Opened 3 years ago

Closed 3 years ago

#1260 closed defect (invalid)

Regex Location fails resolver DNS lookup

Reported by: hulu1522@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.11.x
Keywords: resolver
Cc:
uname -a: Linux bb-analytics-auth-proxy-3860146928-2v0v4 4.4.0-72-generic #93-Ubuntu SMP Fri Mar 31 14:07:41 UTC 2017 x86_64 Linux
nginx -V: nginx version: openresty/1.11.2.3
built by gcc 6.2.1 20160822 (Alpine 6.2.1)
built with OpenSSL 1.0.2k 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.60 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.8 --add-module=../ngx_lua_upstream-0.06 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.18 --add-module=../redis2-nginx-module-0.14 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-openssl=/tmp/openssl-1.0.2k --with-pcre=/tmp/pcre-8.39 --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_xslt_module=dynamic --with-ipv6 --with-mail --with-mail_ssl_module --with-md5-asm --with-pcre-jit --with-sha1-asm --with-stream --with-stream_ssl_module --with-threads

Description

We are developing with Kubernetes and came across an interesting issue where the resolver directive would not be applied properly when a DNS service name was inside a regex location. If we converted the DNS service to an IP then it would work. If we changed the regex location to a static location the resolver would work and find the DNS service IP correctly.

The following examples are what we had in the config for the location:

Did not work -

resolver 10.0.0.10 valid=10s ipv6=off;
resolver_timeout 10s;

location ~* ^/esauth/($1) {
  internal;
  proxy_pass http://bb-application/api/v1/proxy/$1;
}

Worked -

resolver 10.0.0.10 valid=10s ipv6=off;
resolver_timeout 10s;

location /esauth {
  internal;
  proxy_pass http://bb-application/api/v1/proxy;
}

Log from failed attempt:

2017-04-27T20:07:42.72470006Z 2017/04/27 20:07:42 [error] 7#7: *5 bb-application could not be resolved (3: Host not found),...

Change History (2)

comment:1 by hulu1522@…, 3 years ago

Sorry, the location that did not work has an error in it from our actual config.
It should read location ~* ^/esauth/(.*) {

Last edited 3 years ago by hulu1522@…

comment:2 by Ruslan Ermilov, 3 years ago

Resolution: invalid
Status: new → closed

Hostname in proxy_pass without variables is resolved on start-up using the resolver from libc, which has a notion of "short names relative to the local domain", or the search path.

Hostname in proxy_pass with variables uses nginx's resolver which needs full domain names.
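
The two resolution paths described in comment 2, side by side in one configuration. This is an added example, not part of the ticket or of nginx's own documentation. The `NAMESPACE` label and the `svc.cluster.local` suffix are assumptions standing in for the cluster's real service domain, which the ticket does not give; the listen port is also assumed.

```nginx
events {}

http {
    # Used only for names that nginx must resolve at request time,
    # i.e. when proxy_pass contains a variable.
    resolver 10.0.0.10 valid=10s ipv6=off;
    resolver_timeout 10s;

    server {
        listen 8080;  # assumed port, not from the ticket

        # No variables in proxy_pass: the hostname is resolved once at
        # start-up through libc, so the search path from resolv.conf
        # applies and the short name "bb-application" is found.
        location /esauth {
            internal;
            proxy_pass http://bb-application/api/v1/proxy;
        }

        # Variable ($1) in proxy_pass: the hostname is resolved per
        # request by nginx's own resolver, which needs the full domain
        # name. The short name here produces the error from the ticket:
        #   bb-application could not be resolved (3: Host not found)
        location ~* ^/esauth-short/(.*) {
            internal;
            proxy_pass http://bb-application/api/v1/proxy/$1;
        }

        # Same regex form with a fully qualified name, so the resolver
        # directive above can answer it.
        # NAMESPACE and svc.cluster.local are placeholders (assumption).
        location ~* ^/esauth-fqdn/(.*) {
            internal;
            proxy_pass http://bb-application.NAMESPACE.svc.cluster.local/api/v1/proxy/$1;
        }
    }
}
```

The `/esauth-short/` and `/esauth-fqdn/` prefixes are hypothetical names chosen so the three cases can coexist in one file; `nginx -t` accepts all three, because the failure in the short-name regex case only appears when a request is proxied.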
