Virtual hosts sharing same port

Posted by Frank Liu 
Frank Liu
Virtual hosts sharing same port
April 16, 2018 09:30AM
Can I use different listen parameters for virtual hosts using the same
port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
ssl h2;”
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
A. Schulze
Re: Virtual hosts sharing same port
April 16, 2018 11:30AM
Frank Liu:

> Can I use different listen parameters for virtual hosts using the same
> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> ssl h2;”

no, that's impossible (I think...)

https://nginx.org/r/listen
...
The listen directive can have several additional parameters specific
to socket-related system calls. These parameters can be specified in
any listen directive, but only once for a given address:port pair.
...

Andreas



Richard Demeny
Re: Virtual hosts sharing same port
April 16, 2018 11:30AM
It's possible if the so-called 'virtual machines' of yours are NOT on the
same machine

On Mon, 16 Apr 2018 10:19 A. Schulze, <[email protected]> wrote:

>
> Frank Liu:
>
> > Can I use different listen parameters for virtual hosts using the same
> > port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> > ssl h2;”
>
> no, that's impossible (I think...)
>
> https://nginx.org/r/listen
> ...
> The listen directive can have several additional parameters specific
> to socket-related system calls. These parameters can be specified in
> any listen directive, but only once for a given address:port pair.
> ...
>
> Andreas
>
>
>
Maxim Dounin
Re: Virtual hosts sharing same port
April 16, 2018 03:40PM
Hello!

On Mon, Apr 16, 2018 at 07:26:11AM +0000, Frank Liu wrote:

> Can I use different listen parameters for virtual hosts using the same
> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> ssl h2;”

No. Options like "ssl" and "h2" can be repeated multiple times to
make configuring listening sockets more clear. But whether you
set it or not in a given server{} block, the listening socket in
question will have the option set as long as it is set in at least
one "listen" directive.

--
Maxim Dounin
http://mdounin.ru/
Peter Booth
Re: Virtual hosts sharing same port
April 16, 2018 05:10PM
Does this imply that different behavior *could* be achieved by first defining virtual IP addresses (additional private IPs defined at the OS) which were bound to same physical NIC, and then defining virtual hosts that reference the different VIPs, in a similar fashion to how someone might configure a hardware load balancer?



Sent from my iPhone

> On Apr 16, 2018, at 9:32 AM, Maxim Dounin <[email protected]> wrote:
>
> Hello!
>
>> On Mon, Apr 16, 2018 at 07:26:11AM +0000, Frank Liu wrote:
>>
>> Can I use different listen parameters for virtual hosts using the same
>> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
>> ssl h2;”
>
> No. Options like "ssl" and "h2" can be repeated multiple times to
> make configuring listening sockets more clear. But whenever you
> set it or not in a given server{} block, the listening socket in
> question will have the option set as long as it is set in at least
> one "listen" directive.
>
> --
> Maxim Dounin
> http://mdounin.ru/
Frank Liu
Re: Virtual hosts sharing same port
April 16, 2018 05:20PM
Does that mean nginx will read and combine listen options from all virtual hosts and use that to create listening socket?

> On Apr 16, 2018, at 8:04 AM, Peter Booth <[email protected]> wrote:
>
> Does this imply that that different behavior *could* be achieved by first defining virtual IP addresses (additional private IPs defined at the OS) which were bound to same physical NIC, and then defining virtual hosts that reference the different VIPs, in a similar fashion to how someone might configure a hardware load balancer?
>
>
>
> Sent from my iPhone
>
>> On Apr 16, 2018, at 9:32 AM, Maxim Dounin <[email protected]> wrote:
>>
>> Hello!
>>
>>> On Mon, Apr 16, 2018 at 07:26:11AM +0000, Frank Liu wrote:
>>>
>>> Can I use different listen parameters for virtual hosts using the same
>>> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
>>> ssl h2;”
>>
>> No. Options like "ssl" and "h2" can be repeated multiple times to
>> make configuring listening sockets more clear. But whenever you
>> set it or not in a given server{} block, the listening socket in
>> question will have the option set as long as it is set in at least
>> one "listen" directive.
>>
>> --
>> Maxim Dounin
>> http://mdounin.ru/
Maxim Dounin
Re: Virtual hosts sharing same port
April 16, 2018 06:40PM
Hello!

On Mon, Apr 16, 2018 at 11:04:16AM -0400, Peter Booth wrote:

> Does this imply that that different behavior *could* be achieved
> by first defining virtual IP addresses (additional private IPs
> defined at the OS) which were bound to same physical NIC, and
> then defining virtual hosts that reference the different VIPs,
> in a similar fashion to how someone might configure a hardware
> load balancer?

Yes, you can have different listening sockets configured with different
options, e.g.:

server {
    listen <ip1>:443 ssl http2;
    ...
}

server {
    listen <ip2>:443 ssl; # no http2 here
    ...
}

Note though that you have to direct clients to these different IP
addresses, so using private IPs won't work. Rather, you have to
use different public IPs.

--
Maxim Dounin
http://mdounin.ru/
Maxim Dounin
Re: Virtual hosts sharing same port
April 16, 2018 07:00PM
Hello!

On Mon, Apr 16, 2018 at 08:13:42AM -0700, Frank Liu wrote:

> Does that mean nginx will read and combine listen options from
> all virtual hosts and use that to create listening socket?

Yes. You can configure something like this:

server {
    listen 443 ssl;
    ...
}

server {
    listen 443;
    ...
}

and both servers will use SSL. Moreover, currently you can do
something like this:

server {
    listen 443 ssl;
    ...
}

server {
    listen 443 http2;
    ...
}

and both servers will use SSL and HTTP/2. (The latter is actually
very confusing, and likely will result in warnings / errors during
configuration parsing in future versions.)

--
Maxim Dounin
http://mdounin.ru/
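
Added example, not part of the original thread and not nginx's own code: a small audit script that applies the merging rule described above, grouping "listen" directives by address:port and reporting every server{} block that ends up with "ssl" or "http2" only because another block on the same socket declares it. The parser is a simplified assumption (regex-based, no include handling), and the sample configuration and addresses are constructed.

```python
import re
from collections import defaultdict

PROTOCOL_FLAGS = {"ssl", "http2"}  # the listen options discussed in this thread

def normalize(addr):
    """Map a listen address to address:port form (a bare port means *:port)."""
    if addr.isdigit():
        return "*:" + addr
    if addr.startswith("unix:") or re.search(r":\d+$", addr):
        return addr
    return addr + ":80"  # only an address given: nginx uses port 80

def listen_directives(conf):
    """Yield (server_index, address:port, flags) for every listen directive."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    server = 0
    for m in re.finditer(r"\bserver\s*\{|\blisten\s+([^;]+);", conf):
        if m.group(1) is None:
            server += 1  # a new server{} block starts here
        else:
            addr, *params = m.group(1).split()
            yield server, normalize(addr), PROTOCOL_FLAGS & set(params)

def audit(conf):
    """Return {address:port: (effective_flags, [(server_index, inherited_flags)])}."""
    by_socket = defaultdict(list)
    for server, sock, flags in listen_directives(conf):
        by_socket[sock].append((server, flags))
    report = {}
    for sock, entries in by_socket.items():
        # The socket gets an option if at least one listen directive sets it.
        effective = set().union(*(f for _, f in entries))
        inherited = [(s, effective - f) for s, f in entries if effective - f]
        report[sock] = (effective, inherited)
    return report

# Constructed sample configuration (documentation addresses, hypothetical names).
SAMPLE = """
server { listen 192.0.2.10:443 ssl;   server_name a.example; }
server { listen 192.0.2.10:443;       server_name b.example; }  # no ssl here
server { listen 192.0.2.10:443 http2; server_name c.example; }
server { listen 192.0.2.20:443 ssl;   server_name d.example; }
"""

if __name__ == "__main__":
    for sock, (effective, inherited) in audit(SAMPLE).items():
        print(sock, "effective:", sorted(effective))
        for server, missing in inherited:
            print(f"  server #{server} does not declare {sorted(missing)} itself")
```

A block listed as inheriting "ssl" depends on another server{} block to keep TLS on that socket, so removing or editing that other block changes its behaviour too.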
Frank Liu
Re: Virtual hosts sharing same port
April 16, 2018 11:20PM
Thanks Maxim!

This is something interesting to know.

We had an outage last year when we had a bunch of virtual hosts all with
    listen a.b.c.d:443 ssl;
and someone added a new virtual host with
    listen a.b.c.d:443;
and caused 443 to no longer do SSL.
Based on what you said, this should not happen. I need to dig deeper into
it.

Frank


On Mon, Apr 16, 2018 at 9:49 AM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Mon, Apr 16, 2018 at 08:13:42AM -0700, Frank Liu wrote:
>
> > Does that mean nginx will read and combine listen options from
> > all virtual hosts and use that to create listening socket?
>
> Yes. You can configure something like this:
>
> server {
> listen 443 ssl;
> ...
> }
>
> server {
> listen 443;
> ...
> }
>
> and both servers will use SSL. Moreover, currently you can do
> something like this:
>
> server {
> listen 443 ssl;
> ...
> }
>
> server {
> listen 443 http2;
> ...
> }
>
> and both servers will use SSL and HTTP/2. (The latter is actually
> very confusing, and likely will result in warnings / errors during
> configuration parsing in future versions.)
>
> --
> Maxim Dounin
> http://mdounin.ru/