v6proxy Host - IPv6 Gateway#

IPv6 gateway proxy hosted on Hetzner VPS, forwarding all IPv6 traffic to the main IPv4 proxy.

Overview#

• Hostname: v6proxy
• IPv4 Address: 178.104.18.93/32
• IPv6 Address: 2a01:4f8:1c19:96f8::1/64
• Type: Hetzner VPS (Full VM)
• Services: HAProxy (IPv6 to IPv4 forwarding)
• Role: IPv6 gateway for StuRa HTW Dresden infrastructure

Architecture#

The v6proxy serves as an IPv6 gateway because the main infrastructure at 141.56.51.0/24 is IPv4-only:

• All IPv6 DNS records (AAAA) point to this host (2a01:4f8:1c19:96f8::1)
• HAProxy forwards all IPv6 HTTP/HTTPS traffic to the main proxy at 141.56.51.1
• The main proxy then handles routing to backend services
• Simple pass-through configuration - no SNI inspection or routing logic

Why This Host Exists#

The HTW Dresden network (141.56.51.0/24) does not have native IPv6 connectivity. This Hetzner VPS provides:

1. IPv6 connectivity: Public IPv6 address for all services
2. Transparent forwarding: All traffic is forwarded to the IPv4 proxy
3. No maintenance overhead: Simple configuration, no routing logic

This allows all StuRa services to be accessible via IPv6 without requiring IPv6 support in the HTW network.

Services#

HAProxy#

HAProxy runs in simple TCP forwarding mode:

HTTP (Port 80)

• Binds to IPv6 :::80
• Forwards all traffic to 141.56.51.1:80
• No HTTP inspection or routing

HTTPS (Port 443)

• Binds to IPv6 :::443
• Forwards all traffic to 141.56.51.1:443
• No SNI inspection or TLS termination

Key features:

• Logging: All connections logged to systemd journal
• Stats page: Available at http://127.0.0.1:8404/stats (localhost only)
• Max connections: 50,000
• Buffer size: 32,762 bytes
• Timeouts: 5s connect, 30s client/server

Configuration Philosophy#

Unlike the main proxy at 141.56.51.1, this proxy is intentionally simple:

• No SNI inspection
• No HTTP host header routing
• No ACME challenge handling
• Just pure TCP forwarding

All routing logic happens at the main IPv4 proxy. This keeps the v6proxy configuration minimal and reduces maintenance burden.

Deployment Type#

The v6proxy is a Hetzner VPS (full VM):

• Hosted outside HTW network
• Uses Hetzner-specific disk layout (hetzner-disk.nix)
• Network interface: eth0
• Both IPv4 and IPv6 connectivity

Network Configuration#

IPv4#

• Address: 178.104.18.93/32
• Gateway: 172.31.1.1
• Interface: eth0

IPv6#

• Address: 2a01:4f8:1c19:96f8::1/64
• Gateway: fe80::1 (link-local)
• Route: Default route via fe80::1
• Interface: eth0

DNS#

• Nameservers: 9.9.9.9, 1.1.1.1 (Quad9 and Cloudflare)
• Uses public DNS servers (not HTW internal DNS)

Firewall#

• Firewall: nftables enabled
• Open ports: 22, 80, 443

DNS Configuration#

For IPv6 support, configure AAAA records pointing to this host:

proxy.htw.stura-dresden.de       AAAA  2a01:4f8:1c19:96f8::1
*.htw.stura-dresden.de           CNAME proxy.htw.stura-dresden.de

This provides IPv6 access to all services while IPv4 traffic continues to use the main proxy (141.56.51.1).

Deployment#

See the main README for deployment methods.

Initial Installation#

Using nixos-anywhere (recommended):

nix run github:nix-community/nixos-anywhere -- --flake .#v6proxy --target-host root@178.104.18.93

This handles disk partitioning via disko automatically.

Updates#

# From local machine
nixos-rebuild switch --flake .#v6proxy --target-host root@178.104.18.93

# Or use auto-generated script
nix run .#v6proxy-update

Disko Configuration#

The v6proxy uses the Hetzner-specific disk layout (hetzner-disk.nix):

• Filesystem: Btrfs or Ext4 (Hetzner default)
• Declarative disk management via disko
• Automatic partitioning on installation

Traffic Flow#

IPv6 request flow:

1. Client connects to 2a01:4f8:1c19:96f8::1 (v6proxy)
2. v6proxy forwards to 141.56.51.1:443 (main IPv4 proxy)
3. Main proxy performs SNI inspection and routes to backend
4. Backend responds through the chain

For the client, the IPv6 connectivity is transparent - they don’t know the backend infrastructure is IPv4-only.

HAProxy Configuration#

The HAProxy configuration is minimal:

frontend http-in
  bind :::80
  use_backend http_80

frontend sni_router
  bind :::443
  mode tcp
  use_backend http_443

backend http_80
  mode http
  server proxy 141.56.51.1:80

backend http_443
  mode tcp
  server proxy 141.56.51.1:443

This is intentionally simple - all routing intelligence is at 141.56.51.1.

HAProxy Stats#

Access HAProxy statistics page (localhost only):

# SSH into v6proxy
ssh root@178.104.18.93

# Access stats via curl
curl http://127.0.0.1:8404/stats

# Or forward port to your local machine
ssh -L 8404:127.0.0.1:8404 root@178.104.18.93
# Then browse to http://localhost:8404/stats

The stats page shows:

• Current connections to main proxy backend
• Traffic statistics
• Connection status

Monitoring#

Check HAProxy Status#

# HAProxy service status
systemctl status haproxy

# View HAProxy logs
journalctl -u haproxy -f

# Check configuration
haproxy -c -f /etc/haproxy/haproxy.cfg

Test Connectivity#

# Test IPv6 HTTP forwarding
curl -6 -v http://[2a01:4f8:1c19:96f8::1]/

# Test IPv6 HTTPS forwarding
curl -6 -vk https://[2a01:4f8:1c19:96f8::1]/

# Test backend connectivity (IPv4 to main proxy)
curl -v http://141.56.51.1/
curl -vk https://141.56.51.1/

# Check IPv6 routing
ip -6 route show
ping6 2a01:4f8:1c19:96f8::1

Troubleshooting#

HAProxy not starting#

# Check HAProxy status
systemctl status haproxy

# Check configuration syntax
haproxy -c -f /etc/haproxy/haproxy.cfg

# View HAProxy logs
journalctl -u haproxy -f

IPv6 connectivity issues#

# Verify IPv6 address is configured
ip -6 addr show eth0

# Check IPv6 routing
ip -6 route show

# Test IPv6 connectivity
ping6 2606:4700:4700::1111  # Cloudflare DNS

# Check IPv6 firewall rules
nft list ruleset | grep ip6

Backend (main proxy) unreachable#

# Test IPv4 connectivity to main proxy
ping 141.56.51.1
curl -v http://141.56.51.1/
curl -vk https://141.56.51.1/

# Check HAProxy backend status
curl http://127.0.0.1:8404/stats | grep proxy

# View connection errors
journalctl -u haproxy | grep -i error

DNS not resolving#

# Check nameserver configuration
cat /etc/resolv.conf

# Test DNS resolution
dig git.adm.htw.stura-dresden.de A
dig git.adm.htw.stura-dresden.de AAAA

# Test with specific nameserver
dig @9.9.9.9 git.adm.htw.stura-dresden.de

Security Considerations#

• No TLS termination: Traffic is passed through encrypted to main proxy
• No deep packet inspection: Simple TCP forwarding only
• Minimal attack surface: No routing logic or service-specific configuration
• Public IPv6 address: Exposed to the internet, firewall must be properly configured

Performance Considerations#

• Additional hop: IPv6 traffic goes through an extra proxy hop
• Latency: Hetzner → HTW network adds some latency
• Bandwidth: Hetzner provides high bandwidth, unlikely to be a bottleneck
• Connection limits: HAProxy configured for 50,000 concurrent connections

For most use cases, the additional latency is negligible (typically <10ms within Germany).

Cost and Hosting#

• Provider: Hetzner Cloud
• Type: VPS (Virtual Private Server)
• Location: Germany, Nürnberg, Falkenstein war voll.
• Cost: Minimal - basic VPS tier sufficient for forwarding traffic

Future Improvements#

Possible improvements (not currently needed):

1. Native IPv6 at HTW: If HTW network gains IPv6, this proxy can be decommissioned
2. GeoDNS: Use GeoDNS to route IPv4 and IPv6 separately
3. Monitoring: Add automated monitoring and alerting
4. Failover: Add a second IPv6 proxy for redundancy

Files and Directories#

• HAProxy config: /etc/haproxy/haproxy.cfg (generated by Nix)
• Disk config: ./hetzner-disk.nix (disko configuration)
• Hardware config: ./hardware-configuration.nix (Hetzner VPS hardware)
• NixOS config: ./default.nix (v6proxy configuration)

Relationship to Main Proxy#

The v6proxy is intentionally minimal - all intelligence lives at the main proxy.

See Also#

• Main README - Deployment methods and architecture
• Proxy README - Main IPv4 proxy configuration
• HAProxy Documentation
• Hetzner Cloud Docs