Workaround Guide to enable IPv6 with EasyEngine


#1

Since I just created another post with my first question where I need help, I would like to contribute to the forum on a topic where I know the solution. I am a fan of short and specific steps that can be of help to anyone, not just admin experts. So here it is, all in one place:

EE is not set up to enable IPv6. The workaround is a few modifications that need to be done for every website you install with EE. It’s really easy, but also very annoying, so I wish this would be taken care of in the next EE release, maybe with an –IPv6 switch.

Motivation: In my case it was not only a desire to support IPv6, but I actually had problems connecting to my website without IPv6 enabled on the website. My phone connected fine, but my home PC did not. My ATT U-Verse ISP is IPv6 enabled so I am not sure if that created problems when trying to connect to my website server that might have been partially IPv6 enabled. I had to configure IPv6 in all the required places to be able to access the website.

Assuming the website name is mysite.com, here are the steps and files that need to be modified. The new lines are commented with #Add this line.

/etc/nginx/conf.d/force-ssl-mysite.com.conf

server {
        listen 80;
        listen [::]:80;                       #add this line
        server_name www.mysite.com mysite.com;
        return 301 https://mysite.com$request_uri;
}

/var/www/mysite.com/conf/nginx/ssl.conf

listen 443 ssl http2;
listen [::]:443 ssl http2;                    #Add this line
ssl on;
ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/mysite.com/privkey.pem;
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;

Note the ssl_ciphers… line at the end of the file does not relate to IPv6, but it’s the solution for certain web browsers complaining about weak ciphers with the error message: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

Those are the two files you need to update for every site you install (on the same server).

To enable IPv6 for the admin tools access, you also need to update: /etc/nginx/sites-enabled/22222

server {
  listen 22222 default_server ssl http2;
  listen [::]:22222 default_server ssl http2;      #Add this line
  ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
--

Again, the ssl_ciphers line is not related to IPv6, but needed to address the newly introduced ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY problem with certain web browsers.

After the changes we need to check for syntax errors and restart Nginx:

sudo nginx -t
sudo service nginx restart    # Restart nginx

Now we can test to see that the additional ports are listening with IPv6:

sudo lsof -i :80
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   22776     root   12u  IPv4 190830      0t0  TCP *:http (LISTEN)
nginx   22776     root   13u  IPv6 190831      0t0  TCP *:http (LISTEN)
nginx   22777 www-data   12u  IPv4 190830      0t0  TCP *:http (LISTEN)
nginx   22777 www-data   13u  IPv6 190831      0t0  TCP *:http (LISTEN)

To check the other ports also:

sudo lsof -i :443
sudo lsof -i :22222

The last thing worth mentioning is that besides these Nginx mods, IPv6 should be enabled for the host itself in /etc/hosts. For the example below the hostname is “myhost” and the site name “mysite.com” is used in the Fully Qualified Domain Name (FQDN) myhost.mysite.com. The hostname used here should be the same as defined in /etc/hostname. Note that the FQDN site name can be different than the domain website name(s) being hosted, but I use the same hostname as one of the website domain names.

/etc/hosts

127.0.0.1       localhost
127.0.1.1       ubuntu.members.linode.com       Ubuntu    # Default for Linode
[IPv4 address here]  myhost.mysite.com myhost
[IPv6 address here]  myhost.mysite.com myhost

Don’t forget to add AAAA DNS records with the IPv6 address for the domain name server and/or Cloudflare.

Finally, it’s good to check that SSL and IPv6 for the website are working from the outside: https://www.ssllabs.com/ssltest/

Again, these are very easy workarounds. This should be incorporated into the next release of EE. This way we don’t have to manually go in and update the files every time. A command switch such as -IPv6 would be great.
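
Added example, not part of the original post and not EasyEngine code: since the edits above have to be repeated for every site, this shell function reports config files that listen on a port over IPv4 but have no matching `[::]` listener. The function name `missing_ipv6_listen` is hypothetical, and pairing is judged per file rather than per server block.

```shell
#!/bin/sh
# Added example (not from the original post): flag nginx config files that
# listen on a port over IPv4 but have no matching [::] listener.
# Assumption: pairing is judged per file, not per server block.

# Usage: missing_ipv6_listen FILE...   (returns 1 if any gap is found)
missing_ipv6_listen() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        $1 == "listen" {
            addr = $2
            sub(/;$/, "", addr)
            if (addr ~ /^unix:/) next      # unix sockets have no IP family
            if (addr ~ /^\[/) {            # IPv6: [::]:443, [::1]:8080, [::]
                port = addr
                sub(/^\[[^]]*\]:?/, "", port)
                if (port == "") port = "80"
                v6[FILENAME, port] = 1
            } else {                       # IPv4: 443, *:443, 192.0.2.1:443
                port = addr
                if (port ~ /:/) sub(/^.*:/, "", port)
                else if (port !~ /^[0-9]+$/) port = "80"
                v4[FILENAME, port] = 1
            }
        }
        END {
            for (k in v4) if (!(k in v6)) {
                split(k, p, SUBSEP)
                printf "%s: port %s has no [::] listener\n", p[1], p[2]
                bad = 1
            }
            exit bad
        }
    ' "$@"
}

# Constructed sample: an ssl.conf where the IPv6 line is still missing.
demo=$(mktemp)
printf '%s\n' 'listen 443 ssl http2;' 'ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;' > "$demo"
missing_ipv6_listen "$demo" || echo "add the [::] listen line, then run: sudo nginx -t"
rm -f "$demo"
```

On a server laid out as in the post, it can be pointed at /etc/nginx/conf.d/force-ssl-*.conf, /var/www/*/conf/nginx/ssl.conf and /etc/nginx/sites-enabled/22222.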

