-
Notifications
You must be signed in to change notification settings - Fork 431
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Serious issue on IPv6 enabled systems #1621
Comments
I have found a switch for enabling IPv6 supposedly, but when I follow the instructions here (https://easyengine.io/handbook/customising-docker-compose-stack-in-easyengine-v4/) it does not seem to work. I created a new file in
Then tried all of the following: Any other suggestions? I would like to be able to run my sites over IPv6, but without some changes here (which I believe should be supported by default at this point in time) hackers can run roughshod over my sites if I enable IPv6 on the machine. |
After a little further reading here (https://github.com/nginx-proxy/nginx-proxy#ipv6-support) it seems like I ALSO have to mess around with a separate IPv6 NAT install? And create a daemon.json file in |
at the very least, if there will not be support for IPv6 in the product, there needs to be a big warning in the docs somewhere that it is a huge security risk to install EE on an IPv6 enabled machine. |
Thanks for reporting the issue. I am looking into it. |
@ssuess I checked the same documents and tried other ways as well but, at this point, I have not reached a positive outcome. Maybe try creating an issue on the Nginx-proxy repo for now and see what other people suggest. Related: |
Ok, thanks for looking into this, I will make a report there. Nonetheless, at this point I think it is a pretty critical thing to add to the ee documentation, so that people do not set this up on an IPv6 enabled system. Otherwise they are opening themselves up to serious security issues. |
as an add-on gotcha to this, let's encrypt was failing to renew and it wasn't immediately obvious why. Turned out I still had AAAA records for these sites in my DNS and I needed to delete those as well as disabling IPv6 on my server. Hope this helps someone else who might be experiencing the same issue. |
There seems to be a serious issue with IPv6 enabled systems using EE. The nginx proxy seems to convert any source IPv6 address into a LOCAL IPv4 which then makes any hacking/login/whatever attacks seem like they are coming from the local machine and thus be unable to be blocked by security mechanisms or plugins (like wordfence). I initially reported this as a support request (#1620) but now believe this to be a bug in EE.
System Information
I found the problem, and if I am correct it is a quite serious one for EE, pointing either to some problem with off the shelf, default ee setup or somehow something I have missed. But here it is in a nutshell:
Here is how I figured it out and tested it:
So clearly either my machine (although I setup a fresh ee machine to test just this from scratch with only one site) or the proxy setup for ee does not properly forward or deal with IPv6, and it really needs to if we are to avoid hacking attempts like this. For now I have disabled ipv6 on my ee machine and I am watching for further attacks, but so far there have not been any. That said this has only been in place for an hour, so it is possible I missed something and will be monitoring closely.
The text was updated successfully, but these errors were encountered: