502 Errors with patch 1018

[tryvalve]

Ⅰ. Issue Description

Intermittent 502 errors when using openresty 1.17.8.2 with 1018.path.

Ⅱ. Describe what happened

root@a86d47344729:/openresty-1.17.8.2# curl -x localhost:3128 https://www.example.com
curl: (56) Received HTTP code 502 from proxy after CONNECT

Ⅲ. Describe what you expected to happen

I expected the requests to be proxied through localhost:3128.

Ⅳ. How to reproduce it (as minimally and precisely as possible)

Dockerfile:

from ubuntu:20.04

run apt-get update
run apt-get install -y curl
run apt-get install -y wget 
run apt-get install -y libpcre3-dev 
run apt-get install -y zlib1g-dev 
run apt-get install -y build-essential 
run apt-get install -y curl 

run wget https://openresty.org/download/openresty-1.17.8.2.tar.gz
run tar -zxvf openresty-1.17.8.2.tar.gz
run curl -L https://github.com/chobits/ngx_http_proxy_connect_module/archive/master.tar.gz | tar xz
workdir /openresty-1.17.8.2

run apt-get install -y libssl-dev

run ./configure --add-module=../ngx_http_proxy_connect_module-master
run patch -d build/nginx-1.17.8/ -p 1 < ../ngx_http_proxy_connect_module-master/patch/proxy_connect_rewrite_1018.patch
run make && make install

copy ./nginx.conf /usr/local/openresty/nginx/conf/nginx.conf

cmd bash -c "/usr/local/openresty/nginx/sbin/nginx && bash"

nginx.conf:

error_log ./error.log;

http {
    server {
        listen                         3128;

        # dns resolver used by forward proxying
        resolver                       8.8.8.8;

        # forward proxy for CONNECT request
        proxy_connect;
        proxy_connect_allow            443 563;
        proxy_connect_connect_timeout  10s;
        proxy_connect_read_timeout     10s;
        proxy_connect_send_timeout     10s;

        # forward proxy for non-CONNECT request
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
}

events {}

Ⅴ. Anything else we need to know?

nginx error.log:

2020/11/14 19:41:47 [crit] 10#0: *213 connect() to [2606:2800:220:1:248:1893:25c8:1946]:443 failed (99: Cannot assign requested address) while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.example.com:443 HTTP/1.1", host: "www.example.com:443"
2020/11/14 19:41:47 [error] 10#0: *213 proxy_connect: connection error while connecting to upstream, client: 127.0.0.1, server: , request: "CONNECT www.example.com:443 HTTP/1.1", host: "www.example.com:443"

Ⅵ. Environment:

1. nginx version: openresty/1.17.8.2
2. patch: 1018.patch

[hehehe886]

hi ,it means the module doesn't work , i guess u can only proxy http request .

This step wrong:
"copy ./nginx.conf /usr/local/openresty/nginx/conf/nginx.conf"

u should copy the "objs/nginx" to "/usr/sbin/nginx" or add dynamic module "ngx_http_proxy_connect_module-master" copy the so file

[scott-hiemstra]

Enabling debugging while building nginx pointed to a probable root cause being host addresses being IPv6. If your target host resolution includes IPv6 addresses then you will get 502s when the IPv6 address is attempted. Adding "ipv6=off" to your resolver line should be a functioning workaround until it is fixed in code.

Change this:
resolver 8.8.8.8;
To This:
resolver 8.8.8.8 ipv6=off;

[neiser]

@scott-hiemstra Thanks for pointing out the workaround. I think I'm experiencing a similar issue (which vanishes when using ipv6=off) and I wonder if that's really a problem of this module. I can't see why a IPv6 address isn't usable with proxy_connect_address 🤔

[eladitzhakian]

@scott-hiemstra you're a life saver

[artemyv]

I see similar issue. Disabling ipv6 fixed it.
But I noticed that resolver reports a list of IPs and proxy_connect tries only one IP from the list reported.

Is it possible to configure the proxy_connect to try all IPs reported by resolver - if some of the connection attempts failed - till one IP that succeeded is found?