IPv6 Configuration Guide: How to Set Up IPv6 on Nginx and Its Benefits

How to Configure IPv6

The method for configuring IPv6 differs slightly between Nginx and Apache, but the basic procedure is similar. Below, we will explain how to enable IPv6 in Nginx.

For the latest configuration instructions, please refer to the relevant page in the official Nginx documentation.

Configuring IPv6 in Nginx

1. Edit the Nginx Configuration File

To enable IPv6 in Nginx, you need to add the listen directive with an IPv6 address inside the server block. The configuration file is typically located in the /etc/nginx/sites-available/ directory and is associated with the domain name.

The general principle is as follows:

• To handle IPv6 traffic, use listen [::]:port_number;
• To handle IPv4 traffic, use listen port_number;

The port number is 80 for HTTP communication and 443 for HTTPS communication, and both must be specified. Since HTTPS is essential, the port specifications should generally include four entries.

Basic Configuration

• IPv4 communication on port 80 (HTTP): listen 80;
• IPv6 communication on port 80 (HTTP): listen [::]:80;
• IPv4 communication on port 443 (HTTPS): listen 443;
• IPv6 communication on port 443 (HTTPS): listen [::]:443;

Let's go through these configurations in detail.

Configuring IPv4 and IPv6 on Port 80

server {
    listen [::]:80; # [::]:をポート番号80の前に追加。IPv6での通信を扱う。
    listen 8080; # IPv4での通信を扱う。
    server_name example.com; # サーバー名を設定
    # ...その他の設定...
}

This configuration ensures that Nginx accepts connections on port 80 via IPv6. To maximize compatibility, the configuration is set up for dual-stack operation, meaning that both IPv4 and IPv6 communications are supported.

• listen 80; handles IPv4 traffic.
• listen [::]:80; handles IPv6 traffic.

Configuring IPv4 and IPv6 on Port 443 (HTTPS)

When enabling HTTPS, port 443 is used. To allow IPv6 connections on this port, add [::]: before the port number.

server {
    listen [::]:443; # [::]:をポート番号443の前に追加 IPv6での通信を扱う。
    listen 443; # IPv4での通信を扱う。
    server_name example.com; # サーバー名を設定
    # ...その他の設定...
}

This configuration follows the dual-stack approach:

• listen 443; handles IPv4 traffic.
• listen [::]:443; handles IPv6 traffic.

Testing the Nginx Configuration

After editing the configuration file, check if the syntax is correct by running:

sudo nginx -t

Restarting Nginx

If no issues are found, restart Nginx to apply the changes:

sudo systemctl restart nginx

IPv6-Only Configuration vs. Dual-Stack (IPv4 + IPv6)

The above configurations allow both IPv4 and IPv6 traffic. This is known as a dual-stack setup.

If you want to disable IPv4 and allow only IPv6 traffic, you must add ipv6only=on to the configuration. Below are examples of IPv6-only configurations.

Configuring Port 80 for IPv6-Only Traffic

server {
    listen [::]:80 ipv6only=on; 
    # listen 80;が削除されている、これはipv4での通信を排除するため。
    server_name example.com;
    # その他の設定...
}

In this setup:

• listen [::]:80; handles IPv6 traffic.
• listen 80; is removed to disable IPv4 traffic.
• The addition of ipv6only=on ensures that only IPv6 communication is allowed.

Configuring Port 443 for IPv6-Only Traffic

server {
    listen [::]:443 ipv6only=on; 
    # listen 443;が削除されている、これはipv4での通信を排除するため。
    server_name example.com;
    # その他の設定...
}

In this setup:

• listen [::]:443; handles IPv6 traffic.
• listen 443; is removed to disable IPv4 traffic.
• The addition of ipv6only=on ensures that only IPv6 communication is allowed.

By removing listen 443;, Nginx will no longer listen for IPv4 connections.

How to Automatically Generate an IPv6-Compatible Server Configuration File: Mozilla SSL Configuration Generator

With Mozilla SSL Configuration Generator, you can easily generate a server configuration template that supports IPv6.

By selecting the appropriate server software from Server Software and choosing Modern or Intermediate from Mozilla Configuration, you can generate the necessary settings. Below is an example using Intermediate, which offers the highest compatibility.

Mozilla SSL Configuration Generator IPv6-Compatible Code

Nginx Intermediate Configuration with Dual-Stack Support for Both Port 80 and 443

# generated 2024-03-11, Mozilla Guideline v5.7, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.7
server {
    listen 80 default_server;
    listen [::]:80 default_server;
 
    location / {
        return 301 https://$host$request_uri;
    }
}
 
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
 
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
 
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /path/to/dhparam;
 
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
 
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
 
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
 
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
 
    # replace with the IP address of your resolver
    resolver 127.0.0.1;
}

What is IPv6?

IPv6 (Internet Protocol version 6) is a communication protocol used on the internet and is the latest version of the Internet Protocol (IP). It was developed to solve the issues of IPv4. The key features of IPv6 include:

Expanded Address Space

• IPv4 provides only about 4.3 billion IP addresses.
• IPv6 adopts a 128-bit address structure, offering approximately 340 undecillion (3.4×10³⁸) unique IP addresses.
• This expansion solves the IP address shortage problem caused by the increasing number of internet-connected devices.

Enhanced Security

• IPv6 integrates IPsec (IP Security) as a fundamental protocol feature.
• This allows built-in encryption and authentication, improving communication security.

Efficient Packet Processing

• IPv6 simplifies the header structure, allowing routers to process packets more efficiently.
• IPv6 handles fragmentation at the sender-side, reducing the network’s processing burden.

Automatic Configuration

• IPv6 includes Stateless Address Autoconfiguration (SLAAC), allowing devices to automatically assign themselves an IP address.
• This reduces the need for manual network configuration and makes network management easier.

Although IPv6 adoption is progressing, it is not yet universally implemented across all networks and services. Since IPv4 and IPv6 are not directly compatible, a transitional approach called dual-stack technology is commonly used to support both protocols simultaneously.

IPv4 vs. IPv6: Address Exhaustion & Security Improvements

Considering IP address exhaustion and security improvements, we can compare IPv4 and IPv6 as follows:

IP Address Exhaustion Issue

IPv4:

• IPv4 provides only about 4.3 billion IP addresses, which have been rapidly depleted due to the growth of the internet.
• The limited number of addresses restricts internet expansion and may hinder new devices and services from being connected online.
• To temporarily manage this issue, Network Address Translation (NAT) is widely used, but it is merely a workaround and introduces security and connectivity issues.

IPv6:

• With its 128-bit address length, IPv6 offers an almost limitless supply of unique addresses (~340 undecillion).
• This completely resolves the IP address exhaustion problem and ensures sufficient address space for all future devices.
• The widespread adoption of IPv6 will enable sustainable internet growth and foster the development of new technologies and services.

Security Enhancements

IPv4:

• IPv4 lacks built-in security, as security mechanisms like IPsec were later introduced as optional features.
• Security in IPv4 depends heavily on network configuration and design.
• NAT (Network Address Translation) offers some level of protection for private networks, but it limits end-to-end security and transparency.

IPv6:

• IPv6 was designed with security in mind and mandates IPsec as a core feature.
• This ensures data confidentiality, integrity, and authentication, making internet communication more secure.
• Since IPv6 reduces the need for NAT, it enhances end-to-end connectivity and simplifies security policies and monitoring.

IPv6 Adoption Rate Among Japanese Listed Companies' Websites: 9.53%

According to a survey on TLS 1.3 adoption among 3,715 websites of Japanese listed companies, the IPv6 adoption rate among these websites is 9.53%. This means that 90% of them are not yet IPv6-compatible as of July 2023.

Source:

SSL/TLS Security Vulnerability Dashboard of the Official Websites of 3,715 Japanese Listed Companies

IPv6 Adoption Status by Industry

The table below shows IPv6 adoption rates by industry. The "is_ipv6_on" column (second from the right in the image) indicates whether IPv6 is enabled.

• The oil and coal industry has the highest IPv6 adoption rate at 27%.
• All other industries have lower adoption rates.
• Industries handling highly confidential information, such as banking (5%), securities (8%), and information and communications (14%), have relatively low IPv6 adoption rates.
• Some industries still show an IPv6 adoption rate of 0%, meaning no company in the sector has enabled IPv6.

Source:

SSL/TLS Security Vulnerability Dashboard of the Official Websites of 3,715 Japanese Listed Companies

IPv6 adoption is correlated with security scores, making its implementation strongly recommended.

Source:

SSL/TLS Security Vulnerability Dashboard of the Official Websites of 3,715 Japanese Listed Companies

Benefits of Enabling IPv6 on Your Website

Most modern Wi-Fi routers already support IPv6, meaning users are ready for IPv6 connectivity. By enabling IPv6 on corporate websites and online services, companies can:

• Efficiently handle requests from IPv6-enabled devices.
• Improve security by leveraging IPv6’s built-in security features.

However, adopting IPv6 is not just about changing settings. It often requires network redesigns and security policy updates, making a strategic, planned approach necessary.

With the growing number of IoT devices and the increasing risk of IPv4 address exhaustion, early preparation for IPv6 migration is crucial for:

• Long-term scalability
• Improved security
• Future-proofing corporate networks

Conclusion

Since enabling IPv6 in Nginx only requires adding "[::]:" before the port number, we strongly recommend implementing it as soon as possible.