Fix ipv6

accel-ppp.conf

@@ -22,13 +22,16 @@ single-session=replace
 chap-secrets=/etc/ppp/chap-secrets
 
 [ppp]
-verbose=5
+verbose=0
 mtu=1550
 mru=1550
 accomp=allow
 pcomp=allow
 ipv4=prefer
-ipv6=allow
+ipv6=prefer
+ipv6-intf-id=random
+ipv6-peer-intf-id=calling-sid
+ipv6-accept-peer-intf-id=1
 lcp-echo-interval=30
 lcp-echo-failure=3
 lcp-echo-timeout=5
@@ -40,9 +43,8 @@ lcp-echo-timeout=5
 
 [sstp]
 port=443
-verbose=5
+verbose=0
-#accept=proxy,ssl
+accept=ssl,proxy
-accept=ssl
 ssl-pemfile=/etc/cert.pem
 ssl-keyfile=/etc/privkey.pem
 ssl-ca-file=/etc/ca.pem
@@ -66,16 +68,22 @@ tunnel=192.168.95.2-254,v4pool
 dns=2001:4860:4860::8888
 
 [ipv6-pool]
-gw-ip6-address=fc00:b10c:0::
+#gw-ip6-address=fc00:b10c:3::ffff
 fc00:b10c:0001::/48,64,name=v6pool
+
 fc00:b10c:0002::/48,64,name=v6pool-delegate
+delegate=fc00:b10c:0002::/48,64
 
 [ipv6-nd]
 verbose=1
+AdvManagedFlag=1
+
+[ipv6-dhcp]
+verbose=1
+route-via-gw=1
 
 [log]
-#level=4
+level=4
-level=5
 log-file=/dev/stdout
 log-debug=/dev/stdout
 log-emerg=/dev/stderr

compose.yaml

@@ -11,10 +11,51 @@ services:
       - ./ca.pem:/etc/ca.pem:ro
     expose:
       - "443/tcp"
-    ports:
-      - "443:443/tcp"
     devices:
       - "/dev/ppp:/dev/ppp:rwm"
-
+    environment:
+      VIRTUAL_HOST: "api.bearns.me"
+      VIRTUAL_PROTO: "https"
+      VIRTUAL_PORT: 443
     cap_add:
-      - NET_ADMIN
+      - NET_ADMIN
+    networks:
+      proxy-tier:
+        ipv6_address: "fc00:b10c:3::ffff"
+
+  stream:
+    build: ./nginx-stream
+    volumes:
+      - ./ca.pem:/etc/nginx/certs/chain.pem:ro
+      - ./cert.pem:/etc/nginx/certs/api.bearns.me/fullchain.pem:ro
+      - ./privkey.pem:/etc/nginx/certs/api.bearns.me/key.pem:ro
+    expose:
+      - "443/tcp"
+    ports:
+      - "443:443/tcp"
+    environment:
+      SNI_NAME: "api.bearns.me"
+    networks:
+      - proxy-tier
+
+  proxy:
+    build: ./proxy
+    volumes:
+      - ./cert.pem:/etc/nginx/certs/cert.pem:ro
+      - ./privkey.pem:/etc/nginx/certs/privkey.pem:ro
+    expose:
+      - "443/tcp"
+    networks:
+      - proxy-tier
+
+networks:
+  proxy-tier:
+    enable_ipv6: true
+    ipam:
+      config:
+        - subnet: fc00:b10c:3::/64
+
+volumes:
+  certs:
+  vhost.d:
+  html:

nginx-stream/Dockerfile

@@ -0,0 +1,17 @@
+FROM nginx:alpine
+
+ENV HTTPS_UPSTREAM="proxy"
+ENV SSTP_UPSTREAM="sstp"
+ENV SNI_NAME="cloud.bearns.me"
+# self signed for client certification
+# put in /etc/nginx/certs/
+ENV CA_CERT="chain.pem"
+# put in /etc/nginx/certs/$SNI_NAME
+ENV CERT="fullchain.pem"
+ENV KEY="key.pem"
+
+RUN rm -f /etc/nginx/conf.d/default.conf
+
+COPY nginx.conf /etc/nginx/
+COPY *.conf.template /etc/nginx/templates/
+

nginx-stream/http.conf.template

@@ -0,0 +1,37 @@
+http {
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    server {
+        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
+        server_name _;
+
+        ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
+        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
+
+        access_log  /dev/stdout  main;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        #error_page  404              /404.html;
+
+        # redirect server error pages to the static page /50x.html
+        #
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #    deny  all;
+        #}
+    }
+}

nginx-stream/nginx.conf

@@ -0,0 +1,12 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+include /etc/nginx/conf.d/*.conf;

nginx-stream/stream.conf.template

@@ -0,0 +1,61 @@
+error_log /dev/stderr;
+
+stream {
+    log_format stream '"$ssl_preread_server_name" $remote_addr [$time_local] '
+                      '$protocol $status $bytes_sent $bytes_received "$upstream_addr" '
+                      '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+    map $ssl_preread_server_name $sni_name {
+            ${SNI_NAME} cert-check;
+            default https;
+        }
+
+    upstream https {
+        server ${HTTPS_UPSTREAM}:443;
+    }
+
+    upstream cert-check {
+        server unix:/tmp/virtual-stream.socket;
+    }
+
+    server {
+        listen 443;
+        listen [::]:443;
+
+        access_log /dev/stdout stream;
+
+        proxy_pass $sni_name;
+        ssl_preread on;
+        # todo nginx-proxy by default don't listen proxy_protocol, enable it in both sides
+        #proxy_protocol on;
+    }
+
+    map $ssl_client_verify $name {
+        SUCCESS sstp;
+        default fallback;
+    }
+
+    upstream sstp {
+        server ${SSTP_UPSTREAM}:443;
+    }
+
+    upstream fallback {
+        server unix:/tmp/fallback-stream.socket;
+    }
+
+    server {
+        listen unix:/tmp/virtual-stream.socket ssl;
+
+        ssl_certificate /etc/nginx/certs/${SNI_NAME}/${CERT};
+        ssl_certificate_key /etc/nginx/certs/${SNI_NAME}/${KEY};
+
+        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
+        ssl_verify_client optional;
+
+        # Doesn't work without it
+        proxy_ssl on;
+
+        proxy_pass $name;
+        proxy_protocol on;
+    }
+}

proxy/00-default.conf

@@ -0,0 +1,7 @@
+server {
+    listen 443 ssl;
+    server_name _;
+    ssl_certificate /etc/nginx/certs/cert.pem;
+    ssl_certificate_key /etc/nginx/certs/privkey.pem;
+    return       404;
+}

proxy/Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx:alpine
+
+COPY 00-default.conf /etc/nginx/conf.d/