Unable to use multiple IPs with SSL (0.7.64)

I have an nginx (v0.7.64) configuration that requires a number of
virtual hosts each with their own SSL.

I have assigned different IP addresses to each vhost. All IP addresses
are available on port 443 (i.e. they are not blocked by firewall). All
certificates are from Thawte.

When I test nginx configuration (nginx -t), I get the following error:

[quote]the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
[emerg]: bind() to IP1:443 failed (99: Cannot assign requested address)
configuration file /usr/local/nginx/conf/nginx.conf test failed[/quote]

(where IP1 is one of our IP addresses)

This is the abridged configuration:

user  apache;
worker_processes  4;
worker_rlimit_nofile 4112;

events {
    worker_connections  4112;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    send_timeout 300;

    upstream webapp {
        server UPSTREAM_IP1;
        server UPSTREAM_IP2;
    }

    server {
        listen       843;
        server_name  localhost;

        location / {
            rewrite ^(.*)$ /crossdomain.xml;
        }

        error_page 400 /crossdomain.xml;

        location /crossdomain.xml {
            root /var/www/html;
        }
    }

    server {
        listen       80;
        server_name  localhost;

        location /media {
            access_log   off;
            root   /var/www/html;
            index  index.html index.htm;
            expires 24h;
        }

        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        location ~ /\.ht {
            deny  all;
        }
    }

    server {
        listen       IP1:443;
        server_name  *.firstdomain.com;

        ssl                  on;
        ssl_certificate      /var/ssl/firstdomain.crt;
        ssl_certificate_key  /var/ssl/firstdomain.key;

        location /media {
            root   /var/www/html;
            index  index.html index.htm;
        }

        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }

    server {
        listen       IP2:443;
        server_name  *.seconddomain.com;

        ssl                  on;
        ssl_certificate      /var/ssl/seconddomain.crt;
        ssl_certificate_key  /var/ssl/seconddomain.key;

        location /media {
            root   /var/www/html;
            index  index.html index.htm;
        }

        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }

    server {
        listen       IP3:443;
        server_name  *.thirddomain.com;

        ssl                  on;
        ssl_certificate      /var/ssl/thirddomain.crt;
        ssl_certificate_key  /var/ssl/thirddomain.key;

        location /media {
            root   /var/www/html;
            index  index.html index.htm;
        }

        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }
}

Posted at Nginx Forum:

Hi,

You can’t use more than one SSL server in the same ip/port pair unless
you use SNI (which is still non-standard). I don’t think the bind error
is SSL related.

And I could be wrong :)

Bye,
Nuno

On Wed, Oct 20, 2010 at 06:00:38AM -0400, danjac wrote:

ok
[emerg]: bind() to IP1:443 failed (99: Cannot assign requested address)
configuration file /usr/local/nginx/conf/nginx.conf test failed[/quote]

(where IP1 is one of our IP addresses)

Are you sure that IP1 is configured on this host ?
This error means that there is no such address.

It’s better to rewrite this:

    location /crossdomain.xml {
        root /var/www/html;
    }
}

as

server {
    listen 843;
    server_name localhost;

    location = / {
        alias /var/www/html/crossdomain.xml;
    }

    error_page 400 /crossdomain.xml;

    location = /crossdomain.xml {
        root /var/www/html;
    }
}


Igor S.
http://sysoev.ru/en/

On Wed, Oct 20, 2010 at 06:22:59AM -0400, danjac wrote:

The IP is configured for this address, yes.

Then something is wrong in this configuration.
This is not an nginx issue.
You can work around it by binding only to *:443 and letting nginx
learn the address at run-time:

server {
    listen  *:443;
    listen  IP1:443;
}

server {
    listen  IP2:443;
}

server {
    listen  IP3:443;
}


Igor S.
http://sysoev.ru/en/

The IP is configured for this address, yes.

Posted at Nginx Forum:

This solution works (i.e. I can restart nginx) but it doesn’t recognize
the correct domain - certificate for firstdomain.com is correct, but
when I go to the seconddomain.com I get the SSL error “this site was
configured for firstdomain.com” in my browser.

Igor S. Wrote:

    listen  IP3:443;


As you can see, they are all using different IPs.

Posted at Nginx Forum:

On Wed, Oct 20, 2010 at 07:15:05AM -0400, danjac wrote:

This solution works (i.e. I can restart nginx) but it doesn’t recognize
the correct domain - certificate for firstdomain.com is correct, but
when I go to the seconddomain.com I get the SSL error “this site was
configured for firstdomain.com” in my browser.

You see certificate for firstdomain.com for all addresses - IP2 and IP3 ?
It seems that these IP-addresses are not really configured on the host.
And the previous error “Cannot assign requested address” is related to
this.

letting nginx to learn

server {
    listen  IP3:443;
}


Igor S.
http://sysoev.ru/en/

You see certificate for firstdomain.com for all
addresses - IP2 and IP3 ?

I’m not sure I quite understand. Each IP address is set for each domain
and has its own certificate.

    listen  *:443;


Igor S.
Igor Sysoev



Posted at Nginx Forum:

You see certificate for firstdomain.com for all
addresses - IP2 and IP3 ?

I’m not sure I quite understand. Each IP address is set for each
domain
and has its own certificate.

Yes, but currently do you see only certificate of firstdomain.com for
all requests ?

Yes. I’ll check with our hosting provider to ensure these IPs are set
correctly.

Posted at Nginx Forum:

On Wed, Oct 20, 2010 at 08:32:30AM -0400, danjac wrote:

You see certificate for firstdomain.com for all
addresses - IP2 and IP3 ?

I’m not sure I quite understand. Each IP address is set for each domain
and has its own certificate.

Yes, but currently do you see only certificate of firstdomain.com for
all requests ?

    listen  *:443;



Igor S.
http://sysoev.ru/en/

I’ve double-checked the IP addresses, they are all resolving correctly
to this host.

Posted at Nginx Forum:

Yes, telnet works too.

Posted at Nginx Forum:

On Wed, Oct 20, 2010 at 09:09:48AM -0400, danjac wrote:

I’ve double-checked the IP addresses, they are all resolving correctly
to this host.

They must be configured on this host, not only be resolved.
Are you able to ping them ?


Igor S.
http://sysoev.ru/en/

On Thu, Oct 21, 2010 at 07:53:29AM -0400, danjac wrote:

OK, the error I now get is this (nginx error log file):

So, has IP issue been resolved ?

If I just set the default to “*:443” I get the browser error “Error
code: ssl_error_rx_record_too_long” (in various browsers).

Have you read this
http://nginx.org/en/docs/http/configuring_https_servers.html
?


Igor S.
http://sysoev.ru/en/

The IP addresses are fine, they are configured correctly on the host as
far as I (and our hosting company) can verify.

Have you read this
Configuring HTTPS servers
?

I take it you mean this section:

Which is what I’ve been trying to do. Unless you mean some other
specific part of that page ?

Posted at Nginx Forum:

Working now, and you were correct, the issue was with IP addresses.

The IP addresses used needed to be the internal IP addresses, not the
public external IPs. So for example one of our addresses was
99.999.9.102:443, it should have been instead 192.168.100.102:443.
Stupid mistake on my part.

Posted at Nginx Forum:
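
Added example, not part of the thread: a pre-flight check for the failure resolved above, where a `listen` address is reachable from outside (NAT) but not assigned to any local interface, so bind() fails with errno 99 (EADDRNOTAVAIL) on Linux. The sample config and the address 203.0.113.102 are constructed; the function names are hypothetical.

```python
import errno
import re
import socket

# Constructed sample config (not the poster's): 203.0.113.102 stands in for a
# public NAT address that is not assigned to any local interface.
SAMPLE_CONF = """
server { listen 80; }
server { listen *:443; }
server { listen 203.0.113.102:443; }
server { listen 127.0.0.1:443; }
"""

LISTEN_RE = re.compile(r"^[^#\n]*?\blisten\s+([^\s;]+)", re.MULTILINE)

def listen_addresses(conf_text):
    """Return (host, port) per IPv4 listen directive; host None means wildcard."""
    found = []
    for token in LISTEN_RE.findall(conf_text):
        if token.startswith(("unix:", "[")):   # unix sockets and IPv6: out of scope here
            continue
        if ":" in token:
            host, port = token.rsplit(":", 1)
        elif token.isdigit():
            host, port = "*", token            # port only: all addresses
        else:
            host, port = token, "80"           # address only: nginx defaults to port 80
        found.append((None if host == "*" else host, int(port)))
    return found

def bind_errno(host):
    """Try to bind an ephemeral port on host; return 0 or the errno from bind()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, 0))                  # port 0: no root needed, no clash with nginx
            return 0
        except OSError as e:
            return e.errno

def diagnose(conf_text, probe=bind_errno):
    """Label each listen address: wildcard, local, or not-local (EADDRNOTAVAIL)."""
    report = []
    for host, port in listen_addresses(conf_text):
        if host is None:
            status = "wildcard"
        else:
            err = probe(host)
            status = {0: "local", errno.EADDRNOTAVAIL: "not-local"}.get(err, f"errno {err}")
        report.append((host or "*", port, status))
    return report
```

Running `diagnose()` on the real nginx.conf text before `nginx -t` flags any address reported as `not-local`; on a NAT'd host those entries need the internal address instead.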

OK, the error I now get is this (nginx error log file):

In Firefox this appears as “The connection to the server was reset
while the page was loading.”.

This is when I set the default for port 443 to “*:443 default ssl”.

If I just set the default to “*:443” I get the browser error “Error
code: ssl_error_rx_record_too_long” (in various browsers).

Posted at Nginx Forum: