[PATCH] Added nonlocal to the listen directive

Maxim Dounin mdounin at mdounin.ru
Fri May 9 04:17:56 UTC 2014


Hello!

On Thu, May 01, 2014 at 01:42:51PM +0200, info at kliemeck.de wrote:

> Hey,
> 
> I thought that this is important but I have received no response. Any update
> on this?

Much like with IPv4, just bind on the IPv6 address you want _and_
[::].

> 
> greets
> Hans-Joachim
> 
> Quoting info at kliemeck.de:
> 
> >Hey,
> >
> >but it is still not possible to work with IPv6, if you want to bind to a
> >specific address (not [::]) that is not a local address. The
> >"ip_nonlocal_bind-sysctl" use-case is not fulfilled with this and I think
> >it is a common use-case that nginx is used within a high availability
> >environment with a shared ip address. It is possible that this important
> >feature is integrated within 1.6, since it may be a reason not to use
> >IPv6?
> >
> >greets
> >Hans-Joachim Kliemeck
> >
> >Quoting mdounin at mdounin.ru:
> >
> >>Hello!
> >>
> >>On Fri, Mar 28, 2014 at 10:45:53AM +0100, Trygve Vea wrote:
> >>
> >>># HG changeset patch
> >>># User Trygve Vea <tv at redpill-linpro.com>
> >>># Date 1395999940 -3600
> >>>#      Fri Mar 28 10:45:40 2014 +0100
> >>># Node ID 16eacd8609c8362e9dd729c743ed7a869c2993fe
> >>># Parent  2411d4b5be2ca690a5a00a1d8ad96ff69a00317f
> >>>Added nonlocal to the listen directive
> >>>
> >>>The nonlocal option is used to set the needed socket options to be able to bind
> >>>to an address not necessarily owned by the host.
> >>>
> >>>This patch currently implements this for Linux >= 2.4 IPv4/IPv6.
> >>>
> >>>The problem we solve by doing this, is in an environment where the following
> >>>conditions are met:
> >>>
> >>>* HTTPS with multiple certificates, and a client base that are unable to use
> >>> SNI - thus having the need to tie specific certificates to specific ip/ports.
> >>>* Setting the ip_nonlocal_bind-sysctl is not an option (for example for Linux
> >>> IPv6)
> >>>* Used in a failover-setup, where the service IP-addresses are moved around by
> >>> a daemon like linux-ha or keepalived.
> >>
> >>As already explained, the patch is not needed for the use case
> >>claimed.  Just a bind on INADDR_ANY/IN6ADDR_ANY will do the trick.
> >>
> >>--
> >>Maxim Dounin
> >>http://nginx.org/
> >
> >
> >
> >_______________________________________________
> >nginx-devel mailing list
> >nginx-devel at nginx.org
> >http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Maxim Dounin
http://nginx.org/
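
The listen layout suggested in this reply, written out as an added nginx configuration example that is not part of the original thread or the nginx project's own material. The addresses (from the 2001:db8::/32 documentation prefix), host roles and certificate paths are constructed placeholders.

```nginx
# Added example; addresses, roles and certificate paths are constructed.
events {}

http {
    # Wildcard listener for port 443. When a wildcard listen exists for a
    # port, nginx calls bind() only on the wildcard address and not on the
    # specific addresses listed for the same port, so startup does not
    # depend on the service addresses being configured on this node.
    server {
        listen [::]:443 ssl default_server;
        ssl_certificate     /etc/nginx/tls/fallback.crt;
        ssl_certificate_key /etc/nginx/tls/fallback.key;
        return 444;   # close requests that arrive on any other address
    }

    # Service address A, moved between nodes by keepalived or linux-ha.
    # The server block is chosen by the local address of the accepted
    # connection, so the certificate is tied to the address without SNI.
    server {
        listen [2001:db8::10]:443 ssl;
        ssl_certificate     /etc/nginx/tls/site-a.crt;
        ssl_certificate_key /etc/nginx/tls/site-a.key;
        root /srv/www/site-a;
    }

    # Service address B, same failover handling, different certificate.
    server {
        listen [2001:db8::20]:443 ssl;
        ssl_certificate     /etc/nginx/tls/site-b.crt;
        ssl_certificate_key /etc/nginx/tls/site-b.key;
        root /srv/www/site-b;
    }

    # Caveat: adding "bind" or a socket parameter such as backlog, rcvbuf
    # or sndbuf to one of the specific listen lines forces a separate
    # bind() for that address, which fails while the address is on the
    # other node.
}
```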
