Background:
Have you heard of World IPv6 Day? On June 8 2011, a lot of very prominent web sites, like Google, Facebook, Yahoo and many more, are going to host their web site on dual stack for the day. They do this by publishing a AAAA DNS record, that’s an IPv6 address in DNS, so their site will resolve and be available on both IPv4 and IPv6 simultaneously. In other words, if you type in www.google.com on June 8 2011 and your computer can reach the IPv6 Internet, then your browser will fetch the AAAA record and connect to Google’s site via IPv6, instead of IPv4. If you don’t have IPv6, you’ll just connect the same old way you do today. Either way, it’s going to be rather transparent to the end user, unless these sites flash something to users to say “HEY, YOU CONNECTED OVER IPv6”.
Challenge:
So, thinking about any web site out there that currently lives on IPv4, how can we make it dual stack, without owning or touching the existing servers? Answer: with a proxy. We want this proxy to be a separate machine, anywhere on the Internet, that already has dual stack hosting.
The dedicated, dual stacked proxy server will listen on an IPv6 IP address and forward that traffic to an IPv4 address. Can this be done reliably for a web site for World IPv6 Day? I think yes, it can. For one, the percentage of Internet traffic that’ll come over IPv6, even on this day, is only about 1% to 5%. So, as long as this proxy server can handle 5% of your normal load, it’ll work.
You can use HAProxy, available at http://haproxy.1wt.eu/, to turn your Linux or Solaris based dedicated (or virtual dedicated) server into an IPv6 translation proxy! And, it’ll work for both HTTP and HTTPS.
You don’t need to load the HTTPS SSL cert, either. HAProxy can TCP proxy, instead of HTTP proxy, so the end user will be talking directly to the server. The only caveat to this is that all traffic from your proxy will appear to the server as coming from the proxy’s IPv4 IP. You’ll lose all visibility of the source IP.
Read on to see the proof of concept in action:
Proof of Concept:
To prove this can work, I took a look at a random 3rd party web site that I’d like to see participate in World IPv6 Day. I chose www.godaddy.com as the test subject.
I did this install on a dedicated server first.
Install HAProxy:
cd /usr/local/src
wget http://haproxy.1wt.eu/download/1.4/src/haproxy-1.4.11.tar.gz
tar -xzf haproxy-1.4.11.tar.gz
cd haproxy-1.4.11
make TARGET=linux26 ARCH=i386
make install
cd examples/
cp haproxy.init /etc/init.d/haproxy
chmod 755 /etc/init.d/haproxy
# In vim, point the init script at the /usr/local/sbin install path:
vim /etc/init.d/haproxy   # :%s&/usr/sbin/&/usr/local/sbin/&g
mkdir /etc/haproxy
Then, I dropped this /etc/haproxy/haproxy.cfg file into place:
#
# HAProxy configuration file for IPv6 translation to IPv4-only webservice reverse proxy
#
# Version 1.0 - 2011-02-19
#
# This file should be saved as /etc/haproxy/haproxy.cfg
# All IP addresses mentioned are meant to be replaced with YOUR IPs, please do so
#
# Tested with: CentOS 5.5 kernel 2.6.18-164.6.1.el5, haproxy version 1.4.11
# Full documentation about all available options located here: http://haproxy.1wt.eu/
#
# Intended for use on a separate dedicated dual-stack server system for IPv6 proxying
# Use at least HAProxy version 1.4.11
# This will forward all incoming tcp requests for [2607:f208:1:1000::101] on ports 80 and 443 to 97.74.104.201
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode tcp
    option dontlognull
    retries 3
    maxconn 4000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen ipv6proxy80 2607:f208:1:1000::101:80
    mode tcp
    server ipv4server80 97.74.104.201:80
    maxconn 4000

listen ipv6proxy443 2607:f208:1:1000::101:443
    mode tcp
    server ipv4server443 97.74.104.201:443
    maxconn 4000
Please note, at the time of making this, www.godaddy.com resolved to 97.74.104.201. If Go Daddy changes this ip, then my configuration breaks. This is just an example. I could have done this with any website.
Start HAProxy (Note: if you’re running anything on port 80 or port 443, like APACHE, you’ll need to stop it for this to work):
/etc/init.d/haproxy start
And now, all Go Daddy needs to do to make their web site dual stack is publish this AAAA record:
2607:f208:1:1000::101 www.godaddy.com
Go Daddy is not going to do this, of course. They’ll roll their own IPv6 solution. Just saying, hypothetically speaking, any web site could use this method to provide their web site on dual stack hosting. Could be the tactic to use for World IPv6 Day.
BUT I WANT TO SEE THIS WORK NOW, CAN I? YES….. I can trick my computer into thinking this AAAA record already exists by jamming it into my HOSTS file, like this:
2607:f208:1:1000::101 www.godaddy.com
Note, the HOSTS file on a MacBook is /etc/hosts. On Windows, it’s C:\windows\system32\drivers\etc\hosts
Restart your browser to make sure it picks up the HOSTS file change, and voilà, you are viewing the site through IPv6, assuming you have IPv6 connectivity at home.
If you try this at home, remember to remove this entry from your hosts file when you’re done playing, because you want to be able to get to www.godaddy.com later, and this example is less than 100% reliable/stable.
See my previous article on the topic of Cox Communication (NOT) using IPv6 transition mechanism 6to4 Relay anycast prefix because you may already have IPv6 access and didn’t realize it!
Note: I also tried this on a VM at 2607:f208:201:102::12 and it worked there too.
Okay, so how did you convince Cox in Phoenix to give you an IPv6 address? I’ve contacted them and was told they don’t have test markets in the west for residential customers.
Oh, sweet, nevermind. I simply set up my router to support IPv6 and it just started working. Now I just need to find some time to understand the scripts I had to copy/paste.
If you’re not doing SSL, you can have HAProxy inject the standard X-Forwarded-For: header that will allow the upstream web server to know the correct client IP. Many web application stacks, such as Ruby on Rails, will automatically use that header as the source IP if it is provided with no additional configuration required.
@Brian – thanks, great suggestion! Just add:
option forwardfor
And that’s it. To get apache to automatically change the source IP for the application stack and the log files, check out http://stderr.net/apache/rpaf/
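
Added example (not from the original post or its comments): a sketch of how the origin application could recover the client address that the TCP proxy hides, once `option forwardfor` is enabled on an HTTP-mode listener. The header is trusted only when the connection comes from the proxy, and only the last entry is used, because HAProxy appends its header after any the client sent; that entry will often be an IPv6 address. The proxy address 192.0.2.10 and the function name client_ip are assumptions for illustration.

```python
import ipaddress

# Assumption: the IPv4 address the HAProxy box uses to reach the origin.
# 192.0.2.10 is a documentation address, not a value from the post.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("192.0.2.10")})


def _parse_ip(text):
    """Return an ip_address object for text, or None if it is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer_ip, xff_headers, trusted=TRUSTED_PROXIES):
    """Pick the address to log, rate-limit or apply ACLs on.

    peer_ip     -- source address of the TCP connection as seen by the origin
    xff_headers -- every X-Forwarded-For header value, in arrival order
    """
    peer = ipaddress.ip_address(peer_ip)
    # A client that reaches the origin directly can send any header it
    # likes, so the header is ignored unless the peer is our proxy.
    if peer not in trusted or not xff_headers:
        return str(peer)
    # The proxy's header comes after anything the client supplied, so only
    # the last entry of the last header was written by the proxy.
    last_entry = xff_headers[-1].split(",")[-1]
    addr = _parse_ip(last_entry)
    # Malformed value: fall back to the connection address.
    return str(addr) if addr is not None else str(peer)


if __name__ == "__main__":
    # Constructed requests: (connection source, X-Forwarded-For headers).
    samples = [
        ("198.51.100.7", ["2001:db8::1"]),             # direct hit, forged header
        ("192.0.2.10", ["10.0.0.1", "2001:db8::beef"]),  # via proxy, client spoof first
        ("192.0.2.10", ["garbage"]),                     # via proxy, unusable header
    ]
    for peer, headers in samples:
        print(peer, headers, "->", client_ip(peer, headers))
```
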