Opened 5 years ago
Closed 5 years ago
#2179 closed defect (invalid)
QUIC: multiple hosts listening on quic cause config verification fail
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | quic | Cc: | |
| uname -a: | Linux nix-test 5.10.29 #1-NixOS SMP Sat Apr 10 11:36:11 UTC 2021 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.19.10
built by gcc 10.2.0 (GCC) built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL) TLS SNI support enabled configure arguments: --prefix=/nix/store/0rxkiby7ck7dpbyy8zj6x45wpv0gd5gx-nginx-quic --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-threads --with-pcre-jit --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --pid-path=/var/log/nginx/nginx.pid --http-client-body-temp-path=/var/cache/nginx/client_body --http-proxy-temp-path=/var/cache/nginx/proxy --http-fastcgi-temp-path=/var/cache/nginx/fastcgi --http-uwsgi-temp-path=/var/cache/nginx/uwsgi --http-scgi-temp-path=/var/cache/nginx/scgi --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_image_filter_module --with-http_geoip_module --with-stream_geoip_module --with-file-aio --with-http_v3_module --with-http_quic_module --with-stream_quic_module --add-module=/nix/store/dr6n543igdhj589qirfh36m5a5fcg47d-rtmp --add-module=/nix/store/6pb7j6kymf3y4xs5blp3g8mwin2j22kk-dav --add-module=/nix/store/y39g23fn8ikzcd1iy3b1bclqwjk2qmxd-moreheaders |
||
Description
Having two server blocks listen on quic causes nginx -t to fail with
nginx: [emerg] duplicate listen options for 0.0.0.0:443 in /root/nginx.conf:25
nginx: configuration file /root/nginx.conf test failed
The config to re-produce:
(Note that removing the last server block causes it to work, it is only when there is more than one that it fails)
(Also this is nginx-quic with revision 12f18e0bca09)
http {
server {
listen 0.0.0.0:443 ssl http2 ;
# UDP listener for **QUIC+HTTP/3
listen 0.0.0.0:443 http3 reuseport;
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"';
# Sent when QUIC was used
add_header QUIC-Status $quic;
listen [::]:443 ssl http2 ;# UDP listener for **QUIC+HTTP/3
listen [::]:443 http3 reuseport;
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"';
# Sent when QUIC was used
add_header QUIC-Status $quic;
server_name domain.tld ;
ssl_certificate /var/lib/acme/domain.tld/fullchain.pem;
ssl_certificate_key /var/lib/acme/domain.tld/key.pem;
ssl_trusted_certificate /var/lib/acme/domain.tld/chain.pem;
}
server {
listen 0.0.0.0:443 ssl http2 ;
# UDP listener for **QUIC+HTTP/3
listen 0.0.0.0:443 http3 reuseport;
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"';
# Sent when QUIC was used
add_header QUIC-Status $quic;
listen [::]:443 ssl http2 ;# UDP listener for **QUIC+HTTP/3
listen [::]:443 http3 reuseport;
# Advertise that HTTP/3 is available
add_header Alt-Svc 'h3=":443"';
# Sent when QUIC was used
add_header QUIC-Status $quic;
server_name sub.domain.tld ;
ssl_certificate /var/lib/acme/domain.tld/fullchain.pem;
ssl_certificate_key /var/lib/acme/domain.tld/key.pem;
ssl_trusted_certificate /var/lib/acme/domain.tld/chain.pem;
}
}
events {}
Note:
See TracTickets
for help on using tickets.
Such behaviour is caused by specifying the 'reuseport' option twice for the same socket.
Quote from documentation (http://nginx.org/en/docs/http/ngx_http_core_module.html#listen):
The listen directive can have several additional parameters specific to socket-related system calls. These parameters can be specified in any listen directive, but only once for a given address:port pair.