IPv6 and HE certification web server question
-
@johnpoz mine certification says โexplorerโ right now. For an Apache web server I am able to just nat the wan connection to the web server in pfSense for ipv4. For the ipv6 do I just nat the tunnel IPv6 address to the web servers ipv6 address? Is it the clients or the server address that is issued to me in HE tunnel? The client is it the ::2?
-
Noop.
Explorer it will be, as you didn't get yet what this is all about.
In few words : IPv6, also in your case, a web server behind a router = pfSense (or any other router out there) .... means ..... no more NAT like IPv4!!It's IPv6 these days, so :
Your ISP give you a IPv6 WAN IP .... and (roll the intro) at least a /64 prefix.
This prefix is a 64 bit network with 2^64 IPv6 addresses, and you assign one to your web server. You can use the DHCPv6 server on your LAN, give it the /64 prefix it obtained from your ISP (or ISP router, in my case), and your done.On the pfSense WAN interface, add a IPv6 rule that allows the IPv6 - TCP - destination port 80 and 443.
Just a firewall rule, no NAT rule !
And now your web server is accessible using IPv6 from the Internet.The HE test, when using a domain name will get the A = IPv4 record, and tries to access the server.
When testing using IPv6, you have to set up a AAAA record in your domain name zone, that points to the IPv6 that is your server is using.When using just the IPv6 - so no host name, the DNS step isn't needed : HE will access the server directly as the DNS step isn't needed.
If memory serves me well, as my badge dates from 2014, there will also be a DNS AAAA record test. Which means you have to set up a AAAA record for your web server.@johnpoz said in IPv6 and HE certification web server question:
I still have my t-shirt btw ;) heheh
Mine is a bit worn these days. Do they still have them ? If so, I should take the test again.
Btw : there should also be a comparable test for DNSSEC test. And a Letsencrypt-like certificate (certification ) test. With these two, "DANE" becomes possible and that will be the end of all CA's as they are not needed anymore.
-
Just curios, what does "sage" again, other than to be able to open port 25?
I did it two times because I lost my first account some time ago...
And I was brute forcing it because I usually don't run a web-server.
Recently I began using it again for having static IPv6-addresses on all interfaces and then using NPtv6 on my native IPv6-WAN from my ISP. Best of both worlds, static IPv6 for pfSense, all GUA, so they are still preferred everywhere and best speed by using my ISP with its dynamic IPv6.
-
@Bob-Dig said in IPv6 and HE certification web server question:
and then using NPtv6 on my native IPv6-WAN from my ISP.... by using my ISP with its dynamic IPv6
Yeah, nice, but still somewhat 'burk'.
At least my ISP plays it by the book, also called 'RFC', and allocates the same prefix /56 for an extended period of time.@Bob-Dig said in IPv6 and HE certification web server question:
Just curios, what does "sage" again
An acknowledgement that you answered all the questions correctly - nothing more, nothing less. For me, I'm still the same moron, but with a nice t-Shirt that no one understands.
It's just another (cotton !) paper that states : 'well done, boy'.@Bob-Dig said in IPv6 and HE certification web server question:
other than to be able to open port 25?
I don't think HE will ask you to fire up a mail server, as most ISPs block that incoming "TCP 25 port" - they don't want you to host mail servers as there is already enough spam running arround. Same thing for outgoing : I can connect (but never use them) to my ISP mail servers using "TCP port 25 outgoing".
Hosting your own web server is normally doable - that is, if you are not behind some IPv4 CGNAT scheme.
-
@Gertjan said in IPv6 and HE certification web server question:
I don't think HE will ask you to fire up a mail server
You misunderstand. You need to be "sage" to be able to open port 25 incoming with HE. I just asked what else you gonna gain.
-
aahhhh, I get it.
HE can be considered as an ISP, and as such - see above - the will block "TCP 25".
So being sage unblocks that ? Nice to know. -
@Gertjan Yepp. Go to your tunnel and then klick on advanced. If it is not there when you are "sage", you might have to contact support.
-
@Gertjan said in IPv6 and HE certification web server question:
Btw : there should also be a comparable test for DNSSEC test. And a Letsencrypt-like certificate (certification ) test. With these two, "DANE" becomes possible and that will be the end of all CA's as they are not needed anymore.
I stopped using DANE because it became to burdensome with Letsencrypt. Sadly.
But you are right, something certbot-like together with DANE could end things.
-
@Bob-Dig said in IPv6 and HE certification web server question:
I stopped using DANE because it became to burdensome with Letsencrypt.
Here : this will take care of your issues : https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Add these to your zone :
I have a domain name 'test-domaine.fr', and added the current 5 signing certificate hashes :$ORIGIN mail.test-domaine.fr. _25._tcp TLSA 2 1 1 2bbad93ab5c79279ec121507f272cbe0c6647a3aae52e22f388afab426b4adba _25._tcp TLSA 2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 _25._tcp TLSA 2 1 1 919c0df7a787b597ed056ace654b1de9c0387acf349f73734a4fd7b58cf612a4 _25._tcp TLSA 2 1 1 025490860b498ab73c6a12f27a49ad5fe230fafe3ac8f6112c9b7d0aad46941d _25._tcp TLSA 2 1 1 f1647a5ee3efac54c892e930584fe47979b7acd1c76c1271bca1c5076d869888 _25._tcp TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
and now I'm good up until the moment these start to fade out, and new one get added and used.
Check here : https://dane.sys4.de/smtp/test-domaine.fr - one of them matches, so DANE will be ok.
I'm using Letsencrypt certs for everything : web, smtp, pop, imap, you name it. -
@Gertjan Thanks but I pass. Also, no one had a problem with my servers when DANE was failing...
-
@Bob-Dig said in IPv6 and HE certification web server question:
no one had a problem with my servers
Well they had a problem with the info you published in your DNS zone info ^^
Publish the correct info, and everybody is happy.
Like DKIM - like SPF - like DMARC. Like a correct reverse host name. H*ll, like a certificate on your web and mail server that is in the 'valid' for your servers. Like DNSSEC.
Some of them are a must have these days, some are more or less optional.
Try sending a mail from your domain - mail server to a gmail, and then check how gmail 'scores' your mail.And normally, we don't want a A+ because it's looks nice (no one cares actually), we want the A+ because it means we probably, maybe, understood the things we work with.
-
@Gertjan No A+ for me because I don't run any public web server.
And there is no score in an email to gmail right? It just says if you passed the usual stuff.
But I "enabled" gmail's Postmaster Tools now. Probably will do nothing because I rarely send email. -
@Bob-Dig said in IPv6 and HE certification web server question:
I just asked what else you gonna gain.
Understanding of IPv6 and how it functions being the top one to be honest. And the cool tshirt..
-
@Gertjan Ooooo yeah!!!
mirroredanalytics.com is up and running :) ipv6 and ipv4
Now I have to create a ipv6 webserver with the port 25 thing you guys are talking about. I am going to use iRedMail over Kali. I just have to make a new copy of Kali my current one is to old to download anything anymore...
Got to tell you I loved my old CD days with PHLAK linux Pen testing software
-
I can almost make a post in the HE forum ... almost to sage...
I just need An IPv6 enabled mail system, with working RDNS.
The last step took my gmail as a working ipv6 email. I guess there was a time that was not the case...
-
@JonathanLee If I recall with the email section - I just used their free dns and setup the PTR records, etc.
-
@johnpoz thanks for the recommendations again!!
I know the basics of IPv6. I can configure an ipv6 webserver that is behind a secure firewall inside of a IPv6 tunnel broker that tunnels inside of a IPv4 only ISP provider. I can manage and parse out AAAA records for streaming services that do not support tunnel brokers. I understand glue-records and have my website mirroredanalytics.com working (just the basics I have not spent any time really designing it. Right now, my web server is still under construction) YEAHHHH Buddy!
Plus they said I get a T-Shirt :)