[PATCH] Added nonlocal to the listen directive
info at kliemeck.de
Sun Apr 27 20:10:12 UTC 2014
Hey,
but it is still not possible to work with IPv6, if you want to bind to
a specific address (not [::]) that is not a local address. The
"ip_nonlocal_bind-sysctl" use-case is not fulfilled with this and I
think it is a common use-case that nginx is used within a high
availability environment with a shared ip address. It is possible that
this important feature is integrated within 1.6, since it may be a
reason not to use IPv6?
greets
Hans-Joachim Kliemeck
Quoting mdounin at mdounin.ru:
> Hello!
>
> On Fri, Mar 28, 2014 at 10:45:53AM +0100, Trygve Vea wrote:
>
>> # HG changeset patch
>> # User Trygve Vea <tv at redpill-linpro.com>
>> # Date 1395999940 -3600
>> # Fri Mar 28 10:45:40 2014 +0100
>> # Node ID 16eacd8609c8362e9dd729c743ed7a869c2993fe
>> # Parent 2411d4b5be2ca690a5a00a1d8ad96ff69a00317f
>> Added nonlocal to the listen directive
>>
>> The nonlocal option is used to set the needed socket options to be able to
>> bind to an address not necessarily owned by the host.
>>
>> This patch currently implements this for Linux >= 2.4 IPv4/IPv6.
>>
>> The problem we solve by doing this, is in an environment where the following
>> conditions are met:
>>
>> * HTTPS with multiple certificates, and a client base that are unable to use
>>   SNI - thus having the need to tie specific certificates to specific
>>   ip/ports.
>> * Setting the ip_nonlocal_bind-sysctl is not an option (for example for
>>   Linux IPv6)
>> * Used in a failover-setup, where the service IP-addresses are moved around
>>   by a daemon like linux-ha or keepalived.
>
> As already explained, the patch is not needed for the use case
> claimed. Just a bind on INADDR_ANY/IN6ADDR_ANY will do the trick.
>
> --
> Maxim Dounin
> http://nginx.org/