Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts

How do I configure Apache IPv6 networking under a UNIX / Linux / BSD operating system? How do I configure httpd IPv6 and IPv4 under a RHEL / CentOS / Fedora / Debian / Ubuntu Linux?

Update the httpd.conf file with the Listen directive, which tells Apache to listen only on specific IPv4 and IPv6 addresses or ports. By default, Apache responds to requests on all IP interfaces, over both IPv4 and IPv6. Our sample setup is as follows:

  1. sxi.io has address 74.86.48.99
  2. sxi.io has IPv6 address 2607:f0d0:1002:11::4

The Apache httpd.conf configuration file remains the same under UNIX, BSD and Linux operating systems.

Linux Apache IPv6 Configuration

Open the httpd.conf file, enter:
# vi httpd.conf
To make the server accept connections on 74.86.48.99 and port 80, use:

Listen 74.86.48.99:80

IPv6 addresses must be enclosed in square brackets. To make the server accept connections on 2607:f0d0:1002:11::4 and port 80, use:

Listen [2607:f0d0:1002:11::4]:80

Save and close the file. Restart or reload the Apache server:
# service httpd restart
OR
# systemctl restart httpd.service

Verify Apache Is Working In Dual Stack Mode

Use the netstat command as follows:
# netstat -tulpn | grep :80
Sample Outputs:

tcp        0      0 74.86.48.99:80              0.0.0.0:*                   LISTEN      4473/httpd       
tcp        0      0 2607:f0d0:1002:11::4:80     :::*                        LISTEN      4473/httpd
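The check above can be scripted. The following is an added example, not part of the original article: it reads `netstat -tulpn` output and fails if the port is bound to a wildcard address or to any address other than the two configured with Listen. The function name `check_dual_stack` is hypothetical; the first sample is the output shown above, the second is constructed.

```sh
#!/bin/sh
# Added example: audit `netstat -tulpn` output for the dual-stack binding.
# Usage: netstat -tulpn | check_dual_stack PORT IPV4_ADDR IPV6_ADDR
check_dual_stack() {
    awk -v port="$1" -v want4="$2" -v want6="$3" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = match($4, /:[0-9]+$/)        # the port follows the LAST colon
        if (n == 0 || substr($4, n + 1) != port) next
        addr = substr($4, 1, n - 1)      # ":::80" yields "::"
        if (addr == "0.0.0.0" || addr == "::") wildcard = wildcard " " addr
        else if (addr == want4) seen4 = 1
        else if (addr == want6) seen6 = 1
        else extra = extra " " addr
    }
    END {
        bad = 0
        if (wildcard != "") { print "FAIL wildcard listener:" wildcard; bad = 1 }
        if (extra != "")    { print "FAIL unexpected listener:" extra; bad = 1 }
        if (!seen4) { print "FAIL no listener on " want4; bad = 1 }
        if (!seen6) { print "FAIL no listener on " want6; bad = 1 }
        if (!bad) print "OK: port " port " is bound only to " want4 " and " want6
        exit bad
    }'
}

# Sample 1: the netstat output shown in the article.
PAGE_SAMPLE='tcp        0      0 74.86.48.99:80              0.0.0.0:*                   LISTEN      4473/httpd
tcp        0      0 2607:f0d0:1002:11::4:80     :::*                        LISTEN      4473/httpd'

# Sample 2 (constructed): Apache left on its default "Listen 80".
WILDCARD_SAMPLE='tcp6       0      0 :::80                   :::*                    LISTEN      4473/httpd'

printf '%s\n' "$PAGE_SAMPLE" |
    check_dual_stack 80 74.86.48.99 2607:f0d0:1002:11::4 || true
printf '%s\n' "$WILDCARD_SAMPLE" |
    check_dual_stack 80 74.86.48.99 2607:f0d0:1002:11::4 || true
```
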

Configure iptables to Allow Access to the Web Server Via IPv6

The default ip6tables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server. This modification allows that access, while keeping other ports on the server in their default protected state. Edit the /etc/sysconfig/ip6tables file (the IPv6 firewall configuration file under CentOS / RHEL / Fedora Linux):
# vi /etc/sysconfig/ip6tables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain (on a RHEL/CentOS 6.x or older):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

Add the following if you have configured HTTPS port:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

A note about CentOS / RHEL v7.x or above

The rules are as follows:

-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT

Save and close the file. Restart the firewall:
# service ip6tables restart
OR
# systemctl restart ip6tables
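The ordering requirement above (ACCEPT lines placed before the final DROP) can be checked before restarting the firewall. This is an added example, not part of the original article: the function name `check_accept_order` is hypothetical, both rule sets are constructed samples, and only an unconditional DROP or REJECT (a rule with no match options) is treated as the chain's catch-all.

```sh
#!/bin/sh
# Added example: confirm the ACCEPT rule for a port comes before the
# catch-all DROP/REJECT of a chain in an ip6tables rules file.
# Usage: check_accept_order CHAIN PORT < /etc/sysconfig/ip6tables
check_accept_order() {
    awk -v chain="$1" -v port="$2" '
    $1 == "-A" && $2 == chain {
        rule++
        target = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j")      target = $(i + 1)
            if ($i == "--dport") dport  = $(i + 1)
        }
        if (target == "ACCEPT" && dport == port && !accept_at) accept_at = rule
        # Catch-all: "-A CHAIN -j DROP|REJECT" with no match options.
        if ($3 == "-j" && (target == "DROP" || target == "REJECT") && !block_at)
            block_at = rule
    }
    END {
        if (!accept_at) { print "MISSING: no ACCEPT for port " port; exit 1 }
        if (block_at && block_at < accept_at) {
            print "SHADOWED: ACCEPT at rule " accept_at " follows catch-all at rule " block_at
            exit 1
        }
        print "OK: port " port " accepted at rule " accept_at
    }'
}

# Constructed sample: ACCEPT placed before the final LOG and DROP lines.
GOOD_RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP'

# Constructed sample: ACCEPT appended after the DROP, so it never matches.
BAD_RULES='-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | check_accept_order RH-Firewall-1-INPUT 80 || true
printf '%s\n' "$BAD_RULES"  | check_accept_order RH-Firewall-1-INPUT 80 || true
```
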

Dual Stacked IPv4 and IPv6 Virtual Hosts Configurations

You need to update httpd.conf as follows for dual stacked httpd virtual hosting:

# IPv4 configuration
<VirtualHost 74.86.48.99>
	ServerAdmin [email protected]
	DocumentRoot /home/httpd/sxi.io/http
	ServerName sxi.io
	ServerAlias sxi.io
	ErrorLog logs/sxi.io-error_log
	TransferLog logs/sxi.io-access_log
        ErrorLog "/home/httpd/sxi.io/logs/error.log"
        CustomLog "/home/httpd/sxi.io/logs/access.log" common
        ScriptAlias /cgi-bin/ "/home/httpd/sxi.io/cgi-bin/"
 
# For php5 fastcgi add +ExecCGI
 	<Directory "/home/httpd/sxi.io/http">
		Options -Indexes FollowSymLinks +ExecCGI
		AllowOverride AuthConfig FileInfo
		AddHandler php5-fastcgi .php
		Action php5-fastcgi /cgi-bin/php.fcgi
		Order allow,deny
		Allow from all
	</Directory>
 
# Default cgi-bin perms
	<Directory "/home/httpd/sxi.io/cgi-bin">
		AllowOverride None
		Options None
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost> 
 
# IPv6 configuration; note the separate log files
<VirtualHost [2607:f0d0:1002:11::4]>
	ServerAdmin [email protected]
	DocumentRoot /home/httpd/sxi.io/http
	ServerName sxi.io
	ServerAlias sxi.io
	ErrorLog logs/sxi.io-error_log
	TransferLog logs/sxi.io-access_log
        ErrorLog "/home/httpd/sxi.io/logs/ipv6.error.log"
        CustomLog "/home/httpd/sxi.io/logs/ipv6.access.log" common
        ScriptAlias /cgi-bin/ "/home/httpd/sxi.io/cgi-bin/"
 
# For php5 fastcgi add +ExecCGI
 	<Directory "/home/httpd/sxi.io/http">
		Options -Indexes FollowSymLinks +ExecCGI
		AllowOverride AuthConfig FileInfo
		AddHandler php5-fastcgi .php
		Action php5-fastcgi /cgi-bin/php.fcgi
		Order allow,deny
		Allow from all
	</Directory>
 
# Default cgi-bin perms
	<Directory "/home/httpd/sxi.io/cgi-bin">
		AllowOverride None
		Options None
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>

Save and close the file. Restart Apache web server:
# service httpd restart
OR
# systemctl restart httpd

A Note About BSD PF Firewall

You need to update /etc/pf.conf as follows under OpenBSD / FreeBSD operating systems:

# Define IPv6 addresses
apache_ipv6 = "{ 2607:f0d0:1002:11::4 }"
# Open port 80
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port http keep state
# Open port 443
pass in on $ext_if inet6 proto tcp from any to $apache_ipv6 port https keep state

Save and close the file. Reload pf firewall:
# /etc/rc.d/pf reload
OR
# /sbin/pfctl -nf /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf

Additional Resources

Further resources should be consulted for more extensive configuration guidance, especially if particular applications need to be secured:

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.