feat: listen on ipv6 sockets as well

Fixes #4391

Author: nijel

etc/nginx/default.tpl

@@ -1,6 +1,9 @@
 server {
 {% if WEBLATE_BUILTIN_SSL %}
     listen 4443 ssl;
+{% if ENABLE_IPV6 %}
+    listen [::]:4443 ssl;
+{% endif %}
 
     ssl_certificate /app/data/ssl/fullchain.pem;
     ssl_certificate_key /app/data/ssl/privkey.pem;
@@ -18,6 +21,9 @@ server {
     ssl_dhparam /etc/nginx/ffdhe2048.pem;
 {% else %}
     listen 8080 default_server;
+{% if ENABLE_IPV6 %}
+    listen [::]:8080 default_server;
+{% endif %}
 {% endif %}
     root /app/cache/static;
     client_max_body_size {{ CLIENT_MAX_BODY_SIZE }};
@@ -110,6 +116,9 @@ server {
 {% if WEBLATE_BUILTIN_SSL %}
 server {
     listen 8080 default_server;
+{% if ENABLE_IPV6 %}
+    listen [::]:8080 default_server;
+{% endif %}
     server_tokens off;
     return 301 https://$host$request_uri;
 }

etc/nginx/generate-site.py

@@ -14,6 +14,7 @@
     SITE_DOMAIN,
     ENABLE_HTTPS,
     GRANIAN_SOCKET,
+    ENABLE_IPV6,
 ) = sys.argv[1:]
 
 WEBLATE_SITE_URL = "{}://{}".format(
@@ -47,6 +48,7 @@
             "WEBLATE_ANUBIS_URL": WEBLATE_ANUBIS_URL,
             "WEBLATE_SITE_URL": WEBLATE_SITE_URL,
             "GRANIAN_SOCKET": GRANIAN_SOCKET,
+            "ENABLE_IPV6": ENABLE_IPV6,
         }
     )
 )

start

@@ -93,6 +93,28 @@ find_nss_wrapper() {
     return 1
 }
 
+ipv6_available() {
+    WEBLATE_NGINX_IPV6_VALUE=$(printf '%s' "${WEBLATE_NGINX_IPV6:-auto}" | tr '[:upper:]' '[:lower:]')
+
+    if [ "$WEBLATE_NGINX_IPV6_VALUE" = "0" ] || [ "$WEBLATE_NGINX_IPV6_VALUE" = "false" ] || [ "$WEBLATE_NGINX_IPV6_VALUE" = "no" ] || [ "$WEBLATE_NGINX_IPV6_VALUE" = "off" ]; then
+        return 1
+    fi
+
+    if [ "$WEBLATE_NGINX_IPV6_VALUE" = "1" ] || [ "$WEBLATE_NGINX_IPV6_VALUE" = "true" ] || [ "$WEBLATE_NGINX_IPV6_VALUE" = "yes" ] || [ "$WEBLATE_NGINX_IPV6_VALUE" = "on" ]; then
+        return 0
+    fi
+
+    if [ ! -f /proc/net/if_inet6 ]; then
+        return 1
+    fi
+
+    if [ -r /proc/sys/net/ipv6/conf/all/disable_ipv6 ] && [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)" = "1" ]; then
+        return 1
+    fi
+
+    return 0
+}
+
 # Support OpenShift and other arbitrary-UID deployments without modifying
 # the system passwd database. Keep the legacy /etc/passwd append only as a
 # compatibility fallback for derived images that still make it writable.
@@ -315,6 +337,7 @@ if [ "$1" = "runserver" ]; then
         WEBLATE_REALIP="
 real_ip_header X-Forwarded-For;
 set_real_ip_from 0.0.0.0/0;
+set_real_ip_from ::/0;
 "
         ;;
     *)
@@ -336,10 +359,27 @@ set_real_ip_from 0.0.0.0/0;
     # Make sure WEBLATE_ANUBIS_URL is set
     : "${WEBLATE_ANUBIS_URL:=""}"
     : "${WEBLATE_ENABLE_HTTPS:=""}"
+    if ipv6_available; then
+        WEBLATE_ENABLE_IPV6=1
+    else
+        WEBLATE_ENABLE_IPV6=
+    fi
 
     # Generate nginx configuration
     mkdir -p /tmp/nginx
-    /app/venv/bin/python /etc/nginx/generate-site.py /etc/nginx "$WEBLATE_URL_PREFIX" "$WEBLATE_REALIP" "$CLIENT_MAX_BODY_SIZE" "$WEBLATE_BUILTIN_SSL" "$WEBLATE_ANUBIS_URL" "$WEBLATE_SITE_DOMAIN" "$WEBLATE_ENABLE_HTTPS" "$GRANIAN_SOCKET" > /tmp/nginx/weblate-site.conf
+    /app/venv/bin/python \
+        /etc/nginx/generate-site.py \
+        /etc/nginx \
+        "$WEBLATE_URL_PREFIX" \
+        "$WEBLATE_REALIP" \
+        "$CLIENT_MAX_BODY_SIZE" \
+        "$WEBLATE_BUILTIN_SSL" \
+        "$WEBLATE_ANUBIS_URL" \
+        "$WEBLATE_SITE_DOMAIN" \
+        "$WEBLATE_ENABLE_HTTPS" \
+        "$GRANIAN_SOCKET" \
+        "$WEBLATE_ENABLE_IPV6" \
+        > /tmp/nginx/weblate-site.conf
 
     # Calculate number of processes, at least 2, at most 4, depending on CPU cores
     if [ -z "$WEBLATE_WORKERS" ]; then