Bind to IPv4 and IPv6 in haproxy

[saltydk]

Binds both IPv4 and IPv6 to allow IPv6 connectivity without affecting IPv4 only setups.

Issue: #107

[pedrobaeza]

Please rebase properly your branch for avoiding the merge commit.

[saltydk]

Done

[pedrobaeza]

@yajo do you see any side effect doing this? I barely remember that there was a problem with IPv6 that leads us to disable it.

[saltydk]

Git blame suggests that the setting was never changed for what it is worth.

[yajo]

Docker's ipv6 support is not very good. You have moby/moby#44923 if you want to start digging into the rabbit hole. But I see this change is OK, since HAProxy should be able to bind to both just fine. And tests pass.

[pedrobaeza]

OK then. @saltydk please put a proper commit message like [IMP] Bind to IPv4 and IPv6 in haproxy, and we can merge it.

[yajo]

FYI You can choose to squash and merge, and then put the message you like.

[pedrobaeza]

OK, done that way. Thanks for the hint.

[polarathene]

I barely remember that there was a problem with IPv6 that leads us to disable it.

In Docker there was a common issue if the Docker host received an IPv6 client connection but the container only had IPv4. /etc/docker/daemon.json would be needed to opt-out of userland-proxy: true default, which would reject the connection otherwise it would be routed in a way that lost the original client IP, such that on the container side it'd appear as the private subnet gateway IP.

That was a problem if you had some trust policy like "trust this private docker subnet, since any container is on the host and I trust them, but not external client IPs", since now IPv6 client connections would implicitly become trusted allowing them to bypass some security measures. Other issues it could cause are with monitoring such as logs with Fail2Ban triggering and preventing many users over IPv6 from connecting successfully once that gateway IP was banned instead of banning the actual client IP.

I think that might be fixed from Docker v27 now, which should enable containers with IPv6 IPs by default when the host has an IPv6 interface available?

---

That concern applies here since the bind is occurring within the container.

Nothing to worry about here as v4v6 isn't the routing behaviour concern I described above, it just binds with the IPv6 equivalent of 0.0.0.0 (any interface/address).

However the syntax you merged seems off :::port shouldn't that really have been [::]:port?

That is more evident when you look at the logs shared from this issue: #127

[ALERT] 119/204238 (1) : Starting frontend dockerfrontend: cannot create listening socket [:::2375]

• Regarding the follow up fix in Feb fir this PR, there was no reference provided for why ENV could not be used, other than some claim that it wasn't supported for bind ) (I'm doubtful).
• The correct configuration was pointed out by @yajo here
  • With a follow-up comment by the author that they were still getting the same error output. That should not happen considering the config value changed, discussion was inferred to be a quirk with Docker Swarm, but you can clearly see the suggested image tag used prior to the author claiming a fix was the same :edge.
  • The author would not have pulled the updated :edge image (or properly recreated the container to reset internal state). This is a common mistake I encounter as the maintainer of a docker focused project myself and was missed.

So while the issue was fixed by #111 it is a bit misleading in context. The fix came from the updated configuration and the user pulling the proper updated image (once released, and potentially IIRC with compose recreating a container if you modify ENV which is what the user did).

---

FWIW, no failures running the container (without disabling the feature via DISABLE_IPV6=1) despite the container (and host) only having IPv4:

Output of `docker inspect` on the container

        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "a98fbb14fcf512b58a8a454767013e6a5b08635343faecf007cf77dfe222e532",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "2375/tcp": null
            },
            "SandboxKey": "/var/run/docker/netns/a98fbb14fcf5",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "d0b71988b021fa7d149b33c976b4f4183707c39d7d3c27f72c1b441cebc588ad",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.4",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:04",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "d8c3fee9357864daa2c5a5882b3dbc7e5fc57d9b00b9f3dfbb93a805c8a3ef88",
                    "EndpointID": "d0b71988b021fa7d149b33c976b4f4183707c39d7d3c27f72c1b441cebc588ad",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.4",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:04",
                    "DriverOpts": null
                }
            }
        }