I am having problems with redirection from Nginx to gunicorn. I'm using proxy_pass
to redirect to https://127.0.0.1:5000
, and yet the redirect is being sent to https://[::1]:5000
.
Here is my own .conf
file, which is included inside nginx.conf
:
server {
listen 80;
server_name mydomain.no www.mydomain.no myotherdomain.no;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
server_name mydomain.no www.mydomain.no myotherdomain.no;
ssl_certificate /path/to/chain;
ssl_certificate_key /path/to/private/key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
root /var/www/html/;
index index.html;
charset UTF-8;
location /api {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass https://127.0.0.1:5000;
}
}
Here is my nginx.conf
file:
user django django;
worker_processes 1;
error_log /path/to/error.log warn;
pid /path/to/nginx.pid;
events {
worker_connections 1024;
}
http {
include /path/to/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /path/to/access.log main;
sendfile on;
keepalive_timeout 65;
include /path/to/conf.d/*.conf;
}
The last include
is what includes my .conf file, and it is the only file in the conf.d
directory (I did check for hidden files as well).
When I started today, the proxy_pass
was set to localhost
, yet I got a 502 when I tried to connect to mydomain.no/api/door
. The first thing I did was to check if mydomain.no:5000/api/door
worked, and indeed it did. Thus, I went to check error.log
. There I found this error:
2016/02/06 06:35:23 [error] 14280#0: *18082 connect() failed (111: Connection refused)
while connecting to upstream, client: nnn.nnn.nnn.nnn, server: mydomain.no,
request: "GET /api/door HTTP/1.1", upstream: "https://[::1]:5000/api/door", host:
"mydomain.no", referrer: "https://mydomain.no/"
As you can see, Nginx is redirecting to IPv6 localhost, for some reason. I then tried to change localhost
to an explicit IPv4 with 127.0.0.1
, but still got the exact same error.
For sake of giving as much (possibly) relevant information as I can, here's my nginx -V
as well (formatted for legibility):
nginx version: nginx/1.6.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log
--http-log-path=/var/log/nginx/access.log
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid
--lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx
--with-file-aio --with-ipv6 --with-http_ssl_module
--with-http_spdy_module --with-http_realip_module
--with-http_addition_module --with-http_xslt_module
--with-http_image_filter_module --with-http_geoip_module
--with-http_sub_module --with-http_dav_module --with-http_flv_module
--with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_degradation_module
--with-http_stub_status_module --with-http_perl_module --with-mail
--with-mail_ssl_module --with-pcre --with-pcre-jit
--with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
--with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
I've tried changing around with my machine's IPv6 settings, even turning off IPv6 for all my network interfaces (including local), but nothing has had any effect. I therefore turn to your help. What is causing the proxy_pass
to always be IPv6?
Best Answer
It turns out that this problem was caused by the way Gunicorn was set up. I was told by my peers that they had set it up with TLS encryption, but upon closer inspection it wasn't using any encryption at all. The
[::1]
in the error was likely cased by Nginx falling back to IPv6 after failing an IPv4 connection.Simply changing the
proxy_pass
fromhttps
tohttp
fixed my problem while keeping the encryption, since the jump from Nginx to Gunicorn is internal. I also changed Gunicorn to only accept local connections, since it will only be accessed through the Nginx proxy anyhow.