Score:0

How to whitelist ipv6 in .htaccess to allow website access


I've got an online web tool and I want to give access to a company. At the moment, access is controlled by IP via the .htaccess file. The company I want to give access to are on an ipv6 address and although I've tried a lot of methods, they are still blocked from accessing the website.

Let's say their ipv6 is: 26b0:21t7:ada2:4a10:38f5:1d56:7a79:c83c

(side note: weirdly, when they visit a website like https://whatismyipaddress.com they also have an ipv4 address which I've whitelisted as well)

I've read this post but it doesn't actually answer the question:

Whitelist an Individual's IPv6 Range via .htaccess

and I've tried a lot of different things such as:

 <RequireAny>
     # whitelisting ipv4 works fine
     Require ip 51.203.055.209
     Require ip 26b0:21t7:ada2:4a10::/64  26b0:21t7:ada2::/52  26b0:21t7:ada2:4a10:38f5:1d56:7a79:c83c
     Require ip 26b0:21t7:10::/48 26b0:21t7:11::/48 26b0:21t7:12::/48 26b0:21t7:13::/48 26b0:21t7:14::/48 26b0:21t7:15::/48 26b0:21t7:16::/48 26b0:21t7:17::/48 26b0:21t7:18::/48 26b0:21t7:19::/48 26b0:21t7:1a::/48 26b0:21t7:1b::/48 26b0:21t7:1c::/48 26b0:21t7:1e::/48
 </RequireAny>

...but none of the ipv6 works. I'll be honest, I don't really understand the whole subnets thing in ipv6, but I also don't want to spend ages finding out the intricacies of how it works - I would just like a hard and fast rule to whitelist ipv6 addresses in .htaccess.

Would appreciate any help.

vidarlo
Are you sure they're accessing you over IPv6? And 26b0:21t7 is ***not*** a valid IPv6 address for sure.
5Diraptor
@vidarlo Sorry for the confusion. I took their ipv6 and changed a couple of characters for confidentiality which would explain that.
5Diraptor
As I say, I've whitelisted their ipv4 address, how could they check whether they are accessing me over ipv6 or not?
vidarlo
Don't mask IP's. If you have to mask IP's do it properly. To check how they're accessing you, have a look at access.logs for the site in question. Furthermore, are you sure that Apache allows multiple IP's/ranges listed per Require-statement?
5Diraptor
@vidarlo - yes sure that apache allows multiple IP's - in the real thing I have 5 different IPv4 addresses listed on the first row, these all work fine, never had a problem with them. I added an invalid address at one point, and it prevented the web tool from loading with a server error. At the moment it loads fine for me, just no access for companies with ipv6
vidarlo
Is your webserver even accessible over IPv6?
vidarlo
Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/126850/discussion-between-vidarlo-and-5diraptor).
John Mahowald
What is the organization's IPv6 prefix? Ask a networking person, or internet routing tables if they have their own ASN. What you have now with 14 contiguous /48s can be aggregated.
vidarlo
@JohnMahowald If you read the chat discussion, it turns out that 5Diraptor didn't even have AAAA records for the site, so no IPv6 traffic would ever hit him...
5Diraptor
Although I had no AAAA record, I would still very much appreciate knowing the answer to the original question - supposing the IPv6 framework was working fine for my website, I'd still like to know how to include / exclude IPv6 addresses in .htaccess. @vidarlo - special thanks for going above and beyond the question and helping me troubleshoot.
vidarlo
The way you did. I see no faults in it. But with IPv6, go with prefixes, e.g. /64 or /48. Individual IP's are meaningless in IPv6 in many configurations.
5Diraptor
Ok so the rule of thumb is to either knock off the last 16 characters, and add `:/64` or knock off the last 20 characters and add `:/48` as I understand it?
vidarlo
You can't mechanically knock off a number of characters. /64 and /48 are bitmasks. Groups of zero can be collapsed to ::, so ::1 is a perfectly valid IPv6 address... And so is fc80::1.
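
Added example, not part of the original thread: the comments' point that /64 and /48 are bit masks rather than character counts, and that contiguous /48s can be aggregated, worked through with Python's standard `ipaddress` module. The `2001:db8:` addresses are constructed samples from the documentation range, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample address (documentation range), standing in for a client's real one.
SAMPLE = "2001:db8:ada2:4a10:38f5:1d56:7a79:c83c"
# Constructed list mirroring the question's layout: 14 /48s, 0x10..0x1c plus 0x1e.
SAMPLE_48S = [f"2001:db8:{g:x}::/48" for g in (*range(0x10, 0x1D), 0x1E)]
# The masked address exactly as posted in the question ("t" is not a hex digit).
MASKED = "26b0:21t7:ada2:4a10:38f5:1d56:7a79:c83c"


def is_valid_ipv6(text):
    """True if text parses as an IPv6 address."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def covering_prefix(address, prefix_len):
    """Network of prefix_len bits containing address (host bits masked off)."""
    addr = ipaddress.IPv6Address(address)
    return ipaddress.IPv6Network((addr, prefix_len), strict=False)


def aggregate(prefixes):
    """Collapse adjacent or overlapping prefixes into the fewest networks."""
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def require_line(networks):
    """Format networks as a single mod_authz_host 'Require ip' directive."""
    return "Require ip " + " ".join(str(n) for n in networks)


if __name__ == "__main__":
    print("masked address valid?", is_valid_ipv6(MASKED))
    print(require_line([covering_prefix(SAMPLE, 64)]))
    print(require_line([covering_prefix(SAMPLE, 48)]))
    # A compressed address has no fixed character count to cut off.
    print(require_line([covering_prefix("2001:db8::1", 64)]))
    print(require_line(aggregate(SAMPLE_48S)))
```

The gap at `1d` is why the sample list collapses to four prefixes rather than one; a complete run of sixteen /48s from `10` to `1f` would collapse to a single /44.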