Traefik with IPv6 on frontend and X-Forwarded-For #977
I am running the latest 1.1.2 release of Traefik with Docker. My GitLab container shows me the last sign-on IP of users. I have seen that some users have 172.17.0.1 (the Docker host) logged as their sign-on IP. After debugging, I found out that it was IPv6 related.
```yaml
traefik:
  image: traefik
  command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
  ports:
    - "80:80"
    - "8080:8080"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /dev/null:/traefik.toml

whoami1:
  image: emilevauge/whoami
  labels:
    - "traefik.backend=whoami"
    - "traefik.frontend.rule=Host:whoami.docker.localhost"

whoami2:
  image: emilevauge/whoami
  labels:
    - "traefik.backend=whoami"
    - "traefik.frontend.rule=Host:whoami.docker.localhost"
```
Now let domain.com be a domain with an A and an AAAA record for IPv4 and IPv6. The client has a native dual-stack IPv6/IPv4 WAN network.
Over IPv6 (default):
Only for IPv4 the X-Forwarded-For header has the real value. Any way to fix that?
I'm running Traefik 1.2.0-rc1 with file-based config on some Amazon Ubuntu 14.04 instances and am getting the correct IPv6 addresses in X-Forwarded-For.
So, I'm not sure why it's different for you. Perhaps it's fixed in the newer versions, or maybe something about the Docker environment?
@timwhite I stumbled over the same problem while setting up my load balancer. I solved it by using docker-ipv6nat. Here is a working docker-compose file, which I ran on my public host, obtaining the following results:
```yaml
version: '2.3'

services:
  traefik:
    image: traefik
    command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/traefik.toml

  whoami:
    image: emilevauge/whoami
    labels:
      - "traefik.backend=whoami"
      - "traefik.frontend.rule=Host:whoami.docker.localhost"
      - "traefik.port=80"

  ipv6nat:
    image: robbertkl/ipv6nat
    privileged: true
    network_mode: "host"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro

networks:
  default:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        # must be a ULA range
        - subnet: fd00:dead:beef::/48
```
I'm having the exact same problem. When using IPv6 to connect to the server, Traefik does not seem to be redirecting the correct IPv6 address to the backend, as shown below:
When I use IPv4, everything seems to be fine. The whitelist will now work, so I get an expected 403 Forbidden. It's most likely that Traefik can't correctly handle IPv6 requests, or that the implementation of IPv6 in Docker has some issue. I'm not familiar with the lower-level implementation details, so I hope someone can give this issue a closer look.
@ldez maybe you should re-open the issue?
I was facing the same problem when using whitelists on apache2 containers with Traefik. After some research, I added a very generic rule to ip6tables:
Basically, I got the IPv6 address of my Traefik container and added a rule to forward all traffic to Traefik over IPv6 as well. After that, the RemoteAddr parameter of Traefik got the correct IP of the request. Look at my whoami container after the rule was added:
Maybe something is missing in the Traefik implementation?
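Added example (not code from this thread or from the Traefik project): a backend-side whitelist check that fails closed when the address in X-Forwarded-For is a Docker bridge or ULA address, which is the symptom reported above when IPv6 connections lose their source address on the way to Traefik. The function names, the sample whitelist and the assumption that the last X-Forwarded-For entry is the one added by the proxy are illustrative; the NAT ranges are taken from the 172.17.0.1 address and the compose file in this thread.

```python
import ipaddress

# Assumed NAT-side ranges: Docker's default bridge (the issue reports
# 172.17.0.1) and the ULA subnet used in the compose file in this thread.
NAT_RANGES = [ipaddress.ip_network("172.17.0.0/16"),
              ipaddress.ip_network("fd00:dead:beef::/48")]

# Constructed sample whitelist (documentation ranges, not real clients).
SAMPLE_ALLOWED = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("2001:db8::/32")]


def client_from_xff(xff):
    """Parse the last X-Forwarded-For entry (assumed to be the one appended
    by the reverse proxy); return None if it is not an IP address."""
    last = xff.split(",")[-1].strip()
    try:
        addr = ipaddress.ip_address(last)
    except ValueError:
        return None
    # Normalise IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot dodge v4 rules.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def _in_any(addr, networks):
    return any(addr in n for n in networks if n.version == addr.version)


def whitelist_decision(xff, allowed):
    """Return 'allow' or a 'deny: <reason>' string for one request."""
    addr = client_from_xff(xff)
    if addr is None:
        return "deny: unparsable"
    # A bridge/ULA address here means the real client address was rewritten
    # before the proxy saw it, so the whitelist cannot be evaluated.
    if _in_any(addr, NAT_RANGES):
        return "deny: source address lost to NAT"
    return "allow" if _in_any(addr, allowed) else "deny: not whitelisted"


if __name__ == "__main__":
    for header in ["203.0.113.7", "172.17.0.1", "2001:db8::5",
                   "::ffff:172.17.0.1", "203.0.113.7, 172.17.0.1"]:
        print(f"{header!r:30} -> {whitelist_decision(header, SAMPLE_ALLOWED)}")
```

Counting the "source address lost to NAT" results per day also gives a quick signal for whether IPv6 traffic is still arriving with rewritten addresses after a change such as the ipv6nat setup above.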