Serious issue on IPv6 enabled systems

[ssuess]

There seems to be a serious issue with IPv6 enabled systems using EE. The nginx proxy seems to convert any source IPv6 address into a LOCAL IPv4 which then makes any hacking/login/whatever attacks seem like they are coming from the local machine and thus be unable to be blocked by security mechanisms or plugins (like wordfence). I initially reported this as a support request (#1620) but now believe this to be a bug in EE.

System Information

• ee cli info:

| OS                | Linux 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 |
| Shell             | /bin/bash                                                                  |
| PHP binary        | /usr/bin/php7.4                                                            |
| PHP version       | 7.4.3                                                                      |
| php.ini used      | /etc/php/7.4/cli/php.ini                                                   |
| EE root dir       | phar://ee.phar                                                             |
| EE vendor dir     | phar://ee.phar/vendor                                                      |
| EE phar path      | /root                                                                      |
| EE packages dir   |                                                                            |
| EE global config  | /opt/easyengine/config/config.yml                                          |
| EE project config |                                                                            |
| EE version        | 4.3.1                                                                      |

• lsb_release -a

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal

• docker version

Client: Docker Engine - Community
 Version:           20.10.9
 API version:       1.41
 Go version:        go1.16.8
 Git commit:        c2ea9bc
 Built:             Mon Oct  4 16:08:29 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.9
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.8
  Git commit:       79ea9d3
  Built:            Mon Oct  4 16:06:37 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.11
  GitCommit:        5b46e404f6b9f661a205e28d59c982d3634148f8
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

• docker-compose version

docker-compose version 1.25.0, build unknown
docker-py version: 4.1.0
CPython version: 3.8.10
OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020

I found the problem, and if I am correct it is a quite serious one for EE, pointing either to some problem with off the shelf, default ee setup or somehow something I have missed. But here it is in a nutshell:

• On machines that have IPv6 enabled, an IPv6 request will get translated by the proxy to internal local IPv4
• This allows all number of attempted hacks to bypass security mechanisms, BECAUSE THEY APPEAR TO BE LOCAL

Here is how I figured it out and tested it:

• Ran an ipv6 reachability test (https://ipv6-test.com/validate.php) on a couple of my sites (one ee, one manual setup on another machine) which both passed.
• When i check the logs on the ee machine (in the logs in /opt/easyengine/services/nginx-proxy/logs/access.log) that test shows up as coming from 172.19.0.1
• When I check the logs on the manually configured apache machine, that test shows up as coming from 2001:41d0:701:1100::29c8

So clearly either my machine (although I setup a fresh ee machine to test just this from scratch with only one site) or the proxy setup for ee does not properly forward or deal with IPv6, and it really needs to if we are to avoid hacking attempts like this. For now I have disabled ipv6 on my ee machine and I am watching for further attacks, but so far there have not been any. That said this has only been in place for an hour, so it is possible I missed something and will be monitoring closely.

[ssuess]

I have found a switch for enabling IPv6 supposedly, but when I follow the instructions here (https://easyengine.io/handbook/customising-docker-compose-stack-in-easyengine-v4/) it does not seem to work. I created a new file in /opt/easyengine/services/ called docker-compose-custom.yml, inside of which I added the following:

version: '3.5'

services:

  global-nginx-proxy:
    environment:
      - ENABLE_IPV6=true

Then tried all of the following:
ee site enable --force (fails without site name, but I am changing a service)
ee service enable --force (also fails)
ee service restart nginx-proxy (works, but no ipv6 is found in the logs for nginx-proxy as I hoped after this
full machine reboot (same as above, no ipv6 recognized in logs still)

Any other suggestions? I would like to be able to run my sites over IPv6, but without some changes here (which I believe should be supported by default at this point in time) hackers can run roughshod over my sites if I enable IPv6 on the machine.

[ssuess]

After a little further reading here (https://github.com/nginx-proxy/nginx-proxy#ipv6-support) it seems like I ALSO have to mess around with a separate IPv6 NAT install? And create a daemon.json file in /etc/docker? For now I will just disable IPv6 on the machine, but it is a real shame.

[ssuess]

at the very least, if there will not be support for IPv6 in the product, there needs to be a big warning in the docs somewhere that it is a huge security risk to install EE on an IPv6 enabled machine.

[dhsathiya]

Thanks for reporting the issue. I am looking into it.

[dhsathiya]

@ssuess I checked the same documents and tried other ways as well but, at this point, I have not reached a positive outcome.
As of now, it doesn't seem like the issue is from EasyEngine as I tried the solution given in the Nginx-Proxy repo but didn't work out for me.

Maybe try creating an issue on the Nginx-proxy repo for now and see what other people suggest.

Related:
nginx-proxy/nginx-proxy#1453
nginx-proxy/nginx-proxy#1283

[ssuess]

Ok, thanks for looking into this, I will make a report there. Nonetheless, at this point I think it is a pretty critical thing to add to the ee documentation, so that people do not set this up on an IPv6 enabled system. Otherwise they are opening themselves up to serious security issues.

[ssuess]

as an add-on gotcha to this, let's encrypt was failing to renew and it wasn't immediately obvious why. Turned out I still had AAAA records for these sites in my DNS and I needed to delete those as well as disabling IPv6 on my server. Hope this helps someone else who might be experiencing the same issue.