Opened 6 months ago

Closed 6 months ago

#2179 closed defect (invalid)

QUIC: multiple hosts listening on quic cause config verification fail

Reported by: mkg20001@…
Owned by:
Priority: major
Milestone:
Component: nginx-core
Version:
Keywords: quic
Cc:
uname -a: Linux nix-test 5.10.29 #1-NixOS SMP Sat Apr 10 11:36:11 UTC 2021 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.10
built by gcc 10.2.0 (GCC)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/nix/store/0rxkiby7ck7dpbyy8zj6x45wpv0gd5gx-nginx-quic --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-threads --with-pcre-jit --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --pid-path=/var/log/nginx/nginx.pid --http-client-body-temp-path=/var/cache/nginx/client_body --http-proxy-temp-path=/var/cache/nginx/proxy --http-fastcgi-temp-path=/var/cache/nginx/fastcgi --http-uwsgi-temp-path=/var/cache/nginx/uwsgi --http-scgi-temp-path=/var/cache/nginx/scgi --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_image_filter_module --with-http_geoip_module --with-stream_geoip_module --with-file-aio --with-http_v3_module --with-http_quic_module --with-stream_quic_module --add-module=/nix/store/dr6n543igdhj589qirfh36m5a5fcg47d-rtmp --add-module=/nix/store/6pb7j6kymf3y4xs5blp3g8mwin2j22kk-dav --add-module=/nix/store/y39g23fn8ikzcd1iy3b1bclqwjk2qmxd-moreheaders

Description

Having two server blocks listen on quic causes nginx -t to fail with

nginx: [emerg] duplicate listen options for 0.0.0.0:443 in /root/nginx.conf:25
nginx: configuration file /root/nginx.conf test failed

The config to reproduce:

(Note that removing the last server block causes it to work; it is only when there is more than one that it fails.)
(Also this is nginx-quic with revision 12f18e0bca09)

http {
    server {
        listen 0.0.0.0:443 ssl http2;
        # UDP listener for **QUIC+HTTP/3
        listen 0.0.0.0:443 http3 reuseport;
        # Advertise that HTTP/3 is available
        add_header Alt-Svc 'h3=":443"';
        # Sent when QUIC was used
        add_header QUIC-Status $quic;
        listen [::]:443 ssl http2; # UDP listener for **QUIC+HTTP/3
        listen [::]:443 http3 reuseport;
        # Advertise that HTTP/3 is available
        add_header Alt-Svc 'h3=":443"';
        # Sent when QUIC was used
        add_header QUIC-Status $quic;
        server_name domain.tld;
        ssl_certificate /var/lib/acme/domain.tld/fullchain.pem;
        ssl_certificate_key /var/lib/acme/domain.tld/key.pem;
        ssl_trusted_certificate /var/lib/acme/domain.tld/chain.pem;
    }

    server {
        listen 0.0.0.0:443 ssl http2;
        # UDP listener for **QUIC+HTTP/3
        listen 0.0.0.0:443 http3 reuseport;
        # Advertise that HTTP/3 is available
        add_header Alt-Svc 'h3=":443"';
        # Sent when QUIC was used
        add_header QUIC-Status $quic;
        listen [::]:443 ssl http2; # UDP listener for **QUIC+HTTP/3
        listen [::]:443 http3 reuseport;
        # Advertise that HTTP/3 is available
        add_header Alt-Svc 'h3=":443"';
        # Sent when QUIC was used
        add_header QUIC-Status $quic;
        server_name sub.domain.tld;
        ssl_certificate /var/lib/acme/domain.tld/fullchain.pem;
        ssl_certificate_key /var/lib/acme/domain.tld/key.pem;
        ssl_trusted_certificate /var/lib/acme/domain.tld/chain.pem;
    }
}

events {}

Change History (1)

comment:1 by vl, 6 months ago

Resolution: invalid
Status: new → closed

Such behaviour is caused by specifying the 'reuseport' option twice for the same socket.

Quote from documentation (http://nginx.org/en/docs/http/ngx_http_core_module.html#listen):

The listen directive can have several additional parameters specific to socket-related system calls. These parameters can be specified in any listen directive, but only once for a given address:port pair.
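
Added example (not part of the ticket or of nginx): a small pre-flight check that reports every listen directive repeating socket-related parameters for an address another listen directive already configured, which is the condition behind the "duplicate listen options" error above. It goes beyond the ticket's reuseport case by covering the socket-related parameters named in the listen documentation; the function name, the sample text and the choice to treat a QUIC listener as a separate socket from the TCP listener on the same address:port are assumptions of this sketch.

```python
import re

# Socket-related listen parameters from the ngx_http_core_module documentation.
SOCKET_PARAMS = {"setfib", "fastopen", "backlog", "rcvbuf", "sndbuf",
                 "accept_filter", "deferred", "bind", "ipv6only",
                 "reuseport", "so_keepalive"}

# Constructed sample: the ticket's two server blocks reduced to IPv4 listen lines.
SAMPLE = """\
http {
    server {
        listen 0.0.0.0:443 ssl http2;
        listen 0.0.0.0:443 http3 reuseport;
        server_name domain.tld;
    }
    server {
        listen 0.0.0.0:443 ssl http2;
        listen 0.0.0.0:443 http3 reuseport;
        server_name sub.domain.tld;
    }
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;#]+);")

def find_duplicate_listen_options(conf_text):
    """Return (line_no, address, first_line_no) for each listen directive that
    sets socket options on an address an earlier listen already configured."""
    first_seen = {}
    duplicates = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = LISTEN_RE.match(line)
        if not match:
            continue
        address, *params = match.group(1).split()
        names = {p.split("=", 1)[0] for p in params}
        if not names & SOCKET_PARAMS:
            continue  # no socket-level options, may repeat freely
        # Assumption: the QUIC (UDP) listener is a different socket from TCP.
        key = (address, bool(names & {"http3", "quic"}))
        if key in first_seen:
            duplicates.append((line_no, address, first_seen[key]))
        else:
            first_seen[key] = line_no
    return duplicates
```

The check is line-based: it does not follow include directives or normalise equivalent address spellings, so nginx -t remains the authoritative test.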
