docker-nginx
Upstream lookup returns IPv6 address on Alpine
Using this (partial) configuration:
    resolver 8.8.8.8 valid=300s ipv6=off;
    resolver_timeout 10s;

    upstream gs {
        server storage.googleapis.com:443;
        keepalive 128;
    }

    server {
        location / {
            proxy_set_header Host storage.googleapis.com;
            proxy_pass https://gs/$bucket_name$uri;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
on nginx:1.17-alpine getting errors:
    *758 connect() to [2a00:1450:4001:824::2010]:443 failed (101: Network unreachable) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
    *758 upstream server temporarily disabled while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
The proxying did still work; apparently it was getting both IPv4 and IPv6 addresses and successfully using the IPv4 ones.
This is while running on Google's Kubernetes Engine (GKE) which does not support IPv6 networking.
Switching to nginx:1.17 made the errors disappear, so I assume the Alpine setup is missing something the Debian setup does.
What's in the /etc/resolv.conf on the container in your case? The resolver as set by the directive will not be used in this scenario; the system-wide parameters will be used on start.
AFAICT locally, on my laptop, docker run -ti --rm nginx:1.17 and nginx:1.17-alpine produce identical results when I nslookup storage.googleapis.com (e.g. both ipv4 and ipv6 addresses).
I've solved the same issue by turning off IPv6 support on the host machine; I'm not suggesting this approach, but it can be used in some cases as a workaround.
Add to /etc/sysctl.conf:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

Run # sysctl -p to refresh with the new configuration.
Is it possible to enable ipv6 maybe?
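Added example, not part of the original thread or the docker-nginx project: a small triage script that parses nginx error-log lines like the ones reported above and counts the IPv6 upstream addresses that failed with errno 101, which separates "AAAA records resolved at startup on a host without an IPv6 route" from ordinary upstream failures. The function names are hypothetical, and the third sample line (IPv4, 203.0.113.7) is constructed for contrast.

```python
import ipaddress
import re
from collections import Counter

# Matches the nginx error-log form shown in the issue:
#   connect() to [addr]:port failed (errno: reason) while connecting to upstream
CONNECT_FAIL = re.compile(
    r"connect\(\) to (?P<target>\[[0-9A-Fa-f:.]+\]|[0-9.]+):(?P<port>\d+) "
    r"failed \((?P<errno>\d+): (?P<reason>[^)]*)\)"
)

# First two lines are from the issue; the third is constructed sample input.
SAMPLE_LOG = """\
*758 connect() to [2a00:1450:4001:824::2010]:443 failed (101: Network unreachable) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
*758 upstream server temporarily disabled while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://[2a00:1450:4001:824::2010]:443/example.com/index.html", host: "10.156.0.15"
*901 connect() to 203.0.113.7:443 failed (110: Connection timed out) while connecting to upstream, client: 10.12.0.1, server: , request: "GET / HTTP/1.1"
"""


def parse_connect_failures(log_text):
    """Return (ip_version, address, errno, reason) for each failed upstream connect()."""
    failures = []
    for line in log_text.splitlines():
        m = CONNECT_FAIL.search(line)
        if not m:
            continue  # e.g. the "temporarily disabled" follow-up line
        try:
            addr = ipaddress.ip_address(m.group("target").strip("[]"))
        except ValueError:
            continue  # malformed address in the log line; skip it
        failures.append((addr.version, str(addr), int(m.group("errno")), m.group("reason")))
    return failures


def unroutable_ipv6_upstreams(log_text):
    """Count IPv6 upstream addresses that failed with errno 101 (ENETUNREACH on Linux)."""
    return Counter(
        addr for version, addr, errno, _ in parse_connect_failures(log_text)
        if version == 6 and errno == 101
    )


if __name__ == "__main__":
    for addr, count in unroutable_ipv6_upstreams(SAMPLE_LOG).items():
        print(f"{addr}: {count} connect() attempt(s) failed, no IPv6 route from this host")
```
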