivity for edge connections (from the visitor to Cloudflare) at the moment.

However, …

  1. How does your Cloudflare Dashboard look, in regards to these specific record(s)?
    … Especially when you set it up with the AAAA, and the problem was there?

  2. What exact error code(s)/message(s) do you see?

Thanks for your help with this - I’ve just deleted the A records so we can debug this.

No error codes displayed; it all looks fine!?

I can confirm both IPv4 and IPv6 work

1 Like

Thanks for testing - it does seem to be working now! It’s really strange - I promise it wasn’t before and all I’ve done is add and then remove the A record - maybe it’s just temperamental!?

I’ll keep an eye on it.

From the shown records, the address for the AAAA works, and accepts your domain, both with and without www, with a valid certificate and everything.

The configuration itself seems fine from my end.

However, -

I see that when trying to access the www variant of your domain, it takes 30 seconds before the redirect happens, when communicating directly with your web server on the IPv6 address of your origin (Amazon).

The command line tool cURL is hanging at the Client hello of the TLS handshake, and that only happens with the www variant.

Since you redirect from www to the naked domain anyway, you might want to change the AAAA record of the www record to “100::”, and let Cloudflare take care of the redirect for you (e.g. without having to consult your Amazon instance first).

A wild guess, -

If the tests you were conducting also tested the www variant, these long delays could maybe be related, but it would of course also be hard to say for sure, without more specific error code(s)/message(s).

3 Likes

100:: is a new one on me! Thanks for the advice - I’ve changed that on the www AAAA record now.

1 Like

The apex also takes ~half a minute to load for me:

curl -svo /dev/null https://peterhough.co.uk
*   Trying 2606:4700:3036::ac43:c3c4:443...
* Connected to peterhough.co.uk (2606:4700:3036::ac43:c3c4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4232 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=peterhough.co.uk
*  start date: May 28 14:35:10 2024 GMT
*  expire date: Aug 26 14:35:09 2024 GMT
*  subjectAltName: host "peterhough.co.uk" matched cert's "peterhough.co.uk"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1P5
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x558551b7eeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> GET / HTTP/2
> Host: peterhough.co.uk
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [230 bytes data]
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]

At this point it stalls and I need to wait ~half a minute before I get the actual response:

< HTTP/2 200
< date: Fri, 07 Jun 2024 10:28:32 GMT
< content-type: text/html
< last-modified: Wed, 27 Mar 2024 15:16:15 GMT
< vary: Accept-Encoding
< cf-cache-status: DYNAMIC
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nQWbQ6LZ1YmgRaI%2FTSn0Bj6eg3HDFpdnEAmwTw9T5%2FGVqNQRqqyL%2Fj%2Bhi5xE%2BMkzwBYiEYAtQ%2F2ECgl789n2BkseQrD0o5of7EoDdlc0JZRJ7LMTtEIaKg%2FzwcqgdbSVZmKFU9ZS3GZ1HRnIdppv"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 88fff3fcb96176a3-LHR
< alt-svc: h3=":443"; ma=86400
<
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Connection #0 to host peterhough.co.uk left intact
1 Like

Yes, something has upset it now after that change - the tests are failing again!
HTTP Connectivity Test - Bunny Tools

The problem is not caused by Cloudflare, but also happens when I connect to your server directly.

As @DarkDeviL said in his previous post, the server takes ages for its initial response after the Client hello.

curl -svo /dev/null https://peterhough.co.uk --connect-to ::[2a05:d018:e53:bf00:8922:4408:fad9:be62]
* Connecting to hostname: 2a05:d018:e53:bf00:8922:4408:fad9:be62
*   Trying 2a05:d018:e53:bf00:8922:4408:fad9:be62:443...
* Connected to (nil) (2a05:d018:e53:bf00:8922:4408:fad9:be62) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]

So you will probably need to look at your server configuration.

3 Likes
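The two curl runs above (through Cloudflare, and directly at the origin with --connect-to) show the same ~30 s stall in different places: via the proxy the TLS handshake with Cloudflare completes quickly and the wait is for the HTTP response, while direct to the origin the wait is between the Client hello and the Server hello. The script below is an added example, not code from anyone in this thread: it uses curl's `-w` timing variables to measure the TCP, TLS and HTTP phases of a fetch, bounds the run with `--max-time` so a hung origin cannot hang the script, and reports which phase exceeded a threshold. Host and origin address are passed in by the caller; the 5 s threshold and the `probe`/`classify_stall` names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): locate a stall in a TLS fetch by phase.
# curl -w variables used: time_connect (TCP done), time_appconnect (TLS done),
# time_starttransfer (first response byte). All are seconds since start.

# classify_stall CONNECT APPCONNECT STARTTRANSFER [THRESHOLD]
# Prints the first phase whose duration is >= THRESHOLD seconds (default 5):
# "tcp", "tls", "http", or "none".
classify_stall() {
    awk -v c="$1" -v a="$2" -v s="$3" -v t="${4:-5}" 'BEGIN {
        if (c >= t)     { print "tcp";  exit }   # SYN/handshake not completing
        if (a - c >= t) { print "tls";  exit }   # stuck after Client hello
        if (s - a >= t) { print "http"; exit }   # handshake fine, server slow to answer
        print "none"
    }'
}

# probe URL [CONNECT_TO]
# CONNECT_TO uses curl's HOST:PORT:CONNHOST:CONNPORT form; "::[addr]:" means
# "any host, any port, go to addr instead" (the form used earlier in the thread),
# so SNI and the Host header stay the real name while the TCP peer is the origin.
probe() {
    url=$1
    if [ -n "$2" ]; then set -- "$url" --connect-to "$2"; else set -- "$url"; fi
    timings=$(curl -sS -o /dev/null --max-time 60 \
        -w '%{time_connect} %{time_appconnect} %{time_starttransfer}' "$@") || {
        echo "curl failed (connection error or hit --max-time)"; return 1; }
    set -- $timings
    echo "tcp_done=${1}s tls_done=${2}s first_byte=${3}s stall=$(classify_stall "$1" "$2" "$3" 5)"
}

# Usage (runs only when arguments are given):
#   sh probe.sh example.com 2001:db8::1   (constructed placeholders, not real hosts)
if [ $# -ge 1 ]; then
    HOST=$1
    ORIGIN6=$2
    echo "via Cloudflare:"
    probe "https://$HOST/"
    if [ -n "$ORIGIN6" ]; then
        echo "direct to origin over IPv6:"
        probe "https://$HOST/" "::[$ORIGIN6]:"
    fi
fi
```

Expect "http" from the proxied run and "tls" from the direct run when the origin is the one stalling after the Client hello; a "tcp" verdict on the direct run would instead point at a firewall or security group. Add `-6` or `-4` to the curl line to force the address family used towards the Cloudflare edge.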

It is a nice one, if you’re only looking for e.g. redirects, or other features of Cloudflare, but do not otherwise need a “server” to be responding, behind that name.

You would however also need a redirect rule, to make Cloudflare take care of the redirect.

https://dash.cloudflare.com/?to=/:account/:zone/rules/redirect-rules

Hmm … :expressionless:

I did test both the www and apex multiple times, and it was consistently the www on my end then.

But I have to agree - the apex is doing the exact same to me now. :frowning:

3 Likes
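The 100:: suggestion above (a proxied AAAA pointing at the RFC 6666 discard prefix, plus a redirect rule so Cloudflare answers for www without ever contacting the origin) can be applied with the Cloudflare API instead of the dashboard. The script below is an added example, not code from anyone in this thread or from Cloudflare: it builds the DNS-record and redirect-rule payloads and sends them only when `CF_API_TOKEN` and `CF_ZONE_ID` are set, printing them as a dry run otherwise. The domain `example.com` is a constructed placeholder, and the payload shapes follow Cloudflare's public API for DNS records and single redirects as this editor understands them; check them against the current API docs before running.

```shell
#!/bin/sh
# Added example (not from the thread): www -> 100:: (proxied) + Cloudflare redirect.
# Assumed environment: APEX (zone name), CF_API_TOKEN, CF_ZONE_ID.

APEX=${APEX:-example.com}   # constructed placeholder, not the thread's domain

# JSON for the www AAAA record. "proxied":true is the whole point: Cloudflare
# answers with its own edge addresses and never connects to 100::. An
# UNproxied 100:: record would publish a blackhole address to every resolver.
aaaa_discard_record() {
    printf '{"type":"AAAA","name":"www.%s","content":"100::","proxied":true,"ttl":1}' "$1"
}

# Single redirect rule for the http_request_dynamic_redirect phase:
# https://www.<apex>/<path>?<qs> -> https://<apex>/<path>?<qs> with a 301.
www_redirect_rule() {
    apex=$1
    cat <<EOF
{"rules":[{"description":"www to apex","expression":"(http.host eq \"www.${apex}\")","action":"redirect","action_parameters":{"from_value":{"target_url":{"expression":"concat(\"https://${apex}\", http.request.uri.path)"},"status_code":301,"preserve_query_string":true}}}]}
EOF
}

# cf_api METHOD PATH [BODY]: minimal authenticated call against the v4 API.
cf_api() {
    if [ -n "$3" ]; then
        set -- -X "$1" "https://api.cloudflare.com/client/v4$2" --data "$3"
    else
        set -- -X "$1" "https://api.cloudflare.com/client/v4$2"
    fi
    curl -sS -H "Authorization: Bearer $CF_API_TOKEN" \
         -H "Content-Type: application/json" "$@"
}

if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE_ID:-}" ]; then
    cf_api POST "/zones/$CF_ZONE_ID/dns_records" "$(aaaa_discard_record "$APEX")"
    cf_api PUT "/zones/$CF_ZONE_ID/rulesets/phases/http_request_dynamic_redirect/entrypoint" \
        "$(www_redirect_rule "$APEX")"
else
    echo "dry run (set CF_API_TOKEN and CF_ZONE_ID to apply):"
    aaaa_discard_record "$APEX"; echo
    www_redirect_rule "$APEX"
fi
```

After applying, `dig AAAA www.$APEX` should return Cloudflare edge addresses rather than 100::, and `curl -sI https://www.$APEX/` should show the 301 with a `location:` on the apex without any delay, since the origin is no longer in the path for www. The apex itself still needs a real origin address, so this does nothing for the apex stall discussed above.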

Thanks for the support. I’ve added a public IPv4 back on to my server but kept Cloudflare the same with only the IPv6 AAAA record listed and it seems to have come back to life!

There must be something in the server configuration that is looking for a public IPv4 address and only when that reaches a timeout it kicks in to life. I’ll bash my head against that brick wall next!

1 Like
