Should listen *:443 bind to IPv4 and IPv6 ?

Posted by Ralph Seichter 
Ralph Seichter
Should listen *:443 bind to IPv4 and IPv6 ?
June 13, 2018 11:10AM
Hi folks,

I wonder if I missed an announcement for a change in nginx behaviour
or if some local issue is causing me problems. The configuration

server {
    listen *:443 ssl default_server;
}

used to bind to both 0.0.0.0:443 and [::]:443, but since I updated to
nginx 1.15.0 it only binds to IPv4 but no longer to IPv6. When I add
a second listen directive

server {
    listen *:443 ssl default_server;
    listen [::]:443 ssl default_server;
}

the server can be reached via both IPv6 and IPv4 again. Was this a
deliberate change?

-Ralph
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Maxim Dounin
Re: Should listen *:443 bind to IPv4 and IPv6 ?
June 13, 2018 02:30PM
Hello!

On Wed, Jun 13, 2018 at 11:01:09AM +0200, Ralph Seichter wrote:

> I wonder if I missed an announcement for a change in nginx behaviour
> or if some local issue is causing me problems. The configuration
>
> server {
>     listen *:443 ssl default_server;
> }
>
> used to bind to both 0.0.0.0:443 and [::]:443, but since I updated to
> nginx 1.15.0 it only binds to IPv4 but no longer to IPv6. When I add
> a second listen directive
>
> server {
>     listen *:443 ssl default_server;
>     listen [::]:443 ssl default_server;
> }
>
> the server can be reached via both IPv6 and IPv4 again. Was this a
> deliberate change?

The "listen *:443" snippet always created only IPv4 listening
socket. Though I think I've seen some distributions patching
nginx to create IPv6+IPv4 sockets instead.

--
Maxim Dounin
http://mdounin.ru/
Ralph Seichter
Re: Should listen *:443 bind to IPv4 and IPv6 ?
June 13, 2018 05:20PM
On 13.06.18 14:19, Maxim Dounin wrote:

> The "listen *:443" snippet always created only IPv4 listening socket.

That's interesting. Maybe Gentoo Linux did indeed add a custom patch to
previous nginx versions.

What is the shortest officially recommended way to bind nginx to port
443 for both IPv4 and IPv6? I should probably mention that my servers
usually service multiple domains using TLS SNI.

server {
    listen *:443 ssl;
    listen [::]:443;
}

works, but perhaps there is a method with just one listen statement?

-Ralph
Maxim Dounin
Re: Should listen *:443 bind to IPv4 and IPv6 ?
June 13, 2018 06:00PM
Hello!

On Wed, Jun 13, 2018 at 05:10:51PM +0200, Ralph Seichter wrote:

> On 13.06.18 14:19, Maxim Dounin wrote:
>
> > The "listen *:443" snippet always created only IPv4 listening socket.
>
> That's interesting. Maybe Gentoo Linux did indeed add a custom patch to
> previous nginx versions.
>
> What is the shortest officially recommended way to bind nginx to port
> 443 for both IPv4 and IPv6? I should probably mention that my servers
> usually service multiple domains using TLS SNI.
>
> server {
>     listen *:443 ssl;
>     listen [::]:443;
> }
>
> works, but perhaps there is a method with just one listen statement?

Using

listen 443 ssl;
listen [::]:443 ssl;

should be good enough.

While it is possible to use just one listen statement with an IPv6
address and "ipv6only=off", I would rather recommend using an
explicit configuration with two distinct listening sockets.

--
Maxim Dounin
http://mdounin.ru/
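
An added example, not part of the original posts and not nginx code: a small Python audit that applies the rules stated in this thread ("listen 443" and "listen *:443" are IPv4 only, "[::]" is IPv6 only unless "ipv6only=off") to config text and reports ports that lack an address family or carry "ssl" on only one family. The function names are hypothetical, the text passed in is assumed to be the complete config, and results are grouped by port and family only.

```python
import re

LISTEN = re.compile(r"^\s*listen\s+([^;]+);", re.M)  # one directive per line

def parse_listen(args):
    """Return (port, families, ssl) for one listen directive, or None if skipped."""
    addr, *params = args.split()
    ssl = "ssl" in params
    if addr.startswith("unix:"):
        return None                      # UNIX-domain socket, no IP family
    if addr.startswith("["):             # IPv6 literal: [addr] or [addr]:port
        host, _, port = addr.partition("]")
        fams = {"ipv6"}
        # ipv6only defaults to on; only the [::] wildcard can go dual-stack
        if host == "[::" and "ipv6only=off" in params:
            fams.add("ipv4")
        return int(port.lstrip(":") or 80), fams, ssl
    if addr.isdigit():                   # bare port: IPv4 wildcard only
        return int(addr), {"ipv4"}, ssl
    host, _, port = addr.partition(":")
    if host != "*" and not re.fullmatch(r"[\d.]+", host):
        return None                      # hostname: family depends on resolution
    return int(port or 80), {"ipv4"}, ssl

def audit(conf):
    """Map port -> {family: ssl set on some listen}. Assumes conf is complete."""
    table = {}
    for m in LISTEN.finditer(conf):
        parsed = parse_listen(m.group(1))
        if parsed:
            port, fams, ssl = parsed
            for fam in fams:
                entry = table.setdefault(port, {})
                entry[fam] = entry.get(fam, False) or ssl
    return table

def findings(conf):
    """List ports missing an address family or mixing TLS and plaintext."""
    out = []
    for port, fams in sorted(audit(conf).items()):
        out += [f"{port}: no {f} listener" for f in ("ipv4", "ipv6") if f not in fams]
        if len(set(fams.values())) > 1:
            out.append(f"{port}: ssl not set on every address family")
    return out

if __name__ == "__main__":
    # The listen variants that appear in the posts above
    for conf in ("listen *:443 ssl default_server;",
                 "listen 443 ssl;\nlisten [::]:443 ssl;",
                 "listen [::]:443 ssl ipv6only=off;",
                 "listen *:443 ssl;\nlisten [::]:443;"):
        print(repr(conf), "->", findings(conf) or "ok")
```

Comparing the result with the sockets actually open on the host (for example with `ss -tln`) shows whether a distribution patch changes the behaviour described in the thread.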