IPv6 Request to Google API Returns 403, While IPv4 Returns 200 - Seeking Help

Questions / Help
1

I’m experiencing an issue on Fly.io where making a request to the Google API via IPv4 works as expected, returning HTTP 200, but when using IPv6, the request results in HTTP 403 (Forbidden).

Here are the commands I ran:

  • curl -4 'https://www.googleapis.com/oauth2/v1/certs' → returns 200 OK
  • curl -6 'https://www.googleapis.com/oauth2/v1/certs' → returns 403 Forbidden

Does anyone have insights on why this might be happening and how I can resolve it? Thanks in advance for your help!

2 
fly ssh console

curl -4 -v 'https://www.googleapis.com/oauth2/v1/certs'
* Host www.googleapis.com:443 was resolved.
* IPv6: (none)
* IPv4: 142.250.71.234, 142.250.207.74, 172.217.24.106, 172.217.24.234, 172.217.25.10, 172.217.27.10, 172.217.27.42, 172.217.31.10, 142.250.71.138, 142.250.76.10, 142.250.76.234, 142.250.196.234, 142.250.197.10, 142.250.197.170, 142.250.197.202, 142.250.71.202
*   Trying 142.250.71.234:443...
* Connected to www.googleapis.com (142.250.71.234) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=upload.video.google.com
*  start date: Aug 12 07:18:03 2024 GMT
*  expire date: Nov  4 07:18:02 2024 GMT
*  subjectAltName: host "www.googleapis.com" matched cert's "*.googleapis.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.googleapis.com/oauth2/v1/certs
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.googleapis.com]
* [HTTP/2] [1] [:path: /oauth2/v1/certs]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET /oauth2/v1/certs HTTP/2
> Host: www.googleapis.com
> User-Agent: curl/8.9.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< server: scaffolding on HTTPServer2
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< date: Wed, 11 Sep 2024 09:46:05 GMT
< expires: Wed, 11 Sep 2024 16:24:54 GMT
< cache-control: public, max-age=23929, must-revalidate, no-transform
< content-type: application/json; charset=UTF-8
< age: 38
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< accept-ranges: none
< vary: Origin,X-Origin,Referer,Accept-Encoding

curl -v 'https://www.googleapis.com/oauth2/v1/certs'
* Host www.googleapis.com:443 was resolved.
* IPv6: 2404:6800:4005:808::200a, 2404:6800:4005:801::200a, 2404:6800:4005:802::200a, 2404:6800:4005:807::200a
* IPv4: 142.250.71.138, 142.250.76.10, 142.250.76.234, 142.250.196.234, 142.250.197.10, 142.250.197.170, 142.250.197.202, 142.250.71.202, 142.250.71.234, 142.250.207.74, 172.217.24.106, 172.217.24.234, 172.217.25.10, 172.217.27.10, 172.217.27.42, 172.217.31.10
*   Trying [2404:6800:4005:808::200a]:443...
* Connected to www.googleapis.com (2404:6800:4005:808::200a) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=upload.video.google.com
*  start date: Aug 12 07:18:03 2024 GMT
*  expire date: Nov  4 07:18:02 2024 GMT
*  subjectAltName: host "www.googleapis.com" matched cert's "*.googleapis.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.googleapis.com/oauth2/v1/certs
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.googleapis.com]
* [HTTP/2] [1] [:path: /oauth2/v1/certs]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET /oauth2/v1/certs HTTP/2
> Host: www.googleapis.com
> User-Agent: curl/8.9.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 403 
< content-type: text/html; charset=UTF-8
< referrer-policy: no-referrer
< content-length: 1594
< date: Wed, 11 Sep 2024 09:47:39 GMT
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
3

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.