Opened 2 years ago

Closed 2 years ago

#1457 closed defect (invalid)

nginx reload doesn't support listen interface changes

Reported by: nmorozoff77@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.12.x
Keywords: Cc:
uname -a: Linux CyanCircinus 4.9.28-1.tls.x86_64 #1 SMP Tue Aug 22 09:14:03 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2l 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/usr --sbin-path=/usr/sbin --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/run/nginx.pid --lock-path=/run/nginx.lock --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-debug --add-module=./scauth --add-module=./nginx_substitution_filter --with-ld-opt=-L/root/rpmbuild/BUILD/build_tree.Continent-tls/out

Description

I have a configuration directive
listen *:443 ssl;
netstat shows
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 18013/nginx

If I change it to
listen 172.16.160.44:443 ssl;
then run nginx -s reload
nothing changes in netstat,
but if I restart nginx
all is OK:
tcp 0 0 172.16.160.44:443 0.0.0.0:* LISTEN 18013/nginx

BTW, if I change the port, or the port and the interface, all works properly,
but if I change the interface only, nginx is still holding the port :(

Change History (1)

comment:1 by Maxim Dounin, 2 years ago

Resolution: invalid
Status: new → closed

There should be something like this in the error log:

2018/01/09 15:46:23 [notice] 837#837: signal 1 (SIGHUP) received from 1096, reconfiguring
2018/01/09 15:46:23 [notice] 837#837: reconfiguring
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: still could not bind()

The problem is that Linux (in contrast to other operating systems) does not allow binds on both "*:443" and "<ip>:443" at the same time for "security" reasons. Due to this restriction opening listening sockets for the new configuration fails, and nginx falls back to the old configuration.

As a result, to switch from listening on "*" to listening on an IP address on Linux you have to restart nginx.
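
A check an operator could run after `nginx -s reload`, added here as an example and not part of the ticket or of nginx: it scans the error log for a reload that ended in "still could not bind()", which means the old configuration (here the wildcard listener) is still in effect. The function name and the sample log are constructed for illustration; the log format follows the excerpt in the comment above.

```python
import re

# Constructed sample: the first reload is modeled on the excerpt in the comment
# above; the second (a reload that succeeded) is invented for contrast.
SAMPLE_LOG = """\
2018/01/09 15:46:23 [notice] 837#837: signal 1 (SIGHUP) received from 1096, reconfiguring
2018/01/09 15:46:23 [notice] 837#837: reconfiguring
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: bind() to 127.0.0.1:443 failed (98: Address already in use)
2018/01/09 15:46:23 [notice] 837#837: try again to bind() after 500ms
2018/01/09 15:46:23 [emerg] 837#837: still could not bind()
2018/01/09 16:02:10 [notice] 837#837: signal 1 (SIGHUP) received from 1200, reconfiguring
2018/01/09 16:02:10 [notice] 837#837: reconfiguring
"""

# "<date> <time> [<level>] <pid>#<tid>: <message>"
LINE = re.compile(r"^(\S+ \S+) \[(\w+)\] (\d+)#\d+: (.*)$")
BIND_FAIL = re.compile(r"^bind\(\) to (\S+) failed \(\d+: .*\)$")


def failed_reloads(log_text):
    """Return one record per reload that ended in 'still could not bind()'."""
    results, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, level, pid, msg = m.groups()
        if level == "notice" and msg == "reconfiguring":
            # The master process starts applying a new configuration.
            current = {"started": ts, "pid": int(pid), "addresses": []}
        elif current is not None and level == "emerg":
            bind = BIND_FAIL.match(msg)
            if bind:
                if bind.group(1) not in current["addresses"]:
                    current["addresses"].append(bind.group(1))
            elif msg == "still could not bind()":
                # Retries exhausted: nginx falls back to the old configuration.
                results.append(current)
                current = None
    return results


if __name__ == "__main__":
    for r in failed_reloads(SAMPLE_LOG):
        print(f"{r['started']} pid {r['pid']}: reload not applied, "
              f"could not bind {', '.join(r['addresses'])}")
```
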
