deb.sury.org
packages.sury.org/php/apt.gpg not available through IPv6
Describe the bug
The https://packages.sury.org/php/apt.gpg file is not available through IPv6, only through IPv4.
To Reproduce
Steps to reproduce the behaviour.
- Go to the terminal and run the following commands:
curl -6 https://packages.sury.org/php/apt.gpg
curl: (7) Failed to connect to packages.sury.org port 443: Connection timed out
or
wget -S --inet6-only http://packages.sury.org/php/apt.gpg
--2022-05-02 19:45:07-- http://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)... 2a02:6ea0:c306::2
Connecting to packages.sury.org (packages.sury.org)|2a02:6ea0:c306::2|:80... failed: Connection timed out.
Retrying.
(...)
Expected behaviour
Since most of the resources under https://packages.sury.org/ are available through IPv6 it was expected that the https://packages.sury.org/php/apt.gpg file should be also available through IPv6.
Distribution (please complete the following information):
- OS: Debian or Ubuntu or macOS
- Architecture: amd64
- Repository: packages.sury.org
Additional context
Pings through IPv6 to packages.sury.org work just fine!
ping6 packages.sury.org
PING debsuryorg.b-cdn.net (2a02:6ea0:c306::2): 56 data bytes
64 bytes from unn-mad.cdn77.com: icmp_seq=0 ttl=51 time=11.759 ms
64 bytes from unn-mad.cdn77.com: icmp_seq=1 ttl=51 time=11.246 ms
64 bytes from unn-mad.cdn77.com: icmp_seq=2 ttl=51 time=11.327 ms
(...)
It depends on the location - Bunny CDN has some PoPs available over IPv6 and some not. You can use rsync to create a local APT mirror to IPv6 only locations.
Can you do something? On my servers IPv6 only I can't use your repo, I'm sad.
Can you do something? On my servers IPv6 only I can't use your repo, I'm sad.
Try to ask your provider if IPv4 behind NAT is available for your server, for us it works.
packages.sury.org is not ipv6 compatible at all
Let me emphasize again: "You can use rsync to create a local APT mirror to IPv6-only locations."
That is not the point.
The point is that if you've actually read what I replied the first time, you would know that you are wrong. BunnyCDN has some PoPs that are available over IPv6 and some PoPs are not. And if you are unlucky, you can rsync from the master source that IS available over IPv6. So, please take your fight elsewhere.
It's a shame in 2022 how many big companies do not really support IPv6: Apple (verify receipts etc.), PayPal, Microsoft (GitHub), Oracle (MySQL PPA), WordPress (updates) and more. We solved this for ourselves by setting up an HTTP proxy (tinyproxy).
I still cannot reach through IPv6..
A question to anyone who has this problem: are you using the crowdsec software on the server? I had the same problem and I found the problem in crowdsec. They add the IP addresses from packages.sury.org to a blacklist. You have to configure crowdsec to whitelist the IPs.
I also had an issue with crowdsec; I contacted them and did the following:
- created a CAPI whitelist with the packages.sury.org IP: https://docs.crowdsec.net/docs/next/whitelist/create_capi/
- cleared the decision:
cscli decision delete --ip 169.150.247.38
- restarted all components:
systemctl restart crowdsec.service && systemctl restart crowdsec-firewall-bouncer.service
After that I was able to complete apt update again.
You can see that the IP has a bad standing: https://app.crowdsec.net/cti/169.150.247.37, I guess it's the same for the IPv6 one. They told me @oerdnj could contact them at [email protected], so they can resolve this.
It’s a CDN address, so it’s absolute nonsense to do any kind of reputation check for it.
Generally true, but usually a CDN is not involved in outbound attacks either. Maybe it's time to look for a more reputable CDN.
1.5y later, Bunny CDN still does not support IPv6 from everywhere (AWS IE in my case). With AWS pushing for IPv6 only, it's a shame. Add
2400:52e0:1e02::1073:1 packages.sury.org
to /etc/hosts to force IPv6 PoP resolution.
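Added example, not part of the thread or the project's code: the report shows ICMP answering while TCP to port 80/443 times out, so a per-family TCP probe is the useful check for telling "this IPv6 PoP does not answer" apart from "everything to this host is dropped", the case the crowdsec comments describe. The function names and status strings are this example's own.

```python
import socket

def probe(host, port=443, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """TCP-connect to every A/AAAA address of host: {family: [(ip, status)]}."""
    report = {}
    for name, family in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        try:
            infos = resolve(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []                        # no record for this family
        rows = []
        for ip in sorted({info[4][0] for info in infos}):
            try:
                connect((ip, port), timeout).close()
                rows.append((ip, "open"))
            except (socket.timeout, TimeoutError):   # SYN never answered
                rows.append((ip, "timeout"))
            except OSError as exc:            # refused, no route, ...
                rows.append((ip, "error:" + type(exc).__name__))
        report[name] = rows
    return report

def diagnose(report):
    """Map a probe() report to one of the situations discussed in the thread."""
    v4 = {status for _, status in report["ipv4"]}
    v6 = {status for _, status in report["ipv6"]}
    if not v6:
        return "no-aaaa"                      # name has no IPv6 address at all
    if "open" in v6:
        return "ipv6-ok"
    if v6 == {"timeout"} and "open" in v4:
        return "ipv6-timeout-ipv4-ok"         # the symptom in the original report
    if v6 == {"timeout"} and v4 == {"timeout"}:
        return "all-timeout"                  # both dropped: check local block lists
    return "inconclusive"

if __name__ == "__main__":
    result = probe("packages.sury.org")
    for fam, rows in result.items():
        for ip, status in rows:
            print(f"{fam:5} {ip:40} {status}")
    print("diagnosis:", diagnose(result))
```

An `all-timeout` result is the point at which looking at local firewall decisions, as in the crowdsec comments above, is worth doing before blaming the CDN.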