Getting Nginx 101: Network is unreachable on proxy_pass setup


(Ricardonacif) #1

Guys,

We have discourse running and our current setup is using nginx proxy_pass to make Vango Community access community.vangoart.co. Here’s our proxy_pass configuration:

location /community/ {
  proxy_pass https://community.vangoart.co/;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

We’ve been getting a few 5xx errors only when accessing through the proxy, and the discourse nginx error log shows:

2016/02/11 21:24:42 [error] 50#50: *246491 connect() to [2400:cb00:2048:1::6819:f117]:443 failed (101: Network is unreachable) while connecting to upstream, client: 186.242.81.92, server: _, request: "GET /community/letter_avatar_proxy/v2/letter/n/ea666f/90.png HTTP/2.0", upstream: "https://[2400:cb00:2048:1::6819:f117]:443/v2/letter/n/ea666f/90.png", host: "community.vangoart.co", referrer: "https://community.vangoart.co/community/t/aproval-is-needed/170"
2016/02/11 21:24:42 [error] 50#50: *246491 connect() to [2400:cb00:2048:1::6819:f017]:443 failed (101: Network is unreachable) while connecting to upstream, client: 186.242.81.92, server: _, request: "GET /community/letter_avatar_proxy/v2/letter/n/ea666f/90.png HTTP/2.0", upstream: "https://[2400:cb00:2048:1::6819:f017]:443/v2/letter/n/ea666f/90.png", host: "community.vangoart.co", referrer: "https://community.vangoart.co/community/t/aproval-is-needed/170"
2016/02/11 21:25:17 [error] 50#50: *246651 connect() to [2400:cb00:2048:1::6819:f017]:443 failed (101: Network is unreachable) while connecting to upstream, client: 173.72.28.48, server: _, request: "GET /letter_avatar_proxy/v2/letter/m/c57346/45.png HTTP/1.1", upstream: "https://[2400:cb00:2048:1::6819:f017]:443/v2/letter/m/c57346/45.png", host: "community.vangoart.co"
2016/02/11 21:26:08 [error] 50#50: *246727 connect() to [2400:cb00:2048:1::6819:f017]:443 failed (101: Network is unreachable) while connecting to upstream, client: 52.36.2.218, server: _, request: "GET /letter_avatar_proxy/v2/letter/n/ea666f/20.png HTTP/1.0", upstream: "https://[2400:cb00:2048:1::6819:f017]:443/v2/letter/n/ea666f/20.png", host: "community.vangoart.co", referrer: "https://www.vangoart.co/community/t/aproval-is-needed/170/2"

I believe it’s related to IPv6, but I’m not sure about the solution. Has anyone ever faced that?

Thanks,


(Matt Palmer) #2

The problem isn’t Discourse-specific. Your nginx thinks it can talk to community.vangoart.co over IPv6, but it can’t, and that’s causing much sadness. Frankly, I’m not sure why nginx thinks there’s an IPv6 address for that name, because it doesn’t resolve a AAAA record for me. Split-horizon DNS, maybe?

At any rate, if you should be able to reach that address over IPv6, you’ll need to use the usual network debugging tools (pcaps, routing table, firewall config/logs) to determine why the traffic can’t get to where it needs to go.
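
The diagnosis in the reply above can be checked from the proxy's own error log. This is an added example, not code from anyone in this thread: it tallies nginx upstream connect() failures by IP version and errno, and `has_route` is a hypothetical helper that asks the kernel for a route with a UDP connect, which sends no packets. The sample log is constructed in the format shown in the first post, with documentation-range client addresses.

```python
import ipaddress
import re
import socket
from collections import Counter

# Linux errno for "Network is unreachable", as printed in the nginx log above.
ENETUNREACH = 101

# Constructed sample: upstream addresses as logged in the thread, other fields shortened.
SAMPLE_LOG = """\
2016/02/11 21:24:42 [error] 50#50: *246491 connect() to [2400:cb00:2048:1::6819:f117]:443 failed (101: Network is unreachable) while connecting to upstream, client: 198.51.100.7, server: _
2016/02/11 21:25:17 [error] 50#50: *246651 connect() to [2400:cb00:2048:1::6819:f017]:443 failed (101: Network is unreachable) while connecting to upstream, client: 198.51.100.8, server: _
2016/02/11 21:26:08 [error] 50#50: *246727 connect() to 192.0.2.10:443 failed (111: Connection refused) while connecting to upstream, client: 198.51.100.9, server: _
"""

# Matches nginx's "connect() to ADDR:PORT failed (ERRNO: text)" upstream errors.
CONNECT_RE = re.compile(
    r"connect\(\) to (?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<v4>[\d.]+)):\d+ "
    r"failed \((?P<errno>\d+): [^)]+\)"
)

def summarize(log_text):
    """Count upstream connect() failures keyed by (IP version, errno)."""
    counts = Counter()
    for m in CONNECT_RE.finditer(log_text):
        ip = ipaddress.ip_address(m.group("v6") or m.group("v4"))
        counts[(ip.version, int(m.group("errno")))] += 1
    return counts

def ipv6_only_unreachable(counts):
    """True when all errno-101 failures are IPv6, which points at missing IPv6 routing on the proxy host."""
    versions = {ver for (ver, err) in counts if err == ENETUNREACH}
    return versions == {6}

def has_route(address, port=443):
    """Check the local routing table without sending traffic (UDP connect only sets the peer)."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((address, port))
        return True
    except OSError:
        return False

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    print(dict(counts), "IPv6-only unreachable:", ipv6_only_unreachable(counts))
    print("route to logged upstream:", has_route("2400:cb00:2048:1::6819:f117"))
```

If `has_route` returns False for the logged upstream while an IPv4 address returns True, the host running nginx has no usable IPv6 route, which matches the errno 101 entries.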


(Ricardonacif) #3

Cool @mpalmer, thanks for the input!