Connection issues between nginx and unicorn

[Michael Bernstein <michael.bernstein@clicksign.com>]

Hello,

We are having a lot of connection issues between nginx and unicorn,
but we don't know exactly where is the issue. Can somebody help us?

Exemple from our nginx logs:
[error] 6#6: *4269348 connect() failed (111: Connection refused) while
connecting to upstream, client: 10.2.2.252, server: _, request: "POST
/api/v1/documents?access_token=....
[error] 6#6: *4269169 recv() failed (104: Connection reset by peer)
while reading response header from upstream, client: 10.2.10.120,
server: _, request: "GET /api/v1/documents/.....
[error] 6#6: *4268896 upstream timed out (110: Operation timed out)
while connecting to upstream, client: 10.2.2.252, server: _, request:
"GET /accounts/.... HTTP/1.1", upstream:
"http://172.20.214.176:80/accounts...", host: "app.clicksign.com",
referrer: "https://app.clicksign.com/..."

############
Unicorn configuration file:

# frozen_string_literal: true

listen 8080
worker_processes 4
timeout 60

preload_app true
GC.respond_to?(:copy_on_write_friendly=) &&
  (GC.copy_on_write_friendly = true)

before_fork do |server, worker|
  Signal.trap 'TERM' do
    puts 'Unicorn master intercepting TERM and sending myself QUIT instead'
    Process.kill 'QUIT', Process.pid
  end

  defined?(ActiveRecord::Base) &&
    ActiveRecord::Base.connection.disconnect!

  old_pid = "#{server.config[:pid]}.oldbin"
  if old_pid != server.pid
    begin
      sig = (worker.nr + 1) >= server.worker_processes ? :QUIT : :TTOU
      Process.kill(sig, File.read(old_pid).to_i)
    rescue Errno::ENOENT, Errno::ESRCH
    end
  end

  sleep 1
end

after_fork do |_server, _worker|
  Signal.trap 'TERM' do
    puts 'Unicorn worker intercepting TERM and doing nothing. Wait for
master to send QUIT'
  end

  defined?(ActiveRecord::Base) &&
    ActiveRecord::Base.establish_connection
end


############
nginx configuration file:

proxy_cache_path /var/cache/nginx/ levels=1:2 keys_zone=assets_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

resolver kube-dns.kube-system.svc.cluster.local valid=5s;

upstream backend {
  server unicorn;
}

server {
  server_name _;

  server_tokens off;
  keepalive_timeout 5;
  client_max_body_size 100M;
  client_body_buffer_size 30M;

  sendfile on;
  tcp_nopush on;
  tcp_nodelay off;

  gzip on;
  gzip_min_length 1000;
  gzip_proxied any;
  gzip_buffers 16 8k;
  gzip_http_version 1.0;
  gzip_types text/css
             text/plain
             text/javascript
             application/javascript
             application/json
             application/x-javascript
             application/xml
             application/xml+rss
             application/xhtml+xml
             application/x-font-ttf
             application/x-font-opentype
             application/vnd.ms-fontobject
             image/svg+xml
             image/x-icon
             application/rss+xml
             application/atom_xml;

  location /healthcheck {
    return 204;
  }

  location ~* ^/(fonts|webfonts|assets|packs) {
    proxy_redirect off;
    proxy_cache assets_cache;
    proxy_cache_valid 120m;
    proxy_pass http://backend;
    add_header Cache-Control public;
    if ($http_origin ~
'^((https*?:\/\/).*?((\.clicksign)\.(com|me|dev)))($|\/.*$)$' ){
      add_header Access-Control-Allow-Origin $http_origin;
    }
    expires max;
  }

  location / {
    proxy_pass http://backend;
    proxy_redirect off;
    proxy_read_timeout 60;
    proxy_set_header Host $http_host;
  }
}

######

Thanks,

Michael Belfer Bernstein
michael.bernstein@clicksign.com
https://www.clicksign.com | https://www.fluxia.com.br

-- 
A informação contida nesta mensagem e seus anexos é considerada secreta, 
para uso exclusivo de seu destinatário. Caso você não seja o destinatário, 
notifique o remetente e elimine esta mensagem. The information contained in 
this message and respective attachments is secret, to be used exclusively 
by its addressee. If you are not the intended addressee, please notify the 
sender and delete this message.