Baoyuantop commented on issue #13112:
URL: https://github.com/apache/apisix/issues/13112#issuecomment-4108314924
Thanks @twellck for this issue and the detailed analysis.
The inconsistency you've identified is real — `enable_ipv6` only applies to
`node_listen` and `ssl.listen` while the other 5 listener endpoints are left
out. I traced the history: this behavior dates back to PR #341 (2019) when
`enable_ipv6` was first introduced. At that time APISIX only had proxy and
admin server blocks, and only the proxy ports needed external exposure, so IPv6
was only added there. When control, status, and prometheus endpoints were added
later, nobody went back to add IPv6 support.
I'd like to discuss a few things about the approach before implementation:
1. Loopback address IPv6 mapping
The current `listen_table_insert` always appends `[::]` (IPv6 wildcard) when
`enable_ipv6=true`. But `control` (default `127.0.0.1:9090`) and `prometheus`
(default `127.0.0.1:9091`) bind to localhost — their IPv6 counterpart should be
`[::1]` (loopback), not `[::]`. Feeding these endpoints through
`listen_table_insert` without handling this would unintentionally expose
internal-only interfaces to all network interfaces. This is a security concern
that needs to be addressed regardless of which approach we take.
2. Scope of proxy_protocol changes
Your reference implementation gives proxy_protocol the same full
capabilities as `node_listen` (multi-port, multi-IP, list-based config, `anyOf`
schema). But the typical proxy_protocol use case is one HTTP port + one HTTPS
port — multi-port lists aren't really needed. For the IPv6 problem
specifically, adding a few `{% if enable_ipv6 then %} listen [::]:{* port *}
...{% end %}` lines in the template is sufficient. Multi-port support could be
discussed as a separate enhancement.
3. Suggest separating the functional fix from the refactor
The current proposal bundles two things: (a) making `enable_ipv6` work for
all endpoints (functional fix), and (b) unifying all listeners under
`normalize_listen_conf` (code refactor). I'd suggest:
- Fix the functional gap first: Without changing config formats or schemas,
just modify `ngx_tpl.lua` to generate IPv6 listen directives for proxy_protocol
/ admin / control / status / prometheus when `enable_ipv6=true`. Use `[::1]`
for loopback-bound listeners, `[::]` for wildcard. Small change.
- Unify code paths later (optional): Once the functional issue is resolved,
submit the `normalize_listen_conf` refactor as a separate PR if the community
finds it valuable.
What do you think about this breakdown? Happy to discuss further.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
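An added example of the loopback-aware mapping discussed in point 1 and the "fix the functional gap first" step in point 3. This is illustration code written for this page, not APISIX's `listen_table_insert` or `ngx_tpl.lua`; the function names `ipv6_counterpart`, `listen_directives` and `check_no_loopback_exposure`, the `opts` table layout, and the proxy endpoint value `0.0.0.0:9080` are assumptions made here. The control and prometheus defaults come from the comment above. It runs under plain Lua 5.1+/LuaJIT with no OpenResty dependency.

```lua
-- Added example, not APISIX code: derive the IPv6 `listen` directive that
-- mirrors an IPv4 listener while keeping loopback-bound listeners on loopback.

-- Map an IPv4 bind address to the IPv6 address with the same reachability.
-- Returns nil when there is no safe automatic counterpart: a specific
-- interface address has to be configured explicitly by the operator.
local function ipv6_counterpart(ip)
  if ip == "0.0.0.0" then
    return "::"     -- wildcard stays wildcard
  elseif ip:match("^127%.%d+%.%d+%.%d+$") then
    return "::1"    -- any 127/8 loopback address maps to the IPv6 loopback
  end
  return nil
end

-- Build the nginx `listen` lines for one endpoint (hypothetical helper).
-- `ip`/`port` are the configured IPv4 bind address and TCP port; `opts`
-- carries optional flags: ssl, proxy_protocol, enable_ipv6.
local function listen_directives(ip, port, opts)
  opts = opts or {}
  local suffix = ""
  if opts.ssl then suffix = suffix .. " ssl" end
  if opts.proxy_protocol then suffix = suffix .. " proxy_protocol" end

  local out = { ("listen %s:%d%s;"):format(ip, port, suffix) }
  if opts.enable_ipv6 then
    local v6 = ipv6_counterpart(ip)
    if v6 then
      table.insert(out, ("listen [%s]:%d%s;"):format(v6, port, suffix))
    end
  end
  return out
end

-- Guard for the security concern in point 1: a loopback IPv4 listener must
-- never receive an IPv6 wildcard sibling. Returns true when the set is safe.
local function check_no_loopback_exposure(ip, directives)
  if not ip:match("^127%.") then return true end
  for _, d in ipairs(directives) do
    if d:find("[::]", 1, true) then return false end
  end
  return true
end

-- The behaviour the comment warns about: unconditionally appending [::].
local function naive_ipv6_sibling(ip, port)
  return { ("listen %s:%d;"):format(ip, port), ("listen [::]:%d;"):format(port) }
end

-- Constructed sample of endpoints. control/prometheus defaults are from the
-- issue discussion; the proxy address and port are assumed for illustration.
local endpoints = {
  { name = "proxy",      ip = "0.0.0.0",   port = 9080, opts = { proxy_protocol = false } },
  { name = "control",    ip = "127.0.0.1", port = 9090 },
  { name = "prometheus", ip = "127.0.0.1", port = 9091 },
}

for _, ep in ipairs(endpoints) do
  local opts = ep.opts or {}
  opts.enable_ipv6 = true
  local ds = listen_directives(ep.ip, ep.port, opts)
  assert(check_no_loopback_exposure(ep.ip, ds), ep.name .. " leaked to [::]")
  print(ep.name, table.concat(ds, " "))
end
-- control and prometheus now get `listen [::1]:909x;`, the proxy gets `listen [::]:9080;`.

-- The naive variant fails the same guard for the control endpoint.
assert(not check_no_loopback_exposure("127.0.0.1", naive_ipv6_sibling("127.0.0.1", 9090)),
       "naive mapping should have been rejected")
```

The guard is the check a reviewer would want in a test for the template change: feed every default endpoint through the generator with `enable_ipv6=true` and assert that no `127.x` listener produces a `[::]` line. Addresses other than wildcard and loopback deliberately get no automatic IPv6 sibling, since there is no way to infer which IPv6 interface address the operator intended.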