Page MenuHomePhabricator
Create Task
Maniphest T212871

tools-static tries to use ipv6 when proxying to downstream hosts
Open, MediumPublic
Actions

Description

2019/01/03 16:29:46 [error] 8789#8789: *282 connect() to [2606:4700::6813:c697]:443 failed (101: Network is unreachable) while connecting to upstream, client: 5.166.162.11, server: , request: "GET /cdnjs/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js HTTP/2.0", upstream: "https://[2606:4700::6813:c697]:443/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js", host: "tools-static.wmflabs.org", referrer: "https://xtools.wmflabs.org/ec/ru.wikipedia.org/Lumaca?uselang=ru"

I thought we fixed this a long time ago with rOPUP9640f7f3ef03: tools: Disable IPv6 for static reverse provy but that config is apparently not working now.

Related Objects

Event Timeline

bd808 created this task.Jan 3 2019, 4:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 3 2019, 4:31 PM
bd808 triaged this task as High priority.Jan 3 2019, 4:32 PM
bd808 added a comment.Jan 3 2019, 4:36 PM

https://trac.nginx.org/nginx/ticket/723

Internal resolver is only used for proxy_pass with variables.

More specifically, in your case (i.e., without variables) it is resolved only once on start up with the system resolver.

bd808 lowered the priority of this task from High to Medium.Jan 3 2019, 4:50 PM

Apparently this is just a lot of log noise and the proxy still works.

$ curl -v 'https://tools-static.wmflabs.org/fontcdn/css?family=Gochi+Hand'
*   Trying 208.80.155.174...
* TCP_NODELAY set
* Connected to tools-static.wmflabs.org (208.80.155.174) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: *.wmflabs.org
* Server certificate: GlobalSign Organization Validation CA - SHA256 - G2
* Server certificate: GlobalSign
> GET /fontcdn/css?family=Gochi+Hand HTTP/1.1
> Host: tools-static.wmflabs.org
> User-Agent: curl/7.60.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.13.6
< Date: Thu, 03 Jan 2019 16:49:22 GMT
< Content-Type: text/css; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Timing-Allow-Origin: *
< Expires: Thu, 03 Jan 2019 16:49:22 GMT
< Cache-Control: private, max-age=86400
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Alt-Svc: quic=":443"; ma=2592000; v="44,43,39,35"
< Accept-Ranges: none
< Vary: Accept-Encoding
< X-Clacks-Overhead: GNU Terry Pratchett
< Strict-Transport-Security: max-age=86400
<
@font-face {
  font-family: 'Gochi Hand';
  font-style: normal;
  font-weight: 400;
  src: local('Gochi Hand'), local('GochiHand-Regular'), url(https://tools-static.wmflabs.org/fontcdn/s/gochihand/v8/hES06XlsOjtJsgCkx1Pkfon__g.ttf) format('truetype');
}
* Connection #0 to host tools-static.wmflabs.org left intact
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL