#2460 closed defect (invalid)
listen 443 ssl precedence
| Reported by: | https://stackoverflow.com/users/12360980/logi | Owned by: | |
|---|---|---|---|
| Priority: | trivial | Milestone: | |
| Component: | nginx-core | Version: | 1.18.x |
| Keywords: | Cc: | https://stackoverflow.com/users/12360980/logi | |
| uname -a: | Linux xxx 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1n 15 Mar 2022 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-x3gsRV/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module |
||
Description (last modified by )
Hi,
I belive this is a bug.
Using listen ... ssl in a single vhost server block forces every other vhost (even defined in a different file!) with same port listening to apply ssl-related directives, i.e.:
nginx[343400]: nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/aaa-default.conf:1
/etc/nginx/sites-enabled #: cat aaa-default.conf
server {
listen 80;
listen 443;
server_name _;
}
and the other file, that using ssl:
server {
# Update this line to be your domain
listen 80;
server_name xxx.domain.tld;
}
server {
listen 443 ssl;
server_name xxx.domain.tld;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
proxy_buffering off;
location / {
proxy_pass ht_t_ps:_/_/xxx.xxx.xxx.xxx; #Maximum number of external links per post exceeded
proxy_set_header Host $host;
proxy_redirect ht_tp:// htt_ps://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
}
/etc/nginx/sites-enabled #: cat ../inc/ssl.conf #ssl on; ssl_certificate /root/.acme.sh/logiczny.it/fullchain.cer; ssl_certificate_key /root/.acme.sh/logiczny.it/logiczny.it.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5;
I can observe same behaviour, no matter what port I setup to listen on ssl (80 acts identical), so I strongly belive that adding ssl to listen directive causing that.
Is that how this suppose to work?
Change History (4)
comment:1 by , 14 months ago
| Description: | modified (diff) |
|---|
comment:2 by , 14 months ago
| Description: | modified (diff) |
|---|
comment:3 by , 14 months ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:4 by , 14 months ago
OK, so this is a lack of knowledge, sorry for creating an unnecessary ticket.
Thank you for your wonderful work and time!
Note:
See TracTickets
for help on using tickets.
The
listendirective parameters apply to the listening socket as a whole. That is, if you specify that the listening socket should work over SSL by specifying thesslparameter, all connections to the listening socket will be handled as SSL connections. Quoting docs:Since listening sockets can be shared between multiple name-based virtual hosts, nginx makes it possible to specify parameters only in one of the
listendirectives, so there is no need to specify all the parameters multiple times. This is essentially what your configuration does:listen 443 ssl;with thesslparameter in one of the server blocks, andlisten 443;which refers to the same listening socket in another server block.Hope this helps.