id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2400	listen on localhost can fail (sort of a docker and glibc issue, worth working around?)	blowfishpro@…		"**Steps to reproduce:**

Run nginx with the following conditions:
- Inside docker
- On a distro that uses glibc (typically anything but alpine)
- Do not enable ipv6 on the container (this is the default)
- Have a listen directive that specifies localhost (e.g. {{{listen localhost:80;}}}

**Observed Behavior:**

Nginx fails with the following error message (this can be seen just by validating the config with -t as well):
{{{
nginx: [emerg] a duplicate listen 127.0.0.1:80 in /etc/nginx/conf.d/default.conf:2
}}}

**Desired behavior:**

We only attempt to bind to 127.0.0.1 once, and nginx starts up successfully

**Explanation**

Two longstanding issues from glibc and docker are at play here:
- [https://github.com/moby/moby/issues/35954 Docker writes an ipv6 entry for localhost to /etc/hosts but does not assign an ipv6 address to the loopback interface]
- Under that condition [https://sourceware.org/bugzilla/show_bug.cgi?id=14969 getaddrinfo returns a duplicate ipv4 address for the loopback interface]

**Immediate workarounds for users**

- Specify {{{127.0.0.1}}} instead of {{{localhost}}} - this makes supporting systems with different combinations of ipv4/ipv6 annoying
- Don't limit to the loopback, instead use {{{allow}}} and {{{deny}}} directives to limit traffic from only that container network
- Have some other process resolve {{{localhost}}} uniquely and generate the nginx config, inserting one or more {{{listen}}} directives as necessary

**Possible workarounds that nginx could implement**

- De-duplicate the addresses returned by {{{getaddrinfo}}}
- Rewrite {{{""localhost""}}} to {{{null}}} in the {{{getaddrinfo}}} call - in this case the unique loopback addresses appear to be returned correctly
  - I'm not sure if this could break other cases where {{{/etc/hosts}}} resolves localhost to something different
  - This requires passing a port, fortunately we have one

**Additional notes**

- This is very easy to reproduce using the docker library nginx images.  Just change the listen directive in {{{/etc/nginx/conf.d/default.conf}}} and it appears immediately.
- Other container runtimes don't appear to have this issue - they assign a working ipv6 address to the loopback interface
- Alpine linux does not use glibc and does not appear to have this issue - {{{getaddrinfo}}} returns the single unique ipv4 loopback address in this case
- Neither of the issues in question seem to have gotten any traction for multiple years"	enhancement	closed	minor		nginx-core	1.23.x	fixed	docker localhost listen glibc getaddrinfo		"Linux be43d003a089 5.10.109-0-virt #1-Alpine SMP Mon, 28 Mar 2022 11:20:52 +0000 aarch64 GNU/Linux

(note, this is not actually alpine, it's debian from the docker library nginx image):

# cat /etc/os-release 
PRETTY_NAME=""Debian GNU/Linux 11 (bullseye)""
NAME=""Debian GNU/Linux""
VERSION_ID=""11""
VERSION=""11 (bullseye)""
VERSION_CODENAME=bullseye
ID=debian
"	"nginx version: nginx/1.23.1
built by gcc 10.2.1 20210110 (Debian 10.2.1-6) 
built with OpenSSL 1.1.1k  25 Mar 2021 (running with OpenSSL 1.1.1n  15 Mar 2022)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.23.1/debian/debuild-base/nginx-1.23.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"