Opened 3 years ago

Closed 3 years ago

#1320 closed enhancement (wontfix)

IPv6 listen directive prevents nginx from starting

Reported by: vko.exante.eu@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.12.x
Keywords: ipv6 Cc: ops-team@…
uname -a: Linux REDACTED 4.8.0-45-generic #48~16.04.1-Ubuntu SMP Fri Mar 24 12:46:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.12.0
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/headers-more-nginx-module --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-cache-purge --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-development-kit --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/ngx-fancyindex --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nchan --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-lua --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-upload-progress --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/ngx_http_substitutions_filter_module

Description

I would propose either adding a way to explicitely tell nginx to turn off all IPv6 functionality like e.g. OpenSSH does (sshd -4) or better yet do it automatically.

2017/07/13 12:50:29 [info] 10825#10825: Using 32768KiB of shared memory for nchan in /etc/nginx/nginx.conf:31
2017/07/13 12:50:29 [emerg] 10825#10825: socket() [::]:80 failed (97: Address family not supported by protocol)
# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;
cat /proc/cmdline
root=/dev/xvda1 ro ipv6.disable=1 net.ifnames=0

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: newclosed

The current nginx behaviour is as follows:

  • configuration says to do something, and this cannot be done, fail;

Such approach prevents various half-working configurations from being accepted and in general believed to simplify maintenance: if nginx works, it does what is specified in the configuration. Additionally, when updating an existing configuration via configuration reload it prevents nginx from degrading already working service due to configuration mistakes: instead of applying a half-working new configuration, nginx will reject it and will continue to work with the old configuration.

In this particular case, you've explicitly asked nginx to listen on the [::] IPv6 address, yet it is not possible due to disabled support in the kernel. The only sensible solution as per the above policy is to reject such a configuration. If starting nginx without listening on the IPv6 address is needed, it would be trivial to fix the configuration.

Note: See TracTickets for help on using tickets.