@Ikke
Created August 6, 2022 21:04
Docker + traefik + ipv6

IPv6 via traefik in docker

This adds an additional network to the traefik container with a public IPv6 subnet attached to it. Docker automatically assigns a free address from that IPv6 subnet to the traefik container.

Internally, traefik still forwards traffic to the services over an IPv4 network.

Note that, because docker does not do any NAT or proxying for IPv6, and this uses publicly routable IPv6 addresses, traffic directly reaches the containers unless you block it with a firewall. For 80/443 you actually want this to happen, though.

In some circumstances, I noticed that the IPv6 subnets assigned to docker were not externally reachable. This is because the external gateway tries to discover the destination with NDP (neighbor discovery), and nothing is responding: Linux does not answer neighbor solicitations for addresses behind it by default.

There is a sysctl setting called net.ipv6.conf.all.proxy_ndp which should enable this, but for me this still wasn't enough. Installing a service called npd6 and setting the assigned subnet in its configuration finally made it work.
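As an added example (not part of the gist), the Python below takes a `docker network inspect ipv6` dump and derives the two host-side pieces the text touches on: the NDP proxy entries the kernel needs for each container address (the manual form of what npd6 automates), and forward rules that let only the published ports reach the un-NATed subnet. The inspect JSON and the `eth0` uplink name are constructed assumptions.

```python
import ipaddress
import json

# Constructed stand-in for `docker network inspect ipv6` on the gist's setup:
# one traefik container holding the first free address after the gateway.
INSPECT_JSON = """[{
  "Name": "ipv6",
  "EnableIPv6": true,
  "IPAM": {"Config": [{"Subnet": "2001:db8:e001:15a:1::/80",
                       "Gateway": "2001:db8:e001:15a:1::1"}]},
  "Containers": {"0123abcd": {"Name": "traefik",
                              "GlobalIPv6Address": "2001:db8:e001:15a:1::2",
                              "GlobalIPv6PrefixLen": 80}}
}]"""


def container_addresses(inspect_json):
    """Map container name -> IPv6Address for addresses inside the network's
    configured subnet(s). Addresses outside it are returned separately so a
    misconfigured attachment is noticed instead of silently proxied."""
    net = json.loads(inspect_json)[0]
    subnets = [ipaddress.ip_network(c["Subnet"]) for c in net["IPAM"]["Config"]]
    inside, stray = {}, {}
    for c in net["Containers"].values():
        addr = ipaddress.ip_address(c["GlobalIPv6Address"])
        (inside if any(addr in s for s in subnets) else stray)[c["Name"]] = addr
    return inside, stray


def ndp_proxy_commands(addrs, uplink="eth0"):
    """Host-side commands that make the kernel answer the upstream router's
    neighbor solicitations for each container address. The uplink interface
    name is an assumption; use the interface facing your gateway."""
    cmds = ["sysctl -w net.ipv6.conf.all.proxy_ndp=1"]
    cmds += [f"ip -6 neigh add proxy {a} dev {uplink}" for a in sorted(addrs.values())]
    return cmds


def nft_forward_rules(subnet, allowed_tcp=(80, 443, 22)):
    """nftables forward-chain rules for the routed subnet: with no NAT, every
    container port is reachable from the internet, so admit only the ports
    traefik publishes, ICMPv6 (required for IPv6 to function) and return traffic."""
    ports = ",".join(str(p) for p in allowed_tcp)
    return [
        f"ip6 daddr {subnet} ct state established,related accept",
        f"ip6 daddr {subnet} meta l4proto ipv6-icmp accept",
        f"ip6 daddr {subnet} tcp dport {{{ports}}} accept",
        f"ip6 daddr {subnet} drop",
    ]
```

Run the generated `ip -6 neigh` commands after each container (re)start, since the proxy entries are keyed on the address docker hands out.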

```yaml
version: '3.5'
services:
  gitlab:
    labels:
      traefik.enable: "true"
      traefik.http.routers.example.rule: Host(`service.example.com`)
      traefik.http.routers.example.entrypoints: https
      # label values must be strings; a bare YAML boolean is rejected by compose
      traefik.http.routers.example.tls: "true"
    networks:
      - web
      - default
      - gitlab_email
  service-ssh:
    labels:
      traefik.enable: "true"
      traefik.tcp.routers.example-ssh.rule: HostSNI(`*`)
      traefik.tcp.routers.example-ssh.entrypoints: ssh
    ports:
      - "22:22"
    networks:
      - ssh
networks:
  web:
    external: true
  ssh:
    name: ssh
```
```yaml
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: web
  file:
    filename: /etc/traefik/traefik.yml
    watch: true
tls:
  certificates:
    - certFile: "/etc/ssl/acme/example.com/fullchain.pem"
      keyFile: "/etc/ssl/acme/example.com/privkey.pem"
entrypoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
  ssh:
    address: '[2001:db8:e001:15a:1::2]:22'
```
```yaml
version: '3.5'
services:
  traefik:
    image: traefik:2.5
    container_name: traefik
    restart: always
    command:
      - --configfile=/etc/traefik/traefik.toml
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /etc/ssl/acme:/etc/ssl/acme:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./config:/etc/traefik:ro
    networks:
      - web
      - ssh
      - ipv6
networks:
  web:
    name: web
  ssh:
    external: true
  ipv6:
    name: ipv6
    enable_ipv6: true
    ipam:
      config:
        - subnet: 2001:db8:e001:15a:1::/80
          gateway: 2001:db8:e001:15a:1::1
```