
I've got an online web tool and I want to give access to a company. At the moment, access is controlled by IP via the .htaccess file. The company I want to give access to are on an ipv6 address and although I've tried a lot of methods, they are still blocked from accessing the website.

Let's say their ipv6 is: 26b0:21t7:ada2:4a10:38f5:1d56:7a79:c83c

(side note: weirdly, when they visit a website like https://whatismyipaddress.com they also have an ipv4 address which I've whitelisted as well)

I've read this post but it doesn't actually answer the question:

Whitelist an Individual's IPv6 Range via .htaccess

and I've tried a lot of different things such as:

 <RequireAny>
     # whitelisting ipv4 works fine
     Require ip 51.203.055.209
     Require ip 26b0:21t7:ada2:4a10::/64  26b0:21t7:ada2::/52  26b0:21t7:ada2:4a10:38f5:1d56:7a79:c83c
     Require ip 26b0:21t7:10::/48 26b0:21t7:11::/48 26b0:21t7:12::/48 26b0:21t7:13::/48 26b0:21t7:14::/48 26b0:21t7:15::/48 26b0:21t7:16::/48 26b0:21t7:17::/48 26b0:21t7:18::/48 26b0:21t7:19::/48 26b0:21t7:1a::/48 26b0:21t7:1b::/48 26b0:21t7:1c::/48 26b0:21t7:1e::/48
 </RequireAny>

...but none of the ipv6 works. I'll be honest, I don't really understand the whole subnets thing in ipv6, but I also don't want to spend ages finding out the intricacies of how it works - I would just like a hard and fast rule to whitelist ipv6 addresses in .htaccess.

Would appreciate any help.

AutoBaker
  • Are you sure they're accessing you over IPv6? And 26b0:21t7 is ***not*** a valid IPv6 address for sure. – vidarlo Jun 25 '21 at 08:01
  • @vidarlo Sorry for the confusion. I took their ipv6 and changed a couple of characters for confidentiality which would explain that. – AutoBaker Jun 25 '21 at 08:13
  • As I say, I've whitelisted their ipv4 address, how could they check whether they are accessing me over ipv6 or not? – AutoBaker Jun 25 '21 at 08:14
  • Don't mask IPs. If you have to mask IPs, do it properly. To check how they're accessing you, have a look at access.logs for the site in question. Furthermore, are you sure that Apache allows multiple IPs/ranges listed per Require-statement? – vidarlo Jun 25 '21 at 08:16
  • @vidarlo - yes, sure that Apache allows multiple IPs - in the real thing I have 5 different IPv4 addresses listed on the first row, these all work fine, never had a problem with them. I added an invalid address at one point, and it prevented the web tool from loading with a server error. At the moment it loads fine for me, just no access for companies with ipv6 – AutoBaker Jun 25 '21 at 08:57
  • Is your webserver even accessible over IPv6? – vidarlo Jun 25 '21 at 09:05
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/126850/discussion-between-vidarlo-and-5diraptor). – vidarlo Jun 25 '21 at 11:23
  • What is the organization's IPv6 prefix? Ask a networking person, or internet routing tables if they have their own ASN. What you have now with 14 contiguous /48s can be aggregated. – John Mahowald Jun 25 '21 at 20:36
  • @JohnMahowald If you read the chat discussion, it turns out that 5Diraptor didn't even have AAAA records for the site, so no IPv6 traffic would ever hit him... – vidarlo Jun 26 '21 at 06:45
  • Although I had no AAAA record, I would still very much appreciate knowing the answer to the original question - supposing the IPv6 framework was working fine for my website, I'd still like to know how to include / exclude IPv6 addresses in .htaccess. @vidarlo - special thanks for going above and beyond the question and helping me troubleshoot. – AutoBaker Jun 28 '21 at 05:56
  • The way you did. I see no faults in it. But with IPv6, go with prefixes, e.g. /64 or /48. Individual IPs are meaningless in IPv6 in many configurations. – vidarlo Jun 28 '21 at 07:54
  • Ok so the rule of thumb is to either knock off the last 16 characters, and add `:/64` or knock off the last 20 characters and add `:/48` as I understand it? – AutoBaker Jun 28 '21 at 09:59
  • You can't mechanically knock off a number of characters. /64 and /48 are bitmasks. Groups of zero can be collapsed to ::, so ::1 is a perfectly valid IPv6 address... And so is fc80::1. – vidarlo Jun 28 '21 at 10:36
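
An added example, not part of the original thread: the comments above note that /64 and /48 are bit masks and that contiguous /48s can be aggregated, which Python's standard `ipaddress` module can compute. The function names are hypothetical and the addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress


def require_line(address, prefix_len=64):
    """Build a 'Require ip' line for the prefix that contains `address`."""
    ip = ipaddress.ip_address(address)  # ValueError if not a valid address
    if ip.version == 4:
        return f"Require ip {ip}"
    # strict=False clears the host bits, so the mask is applied to the
    # 128-bit value rather than to the characters of the written form.
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return f"Require ip {net}"


def aggregate(prefixes):
    """Merge adjacent prefixes into the fewest equivalent networks."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def is_allowed(client, allowed):
    """True if `client` falls inside any network in `allowed`."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in allowed)


if __name__ == "__main__":
    # Constructed sample addresses from the documentation range.
    print(require_line("2001:db8:ada2:4a10:38f5:1d56:7a79:c83c"))
    print(require_line("2001:db8::1", 48))
    # Same gaps as the question's list: 0x10..0x1c and 0x1e, no 0x1d.
    groups = list(range(0x10, 0x1D)) + [0x1E]
    merged = aggregate(f"2001:db8:{g:x}::/48" for g in groups)
    for net in merged:
        print("Require ip", net)
    # The skipped 0x1d prefix stays outside the merged allow list.
    print(is_allowed("2001:db8:1d::5", merged))
```

The masked address posted in the question is rejected by `ipaddress.ip_address` with a `ValueError`, because `21t7` is not a hexadecimal group.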

0 Answers