Dedicated IPv6 addresses for multiple nginx vhosts using SSL?

Sim

When I last did a major upgrade of my hosting configuration a few years back, I also migrated to using dedicated IPv6 addresses for each of the (several dozen) websites I host.

When hosting multiple sites on the one server using SSL, the advice at the time (from Linode primarily) was to use a single IPv4 address and SNI, but to configure separate IPv6 addresses for each site (using Linode's supplied /64 block of IPv6 addresses routed to each Linode).

So the nginx server block looked like this:

Code:
server {
    server_name     foo.example.com;

    listen 443 ssl http2;
    listen [ipv6:address:goes:here]:443 ssl http2;

    ...
}

server {
    server_name        foo.example.com;

    listen 80;
    listen [ipv6:address:goes:here]:80;

    return 301 https://foo.example.com$request_uri;
}

The first server block is the main one - responding to https requests from the server's IPv4 address (via SNI for SSL) or from the specific IPv6 address specified. The second server block simply redirects all http requests to https requests to be served by the first block - again, using either IPv4+SNI or the dedicated IPv6 address.

However, I'm moving to a new setup now and taking the opportunity to revisit my server configuration and note that the recommended configuration people are using doesn't bother with dedicated IPv6 addresses anymore for each host and simply uses a common configuration where both the IPv4 and IPv6 addresses are shared between sites (ie there is one IPv4 address and one IPv6 address assigned to the server and all websites hosted on that server use those same addresses).

Code:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name foo.example.com;
    
    ...
}

I'm wondering if our experienced server admin people have any thoughts on best practices here?

I think the argument in the past in favour of dedicated IPv6 addresses was relating to separation of sites so that DDOS attacks or IP based blacklists and such would only affect a single site and not all sites on the server (assuming they were specific to the IPv6 address - since IPv4 was still shared). I'd have to go hunting to see if I could find any details from back then to see what other rationale there was.

Curious to hear thoughts (and reasoning!) behind the approach people take.

The shared IPv6 approach is certainly much more pragmatic - no need to configure a dedicated IPv6 address for each website (which requires configuring things at the DNS level, the OS level, and at the nginx level - so certainly not trivial). However, I'm wondering if there are any compelling reasons to maintain using dedicated IPv6 addresses?
 
I like to have a dedicated IP address for each site. I use shared IPv4 addresses for very minor sites only. So I won't go with one IPv6 for all.

The reasons: It's easier to move sites between servers, no problems with SSL certs, correct reverse DNS.

The only thing against it is that it is more difficult to set up the server. But, as a sysadmin, this should be no problem at all.
 
I think the argument in the past in favour of dedicated IPv6 addresses was relating to separation of sites so that DDOS attacks or IP based blacklists and such would only affect a single site and not all sites on the server (assuming they were specific to the IPv6 address - since IPv4 was still shared). I'd have to go hunting to see if I could find any details from back then to see what other rationale there was.
If I've understood you correctly, you are just assigning IPs to server blocks. In other words, you have created your own shared hosting environment, they are all sharing the same resources. (D)DoSing any of the IPs would have a negative impact on all sites in that case.

It helps with the "blacklist" thingy, as HWS has mentioned, particularly for reverse DNS and probably most impactful in email blacklisting, but it also gives you the option to leak IPs on purpose (e.g. for a web-based VPN, more proxy stuff, etc) without selling out your private IPs. Not to mention that you could assign two IPs to similar server blocks, but give one special privileges (e.g. debug modes).

If you had discrete IPv4s as well, you could argue that it grants you a certain amount of privacy as well, but yea.

All in all, dedicated IPs are more useful when used with actual containers rather than blocks.
 
A bit more context: I host about 15 small WordPress sites, 8 XenForo sites (3 large, 5 small), plus multiple other sites using a variety of technology - mostly Laravel.

I run 9 VPS servers of varying sizes:
  1. small VPS running 6 miscellaneous sites - mostly Laravel based apps
  2. very large VPS running my 3 largest XenForo sites - all front-ended with Cloudflare
  3. medium sized VPS running 14 WordPress sites
  4. small VPS running one WordPress site (which I don't trust to run on server #3)
  5. small VPS running old vBulletin site (which I don't trust to run on any other server)
  6. small VPS running my other 5 small XenForo sites
  7. medium VPS running MySQL, serving most sites
  8. medium VPS running MySQL, serving my largest site
  9. small VPS running ElasticSearch, serving all XenForo sites
I have a private LAN running between the web servers and MySQL / ElasticSearch servers.

In most cases, there is:
  1. one public IPv4 address assigned to the VPS - shared between the host VPS and all sites
  2. one public IPv6 address assigned to the VPS - dedicated to the host only
  3. one private IPv4 address assigned to the VPS - used for communication between VPS instances
  4. a /64 block of public routed IPv6 addresses assigned to each VPS - one IPv6 per site
Unfortunately the argument of "dedicated address makes it easy to move a site to a new server" doesn't hold, since the addresses are routed to a specific instance and so you'd be assigned a new block if you spin up a new VPS instance.

FWIW, I'm actually restructuring things because some of my sites have a very specific geographic audience (Australia), while others have a very international audience (ie Australia/Asia is a very small percentage of the traffic) - and so I will be moving them to a more appropriate geography for the audience they serve and not hosting everything out of a single data centre in Singapore.

(D)DoSing any of the IPs would have a negative impact on all sites in that case.

Well yes - any DDOS will have an impact on the server, but the point with using separate IP addresses is that the hosting provider can block inbound traffic to that specific IP without affecting any other inbound traffic to other IP addresses for that VPS. Front-ending sites with Cloudflare avoids these issues in any case (although you'd only do that for larger sites or else it becomes cost prohibitive).

It helps with the "blacklist" thingy, as HWS has mentioned, particularly for reverse DNS and probably most impactful in email blacklisting

Rule #1: never send email from your web server - that's the fastest way to cause problems which are easily avoided by using an ESP for outbound email.

Discrete IPv4 addresses on a single instance are impractical these days - you have to basically sell internal organs to convince a hosting provider to hand more than one over. The more practical way is to simply spin up a new VPS instance if you need something to have true separation from other sites - but that's not cost effective for hosting many small sites.

I think the ironic thing about the IPv6 discussion is that the only sites I really care about from a performance / separation point of view are all front-ended with Cloudflare anyway, and so the configuration of the server itself is kind of moot - since nobody ever accesses the sites directly anyway. I may just take the pragmatic approach of shared IPv6 for my other smaller sites and only change if it actually becomes an issue down the track.

FWIW, the new Netplan network configuration tool for Ubuntu 18.04 (I think it was introduced in 17.10?) is a lot easier to work with (once you understand it!) than the old way, IMO.
 
Front-ending sites with Cloudflare avoids these issues in any case (although you'd only do that for larger sites or else it becomes cost prohibitive).
Cloudflare's free plan has unlimited volumetric attack DDOS protection, even then you don't need the fully expensive plan all the time.
 
Blacklists are done on the /64 level for IPv6, so if one IP gets blacklisted, the entire block is getting blacklisted anyway.


Well yes - any DDOS will have an impact on the server, but the point with using separate IP addresses is that the hosting provider can block inbound traffic to that specific IP without affecting any other inbound traffic to other IP addresses for that VPS. Front-ending sites with Cloudflare avoids these issues in any case (although you'd only do that for larger sites or else it becomes cost prohibitive).

This is likely correct. Really there is no reason not to dedicate an IPv6 to each site, aside from just not wanting to do the configuration work.
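One way to check what the /64 point means for a layout like the one described earlier (one routed /64 per VPS, one address per site), as an added example that is not code from the thread: parse the IPv6 listen directives out of an nginx config, bucket each site by the prefix a /64-granular blocklist would act on, and list the sites that would be taken down together. The nginx snippet inside is constructed for the example, with addresses from the 2001:db8::/32 documentation range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed nginx snippet (not from the thread): two vhosts with their own
# address out of the VPS's routed /64, one vhost on the wildcard address.
SAMPLE_CONF = """
server { server_name foo.example.com; listen 443 ssl http2;
         listen [2001:db8:1234:1::10]:443 ssl http2; }
server { server_name bar.example.com; listen 443 ssl http2;
         listen [2001:db8:1234:1::20]:443 ssl http2; }
server { server_name baz.example.com; listen 443 ssl http2;
         listen [::]:443 ssl http2; }
"""

SERVER_SPLIT = re.compile(r"\bserver\s*\{")
SERVER_NAME = re.compile(r"\bserver_name\s+([^;\s]+)")
LISTEN_V6 = re.compile(r"\blisten\s+\[([0-9a-fA-F:]+)\]:\d+")


def vhost_v6_listens(conf):
    """server_name -> IPv6 listen addresses; [::] becomes 'wildcard'.
    Flat parse: directives sit directly in each server block (no nesting)."""
    out = {}
    for block in SERVER_SPLIT.split(conf)[1:]:
        name = SERVER_NAME.search(block)
        if not name:
            continue
        addrs = []
        for raw in LISTEN_V6.findall(block):
            addr = ipaddress.IPv6Address(raw)
            addrs.append("wildcard" if addr.is_unspecified else addr)
        out[name.group(1)] = addrs
    return out


def blocklist_groups(conf, prefixlen=64):
    """Group sites by the prefix a /64-granular blocklist would act on;
    listing one address in a group affects every site in that group."""
    groups = defaultdict(set)
    for name, addrs in vhost_v6_listens(conf).items():
        for addr in addrs:
            key = addr if addr == "wildcard" else str(
                ipaddress.IPv6Network((str(addr), prefixlen), strict=False))
            groups[key].add(name)
    return {k: sorted(v) for k, v in groups.items()}


def shared_fate(conf, prefixlen=64):
    """Groups in which two or more sites would be listed together."""
    return {k: v for k, v in blocklist_groups(conf, prefixlen).items()
            if len(v) > 1}
```

Run with prefixlen=128 to see the picture a per-address blocklist would give; with the default 64, every site carved out of the same routed /64 lands in one group.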
 