Multiple SSL listen statements and SNI
Igor Sysoev
igor at sysoev.ru
Fri Nov 11 19:29:13 UTC 2016
On 11 Nov 2016, at 22:13, Dave Hayes <dave at jetcafe.org> wrote:
> On 11/11/2016 10:49, Igor Sysoev wrote:
>> Yes, *:443 matches all addresses except explicitly specified in listen directives with the same port 443.
>
> Ah! Thank you very much! This statement cleared up my confusion. I didn't see this statement in any documentation, but I could have missed it.
>
>> Consider it as fallback. On FreeBSD you can use “bind” parameter:
>>
>> listen *:443;
>> listen 127.0.0.81:443 bind;
>>
>> And there will be two separate sockets: *:443 and 127.0.0.81:443.
>> You can not use “bind” on Linux however if one of listen addresses is 0.0.0.0 (wildcard, *).
>>
>> So this configuration without “bind”:
>>
>> listen *:443;
>> listen 127.0.0.81:443;
>>
>> emulates this two separate sockets behaviour in one 0.0.0.0:443 socket.
>
> Nice to know that, as I do use FreeBSD. I'm still a bit curious; why would I want two separate sockets when I am already listening on 0.0.0.0?
When nginx listen on *:80 it is calls getsockname() to learn exact IP address which client connected to.
With “bind” nginx already knows the address and eliminates the syscall.
> At first glance, I'd think the emulation suits my needs more; no sense in taking up memory for an extra socket right?
I believe memory saving is negligeable.
There is another case: You can configure listen addresses which are not exists on
the host when nginx starts and will be available later via CARP or similar protocol.
--
Igor Sysoev
http://nginx.com
More information about the nginx
mailing list