Weird problem: cannot stand up nginx on 443 ipv4

Julian Brown julian at jlbprof.com
Thu Apr 25 19:27:36 UTC 2019


Sorry this is a bit long:

On Debian Stretch 9.8, fresh install. I want to set up nginx as a load
balancer to just one node at this time, just to play with it and understand
it.

I installed the apt package nginx-full, which I assume will have everything there.

So I slightly modified nginx.conf, where I removed the part about
sites-available and only included the one loadbalance.conf.

nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log debug;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xm

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/loadbalance.conf;
}

Here is /etc/nginx/conf.d/loadbalance.conf:

upstream learngigs {
    server 192.168.1.250;
}

server {
    server_name learngigs.com www.learngigs.com

    listen 443;
    listen [::]:443;

    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/letsencrypt/live/learngigs.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/learngigs.com/privkey.pem;

    access_log /var/log/nginx/loadbalance.access.log;
    error_log /var/log/nginx/loadbalance.error.log debug;

    location / {
        proxy_pass http://learngigs/;
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    return 301 https://learngigs.com;
}

root at loadbalance01:/etc/nginx# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

As you can see there are no syntax errors.

root at loadbalance01:/etc/nginx# netstat -anop | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1322/nginx: master   off (0.00/0/0)
tcp6       0      0 :::80                   :::*                    LISTEN      1322/nginx: master   off (0.00/0/0)
tcp6       0      0 :::443                  :::*                    LISTEN      1322/nginx: master   off (0.00/0/0)
unix  3      [ ]         STREAM     CONNECTED     20723    1322/nginx: master
unix  3      [ ]         STREAM     CONNECTED     20724    1322/nginx: master

From this you can see it will not bind to 0.0.0.0:443; it was able to and
did for 80, and did 443 on ipv6, but not ipv4.

There is nothing sitting on 443:

root at loadbalance01:/etc/nginx# netstat -anop | grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      1322/nginx: master   off (0.00/0/0)

So there is no bind error.

Looking at the logs:

root at loadbalance01:/var/log/nginx# ls -ld *
-rw-r--r-- 1 root root   0 Apr 25 14:20 access.log
-rw-r--r-- 1 root root 265 Apr 25 14:20 error.log
-rw-r--r-- 1 root root   0 Apr 25 14:20 loadbalance.access.log
-rw-r--r-- 1 root root  78 Apr 25 14:20 loadbalance.error.log

As you can see it created loadbalance.error.log, so it understood my config
for that.

root at loadbalance01:/var/log/nginx# cat loadbalance.error.log
2019/04/25 14:20:09 [debug] 1368#1368: epoll add event: fd:8 op:1 ev:00002001
root at loadbalance01:/var/log/nginx# cat error.log
2019/04/25 14:20:09 [info] 1363#1363: Using 32768KiB of shared memory for nchan in /etc/nginx/nginx.conf:63
2019/04/25 14:20:09 [debug] 1368#1368: epoll add event: fd:9 op:1 ev:00002001
2019/04/25 14:20:09 [debug] 1368#1368: epoll add event: fd:10 op:1 ev:00002001

And there is nothing interesting in the logs.

I put this on serverfault and someone suggested that listening on a port on
ipv6 would also work for ipv4, but if I do a telnet myip 443 from another
server it says refused connection.

There is nothing of note in syslog:

Apr 25 14:20:03 loadbalance01 systemd[1]: Stopping A high performance web server and a reverse proxy server...
Apr 25 14:20:03 loadbalance01 systemd[1]: Stopped A high performance web server and a reverse proxy server.
Apr 25 14:20:09 loadbalance01 systemd[1]: Starting A high performance web server and a reverse proxy server...
Apr 25 14:20:09 loadbalance01 systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Invalid argument
Apr 25 14:20:09 loadbalance01 systemd[1]: Started A high performance web server and a reverse proxy server.

I tried to strace it, and it does not even try to bind to 443 on ipv4; it
is almost like it is compiled to ignore port 443 on ipv4.

Can someone help me?

Thank you

Julian Brown
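Editor's note, added example (not the poster's or the nginx project's code): in the posted loadbalance.conf the `server_name learngigs.com www.learngigs.com` line has no terminating `;`, so nginx reads the following `listen 443` as two more server names and only `listen [::]:443;` remains a real listen directive, which is exactly the netstat picture above. `nginx -t` accepts this, so the check below tokenizes a config offline and flags any directive whose arguments contain another directive's name; the directive list and the embedded config copy are constructed for the example.

```python
"""Static check for an nginx directive that lost its terminating ';'.
nginx -t accepts it: the next line's tokens just become extra arguments."""
import re

# Directive names commonly found in server {} (assumed, not exhaustive); one of
# these appearing as an *argument* of another directive means a ';' was dropped.
KNOWN_DIRECTIVES = {
    "listen", "server_name", "ssl", "ssl_protocols", "ssl_certificate",
    "ssl_certificate_key", "ssl_prefer_server_ciphers", "access_log",
    "error_log", "location", "proxy_pass", "return", "root", "index",
}

# Comments, double/single quoted strings, block/statement punctuation, bare words.
TOKEN_RE = re.compile(r'''#[^\n]*|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[{};]|[^\s{};"']+''')

def tokenize(text):
    """Yield (token, line_number) pairs with comments dropped."""
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if not tok.startswith("#"):
            yield tok, text.count("\n", 0, m.start()) + 1

def find_missing_semicolons(text):
    """Return [(line, directive, swallowed_token)] for each suspect statement."""
    findings, stmt = [], []
    for tok, line in tokenize(text):
        if tok in (";", "{", "}"):          # end of a statement or block header
            if stmt and tok != "}":
                name, first_line = stmt[0]
                bad = [arg for arg, _ in stmt[1:] if arg in KNOWN_DIRECTIVES]
                if bad:
                    findings.append((first_line, name, bad[0]))
            stmt = []
        else:
            stmt.append((tok, line))
    return findings

# Constructed copy of the relevant lines of the posted server block.
SAMPLE_CONF = """\
server {
    server_name learngigs.com www.learngigs.com

    listen 443;
    listen [::]:443;
    location / { proxy_pass http://learngigs/; }
}
"""

for line, name, tok in find_missing_semicolons(SAMPLE_CONF):
    print(f"line {line}: '{name}' swallowed {tok!r}; missing ';' on that line?")
```

Quoted values such as `"listen"` are deliberately not flagged, since a quoted token is a legitimate argument rather than a directive name.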