Multiple SSL listen statements and SNI

Igor Sysoev igor at
Fri Nov 11 19:29:13 UTC 2016

On 11 Nov 2016, at 22:13, Dave Hayes <dave at> wrote:

> On 11/11/2016 10:49, Igor Sysoev wrote:
>> Yes, *:443 matches all addresses except those explicitly specified in listen directives with the same port 443.
> Ah! Thank you very much! This statement cleared up my confusion. I didn't see this statement in any documentation, but I could have missed it.
>> Consider it as fallback. On FreeBSD you can use “bind” parameter:
>> listen  *:443;
>> listen bind;
>> And there will be two separate sockets: *:443 and
>> You cannot use “bind” on Linux, however, if one of the listen addresses is (wildcard, *).
>> So this configuration without “bind”:
>> listen  *:443;
>> listen;
>> emulates this two-separate-sockets behaviour in one socket.
> Nice to know that, as I do use FreeBSD. I'm still a bit curious; why would I want two separate sockets when I am already listening on

When nginx listens on *:80, it calls getsockname() to learn the exact IP address the client connected to.
With “bind” nginx already knows the address and eliminates the syscall.

> At first glance, I'd think the emulation suits my needs more; no sense in taking up memory for an extra socket right?

I believe the memory saving is negligible.

There is another case: you can configure listen addresses which do not exist on
the host when nginx starts and will be available later via CARP or a similar protocol.

Igor Sysoev
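
The single-socket behaviour described in this message, as an added example that is not part of the original post and is not nginx's own code: one wildcard socket accepts the connection, and getsockname() on the accepted socket reveals which local address the client reached, so an explicitly listed address can be told apart from the wildcard fallback. The function name `accept_and_select` is hypothetical, the loopback addresses are constructed stand-ins for the listen addresses, and it assumes a Linux host, where every address in 127.0.0.0/8 is local.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed listen table: one explicit address; all others use the wildcard. */
static const char *EXPLICIT_ADDR = "127.0.0.2";

/* One wildcard socket serves both cases. Writes the address the client
   connected to into local_ip; returns 1 = explicit entry, 0 = wildcard
   fallback, -1 = error. */
int accept_and_select(const char *dest_ip, char *local_ip, socklen_t len)
{
    struct sockaddr_in a, local;
    socklen_t alen = sizeof(a);
    int rc = -1, c = -1, conn = -1;
    int l = socket(AF_INET, SOCK_STREAM, 0);
    if (l < 0) return -1;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);      /* wildcard, ephemeral port */
    if (bind(l, (struct sockaddr *)&a, sizeof(a)) < 0 || listen(l, 1) < 0) goto done;
    if (getsockname(l, (struct sockaddr *)&a, &alen) < 0) goto done; /* port only */
    if (inet_pton(AF_INET, dest_ip, &a.sin_addr) != 1) goto done;
    c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (struct sockaddr *)&a, sizeof(a)) < 0) goto done;
    conn = accept(l, NULL, NULL);
    if (conn < 0) goto done;
    alen = sizeof(local);
    /* The per-connection syscall: which local address did the client reach? */
    if (getsockname(conn, (struct sockaddr *)&local, &alen) < 0) goto done;
    if (!inet_ntop(AF_INET, &local.sin_addr, local_ip, len)) goto done;
    rc = strcmp(local_ip, EXPLICIT_ADDR) == 0;
done:
    if (conn >= 0) close(conn);
    if (c >= 0) close(c);
    close(l);
    return rc;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    int rc = accept_and_select("127.0.0.2", ip, sizeof(ip));
    if (rc >= 0) printf("%s -> %s\n", ip, rc ? "explicit" : "wildcard");
    return rc < 0;
}
```

A socket bound to a single address makes the second getsockname() call unnecessary, because the local address of every connection it accepts is already known.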
