On 11 Nov 2016, at 20:29, Dave Hayes <[email protected]> wrote:

> On 11/11/2016 00:02, Igor Sysoev wrote:
>> Please read this:
>> http://nginx.org/en/docs/http/request_processing.html#mixed_name_ip_based_servers
>
> Thanks very much for your reply. I have read this before, but maybe I missed
> something. In reading it again like you asked, I see this paragraph:
>
> "In this configuration, nginx first tests the IP address and port of the
> request against the listen directives of the server blocks. It then tests the
> “Host” header field of the request against the server_name entries of the
> server blocks that matched the IP address and port."
>
> So in my previous configuration, if I send an SSL request to 127.0.0.81 with
> curl properly set up so it does SNI, e.g.
>
> curl -vk --resolve thing.com:443:127.0.0.81 https://thing.com/
>
> I would expect it to first test the IP address and port of the request:
>
> 127.0.0.81:443
>
> Given that I do not get to the "server 4" block, this appears to imply that
> 127.0.0.81:443 will not be matched by
>
> listen 443 ssl;
>
> or
>
> listen *:443 ssl;
Yes, *:443 matches all addresses except those explicitly specified in listen directives with the same port 443. Consider it a fallback.

On FreeBSD you can use the “bind” parameter:

    listen *:443;
    listen 127.0.0.81:443 bind;

And there will be two separate sockets: *:443 and 127.0.0.81:443.

You cannot use “bind” on Linux, however, if one of the listen addresses is 0.0.0.0 (wildcard, *). So this configuration without “bind”:

    listen *:443;
    listen 127.0.0.81:443;

emulates the two-separate-sockets behaviour in one 0.0.0.0:443 socket.

> SNI does not look at the Host: header, so I wasn't considering it useful in
> this analysis. Is this wrong?

SNI is used to find the server with the appropriate server_name.

-- 
Igor Sysoev
http://nginx.com

> Your suggestion (which does work) seems to confirm that
>
> listen *:443 ssl;
>
> will not bind to all IP addresses.
>
>> This configuration does what you want:
>>
>> server {
>>     # server 4
>>     listen 443 ssl;
>>     listen 127.0.0.81:443 ssl;
>>     server_name "thing.com";
>>     ...
>> }
>
> Naturally I've IP aliased the 127.0.0.81 (for testing). Perhaps the usage of
> IP aliases prevents "*" from having the meaning of "attach this server block
> to every IP you find"? Am I confused here?
>
> Thanks in advance for any insight provided.
> --
> Dave Hayes - Consultant - Altadena CA, USA - [email protected]
>
>>>> *The opinions expressed above are entirely my own* <<<<
>
> "Luke, you'll find many of the truths we cling to depend
> greatly upon our point of view." - Obi-Wan Kenobi
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
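The selection rule Igor describes (exact address:port first, wildcard *:port only as a fallback, then server_name against the SNI name) is easy to get wrong when an aliased address is listed explicitly in another server block. The following is an added example, not code from the thread or from nginx: a small Python model of that two-step selection, run against a constructed "before" configuration (a hypothetical "server 1" block with server_name other.example that already listens on 127.0.0.81:443) and the "after" configuration from Igor's fix. It does not model sockets or the "bind" parameter, and it stands in for default_server by taking the first candidate block in config order.

```python
"""Model of nginx server-block selection as described in the nginx-list thread.

Step 1: candidates are the blocks whose listen directive names the exact
        destination address:port; only if none does is the wildcard *:port
        used (the "fallback" behaviour of *:443).
Step 2: among the candidates, the block whose server_name matches the SNI /
        Host name wins; otherwise the first candidate in config order is used
        (a stand-in for nginx's default_server, which is not modelled here).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Listen = Tuple[str, int]  # ("*", 443) represents "listen 443;" or "listen *:443;"


@dataclass(frozen=True)
class Server:
    label: str               # comment label such as "server 4" (from the thread)
    listens: List[Listen]    # parsed listen directives
    server_names: List[str]


def parse_listen(directive: str) -> Listen:
    """Turn 'listen 443 ssl;' or 'listen 127.0.0.81:443 ssl;' into (addr, port).
    A bare port and '*:port' both mean the wildcard address."""
    addr_port = directive.strip().rstrip(";").split()[1]
    if ":" in addr_port:
        addr, port = addr_port.rsplit(":", 1)
    else:
        addr, port = "*", addr_port
    return (addr, int(port))


def select_server(servers: List[Server], dst_addr: str, dst_port: int,
                  sni: str) -> Optional[Server]:
    # Step 1: explicit address:port beats the wildcard; wildcard is only a fallback.
    explicit = [s for s in servers if (dst_addr, dst_port) in s.listens]
    candidates = explicit or [s for s in servers if ("*", dst_port) in s.listens]
    if not candidates:
        return None
    # Step 2: server_name (SNI) is checked only within the address:port candidates.
    for s in candidates:
        if sni in s.server_names:
            return s
    return candidates[0]  # stand-in for default_server


# Constructed stand-in for Dave's "previous configuration": a hypothetical
# "server 1" already listens on the aliased address 127.0.0.81:443 explicitly.
BEFORE = [
    Server("server 1", [parse_listen("listen 127.0.0.81:443 ssl;")], ["other.example"]),
    Server("server 4", [parse_listen("listen 443 ssl;")], ["thing.com"]),
]

# Igor's fix from the thread: server 4 also lists the explicit address.
AFTER = [
    Server("server 1", [parse_listen("listen 127.0.0.81:443 ssl;")], ["other.example"]),
    Server("server 4", [parse_listen("listen 443 ssl;"),
                        parse_listen("listen 127.0.0.81:443 ssl;")], ["thing.com"]),
]


def which(servers: List[Server], dst_addr: str, sni: str = "thing.com") -> Optional[str]:
    """Label of the block that would serve an HTTPS request to dst_addr:443 with this SNI."""
    s = select_server(servers, dst_addr, 443, sni)
    return s.label if s else None


if __name__ == "__main__":
    # Equivalent of: curl -vk --resolve thing.com:443:127.0.0.81 https://thing.com/
    print("before:", which(BEFORE, "127.0.0.81"))     # server 1: explicit block wins, SNI never reaches server 4
    print("after: ", which(AFTER, "127.0.0.81"))      # server 4
    print("other address:", which(AFTER, "127.0.0.1"))  # server 4 via the *:443 fallback
```

The "before" result is the security-relevant one: a request for thing.com arriving on an address that some other block lists explicitly is served by that block's default, with the SNI name never consulted against server 4. After a change to listen directives, dumping the effective config with `nginx -T` and repeating the `curl --resolve` check per address is a cheap way to confirm which block actually answers.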
