Failing to bind to IPv6 address


Kevin Reid

Jan 20, 2016, 12:43:25 AM
to sandst...@googlegroups.com
Background:
Now that free wildcard certs are a thing, I figured I'd get my self-hosted Sandstorm instance actually working. Important context is that the machine in question is already running an Apache web server, which doesn't currently do HTTPS but I want to in the future, so I can't dedicate 80-and-443 to Sandstorm.

I could configure Apache (instead of nginx) as a reverse proxy with SSL, but I figured that would be hairy to configure and keep running, so I decided to just use another IP address -- which, with IPv6, isn't hard to get any more.

Since the old install predated Sandcats, I reran the installer. But of course since it doesn't know about my plans, it saw the conflict on port 80. I went with the alternate port and then edited the config file to:

SERVER_USER=sandstorm
PORT=80
HTTPS_PORT=443
MONGO_PORT=6081
BIND_IP=2600:3c03:e000:18c::1
BASE_URL=https://switchborg.sandcats.io
WILDCARD_HOST=*.switchborg.sandcats.io
UPDATE_CHANNEL=dev
ALLOW_DEV_ACCOUNTS=false
SANDCATS_BASE_DOMAIN=sandcats.io

However, the server now won't start. /opt/sandstorm/var/log/sandstorm.log says:

sandstorm/util.c++:845: fatal: *exception = sandstorm/run-bundle.c++:1846: failed: bind(sockFd, reinterpret_cast<sockaddr *>(&sa), sizeof sa): Cannot assign requested address
stack: 0x4b48a2 0x4b485a 0x5944fe
** Front-end died immediately after starting.

Is Sandstorm not IPv6-clean?
Do I need to set some additional config option I missed?
(Is there a _reference_ for the config keys? I didn't find one.)
Am I doing something else wrong?

I've tried listening on the same address and port as
sudo nc -l -s 2600:3c03:e000:18c::1 -p 80
sudo nc -l -s 2600:3c03:e000:18c::1 -p 443
and it works, so the problem seems to be specific to Sandstorm.

--
Kevin Reid <http://switchb.org/kpreid/>

Asheesh Laroia

Jan 20, 2016, 1:13:14 AM
to Kevin Reid, sandst...@googlegroups.com
FWIW, you don't have to use a separate IPv6 address for this. The two of them can "share" port 443 via https://github.com/dlundquist/sniproxy . https://xamar.sandcats.io/shared/Bqa9dftNbc1Ni06D-SgBdkFuM_iky8VHAlTw0Rk1lzN is a 3/4 done tutorial on that.

Pablo Jamar and I have been revising that document over the past few days.

I say all this because Sandcats does not support IPv6 at the moment, and maybe Sandstorm itself doesn't (not sure; would have to investigate more). But via sniproxy you should be able to "share" port 443.


Kevin Reid

Jan 20, 2016, 10:44:10 AM
to sandst...@googlegroups.com
On Jan 19, 2016, at 22:12, Asheesh Laroia <ash...@sandstorm.io> wrote:

> FWIW, you don't have to use a separate IPv6 address for this. The two of them can "share" port 443 via https://github.com/dlundquist/sniproxy . https://xamar.sandcats.io/shared/Bqa9dftNbc1Ni06D-SgBdkFuM_iky8VHAlTw0Rk1lzN is a 3/4 done tutorial on that.

That is interesting information for future applications, but:

1. As a paranoid* and extremely lazy sysadmin, I don't want to run more server software than necessary.

2. The thing I am trying to do _ought to work_. And modern software ought to be capable of operating IPv6 only.

> I say all this because Sandcats does not support IPv6 at the moment,

Filed: https://github.com/sandstorm-io/sandstorm/issues/1394

> and maybe Sandstorm itself doesn't (not sure; would have to investigate more).

Filed: https://github.com/sandstorm-io/sandstorm/issues/1393

This one looks like maybe a simple bug!

All this said, I think I can proceed _for now_ by simply giving my main site HTTP server port 80 and my Sandstorm server port 443, only. This gives less-than-ideal results redirect-to-other-protocol-wise, and prevents me from getting around to enabling HTTPS on my main site, but it'll do until the above is fixed.


* Actually not paranoia: they** are out to get _all of us_.
** Security bugs.

Asheesh Laroia

Jan 21, 2016, 12:45:24 PM
to Kevin Reid, sandst...@googlegroups.com
Kevin, thanks for filing those! I'm looking forward to seeing them fixed.
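
The log in the first message shows bind() failing with "Cannot assign requested address" on an address that nc can bind. As an added example (not part of the thread and not Sandstorm's code; `tryBind` and `BindResult` are hypothetical names), this standalone C++ check binds a BIND_IP-style literal of either family by letting getaddrinfo() choose the sockaddr type and length, and reports the errno on failure:

```cpp
// Added example, not Sandstorm code. tryBind/BindResult are hypothetical names.
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <string>

struct BindResult {
  int family;  // AF_INET, AF_INET6, or 0 if the literal did not parse
  int err;     // 0 on success, otherwise errno from socket() or bind()
};

// Parse a numeric IPv4/IPv6 literal and try to bind a TCP socket to it.
// getaddrinfo() returns a sockaddr of the matching family and length, so
// nothing here hard-codes sockaddr_in or sockaddr_in6.
BindResult tryBind(const std::string& ip, const std::string& port) {
  addrinfo hints{};
  hints.ai_family = AF_UNSPEC;                        // accept either family
  hints.ai_socktype = SOCK_STREAM;
  hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;   // literals only, no DNS
  addrinfo* res = nullptr;
  if (getaddrinfo(ip.c_str(), port.c_str(), &hints, &res) != 0) return {0, EINVAL};
  BindResult out{res->ai_family, 0};
  int fd = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
  if (fd < 0) {
    out.err = errno;  // e.g. EAFNOSUPPORT when the kernel has IPv6 disabled
  } else {
    int one = 1;
    if (res->ai_family == AF_INET6)  // keep a v6 listener from also taking v4
      setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one);
    if (bind(fd, res->ai_addr, res->ai_addrlen) < 0) out.err = errno;
    close(fd);
  }
  freeaddrinfo(res);
  return out;
}

int main(int argc, char** argv) {
  std::string ip = argc > 1 ? argv[1] : "0.0.0.0";  // constructed defaults
  std::string port = argc > 2 ? argv[2] : "0";      // 0 = any free port
  BindResult r = tryBind(ip, port);
  std::printf("%s port %s: family=%s, %s\n", ip.c_str(), port.c_str(),
              r.family == AF_INET6 ? "IPv6" : r.family == AF_INET ? "IPv4" : "unparsed",
              r.err ? std::strerror(r.err) : "bound OK");
  return r.err ? 1 : 0;
}
```

Pass the address and port as arguments; ports below 1024 need root or CAP_NET_BIND_SERVICE.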
