proxy_pass ignoring gai.conf/RFC3484
Ivan Vilata i Balaguer
ivan at pangea.org
Fri Jan 2 15:13:40 UTC 2015
Hi everyone (and a happy new year!),

I'm trying to set up NginX as a reverse proxy to an internal machine
which has both private IPv4 and ULA IPv6 addresses, both resolvable from
the same name ``internal_machine`` to A and AAAA entries in our local
DNS servers. Outbound connections are still using IPv4, but I want to
phase out our private IPv4 ones in favour of ULA IPv6, thus I'm using
``/etc/gai.conf`` to leverage the mechanism described in [RFC 3484][] to
configure ``getaddrinfo()`` responses. This is my configuration:

    precedence ::1/128 50              # loopback IPv6 first
    precedence fdf4:7759:a7d2::/48 47  # then our ULA IPv6 range
    precedence ::ffff:0:0/96 45        # then IPv4 (private and public)
    precedence ::/0 40                 # then IPv6 ...
    precedence 2002::/16 30
    precedence ::/96 20

[RFC 3484]: http://tools.ietf.org/html/rfc3484

This configuration seems to be correct, i.e. running ``getent ahosts
internal_machine`` puts ULA IPv6 addresses before private IPv4. If I
exchange the priorities of ULA IPv6 and IPv4, the command puts IPv4
addresses first. So far so good.

BUT if I configure NginX with ``proxy_pass http://internal_machine;``,
it always insists on using the IPv4 address first, regardless of what
``gai.conf`` says. The only way I have to force IPv6 first is
hardwiring it in the URL (which is ugly) or including the resolution in
``/etc/hosts`` (which disperses configuration).

Is this behaviour expected? Maybe I missed some configuration aspect?
I'm currently using:

    # nginx -V  # from Debian Wheezy backports
    nginx version: nginx/1.6.2
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fstack-protector \
    --param=ssp-buffer-size=4 -Wformat -Werror=format-security \
    -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro \
    --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf \
    --http-log-path=/var/log/nginx/access.log \
    --error-log-path=/var/log/nginx/error.log \
    --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug \
    --with-pcre-jit --with-ipv6 --with-http_ssl_module \
    --with-http_stub_status_module --with-http_realip_module \
    --with-http_auth_request_module --with-http_addition_module \
    --with-http_dav_module --with-http_geoip_module \
    --with-http_gzip_static_module --with-http_image_filter_module \
    --with-http_spdy_module --with-http_sub_module \
    --with-http_xslt_module --with-mail --with-mail_ssl_module \
    --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam \
    --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module \
    --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo \
    --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair \
    --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module
    # uname -a
    Linux frontend01 2.6.32-4-pve #1 SMP Mon May 9 12:59:57 CEST 2011 x86_64 GNU/Linux

I found [an nginx-devel thread][1] revolving around a similar issue, but
the proposed solutions overlooked ``/etc/gai.conf``.

[1]: http://www.mail-archive.com/nginx-devel%40nginx.org/msg01893.html
     "proxy_pass behavior"

Thank you very much for your help!
--
Ivan Vilata i Balaguer
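
The precedence comparison that the ``gai.conf`` table quoted in the message feeds, as an added example (not part of the original post, and not glibc or nginx code). It models only the precedence step of RFC 3484 destination ordering, not the scope, label or source-address rules; the two sample addresses in the usage comment are constructed.

```python
import ipaddress

# Precedence lines as quoted in the message above.
GAI_CONF = """\
precedence ::1/128 50              # loopback IPv6 first
precedence fdf4:7759:a7d2::/48 47  # then our ULA IPv6 range
precedence ::ffff:0:0/96 45        # then IPv4 (private and public)
precedence ::/0 40                 # then IPv6 ...
precedence 2002::/16 30
precedence ::/96 20
"""

def parse_precedence(text):
    """Return [(IPv6Network, precedence)] from gai.conf-style text."""
    table = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) == 3 and fields[0] == "precedence":
            table.append((ipaddress.ip_network(fields[1]), int(fields[2])))
    return table

def as_ipv6(addr):
    """IPv4 addresses are looked up as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip

def precedence_of(addr, table):
    """Longest-prefix match of addr against the precedence table."""
    ip = as_ipv6(addr)
    matches = [(net.prefixlen, prec) for net, prec in table if ip in net]
    # Assumption of this example: an address matching no entry ranks 0.
    return max(matches, default=(0, 0))[1]

def order_destinations(addrs, table):
    """Stable sort, highest precedence first (precedence step only)."""
    return sorted(addrs, key=lambda a: -precedence_of(a, table))

if __name__ == "__main__":
    table = parse_precedence(GAI_CONF)
    # Constructed sample addresses: one inside the ULA /48, one private IPv4.
    for a in order_destinations(["10.0.0.5", "fdf4:7759:a7d2::10"], table):
        print(precedence_of(a, table), a)
```
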