Configuring Alibaba Cloud ECS to support IPv6 and fix Apple app review failures

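A few days ago our iOS app was submitted to Apple for review and was rejected. The reason given: the app cannot be used in an IPv6 environment.
On inspection, the Alibaba Cloud optimized system image does not have the IPv6 protocol enabled, so it has to be configured and enabled.
Enabling IPv6 on its own is still not enough to serve traffic, however; the IPv6 Tunnel Broker provided by Hurricane Electric can be used to give the ECS instance IPv6 support.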

1. Check the state of the Alibaba Cloud ECS server

1.1. Check the server state

For the commands below, a return value of 0 means IPv6 is enabled and 1 means it is disabled:

cat /proc/sys/net/ipv6/conf/all/disable_ipv6
cat /proc/sys/net/ipv6/conf/default/disable_ipv6

If the file does not exist, IPv6 is disabled.

1.2. Check the IP addresses to confirm

ifconfig
ip address list

There are only IPv4 addresses, which confirms that IPv6 is not enabled.

1.3. Enable IPv6 on the server

# Edit the network configuration

vim /etc/sysconfig/network
-------------------------
# made for IPv6
NETWORKING_IPV6=yes
-------------------------

# Add DNS resolver addresses

vim /etc/resolv.conf
-------------------------
......
# IPv6 DNS by google
nameserver ::::
nameserver ::::
-------------------------

# Edit the kernel parameters to enable IPv6

vim /etc/sysctl.conf
-------------------------
# for enable ipv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
-------------------------
sysctl -p

This reports the following errors:

error: "net.ipv6.conf.all.disable_ipv6" is an unknown key
error: "net.ipv6.conf.default.disable_ipv6" is an unknown key
error: "net.ipv6.conf.lo.disable_ipv6" is an unknown key

Cause of the errors: the IPv6 module is not enabled.

Use the following command to check the state of the IPv6 module:

lsmod | grep ipv6
-----------------------
[root@zstest ~]# lsmod | grep ipv6
ipv6 ib_ipoib,ib_addr
-----------------------

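With output like the above, ipv6 shows up as being used, but that is not what we need. Run the following command to load the IPv6 module manually: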

modprobe ipv6
----------------------
[root@zstest ~]# modprobe ipv6
FATAL: Module off not found.
----------------------

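It still fails. The reason is that the configuration file for the IPv6 module is set to disabled and needs to be edited.
Find the file and change it to the following: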

vim /etc/modprobe.d/disable_ipv6.conf
----------------------
#alias net-pf- off
#alias ipv6 off
options ipv6 disable=
----------------------

Run modprobe ipv6 again; no output means it succeeded.
Run lsmod | grep ipv6 again:

[root@zstest ~]# lsmod | grep ipv6
ipv6

Run the following command again; it now runs normally. If it does not succeed, reboot the system.

sysctl -p

Run the following commands; the IPv6 addresses now exist:

ifconfig
ip address list
-------------------------
[root@zstest ~]# ifconfig
eth0 Link encap:Ethernet HWaddr ::3E::E2:CA
inet addr:10.10.1.151 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80:::3eff:fe06:e2ca/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (414.6 KiB) TX bytes: (1.6 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::/ Scope:Host
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (64.8 KiB) TX bytes: (64.8 KiB)

[root@zstest ~]# ip address list
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ::3e::e2:ca brd ff:ff:ff:ff:ff:ff
inet 10.10.1.151/ brd 10.10.1.255 scope global eth0
inet6 fe80:::3eff:fe06:e2ca/ scope link
valid_lft forever preferred_lft forever
------------------------

At this point IPv6 is enabled on the Alibaba Cloud server. Next, an IPv6 tunnel has to be configured to provide IPv6 access from outside.
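The checks from section 1 collected into one diagnostic, as an added example that is not part of the original post. The function name `ipv6_blockers`, its output labels and the sample tree are assumptions made for illustration; the sample files are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: list what keeps IPv6 disabled,
# following the checks in section 1. $1 is a root prefix: "" for the live
# system, or a constructed directory tree for an offline run.
ipv6_blockers() {
    local root="$1" f name
    # An active "alias ipv6 off" is what makes "modprobe ipv6" fail with
    # "FATAL: Module off not found." (net-pf-10 is the AF_INET6 alias).
    for f in "$root"/etc/modprobe.d/*.conf; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*alias[[:space:]]+(ipv6|net-pf-10)[[:space:]]+off' "$f" &&
            echo "alias-off ${f#"$root"}"
        grep -Eq '^[[:space:]]*options[[:space:]]+ipv6[[:space:]].*disable=1' "$f" &&
            echo "module-disable=1 ${f#"$root"}"
    done
    # Runtime state: 0 = enabled, 1 = disabled, missing file = disabled.
    for name in all default; do
        f="$root/proc/sys/net/ipv6/conf/$name/disable_ipv6"
        if [ ! -e "$f" ]; then
            echo "proc-missing $name"
        elif [ "$(cat "$f")" != "0" ]; then
            echo "proc-disabled $name"
        fi
    done
    # sysctl.conf lines that would switch IPv6 off again on "sysctl -p".
    f="$root/etc/sysctl.conf"
    [ -f "$f" ] && grep -E '^[[:space:]]*net\.ipv6\.conf\.[^.]+\.disable_ipv6[[:space:]]*=[[:space:]]*1' "$f" |
        sed -E 's/^[[:space:]]*([^[:space:]=]+).*/sysctl-disabled \1/'
    return 0
}

# Constructed sample tree (an assumption about the "before" state of the image).
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/etc/modprobe.d" "$d/proc/sys/net/ipv6/conf/all"
    printf 'alias net-pf-10 off\nalias ipv6 off\noptions ipv6 disable=1\n' \
        > "$d/etc/modprobe.d/disable_ipv6.conf"
    echo 1 > "$d/proc/sys/net/ipv6/conf/all/disable_ipv6"
    printf 'net.ipv6.conf.all.disable_ipv6 = 1\n' > "$d/etc/sysctl.conf"
    echo "$d"
}

sample=$(make_sample)
ipv6_blockers "$sample"
rm -rf "$sample"
```

On a real host, call `ipv6_blockers ""`; empty output means none of these switches is holding IPv6 off.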

2. Create the IPv6 tunnel

2.1. First register an account on the official website:

https://www.tunnelbroker.net/

2.2. Configure the IPv6 tunnel

After logging in, create a tunnel with Create Regular Tunnel.

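On the next page, the following two options have to be filled in:
IPv4 Endpoint (Your side) ---> enter the public IP address of the ECS instance
Available Tunnel Servers ---> choose the tunnel server location; in general the HK server in Asia is close to mainland China and has low latency
When done, click "Create Tunnel" to create the tunnel.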

2.3. View the tunnel information

Click "Main Page" in the top left corner to open the home page and find the tunnel that was just created.

Click it to view the details.

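Fill in the description ---> Description:

Below that is the tunnel's IP address information, which needs to be noted down.

2.4. Generate the commands that create the tunnel interface

On the tunnel details page, click the "Example Configurations" tab and select the matching system type.

My system is 64-bit CentOS-6.9, and there are two modes to choose from for the configuration.

(1) Mode 1: linux-net-tools mode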

Run the generated commands on the Alibaba Cloud server:

# linux-net-tools mode
-----------------------
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::66.220.18.42
ifconfig sit1 up
ifconfig sit1 inet6 add ::c:6c3::/
route -A inet6 add ::/ dev sit1
-----------------------

Check the IP information; there are two new interfaces, sit0 and sit1:

ifconfig
ip address list
-----------------------
[root@zstest ~]# ifconfig
eth0 Link encap:Ethernet HWaddr ::3E::E2:CA
inet addr:10.10.1.151 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80:::3eff:fe06:e2ca/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (1.3 MiB) TX bytes: (8.5 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::/ Scope:Host
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (388.1 KiB) TX bytes: (388.1 KiB)

sit0 Link encap:IPv6-in-IPv4
inet6 addr: ::127.0.0.1/ Scope:Unknown
inet6 addr: ::10.10.1.151/ Scope:Compat          # this is the Alibaba Cloud server's private IP
UP RUNNING NOARP MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 b) TX bytes: (0.0 b)

sit1 Link encap:IPv6-in-IPv4
inet6 addr: ::c:6c3::/ Scope:Global
inet6 addr: fe80::a0a:/ Scope:Link
UP POINTOPOINT RUNNING NOARP MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 b) TX bytes: (0.0 b)

[root@zstest ~]# ip address list
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ::3e::e2:ca brd ff:ff:ff:ff:ff:ff
inet 10.10.1.151/ brd 10.10.1.255 scope global eth0
inet6 fe80:::3eff:fe06:e2ca/ scope link
valid_lft forever preferred_lft forever
: sit0: <NOARP,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/sit 0.0.0.0 brd 0.0.0.0
inet6 ::10.10.1.151/ scope global
valid_lft forever preferred_lft forever
inet6 ::127.0.0.1/ scope host
valid_lft forever preferred_lft forever
: sit1: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/sit 0.0.0.0 peer 66.220.18.42
inet6 ::c:6c3::/ scope global
valid_lft forever preferred_lft forever
inet6 fe80::a0a:/ scope link
valid_lft forever preferred_lft forever
-------------------------

The following command shows the IPv6 routing information:

route -A inet6
-------------------------
[root@zstest ~]# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
*/ * U sit0
::c:6c3::/ * U sit1
fe80::/ * U eth0
fe80::/ * U sit1
*/ * U sit1
localhost/ * U lo
::10.10.1.151/ * U lo
localhost/ * U lo
ipv6.zuiyoujie.com/ * U lo
fe80::a0a:/ * U lo
fe80:::3eff:fe06:e2ca/ * U lo
ff00::/ * U eth0
ff00::/ * U sit1
-------------------------

Next, use the ping6 command to test connectivity through the tunnel:

[root@zstest ~]# ping6 ipv6.google.com
PING ipv6.google.com(hkg12s02-in-x0e.1e100.net) data bytes
bytes from hkg12s02-in-x0e.1e100.net: icmp_seq= ttl= time= ms
bytes from hkg12s02-in-x0e.1e100.net: icmp_seq= ttl= time= ms
bytes from hkg12s02-in-x0e.1e100.net: icmp_seq= ttl= time= ms
bytes from hkg12s02-in-x0e.1e100.net: icmp_seq= ttl= time= ms
^C
--- ipv6.google.com ping statistics ---
packets transmitted, received, % packet loss, time 5974ms
rtt min/avg/max/mdev = 326.864/327.732/330.198/1.480 ms

A tcpdump capture looks like this:

[root@zstest ~]# tcpdump -nn  -i sit1
tcpdump: WARNING: sit1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on sit1, link-type RAW (Raw IP), capture size bytes
::59.532401 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::00.531604 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::01.531606 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::01.858483 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::02.532339 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::02.859174 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::03.534006 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::03.864169 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::04.534990 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::04.861923 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
^C
packets captured
packets received by filter
packets dropped by kernel
[root@zstest ~]#

At this point, linux-net-tools mode is configured successfully.

(2) Mode 2: linux-router2 mode

Run the following commands on the Alibaba Cloud server:

modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 66.220.18.42 local 10.10.1.151 ttl
ip link set he-ipv6 up
ip addr add ::c:6c3::/ dev he-ipv6
ip route add ::/ dev he-ipv6
ip -f inet6 addr

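# Note: the address the website generates after "local" is the Alibaba Cloud public address, which cannot be used; it has to be changed to the corresponding private address, here 10.10.1.151

# Check the IP information; there is one new interface: he-ipv6
# he-ipv6 carries the tunnel's client IP, i.e. the "Client IPv6 Address:" above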

ifconfig
ip address list
-------------------------
[root@zstest ~]# ifconfig
eth0 Link encap:Ethernet HWaddr ::3E::E2:CA
inet addr:10.10.1.151 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: fe80:::3eff:fe06:e2ca/ Scope:Link
UP BROADCAST RUNNING MULTICAST MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (1.5 MiB) TX bytes: (9.2 MiB)

he-ipv6 Link encap:IPv6-in-IPv4
inet6 addr: ::c:6c3::/ Scope:Global
inet6 addr: fe80::a0a:/ Scope:Link
UP POINTOPOINT RUNNING NOARP MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (0.0 b) TX bytes: (0.0 b)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::/ Scope:Host
UP LOOPBACK RUNNING MTU: Metric:
RX packets: errors: dropped: overruns: frame:
TX packets: errors: dropped: overruns: carrier:
collisions: txqueuelen:
RX bytes: (431.5 KiB) TX bytes: (431.5 KiB)

[root@zstest ~]# ip address list
: lo: <LOOPBACK,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/loopback ::::: brd :::::
inet 127.0.0.1/ scope host lo
inet6 ::/ scope host
valid_lft forever preferred_lft forever
: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu qdisc pfifo_fast state UP qlen
link/ether ::3e::e2:ca brd ff:ff:ff:ff:ff:ff
inet 10.10.1.151/ brd 10.10.1.255 scope global eth0
inet6 fe80:::3eff:fe06:e2ca/ scope link
valid_lft forever preferred_lft forever
: sit0: <NOARP> mtu qdisc noqueue state DOWN
link/sit 0.0.0.0 brd 0.0.0.0
: he-ipv6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu qdisc noqueue state UNKNOWN
link/sit 10.10.1.151 peer 66.220.18.42
inet6 ::c:6c3::/ scope global
valid_lft forever preferred_lft forever
inet6 fe80::a0a:/ scope link
valid_lft forever preferred_lft forever
------------------------

# The following command shows the IPv6 routing information

route -A inet6
------------------------
[root@zstest ~]# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
::c:6c3::/ * U he-ipv6
fe80::/ * U eth0
fe80::/ * U he-ipv6
*/ * U he-ipv6
localhost/ * U lo
ipv6.zuiyoujie.com/ * U lo
fe80::a0a:/ * U lo
fe80:::3eff:fe06:e2ca/ * U lo
ff00::/ * U eth0
ff00::/ * U he-ipv6
-----------------------

Next, use the ping6 command to test connectivity through the tunnel:

[root@zstest ~]# ping6 ipv6.google.com
PING ipv6.google.com(hkg07s21-in-x0e.1e100.net) data bytes
bytes from hkg07s21-in-x0e.1e100.net: icmp_seq= ttl= time= ms
bytes from hkg07s21-in-x0e.1e100.net: icmp_seq= ttl= time= ms
bytes from hkg07s21-in-x0e.1e100.net: icmp_seq= ttl= time= ms
bytes from hkg07s21-in-x0e.1e100.net: icmp_seq= ttl= time= ms
^C
--- ipv6.google.com ping statistics ---
packets transmitted, received, % packet loss, time 4052ms
rtt min/avg/max/mdev = 352.681/353.712/356.706/1.875 ms
[root@zstest ~]#

A tcpdump capture looks like this:

[root@zstest ~]# tcpdump -nn  -i he-ipv6
tcpdump: WARNING: he-ipv6: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on he-ipv6, link-type RAW (Raw IP), capture size bytes
::52.308875 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::52.661535 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::53.310354 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::53.663056 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::54.311855 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::54.668535 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::55.313331 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::55.666041 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
::56.314835 IP6 ::c:6c3:: > :::::200e: ICMP6, echo request, seq , length
::56.667574 IP6 :::::200e > ::c:6c3::: ICMP6, echo reply, seq , length
^C
packets captured
packets received by filter
packets dropped by kernel

In this mode ping6 also gets through; just remember to change the generated IP.
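The "local" caveat of mode 2, as an added example that is not part of the original post: pick the tunnel's local endpoint from the addresses actually bound on the host. The function names are assumptions, the `ip -4 -o addr show` output is a constructed sample, and 203.0.113.10 is a documentation address standing in for the instance's public IP.

```shell
#!/bin/bash
# Added example, not from the original post: choose the "local" endpoint for
# "ip tunnel add ... mode sit" from the addresses bound on this host.

# stdin: `ip -4 -o addr show` output. Prints each global-scope IPv4 address.
bound_ipv4() {
    awk '$3 == "inet" && /scope global/ { split($4, a, "/"); print a[1] }'
}

# $1    = address the tunnel broker page generated after "local" (public IP)
# stdin = `ip -4 -o addr show` output
# Prints the address to use, or returns 1 when the choice is ambiguous.
tunnel_local() {
    local generated="$1" addrs count
    addrs=$(bound_ipv4)
    # The generated address is usable only if it is configured on this host.
    if printf '%s\n' "$addrs" | grep -qxF "$generated"; then
        echo "$generated"
        return 0
    fi
    # Behind NAT the public IP is not bound here: fall back to the single
    # private address, as the post does with 10.10.1.151.
    count=$(printf '%s\n' "$addrs" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    echo "$addrs"
}

# Constructed sample: an instance that only has its private address bound.
sample_addrs='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.10.1.151/24 brd 10.10.1.255 scope global eth0\       valid_lft forever preferred_lft forever'

printf '%s\n' "$sample_addrs" | tunnel_local 203.0.113.10
```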

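Comparison of the two modes:

1) Operation: mode 1 is simpler than mode 2, since mode 2 requires changing the IP address; mode 1 is recommended

2) Interface entries: mode 1 creates more interface entries than mode 2

3) Route entries: mode 1 creates more route entries than mode 2

3. Configure an IPv6 website for testing

nginx can be used to serve a website over IPv6.

3.1. Configure the IPv6 DNS record

Since the page has to be reachable, the domain needs a matching DNS record in Alibaba Cloud: add an IPv6 AAAA record.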

3.2. Make sure nginx is installed and configured

Installing and tuning nginx is not shown here; the download address is:

http://nginx.org/download/nginx-1.8.0.tar.gz

Mine was compiled and installed from source with the following configure options; note that IPv6 support has to be added:

./configure --prefix=/usr/local/nginx  --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-ipv6

3.3. Edit the page file

cd /usr/local/nginx/html/
cp index.html index.html.ori
vim index.html
-------------------------
ipv6.zuiyoujie.com
-------------------------

3.4. Edit the nginx configuration file to serve over IPv6

vim ipv6.zuiyoujie.com.conf
-------------------------
# ipv6web
server {
    listen [::c:6c3::]:;
    server_name ipv6.zuiyoujie.com;
    charset utf-;
    location / {
        root html;
        index index.html index.htm;
    }
}
-------------------------

3.5. Reload nginx and test page access

service nginx reload

3.6. Ways to test the IPv6 website

1) Linux command: curl

[root@zstest extra]# curl - ipv6.zuiyoujie.com
ipv6.zuiyoujie.com

2) Linux command: wget

[root@zstest extra]# wget - ipv6.zuiyoujie.com
---- ::-- http://ipv6.zuiyoujie.com/
Resolving ipv6.zuiyoujie.com... ::c:6c3::
Connecting to ipv6.zuiyoujie.com|::c:6c3::|:... connected.
HTTP request sent, awaiting response... OK
Length: [text/html]
Saving to: “index.html”

%[======================================>] --.-K/s in 0s

-- :: (5.32 MB/s) - “index.html” saved [/]

[root@zstest extra]# cat index.html
ipv6.zuiyoujie.com

3) Web-based IPv6 test tool

http://ipv6-test.com/validate.php

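The information in the green box shows that access over IPv6 succeeds.

At this point the Alibaba Cloud server is set up to serve the website over IPv6, which fully satisfies Apple's IPv6 check for apps.

Extension: on early Alibaba Cloud servers, the method above cannot successfully configure the IPv6 tunnel.

Reason: on early Alibaba Cloud servers both the private and the public IP address are configured inside the server, as follows: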

On this type of server, after configuring with the mode 1 method, sit0 and sit1 get one more IPv6 address, as in the figure below.

After configuring, test connectivity to Google with the following command:

ping6 ipv6.google.com

The name resolves successfully, but the ping does not get through. Capture with tcpdump:

There are only outgoing packets and no replies. Check the routing table:

[root@zstest ~]# route -A inet6
Kernel IPv6 routing table
Destination Next Hop Flags Metric Ref Use Iface
*/ * U sit0
::c:6c3::/ * U sit1
google-public-dns-a.google.com/ google-public-dns-a.google.com UC sit1
hkg07s01-in-x0e.1e100.net/ hkg07s01-in-x0e.1e100.net UC sit1
fe80::/ * U eth0
fe80::/ * U eth1
fe80::/ * U sit1
*/ * U sit1
localhost/ * U lo
::10.44.202.10/ * U lo
::101.200.230.217/ * U lo
localhost/ * U lo
tunnel483503-pt.tunnel.tserv15.lax1.ipv6.he.net/ * U lo
fe80::a2c:ca0a/ * U lo
fe80::65c8:e6d9/ * U lo
fe80:::3eff:fe03:a015/ * U lo
fe80:::3eff:fe2e:ab15/ * U lo
ff00::/ * U eth0
ff00::/ * U eth1
ff00::/ * U sit1
[root@zstest ~]#

Disabling one of the interfaces before configuring does not solve this either:

ifdown eth1
ifconfig sit0 up
ifconfig sit0 inet6 tunnel ::66.220.18.42
ifconfig sit1 up
ifconfig sit1 inet6 add ::c:6c3::/
route -A inet6 add ::/ dev sit1
ifup eth1

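This did not work with either eth0 or eth1, and it temporarily drops the connection to the server; before testing, make sure you can connect directly to the console command line.

The problem above is fairly hard to solve and is not my strong suit; anyone interested can look into it.

That's all, hehe.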
