fix: add --ipv6 flag to docker network create for proper X-Forwarded-For with IPv6 clients#9570
Open
bobbiejaxn wants to merge 1 commit into
Open
fix: add --ipv6 flag to docker network create for proper X-Forwarded-For with IPv6 clients#9570bobbiejaxn wants to merge 1 commit into
bobbiejaxn wants to merge 1 commit into
Conversation
…For with IPv6 clients Fixes coollabsio#3436 When Coolify creates Docker networks for the proxy, it uses docker network create without the --ipv6 flag. This creates IPv4-only networks. When an IPv6 client connects, the traffic routes through the proxy gateway IP (e.g., 172.18.0.1) instead of the real client IP, causing X-Forwarded-For to contain the proxy IP rather than the client IP. Adding --ipv6 to all four docker network create calls in bootstrap/helpers/proxy.php ensures Coolify-created proxy networks have dual-stack IPv4/IPv6 support, allowing correct client IP forwarding for all clients regardless of IP protocol version. Changes: - Line 114: Add --ipv6 to overlay network create (swarm, connectProxyToNetworks) - Line 123: Add --ipv6 to regular network create (connectProxyToNetworks) - Line 149: Add --ipv6 to overlay network create (swarm, ensureProxyNetworksExist) - Line 157: Add --ipv6 to regular network create (ensureProxyNetworksExist)
algora-pbc
Bot
added
the
🙋 Bounty claim
2 tasks
Contributor
|
this is similar to the swarm ingress mesh issue, where containers see the nodes's ip not the clients i would say the usual solution is to run a host networked proxy either inside docker or just on the host, this terminates tls and then forwards onto an internal proxy port so for those that do not want or need ipv6, just run a multi layered proxy, where the connection is terminated on the host, so you will always have the real client ip |
This was referenced May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #3436
/claim #3436
Problem
When Coolify creates Docker networks for the proxy, it uses
docker network createwithout the--ipv6flag. This creates IPv4-only networks. When an IPv6 client connects, the traffic routes through the proxy gateway IP (e.g.,172.18.0.1) instead of the real client IP, causingX-Forwarded-Forto contain the proxy IP rather than the actual client IP.Root Cause
As identified by @fa-sharp in the issue discussion, IPv6 clients don't get proper IP forwarding because Docker networks are IPv4-only by default.
Solution
Add
--ipv6flag to all fourdocker network createcalls inbootstrap/helpers/proxy.php:connectProxyToNetworks)connectProxyToNetworks)ensureProxyNetworksExist)ensureProxyNetworksExist)This ensures Coolify-created proxy networks have dual-stack IPv4/IPv6 support, allowing correct client IP forwarding for all clients regardless of IP protocol version.
Testing
The fix is minimal and only adds the
--ipv6flag to existingdocker network createcommands. Verified that:--driver(for overlay) and before--attachable(for regular networks)Payment
Wallet: 0x5D319A61fD62e62E82C0b38a9D5CA81c61564ea9
Network: Ethereum/Base (USDC/USDT)