How to force Client to use specific/local IPv6 address to access webserver

DerPeer asked:

I’m running an Apache 2.4.29 web server with virtual hosts, some of which are publicly available; others shall only be accessible via the local network. I have IPv6 up and running.

The corresponding setting in vhost config:

<Directory /var/www/mylocalapp>
   Require ip 192.168.10.0/24
   Require ip fd4f:2854:491d:9469::/64
   Require host mynetwork.local
</Directory>

Here’s the problem:

  • Some of the clients in the network use IPv4 addresses -> works
  • Some of them use their local IPv6 address (prefix or full address assigned via DHCPv6)
  • Some use their global IPv6 address -> NOT WORKING

Example:
When I open a web browser to access the local web application, I get the typical error:

Forbidden
You don't have permission to access / on this server.

I can’t see any way to force clients to use the locally assigned IPv6 addresses on the local network. Would additional routing information be helpful? But where to put it, and how?

Example address listing from one of the Win10 machines. Local network is mentioned as preferred (“Bevorzugt”). But this doesn’t help.

C:\Users\me> ipconfig /all
Drahtlos-LAN-Adapter WLAN:

   Verbindungsspezifisches DNS-Suffix: heimnetz.loc
   Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physische Adresse . . . . . . . . : 64-5D-86-9A-6F-05
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   IPv6-Adresse. . . . . . . . . . . : 2a01:5c0:e080:0001::1a9(Bevorzugt)
   Lease erhalten. . . . . . . . . . : Donnerstag, 2. Mai 2019 00:20:59
   Lease läuft ab. . . . . . . . . . : Donnerstag, 2. Mai 2019 01:50:58
   IPv6-Adresse. . . . . . . . . . . : 2a01:5c0:e080:2090:b4a0:a49:c44e:c698(Bevorzugt)
   IPv6-Adresse. . . . . . . . . . . : 2a01:5c0:e089:0001::1a9(Bevorzugt)
   Lease erhalten. . . . . . . . . . : Montag, 22. April 2019 03:37:54
   Lease läuft ab. . . . . . . . . . : Sonntag, 8. Juni 2155 07:24:25
   IPv6-Adresse. . . . . . . . . . . : fd4f:2854:491d:9469::1a9(Bevorzugt)
   Lease erhalten. . . . . . . . . . : Donnerstag, 2. Mai 2019 00:20:59
   Lease läuft ab. . . . . . . . . . : Donnerstag, 2. Mai 2019 01:50:58
   IPv6-Adresse. . . . . . . . . . . : fd4f:2854:491d:9469:b4a0:a49:dead:beef(Bevorzugt)
   Temporäre IPv6-Adresse. . . . . . : 2a01:5c0:e080:0001:a413:ba9d:f05e:154(Bevorzugt)
   Temporäre IPv6-Adresse. . . . . . : fd4f:2854:491d:9469:a413:ba9d:f05e:154(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::b4a0:a49:0001:c698%12(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.100.89(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Mittwoch, 1. Mai 2019 22:20:55
   Lease läuft ab. . . . . . . . . . : Donnerstag, 2. Mai 2019 01:50:56
   Standardgateway . . . . . . . . . : fe80::be05:43ff:0001:926f%12
                                       192.168.10.1
   DHCP-Server . . . . . . . . . . . : 192.168.10.2
   DHCPv6-IAID . . . . . . . . . . . : 174349702
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-23-58-60-FE-9C-EB-E8-57-D7-E7
   DNS-Server  . . . . . . . . . . . : fd4f:2854:491d:9469:133a:920e:1234:5678
                                       2a01:5c0:e080:0001:65f0:bda5:8765:4321
                                       192.168.10.2
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

The desired behaviour is that all machines prefer local IPv6 addresses to access resources in the local network. This behaviour shall be automatically assigned (e.g. via DHCP option).

My answer:


There are a few ways to solve this:

  1. Your internal DNS servers should serve internal clients only ULA addresses for resources inside your network, not global addresses. Or…
  2. You can allow the global IPv6 address range in the Apache configuration.

View the full question and any other answers on Server Fault.
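The effect of the `Require ip` lines on each IPv6 address in the question's ipconfig listing can be checked offline. This is an added example, not part of the original question or answer: it models only the `Require ip` rules (several `Require` lines in one section grant access if any one matches), and the /48 global prefix used for option 2 is an assumption, since the page does not state the delegated prefix length.

```python
import ipaddress

# Networks from the page's <Directory> block ("Require host" is not modelled).
PAGE_RULES = ["192.168.10.0/24", "fd4f:2854:491d:9469::/64"]

# Assumption: a /48 is delegated; the page does not state the prefix length.
ASSUMED_GLOBAL_PREFIX = "2a01:5c0:e080::/48"

# IPv6 addresses copied from the ipconfig listing in the question.
CLIENT_ADDRESSES = [
    "2a01:5c0:e080:0001::1a9",
    "2a01:5c0:e080:2090:b4a0:a49:c44e:c698",
    "2a01:5c0:e089:0001::1a9",
    "fd4f:2854:491d:9469::1a9",
    "fd4f:2854:491d:9469:b4a0:a49:dead:beef",
    "2a01:5c0:e080:0001:a413:ba9d:f05e:154",
    "fd4f:2854:491d:9469:a413:ba9d:f05e:154",
    "fe80::b4a0:a49:0001:c698%12",
]

def parse(source):
    """Parse an address, dropping a Windows zone id such as '%12'."""
    return ipaddress.ip_address(source.split("%", 1)[0])

def scope(source):
    """Label an IPv6 address as link-local, ULA (fc00::/7) or global."""
    addr = parse(source)
    if addr.is_link_local:
        return "link-local"
    if addr in ipaddress.ip_network("fc00::/7"):
        return "ULA"
    return "global"

def is_allowed(source, rules):
    """Grant access if any listed network contains the source address."""
    addr = parse(source)
    return any(addr in ipaddress.ip_network(rule) for rule in rules)

def denied(addresses, rules):
    """Return the addresses that would receive 403 Forbidden."""
    return [a for a in addresses if not is_allowed(a, rules)]

if __name__ == "__main__":
    widened = PAGE_RULES + [ASSUMED_GLOBAL_PREFIX]
    for a in CLIENT_ADDRESSES:
        print(f"{a:42} {scope(a):10} page={is_allowed(a, PAGE_RULES)} "
              f"widened={is_allowed(a, widened)}")
```

With the assumed /48 added, the `2a01:5c0:e089:…` address from the listing is still denied, so a hard-coded global prefix has to cover every prefix the clients actually source traffic from.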

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.