Munzy
November 4, 2019, 6:22pm
1
Hey everyone,
I am looking for a little help. I’ve been trying to get nginx-proxy (GitHub - nginx-proxy/nginx-proxy: Automated nginx proxy for Docker containers using docker-gen) working with IPv6. It works, but the IP address is an IPv4 address from the docker server. I don’t want this… I want it to show my actual IPv6 client address. I use this for some of my apps.
X-Real-IP / X-Forwarded-For is showing the wrong IP address as well.
The problem is that the below gives me a fix that breaks the lets-encrypt companion.
Convos about it:
opened 09:12PM - 08 Jun 19 UTC
closed 12:22PM - 12 Jun 19 UTC
Hello,
By setting `nginx-proxy` with `docker-compose` and an external network… the remote ip address is the internal IP address and not the client IP address.
```
version: '2'
services:
  app:
    image: node:12-alpine
    restart: always
    command: sh -c "npm install && npm start"
    working_dir: /app
    expose:
      - 3000
    volumes:
      - ./dist:/app
    environment:
      - VIRTUAL_HOST=domain.com
      - VIRTUAL_PORT=3000
  proxy:
    image: jwilder/nginx-proxy
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./vhost.d:/etc/nginx/vhost.d
      - ./certs:/etc/nginx/certs:ro
      - ./html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    environment:
      - ENABLE_IPV6=true
    logging:
      driver: "none"
networks:
  default:
    external:
      name: nginx-proxy
```
Result:
```
'x-real-ip': '172.23.0.1',
'x-forwarded-for': '172.23.0.1',
'x-forwarded-proto': 'https',
'x-forwarded-ssl': 'on',
'x-forwarded-port': '443',
```
https://github.com/jwilder/nginx-proxy/issues/1283
Alas, any help would be appreciated. Even a different proxy would work for me.
1 Like
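The symptom in the dump above matters beyond logging: any backend that keys rate limits or allow-lists on the client address sees only the Docker bridge. The following is an added example, not code from the thread or from nginx-proxy, showing how a backend can resolve the client address from `X-Forwarded-For` and detect this masking. The function names, the peer address `172.23.0.5` and the `172.23.0.0/16` subnet (inferred from the `172.23.0.1` in the dump) are assumptions.

```python
import ipaddress

# Assumption: the Docker network the proxy and app share, inferred from the
# 172.23.0.1 in the header dump above. Adjust to the real bridge subnet.
TRUSTED_PROXIES = [ipaddress.ip_network("172.23.0.0/16")]


def _parse(text):
    """Parse one address; return None for empty or malformed input."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None


def _trusted(ip, networks):
    return any(ip in net for net in networks)


def client_ip(peer, headers, trusted=TRUSTED_PROXIES):
    """Resolve the client address the way a backend behind the proxy should.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy, and
    is read right to left so entries a client supplied itself are never used.
    """
    candidate = _parse(peer)
    if candidate is None or not _trusted(candidate, trusted):
        return candidate
    hops = headers.get("x-forwarded-for", "").split(",")
    for hop in reversed([_parse(h) for h in hops]):
        if hop is None:
            break  # malformed entry: stop, keep the last address we trust
        candidate = hop
        if not _trusted(hop, trusted):
            break  # first hop outside our own infrastructure
    return candidate


def diagnose(peer, headers, trusted=TRUSTED_PROXIES):
    """'masked' means only bridge addresses were seen: the real client is lost."""
    ip = client_ip(peer, headers, trusted)
    if ip is None:
        return "unparseable"
    return "masked" if _trusted(ip, trusted) else "ok"


# Constructed samples: the first mirrors the dump in the post, the second is
# what a working setup would deliver (2001:db8::/32 is a documentation prefix).
MASKED = {"x-real-ip": "172.23.0.1", "x-forwarded-for": "172.23.0.1"}
WORKING = {"x-real-ip": "2001:db8::7", "x-forwarded-for": "10.9.9.9, 2001:db8::7"}
```
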
WSS
November 4, 2019, 6:46pm
2
Munzy:
IPv6
I’m not sure there’s an easy way to do that without using DNAT, as docker sets up masquerade by default for all containers. Try launching with -P to expose the port, or use KVM as GOD and COUNTRY intended.
Munzy
November 4, 2019, 7:08pm
3
I think I might have figured it out, and -P doesn’t work just as an FYI.
Munzy
November 4, 2019, 7:10pm
4
WSS
November 4, 2019, 10:17pm
5
Huh. Surprised that it doesn’t, but assigning an IPv6 address should just work.
NealS
November 4, 2019, 10:24pm
6
I thought nginx-proxy was abandoned. traefik is a far more useful and elegant front-end proxy for docker containers IMHO. At least for my use cases.
Munzy
November 4, 2019, 11:34pm
7
I tried Traefik before, it was a mess to set up. Half the documentation wasn’t accurate or valid for the current release.
I spent a few days trying to set it up, only to find out that it wasn’t supported unless you bought the premium package.
Do you have a docker-compose with a working let’s encrypt bundle?
Also, it looks like nginx-proxy is being maintained to me:
https://github.com/jwilder/nginx-proxy/commits/master
NealS
November 5, 2019, 1:20am
8
Let’s encrypt certs support is built in to traefik, so that helps.
Here’s some relevant files. Maybe I should have PM’d them?
my docker-compose for traefik:
```
version: '2'
services:
  reverse-proxy:
    image: traefik # The official Traefik docker image
    restart: always
    ports:
      # - "80:80" # The HTTP port
      - "443:443" # HTTPS
      - "10.25.99.123:1880:8080" # The Web UI exposed to my vpn (enabled by --api)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/me/docker/traefik/acme.json:/acme.json
      - /home/me/docker/traefik/traefik.toml:/traefik.toml
      - /home/me/docker/traefik/logs:/var/log
    networks:
      - proxy
networks:
  proxy:
    external: true
```
… and the traefik.toml:
```
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[retry]

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "my-domain.com"
watch = true
exposedByDefault = false

[api]

[acme]
email = "[email protected]"
storage = "acme.json"
entryPoint = "https"
onHostRule = true
```
then in a docker-compose for a container that’s going to be exposed…
```
services:
  service-name:
    ...
    labels:
      - traefik.enable=true
      - traefik.backend=<service-name>
      - traefik.frontend.rule=Host:service.my-domain.com
      - traefik.docker.network=proxy
      - traefik.port=80
    networks:
      - default
      - proxy
    ...
```
the acme.json file is created and maintained by traefik. It holds certs and other info from Let’s Encrypt.
[Edit] And actually your IPv6 issues have been discussed (and solved I think) with traefik here.
3 Likes
Munzy
November 5, 2019, 4:03am
9
Thank you and Thank you!
And the IPv6 fix is what I did with Nginx-proxy. Exact same fix to be honest.
Daevien
November 6, 2019, 1:10am
10
There is also Neilpang/nginx-proxy (GitHub - Neilpang/nginx-proxy: Automated nginx proxy for Docker containers using docker-gen), which is a cleaner setup IMO. I’ve only messed around with it a bit in testing and for a low usage test case but it works well for that.
Munzy
November 6, 2019, 2:25am
11
Did you get it to work with IPv6? I tried it a few days ago, and it failed to work with IPv6.