Opened 10 days ago

Closed 9 days ago

Last modified 9 days ago

#2244 closed defect (invalid)

`listen` not working inside `include`

Reported by: Thomas Landauer Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.18.x
Keywords: include, listen Cc:
uname -a: 5.4.0-84-generic #94-Ubuntu SMP Thu Aug 26 20:27:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description (last modified by Thomas Landauer)

With this being my sites-enabled/foo.conf

server {
    include inc*;
    ssl_certificate     localhost.crt;
    ssl_certificate_key localhost.key;
    ...
}

... and this my sites-enabled/inc

listen 443 ssl http2;

... I'm getting:

nginx: [emerg] "listen" directive is not allowed here in /etc/nginx/sites-enabled/inc:1

If I move the ssl_certificate lines to inc (and move the listen back to foo.conf), it works.

So either this is a bug, or http://nginx.org/en/docs/ngx_core_module.html#include is wrongly claiming that include works in any context.

Change History (5)

comment:1 by Maxim Dounin, 9 days ago

The sites-enabled/inc is not expected to be included by include inc*;, since include paths are relative to the main configuration file. On the other hand, as long as your nginx.conf contains something like include /etc/nginx/sites-enabled/*;, which is the default in the Ubuntu nginx package you are using, the error is expected to appear, as your include file will be included in the http block, and the listen directive is not allowed in http context.

Could you please show other include directives as used in your nginx configuration, notably in /etc/nginx/nginx.conf?

comment:2 by Thomas Landauer, 9 days ago

Description: modified (diff)

comment:3 by Thomas Landauer, 9 days ago

(I edited the description to include full paths.)

Thanks! The root of the problem is this line in my /etc/nginx/nginx.conf:

include /etc/nginx/sites-enabled/*;

This caused inc to be loaded as a definition on its own. I was assuming that only *.conf files are loaded by default, and I can safely create an arbitrary file inside sites-enabled. So for anybody else running into the same problem:

  • Either change the above line to:
    include /etc/nginx/sites-enabled/*.conf;
    
  • Or place your inc elsewhere (outside sites-enabled)

Suggestion for nginx

These two lines in /etc/nginx/nginx.conf are inconsistent (*.conf vs. *):

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

So to avoid the above problem in general, I'm suggesting:

  • Either change the second line to /etc/nginx/sites-enabled/*.conf; by default. As far as I remember, all examples I've ever seen use .conf as their filename.
  • Or add a note at http://nginx.org/en/docs/ngx_core_module.html#include that placing the included file inside sites-enabled is a bad idea ;-)

comment:4 by Maxim Dounin, 9 days ago

Resolution: invalid
Status: newclosed

The sites-enabled/* thing is a misconception specific to the Ubuntu-provided (and Debian-provided) nginx package. It was already pointed out multiple times that using bare * in includes is unsafe, in particular, because it also includes various temporary files, including ones created by editors and version control systems.

As far as I understand, the original idea of sites-enabled/ was to make it possible to enable particular sites with symlinks, and it might be relatively safe when used properly. But it means you should never ever try to edit anything in sites-enabled/, and only link files there from sites-available/. Unfortunately, this is not something most of the Ubuntu users are aware of, and this constantly causes issues.

If you think that the Ubuntu-provided package should be improved, you may want to report this to the corresponding Ubuntu bug tracker. Alternatively, consider using official nginx package as available from nginx.org.

comment:5 by Thomas Landauer, 9 days ago

Note: See TracTickets for help on using tickets.