Opened 7 years ago
Closed 7 years ago
#1320 closed enhancement (wontfix)
IPv6 listen directive prevents nginx from starting
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-core | Version: | 1.12.x |
Keywords: | ipv6 | Cc: | ops-team@… |
uname -a: | Linux REDACTED 4.8.0-45-generic #48~16.04.1-Ubuntu SMP Fri Mar 24 12:46:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.12.0
built with OpenSSL 1.0.2g 1 Mar 2016 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_ssl_preread_module --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/headers-more-nginx-module --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-cache-purge --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-development-kit --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/ngx-fancyindex --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nchan --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-lua --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-upload-progress --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-DYnRGx/nginx-1.12.0/debian/modules/ngx_http_substitutions_filter_module |
Description
I would propose either adding a way to explicitely tell nginx to turn off all IPv6 functionality like e.g. OpenSSH does (sshd -4
) or better yet do it automatically.
2017/07/13 12:50:29 [info] 10825#10825: Using 32768KiB of shared memory for nchan in /etc/nginx/nginx.conf:31 2017/07/13 12:50:29 [emerg] 10825#10825: socket() [::]:80 failed (97: Address family not supported by protocol)
# Default server configuration # server { listen 80 default_server; listen [::]:80 default_server;
cat /proc/cmdline root=/dev/xvda1 ro ipv6.disable=1 net.ifnames=0
Note:
See TracTickets
for help on using tickets.
The current nginx behaviour is as follows:
Such approach prevents various half-working configurations from being accepted and in general believed to simplify maintenance: if nginx works, it does what is specified in the configuration. Additionally, when updating an existing configuration via configuration reload it prevents nginx from degrading already working service due to configuration mistakes: instead of applying a half-working new configuration, nginx will reject it and will continue to work with the old configuration.
In this particular case, you've explicitly asked nginx to listen on the
[::]
IPv6 address, yet it is not possible due to disabled support in the kernel. The only sensible solution as per the above policy is to reject such a configuration. If starting nginx without listening on the IPv6 address is needed, it would be trivial to fix the configuration.