oerdnj / deb.sury.org

Public bugreports for anything ppa:ondrej/*

packages.sury.org/php/apt.gpg not available through IPv6 #1768

Open pedrorosadodias opened 2 years ago

pedrorosadodias commented 2 years ago

Describe the bug

The https://packages.sury.org/php/apt.gpg file is not available through IPv6, only through IPv4.

To Reproduce

Steps to reproduce the behaviour.

  1. Go to the terminal and run the following commands:
    curl -6  https://packages.sury.org/php/apt.gpg
    curl: (7) Failed to connect to packages.sury.org port 443: Connection timed out

or

wget -S --inet6-only  http://packages.sury.org/php/apt.gpg
--2022-05-02 19:45:07--  http://packages.sury.org/php/apt.gpg
Resolving packages.sury.org (packages.sury.org)... 2a02:6ea0:c306::2
Connecting to packages.sury.org (packages.sury.org)|2a02:6ea0:c306::2|:80... failed: Connection timed out.
Retrying.
(...)

Expected behaviour

Since most of the resources under https://packages.sury.org/ are available through IPv6 it was expected that the https://packages.sury.org/php/apt.gpg file should be also available through IPv6.

Distribution (please complete the following information):

Additional context

Pings through IPv6 to packages.sury.org works just fine!

ping6 packages.sury.org
PING debsuryorg.b-cdn.net (2a02:6ea0:c306::2): 56 data bytes
64 bytes from unn-mad.cdn77.com: icmp_seq=0 ttl=51 time=11.759 ms
64 bytes from unn-mad.cdn77.com: icmp_seq=1 ttl=51 time=11.246 ms
64 bytes from unn-mad.cdn77.com: icmp_seq=2 ttl=51 time=11.327 ms
(...)

oerdnj commented 2 years ago

It depends on the location - Bunny CDN has some PoPs available over IPv6 and some not. You can use rsync to create a local APT mirror to IPv6 only locations.

luigifab commented 2 years ago

Can you do something? On my servers IPv6 only I can't use your repo, I'm sad.

ETNyx commented 2 years ago

> Can you do something? On my servers IPv6 only I can't use your repo, I'm sad.

Try to ask your provider if IPv4 behind NAT is available for your server; for us it works.

Fabi commented 2 years ago

packages.sury.org is not ipv6 compatible at all

oerdnj commented 2 years ago

Let me emphasize again: "You can use rsync to create a local APT mirror to IPv6-only locations."

Fabi commented 2 years ago

That is not the point.

oerdnj commented 2 years ago

The point is that if you've actually read what I replied the first time, you would know that you are wrong. BunnyCDN has some PoPs that are available over IPv6 and some PoPs are not. And if you are unlucky, you can rsync from the master source that IS available over IPv6. So, please take your fight elsewhere.

qeepcologne commented 2 years ago

It's a shame in 2022 how many big companies do not really support IPv6: Apple (verify receipts etc.), PayPal, Microsoft (GitHub), Oracle (MySQL PPA), WordPress (updates) and more. We solved this for us by setting up an HTTP proxy (tinyproxy).

ghost commented 1 year ago

I still cannot reach through IPv6..

TheCry commented 1 year ago

A question to anyone who has this problem: are you using the crowdsec software on the server? I had the same problem and I found the problem in crowdsec. They add the IP addresses from packages.sury.org to a blacklist. You have to configure crowdsec to whitelist the IPs.

tall1on commented 1 year ago

Had also an issue with crowdsec, I contacted them and did the following:

After that I was able to complete apt update again.

You can see that the IP has a bad standing: https://app.crowdsec.net/cti/169.150.247.37, I guess it's the same for the IPv6 one. They told me @oerdnj could contact them at support@crowdsec.net, so they can resolve this.

oerdnj commented 1 year ago

It’s a CDN address, so it’s absolute nonsense to do any kind of reputation check for it.

tall1on commented 1 year ago

Generally true, but usually a CDN is not involved in outbound attacks either. Maybe it's time to look for a more reputable CDN.

ddebin commented 1 year ago

1.5y later, Bunny CDN still does not support IPv6 from everywhere (AWS IE in my case). With AWS pushing for IPv6 only, it's a shame. Add 2400:52e0:1e02::1073:1 packages.sury.org to /etc/hosts to force IPv6 PoP resolution.
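
An added example, not part of the thread or of the project's code: a per-address-family TCP probe that separates the failure modes discussed above. A "timeout" on an address that still answers ping6 means the TCP SYN is being dropped silently, either by a local packet filter (such as the blocklist reported for crowdsec) or by a PoP that does not serve that family, while "no-route" means the host has no usable IPv6 path at all. The function names and the default host argument are choices made for this example.

```python
import errno
import socket
import sys

def classify(exc):
    """Map a connect() failure to a coarse diagnosis label."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"    # SYN dropped silently: filter, blocklist or dead PoP
    if isinstance(exc, ConnectionRefusedError):
        return "refused"    # host reachable, nothing listening on the port
    if isinstance(exc, OSError) and exc.errno in (errno.ENETUNREACH,
                                                  errno.EHOSTUNREACH):
        return "no-route"   # no route for this address family
    return "error"

def probe(sockaddr, family, timeout=5.0):
    """Attempt one TCP connect to sockaddr and return a diagnosis label."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()

def probe_host(host, port=443, timeout=5.0):
    """Probe every A and AAAA address of host; returns {family: {addr: label}}."""
    results = {}
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            infos = []      # no records (or no resolver) for this family
        results[family.name] = {
            info[4][0]: probe(info[4], family, timeout) for info in infos
        }
    return results

if __name__ == "__main__":
    # Host to test; the default is the repository host from this issue.
    target = sys.argv[1] if len(sys.argv) > 1 else "packages.sury.org"
    for fam, addrs in probe_host(target).items():
        if not addrs:
            print(f"{fam}: no addresses")
        for addr, label in addrs.items():
            print(f"{fam} {addr}: {label}")
```
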