Setting up an Nginx reverse proxy with Docker Compose and IPv6 NAT might sound complex, but it’s a powerful combination for managing and securing web traffic.
In this guide, we’ll walk you through the steps to configure Nginx as a reverse proxy, use Docker Compose to manage containers, and set up IPv6 NAT (Network Address Translation) to ensure smooth and efficient communication across your network.
Whether you’re new to these tools or looking to improve your setup, this guide will help you get everything running smoothly.
This setup was tested using an RPM package-based distro, so the tool of choice is Dnf, but it could be Yum as well.
1 – Installing Docker
Preparing the repo and installing Docker:
# dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
# dnf install docker-ce docker-ce-cli containerd.io
# systemctl enable docker
# systemctl start dockerInstall docker-compose:
# wget https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-$(uname -s)-$(uname -m) -O /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose2 – Adding IPv6 support to Linux and Docker
Prepare a Linux host and Docker to support IPv6 connections:
Make sure your Linux server has IPV6 enabled in your network card.
Enable IPv6 for all network interfaces.
# sysctl -w net.ipv6.conf.all.disable_ipv6=0
# sysctl -w net.ipv6.conf.default.disable_ipv6=0Enable IPv6 for a specific network interface. I use the eth0 network interface in this example.
# sysctl -w net.ipv6.conf.eth0.disable_ipv6=0It is also important to enable forward capabilities for IPv6 connections.
# sysctl -w net.ipv6.conf.all.forwarding=1
# sysctl -w net.ipv6.conf.eth0.proxy_ndp=1
# sysctl -w net.ipv6.conf.eth0.accept_ra=2
# sysctl -w net.ipv6.conf.default.forwarding=1Apply the changes:
# sysctl -pRestart your network service and check if your network card has an IPv6 assigned.
# ip -6 address show dev eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc fq_codel state UP group default qlen 1000
inet6 af30:a1cd:b319:c0f3:c5f8:cd0d:7700:493f/128 scope global dynamic valid_lft 2512sec preferred_lft 2452sec
# ping6 google.com 
PING google.com(in-in-f139.1e100.net (2607:f8b0:4001:c01::8b)) 56 data bytes
64 bytes from in-in-f139.1e100.net (2607:f8b0:4001:c01::8b): icmp_seq=1 ttl=115 time=0.658 ms
64 bytes from in-in-f139.1e100.net (2607:f8b0:4001:c01::8b): icmp_seq=2 ttl=115 time=0.699 ms
64 bytes from in-in-f139.1e100.net (2607:f8b0:4001:c01::8b): icmp_seq=3 ttl=115 time=0.712 msCreate the file /etc/docker/daemon.json
Note that according to the IPv6 Nat project page (https://github.com/robbertkl/docker-ipv6nat), the network block must be in the range fc00::/7.
{
  "ipv6": true,
  "fixed-cidr-v6": "fd00:dead:beef::/64"
}And restart the Docker service:
# systemctl restart docker3 – Creating Docker Compose files
Now, we need to create the directory structure to launch the containers:
# mkdir -p /data/docker/nginx_config
# mkdir /data/docker/nginx_dataAnd create a docker-compose file:
# cd /data/docker
# vi docker-compose.yamldocker-compose.yaml
services:
  redirect:
    container_name: redirect
    image: 'nginx:latest'
    depends_on:
      - ipv6nat
    environment:
      ENABLE_IPV6: true
    restart: unless-stopped
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    networks:
      private:
        ipv4_address: 172.19.0.2
        ipv6_address: fd00:dead:beef:abcd::2
    volumes:
      - ./nginx_config/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx_config/conf.d:/etc/nginx/conf.d/
      - ./nginx_config/ssl/fullchain.pem:/root/fullchain.pem:ro
      - ./nginx_config/ssl/privkey.pem:/root/privkey.pem:ro
      - ./nginx_data/:/var/log/nginx/
      - /etc/localtime:/etc/localtime:ro
  ipv6nat:
    container_name: ipv6nat
    image: robbertkl/ipv6nat
    restart: unless-stopped
    network_mode: "host"
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro
networks:
  private:
    name: private
    driver: bridge
    enable_ipv6: true
    driver_opts:
      com.docker.network.enable_ipv6: "true"
      com.docker.network.bridge.gateway_mode_ipv6: "nat"
      com.docker.network.bridge.name: "private"
      com.docker.network.bridge.enable_icc: "true"
      com.docker.network.bridge.enable_ip_forwarding: "true"
      com.docker.network.bridge.enable_ip_masquerade: "true"
    ipam:
      driver: default
      config:
        - subnet: "172.19.0.0/16"
          gateway: "172.19.0.1"
        - subnet: "fd00:dead:beef:abcd::/64"4 – Creating Nginx config files and directories
Nginx main config file.
/data/docker/nginx_config/nginx.conf
# nginx
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;
events {
worker_connections  1024;
}
http {
include       /etc/nginx/mime.types;
default_type  application/octet-stream;
# Logging NAT ip
set_real_ip_from 0.0.0.0/0;
set_real_ip_from ::/0;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent"';
access_log /var/log/nginx/access.log main;
# Basic Settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/conf.d/*.conf;
}Create extra directories:
# mkdir /data/docker/nginx_config/conf.d
# mkdir /data/docker/nginx_config/sslExtended Nginx configuration files.
/data/docker/nginx_config/conf.d/proxy.conf
# Nginx proxy
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_intercept_errors on;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
send_timeout 60s;/data/docker/nginx_config/conf.d/ssl.conf
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";Website to be accessed:
/data/docker/nginx_config/conf.d/00-redir-wordpress.conf
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    ssl_certificate /root/fullchain.pem;
    ssl_certificate_key /root/privkey.pem;
    include /etc/nginx/conf.d/ssl.conf;
    if ($ssl_protocol = "") {
       rewrite ^   https://$server_name$request_uri? permanent;
    }
    location / {
        include /etc/nginx/conf.d/proxy.conf;
        proxy_pass http://172.19.0.3;
    }
}Copy certificates to the designated directory:
# cp /etc/letsencrypt/live/example.com/fullchain.pem /data/docker/nginx_config/ssl/
# cp /etc/letsencrypt/live/example.com/privkey.pem /data/docker/nginx_config/ssl/5 – Launching the containers and testing the setup
# cd /data/docker
# docker-compose up -dCheck if they were built and run:
# docker ps 
CONTAINER ID   IMAGE                                  COMMAND                  CREATED        STATUS       PORTS                                                                      NAMES
3d2899dfcc8e   nginx:latest                           "/docker-entrypoint.…"   25 hours ago   Up 6 hours   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp   redirect
f5f5f61ebb7e   robbertkl/ipv6nat                      "/docker-ipv6nat-com…"   41 hours ago   Up 6 hours                                                                              ipv6natCheck if the network called “private” was created and has IPv6 assigned to it:
# docker inspect network private
[
    {
        "Name": "private",
        "Id": "ec3013e265ef97be8081df6aa1a161762e1692899b21f5007eb95eb1be9b2347",
        "Created": "2024-08-24T13:31:46.161380218-03:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": true,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.19.0.0/16",
                    "Gateway": "172.19.0.1"
                },
                {
                    "Subnet": "fd00:dead:beef:abcd::/64",
                    "Gateway": "fd00:dead:beef:abcd::1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "3d2899dfcc8ea068739c4a7f4748c723831862dbfe7dcd33ab3afacb8c56435f": {
                "Name": "redirect",
                "EndpointID": "66ab9ee74aabbec9f97319ef11d9516d5d9c0dfde9fe5268d6e11ee261f6b6ab",
                "MacAddress": "02:42:ac:13:00:02",
                "IPv4Address": "172.19.0.2/16",
                "IPv6Address": "fd00:dead:beef:abcd::2/64"
            },
                    "Options": {
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_forwarding": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.gateway_mode_ipv6": "nat",
            "com.docker.network.bridge.name": "private"
        },
        "Labels": {
            "com.docker.compose.network": "private",
            "com.docker.compose.project": "docker",
            "com.docker.compose.version": "2.29.1"
        }
    }
]
Remember that is important to allow ports 80 and 443 TCP in your firewall.
Iptables rules (IPv6 + Ipv4):
# ip6tables -A INPUT -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
If everything is running well, you might be able to see the access log as it follows:
# tail -f /data/docker/nginx_data/access.log
2001:818:e264:7200:e62:dffe:9007:731a - - [27/Aug/2024:09:04:46 -0300]"GET / HTTP/1.0" 200 39550 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
In conclusion, setting up an Nginx reverse proxy with Docker Compose and IPv6 NAT enhances your server’s network capabilities and optimizes traffic management. By following the detailed steps, including configuring Docker for IPv6, enabling IPv6 NAT, and customizing Nginx, you can ensure efficient handling of both IPv4 and IPv6 traffic. This guide simplifies the process, making it easier to implement a modern, flexible network infrastructure suitable for diverse applications while maintaining strong security and performance standards.
