#2460 closed defect (invalid)
listen 443 ssl precedence
| Reported by: | https://stackoverflow.com/users/12360980/logi | Owned by: | |
|---|---|---|---|
| Priority: | trivial | Milestone: | |
| Component: | nginx-core | Version: | 1.18.x |
| Keywords: | | Cc: | https://stackoverflow.com/users/12360980/logi |

uname -a: `Linux xxx 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64 GNU/Linux`

nginx -V:

```
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1n  15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-x3gsRV/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module
```
Description (last modified by )
Hi,

I believe this is a bug.

Using `listen ... ssl` in a single vhost server block forces every other vhost (even one defined in a different file!) listening on the same port to apply ssl-related directives, i.e.:

```
nginx[343400]: nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/aaa-default.conf:1
```

```
/etc/nginx/sites-enabled #: cat aaa-default.conf
server {
    listen 80;
    listen 443;
    server_name _;
}
```

and the other file, that is using ssl:

```
server {
    # Update this line to be your domain
    listen 80;
    server_name xxx.domain.tld;
}
server {
    listen 443 ssl;
    server_name xxx.domain.tld;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    proxy_buffering off;
    location / {
        proxy_pass https://xxx.xxx.xxx.xxx;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

```
/etc/nginx/sites-enabled #: cat ../inc/ssl.conf
#ssl on;
ssl_certificate /root/.acme.sh/logiczny.it/fullchain.cer;
ssl_certificate_key /root/.acme.sh/logiczny.it/logiczny.it.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
```

I can observe the same behaviour no matter what port I set up to listen on ssl (80 acts identically), so I strongly believe that adding `ssl` to the `listen` directive is causing that.

Is that how this is supposed to work?
Change History (4)
comment:1 by , 21 months ago
Description: modified (diff)

comment:2 by , 21 months ago
Description: modified (diff)
comment:3 by , 21 months ago
Resolution: → invalid
Status: new → closed

The `listen` directive parameters apply to the listening socket as a whole. That is, if you specify that the listening socket should work over SSL by specifying the `ssl` parameter, all connections to the listening socket will be handled as SSL connections. Quoting docs:

> Since listening sockets can be shared between multiple name-based virtual hosts, nginx makes it possible to specify parameters only in one of the `listen` directives, so there is no need to specify all the parameters multiple times.

This is essentially what your configuration does: `listen 443 ssl;` with the `ssl` parameter in one of the server blocks, and `listen 443;` which refers to the same listening socket in another server block.

Hope this helps.

comment:4 by , 21 months ago
OK, so this is a lack of knowledge, sorry for creating an unnecessary ticket.
Thank you for your wonderful work and time!
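The behaviour explained in the ticket (the `ssl` parameter belongs to the shared listening socket, so every server block on that socket needs an `ssl_certificate`, its own or one inherited from `http {}`) can be checked before `nginx -t` ever reports it. The following lint is an added example written for this page; it is not nginx code and not from the ticket. It groups `listen` directives by socket and flags any server block on a socket that some other block has marked `ssl` but that defines no `ssl_certificate`. The sample configuration is constructed to mirror the ticket, with placeholder paths and addresses; the parser is a brace-matching helper, not a full nginx config parser (it does not handle `;` inside quoted strings).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input modelled on the ticket: a catch-all vhost that listens
# on 443 without any ssl_* directives, and a named vhost that turns the shared
# 443 socket into an SSL socket. Paths and the upstream address are placeholders.
SAMPLE_CONFIGS = {
    "aaa-default.conf": """
server {
    listen 80;
    listen 443;
    server_name _;
}
""",
    "xxx.conf": """
server {
    listen 80;
    server_name xxx.domain.tld;
}
server {
    listen 443 ssl;
    server_name xxx.domain.tld;
    ssl_certificate     /path/to/fullchain.cer;   # placeholder
    ssl_certificate_key /path/to/privkey.key;     # placeholder
    location / {
        proxy_pass https://203.0.113.10;          # placeholder upstream
    }
}
""",
}


@dataclass
class ServerInfo:
    file: str
    names: str
    ssl_flag: bool   # this block's own listen carried the `ssl` parameter
    has_cert: bool   # this block defines ssl_certificate itself


def server_bodies(text):
    """Return the body of every top-level `server { ... }` block, with `#` comments
    stripped. Brace matching only; this is a lint helper, not a full nginx parser."""
    text = re.sub(r"#[^\n]*", "", text)
    bodies, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return bodies
        start = pos + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        bodies.append(text[start:j - 1])   # j - 1 is the matching closing brace
        pos = j


# Simple `name args;` statements; block openers such as `location / {` are skipped.
DIRECTIVE = re.compile(r"(\w+)\s+([^;{}]*);")


def socket_key(addr):
    """Normalise the address part of `listen` so `443` and `*:443` compare equal."""
    return f"*:{addr}" if addr.isdigit() else addr


def collect(configs):
    """Group every server block by the listening socket(s) it uses."""
    sockets = defaultdict(list)
    for fname, text in configs.items():
        for body in server_bodies(text):
            stmts = DIRECTIVE.findall(body)
            names = " ".join(a.strip() for n, a in stmts if n == "server_name") or "(none)"
            has_cert = any(n == "ssl_certificate" for n, _ in stmts)
            for n, args in stmts:
                if n != "listen":
                    continue
                parts = args.split()
                info = ServerInfo(fname, names, "ssl" in parts[1:], has_cert)
                sockets[socket_key(parts[0])].append(info)
    return sockets


def check(configs, http_level_cert=False):
    """Report server blocks that share a socket on which *any* block set `ssl`
    but that define no ssl_certificate (unless one is inherited from http {})."""
    findings = []
    for sock, servers in collect(configs).items():
        if not any(s.ssl_flag for s in servers):
            continue   # plain socket: ssl_* directives are not required
        for s in servers:
            if not (s.has_cert or http_level_cert):
                findings.append(f"{s.file}: server_name {s.names} shares SSL socket "
                                f"{sock} but defines no ssl_certificate")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_CONFIGS) or ["no findings"]:
        print(line)
```

Run against the constructed sample it reports `aaa-default.conf` on `*:443`, the same block nginx rejects in the ticket; with `http_level_cert=True` (modelling an `ssl_certificate` placed in `http {}`) it reports nothing, matching nginx's inheritance rules. The practical consequence for a catch-all `server_name _;` block on 443 is that it will terminate TLS for any name that no other block matches, so it needs a certificate of its own (for instance by including the same `ssl.conf`) rather than being left without one.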