Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hydra: Not accessible for clients who use IPv6 in preference to IPv4 #284

Closed
j-baker opened this issue Oct 3, 2023 · 3 comments · Fixed by #288
Closed

Hydra: Not accessible for clients who use IPv6 in preference to IPv4 #284

j-baker opened this issue Oct 3, 2023 · 3 comments · Fixed by #288
Labels
bug

Comments

@j-baker
Copy link

j-baker commented Oct 3, 2023

Affected service: Hydra

Describe the issue

https://hydra.nixos.org not accessible behind company proxy.

My company uses the Cloudflare WARP Zero Trust VPN. This is a fairly typical MITM corporate VPN. This VPN prefers IPv6 over v4 if both are present. As observed by me, hydra.nixos.org has an A record of 5.9.122.43 which works fine. It also has an AAAA record of 2a01:4f8:162:71eb:: which does not appear to have a webserver hosted on it on port 80 or 443. The VPN then serves an error response.

While my company's IT org has been great and hardcoded that the VPN should prefer IPv4 for this domain, it feels like a bug that hydra.nixos.org publishes an IPv6 record for a computer with no HTTP server running. To my knowledge there is no requirement that a client which supports both IPv4 and v6 should prefer to use IPv4 for any connection, though this is apparently conventional.
@j-baker j-baker added the bug label Oct 3, 2023
@j-baker j-baker mentioned this issue Oct 3, 2023
Closed
@delroth
Copy link
Contributor

delroth commented Oct 3, 2023
edited
Loading

Confirmed: currently things only "work" because of the v4 fallback in most clients. See e.g. curl -vvv:

$ curl -vvv https://hydra.nixos.org -s -o /dev/null
*   Trying [2a01:4f8:162:71eb::]:443...
* connect to 2a01:4f8:162:71eb:: port 443 failed: Connection refused
*   Trying 5.9.122.43:443...
* Connected to hydra.nixos.org (5.9.122.43) port 443

@vcunat
Copy link
Member

vcunat commented Oct 17, 2023
edited
Loading

A recurrence of #221 ?

EDIT: except that aarch64.nixos.community seems OK.

This was referenced Oct 17, 2023
Closed
Merged
@vcunat
Copy link
Member

vcunat commented Oct 20, 2023

BTW, a side note. I believe it's normal to prefer IPv6 to IPv4, but in that case you try IPv4 when IPv6 fails. (Or even try both in parallel.) https://en.wikipedia.org/wiki/Happy_Eyeballs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

hydra-proxy: explicitly listen on ipv6 addresses adamcstephens/nixos-org-configurations
3 participants
@j-baker @delroth @vcunat