seed_gateway_terminated_listener binds 0.0.0.0:9997 (IPv4 only) — TFGrid Web Gateway cannot reach backend via mycelium IPv6 #55

New issue

Closed

opened 2026-05-25 16:17:46 +00:00 by mik-tf · 1 comment

mik-tf commented

2026-05-25 16:17:46 +00:00

Owner

The s152 D-28 seed function seed_gateway_terminated_listener at crates/hero_proxy_server/src/db.rs:1312 calls add_listener(\"0.0.0.0:9997\", ...) which binds IPv4-only.

TFGrid Web Gateway routes traffic to backends specified by URL. When the backend is on a tenant VM the gateway reaches it via mycelium overlay (IPv6 ULA). With hero_proxy bound to 0.0.0.0:9997, the gateway cannot establish a TCP connection to the mycelium IPv6 backend — every public request returns HTTP 502 Bad Gateway from the upstream.

Reproduced live at s158: deploy_webgateway succeeded substrate-side, gateway URL resolved with valid TLS, but every request returned 502 because the backend http://[mycelium_ip]:9997 was unreachable. Workaround: manually add [::]:9998 listener via listener.add admin RPC and redeploy gateway with backend on :9998. Confirmed working — public URL https://hcockpit.gent01.qa.grid.tf/hero_cockpit/web/services returns HTTP 200 with the IPv6 listener.

Fix: change the seed bind from 0.0.0.0:9997 to [::]:9997 (dual-stack — accepts both IPv4-mapped IPv6 and native IPv6 on Linux when IPV6_V6ONLY=false, which is the default for hyper/axum).

This unblocks every Hero OS TFGrid deploy from needing the manual IPv6 listener workaround.

The s152 D-28 seed function `seed_gateway_terminated_listener` at `crates/hero_proxy_server/src/db.rs:1312` calls `add_listener(\"0.0.0.0:9997\", ...)` which binds IPv4-only. TFGrid Web Gateway routes traffic to backends specified by URL. When the backend is on a tenant VM the gateway reaches it via mycelium overlay (IPv6 ULA). With hero_proxy bound to `0.0.0.0:9997`, the gateway cannot establish a TCP connection to the mycelium IPv6 backend — every public request returns HTTP 502 Bad Gateway from the upstream. Reproduced live at s158: `deploy_webgateway` succeeded substrate-side, gateway URL resolved with valid TLS, but every request returned 502 because the backend `http://[mycelium_ip]:9997` was unreachable. Workaround: manually add `[::]:9998` listener via `listener.add` admin RPC and redeploy gateway with backend on `:9998`. Confirmed working — public URL https://hcockpit.gent01.qa.grid.tf/hero_cockpit/web/services returns HTTP 200 with the IPv6 listener. Fix: change the seed bind from `0.0.0.0:9997` to `[::]:9997` (dual-stack — accepts both IPv4-mapped IPv6 and native IPv6 on Linux when `IPV6_V6ONLY=false`, which is the default for hyper/axum). This unblocks every Hero OS TFGrid deploy from needing the manual IPv6 listener workaround.

mik-tf referenced this issue from lhumina_code/home

2026-05-25 16:33:41 +00:00

[META] Hero OS demo-deployer arc tracker (cockpit + proxy + content + deployer + manifest + integration) #235

mik-tf commented

2026-05-26 02:37:30 +00:00

Author

Owner

Closed by hero_proxy 7a4aa68 — seed_gateway_terminated_listener() at db.rs:1318 now binds [::]:9997 dual-stack instead of IPv4-only 0.0.0.0:9997. Removes the s158 manual :9998 workaround listener. Direct-push squash did not trigger auto-close. 39/39 hero_proxy_server unit tests pass.

Closed by [hero_proxy `7a4aa68`](https://forge.ourworld.tf/lhumina_code/hero_proxy/commit/7a4aa68) — `seed_gateway_terminated_listener()` at `db.rs:1318` now binds `[::]:9997` dual-stack instead of IPv4-only `0.0.0.0:9997`. Removes the s158 manual `:9998` workaround listener. Direct-push squash did not trigger auto-close. 39/39 hero_proxy_server unit tests pass.

mik-tf closed this issue

2026-05-26 02:37:30 +00:00