Thursday , November 21 2019

ungleich Blog – How to break IPv4 HTTP?


Suppose you have just woken up and decided that all your services should run on IPv6-only systems. This is exactly what happened to us and started at. Although you may have a (strong) distaste for IPv4, you must recognize that there are still some users who do not have IPv6. For this reason, you decide to set up a proxy that connects the IPv4 world to the IPv6 world.


This is what happened here at ungleich, and this blog article describes one of our proxies and its challenges.

Let's start easy

As Aldous Huxley said: first things first. Before trying to run the https proxy, let's first try to run the http proxy. This is why we decided to use a simple nginx configuration that can easily be extended:

map $http_host $proxy_dest {
    hostnames;
    # the two domain names were stripped from the page; the .invalid names are placeholders
    proxied-a.invalid   [2a0a:e5c0:2:12:400:f0ff:fea9:c3c4];
    proxied-b.invalid   [2a0a:e5c0:2:12:400:f0ff:fea9:c3dd];
    default             [2a0a:e5c0:0:2:400:b3ff:fe39:79ff];
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        root /var/www/html;
        try_files $uri @ipv6backend;
    }

    location @ipv6backend {
        proxy_pass http://$proxy_dest:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

It works well, and the backend, our IPv6-only web server, learns who originally made the request via the X-Forwarded-For HTTP header. Nice and easy, no?


Getting cryptic

If http is that easy, https should not be much more complicated, right? Wrong. Before going into a solution, let's look at the fundamental difference: with http there is no encryption, no signature, no trust. So whoever sits between you and the web server you want to reach can easily set up a proxy and "sniff" your data. This is why the industry has moved to https. For https you need a valid certificate, which enables encryption and signing of the data so that nobody between you and the web server can read or change the content.

Assuming that https is secure, does this mean our proxy project has already failed at this point?

Try 1: Letsencrypt to the rescue?


What is special about our proxy situation? Usually the IPv4 and IPv6 addresses of a domain name point to the *same* machine. In our case, however, we want IPv6 traffic to go directly to the IPv6 system and IPv4 traffic to go to our proxy.

In terms of DNS configuration, this means that the AAAA record points directly to the (real) server, but the A record points to the proxy.

Our first approach to solving this is to use letsencrypt, which offers free automated certificates, so getting two certificates for the same name on two different systems is not an issue.

Problem solved? It turns out that certbot, which is commonly used to obtain the certificates, does not allow selecting the protocol (IPv4 vs IPv6) over which the challenge is expected.

Although this is a potential problem, we found a way around it with nginx. Let's look again at a part of the configuration from above:

    location / {
        root /var/www/html;
        try_files $uri @ipv6backend;
    }

Because we do not know over which protocol the challenge is performed, we first try to find the challenge file locally (using try_files); if we cannot find it, the IPv6 host must have requested the challenge, so we forward it there. Nice and easy, no?

This way we can configure one server block per https backend in nginx:

server {
    listen 443;
    listen [::]:443;

    access_log /var/log/nginx/access.log;

    ssl on;
    # the certificate paths are truncated in the page; only the /etc/letsencrypt/live/ prefix survived
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

    client_max_body_size 1024m;

    location / {
        root /var/www/html;
        try_files $uri @ipv6backend;
    }

    location @ipv6backend {
        proxy_pass https://$proxy_dest:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Opening Pandora's box

Nice, isn't it? We say yes and no at the same time:

The way we have set up the proxy, we at ungleich could potentially read and even modify requests going to your server. The person running the IPv6 services allows us to do this by adding the A record that points to our proxy. This is not a problem for our own systems. But what about customers?

One could argue that running on any provider's infrastructure already means trusting that provider, and therefore this should not be a problem.

However, our position is that we DO NOT WANT TO SEE YOUR DATA. We do not care about it, and we want to make ourselves unable to see it.

This is also why we encourage everyone who runs a web server to redirect all http traffic to https.

Try 2: change the layer

Let's stop for a moment and think back to what we want to do. We want to enable the IPv6-only host to receive http and https traffic from the IPv4 world. For the http proxy this is not a problem, because it is plain text anyway and adding our proxy in the middle does not change anything about that. For https the situation is a bit more complicated, since something that is supposed to be encrypted end-to-end is split in half.

Instead of looking at layer 7, http/https, let's look at the IP layer. What if we only looked at the destination IPv4 address and then forwarded the packets to the correct IPv6 host?

Well, that would actually bring us back to the original reason IPv6 was created: we would need one IPv4 address for every IPv6 address. Not very promising, is it?

Try 3: In the middle

So, if breaking https is too much and forwarding on an IP basis is too little, what if we could go in between? It turns out that haproxy actually supports SNI-based (Server Name Indication) detection of the destination host. The interesting part is that, instead of proxying https, haproxy can simply proxy the connection at the TCP level.

This has a couple of advantages: there is no decryption and re-encryption in the proxy, and therefore no certificates are required on the proxy either.
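How SNI-based backend selection works without any decryption, as an added example that is neither ungleich's nor haproxy's code: extract_sni parses the server_name extension out of a raw TLS ClientHello, and pick_backend looks the name up in a table modelled on the nginx map above. The .invalid host names and build_client_hello (a constructed test input) are assumptions, not from the post.

```python
import struct
# Constructed routing table in the spirit of the nginx map above (placeholder host names).
BACKENDS = {
    "proxied-a.invalid": "[2a0a:e5c0:2:12:400:f0ff:fea9:c3c4]",
    "proxied-b.invalid": "[2a0a:e5c0:2:12:400:f0ff:fea9:c3dd]",
}
DEFAULT_BACKEND = "[2a0a:e5c0:0:2:400:b3ff:fe39:79ff]"

def extract_sni(record):
    """host_name from the SNI extension of a raw TLS ClientHello, or None; nothing is decrypted."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record carrying a ClientHello
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                 # skip client_version and random
        pos += 1 + hello[pos]                        # skip session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2 + cs_len                            # skip cipher_suites
        pos += 1 + hello[pos]                        # skip compression_methods
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos, end = pos + 2, pos + 2 + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext, pos = hello[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
            if ext_type != 0:                        # 0 = server_name extension
                continue
            q = 2                                    # skip server_name_list length
            while q + 3 <= len(ext):
                name_type, (name_len,), q = ext[q], struct.unpack("!H", ext[q + 1:q + 3]), q + 3
                if name_type == 0:                   # 0 = host_name
                    return ext[q:q + name_len].decode("ascii")
                q += name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def pick_backend(record):
    # Same idea as the nginx map, keyed on the SNI instead of the http Host header.
    return BACKENDS.get(extract_sni(record), DEFAULT_BACKEND)

def build_client_hello(server_name):  # constructed test input carrying only an SNI extension
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name + name
    sni = struct.pack("!H", len(entry)) + entry                 # server_name_list
    exts = struct.pack("!HH", 0, len(sni)) + sni                # extension type 0 (server_name)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # ver, rnd, sid, suite, compr
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello       # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLS record header
```

Only the cleartext ClientHello is read, so the proxy learns the host name and nothing else; the TCP payload is then relayed untouched.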


A fundamental problem

So, all good? Well, unfortunately, the TCP-based proxy has a very serious disadvantage: it is impossible to modify the request, and therefore it is also impossible to add information about which IPv4 address originally sent the request.

So the problem is: either the connection is terminated by the proxy, so that headers can be injected at the source, or the original request information is lost.

Interestingly though, this problem does not exist for http in the first place.

Request for comments

Our mission at ungleich is to enable the IPv6 world, because we love IPv6. This proxy, however, is a bit of a philosophical challenge.

To solve it, we would like to hear your opinion!

  • Is it better to open up https and add the source IP?
  • Do you prefer the TCP-based proxy without any modification?
  • There is a better way!

Let us hear your opinion on twitter!

Update 1: using haproxy on the IPv6-only host

We have just been told that haproxy may actually be able to pass on the source IP using a haproxy-based protocol. We will investigate this.

Update 2: IP rewriting to ::ffff:0:A.B.C.D/96

We have just received a proposal to simply rewrite the IPv4 address a.b.c.d into ::ffff:0:A.B.C.D/96, the prefix specified for stateless IP/ICMP translation (SIIT). As far as we can see at the moment, this would be a very interesting way, as the native IPv6 application can directly read the source IPv4 address. However, it requires implementing the reverse translation and the routing.

The credits for this go to Gene Redinger, thank you for pointing it out!

Update 3: follow-up on IP rewriting

In update 2 we described embedding the originating IPv4 address in the well-known IPv6 prefix ::ffff:0:A.B.C.D/96; a simpler variant may also be available: in all our data centers we have already deployed NAT64 to allow our IPv6-only hosts to reach the IPv4 Internet. For this to work properly, we use DC-specific prefixes.

Although this seems very tempting, and in theory the http-https-ipv4-ipv6 proxy would "only" need to perform layer 7 inspection (SNI or http Host header), there is a fundamental routing problem here: when the IPv6-only VM responds, the response will not pass through the http proxy and will therefore carry a generic IPv4 source address that does not match that of the http proxy, so the TCP connection will fail.

However, if the NAT64 gateway were the same machine as the http proxy, this approach could work.

We will soon test this approach in our lab!
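The address embedding from update 2 and the reverse translation it calls for, as an added example that is not from the post: embed_ipv4 rewrites an IPv4 client into a /96, and original_client is what the application on the IPv6-only host would do to get the real client back. Both helpers are constructed; the prefix parameter goes beyond the post in that it also accepts the DC-specific NAT64 prefixes mentioned in update 3.

```python
import ipaddress

# Well-known IPv4-translated prefix from update 2, ::ffff:0:a.b.c.d. Note the extra zero group,
# which sets it apart from the IPv4-mapped ::ffff:a.b.c.d range that is not in this /96.
TRANSLATED_PREFIX = "::ffff:0:0:0/96"

def embed_ipv4(client_v4, prefix=TRANSLATED_PREFIX):
    """Rewrite IPv4 source a.b.c.d into the given /96; pass a data-center NAT64 prefix
    (update 3) to use that instead of the SIIT prefix. Constructed helper."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("IPv4 embedding needs a /96 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(client_v4)))

def original_client(source_v6, prefix=TRANSLATED_PREFIX):
    """Reverse translation as the IPv6-only application sees it: a source inside the /96
    yields the embedded IPv4 client; anything else is a native IPv6 client. Constructed helper."""
    src = ipaddress.IPv6Address(source_v6)
    if src in ipaddress.IPv6Network(prefix):
        return ipaddress.IPv4Address(int(src) & 0xFFFFFFFF)   # low 32 bits carry a.b.c.d
    return src
```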
