[PR #1111] [MERGED] add IPv6 support for docker network #957

New Issue

GiteaMirror · 2025-11-13T12:14:49-06:00

GiteaMirror commented

2025-11-13 12:14:49 -06:00

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/1111
Author: @Xentrice
Created: 7/22/2025
Status: ✅ Merged
Merged: 7/22/2025
Merged by: @oschwartz10612

Base: main ← Head: main

📝 Commits (1)

7c12b8a add IPv6 support for docker network

📊 Changes

2 files changed (+3 additions, -1 deletions)

View changed files

📝 docker-compose.example.yml (+2 -1)
📝 install/config/docker-compose.yml (+1 -0)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Adding IPv6 support to the docker network to ensure no NATing takes place and the IP addresses are logged correctly. This ensures correct behavior of middlewares, for example Crowdsec or GeoBlock.
Successfully tested on Debian based systems with different IP configurations (IPv4 only/IPv6 only/both). Also successfully tested on an existing install (IPv4/6 dual, Debian 12).
I did however only test on Hetzner VPS. There might be some differences in the server setup across providers, but i doubt they would impact this change.

Some follow up thoughts regarding #110:
Upon further thinking I came to the conclusion that step 1 might be disruptive - blocking IPv6 completely might break some installs if users are using an IPv6 only server (unlikely, as GitHub doesn't have IPv6 support yet, but not completely ruled out).

I also put some thoughts again into enabling IPv6 by default on all new installations, and can't think of any reason not to. My initial hesitation was due to increased complexity, especially with dockers tendency to punch through existing firewall policies. After giving this some thought, i came to the conclusion that some basic tech knowledge can be expected from the user, and I think it is a reasonable expectation that someone provisioning an IPv6 capable server is aware of the implications. So, as of now, I don't see any downside to enable IPv6 on all new installations.

In the end, this was basically just adding one line and running a lot of tests. So @oschwartz10612... https://github.com/fosrl/pangolin/issues/110#issuecomment-2994275283 you were completely correct :)

Changing this to ask the user during installation would be trivial now that the tests are done, just let me know if you prefer this. TBH tho, after my tests, I don't see a reason anymore.

I am unsure about how to handle existing installations, if at all. A note in the release notes might be sufficient.

How to test?

Provision a fresh install or change the docker-compose.yml on an existing install
Ensure connection works from both IPv4 and IPv6 clients
Ensure the IP forwarding works as expected, for example by checking the traefik access.log. IPv6 addresses should now show correctly.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/1111 **Author:** [@Xentrice](https://github.com/Xentrice) **Created:** 7/22/2025 **Status:** ✅ Merged **Merged:** 7/22/2025 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `main` ← **Head:** `main` --- ### 📝 Commits (1) - [`7c12b8a`](https://github.com/fosrl/pangolin/commit/7c12b8ae25452cc4173b58eba42d1ac711d2dc14) add IPv6 support for docker network ### 📊 Changes **2 files changed** (+3 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `docker-compose.example.yml` (+2 -1) 📝 `install/config/docker-compose.yml` (+1 -0) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description Adding IPv6 support to the docker network to ensure no NATing takes place and the IP addresses are logged correctly. This ensures correct behavior of middlewares, for example Crowdsec or GeoBlock. Successfully tested on Debian based systems with different IP configurations (IPv4 only/IPv6 only/both). Also successfully tested on an existing install (IPv4/6 dual, Debian 12). I did however only test on Hetzner VPS. There might be some differences in the server setup across providers, but i doubt they would impact this change. Some follow up thoughts regarding #110: Upon further thinking I came to the conclusion that step 1 might be disruptive - blocking IPv6 completely might break some installs if users are using an IPv6 only server (unlikely, as GitHub doesn't have IPv6 support yet, but not completely ruled out). I also put some thoughts again into enabling IPv6 by default on all new installations, and can't think of any reason not to. My initial hesitation was due to increased complexity, especially with dockers tendency to punch through existing firewall policies. After giving this some thought, i came to the conclusion that some basic tech knowledge can be expected from the user, and I think it is a reasonable expectation that someone provisioning an IPv6 capable server is aware of the implications. So, as of now, I don't see any downside to enable IPv6 on all new installations. In the end, this was basically just adding one line and running a lot of tests. So @oschwartz10612... https://github.com/fosrl/pangolin/issues/110#issuecomment-2994275283 you were completely correct :) Changing this to ask the user during installation would be trivial now that the tests are done, just let me know if you prefer this. TBH tho, after my tests, I don't see a reason anymore. I am unsure about how to handle existing installations, if at all. A note in the release notes might be sufficient. ## How to test? Provision a fresh install or change the docker-compose.yml on an existing install Ensure connection works from both IPv4 and IPv6 clients Ensure the IP forwarding works as expected, for example by checking the traefik access.log. IPv6 addresses should now show correctly. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2025-11-13 12:14:49 -06:00

GiteaMirror closed this issue

2025-11-13 12:14:49 -06:00

Sign in to join this conversation.

Branches Tags

main

jit

dev

dependabot/npm_and_yarn/prod-minor-updates-47a8475ba0

dependabot/npm_and_yarn/dev-patch-updates-c4a0f28f13

dependabot/go_modules/install/minor-updates-a98db8910e

crowdin_dev

delete-domains

dependabot/npm_and_yarn/eslint-10.0.3

dependabot/npm_and_yarn/next-16.1.6

dependabot/npm_and_yarn/recharts-3.7.0

dependabot/go_modules/install/github.com/charmbracelet/huh-1.0.0

dependabot/github_actions/docker/login-action-4.0.0

dependabot/github_actions/actions/setup-node-6.3.0

msg-opt

dependabot/docker/docker/library/node-25-slim

dependabot/github_actions/actions/upload-artifact-7.0.0

dependabot/github_actions/actions/setup-go-6.3.0

cache

multi-role

logs-database

ssh

cloud-multi-org

delete-account

new-pricing

msg-delivery

org-only-idp

cicd

clients-user

1.12.3

policies

patch

site-targets-auto-login

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#957