proxy_pass ignoring gai.conf/RFC3484

Ivan Vilata i Balaguer ivan at
Fri Jan 2 15:13:40 UTC 2015

Hi everyone (and a happy new year!),

I'm trying to set up NginX as a reverse proxy to an internal machine
which has both private IPv4 and ULA IPv6 addresses, both resolvable from
the same name ``internal_machine`` to A and AAAA entries in our local
DNS servers.  Outbound connections are still using IPv4, but I want to
phase out our private IPv4 ones in favour of ULA IPv6, thus I'm using
``/etc/gai.conf`` to leverage the mechanism described in [RFC 3484][] to
configure ``getaddrinfo()`` responses.  This is my configuration:

    precedence  ::1/128              50  # loopback IPv6 first
    precedence  fdf4:7759:a7d2::/48  47  # then our ULA IPv6 range
    precedence  ::ffff:0:0/96        45  # then IPv4 (private and public)
    precedence  ::/0                 40  # then IPv6 ...
    precedence  2002::/16            30
    precedence  ::/96                20

[RFC 3484]:

This configuration seems to be correct, i.e. running ``getent ahosts
internal_machine`` puts ULA IPv6 addresses before private IPv4.  If I
exchange the priorities of ULA IPv6 and IPv4, the command puts IPv4
addresses first.  So far so good.

BUT if I configure NginX with ``proxy_pass http://internal_machine;``,
it always insists on using the IPv4 address first, regardless of what
``gai.conf`` says.  The only way I have to force IPv6 first is
hardwiring it in the URL (which is ugly) or including the resolution in
``/etc/hosts`` (which disperses configuration).

Is this behaviour expected?  Maybe I missed some configuration aspect?
I'm currently using:

    # nginx -V  # from Debian Wheezy backports
    nginx version: nginx/1.6.2
    TLS SNI support enabled
    configure arguments: --with-cc-opt='-g -O2 -fstack-protector \
      --param=ssp-buffer-size=4 -Wformat -Werror=format-security \
      -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro \
      --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf \
      --http-log-path=/var/log/nginx/access.log \
      --error-log-path=/var/log/nginx/error.log \
      --lock-path=/var/lock/nginx.lock --pid-path=/run/ \
      --http-client-body-temp-path=/var/lib/nginx/body \
      --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
      --http-proxy-temp-path=/var/lib/nginx/proxy \
      --http-scgi-temp-path=/var/lib/nginx/scgi \
      --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug \
      --with-pcre-jit --with-ipv6 --with-http_ssl_module \
      --with-http_stub_status_module --with-http_realip_module \
      --with-http_auth_request_module --with-http_addition_module \
      --with-http_dav_module --with-http_geoip_module \
      --with-http_gzip_static_module --with-http_image_filter_module \
      --with-http_spdy_module --with-http_sub_module \
      --with-http_xslt_module --with-mail --with-mail_ssl_module \
      --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam \
      --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module \
      --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo \
      --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair \
    # uname -a
    Linux frontend01 2.6.32-4-pve #1 SMP Mon May 9 12:59:57 CEST 2011 x86_64 GNU/Linux

I found [an nginx-devel thread][1] revolving around a similar issue, but
the proposed solutions overlooked ``/etc/gai.conf``.

     "proxy_pass behavior"

Thank you very much for your help!

Ivan Vilata i Balaguer
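
The following is an added example, not part of the original message and not nginx or glibc code: it applies the precedence table from the ``gai.conf`` above to two candidate addresses, to show the ordering the table asks for and the effect of exchanging the ULA and IPv4 priorities. It models only the precedence comparison (Rule 6 of RFC 3484's destination address selection); the candidate addresses and the helper names are constructed for illustration.

```python
import ipaddress

# Precedence table copied from the gai.conf in the post.
POST_TABLE = [
    ("::1/128", 50),
    ("fdf4:7759:a7d2::/48", 47),
    ("::ffff:0:0/96", 45),
    ("::/0", 40),
    ("2002::/16", 30),
    ("::/96", 20),
]

def as_ipv6(addr):
    """Return addr as an IPv6Address; IPv4 becomes IPv4-mapped (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(int(ip) | (0xFFFF << 32))
    return ip

def precedence(addr, table):
    """Longest-prefix match of addr against the table; returns the precedence."""
    ip = as_ipv6(addr)
    best_len, best_prec = -1, 0
    for prefix, prec in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_prec = net.prefixlen, prec
    return best_prec

def order(addrs, table):
    """Sort candidates by descending precedence; stable, so ties keep input order."""
    return sorted(addrs, key=lambda a: -precedence(a, table))

def swap(table, a, b):
    """Return a copy of table with the precedences of prefixes a and b exchanged."""
    prec = dict(table)
    prec[a], prec[b] = prec[b], prec[a]
    return list(prec.items())

# Constructed sample answers for internal_machine (A record first, then AAAA).
CANDIDATES = ["10.0.0.10", "fdf4:7759:a7d2::10"]

if __name__ == "__main__":
    print(order(CANDIDATES, POST_TABLE))
    print(order(CANDIDATES, swap(POST_TABLE, "fdf4:7759:a7d2::/48", "::ffff:0:0/96")))
```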
