Traefik with IPv6 on frontend and X-Forwarded-For #977

Closed
CuBiC3D opened this Issue Dec 17, 2016 · 8 comments

CuBiC3D commented Dec 17, 2016

I am running the latest 1.1.2 release of Traefik with docker. My GitLab container shows me the last sign-on IP of users. I have seen that some users have 172.17.0.1 (docker host) as their logged sign-on IP. After debugging, I found out that it was IPv6 related.
Example setup from the docs on the server:

traefik:
  image: traefik
  command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
  ports:
    - "80:80"
    - "8080:8080"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /dev/null:/traefik.toml

whoami1:
  image: emilevauge/whoami
  labels:
    - "traefik.backend=whoami"
    - "traefik.frontend.rule=Host:whoami.docker.localhost"

whoami2:
  image: emilevauge/whoami
  labels:
    - "traefik.backend=whoami"
    - "traefik.frontend.rule=Host:whoami.docker.localhost"

Now let domain.com be a domain having an A and AAAA record for IPv4 and IPv6. The client has a native dual-stack IPv6/IPv4 WAN network.

Over IPv6 (default):

user@notebook:~$ curl -H Host:whoami.docker.localhost http://domain.com
Hostname: c5dd7935ecd7
IP: 127.0.0.1
IP: ::1
IP: 172.17.0.4
IP: fe80::42:acff:fe11:4
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.47.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.17.0.1
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Proto: http
X-Forwarded-Server: 907cbcedd362

Over IPv4:

user@notebook:~$ curl -4 -H Host:whoami.docker.localhost http://domain.com
Hostname: c5dd7935ecd7
IP: 127.0.0.1
IP: ::1
IP: 172.17.0.4
IP: fe80::42:acff:fe11:4
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.47.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 79.212.xx.xxx
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Proto: http
X-Forwarded-Server: 907cbcedd362

Only for IPv4 does the X-Forwarded-For header have the real value. Any way to fix that?
BTW: I ❤️ Traefik ;)

Contributor

Yggdrasil commented Mar 2, 2017

I'm running Traefik 1.2.0-rc1 with file-based config on some Amazon Ubuntu 14.04 instances and am getting the correct IPv6 addresses in X-Forwarded-For.

So, I'm not sure why it's different for you. Perhaps it's fixed in the newer versions, or maybe something about the Docker environment?

Member

ldez commented Jun 8, 2017

I'll close this issue, because I think the question is answered, but feel free to continue the conversation.

ldez closed this Jun 8, 2017


lvnilesh commented Jul 27, 2017

@Yggdrasil I'd appreciate it if you could describe your file-based config. I am running into a somewhat related issue, #1880.


timwhite commented May 30, 2018

I'm also having this issue. The fixes in #1880 seem directed at swarm mode, and I'm just using docker-compose with a single host. Any ideas?


smueller18 commented Jun 2, 2018

@timwhite I stumbled over the same problem while setting up my load balancer. I solved the problem by using docker-ipv6nat. Here is a working docker-compose file, which I ran on my public host, obtaining the following results:

version: '2.3'

services:

  traefik:
    image: traefik
    command: --web --docker --docker.domain=docker.localhost --logLevel=DEBUG
    ports:
      - "80:80"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /dev/null:/traefik.toml

  whoami:
    image: emilevauge/whoami
    labels:
      - "traefik.backend=whoami"
      - "traefik.frontend.rule=Host:whoami.docker.localhost"
      - "traefik.port=80"

  ipv6nat:
    image: robbertkl/ipv6nat
    privileged: true
    network_mode: "host"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro

networks:
  default:
    driver: bridge
    enable_ipv6: true
    ipam:
      driver: default
      config:
        # must be a ULA range
        - subnet: fd00:dead:beef::/48

> curl -4 -H Host:whoami.docker.localhost http://<MY_PUBLIC_DOMAIN>
Hostname: fdaf799d8bc1
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.2
IP: fd00:dead:beef::2
IP: fe80::42:acff:fe12:2
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.58.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 79.195.xxx.xxx
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 80d0cd2addfa
X-Real-Ip: 79.195.xxx.xxx

> curl -6 -H Host:whoami.docker.localhost http://<MY_PUBLIC_DOMAIN>
Hostname: fdaf799d8bc1
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.2
IP: fd00:dead:beef::2
IP: fe80::42:acff:fe12:2
GET / HTTP/1.1
Host: whoami.docker.localhost
User-Agent: curl/7.58.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 2003:c2:xxxx:xxxx:xxxx:xxxx:xxxx:6bec
X-Forwarded-Host: whoami.docker.localhost
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: 80d0cd2addfa
X-Real-Ip: 2003:c2:xxxx:xxxx:xxxx:xxxx:xxxx:6bec

BirkhoffLee commented Aug 4, 2018

I'm having the exact same problem. When using IPv6 to connect to the server, Traefik does not seem to be redirecting the correct IPv6 address to the backend, as shown below:

$ curl --header 'Host: xxxxxxxx.example.com' -k https://\[xxxxxxxxxxxxxxxx\]
Hostname: 78e82b30a25f
IP: 127.0.0.1
IP: 172.18.0.3
IP: 172.30.0.2
GET / HTTP/1.1
Host: xxxxxxxx.example.com
User-Agent: curl/7.54.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.19.0.1
X-Forwarded-Host: xxxxxxxx.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: b2464766e864
X-Real-Ip: 172.19.0.1

When I use IPv4, everything seems to be fine. The whitelist will now work, so I get an expected 403 Forbidden. Most likely Traefik can't correctly handle IPv6 requests, or the implementation of IPv6 in Docker has some issue. I'm not familiar with the lower-level implementation details, so I hope someone can give this issue a closer look.

@ldez maybe you should re-open the issue?
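The symptom reported in this thread (a bridge address such as 172.17.0.1 in X-Forwarded-For or X-Real-Ip instead of the client address) can be checked mechanically. The following is an added example, not code from the thread or from Traefik; the sample outputs are constructed in the shape of the whoami responses above, the function names are hypothetical, and it assumes the proxy appends the peer address it saw as the last X-Forwarded-For entry.

```python
import ipaddress

# Ranges that cannot belong to an Internet client: RFC 1918, loopback,
# link-local and IPv6 ULA (Docker bridge networks live in these).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
CLIENT_HEADERS = ("x-forwarded-for", "x-real-ip")

# Constructed samples shaped like the whoami output in this thread.
SAMPLE_LOST = """Hostname: c5dd7935ecd7
IP: 172.17.0.4
GET / HTTP/1.1
Host: whoami.docker.localhost
X-Forwarded-For: 172.17.0.1
X-Forwarded-Proto: http
"""
SAMPLE_KEPT = """Hostname: fdaf799d8bc1
IP: fd00:dead:beef::2
GET / HTTP/1.1
Host: whoami.docker.localhost
X-Forwarded-For: 2001:db8::6bec
X-Real-Ip: 2001:db8::6bec
"""


def client_ip_findings(whoami_output):
    """Return (header, address, verdict) for each client-IP header found."""
    findings = []
    for line in whoami_output.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or name not in CLIENT_HEADERS:
            continue  # skips "IP:", "Hostname:", the request line, other headers
        # Assumption: a chain is comma-separated and the nearest proxy
        # appended the peer address it saw as the last entry.
        hop = value.split(",")[-1].strip()
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            findings.append((name, hop, "unparseable"))
            continue
        internal = any(addr.version == n.version and addr in n for n in INTERNAL_NETS)
        findings.append((name, str(addr), "internal" if internal else "preserved"))
    return findings


def source_ip_lost(whoami_output):
    # True when any client-IP header carries an internal (NAT/bridge) address.
    return any(v == "internal" for _, _, v in client_ip_findings(whoami_output))
```

A client that legitimately sits on an internal network is also reported as "internal", so the check is meant for requests known to arrive from the public Internet.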


diogosm commented Aug 6, 2018

Hello guys,

I was facing the same problem when using whitelists on apache2 containers with Traefik. After some research I added a very generic rule to ip6tables:

IPV6=$(docker inspect traefik | grep -m1 GlobalIPv6Address | cut -d "\"" -f4)

sudo ip6tables -t nat -A PREROUTING \! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination "[$IPV6]:80"

Basically, I got the IPv6 address of my Traefik container and added a rule to forward all traffic to Traefik over IPv6 as well. After that, the RemoteAddr parameter of Traefik got the correct IP of the request. Look at my whoami container after the rule was added:

IP: 127.0.0.1
IP: ::1
IP: 172.17.0.51
IP: 2001:12f0:d1c:XXXX:XXXX:XXXX:XXXX:XXXX
IP: fe80::42:acff:fe11:33
GET / HTTP/1.1
Host: whoami.sites.ufam.edu.br
User-Agent: curl/7.55.1
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 2001:12f0:d1c:XXXX:XXXX:XXXX:XXXX:XXXX
X-Forwarded-Host: whoami.sites.ufam.edu.br
X-Forwarded-Port: 80
X-Forwarded-Proto: http
X-Forwarded-Server: f4ea5a9a3732
X-Real-Ip: 2001:12f0:d1c:XXXX:XXXX:XXXX:XXXX:XXXX

Maybe something is missing in the Traefik implementation?


diogosm commented Aug 6, 2018

Just updating...

It looks like an open issue in the Docker implementation. See this thread on the official docker libnetworking repo: #2023

j7an referenced this issue Sep 13, 2018: IPv6 Configuration #45 (Closed)
