Opened 5 years ago

Closed 5 years ago

#1741 closed enhancement (worksforme)

Use IP_FREEBIND?

Reported by: teward.thomas-ward.net@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.14.x
Keywords:
Cc:
uname -a: Linux arstotzka 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.0g 2 Nov 2017
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-FIJPpj/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description

Hello.

Over the past several years, there have been multiple requests regarding IPv6 or IPv4 binding before addresses are assigned; and many suggestions have been made to use IP_FREEBIND to permit binding before the IP address(es) are actually on-interface, or for HA cases.

Is there any particular reason why IP_FREEBIND is not included to solve these binding issues? If there is no specific reason, can you consider adding it?

Maxim made suggestions via the lists to bind to [::] AND the IPv6 that's sought to be bound to, however this doesn't appear to work anymore and gives you an emerg crit failure during startup.

(NOTE: While nginx -V points at Ubuntu, this is ultimately still a question that should be considered for NGINX at-large.)

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: worksforme
Status: new → closed

> Maxim made suggestions via the lists to bind to [::] AND the IPv6 that's sought to be bound to, however this doesn't appear to work anymore and gives you an emerg crit failure during startup.

If it doesn't work for you, you may want to check the reasons. For example, the following configuration opens a single listening socket on [::]:8080 and does not depend on 2001:db8::1 being present on the host in question:

server {
    listen [::]:8080;
    listen [2001:db8::1]:8080;
}

Basic things to check are:

  • On Linux there should be no "conflicting" sockets, since Linux does not permit binds on a wildcard address and a particular IP address at the same time.
  • You shouldn't try to configure bind options for non-existing addresses, as bind options will imply a dedicated bind() which would fail.

While supporting Linux-specific IP_FREEBIND is certainly possible, it is not clear why this can be needed except maybe in some complex configurations when one does not want to configure listening on the wildcard address for some reason (and in such configurations it is always possible to use /proc/sys/net/ipv?/ip_nonlocal_bind to allow non-local binds system-wide). All requests seen so far indicate no reasons to introduce IP_FREEBIND support, but rather indicate that people don't know how to use existing nginx features to bind on wildcard addresses.
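
The three bind() outcomes this ticket turns on, as an added example (not code from nginx or from either participant): a Linux C program that binds to an address the host does not own with and without IP_FREEBIND, and to the wildcard address. It uses IPv4 for brevity; `try_bind` and `NONLOCAL_ADDR` are hypothetical names, and it assumes 192.0.2.1 is not configured locally and ip_nonlocal_bind is left at 0.

```c
/* Added example: bind() to an address the host does not own, with and
 * without IP_FREEBIND, plus the wildcard bind. Linux-only. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed sample: 192.0.2.1 is from TEST-NET-1 (RFC 5737) and is
 * assumed not to be configured on any local interface. */
#define NONLOCAL_ADDR "192.0.2.1"

/* Bind a TCP socket to addr on an ephemeral port.
 * Returns 0 on success, otherwise the errno of the failing call. */
int try_bind(const char *addr, int freebind)
{
    struct sockaddr_in sa;
    int rc = 0;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;

    if (freebind) {
        int on = 1;   /* allow binding to an address that is not (yet) local */
        if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &on, sizeof(on)) < 0)
            rc = errno;
    }

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(0);            /* let the kernel pick a port */
    if (rc == 0 && inet_pton(AF_INET, addr, &sa.sin_addr) != 1)
        rc = EINVAL;
    if (rc == 0 && bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0)
        rc = errno;

    close(fd);
    return rc;
}

int main(void)
{
    printf("specific, no IP_FREEBIND: %s\n", strerror(try_bind(NONLOCAL_ADDR, 0)));
    printf("specific, IP_FREEBIND:    %s\n", strerror(try_bind(NONLOCAL_ADDR, 1)));
    printf("wildcard 0.0.0.0:         %s\n", strerror(try_bind("0.0.0.0", 0)));
    return 0;
}
```

With ip_nonlocal_bind at 0, the first case fails with EADDRNOTAVAIL while the other two succeed; the wildcard bind is the case the nginx configuration in the comment relies on.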
