[PATCH] Added nonlocal to the listen directive

info at kliemeck.de info at kliemeck.de
Sun Apr 27 20:10:12 UTC 2014


Hey,

but it is still not possible to work with IPv6, if you want to bind to  
a specific address (not [::]) that is not a local address. The  
"ip_nonlocal_bind-sysctl" use-case is not fulfilled with this and i  
think it is a common use-case that nginx is used within a high  
availability environment with a shared ip address. It is possible that  
this important feature is integrated within 1.6, since it may be a  
reason not to use IPv6?

greets
Hans-Joachim Kliemeck

Quoting mdounin at mdounin.ru:

> Hello!
>
> On Fri, Mar 28, 2014 at 10:45:53AM +0100, Trygve Vea wrote:
>
>> # HG changeset patch
>> # User Trygve Vea <tv at redpill-linpro.com>
>> # Date 1395999940 -3600
>> #      Fri Mar 28 10:45:40 2014 +0100
>> # Node ID 16eacd8609c8362e9dd729c743ed7a869c2993fe
>> # Parent  2411d4b5be2ca690a5a00a1d8ad96ff69a00317f
>> Added nonlocal to the listen directive
>>
>> The nonlocal option is used to set the needed socket options to be  
>> able to bind
>> to an address not necessarily owned by the host.
>>
>> This patch currently implements this for Linux >= 2.4 IPv4/IPv6.
>>
>> The problem we solve by doing this, is in an environment where the following
>> conditions are met:
>>
>> * HTTPS with multiple certificates, and a client base that are unable to use
>>   SNI - thus having the need to tie specific certificates to  
>> specific ip/ports.
>> * Setting the ip_nonlocal_bind-sysctl is not an option (for example  
>> for Linux
>>   IPv6)
>> * Used in a failover-setup, where the service IP-addresses are  
>> moved around by
>>   a daemon like linux-ha or keepalived.
>
> As already explained, the patch is not needed for the use case
> claimed.  Just a bind on INADDR_ANY/IN6ADDR_ANY will do the trick.
>
> --
> Maxim Dounin
> http://nginx.org/





More information about the nginx-devel mailing list