Re: Virtual hosts sharing same port

2018-04-16 Thread Frank Liu
Thanks Maxim!

This is something interesting to know.

We had an outage last year when we had a bunch of virtual hosts all with
listen a.b.c.d:443 ssl;
and someone added a new virtual host with
listen a.b.c.d:443;
and that caused 443 to no longer do SSL.
Based on what you said, this should not happen. I need to dig deeper into
it.

Frank


On Mon, Apr 16, 2018 at 9:49 AM, Maxim Dounin  wrote:

> Hello!
>
> On Mon, Apr 16, 2018 at 08:13:42AM -0700, Frank Liu wrote:
>
> > Does that mean nginx will read and combine listen options from
> > all virtual hosts and use that to create listening socket?
>
> Yes.  You can configure something like this:
>
>    server {
>        listen 443 ssl;
>        ...
>    }
>
>    server {
>        listen 443;
>        ...
>    }
>
> and both servers will use SSL.  Moreover, currently you can do
> something like this:
>
>    server {
>        listen 443 ssl;
>        ...
>    }
>
>    server {
>        listen 443 http2;
>        ...
>    }
>
> and both servers will use SSL and HTTP/2.  (The latter is actually
> very confusing, and likely will result in warnings / errors during
> configuration parsing in future versions.)
>
> --
> Maxim Dounin
> http://mdounin.ru/
> ___
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>

Re: Virtual hosts sharing same port

2018-04-16 Thread Maxim Dounin
Hello!

On Mon, Apr 16, 2018 at 08:13:42AM -0700, Frank Liu wrote:

> Does that mean nginx will read and combine listen options from 
> all virtual hosts and use that to create listening socket? 

Yes.  You can configure something like this:

   server {
       listen 443 ssl;
       ...
   }

   server {
       listen 443;
       ...
   }

and both servers will use SSL.  Moreover, currently you can do 
something like this:

   server {
       listen 443 ssl;
       ...
   }

   server {
       listen 443 http2;
       ...
   }

and both servers will use SSL and HTTP/2.  (The latter is actually 
very confusing, and likely will result in warnings / errors during 
configuration parsing in future versions.)

-- 
Maxim Dounin
http://mdounin.ru/


Re: Virtual hosts sharing same port

2018-04-16 Thread Maxim Dounin
Hello!

On Mon, Apr 16, 2018 at 11:04:16AM -0400, Peter Booth wrote:

> Does this imply that different behavior *could* be achieved 
> by first defining virtual IP addresses (additional private IPs 
> defined at the OS) which were bound to same physical NIC, and 
> then defining virtual hosts that reference the different VIPs, 
> in a similar fashion to how someone might configure a hardware 
> load balancer?

Yes, you can have different listening sockets configured with different 
options, e.g.:

   server {
       listen :443 ssl http2;
       ...
   }

   server {
       listen :443 ssl; # no http2 here
       ...
   }

Note though that you have to direct clients to these different IP 
addresses, so using private IPs won't work.  Rather, you have to 
use different public IPs.

-- 
Maxim Dounin
http://mdounin.ru/
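
An added illustration, not part of the original messages and not nginx code: a small Python check that applies the rule described in this thread, where an option is in effect on a listening socket if at least one "listen" directive for that address:port sets it, and a different address is a separate socket. The sample configuration, its 192.0.2.x addresses and the function names are constructed for the example; the parser only understands bare-port and address:port forms of "listen".

```python
import re
from collections import defaultdict

# Constructed sample config (addresses from the 192.0.2.0/24 documentation range).
SAMPLE = """
server { listen 192.0.2.1:443 ssl;   server_name a.example; }
server { listen 192.0.2.1:443;       server_name b.example; }
server { listen 192.0.2.1:443 http2; server_name c.example; }
server { listen 192.0.2.2:443 ssl;   server_name d.example; }  # separate socket
server { listen 80;                  server_name e.example; }
"""

# Options the thread describes as applying to the whole listening socket.
SOCKET_FLAGS = {"ssl", "http2"}

def listen_directives(conf):
    """Yield (address:port, flags set on that directive) for each listen."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    for m in re.finditer(r"\blisten\s+([^;]+);", conf):
        addr, *params = m.group(1).split()
        if addr.isdigit():                       # "listen 443" means "*:443"
            addr = "*:" + addr
        yield addr, SOCKET_FLAGS & set(params)

def audit(conf):
    """Map each socket to (effective flags, flags each directive gets implicitly)."""
    per_socket = defaultdict(list)
    for addr, flags in listen_directives(conf):
        per_socket[addr].append(flags)
    report = {}
    for addr, declared in per_socket.items():
        effective = set().union(*declared)       # set anywhere => set for the socket
        implicit = [sorted(effective - d) for d in declared if effective - d]
        report[addr] = (sorted(effective), implicit)
    return report

if __name__ == "__main__":
    for addr, (effective, implicit) in audit(SAMPLE).items():
        print(f"{addr}: effective={effective} implicitly applied={implicit}")
```

A non-empty second element marks a socket where some server{} blocks rely on options declared elsewhere, which is the kind of configuration worth making explicit before someone edits one of the blocks.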


Re: Virtual hosts sharing same port

2018-04-16 Thread Frank Liu
Does that mean nginx will read and combine listen options from all virtual 
hosts and use that to create listening socket? 

> On Apr 16, 2018, at 8:04 AM, Peter Booth  wrote:
> 
> Does this imply that different behavior *could* be achieved by first 
> defining virtual IP addresses (additional private IPs defined at the OS) 
> which were bound to same physical NIC, and then defining virtual hosts that 
> reference the different VIPs, in a similar fashion to how someone might 
> configure a hardware load balancer?
> 
> 
> 
> Sent from my iPhone
> 
>> On Apr 16, 2018, at 9:32 AM, Maxim Dounin  wrote:
>> 
>> Hello!
>> 
>>> On Mon, Apr 16, 2018 at 07:26:11AM +, Frank Liu wrote:
>>> 
>>> Can I use different listen parameters for virtual hosts using the same
>>> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
>>> ssl h2;”
>> 
>> No.  Options like "ssl" and "h2" can be repeated multiple times to 
>> make configuring listening sockets more clear.  But whether you 
>> set it or not in a given server{} block, the listening socket in 
>> question will have the option set as long as it is set in at least 
>> one "listen" directive.
>> 
>> -- 
>> Maxim Dounin
>> http://mdounin.ru/

Re: Virtual hosts sharing same port

2018-04-16 Thread Peter Booth
Does this imply that different behavior *could* be achieved by first 
defining virtual IP addresses (additional private IPs defined at the OS) which 
were bound to same physical NIC, and then defining virtual hosts that reference 
the different VIPs, in a similar fashion to how someone might configure a 
hardware load balancer?



Sent from my iPhone

> On Apr 16, 2018, at 9:32 AM, Maxim Dounin  wrote:
> 
> Hello!
> 
>> On Mon, Apr 16, 2018 at 07:26:11AM +, Frank Liu wrote:
>> 
>> Can I use different listen parameters for virtual hosts using the same
>> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
>> ssl h2;”
> 
> No.  Options like "ssl" and "h2" can be repeated multiple times to 
> make configuring listening sockets more clear.  But whether you 
> set it or not in a given server{} block, the listening socket in 
> question will have the option set as long as it is set in at least 
> one "listen" directive.
> 
> -- 
> Maxim Dounin
> http://mdounin.ru/

Re: Virtual hosts sharing same port

2018-04-16 Thread Maxim Dounin
Hello!

On Mon, Apr 16, 2018 at 07:26:11AM +, Frank Liu wrote:

> Can I use different listen parameters for virtual hosts using the same
> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> ssl h2;”

No.  Options like "ssl" and "h2" can be repeated multiple times to 
make configuring listening sockets more clear.  But whether you 
set it or not in a given server{} block, the listening socket in 
question will have the option set as long as it is set in at least 
one "listen" directive.

-- 
Maxim Dounin
http://mdounin.ru/

Re: Virtual hosts sharing same port

2018-04-16 Thread Richard Demeny
It's possible if the so-called 'virtual machines' of yours are NOT on the
same machine

On Mon, 16 Apr 2018 10:19 A. Schulze,  wrote:

>
> Frank Liu:
>
> > Can I use different listen parameters for virtual hosts using the same
> > port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> > ssl h2;”
>
> no, that's impossible (I think...)
>
> https://nginx.org/r/listen
> ...
> The listen directive can have several additional parameters specific
> to socket-related system calls. These parameters can be specified in
> any listen directive, but only once for a given address:port pair.
> ...
>
> Andreas
>
>
>

Re: Virtual hosts sharing same port

2018-04-16 Thread A. Schulze


Frank Liu:


> Can I use different listen parameters for virtual hosts using the same
> port? Eg, one vh has “listen 443 ssl;” and the other one has “listen 443
> ssl h2;”


no, that's impossible (I think...)

https://nginx.org/r/listen
...
The listen directive can have several additional parameters specific  
to socket-related system calls. These parameters can be specified in  
any listen directive, but only once for a given address:port pair.

...

Andreas


