Open ssuess opened 2 years ago
I have found a switch for enabling IPv6 supposedly, but when I follow the instructions here (https://easyengine.io/handbook/customising-docker-compose-stack-in-easyengine-v4/) it does not seem to work. I created a new file in /opt/easyengine/services/ called docker-compose-custom.yml, inside of which I added the following:

    version: '3.5'
    services:
      global-nginx-proxy:
        environment:
          - ENABLE_IPV6=true

Then tried all of the following:
- ee site enable --force (fails without site name, but I am changing a service)
- ee service enable --force (also fails)
- ee service restart nginx-proxy (works, but no ipv6 is found in the logs for nginx-proxy as I hoped after this)
- full machine reboot (same as above, no ipv6 recognized in logs still)
Any other suggestions? I would like to be able to run my sites over IPv6, but without some changes here (which I believe should be supported by default at this point in time) hackers can run roughshod over my sites if I enable IPv6 on the machine.
After a little further reading here (https://github.com/nginx-proxy/nginx-proxy#ipv6-support) it seems like I ALSO have to mess around with a separate IPv6 NAT install? And create a daemon.json file in /etc/docker? For now I will just disable IPv6 on the machine, but it is a real shame.
At the very least, if there will not be support for IPv6 in the product, there needs to be a big warning in the docs somewhere that it is a huge security risk to install EE on an IPv6 enabled machine.
Thanks for reporting the issue. I am looking into it.
@ssuess I checked the same documents and tried other ways as well but, at this point, I have not reached a positive outcome. As of now, it doesn't seem like the issue is from EasyEngine, as I tried the solution given in the Nginx-Proxy repo but it didn't work out for me.
Maybe try creating an issue on the Nginx-proxy repo for now and see what other people suggest.
Related: https://github.com/nginx-proxy/nginx-proxy/issues/1453 https://github.com/nginx-proxy/nginx-proxy/issues/1283
Ok, thanks for looking into this, I will make a report there. Nonetheless, at this point I think it is a pretty critical thing to add to the ee documentation, so that people do not set this up on an IPv6 enabled system. Otherwise they are opening themselves up to serious security issues.
As an add-on gotcha to this, Let's Encrypt was failing to renew and it wasn't immediately obvious why. Turned out I still had AAAA records for these sites in my DNS and I needed to delete those as well as disabling IPv6 on my server. Hope this helps someone else who might be experiencing the same issue.
There seems to be a serious issue with IPv6 enabled systems using EE. The nginx proxy seems to convert any source IPv6 address into a LOCAL IPv4 which then makes any hacking/login/whatever attacks seem like they are coming from the local machine and thus be unable to be blocked by security mechanisms or plugins (like wordfence). I initially reported this as a support request (https://github.com/EasyEngine/easyengine/discussions/1620) but now believe this to be a bug in EE.
System Information
Server: Docker Engine - Community
 Engine:
  Version: 20.10.9
  API version: 1.41 (minimum version 1.12)
  Go version: go1.16.8
  Git commit: 79ea9d3
  Built: Mon Oct 4 16:06:37 2021
  OS/Arch: linux/amd64
  Experimental: false
 containerd:
  Version: 1.4.11
  GitCommit: 5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version: 1.0.2
  GitCommit: v1.0.2-0-g52b36a2
 docker-init:
  Version: 0.19.0
  GitCommit: de40ad0

docker-compose version 1.25.0, build unknown
docker-py version: 4.1.0
CPython version: 3.8.10
OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020
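
An added example, not part of the original report and not EasyEngine or nginx-proxy code: one way to confirm the symptom described in this thread from the proxy's access log, by counting how many requests (and login POSTs) are attributed to internal addresses instead of real client IPs. The log layout, the /wp-login.php path, the sample lines and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed access-log layout: <vhost> <client_addr> - <user> [<time>] "<request>" <status>
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<addr>[0-9A-Fa-f:.]+) - \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Ranges that cannot be a real internet client: RFC 1918, loopback, ULA, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

def classify(addr):
    """Return 'internal', 'ipv4' or 'ipv6' for a logged client address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:a.b.c.d is really an IPv4 address
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "ipv6" if ip.version == 6 else "ipv4"

def summarize(lines, login_path="/wp-login.php"):
    """Count requests per address class and login POSTs logged as internal."""
    classes, internal_logins = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                 # startup messages, error-log lines, etc.
        try:
            kind = classify(m["addr"])
        except ValueError:
            continue                 # token looked like an address but is not one
        classes[kind] += 1
        if kind == "internal" and m["method"] == "POST" and m["path"].startswith(login_path):
            internal_logins[m["addr"]] += 1
    total = sum(classes.values())
    return {"classes": dict(classes),
            "internal_share": classes["internal"] / total if total else 0.0,
            "internal_logins": dict(internal_logins)}

# Constructed sample lines (not taken from the report).
def _line(addr, req):
    return (f'nginx.1    | example.test {addr} - - [04/Oct/2021:16:10:01 +0000] '
            f'"{req} HTTP/1.1" 200 512 "-" "-"')

SAMPLE = [_line("172.18.0.1", "POST /wp-login.php"), _line("172.18.0.1", "POST /wp-login.php"),
          _line("172.18.0.1", "GET /"), _line("203.0.113.7", "GET /"),
          _line("2001:db8::25", "GET /"), "nginx.1    | starting nginx on port 80"]
```

A high `internal_share` on a public-facing site, or any entries in `internal_logins`, means IP-based blocking in the application is acting on the proxy path's address rather than the client's.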