Opened 5 years ago

Closed 5 years ago

#1912 closed defect (wontfix)

Ignore duplicate reuseport options

Reported by: ltning@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.16.x
Keywords:
Cc:
uname -a: FreeBSD 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC amd64
nginx -V: nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d-freebsd 10 Sep 2019
TLS SNI support enabled
configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /usr/local/include' --with-ld-opt='-L /usr/local/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/ --error-log-path=/var/log/nginx/error.log --user=www --group=www --modules-path=/usr/local/libexec/nginx --with-file-aio --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx/access.log --with-http_v2_module --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-pcre --with-http_ssl_module --with-http_stub_status_module --without-mail_pop3_module --without-mail_smtp_module --with-mail_ssl_module --add-module=/wrkdirs/usr/ports/www/nginx/work/ModSecurity-nginx-71ede63 --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads --add-module=/wrkdirs/usr/ports/www/nginx/work/nginx-module-vts-0.1.18 --with-mail=dynamic --with-stream=dynamic --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_devel_kit-0.3.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/ngx_http_auth_pam_module-1.5.1 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/lua-nginx-module-0.10.15 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/set-misc-nginx-module-cda7e50 --add-dynamic-module=/wrkdirs/usr/ports/www/nginx/work/passenger-6.0.4/src/nginx_module


We use puppet for configuration management, automatically creating hundreds of virtual hosts on a single nginx instance and IP:PORT. Using reuseport greatly improves performance, but we cannot automate this since we can either specify "reuseport" on all listen directives, or none at all.

Since configuration parsing already detects duplicate reuseport options, it should be trivial to simply ignore any but the first for a given IP:PORT combination.

Though I am sure it makes sense on a code level, it does not make sense to a user that some options (ssl) can (must?) be specified for each listen directive, while others (reuseport) can not.

Change History (1)

comment:1 by Maxim Dounin, 5 years ago

Resolution: wontfix
Status: new → closed

As of now, options of the "listen" directive related to the listening socket cannot be specified multiple times. This ensures that all options are set correctly and no conflicting configurations can be specified.

To simplify configurations and make them more user-friendly, in 0.8.51 it was made possible to specify the "ssl" option (which is not related to listening socket options, but rather to the protocol used on connections to the listening socket) multiple times. So it became possible to use "listen 443 ssl;" in virtual servers, making it obvious that the socket in question uses SSL. Later this approach was extended to all newly added protocol-level options ("http2", "proxy_protocol"). This approach, however, causes a different issue: users try to enable a particular option only in a particular server block and don't understand why this breaks other servers using the same listening socket.

Given the above, there are no plans to make it possible to specify other listening options multiple times, including the "reuseport" option. Rather, we are considering making options checking more strict: in particular, checking that all protocol-specific options are either specified only once, like socket-related options, or the same set of options is used.

If you have problems with your automatic configuration, consider extending it. It should be easy enough to make it possible to specify options only in the default server, and use no options (just listen <address>;) in all other servers.
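
One way to follow the suggestion in comment:1 from a configuration generator, as an added example that is not part of the ticket or of nginx: socket-level options are emitted once per address, and protocol-level options are repeated only when every server on that socket uses the same set. The input hash shape and the name `render_listens` are assumptions.

```ruby
# Added example (not from the ticket): render one "listen" line per vhost.
# Hash keys :name, :listen, :opts, :default are a constructed input shape.

# Protocol-level options named in the comment; nginx accepts these repeated.
PROTOCOL_OPTS = %w[ssl http2 proxy_protocol].freeze

def render_listens(vhosts)
  lines = {}
  vhosts.group_by { |v| v[:listen] }.each do |addr, group|
    # Protocol options affect every server on the socket: require one set.
    proto_sets = group.map { |v| (v[:opts] & PROTOCOL_OPTS).sort }.uniq
    if proto_sets.size > 1
      raise ArgumentError, "#{addr}: mixed protocol options #{proto_sets.inspect}"
    end

    # Everything else (reuseport, backlog=N, ...) is treated as socket-level.
    socket = group.flat_map { |v| v[:opts] - PROTOCOL_OPTS }.uniq
    clash = socket.group_by { |o| o.split('=').first }.select { |_, vs| vs.size > 1 }
    raise ArgumentError, "#{addr}: conflicting #{clash.values.flatten.inspect}" unless clash.empty?

    defaults = group.select { |v| v[:default] }
    raise ArgumentError, "#{addr}: more than one default server" if defaults.size > 1

    # Socket options go on the default server, or the first vhost if none is marked.
    owner = defaults.first || group.first
    group.each do |v|
      parts = [addr]
      parts << 'default_server' if v[:default]
      parts.concat(proto_sets.first)
      parts.concat(socket) if v.equal?(owner)
      lines[v[:name]] = "listen #{parts.join(' ')};"
    end
  end
  lines
end

# Constructed sample input: every vhost asks for reuseport, as in the report.
SAMPLE_VHOSTS = [
  { name: 'a.example', listen: '443', opts: %w[ssl reuseport], default: true },
  { name: 'b.example', listen: '443', opts: %w[ssl reuseport] },
  { name: 'c.example', listen: '80',  opts: %w[reuseport backlog=1024] },
  { name: 'd.example', listen: '80',  opts: %w[reuseport] }
].freeze

render_listens(SAMPLE_VHOSTS).each { |name, line| puts "#{name}: #{line}" }
```
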
