[PATCH] Added nonlocal to the listen directive

info at kliemeck.de info at kliemeck.de
Thu May 1 11:42:51 UTC 2014


Hey,

I thought that this is important but I have received no response. Any
update on this?

greets
Hans-Joachim

Quoting info at kliemeck.de:

> Hey,
>
> but it is still not possible to work with IPv6, if you want to bind
> to a specific address (not [::]) that is not a local address. The
> "ip_nonlocal_bind-sysctl" use-case is not fulfilled with this and I
> think it is a common use-case that nginx is used within a high
> availability environment with a shared IP address. It is possible
> that this important feature is integrated within 1.6, since it may
> be a reason not to use IPv6?
>
> greets
> Hans-Joachim Kliemeck
>
> Quoting mdounin at mdounin.ru:
>
>> Hello!
>>
>> On Fri, Mar 28, 2014 at 10:45:53AM +0100, Trygve Vea wrote:
>>
>>> # HG changeset patch
>>> # User Trygve Vea <tv at redpill-linpro.com>
>>> # Date 1395999940 -3600
>>> #      Fri Mar 28 10:45:40 2014 +0100
>>> # Node ID 16eacd8609c8362e9dd729c743ed7a869c2993fe
>>> # Parent  2411d4b5be2ca690a5a00a1d8ad96ff69a00317f
>>> Added nonlocal to the listen directive
>>>
>>> The nonlocal option is used to set the needed socket options to be able to bind
>>> to an address not necessarily owned by the host.
>>>
>>> This patch currently implements this for Linux >= 2.4 IPv4/IPv6.
>>>
>>> The problem we solve by doing this, is in an environment where the following
>>> conditions are met:
>>>
>>> * HTTPS with multiple certificates, and a client base that are unable to use
>>>  SNI - thus having the need to tie specific certificates to specific ip/ports.
>>> * Setting the ip_nonlocal_bind-sysctl is not an option (for example for Linux
>>>  IPv6)
>>> * Used in a failover-setup, where the service IP-addresses are moved around by
>>>  a daemon like linux-ha or keepalived.
>>
>> As already explained, the patch is not needed for the use case
>> claimed.  Just a bind on INADDR_ANY/IN6ADDR_ANY will do the trick.
>>
>> --
>> Maxim Dounin
>> http://nginx.org/





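The socket-level behaviour this thread is about, as an added example that is not part of the thread or of the patch: on Linux a plain bind() to an address the host does not own fails with EADDRNOTAVAIL unless ip_nonlocal_bind is enabled, while a socket with IP_FREEBIND set can bind before the failover daemon has moved the address over. IP_FREEBIND is an assumption here (the page does not name the option the patch sets), and `try_bind` and the sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to the literal address `addr` (IPv4 or IPv6), port 0.
 * With freebind != 0, IP_FREEBIND is set first so the kernel accepts an
 * address that is not (yet) configured on any interface.
 * Assumption: IP_FREEBIND stands in for the option the patch sets.
 * Returns 0 on success, otherwise the errno of the failing call. */
int try_bind(const char *addr, int freebind)
{
    struct sockaddr_in a4 = {0};
    struct sockaddr_in6 a6 = {0};
    const struct sockaddr *sa;
    socklen_t len;
    int fd, one = 1, rc = 0;

    if (inet_pton(AF_INET, addr, &a4.sin_addr) == 1) {
        a4.sin_family = AF_INET;
        sa = (const struct sockaddr *)&a4; len = sizeof(a4);
    } else if (inet_pton(AF_INET6, addr, &a6.sin6_addr) == 1) {
        a6.sin6_family = AF_INET6;
        sa = (const struct sockaddr *)&a6; len = sizeof(a6);
    } else {
        return EINVAL;
    }
    fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    if (freebind && setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) < 0)
        rc = errno;
    else if (bind(fd, sa, len) < 0)
        rc = errno;
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample service addresses from the documentation ranges. */
    const char *vip[] = { "192.0.2.10", "2001:db8::10" };
    for (int i = 0; i < 2; i++)
        printf("%-14s plain=%s freebind=%s\n", vip[i],
               strerror(try_bind(vip[i], 0)), strerror(try_bind(vip[i], 1)));
    return 0;
}
```

Run on a standby node, the plain column shows what a listener bound to the specific service address hits at startup; the result depends on the host's ip_nonlocal_bind setting and on IPv6 being available.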