From 2bde43c6e94c9f9cb818636b1c84858537830300 Mon Sep 17 00:00:00 2001
From: Joe Polny
Date: Fri, 5 Feb 2021 19:56:56 +0000
Subject: [PATCH 1/2] remove scoped ipv6 resolvers
---
 docker-entrypoint.sh | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index b425dfe..6eeada9 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -21,9 +21,16 @@ fi
 # Compute the DNS resolvers for use in the templates - if the IP contains ":", it's IPv6 and must be enclosed in []
 export RESOLVERS=$(awk '$1 == "nameserver" {print ($2 ~ ":")? "["$2"]": $2}' ORS=' ' /etc/resolv.conf | sed 's/ *$//g')
+
+SCOPED_IPV6_REGEX="\[fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\]"
+
 if [ "x$RESOLVERS" = "x" ]; then
- echo "Warning: unable to determine DNS resolvers for nginx" >&2
- unset RESOLVERS
+ echo "Warning: unable to determine DNS resolvers for nginx" >&2
+ unset RESOLVERS
+elif [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then
+ echo -n "Warning: Scoped IPv6 addresses removed from resolvers: " >&2
+ echo $RESOLVERS | grep -Eo $SCOPED_IPV6_REGEX | paste -s -d ' ' >&2
+ export RESOLVERS=$(echo $RESOLVERS | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n)
 fi
 # If the user has run the default command and the socket doesn't exist, fail
From 1a0d0d822ef1b07d1100b1af0cac231d94c35880 Mon Sep 17 00:00:00 2001
From: Joe Polny
Date: Sat, 6 Feb 2021 18:47:01 +0000
Subject: [PATCH 2/2] update IPv6 section in README
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index 0c62a10..595b461 100644
--- a/README.md
+++ b/README.md
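Review bot: In the docker-entrypoint.sh hunk the scoped-address strip runs only in the `elif`, after the empty check, so a resolv.conf whose only nameserver is a scoped `fe80::…%iface` entry leaves `RESOLVERS` exported as an empty string and skips the "unable to determine DNS resolvers" warning and the `unset`; how the templates treat an empty-but-set value is not visible here. Stripping first and testing for empty afterwards closes that gap. The new `echo $RESOLVERS` and `grep -Eo $SCOPED_IPV6_REGEX` expansions are unquoted, and since every IPv6 entry is wrapped in `[...]` the shell reads each one as a glob bracket pattern that can be swapped for a matching one-character file name in the working directory, so both should be quoted. The zone-ID class `[0-9a-zA-Z]{1,}` also misses interface names containing `-`, `.` or `_`, so such resolvers would pass through unstripped. `[[ … =~ … ]]` needs bash, and the shebang lies outside the hunk.

```shell
# … unchanged: SCOPED_IPV6_REGEX assignment …
if [[ $RESOLVERS =~ $SCOPED_IPV6_REGEX ]]; then
  printf 'Warning: Scoped IPv6 addresses removed from resolvers: ' >&2
  printf '%s\n' "$RESOLVERS" | grep -Eo "$SCOPED_IPV6_REGEX" | paste -s -d ' ' >&2
  RESOLVERS=$(printf '%s\n' "$RESOLVERS" | sed -r "s/$SCOPED_IPV6_REGEX//g" | xargs echo -n)
  export RESOLVERS
fi

if [ "x$RESOLVERS" = "x" ]; then
  # … unchanged: warning and unset RESOLVERS …
fi
```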
@@ -67,6 +67,14 @@ You can activate the IPv6 support for the nginx-proxy container by passing the v
 $ docker run -d -p 80:80 -e ENABLE_IPV6=true -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
+#### Scoped IPv6 Resolvers
+
+NginX does not support scoped IPv6 resolvers. In [docker-entrypoint.sh](./docker-entrypoint.sh) the resolvers are parsed from resolv.conf, but any scoped IPv6 addreses will be removed.
+
+#### IPv6 NAT
+
+By default, docker uses IPv6-to-IPv4 NAT. This means all client connections from IPv6 addresses will show docker's internal IPv4 host address. To see true IPv6 client IP addresses, you must [enable IPv6](https://docs.docker.com/config/daemon/ipv6/) and use [ipv6nat](https://github.com/robbertkl/docker-ipv6nat). You must also disable the userland proxy by adding `"userland-proxy": false` to `/etc/docker/daemon.json` and restarting the daemon.
+
 ### Multiple Ports
 If your container exposes multiple ports, nginx-proxy will default to the service running on port 80. If you need to specify a different port, you can set a VIRTUAL_PORT env var to select a different one. If your container only exposes one port and it has a VIRTUAL_HOST env var set, that port will be selected.