nginx + ip_nonlocal_bind

Tristan Griffiths tristan.griffiths at stomp.com.au
Fri May 1 15:01:09 MSD 2009



> -----Original Message-----
> From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of Tristan Griffiths
> Sent: Friday, 1 May 2009 8:00 PM
> To: nginx at sysoev.ru
> Subject: RE: nginx + ip_nonlocal_bind
> 
> > -----Original Message-----
> > From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of Igor Sysoev
> > Sent: Friday, 1 May 2009 5:38 PM
> > To: nginx at sysoev.ru
> > Subject: Re: nginx + ip_nonlocal_bind
> >
> > On Fri, May 01, 2009 at 05:27:10PM +1000, Tristan Griffiths wrote:
> >
> > > > -----Original Message-----
> > > > From: owner-nginx at sysoev.ru [mailto:owner-nginx at sysoev.ru] On Behalf Of Igor Sysoev
> > > > Sent: Friday, 1 May 2009 4:50 PM
> > > > To: nginx at sysoev.ru
> > > > Subject: Re: nginx + ip_nonlocal_bind
> > > >
> > > > On Fri, May 01, 2009 at 04:26:55PM +1000, Tristan Griffiths wrote:
> > > >
> > > > > Greetings.
> > > > >
> > > > > We would like to set up our Nginx instances in a HA pair. Using
> > > > > Heartbeat, we have Nginx listening on virtual addresses on the
> > > > > active server.
> > > > >
> > > > > On the passive server, we cannot get Nginx to start up because
> > > > > those virtual (or floating) addresses are not configured on the
> > > > > server until Heartbeat detects a failover condition.
> > > > >
> > > > > Is Nginx able to bind to a non-local IP address? We've tried
> > > > > setting the ip_nonlocal_bind kernel option with no luck.
> > > > >
> > > > > Some important information:
> > > > >
> > > > > # nginx -v
> > > > > nginx version: nginx/0.7.53
> > > > >
> > > > > Starting nginx: [emerg]: bind() to 213.167.72.152:80 failed (98: Address already in use)
> > > >
> > > > This is because another process is already listening on this
> > > > address:port.
> > > >
> > > > > CentOS 5.3
> > > > >
> > > > > <config>
> > > > > server {
> > > > >     listen 213.167.72.152:80 default;
> > > > > </config>
> > > > >
> > > > > Any other settings we should provide?
> > > >
> > > > To listen on temporarily non configured addresses you may use
> > > > something like this:
> > > >
> > > >     server {
> > > >          listen  80;
> > > >     }
> > > >
> > > >     server {
> > > >          listen 213.167.72.152:80 default;
> > > >          ...
> > > >     }
> > > >
> > > >     server {
> > > >          listen 213.167.72.1:80 default;
> > > >          ...
> > > >     }
> > > >
> > > > nginx binds to *:80 only, but tests an address where a request
> > > > comes to.
> > >
> > > Hadn't tried that. Works a treat.
> > >
> > > Hope this helps someone else in future.
> >
> > OK, however, with ip_nonlocal_bind nginx should bind() successfully
> > even to non existent addresses. You should look why bind() returned
> > (98: Address already in use).
> >
> > > For SSL hosts, would we just "listen 443; ssl on;" (with a dummy
> > > certificate)?
> >
> > Yes. Or you may combine SSL/non-SSL servers in one server:
> >
> >        server {
> >             listen  80;
> >             listen  443 default ssl;
> >
> 
> This is what I have now done, although I was being tripped up by the
> "deferred" option defined in our virtual host listen directives.
> Setting:
> 
> server { listen 80 default deferred; ....
> 
> Seems to work.
> 
> Catch with combining SSL/non-SSL is that our backend app servers
> require the X-FORWARDED_PROTO header to know if the client is getting an
> encrypted connection. Is there a way around this?

Answered my own question...

proxy_set_header X-FORWARDED_PROTO $scheme;

Easy!

Thanks again Igor for fantastic software.
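
The three pieces settled in this thread (wildcard-only binding so the passive node starts, one server block carrying both the plain and the TLS listen, and a forwarded-protocol header set by nginx rather than trusted from the client) fit together as below. This is an added example, not configuration from the thread or from the nginx project, written in current nginx syntax: `default_server` is the present-day spelling of the 0.7-era `default`, and `ssl on` is no longer needed. The floating addresses 213.167.72.152 and 213.167.72.1 are taken from the thread; the backend at 127.0.0.1:8080 and the certificate paths under /etc/nginx/ssl/ are placeholders.

```nginx
# Added example, not code from the thread. Assumed placeholders: the
# backend 127.0.0.1:8080 and the certificate files under /etc/nginx/ssl/.
#
# Only the wildcard sockets *:80 and *:443 are ever bound, so nginx starts
# on the passive node before Heartbeat has added the floating addresses.
# Each accepted connection is then routed to the server block whose listen
# address matches the local address the connection arrived on.

http {
    upstream app_backend {
        server 127.0.0.1:8080;          # placeholder application server
    }

    # Catch-all: this block owns the real sockets. Socket options such as
    # "deferred" or "backlog" belong here, on the listen that creates the
    # socket, not on the address-specific listens below.
    server {
        listen 80 default_server deferred;
        listen 443 ssl default_server;
        ssl_certificate     /etc/nginx/ssl/dummy.crt;   # placeholder dummy cert
        ssl_certificate_key /etc/nginx/ssl/dummy.key;   # placeholder
        return 444;                     # drop requests for unmatched addresses
    }

    # First floating address: plain and TLS in one server, as Igor suggests.
    server {
        listen 213.167.72.152:80  default_server;
        listen 213.167.72.152:443 ssl default_server;
        ssl_certificate     /etc/nginx/ssl/site1.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/site1.key;   # placeholder

        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host $host;
            # Set unconditionally from $scheme: nginx replaces any
            # X-Forwarded-Proto the client sent with "http" or "https",
            # so a plain-HTTP client cannot claim to the backend that it
            # arrived over TLS.
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Second floating address, same pattern.
    server {
        listen 213.167.72.1:80  default_server;
        listen 213.167.72.1:443 ssl default_server;
        ssl_certificate     /etc/nginx/ssl/site2.crt;   # placeholder
        ssl_certificate_key /etc/nginx/ssl/site2.key;   # placeholder

        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two practical checks. First, do not add the `bind` parameter to an address-specific `listen`: it forces nginx to bind() that address separately, which brings back the failure on the passive node. If the addresses really must be bound directly, that is the case for `sysctl -w net.ipv4.ip_nonlocal_bind=1`, and then, as Igor notes, a `(98: Address already in use)` means another process holds the port; `ss -ltnp` (or `netstat -lntp` on a 2009-era box) will show which one. Second, the header name is conventionally spelled `X-Forwarded-Proto`; the thread's `X-FORWARDED_PROTO` also works here because nginx sets it itself, but a backend that keys on the hyphenated name will not see the underscored one.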