Re: ipv6 implementation forwardfor except

From: Mike Hoffs <m.hoffs#mijn-sleutel.com>
Date: Sun, 17 Oct 2010 21:41:23 +0200


From: Mike Hoffs <m.hoffs#mijn-sleutel.com> To: Willy Tarreau <w#1wt.eu>
Date: 10/17/2010 09:40 PM
Subject: Re: ipv6 implementation forwardfor except
> > > Hi Mike,
> > >
> > > > Is it possible to implement at forwardfor except ipv6 ?
> > >
> > > It should not be hard to do. However, as noted in the source, it's a bit
> > > useless, because while IPv6 is used over the net, it's particularly rare
> > > on the local network, and the "except" keyword is only used to reference
> > > your local SSL proxies. Most often, it will only contain 127.0.0.0/8 or
> > > your local LAN address.
> >
> > I know but then we need two entries for haproxy for one single ipv6
> > address that we tunnel to ipv4.
> >
> > >
> > > > Now it is only possible to except an ipv4 address. If that is possible we
> > > > can also make the legacy stuff with ssl ipv6 reachable.
> > >
> > > In my opinion, this is independent. You can very well have your SSL reverse
> > > proxy receive IPv6 traffic and forward it to haproxy on 127.0.0.1 (IPv4).
> > >
> > > Do you have a concrete example where it's really needed ?
> >
> > Yes;
> >
> > Haproxy is configured to listen on ipv6 at port 80, both should be
> > reachable (80 & 443). With stunnel we capture 443 traffic, and tunnel it to
> > the single entry in haproxy. Haproxy is configured with forwardfor, stunnel
> > also. Now we have 2 ipv6 in the headers, and it would be nice to except the
> > local ipv6. With the solution to handle it on the local ipv4 should do the
> > trick but with many ssl hosts it's a bit messy. With single entry we keep the
> > haproxy config clean.
>
> OK I see. I agree with you that if your setup is IPv6-only, then it makes
> sense. It's not a common setup though. I'll try to figure out the required
> changes to support that.

I think more hosters in the same situation who want to adopt ipv6 also for the legacy stuff will run into this situation. It will be a great addition for us and hopefully for others. We run version 1.4.8; if you want, I can test the changes.

>
> Regards,
> Willy
>

Thanks in advance,
Regards,
Mike

Received on 2010/10/17 21:41
