|
|
|
@ -219,6 +219,37 @@ By convention, the main `app` service is wired up to the "global" traefik overla
|
|
|
|
|
|
|
|
|
|
|
|
To deal with this, we make an additional "internal" network for each app which is namespaced to that app. So, if you deploy a Wordpress instance called `my_wordpress_blog` then there will be a network called `my_wordpress_blog_internal` created. This allows all the services in an app to speak to each other but not be reachable on the public internet.
|
|
|
|
To deal with this, we make an additional "internal" network for each app which is namespaced to that app. So, if you deploy a Wordpress instance called `my_wordpress_blog` then there will be a network called `my_wordpress_blog_internal` created. This allows all the services in an app to speak to each other but not be reachable on the public internet.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### IPv6 Client IP Detection in Docker Swarm
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
With Traefik using host-mode networking, you may notice that preserving the real Client IP works fine for IPv4, but fails for IPv6. Instead of the actual remote IPv6 address, the application receives a local IPv4 address (typically from the `172.18.0.x` range).
|
|
|
|
|
|
|
|
When a Docker Swarm is initialized, it automatically creates a default bridge network called `docker_gwbridge` to handle external communications for swarm containers. By default, this network does not have IPv6 enabled.
|
|
|
|
|
|
|
|
When an IPv6 connection arrives at a host-published port, Docker must translate this into an IPv4 connection to reach Traefik on the IPv4 only network. This effectively masks the original client's IPv6 address behind the gateway's internal IPv4 address on the `docker_gwbridge` network.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
**Enable IPv6 on `docker_gwbridge`**
|
|
|
|
|
|
|
|
To preserve the real IPv6 Client IP, the `docker_gwbridge` network must be created with IPv6 enabled **before** initializing Swarm. This allows traffic to be routed correctly without loosing the original client's IPv6 address.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
|
|
|
|
# 1. Enable IPv6 in the Docker daemon
|
|
|
|
|
|
|
|
# Add "ipv6": true to /etc/docker/daemon.json
|
|
|
|
|
|
|
|
mkdir -p /etc/docker
|
|
|
|
|
|
|
|
if [ -s /etc/docker/daemon.json ]; then
|
|
|
|
|
|
|
|
contents="$(jq '.ipv6 = true' /etc/docker/daemon.json)" && echo -E "${contents}" > /etc/docker/daemon.json
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
echo '{
|
|
|
|
|
|
|
|
"ipv6": true
|
|
|
|
|
|
|
|
}' > /etc/docker/daemon.json
|
|
|
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
# 2. Restart the Docker service to apply the daemon configuration
|
|
|
|
|
|
|
|
systemctl restart docker
|
|
|
|
|
|
|
|
# 3. Create the IPv6-enabled docker_gwbridge
|
|
|
|
|
|
|
|
docker network create --ipv6 \
|
|
|
|
|
|
|
|
--opt com.docker.network.bridge.name=docker_gwbridge \
|
|
|
|
|
|
|
|
--opt com.docker.network.bridge.enable_ip_forwarding=true \
|
|
|
|
|
|
|
|
--opt com.docker.network.bridge.enable_ip_masquerade=true \
|
|
|
|
|
|
|
|
docker_gwbridge
|
|
|
|
|
|
|
|
# 4. Initialize the swarm (it will adopt the existing docker_gwbridge)
|
|
|
|
|
|
|
|
docker swarm init
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
## Multiple apps on the same domain?
|
|
|
|
## Multiple apps on the same domain?
|
|
|
|
|
|
|
|
|
|
|
|
At time of writing (Jan 2022), we think there is a limitation in our design which doesn't support multiple apps sharing the same domain (e.g. `example.com/app1/` & `example.com/app2/`). `abra` treats each domain as unique and as the single reference for a single app.
|
|
|
|
At time of writing (Jan 2022), we think there is a limitation in our design which doesn't support multiple apps sharing the same domain (e.g. `example.com/app1/` & `example.com/app2/`). `abra` treats each domain as unique and as the single reference for a single app.
|
|
|
|
|
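Review bot: Steps 3 and 4 of the added bash block only work on a host that has never joined a swarm, and the new section gives no path for a node where `docker_gwbridge` already exists. On such a node `docker network create ... docker_gwbridge` fails on the name conflict. The text says the network must be created **before** initializing Swarm, so it should either state that precondition next to step 3 or document how to recreate the bridge on an existing node. In step 1, the `jq` branch overwrites `/etc/docker/daemon.json` in place with no backup. It also depends on `jq` being installed and on bash's `echo -E`. Consider listing `jq` as a prerequisite, and writing to a temporary file that is then moved into place. "loosing" in the paragraph under **Enable IPv6 on `docker_gwbridge`** should be "losing". The section would also benefit from a closing verification step, for example confirming that the application no longer logs a `172.18.0.x` address for an IPv6 client. Anything that keys logging, rate limiting or allow-lists on the client IP otherwise sees every IPv6 client as the same gateway address.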