Hi everyone (and a happy new year!),
I’m trying to setup NginX as a reverse proxy to an internal machine
which has both private IPv4 and ULA IPv6 addresses, both resolvable from
the same name internal_machine to A and AAAA entries in our local
DNS servers. Outbound connections are still using IPv4, but I want to
phase out our private IPv4 ones in favour of ULA IPv6, thus I’m using
/etc/gai.conf to leverage the mechanism described in RFC3484 to
configure getaddrinfo() responses. This is my configuration:
precedence ::1/128 50 # loopback IPv6 first
precedence fdf4:7759:a7d2::/48 47 # then our ULA IPv6 range
precedence ::ffff:0:0/96 45 # then IPv4 (private and
public)
precedence ::/0 40 # then IPv6 …
precedence 2002::/16 30
precedence ::/96 20
This configuration seems to be correct, i.e. running getent ahosts internal_machine puts ULA IPv6 addresses before private IPv4. If I
exchange the priorities of ULA IPv6 and IPv4, the command puts IPv4
addresses first. So far so good.
BUT if I configure NginX with proxy_pass http://internal_machine;,
it always insists in using the IPv4 address first, regardless of what
gai.conf says. The only way I have to force IPv6 first is
hardwiring it in the URL (which is ugly) or including the resolution in
/etc/hosts (which disperses configuration).
Is this behaviour expected? Maybe I missed some configuration aspect?
I’m currently using:
# nginx -V # from Debian Wheezy backports
nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector \
--param=ssp-buffer-size=4 -Wformat -Werror=format-security \
-D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-z,relro \
--prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \
--http-scgi-temp-path=/var/lib/nginx/scgi \
--http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug \
--with-pcre-jit --with-ipv6 --with-http_ssl_module \
--with-http_stub_status_module --with-http_realip_module \
--with-http_auth_request_module --with-http_addition_module \
--with-http_dav_module --with-http_geoip_module \
--with-http_gzip_static_module --with-http_image_filter_module \
--with-http_spdy_module --with-http_sub_module \
--with-http_xslt_module --with-mail --with-mail_ssl_module \
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam
–add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-dav-ext-module
–add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-echo
–add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-upstream-fair
–add-module=/tmp/buildd/nginx-1.6.2/debian/modules/ngx_http_substitutions_filter_module
# uname -a
Linux frontend01 2.6.32-4-pve #1 SMP Mon May 9 12:59:57 CEST 2011
x86_64 GNU/Linux
I found an nginx-devel thread revolving around a similar issue, but
the proposed solutions overlooked /etc/gai.conf.
Thank you very much for your help!
–
Ivan Vilata i Balaguer