GuidoD
(Guido Drehsen)
January 29, 2023, 11:24am
1
For your information, I just created a pull request for the web.ssl.template.yml to be able to use the IPv6 NAT function of Docker in a Discourse instance.
With my change I was able to use the IPv6 NAT of Docker with Discourse.
Without my change, requests from IP6 clients were rejected by Discourse; only requests from IP4 clients were accepted.
NAT IP6 is now handled by Docker similar to NAT IP4.
discourse:main
← GuidoDr:patch-1
opened 11:14AM - 29 Jan 23 UTC
The "listen [::]:443 ssl http2;" is also required in the first rewrite section w… here it was only rewritten to "listen 443 ssl http2;". Otherwise Discourse will reject requests from pure IP6 web browser access.
it has to be:
- replace:
    filename: "/etc/nginx/conf.d/discourse.conf"
    from: /listen 80;\s+listen \[::\]:80;\s+gzip on;/m
    to: |
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      SSL_TEMPLATE_SSL_BLOCK
With this change the docker IPv6 NAT is handled correctly by Discourse.
In order to enable IP6 in docker without the userland-proxy, create the file /etc/docker/daemon.json and restart the docker daemon. Then the original IP6 from the accessing client is visible in Discourse for the admins under last IP address and can be checked with the IP check. With the userland-proxy only the IP4 address of the docker daemon would be shown there.
Here is the content of my daemon.json (I just anonymized my DNS servers a little bit with the xxx):
{
  "userland-proxy": false,
  "ipv6": true,
  "fixed-cidr-v6": "fd00::/80",
  "experimental": true,
  "ip6tables": true,
  "dns": ["xxx.169.148.34","xxx.214.7.22","8.8.8.8","8.8.4.4"]
}
With this, the docker container is not exposed directly to the internet with a global IPv6 but instead it is running with a ULA that is not accessible globally. So IP6 is handled in docker with NAT like IP4.
And Discourse is now reachable by IP4 and IP6, and the original IP address is always visible in Discourse.
1 Like
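A check of the daemon.json settings described in the post above, as an added example that is not part of the original post and is not Discourse or Docker code. The function name `audit_daemon_json` and the sample text are constructed for illustration; the keys are the ones shown in the post.

```python
import ipaddress
import json

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local address range

# Constructed sample: the settings from the post, DNS entries left out.
SAMPLE = """{
  "userland-proxy": false,
  "ipv6": true,
  "fixed-cidr-v6": "fd00::/80",
  "experimental": true,
  "ip6tables": true
}"""


def audit_daemon_json(text):
    """Return findings; an empty list means the settings match the post's setup."""
    cfg = json.loads(text)
    findings = []
    if cfg.get("ipv6") is not True:
        findings.append("ipv6 is not enabled")
    if cfg.get("ip6tables") is not True:
        findings.append("ip6tables is not enabled, so Docker manages no IPv6 NAT rules")
    # Docker's userland proxy is on unless explicitly disabled.
    if cfg.get("userland-proxy", True) is not False:
        findings.append("userland-proxy is on, so the client source address is hidden")
    cidr = cfg.get("fixed-cidr-v6")
    if cidr is None:
        findings.append("fixed-cidr-v6 is missing")
        return findings
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        findings.append(f"fixed-cidr-v6 is not a valid prefix: {cidr!r}")
        return findings
    # A prefix outside fc00::/7 would give containers non-ULA addresses.
    if net.version != 6 or not net.subnet_of(ULA):
        findings.append(f"fixed-cidr-v6 {net} is outside the ULA range {ULA}")
    return findings


if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE) or ["no findings"]:
        print(finding)
```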
GuidoD
(Guido Drehsen)
April 4, 2023, 10:35am
2
Can someone from the discourse core developer team please check my PR,
so that it gets either merged or rejected and closed?
sam
(Sam Saffron)
April 4, 2023, 10:45am
3
The trouble here is that I am not sure we want to increase this surface by default.
I am mixed on changing this for all installs; exposing v6 may or may not be the intent of the user.
Will ask internally if we would like to make the change or not.
3 Likes
Agreed. The following is a better way to do this and gives an easy avenue to opt into this behaviour:
discourse:main
← discourse:ipv6_template
opened 05:39PM - 04 Apr 23 UTC
By default nginx in the container only listens for IPv4 connections. Some users
… want to enable direct IPv6 connectivity to the container either via forwarding
or NAT. This provides an easy method to allow that.
6 Likes
GuidoD
(Guido Drehsen)
April 5, 2023, 6:47am
6
Thanks for the PR, and that it was merged immediately into discourse docker.
I just did the git pull, enabled the “templates/web.ipv6.template.yml” in the app.yml and did the rebuild of the app after I had disabled my changes in web.ssl.template.yml.
Our site is still running fine on IPv4 and IPv6.
2 Likes
system
(system)
Closed
May 5, 2023, 6:48am
7
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.