IPv6 Configuration #45

Closed
j7an opened this issue Feb 18, 2018 · 22 comments

@j7an
Collaborator

j7an commented Feb 18, 2018

It looks like the .env only supports IPv4 addresses. By default does the .env file support IPv6 as well? If so, what is the configuration format or example to enable IPv6 for Nginx?

@evertramos
Owner

evertramos commented Feb 18, 2018

Try to add the following to your compose file on the proxy container:

environment:
    ENABLE_IPV6: true

And set up your ipv6 address in .env file as well.

@j7an
Collaborator Author

j7an commented Feb 19, 2018

Looks like true needs to be in quotes

ERROR: The Compose file './docker-compose.yml' is invalid because:
services.nginx-web.environment.ENABLE_IPV6 contains true, which is an invalid type, it should be a string, number, or a null
ERROR: The Compose file './docker-compose.yml' is invalid because:
services.nginx-web.environment.ENABLE_IPV6 contains true, which is an invalid type, it should be a string, number, or a null

like so

    environment:
      ENABLE_IPV6: 'true'

@j7an
Collaborator Author

j7an commented Feb 19, 2018

Working great once I added the IPv6 environment variable in .env. Then adding same to the docker-compose.yml. Thought I needed to modify Compose version to 2 as Docker's website says IPv6 is not compatible with latest version 3. But it's working great with 3. So I'll keep it as-is.

I was able to verify Nginx now successfully responds to IPv6 from one of the IPv6 test sites. Would be great if you can add this to the existing repo.

@j7an j7an closed this as completed Feb 19, 2018
@evertramos
Owner

I will add later on today.

Thanks for sharing!

@evertramos
Owner

If you could send a PR I will be glad to push it. But if not I will look into that in the next coming weeks.

@j7an
Collaborator Author

j7an commented Feb 24, 2018

@evertramos PR created: #48

@j7an
Collaborator Author

j7an commented Feb 24, 2018

@evertramos The reason I didn't get an error when using the following is because I had added the environment variable to nginx-web service.

ENABLE_IPV6: 'true'

When I added to networks, I got the following. So this verifies v3 Docker Compose does not support IPv6 for internal containers.

ERROR: The Compose file './docker-compose.yml' is invalid because:
networks.default.external value Additional properties are not allowed ('enable_ipv6' was unexpected)

@j7an
Collaborator Author

j7an commented Mar 8, 2018

@evertramos Adding ENABLE_IPV6: 'true' to nginx-web does not add an IPv6 address to the container. After starting the stack and doing a docker inspect [container_id] on nginx-web, I see the following which only shows IPv4.

            "Networks": {
                "webproxy": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": [
                        "nginx-web",
                        "5c67b349d187"
                    ],
                    "NetworkID": "bfcd947128121bff67fb0a32055560ec212fc78f48384f42e709a95acb5c761b",
                    "EndpointID": "905cae022a311798f9db9c3b6ce9e766e918a43a49cb7d06f535868082c47a60",
                    "Gateway": "172.18.0.1",
                    "IPAddress": "172.18.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:12:00:02",
                    "DriverOpts": null
                }

I believe a true IPv6 implementation is only possible using v2 Docker Compose and enabling IPv6 under networks:

My implementation doesn't enable IPv6 in Docker containers. It is only forwarding host IPv6 requests to nginx-web container. It works but has a flaw. IPv6 requests in nginx-web will be seen as coming from the Docker gateway, in my case it's "Gateway": "172.18.0.1" instead of real IPv6 address.

It may be better to have a separate docker-compose.yml v2 file for IPv6 or just wait for Docker to implement IPv6 in a future Compose v3+ update.

@evertramos
Owner

@j7an Thank you very much for your help!

I think you are right. As far as I could test on my side I could not get it to run with IPv6 as well, reason why I have not merged yet. But as soon as we get the new version we can arrange that. If you want to contribute to that please send pull request with full implementation when it's ready and I will be glad to test it and merge.

Best regards,

@j7an j7an mentioned this issue Mar 16, 2018
@j7an
Collaborator Author

j7an commented Mar 18, 2018

@evertramos Pls close PR for now. Thanks.

@MardariG

I was able to create IPv6 network by modifying network creation command from start.sh like:

docker network create --ipv6 --subnet 2001:41d0:401:3200::1/80 $NETWORK

I guess we can check if $IPv6 in .env and put it there like:

docker network create --ipv6 --subnet $IPv6 $NETWORK

until docker-compose v 3 will support enable_ipv6

@j7an
Collaborator Author

j7an commented Sep 13, 2018

@evertramos There might be a solution to IPv6 via example code here: traefik/traefik#977 (comment)

I'll have to play around with the repo and see how well it performs.

@evertramos
Owner

Hello @j7an!

Traefik... I have started to study... but still could not get an automation as we have today with @jwilder containers... but it seems to be a good point.

I will keep track of it and if you get some automation as we do have now let me know, I have very much interest on that.

Also to comply with swarm as well.

Thanks for your message I will give a try in a few weeks.

@j7an
Collaborator Author

j7an commented Sep 14, 2018

Hi @evertramos, I'm referring to docker-ipv6nat mentioned in the linked comment. Since Traefik is very similar to your repo, I think your project might work with docker-ipv6nat as well. The example code the commenter posted is a good starting point to getting IPv6 working for your project.

@evertramos
Owner

@j7an I see actually I cloned the repo and check a few things... and might work along, you are right. I am in another project for the moment, but as soon as I finish it I will come back to this subject.

Thanks again!

Did you get it working? If you do, you are welcome to do a PR we will get a new branch ipv6 for that!

@j7an
Collaborator Author

j7an commented Sep 17, 2018

@evertramos I will look into it on my end and will get back to you with my findings.

Swarm is nice. I've been reading Traefik documentation. Although they never specified how DNS A/AAAA records should be configured with their load balancer. Their doc did specify that their load balancer needs to be installed into the Swarm managers. So it might be possible to implement Swarm for High Availability with @jwilder Nginx container installed same way.

I've asked my own question on Swarm DNS here. Apparently DNS records need to point to all Swarm managers for load balancing. Using Cloudflare API will allow a Swarm manager's IP be removed from DNS if it fails for DNS Round Robin Failover.

Thanks.

@j7an j7an reopened this Sep 17, 2018
@j7an
Collaborator Author

j7an commented Sep 26, 2018

@evertramos @MardariG I have promising results.

Modified start.sh with following

# 2. Create docker network
# docker network create $NETWORK
docker run -d --restart=always -v /var/run/docker.sock:/var/run/docker.sock:ro --privileged --net=host robbertkl/ipv6nat
docker network create --ipv6 --subnet=fd00:dead:beef::/48 $NETWORK

Having the ipv6nat container started in the docker-compose.yml doesn't enable IPv6 or provide IPv6 addresses to the other containers.

I also modified the ports in docker-compose.yml as docker was complaining about the IPv6 address format to the following:

services:
  nginx-web:
    image: nginx
    labels:
        com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    container_name: ${NGINX_WEB:-nginx-web}
    restart: always
    ports:
      - "80:80"
      - "443:443"

When ipv6nat is started before webproxy is created, running docker network inspect webproxy, I get the following:

[
    {
        "Name": "webproxy",
        "Id": "7a532a0bda2c6d440d090d21395477b7ae4d3a891ef387c84b72065612344780",
        "Created": "2018-09-26T21:36:29.335280283Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.23.0.0/16",
                    "Gateway": "172.23.0.1"
                },
                {
                    "Subnet": "fd00:dead:beef::/48"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "0682fb3efb26066354fd57e4b31e0d1af01e28aa918eb35c46e43ed1581568eb": {
                "Name": "nginx-web",
                "EndpointID": "5e6f43d346e27dc8115d5c8769fa0e79b55ebc4f58dd013fc9a46fd50cc12e6e",
                "MacAddress": "02:42:ac:17:00:04",
                "IPv4Address": "172.23.0.4/16",
                "IPv6Address": "fd00:dead:beef::4/48"
            },
            "4c97b67fd86d109526d08ec2d0d09eebaf4c247ca1ca10a905ddf2818651e556": {
                "Name": "nginx-letsencrypt",
                "EndpointID": "d6a2981decf1b39fd5a9cf55e9e1fd0cfb1468dd3c781402fa7c6dcad54acf27",
                "MacAddress": "02:42:ac:17:00:03",
                "IPv4Address": "172.23.0.3/16",
                "IPv6Address": "fd00:dead:beef::3/48"
            },
            "4d3736a9c7261d6728e74d3365df00e225ec9e532d849e1d404b56f6e84b36c4": {
                "Name": "nginx-gen",
                "EndpointID": "89f4d9bf081bfd0a8c50f21cf1cda2ad747cd4502cc3b596217b1d5b5b0f145e",
                "MacAddress": "02:42:ac:17:00:02",
                "IPv4Address": "172.23.0.2/16",
                "IPv6Address": "fd00:dead:beef::2/48"
            }
        },
        "Options": {},
        "Labels": {}
    }
]

I can do a PR for start.sh but @evertramos I'll need your help in looking into IPv6 configuration in .env and docker-compose.yml files. Although Traefik configuration from the commenter I referenced earlier only specified port numbers.

@evertramos
Owner

I will check and reply! Thanks!!! Give me a couple weeks ok? =)

@j7an j7an mentioned this issue Sep 28, 2018
@samip5

samip5 commented Feb 10, 2020

Can someone please tell me why is NAT being used here for IPv6? @j7an

There are cases when people have /56 blocks, and my default docker bridge has a /60 prefix allocated to it as I have set it so.

@j7an
Collaborator Author

j7an commented Feb 19, 2020

@samip5 It's mainly for logging/diagnostic purposes when a visitor to your server uses IPv6. If the Docker containers only support IPv4 then docker logs command will show traffic arriving from the Docker gateway if the visitor is using IPv6. One use case would be to use an internal analytics tool that tracks visitors via IP which can be more accurate than Google Analytics that can be blocked by Ad Blocking browser extensions. Another use case would be to track real IPs including IPv6 addresses if your server is getting DDOSed.

@samip5

samip5 commented Feb 20, 2020

@j7an You mean like so?

172.20.0.3 - - [18/Feb/2020:23:14:24 +0000] "GET / HTTP/1.1" 401 581 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" "172.20.0.1"
172.20.0.3 - - [18/Feb/2020:23:14:25 +0000] "GET / HTTP/1.1" 401 581 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36" "172.20.0.1"

@j7an
Collaborator Author

j7an commented Mar 2, 2020

@samip5 Correct.
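
Added example, not part of the thread or the project's code: a Python check, run over constructed `docker network inspect` output and constructed access-log lines, that reports containers with no IPv6 address and log entries whose forwarded client address is a bridge-internal one (the symptom shown in the log excerpt above). The network contents, the log lines and the function names are assumptions made for illustration.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of `docker network inspect` output (abbreviated):
# an IPv4-only bridge, the state described in the Mar 8, 2018 comment.
NETWORK_JSON = """
[{"Name": "webproxy", "EnableIPv6": false,
  "IPAM": {"Config": [{"Subnet": "172.20.0.0/16", "Gateway": "172.20.0.1"}]},
  "Containers": {
    "aaa": {"Name": "nginx-web", "IPv4Address": "172.20.0.3/16", "IPv6Address": ""},
    "bbb": {"Name": "nginx-gen", "IPv4Address": "172.20.0.2/16", "IPv6Address": ""}}}]
"""

# Constructed log lines: nginx "combined" format plus a trailing quoted
# X-Forwarded-For field, the layout of the excerpt in the thread.
LOG_LINES = [
    '172.20.0.3 - - [18/Feb/2020:23:14:24 +0000] "GET / HTTP/1.1" 401 581 "-" "curl/7.68.0" "172.20.0.1"',
    '172.20.0.3 - - [18/Feb/2020:23:15:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0" "2001:db8::42"',
    '172.20.0.3 - - [18/Feb/2020:23:15:09 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.68.0" "198.51.100.7"',
]

# Group 1: remote address. Group 2: the last quoted field on the line.
LOG_RE = re.compile(r'^(\S+) .* "([^"]*)"$')

def bridge_subnets(network):
    """Subnets (IPv4 and IPv6) assigned to the Docker network."""
    return [ipaddress.ip_network(c["Subnet"]) for c in network["IPAM"]["Config"]]

def containers_without_ipv6(network):
    """Names of attached containers that were given no IPv6 address."""
    return sorted(c["Name"] for c in network["Containers"].values()
                  if not c.get("IPv6Address"))

def masked_requests(lines, subnets):
    """Lines whose forwarded client address lies inside the bridge network,
    meaning the visitor's own address never reached the proxy."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        fwd = m.group(2).split(",")[0].strip() if m else "-"
        try:
            addr = ipaddress.ip_address(fwd)
        except ValueError:
            continue  # "-" or a malformed header
        if any(addr in net for net in subnets):
            hits.append(line)
    return hits

network = json.loads(NETWORK_JSON)[0]
```

On a live host the same functions can be fed the parsed output of `docker network inspect` and the proxy's access log; a non-empty `masked_requests` result means per-visitor logging, analytics or rate limiting is keyed on the Docker gateway rather than on real clients.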
