Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#2460 closed defect (invalid)

listen 443 ssl precedence

Reported by: https://stackoverflow.com/users/12360980/logi Owned by:
Priority: trivial Milestone:
Component: nginx-core Version: 1.18.x
Keywords: Cc: https://stackoverflow.com/users/12360980/logi
uname -a: Linux xxx 5.10.0-20-amd64 #1 SMP Debian 5.10.158-2 (2022-12-13) x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -ffile-prefix-map=/build/nginx-x3gsRV/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module

Description (last modified by https://stackoverflow.com/users/12360980/logi)

Hi,
I believe this is a bug.

Using listen ... ssl in a single vhost server block forces every other vhost (even one defined in a different file!) listening on the same port to apply ssl-related directives, i.e.:

nginx[343400]: nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/aaa-default.conf:1

/etc/nginx/sites-enabled #: cat aaa-default.conf 
server {
    listen 80;
    listen 443;
    server_name _;
}

and the other file, which uses ssl:

server {
    # Update this line to be your domain
    listen 80;
    server_name xxx.domain.tld;
}

server {
    listen 443 ssl;
    server_name xxx.domain.tld;

    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    proxy_buffering off;

    location / {
        proxy_pass https://xxx.xxx.xxx.xxx; # upstream address redacted by the reporter (post link limit)
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

/etc/nginx/sites-enabled #: cat ../inc/ssl.conf 
#ssl on;

ssl_certificate /root/.acme.sh/logiczny.it/fullchain.cer;
ssl_certificate_key /root/.acme.sh/logiczny.it/logiczny.it.key;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers         HIGH:!aNULL:!MD5;

I can observe the same behaviour no matter what port I set up to listen on with ssl (80 acts identically), so I strongly believe that adding ssl to the listen directive is causing that.

Is that how this is supposed to work?

Change History (4)

comment:1 by https://stackoverflow.com/users/12360980/logi, 17 months ago

Description: modified (diff)

comment:2 by https://stackoverflow.com/users/12360980/logi, 17 months ago

Description: modified (diff)

comment:3 by Maxim Dounin, 17 months ago

Resolution: invalid
Status: new → closed

The listen directive parameters apply to the listening socket as a whole. That is, if you specify that the listening socket should work over SSL by specifying the ssl parameter, all connections to the listening socket will be handled as SSL connections. Quoting docs:

The ssl parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode.

Since listening sockets can be shared between multiple name-based virtual hosts, nginx makes it possible to specify parameters only in one of the listen directives, so there is no need to specify all the parameters multiple times. This is essentially what your configuration does: listen 443 ssl; with the ssl parameter in one of the server blocks, and listen 443; which refers to the same listening socket in another server block.

Hope this helps.
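
One way to write the two server blocks so that the shared 443 socket is consistent, added here as an example and not part of the ticket or of nginx's own documentation; the certificate paths and the host name are placeholders:

```nginx
# Added example (not from the ticket). Both server blocks attach to the same
# 443 listening socket, so the "ssl" parameter written once applies to both.
http {
    # Defining the certificate at http level makes it inherited by every
    # server block on the socket, including the catch-all, so nginx no longer
    # aborts with 'no "ssl_certificate" is defined for the "listen ... ssl" directive'.
    ssl_certificate     /etc/nginx/ssl/example.fullchain.cer;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.key;             # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Catch-all: handles requests whose SNI/Host matches no server_name.
    # The socket is already in SSL mode because the block below says so;
    # "default_server" is likewise a per-socket parameter and only needs
    # to appear in one listen directive for 443.
    server {
        listen 80 default_server;
        listen 443 default_server;
        server_name _;
        return 444;   # close connections for unknown hosts instead of serving content
    }

    server {
        listen 443 ssl;                 # declares SSL mode for the shared socket
        server_name xxx.domain.tld;     # placeholder name
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

        location / {
            proxy_pass https://backend.internal;   # placeholder upstream
            proxy_set_header Host $host;
        }
    }
}
```

Run nginx -t after the change: it reports the same "no ssl_certificate" error if any server block on the SSL-mode socket is left without a certificate.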

comment:4 by https://stackoverflow.com/users/12360980/logi, 17 months ago

OK, so this is a lack of knowledge, sorry for creating an unnecessary ticket.
Thank you for your wonderful work and time!
