Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2244 closed defect (invalid)

`listen` not working inside `include`

Reported by: Thomas Landauer
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.18.x
Keywords: include, listen
Cc:
uname -a: 5.4.0-84-generic #94-Ubuntu SMP Thu Aug 26 20:27:37 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description (last modified by Thomas Landauer)

With this being my sites-enabled/foo.conf

server {
    include inc*;
    ssl_certificate     localhost.crt;
    ssl_certificate_key localhost.key;
    ...
}

... and this my sites-enabled/inc

listen 443 ssl http2;

... I'm getting:

nginx: [emerg] "listen" directive is not allowed here in /etc/nginx/sites-enabled/inc:1

If I move the ssl_certificate lines to inc (and move the listen back to foo.conf), it works.

So either this is a bug, or http://nginx.org/en/docs/ngx_core_module.html#include is wrongly claiming that include works in any context.

Change History (5)

comment:1 by Maxim Dounin, 3 years ago

The sites-enabled/inc is not expected to be included by include inc*;, since include paths are relative to the main configuration file. On the other hand, as long as your nginx.conf contains something like include /etc/nginx/sites-enabled/*;, which is the default in the Ubuntu nginx package you are using, the error is expected to appear, as your include file will be included in the http block, and the listen directive is not allowed in http context.

Could you please show other include directives as used in your nginx configuration, notably in /etc/nginx/nginx.conf?

comment:2 by Thomas Landauer, 3 years ago

Description: modified (diff)

comment:3 by Thomas Landauer, 3 years ago

(I edited the description to include full paths.)

Thanks! The root of the problem is this line in my /etc/nginx/nginx.conf:

include /etc/nginx/sites-enabled/*;

This caused inc to be loaded as a definition on its own. I was assuming that only *.conf files are loaded by default, and I can safely create an arbitrary file inside sites-enabled. So for anybody else running into the same problem:

  • Either change the above line to:
    include /etc/nginx/sites-enabled/*.conf;
    
  • Or place your inc elsewhere (outside sites-enabled)

Suggestion for nginx

These two lines in /etc/nginx/nginx.conf are inconsistent (*.conf vs. *):

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

So to avoid the above problem in general, I'm suggesting:

  • Either change the second line to /etc/nginx/sites-enabled/*.conf; by default. As far as I remember, all examples I've ever seen use .conf as their filename.
  • Or add a note at http://nginx.org/en/docs/ngx_core_module.html#include that placing the included file inside sites-enabled is a bad idea ;-)

comment:4 by Maxim Dounin, 3 years ago

Resolution: invalid
Status: new → closed

The sites-enabled/* thing is a misconception specific to the Ubuntu-provided (and Debian-provided) nginx package. It was already pointed out multiple times that using bare * in includes is unsafe, in particular, because it also includes various temporary files, including ones created by editors and version control systems.

As far as I understand, the original idea of sites-enabled/ was to make it possible to enable particular sites with symlinks, and it might be relatively safe when used properly. But it means you should never ever try to edit anything in sites-enabled/, and only link files there from sites-available/. Unfortunately, this is not something most of the Ubuntu users are aware of, and this constantly causes issues.

If you think that the Ubuntu-provided package should be improved, you may want to report this to the corresponding Ubuntu bug tracker. Alternatively, consider using the official nginx package as available from nginx.org.
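The audit below is an added example, not part of the ticket or of nginx: it finds include directives that end in a bare * and lists the files each one would load that are editor/VCS leftovers or regular files rather than symlinks. The function names, the leftover patterns and the sample directory tree are constructed for illustration.

```python
import fnmatch
import glob
import os
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(r'^\s*include\s+([^;\s]+)\s*;', re.MULTILINE)
# Constructed, non-exhaustive list of editor / VCS / package-manager leftovers.
LEFTOVERS = ('*~', '#*#', '*.bak', '*.orig', '*.rej', '*.dpkg-*')


def audit_bare_includes(conf_text, conf_dir):
    """Map each include ending in a bare '*' to the risky files it loads."""
    findings = {}
    for pattern in INCLUDE_RE.findall(conf_text):
        # Relative include paths resolve against the main config's directory.
        full = os.path.join(conf_dir, pattern)
        if os.path.basename(full) != '*':
            continue
        risky = []
        # Like the C library glob(), '*' here does not match dotfiles.
        for path in sorted(glob.glob(full)):
            name = os.path.basename(path)
            if any(fnmatch.fnmatch(name, p) for p in LEFTOVERS):
                risky.append((name, 'editor/VCS leftover'))
            elif not os.path.islink(path):
                risky.append((name, 'regular file, not a symlink'))
        findings[pattern] = risky
    return findings


def demo():
    """Build a constructed tree mirroring the ticket and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ('sites-available', 'sites-enabled'):
            (root / d).mkdir()
        site = root / 'sites-available' / 'foo.conf'
        site.write_text('server { include inc*; }\n')
        (root / 'sites-enabled' / 'foo.conf').symlink_to(site)
        for stray in ('inc', 'foo.conf~', '.foo.conf.swp'):
            (root / 'sites-enabled' / stray).write_text('listen 443 ssl http2;\n')
        conf = 'http {\n  include conf.d/*.conf;\n  include sites-enabled/*;\n}\n'
        return audit_bare_includes(conf, tmp)

if __name__ == '__main__':
    for pattern, risky in demo().items():
        print(pattern, risky)
```

In the constructed tree the symlinked foo.conf passes, while inc and foo.conf~ are reported; the hidden swap file is never matched by the bare * in the first place.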

comment:5 by Thomas Landauer, 3 years ago
