Resolve hostname to IPv6 address in listen directive
Maxim Dounin
mdounin at mdounin.ru
Wed Aug 25 15:04:44 MSD 2010
Hello!
On Wed, Aug 25, 2010 at 09:27:43AM +0200, Matthias-Christian Ott wrote:
> At the moment nginx does not allow IPv6 addresses to be specified by
> hostname in a listen directive, that is the following will not work:
>
> listen ipv6.example.com;
> listen [ipv6.example.com];
> listen ipv6.example.com ipv6only=on;
> listen [ipv6.example.com] ipv6only=on;
>
> Though I see a potential security problem with hostnames here (this
> also applies to IPv4), because DNS replies can be manipulated if
> DNSSEC is not used, I think that this feature would be helpful and
> simplifies administration.
Note well: listen with a hostname always uses *one* address returned
by the hostname lookup, the first one returned by gethostbyname(). It
doesn't make sense to attempt to use it with a hostname which
resolves to multiple addresses.
> Given that example.com resolves to an IPv4 and IPv6 address, simply
> binding to both addresses with the following directive would break
> backwards compatibility: listen example.com;
>
> For backwards compatibility I propose the following to resolve the
> IPv6 addresses of a hostname and listen on them:
>
> a) listen example.com ipv6only=on;
>
> b) listen [example.com];
>
> Solution b) has the disadvantage that it doesn't conform to RFC 3986.
Both are bad. Attribute ipv6only serves a completely different
purpose: it disables implicit mapping of ipv6 listen sockets to
ipv4 (for OSes where such mapping is on by default), i.e.
instructs nginx to do setsockopt(IPV6_V6ONLY) on the listen socket.
See http://tools.ietf.org/html/rfc3493#section-5.3 for details.
I believe the correct solution would be to make
listen example.com;
use an ipv6 address if no ipv4 addresses were found.
Maxim Dounin
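The two points above (a hostname in listen yields exactly one bind address, and ipv6only is a socket option rather than an address-family selector) as an added illustration in Python. This is not nginx code and not from either poster; it models the address choice Maxim proposes (first IPv4 result, IPv6 only as a fallback) over constructed resolver results, and shows the setsockopt(IPV6_V6ONLY) call that the ipv6only attribute maps to. The hostnames and addresses are example values.

```python
"""Added example, not part of nginx: one bind address per listen hostname,
and what ipv6only actually sets on the socket."""
import socket

# Constructed getaddrinfo()-style results, in the order a resolver might
# return them. Example values only, no real lookup is performed here.
DUAL_STACK_HOST = [("inet6", "2001:db8::1"), ("inet", "192.0.2.10")]
IPV6_ONLY_HOST = [("inet6", "2001:db8::2")]

_FAMILY_NAMES = {socket.AF_INET: "inet", socket.AF_INET6: "inet6"}


def resolve(hostname):
    """Real lookup via getaddrinfo(), returned as (family_name, address) pairs
    in resolver order. Needs DNS or /etc/hosts, so the tests do not call it."""
    return [
        (_FAMILY_NAMES.get(fam, "other"), sockaddr[0])
        for fam, _, _, _, sockaddr in socket.getaddrinfo(hostname, None)
    ]


def pick_listen_address(results):
    """Choose the single address `listen hostname;` would bind to, following the
    behaviour proposed in the thread: the first IPv4 address wins (gethostbyname()
    semantics); an IPv6 address is used only when the name has no IPv4 address.
    Any further addresses are ignored, which is why a multi-address hostname is a
    poor choice for listen."""
    for family, addr in results:
        if family == "inet":
            return family, addr
    for family, addr in results:
        if family == "inet6":
            return family, addr
    raise ValueError("hostname did not resolve to any IPv4 or IPv6 address")


def make_v6_listen_socket(ipv6only):
    """Create an AF_INET6 stream socket and set IPV6_V6ONLY explicitly, which is
    all that nginx's `ipv6only=on|off` does. With the option off, an IPv6 socket
    bound to [::] also accepts IPv4-mapped connections (on OSes where that is the
    default). Returns the option value read back, or None when this host cannot
    create IPv6 sockets at all."""
    if not hasattr(socket, "IPV6_V6ONLY"):
        return None
    try:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with sock:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if ipv6only else 0)
        return bool(sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY))


if __name__ == "__main__":
    print(pick_listen_address(DUAL_STACK_HOST))   # ('inet', '192.0.2.10')
    print(pick_listen_address(IPV6_ONLY_HOST))    # ('inet6', '2001:db8::2')
    print(make_v6_listen_socket(ipv6only=True))   # True, or None without IPv6
```

The practical consequence of the second function: on a system where IPv4-mapped addresses are enabled by default, a `listen [::]:80;` without ipv6only=on already answers IPv4 clients, so adding a separate `listen 80;` for the same port collides with it at bind time. That is the case ipv6only=on exists for, and it has nothing to do with which address a hostname resolves to.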