c# network-programming ipv6 ipv4

Detecting private IPv6 addresses C#


We only want to allow HTTP connections to our product on the local network, to prevent customers publicly hosting the product and allowing connections from public IP addresses.

The way we are currently doing this is to look at the request's user host address, and filter out any non-private IP addresses.

For IPv4 this seems to be relatively straightforward: we allow only IP addresses that match the following:

127.0.0.0/8 loopback
10.0.0.0/8 private
172.16.0.0/12 private
192.168.0.0/16 private
169.254.0.0/16 link-local

Also for IPv6 we allow only IP addresses that match the following:

::1/128 loopback
fc00::/7 unique-local (private)
fe80::/10 link-local     

This all seems to work for the limited test cases so far...

So the question is: Are there any edge cases that will not be covered by this, e.g. VPNs, proxies, etc., or is there simply a better way to approach this problem?


Solution

  • Typically, with IPv6, all hosts will use global addresses. The goal is to restore the end-to-end connectivity of IP that is lost when using RFC 1918 with NAT in IPv4. IPv6 doesn't have NAT.

    Hosts addressed only with Unique Local addresses will be unable to connect to the outside world. IPv6 allows (actually requires) multiple addresses per interface. Are you sure you can guarantee that your customers' hosts will use a configured Unique Local (or any other particular) address to try to connect to your product?

    You may lose customers if you try to cripple IPv6 for them.

    Wouldn't a license restriction be more appropriate?

    It sounds like you need a better understanding of IPv6 since some things just don't directly translate from IPv4.
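
The allow-list described in the question, written out as an added C# example (not code from the question or the answer); the class and method names are hypothetical. It also unwraps IPv4-mapped IPv6 addresses, which a dual-stack listener reports for IPv4 clients and which the question's lists do not mention.

```csharp
using System;
using System.Net;

// Hypothetical helper: names are illustrative, not from the original post.
static class LocalAddressFilter
{
    // CIDR blocks exactly as listed in the question.
    static readonly (string Net, int Prefix)[] Allowed =
    {
        ("127.0.0.0", 8), ("10.0.0.0", 8), ("172.16.0.0", 12),
        ("192.168.0.0", 16), ("169.254.0.0", 16),
        ("::1", 128), ("fc00::", 7), ("fe80::", 10),
    };

    public static bool IsAllowed(IPAddress addr)
    {
        // A dual-stack socket reports IPv4 peers as ::ffff:a.b.c.d.
        // Unwrap first so the IPv4 rules apply to them.
        if (addr.IsIPv4MappedToIPv6) addr = addr.MapToIPv4();
        foreach (var (net, prefix) in Allowed)
            if (InPrefix(addr, IPAddress.Parse(net), prefix)) return true;
        return false;
    }

    static bool InPrefix(IPAddress addr, IPAddress net, int prefix)
    {
        if (addr.AddressFamily != net.AddressFamily) return false;
        byte[] a = addr.GetAddressBytes(), n = net.GetAddressBytes();
        int full = prefix / 8, rem = prefix % 8;
        for (int i = 0; i < full; i++)
            if (a[i] != n[i]) return false;
        if (rem == 0) return true;
        int mask = (0xFF << (8 - rem)) & 0xFF;   // top `rem` bits of the next byte
        return (a[full] & mask) == (n[full] & mask);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample addresses, not taken from the original post.
        string[] samples = { "10.1.2.3", "::ffff:192.168.1.5", "fd12:3456::1",
                             "fe80::1", "172.32.0.1", "2001:db8::1", "::ffff:8.8.8.8" };
        foreach (var s in samples)
            Console.WriteLine($"{s,-20} {LocalAddressFilter.IsAllowed(IPAddress.Parse(s))}");
    }
}
```

The check only sees the peer address of the TCP connection, so behind a reverse proxy or NAT gateway it classifies that device's address rather than the original client's.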