Nginx proxy_pass always sending to [::1]

I am having problems with redirection from Nginx to gunicorn. I'm using proxy_pass to redirect to https://127.0.0.1:5000, and yet the redirect is being sent to https://[::1]:5000.

Here is my own .conf file, which is included inside nginx.conf:

server {
    listen 80;
    server_name mydomain.no www.mydomain.no myotherdomain.no;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    server_name mydomain.no www.mydomain.no myotherdomain.no;
    ssl_certificate /path/to/chain;
    ssl_certificate_key /path/to/private/key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    root /var/www/html/;
    index index.html;
    charset UTF-8;

    location /api {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass https://127.0.0.1:5000;
    }
}

Here is my nginx.conf file:

user  django django;
worker_processes  1;

error_log  /path/to/error.log warn;
pid        /path/to/nginx.pid;

events {
worker_connections  1024;
}

http {
include       /path/to/mime.types;
default_type  application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /path/to/access.log  main;

sendfile        on;

keepalive_timeout  65;

include /path/to/conf.d/*.conf;
}

The last include is what includes my .conf file, and it is the only file in the conf.d directory (I did check for hidden files as well).

When I started today, the proxy_pass was set to localhost, yet I got a 502 when I tried to connect to mydomain.no/api/door. The first thing I did was to check if mydomain.no:5000/api/door worked, and indeed it did. Thus, I went to check error.log. There I found this error:

2016/02/06 06:35:23 [error] 14280#0: *18082 connect() failed (111: Connection refused)
while connecting to upstream, client: nnn.nnn.nnn.nnn, server: mydomain.no,
request: "GET /api/door HTTP/1.1", upstream: "https://[::1]:5000/api/door", host:
"mydomain.no", referrer: "https://mydomain.no/"

As you can see, Nginx is redirecting to IPv6 localhost, for some reason. I then tried to change localhost to an explicit IPv4 with 127.0.0.1, but still got the exact same error.

For sake of giving as much (possibly) relevant information as I can, here's my nginx -V as well (formatted for legibility):

nginx version: nginx/1.6.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx 
--conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log 
--http-log-path=/var/log/nginx/access.log 
--http-client-body-temp-path=/var/lib/nginx/tmp/client_body
--http-proxy-temp-path=/var/lib/nginx/tmp/proxy
--http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi
--http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi
--http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid
--lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx
--with-file-aio --with-ipv6 --with-http_ssl_module
--with-http_spdy_module --with-http_realip_module
--with-http_addition_module --with-http_xslt_module
--with-http_image_filter_module --with-http_geoip_module
--with-http_sub_module --with-http_dav_module --with-http_flv_module
--with-http_mp4_module --with-http_gunzip_module
--with-http_gzip_static_module --with-http_random_index_module
--with-http_secure_link_module --with-http_degradation_module
--with-http_stub_status_module --with-http_perl_module --with-mail
--with-mail_ssl_module --with-pcre --with-pcre-jit
--with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic'
--with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

I've tried changing around with my machine's IPv6 settings, even turning off IPv6 for all my network interfaces (including local), but nothing has had any effect. I therefore turn to your help. What is causing the proxy_pass to always be IPv6?

Best Answer

It turns out that this problem was caused by the way Gunicorn was set up. I was told by my peers that they had set it up with TLS encryption, but upon closer inspection it wasn't using any encryption at all. The [::1] in the error was likely cased by Nginx falling back to IPv6 after failing an IPv4 connection.

Simply changing the proxy_pass from https to http fixed my problem while keeping the encryption, since the jump from Nginx to Gunicorn is internal. I also changed Gunicorn to only accept local connections, since it will only be accessed through the Nginx proxy anyhow.

Best Answer

Related Solutions

Nginx compiled –with-http_spdy_module yet raise errors complains ngx_http_spdy_module

Nginx and openSSL conf to use newest TLS protocols

Related Topic