id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1517	defective routing with multiple interfaces and domains	bertothunder@…		"This is happening at a customer, running NGINX 1.13.10 on a VPS in DigitalOcean with Ubuntu 16.04/16.10.

The host has two NICs with example IPs (eth0) 192.10.134.103 and (eth1) 192.19.10.223, and DNS records pointing to domains xxx.dev.domain1.com / yyy.dev.domain2.com into eth0 IP, and xxx.test.domain1.com / yyy.test.domain2.com into eth1 IP.

We had two existing server vhosts for app1.test.domain1.com and app1.test.domain2.com, which proxy_pass into a tomcat server with the right webapps running. Everything was working fine.

The server blocks are similar to:

{{{

# app1
server {
   listen 443 ssl http2;
   server_name app1.test.domain1.com;

   [...]

   location / {
      [...]
      proxy_pass http://<tomcat>:<port>/app1;
   }
}

# app2
server {
   listen 443 ssl http2;
   server_name app2.test.domain2.com;

   [...]

   location / {
      [...]
      proxy_pass http://<tomcat>:<port>/app2;
   }
}
}}}


Unimportant details are missing from the config, such as SSL options, etc.; as said, this was working fine.

The issue arose when we added a new server vhost for app1.dev.domain1.com:


{{{
# app1 dev
server {
   listen 443 ssl http2;
   server_name app1.dev.domain1.com;

   [...]

   location / {
      [...]
      proxy_pass http://<dev_tomcat>:<port>/app1;
   }
}
}}}



With this vhost enabled, anything trying to hit either app1.test.domain1.com or app2.test.domain.com **will be routed** through the new .dev.domain1.com vhost, no matter what we do, returning a 404 as the dev tomcat webapp does not contain the expected app for test in dev.

We have enabled the upstreamlog log format to ensure this, and nginx is always routing any .test.domainX.com request into .dev.domain1.com.

DNS records point to the right IPs for the right NICs, checked.

What we actually found to make this work is that we had to change the listen:


{{{
# app1 test
server {
   listen 192.19.10.223:443 ssl http2;
   [rest unchanged]
}

# app2 test
server {
   listen 192.19.10.223:443 ssl http2;
   [rest unchanged]
}

# app1 dev
server {
   listen 192.10.134.103:443 ssl http2;
   [ rest unchanged ]
}
}}}



With this change, everything works as expected, and routing no longer makes a mess. 

I could not find anything about this in the documentation, and I don't understand how the routing for xxx.test.domain1.com would be accepted through xxx.dev.domain1.com, since the server_name does not match.

I would have expected nginx to reject the requests in such a case, since the domain and host for server_name do not match. But they are accepted, routed, and proxied to the (wrong) tomcat, without the specific IP address in the listen parameter.

Is this right??"	defect	closed	major		nginx-core	1.13.x	worksforme			Linux localhost 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.13.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-pcre --with-http_stub_status_module --prefix=/opt/nginx/1.13.10 --conf-path=/etc/nginx/nginx.conf --with-http_ssl_module --with-select_module --with-file-aio --with-threads --with-http_secure_link_module --with-pcre-jit --sbin-path=/opt/nginx/1.13.10/bin/nginx --with-http_realip_module
"
