Freebsd/jail: nginx ignores IP in listen directive
Maxim Dounin
mdounin at mdounin.ru
Sat Jun 9 15:19:33 UTC 2012
Hello!
On Sat, Jun 09, 2012 at 06:25:55AM -0400, zgen wrote:
> FreeBSD 8.3/amd64
> nginx 1.2.1
> jail
>
> default config, but listen is:
>
> server {
>     listen ip_addr_of_jail:80;
>     ...
> }
>
> but
>
> $ telnet 127.0.0.1 80
> gets an answer from nginx. If I remark this listen directive, nginx
> doesn't answer.
>
> Why does nginx listen on localhost?

Because there is no localhost in a jail, it's instead emulated by
the kernel by using the jail's IP instead of localhost. This is how
jails work, nothing to do with nginx.

> I found something similar to this here:
>
> http://mailman.nginx.org/pipermail/nginx/2009-February/009947.html
>
> but
> server {
>     listen 80;
>     allow ip_addr_of_jail;
>     deny all;
>     ...
> }
>
> doesn't work either.

This config is expected to resolve the opposite issue: as there is
no localhost in a jail, one can't listen on it either (it will
listen on the jail's IP instead). So to allow only local connections
it's not enough to use "listen 127.0.0.1"; the allow/deny
directives are needed as an additional protection.

Maxim Dounin
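
Added example, not part of the original message or of nginx: a small Python audit that flags server blocks whose listen address is loopback but which lack the server-level allow/deny pair described above, since inside a jail such a listener ends up on the jail's IP. The sample config, the placeholder address 192.0.2.10 and all function names are constructed for illustration; http-level rules and CIDR ranges are not evaluated.

```python
import re

# Constructed sample config for a jail; 192.0.2.10 is a placeholder jail IP.
SAMPLE_CONF = """
server {   # A: loopback listen, ACL only inside a location
    listen 127.0.0.1:8080;
    location /status { allow 192.0.2.10; deny all; }
}
server {   # B: loopback listen plus server-level allow/deny
    listen 127.0.0.1:8081;
    allow 192.0.2.10;
    deny all;
}
server { listen 192.0.2.10:80; }   # C: bound to the jail IP on purpose
"""

def server_blocks(conf):
    """Yield each server { ... } body with nested blocks (location etc.) removed."""
    conf = re.sub(r"#[^\n]*", "", conf)            # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):             # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        while re.search(r"\{[^{}]*\}", body):      # keep server-level directives only
            body = re.sub(r"\{[^{}]*\}", ";", body)
        yield body

def local_only(body, jail_ip):
    """True if the rules before 'deny all' allow the jail IP and nothing else."""
    allowed = []
    for kind, value in re.findall(r"\b(allow|deny)\s+([^;\s]+)\s*;", body):
        if (kind, value) == ("deny", "all"):
            return allowed == [jail_ip]
        if kind == "allow":
            allowed.append(value)
    return False                                   # no 'deny all' at server level

def audit(conf, jail_ip):
    """Return loopback listen addresses that lack a jail-IP-only ACL."""
    findings = []
    for body in server_blocks(conf):
        addrs = [l.split()[0] for l in re.findall(r"\blisten\s+([^;]+);", body)]
        loopback = [a for a in addrs if a.startswith(("127.", "localhost"))]
        if loopback and not local_only(body, jail_ip):
            findings.extend(loopback)
    return findings
```

Calling `audit(SAMPLE_CONF, "192.0.2.10")` reports only server A: its allow/deny pair sits inside one location, so the rest of that server is reachable on the jail's address.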