Making IPv6 HTTP Servers reachable from IPv4 (2018-12-13)

Given that IPv4 addresses are becoming more and more expensive, it is increasingly attractive to give internal containers only IPv6 addresses. The problem is that many users still do not have a network connection that supports IPv6, so an IPv6-only service is simply unreachable for them.

The usual fix is a reverse HTTP proxy on an address that is globally reachable over IPv4. The downside is that such a proxy terminates TLS, so it has to hold the certificate and private key of every host it fronts. That concentrates all the private keys on one machine and turns the proxy into a place where every connection is readable in plaintext; it also makes Let's Encrypt awkward, because certificate issuance and renewal then have to happen on the proxy rather than on the host the certificate belongs to.

A better solution is a TLS SNI proxy. A modern HTTPS connection starts with a TLS ClientHello, which carries the domain name the client is connecting to in cleartext in the Server Name Indication (SNI) extension. The proxy can therefore read just the beginning of the connection, pick the IPv6 backend that serves that name, and from then on relay the raw bytes in both directions without ever decrypting them. The proxy holds no private keys, so it cannot read the encrypted data, and the backend keeps full control over its own certificate and can run Let's Encrypt itself. A few caveats a practitioner should keep in mind: the ClientHello may be split across several TCP segments, so the proxy has to buffer until it has the whole record before parsing; clients that send no SNI, or that use Encrypted Client Hello (which hides the name), cannot be routed this way and should be refused rather than sent to a default backend; and the backend sees the proxy's address as the client address unless something like the PROXY protocol is used to pass along the original IPv4 address.
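The following is an added example (not code from the original post) of the mechanism just described: a minimal SNI proxy that buffers the TLS ClientHello, extracts the server_name extension without decrypting anything, looks the name up in a hostname-to-IPv6 table, and then splices the connection to that backend. The `BACKENDS` mapping, the `2001:db8::` addresses and the `build_client_hello` helper (which fabricates a ClientHello as test input) are all constructed for the example; real clients send a far larger hello, but the record, handshake and extension framing parsed here is the standard TLS layout.

```python
import asyncio
import struct

class NeedMoreData(Exception):
    """Buffer does not yet hold the complete ClientHello record."""

def parse_sni(data: bytes):
    """Return the SNI hostname from a TLS ClientHello, or None (not TLS, no SNI, or malformed)."""
    if len(data) < 5:
        raise NeedMoreData
    if data[0] != 0x16:                      # record type 0x16 = handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise NeedMoreData                   # hello split across TCP segments: keep buffering
    hs = data[5:5 + rec_len]
    try:                                     # malformed input yields None, never an exception
        if hs[0] != 0x01:                    # handshake type 0x01 = client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]   # a hello spanning records is not reassembled
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # extensions block
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                                    # extension 0 = server_name
                continue
            q = 2                                             # skip ServerNameList length
            while q + 3 <= len(edata):                        # entries: name_type(1) len(2) name
                ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                                # 0 = host_name
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def build_client_hello(server_name: str) -> bytes:
    """Minimal ClientHello with an SNI extension; constructed test input, not a real client's."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed mapping of SNI hostname -> IPv6 backend (documentation-prefix addresses, not real hosts).
BACKENDS = {
    "app.example.com": ("2001:db8::10", 443),
}

def route(data: bytes, backends=BACKENDS):
    """Backend for this ClientHello, or None to refuse (missing or unknown SNI is never defaulted)."""
    host = parse_sni(data)
    return None if host is None else backends.get(host.lower().rstrip("."))

async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w, backends=BACKENDS):
    buf = b""
    while True:
        try:
            target = route(buf, backends)
            break
        except NeedMoreData:
            chunk = await client_r.read(16384)
            if not chunk or len(buf) + len(chunk) > 65536:      # EOF, or hello too large
                client_w.close()
                return
            buf += chunk
    if target is None:
        client_w.close()
        return
    backend_r, backend_w = await asyncio.open_connection(*target)
    backend_w.write(buf)                 # replay the bytes we consumed; nothing is decrypted anywhere
    await backend_w.drain()
    await asyncio.gather(_pipe(client_r, backend_w), _pipe(backend_r, client_w))

async def serve(listen="0.0.0.0", port=443):
    server = await asyncio.start_server(handle, listen, port)
    await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```

Two design points matter for security: the proxy refuses connections whose name is missing or unknown instead of falling through to some default backend, and it caps how much it will buffer while waiting for a complete hello so a slow or hostile client cannot make it hold memory indefinitely. For production use, the same idea is available off the shelf in nginx's stream `ssl_preread` module, in HAProxy in TCP mode (`req.ssl_sni`), and in the standalone sniproxy project; those also let you forward the original client address to the backend with the PROXY protocol, which this example does not do.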