nginxinc / docker-nginx

Official NGINX Dockerfiles
BSD 2-Clause "Simplified" License

Upstream lookup returns IPv6 address on Alpine #374

Open codefrau opened 4 years ago

codefrau commented 4 years ago

Using this (partial) configuration:

    resolver                   8.8.8.8 valid=300s ipv6=off;
    resolver_timeout           10s;
    upstream gs {
        server storage.googleapis.com:443;
        keepalive 128;
    }
    server {
        location / {
            proxy_set_header    Host storage.googleapis.com;
            proxy_pass          https://gs/$bucket_name$uri;
            proxy_http_version  1.1;
            proxy_set_header    Connection "";
        }
    }

on nginx:1.17-alpine, I'm getting errors:

    *758 connect() to [2a00:1450:4001:824::2010]:443 failed (101: Network unreachable) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
    *758 upstream server temporarily disabled while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"

The proxying did still work; apparently it was getting both IPv4 and IPv6 addresses, successfully using the IPv4 ones.

This is while running on Google's Kubernetes Engine (GKE) which does not support IPv6 networking.

Switching to nginx:1.17 made the errors disappear, so I assume the Alpine setup is missing something the Debian setup does.

thresheek commented 4 years ago

What's in the /etc/resolv.conf on the container in your case? The resolver as set by the directive will not be used in this scenario; the system-wide parameters will be used on start.

AFAICT locally, on my laptop, docker run -ti --rm nginx:1.17 and nginx:1.17-alpine produce identical results when I nslookup storage.googleapis.com (e.g. both ipv4 and ipv6 addresses).
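A way to confirm from the error log that the unreachable-network failures are confined to IPv6 upstream addresses, as an added example that is not part of the issue thread or the docker-nginx project: it parses error-log lines in the shape quoted in the report and groups connect() failures by IP version and errno. The function names and the last two sample lines are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

ENETUNREACH = 101  # Linux errno reported as "Network unreachable" in the issue

# Constructed sample input: the first two lines follow the issue's log excerpt,
# the last two are made up for contrast (documentation address ranges).
SAMPLE_LOG = '''\
*758 connect() to [2a00:1450:4001:824::2010]:443 failed (101: Network unreachable) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
*758 upstream server temporarily disabled while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
*759 connect() to [2001:db8::10]:443 failed (101: Network unreachable) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2001:db8::10]:443/example.com/index.html", host: "10.156.0.15"
*760 connect() to 192.0.2.10:443 failed (111: Connection refused) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://192.0.2.10:443/example.com/index.html", host: "10.156.0.15"
'''

# Matches only the connect() failure lines; the bracketed form is IPv6.
CONNECT_FAIL = re.compile(
    r"connect\(\) to (?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+) "
    r"failed \((?P<errno>\d+): (?P<msg>[^)]*)\) while connecting to upstream"
)

def summarize_connect_failures(log_text):
    """Count upstream connect() failures keyed by (IP version, errno, address)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_FAIL.search(line)
        if not m:
            continue  # e.g. the "temporarily disabled" follow-up line
        addr = ipaddress.ip_address(m["v6"] or m["v4"])
        counts[(addr.version, int(m["errno"]), str(addr))] += 1
    return counts

def ipv6_only_unreachable(counts):
    """True when every errno 101 failure targets an IPv6 upstream address,
    the pattern in the issue: AAAA results used on a network without IPv6."""
    unreachable = [key for key in counts if key[1] == ENETUNREACH]
    return bool(unreachable) and all(key[0] == 6 for key in unreachable)

if __name__ == "__main__":
    summary = summarize_connect_failures(SAMPLE_LOG)
    for (version, err, addr), n in sorted(summary.items()):
        print(f"IPv{version} errno={err} {addr}: {n}")
    print("IPv6-only unreachable:", ipv6_only_unreachable(summary))
```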

f100024 commented 4 years ago

I've solved the same issue by turning off IPv6 support on the host machine; I'm not suggesting this approach, but it can be used in some cases as a workaround.

Add to /etc/sysctl.conf:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

Run # sysctl -p to refresh with the new configuration.

wh1t3h47 commented 1 year ago

Is it possible to enable ipv6 maybe?