Wednesday, August 15, 2018

django - Nginx - connect() failed (111: Connection refused) while connecting to upstream



I am running a site that uses Django, Nginx, Gunicorn, Supervisord and fail2ban (which only allows ssh, http and https). The site is live and working correctly but there are some nginx error log entries that are concerning:



connect() failed (111: Connection refused) while connecting to upstream, client: x.x.x.x, server: www.example.com, request: "GET /example/url/to/get/ HTTP/1.1", upstream: "http://[::1]:8000/example/url/to/get/", host: "www.example.com"

upstream server temporarily disabled while connecting to upstream, client: x.x.x.x, server: www.example.com, request: "GET /example/url/to/get/ HTTP/1.1", upstream: "http://[::1]:8000/example/url/to/get/", host: "www.example.com"


Here is my nginx config:




upstream app_server_wsgiapp {
    server localhost:8000 fail_timeout=0;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://www.example.com$request_uri;
}

server {
    server_name www.example.com;
    listen 443 ssl;

    if ($host = 'example.com') {
        return 301 https://www.example.com$request_uri;
    }

    ssl_certificate /etc/nginx/example/example.crt;
    ssl_certificate_key /etc/nginx/example/example.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/www.example.com.access.log;
    error_log /var/log/nginx/www.example.com.error.log info;

    keepalive_timeout 5;

    proxy_read_timeout 120s;

    # nginx serve up static and media files
    location /static {
        autoindex on;
        alias /static/path;
    }

    location /media {
        autoindex on;
        alias /media/path;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        if (!-f $request_filename) {
            proxy_pass http://app_server_wsgiapp;
            break;
        }
    }
}


I do not have any errors in the Gunicorn logs.



Like I said, the site is working correctly. But I don't want to ignore error logs which could potentially become a bigger issue later.



Answer



Could this be because your system is dual-stack, but your upstream is IPv4 only?



It looks as if localhost is resolving to [::1], which depending on your upstream might be the problem in and of itself.



Given you are communicating over loopback, I would tend to assume the Connection refused is 'real' - it is reflective of the actual issue.



You can check whether this is the problem by replacing localhost with 127.0.0.1 in your upstream config:



upstream app_server_wsgiapp {
    server 127.0.0.1:8000 fail_timeout=0;
}
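A way to confirm the answer's hypothesis before touching the nginx config, as an added example that is not part of the original question or answer: pull the address nginx actually dialed out of the error-log line, then resolve `localhost` with `getaddrinfo` (which is what makes a dual-stack host hand back `::1` as well as `127.0.0.1`) and attempt a TCP connect to every address returned. The listener started here is a constructed stand-in bound to 127.0.0.1 only, mimicking a Gunicorn that was started without an IPv6 bind; the sample log line is a copy of the one in the question with its `x.x.x.x` placeholder kept.

```python
import re
import socket
import threading
from contextlib import closing

# Constructed copy of the error-log line from the question (client IP left as the placeholder).
SAMPLE_ERROR_LINE = (
    'connect() failed (111: Connection refused) while connecting to upstream, '
    'client: x.x.x.x, server: www.example.com, '
    'request: "GET /example/url/to/get/ HTTP/1.1", '
    'upstream: "http://[::1]:8000/example/url/to/get/", host: "www.example.com"'
)

# nginx writes IPv6 upstreams in brackets and IPv4 ones bare; capture either plus the port.
UPSTREAM_RE = re.compile(
    r'upstream: "https?://(?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+)'
)


def upstream_address(line):
    """Return (ip, port) that nginx dialed, taken from one error-log line, or None."""
    m = UPSTREAM_RE.search(line)
    if not m:
        return None
    return (m.group('v6') or m.group('v4'), int(m.group('port')))


def probe_upstream(host, port, timeout=1.0):
    """Resolve host like a dual-stack resolver and try a TCP connect to each address.

    Returns {ip: True|False}; a False next to '::1' with a True next to '127.0.0.1'
    is exactly the situation the answer describes.
    """
    results = {}
    for family, socktype, proto, _canon, sockaddr in socket.getaddrinfo(
        host, port, type=socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        if ip in results:
            continue
        try:
            # Socket creation is inside the try: AF_INET6 may be unsupported on the host.
            with closing(socket.socket(family, socktype, proto)) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            results[ip] = True
        except OSError:
            results[ip] = False
    return results


def start_ipv4_only_listener(port=0):
    """Constructed stand-in for a Gunicorn bound to 127.0.0.1 only. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(('127.0.0.1', port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == '__main__':
    print('nginx dialed:', upstream_address(SAMPLE_ERROR_LINE))
    srv, port = start_ipv4_only_listener()
    print('localhost resolves/connects as:', probe_upstream('localhost', port))
    srv.close()
```

Against a real deployment you would call `probe_upstream('localhost', 8000)` with Gunicorn running; if `::1` comes back refused while `127.0.0.1` connects, either pin the upstream to `127.0.0.1:8000` as the answer suggests or bind Gunicorn to both families. Note that `fail_timeout=0` in the original upstream block is what keeps the site working despite the refused IPv6 attempt: nginx marks the address failed, retries the other one immediately, and logs the "temporarily disabled" line each time.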
