'Last IP address' being prefixed by '::ffff:'


(AstonJ) #1

This appears to have started recently - if you go to a user’s profile > admin - their last IP address is shown as prefixed with ::ffff: (and so when you do an ip lookup it does not work).


(AstonJ) #3

Why would it be done for GDPR?

Only references to it in the repo are:


(Jeff Atwood) #4

No repro here on meta.


(AstonJ) #5

Could this be related:

I did add a record to allow IPv6 recently, so could that be it? Do you have IPv6 enabled here?


(Jeff Atwood) #6

This (meta) is running on AWS as a dogfooding experiment, so it is possible it is not, because as I understand it AWS doesn’t use ipv6 at all… but we’d need to ask @mpalmer


(Rafael dos Santos Silva) #7

Meta is now fully IPv6 compatible.


(AstonJ) #8

Nice! Were you getting the ::ffff: problem too?


(Rafael dos Santos Silva) #9

It looks just fine for me:

I bet a beer you use a reverse proxy and not vanilla Discourse with only the internal nginx :beers:


(AstonJ) #10

Sorry only just coming back to this. Yes I use HAProxy on the front :slight_smile:

Do I need to do anything special on the Discourse side to enable IPV6?

On the HAProxy side I believe I have changed everything I need to, specifically:

bind *:80
to
bind :::80 v4v6

and

bind *:443 ssl crt /etc/haproxy/certs/
to
bind :::443 v4v6 ssl crt /etc/haproxy/certs/

On http://ready.chair6.net everything passes except for:

IPv6 Connectivity - FAIL - Could not connect (to site) on port 443 over IPv6.

Any idea what I might be missing?


(Michael Brown) #11

Try instead using two lines as follows:

bind *:80
bind :::80 

bind *:443 ssl crt /etc/haproxy/certs/
bind :::443 ssl crt /etc/haproxy/certs/

(AstonJ) #12

Hi Michael, updated to:

  #bind *:80
  #bind :::80 v4v6
  #bind *:443 ssl crt /etc/haproxy/certs/
  #bind :::443 v4v6 ssl crt /etc/haproxy/certs/
  bind *:80
  bind :::80 
  bind *:443 ssl crt /etc/haproxy/certs/
  bind :::443 ssl crt /etc/haproxy/certs/

But I’m still getting the same thing. Here’s the full report in case it helps.


(Michael Brown) #13

fe80::6e62:6dff:fe46:abf9 is a link-local address, only intended to be used by a machine on the same broadcast domain as the server. Nothing else on the Internet will ever be able to connect to it.

Does the server have a “real” IPv6 address (such as something starting with a 2)?


(AstonJ) #14

Awesome - fixed! (I needed to change my server from IPv6 discovery to Static configuration and add the range manually.)

Thanks for your help :heart: