StuRa/stura-infra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
stura-infra/hosts/v6proxy
History
goeranh 6ea1a37bef
add v6proxy docs
2026-03-13 17:32:05 +01:00
..
default.nix ipv6 haproxy pass everything to 141.56.51.1 2026-03-13 17:24:06 +01:00
hardware-configuration.nix ipv6 haproxy pass everything to 141.56.51.1 2026-03-13 17:24:06 +01:00
hetzner-disk.nix ipv6 haproxy pass everything to 141.56.51.1 2026-03-13 17:24:06 +01:00
README.md add v6proxy docs 2026-03-13 17:32:05 +01:00

README.md

v6proxy Host - IPv6 Gateway

IPv6 gateway proxy hosted on Hetzner VPS, forwarding all IPv6 traffic to the main IPv4 proxy.

Overview

  • Hostname: v6proxy
  • IPv4 Address: 178.104.18.93/32
  • IPv6 Address: 2a01:4f8:1c19:96f8::1/64
  • Type: Hetzner VPS (Full VM)
  • Services: HAProxy (IPv6 to IPv4 forwarding)
  • Role: IPv6 gateway for StuRa HTW Dresden infrastructure

Architecture

The v6proxy serves as an IPv6 gateway because the main infrastructure at 141.56.51.0/24 is IPv4-only:

  • All IPv6 DNS records (AAAA) point to this host (2a01:4f8:1c19:96f8::1)
  • HAProxy forwards all IPv6 HTTP/HTTPS traffic to the main proxy at 141.56.51.1
  • The main proxy then handles routing to backend services
  • Simple pass-through configuration - no SNI inspection or routing logic

Why This Host Exists

The HTW Dresden network (141.56.51.0/24) does not have native IPv6 connectivity. This Hetzner VPS provides:

  1. IPv6 connectivity: Public IPv6 address for all services
  2. Transparent forwarding: All traffic is forwarded to the IPv4 proxy
  3. No maintenance overhead: Simple configuration, no routing logic

This allows all StuRa services to be accessible via IPv6 without requiring IPv6 support in the HTW network.

Services

HAProxy

HAProxy runs in simple TCP forwarding mode:

HTTP (Port 80)

  • Binds to IPv6 :::80
  • Forwards all traffic to 141.56.51.1:80
  • No HTTP inspection or routing

HTTPS (Port 443)

  • Binds to IPv6 :::443
  • Forwards all traffic to 141.56.51.1:443
  • No SNI inspection or TLS termination

Key features:

  • Logging: All connections logged to systemd journal
  • Stats page: Available at http://127.0.0.1:8404/stats (localhost only)
  • Max connections: 50,000
  • Buffer size: 32,762 bytes
  • Timeouts: 5s connect, 30s client/server

Configuration Philosophy

Unlike the main proxy at 141.56.51.1, this proxy is intentionally simple:

  • No SNI inspection
  • No HTTP host header routing
  • No ACME challenge handling
  • Just pure TCP forwarding

All routing logic happens at the main IPv4 proxy. This keeps the v6proxy configuration minimal and reduces maintenance burden.

Deployment Type

The v6proxy is a Hetzner VPS (full VM):

  • Hosted outside HTW network
  • Uses Hetzner-specific disk layout (hetzner-disk.nix)
  • Network interface: eth0
  • Both IPv4 and IPv6 connectivity

Network Configuration

IPv4

  • Address: 178.104.18.93/32
  • Gateway: 172.31.1.1
  • Interface: eth0

IPv6

  • Address: 2a01:4f8:1c19:96f8::1/64
  • Gateway: fe80::1 (link-local)
  • Route: Default route via fe80::1
  • Interface: eth0

DNS

  • Nameservers: 9.9.9.9, 1.1.1.1 (Quad9 and Cloudflare)
  • Uses public DNS servers (not HTW internal DNS)

Firewall

  • Firewall: nftables enabled
  • Open ports: 22, 80, 443

DNS Configuration

For IPv6 support, configure AAAA records pointing to this host:

proxy.htw.stura-dresden.de       AAAA  2a01:4f8:1c19:96f8::1
*.htw.stura-dresden.de           CNAME proxy.htw.stura-dresden.de

This provides IPv6 access to all services while IPv4 traffic continues to use the main proxy (141.56.51.1).

Deployment

See the main README for deployment methods.

Initial Installation

Using nixos-anywhere (recommended):

nix run github:nix-community/nixos-anywhere -- --flake .#v6proxy --target-host root@178.104.18.93

This handles disk partitioning via disko automatically.

Updates

# From local machine
nixos-rebuild switch --flake .#v6proxy --target-host root@178.104.18.93

# Or use auto-generated script
nix run .#v6proxy-update

Disko Configuration

The v6proxy uses the Hetzner-specific disk layout (hetzner-disk.nix):

  • Filesystem: Btrfs or Ext4 (Hetzner default)
  • Declarative disk management via disko
  • Automatic partitioning on installation

Traffic Flow

IPv6 request flow:

  1. Client connects to 2a01:4f8:1c19:96f8::1 (v6proxy)
  2. v6proxy forwards to 141.56.51.1:443 (main IPv4 proxy)
  3. Main proxy performs SNI inspection and routes to backend
  4. Backend responds through the chain

For the client, the IPv6 connectivity is transparent - they don't know the backend infrastructure is IPv4-only.

HAProxy Configuration

The HAProxy configuration is minimal:

frontend http-in
  bind :::80
  use_backend http_80

frontend sni_router
  bind :::443
  mode tcp
  use_backend http_443

backend http_80
  mode http
  server proxy 141.56.51.1:80

backend http_443
  mode tcp
  server proxy 141.56.51.1:443

This is intentionally simple - all routing intelligence is at 141.56.51.1.

HAProxy Stats

Access HAProxy statistics page (localhost only):

# SSH into v6proxy
ssh root@178.104.18.93

# Access stats via curl
curl http://127.0.0.1:8404/stats

# Or forward port to your local machine
ssh -L 8404:127.0.0.1:8404 root@178.104.18.93
# Then browse to http://localhost:8404/stats

The stats page shows:

  • Current connections to main proxy backend
  • Traffic statistics
  • Connection status

Monitoring

Check HAProxy Status

# HAProxy service status
systemctl status haproxy

# View HAProxy logs
journalctl -u haproxy -f

# Check configuration
haproxy -c -f /etc/haproxy/haproxy.cfg

Test Connectivity

# Test IPv6 HTTP forwarding
curl -6 -v http://[2a01:4f8:1c19:96f8::1]/

# Test IPv6 HTTPS forwarding
curl -6 -vk https://[2a01:4f8:1c19:96f8::1]/

# Test backend connectivity (IPv4 to main proxy)
curl -v http://141.56.51.1/
curl -vk https://141.56.51.1/

# Check IPv6 routing
ip -6 route show
ping6 2a01:4f8:1c19:96f8::1

Troubleshooting

HAProxy not starting

# Check HAProxy status
systemctl status haproxy

# Check configuration syntax
haproxy -c -f /etc/haproxy/haproxy.cfg

# View HAProxy logs
journalctl -u haproxy -f

IPv6 connectivity issues

# Verify IPv6 address is configured
ip -6 addr show eth0

# Check IPv6 routing
ip -6 route show

# Test IPv6 connectivity
ping6 2606:4700:4700::1111  # Cloudflare DNS

# Check IPv6 firewall rules
nft list ruleset | grep ip6

Backend (main proxy) unreachable

# Test IPv4 connectivity to main proxy
ping 141.56.51.1
curl -v http://141.56.51.1/
curl -vk https://141.56.51.1/

# Check HAProxy backend status
curl http://127.0.0.1:8404/stats | grep proxy

# View connection errors
journalctl -u haproxy | grep -i error

DNS not resolving

# Check nameserver configuration
cat /etc/resolv.conf

# Test DNS resolution
dig git.adm.htw.stura-dresden.de A
dig git.adm.htw.stura-dresden.de AAAA

# Test with specific nameserver
dig @9.9.9.9 git.adm.htw.stura-dresden.de

Security Considerations

  • No TLS termination: Traffic is passed through encrypted to main proxy
  • No deep packet inspection: Simple TCP forwarding only
  • Minimal attack surface: No routing logic or service-specific configuration
  • Public IPv6 address: Exposed to the internet, firewall must be properly configured

Performance Considerations

  • Additional hop: IPv6 traffic goes through an extra proxy hop
  • Latency: Hetzner → HTW network adds some latency
  • Bandwidth: Hetzner provides high bandwidth, unlikely to be a bottleneck
  • Connection limits: HAProxy configured for 50,000 concurrent connections

For most use cases, the additional latency is negligible (typically <10ms within Germany).

Cost and Hosting

  • Provider: Hetzner Cloud
  • Type: VPS (Virtual Private Server)
  • Location: Germany (likely Falkenstein or Helsinki datacenter)
  • Cost: Minimal - basic VPS tier sufficient for forwarding traffic

Future Improvements

Possible improvements (not currently needed):

  1. Native IPv6 at HTW: If HTW network gains IPv6, this proxy can be decommissioned
  2. GeoDNS: Use GeoDNS to route IPv4 and IPv6 separately
  3. Monitoring: Add automated monitoring and alerting
  4. Failover: Add a second IPv6 proxy for redundancy

Files and Directories

  • HAProxy config: /etc/haproxy/haproxy.cfg (generated by Nix)
  • Disk config: ./hetzner-disk.nix (disko configuration)
  • Hardware config: ./hardware-configuration.nix (Hetzner VPS hardware)
  • NixOS config: ./default.nix (v6proxy configuration)

Relationship to Main Proxy

Feature v6proxy (IPv6 Gateway) proxy (Main Proxy)
IP Version IPv4 + IPv6 IPv4 only
Location Hetzner Cloud HTW network (141.56.51.0/24)
Function Simple forwarding SNI routing, service routing
Complexity Minimal Complex routing logic
HAProxy Mode TCP forwarding TCP + HTTP with SNI inspection
TLS Handling Pass-through Pass-through (SNI inspection)
ACME Handling None Forwards challenges to backends

The v6proxy is intentionally minimal - all intelligence lives at the main proxy.

See Also