Originally, my blog setup was planned as a pure IPv6 project via WireGuard, as the whole thing is hosted on a home server (by the way, you can get free IPv6 addresses at route64.org). To increase accessibility, I have now added an external IPv4 proxy (thanks to @Larvitz).

However, this immediately caused TLS certificate issues: with both the A and AAAA records pointing at the proxy, Let's Encrypt's validation requests landed on the proxy instead of on my server, so the challenge on my server could not succeed.

The Solution: The "IPv6 Hack"

The solution was to point the AAAA record directly at my server's WireGuard IPv6 address, so that only the A record goes through the proxy.

  • Domain: blog.burningboard.org
  • A-Record (Proxy): 194.28.98.217
  • AAAA-Record (Server): 2a11:6c7:f05:a8::2 (WireGuard)

With the AAAA record pointing directly at my WireGuard address, Let's Encrypt reaches my server over IPv6 (its validator prefers IPv6 whenever an AAAA record exists) and issues the certificate. IPv4 visitors land on the proxy, which terminates their TLS connection and forwards the request to my server over a second, separately encrypted HTTPS connection. One caveat worth stating plainly: because the proxy terminates TLS, it sees IPv4 traffic in plaintext, so it has to be run by someone you trust.

The Final Configuration

For this to work cleanly, both Caddy instances needed a small adjustment:

1. On my server (NixOS, blog.nix)

So that the real visitor IPs reach my server (via the forwarding headers the proxy sets) instead of every request appearing to come from the proxy, the proxy's address must be listed as a trusted proxy. Caddy honours X-Forwarded-For only from addresses in this list; without it, any client could spoof its own IP simply by sending that header:

services.caddy.globalConfig = ''
  servers {
      # the proxy's IPv6 address as seen by my server; only this peer may set forwarding headers
      trusted_proxies static 2a06:9801:1c:1000::10
  }
'';

2. On the external proxy (Caddy)

For the proxy to reach my server over HTTPS, it must send the hostname as SNI in the TLS handshake so that my Caddy selects the right certificate (the original Host header is forwarded as well):

reverse_proxy https://[2a11:6c7:f05:a8::2]:443 {
    # forward the visitor's Host header unchanged
    header_up Host {host}
    transport http {
        # SNI for the TLS connection to the origin (the upstream is an IP literal)
        tls_server_name blog.burningboard.org
    }
}
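The reason the trusted_proxies entry in step 1 matters is easy to get wrong, so here is an added illustration (my own example, not code from this post or from Caddy) of the client-IP logic a server behind a reverse proxy has to apply: forwarding headers are honoured only when the TCP peer is a listed proxy, and the header is walked from right to left so that a visitor cannot plant a fake address at its front. The function name `client_ip`, the right-to-left rule (the same idea as Caddy's `trusted_proxies_strict` option; its default takes the leftmost value) and the sample visitor addresses are assumptions and constructed data; the trusted address is the proxy IP from the configuration above.

```python
import ipaddress
from typing import Optional

# Trusted proxy ranges. The address is the proxy's IPv6 from the Caddy config above;
# only connections arriving from here may carry forwarding headers we believe.
TRUSTED_PROXIES = [ipaddress.ip_network("2a06:9801:1c:1000::10/128")]


def is_trusted(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr falls inside one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    # membership across address families simply returns False
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address to log / rate-limit as the real visitor.

    remote_addr: the TCP peer address of the connection
    xff:         the X-Forwarded-For header value, or None if absent

    If the peer is not a trusted proxy, the header is ignored entirely, because
    anyone can set it. Otherwise walk the header right to left, skip every hop
    that is itself a trusted proxy, and stop at the first untrusted hop: that is
    the address the outermost trusted proxy actually talked to. Values further
    left were supplied by the visitor and are untrustworthy.
    """
    if not is_trusted(remote_addr, trusted) or not xff:
        return remote_addr

    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # malformed entry: do not trust the header beyond this point
            return remote_addr
        if not is_trusted(str(ip), trusted):
            return str(ip)

    # every hop was a trusted proxy: fall back to the peer address
    return remote_addr


if __name__ == "__main__":
    PROXY = "2a06:9801:1c:1000::10"
    # constructed sample requests (documentation-range addresses)
    cases = [
        ("genuine IPv4 visitor via proxy", PROXY, "203.0.113.7"),
        ("direct IPv6 visitor spoofing XFF", "2001:db8::1", "203.0.113.7"),
        ("visitor injected a fake first hop", PROXY, "198.51.100.9, 203.0.113.7"),
        ("trusted proxy listed as a hop", PROXY, f"203.0.113.7, {PROXY}"),
        ("proxy without header", PROXY, None),
    ]
    for label, peer, header in cases:
        print(f"{label:40s} peer={peer:25s} xff={header!s:35s} -> {client_ip(peer, header)}")
```

Run it with `python3 client_ip.py` to see each case resolved; the second and third rows are the ones the trusted_proxies setting protects against: a direct IPv6 visitor cannot impersonate another address by sending the header, and a visitor arriving through the proxy cannot push a fake address in front of the one the proxy appends.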

The blog is now accessible via IPv4 and IPv6, securely encrypted, and my home IP remains private! 🚀