Virtual hosts sharing same port

Virtual hosts sharing same port

Frank Liu
Can I use different listen parameters for virtual hosts using the same port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443 ssl h2;”


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Virtual hosts sharing same port

A. Schulze

Frank Liu:

> Can I use different listen parameters for virtual hosts using the same
> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> ssl h2;”

no, that's impossible (I think...)

https://nginx.org/r/listen
...
The listen directive can have several additional parameters specific  
to socket-related system calls. These parameters can be specified in  
any listen directive, but only once for a given address:port pair.
...

Andreas




Re: Virtual hosts sharing same port

Richard Demeny
It's possible if the so-called 'virtual machines' of yours are NOT on the same machine


Re: Virtual hosts sharing same port

Maxim Dounin
In reply to this post by Frank Liu
Hello!

On Mon, Apr 16, 2018 at 07:26:11AM +0000, Frank Liu wrote:

> Can I use different listen parameters for virtual hosts using the same
> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> ssl h2;”

No.  Options like "ssl" and "h2" can be repeated multiple times to
make configuring listening sockets more clear.  But whether you
set it or not in a given server{} block, the listening socket in
question will have the option set as long as it is set in at least
one "listen" directive.

--
Maxim Dounin
http://mdounin.ru/

Re: Virtual hosts sharing same port

Peter Booth
Does this imply that different behavior *could* be achieved by first defining virtual IP addresses (additional private IPs defined at the OS) which were bound to same physical NIC, and then defining virtual hosts that reference the different VIPs, in a similar fashion to how someone might configure a hardware load balancer?




Re: Virtual hosts sharing same port

Frank Liu
Does that mean nginx will read and combine listen options from all virtual hosts and use that to create listening socket?


Re: Virtual hosts sharing same port

Maxim Dounin
In reply to this post by Peter Booth
Hello!

On Mon, Apr 16, 2018 at 11:04:16AM -0400, Peter Booth wrote:

> Does this imply that different behavior *could* be achieved
> by first defining virtual IP addresses (additional private IPs
> defined at the OS) which were bound to same physical NIC, and
> then defining virtual hosts that reference the different VIPs,
> in a similar fashion to how someone might configure a hardware
> load balancer?

Yes, you can have different listening sockets configured with different
options, e.g.:

    server {
        listen <ip1>:443 ssl http2;
        ...
    }

    server {
        listen <ip2>:443 ssl; # no http2 here
        ...
    }

Note though that you have to direct clients to these different IP
addresses, so using private IPs won't work.  Rather, you have to
use different public IPs.

--
Maxim Dounin
http://mdounin.ru/

Re: Virtual hosts sharing same port

Maxim Dounin
In reply to this post by Frank Liu
Hello!

On Mon, Apr 16, 2018 at 08:13:42AM -0700, Frank Liu wrote:

> Does that mean nginx will read and combine listen options from
> all virtual hosts and use that to create listening socket?

Yes.  You can configure something like this:

   server {
       listen 443 ssl;
       ...
   }

   server {
       listen 443;
       ...
   }

and both servers will use SSL.  Moreover, currently you can do
something like this:

   server {
       listen 443 ssl;
       ...
   }

   server {
       listen 443 http2;
       ...
   }

and both servers will use SSL and HTTP/2.  (The latter is actually
very confusing, and likely will result in warnings / errors during
configuration parsing in future versions.)

--
Maxim Dounin
http://mdounin.ru/

Re: Virtual hosts sharing same port

Frank Liu
Thanks Maxim!

This is something interesting to know.

We had an outage last year when we had a bunch of virtual hosts all with

    listen a.b.c.d:443 ssl;

and someone added a new virtual host with

    listen a.b.c.d:443;

and caused 443 to no longer do SSL.
Based on what you said, this should not happen. I need to dig deeper into it.

Frank
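
Maxim Dounin's explanation of merged listen options and the mixed declarations Frank Liu describes both suggest a configuration check: group every listen directive by address:port and report the ones that omit ssl or http2 while the socket gets it from another server block. This is an added example, not part of the thread or of nginx; the function names, the one-directive-per-line assumption and the sample configuration are constructed for illustration.

```python
import re

# Parameters the thread describes as applying to the whole listening socket.
SOCKET_WIDE = {"ssl", "http2"}
LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);", re.M)  # one directive per line

# Constructed sample configuration (192.0.2.10 is a documentation address).
SAMPLE = """\
server {
    listen 192.0.2.10:443 ssl;
}
server {
    listen 192.0.2.10:443;
}
server {
    listen 443 ssl;
}
server {
    listen 443 http2;
}
"""

def normalize(addr):
    """Map a listen address to its address:port key ("443" -> "*:443")."""
    if addr.isdigit():
        return "*:" + addr
    if addr.startswith("unix:") or re.search(r":\d+$", addr):
        return addr
    return addr + ":80"  # address given without a port

def effective_listen(config):
    """Group listen directives by address:port and union their options."""
    sockets = {}
    for m in LISTEN_RE.finditer(config):
        addr, *params = m.group(1).split()
        opts = SOCKET_WIDE.intersection(params)
        line_no = config.count("\n", 0, m.start(1)) + 1
        entry = sockets.setdefault(normalize(addr), {"opts": set(), "uses": []})
        entry["opts"] |= opts
        entry["uses"].append((line_no, opts))
    return sockets

def findings(config):
    """Report directives that omit an option their socket gets anyway."""
    return [(n, key, sorted(e["opts"] - opts))
            for key, e in sorted(effective_listen(config).items())
            for n, opts in e["uses"] if e["opts"] - opts]

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

Each finding is a (line number, address:port, missing options) tuple; an empty list means every listen directive for a socket declares the same ssl/http2 set.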

