I had an idea recently. Could a person use an HTTP proxy server to access the IPv6 portions of the Internet? The answer is yes.
To test this out, I spun up a cloud server at Rackspace. Rackspace assigns IPv6 addresses to their ‘Next Generation’ Cloud Servers. In this instance, I used Linux and installed squid and httpd-tools.
```
[[email protected] ~]# ip addr show dev eth0
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether bc:76:4e:04:54:39 brd ff:ff:ff:ff:ff:ff
    inet 184.108.40.206/24 brd 220.127.116.11 scope global eth0
    inet6 2001:4800:780e:510:e026:3332:ff04:5439/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::be76:4eff:fe04:5439/64 scope link
       valid_lft forever preferred_lft forever
[[email protected] ~]# history | grep yum
    2  yum -y install squid
   28  yum -y --disableexcludes=all update
   58  yum -y install setroubleshoot
   63  yum whatprovides "*/finger"
   87  yum search squid
  124  yum whatprovides "*/htpasswd"
  125  yum install --help
  126  yum deplist httpd_tools
  127  yum install httpd_tools
  128  yum deplist httpd-tools
  129  yum install httpd-tools
  195  history | grep yum
[[email protected] ~]# head -n 50 /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
acl manager proto cache_object
#acl localhost src 127.0.0.1/32 ::1
#acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

auth_param basic program /usr/lib64/squid/ncsa_auth /etc/squid/passwd
acl sgn proxy_auth REQUIRED
http_access allow sgn
http_access deny all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
#http_access allow manager localhost
#http_access deny manager

# Deny requests to certain unsafe ports
#http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
[[email protected] ~]# history | grep htpasswd
  124  yum whatprovides "*/htpasswd"
  130  htpasswd
  131  htpasswd -cm /etc/squid/passwd someuser
  197  history | grep htpasswd
[[email protected] ~]# cat /etc/squid/passwd
someuser:$apr1$SjAEUZGj$3FhI5utUY/Bp1ARFa4fhDwaDjTjCsE$ClKtuD/
[[email protected] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:squid
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
As you can see, all that I did with squid was set it up to allow connections from authenticated users rather than IP addresses. This would allow somebody to be mobile and still use the proxy. I then used ‘htpasswd’ from the httpd-tools package to generate the /etc/squid/passwd file, and finally, I opened up squid on the firewall.
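Squid applies the first `http_access` line whose ACLs all match, so in the configuration above `http_access allow sgn` and `http_access deny all` are reached before `http_access deny CONNECT !SSL_ports`, and the `Safe_ports` rule is commented out. The Python script below is an added example, not part of the original post or of Squid itself; it models only the ACL types in that config, and the `REORDERED` rule set and the `SAMPLE` request are assumptions constructed for illustration.

```python
# Added example: first-match model of Squid http_access (port, method, proxy_auth ACLs only).
ACLS = """
acl sgn proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
"""
# Rule order as shown in the page's squid.conf.
AS_POSTED = ACLS + """
http_access allow sgn
http_access deny all
http_access deny CONNECT !SSL_ports
"""
# Assumed hardened order: port restrictions first, then the authenticated allow.
REORDERED = ACLS + """
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow sgn
http_access deny all
"""
# Constructed request: an authenticated user asking for a tunnel to a non-SSL port.
SAMPLE = {"method": "CONNECT", "port": 25, "authenticated": True}

def parse(conf):
    acls, rules = {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    if name == "all":  # Squid's built-in match-everything ACL
        return True
    kind, values = acls[name]
    if kind == "port":
        return any(int(lo) <= req["port"] <= int(hi or lo)
                   for lo, _, hi in (v.partition("-") for v in values))
    if kind == "method":
        return req["method"] in values
    return req["authenticated"]  # proxy_auth REQUIRED

def decide(conf, req):
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny"  # not reached here: both rule sets end in "deny all"
```

`decide(AS_POSTED, SAMPLE)` returns `allow` while `decide(REORDERED, SAMPLE)` returns `deny`; an authenticated CONNECT to port 443 is allowed under both orderings.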
The only other changes would need to be made on your local machine. You would need to use DNS servers that serve AAAA records. Google's servers do this: 18.104.22.168 and 22.214.171.124. Your local ISP may serve the AAAA records as well. You can test this with the dig or nslookup command.
```
dig aaaa packetgeek.net @ns1.rackspace.com
```
Lastly, you’ll need to configure your browser to point to your proxy server. As you can see in the screenshot below, the IP address from http://www.whatismyipv6.com/ is listed as the IPv6 address of my proxy server.