I have an nginx (v0.7.64) configuration that requires a number of
virtual hosts each with their own SSL.
I have assigned different IP addresses to each vhost. All IP addresses
are available on port 443 (i.e. they are not blocked by firewall). All
certificates are from Thawte.
When I test nginx configuration (nginx -t), I get the following error:
[quote]the configuration file /usr/local/nginx/conf/nginx.conf syntax is
ok
[emerg]: bind() to IP1:443 failed (99: Cannot assign requested address)
configuration file /usr/local/nginx/conf/nginx.conf test failed[/quote]
(where IP1 is one of our IP addresses)
This is the abridged configuration:
user apache;
worker_processes 4;
worker_rlimit_nofile 4112;

events {
    worker_connections 4112;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    send_timeout 300;

    upstream webapp {
        server UPSTREAM_IP1;
        server UPSTREAM_IP2;
    }

    server {
        listen 843;
        server_name localhost;
        location / {
            rewrite ^(.*)$ /crossdomain.xml;
        }
        error_page 400 /crossdomain.xml;
        location /crossdomain.xml {
            root /var/www/html;
        }
    }

    server {
        listen 80;
        server_name localhost;
        location /media {
            access_log off;
            root /var/www/html;
            index index.html index.htm;
            expires 24h;
        }
        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        location ~ /\.ht {
            deny all;
        }
    }

    server {
        listen IP1:443;
        server_name *.firstdomain.com;
        ssl on;
        ssl_certificate /var/ssl/firstdomain.crt;
        ssl_certificate_key /var/ssl/firstdomain.key;
        location /media {
            root /var/www/html;
            index index.html index.htm;
        }
        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }

    server {
        listen IP2:443;
        server_name *.seconddomain.com;
        ssl on;
        ssl_certificate /var/ssl/seconddomain.crt;
        ssl_certificate_key /var/ssl/seconddomain.key;
        location /media {
            root /var/www/html;
            index index.html index.htm;
        }
        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }

    server {
        listen IP3:443;
        server_name *.thirddomain.com;
        ssl on;
        ssl_certificate /var/ssl/thirddomain.crt;
        ssl_certificate_key /var/ssl/thirddomain.key;
        location /media {
            root /var/www/html;
            index index.html index.htm;
        }
        location / {
            access_log off;
            proxy_connect_timeout 15;
            proxy_next_upstream error;
            proxy_pass http://webapp;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Protocol https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
        }
    }
Posted at Nginx Forum:
danjac
October 20, 2010, 12:14pm
2
Hi,
You can’t use more than one SSL server in the same ip/port pair unless
you use SNI (which is still non-standard). I don’t think the bind error
is SSL related.
And I could be wrong
Bye,
Nuno
danjac
October 20, 2010, 12:15pm
3
On Wed, Oct 20, 2010 at 06:00:38AM -0400, danjac wrote:
ok
[emerg]: bind() to IP1:443 failed (99: Cannot assign requested address)
configuration file /usr/local/nginx/conf/nginx.conf test failed[/quote]
(where IP1 is one of our IP addresses)
Are you sure that IP1 is configured on this host ?
This error means that there is no such address.
It’s better to rewrite this:
location /crossdomain.xml {
root /var/www/html;
}
}
as
server {
    listen 843;
    server_name localhost;
    location = / {
        alias /var/www/html/crossdomain.xml;
    }
    error_page 400 /crossdomain.xml;
    location = /crossdomain.xml {
        root /var/www/html;
    }
}
–
Igor S.
http://sysoev.ru/en/
danjac
October 20, 2010, 12:44pm
4
On Wed, Oct 20, 2010 at 06:22:59AM -0400, danjac wrote:
The IP is configured for this address, yes.
Then something is wrong in this configuration.
This is not an nginx issue.
You can work around it by binding only to *:443 and letting nginx
learn the address at run-time:
server {
    listen *:443;
    listen IP1:443;
}
server {
    listen IP2:443;
}
server {
    listen IP3:443;
}
–
Igor S.
http://sysoev.ru/en/
danjac
October 20, 2010, 12:23pm
5
The IP is configured for this address, yes.
danjac
October 20, 2010, 1:15pm
6
This solution works (i.e. I can restart nginx) but it doesn’t recognize
the correct domain - certificate for firstdomain.com is correct, but
when I go to the seconddomain.com I get the SSL error “this site was
configured for firstdomain.com” in my browser.
Igor S. Wrote:
listen IP3:443;
Re: Unable to use multiple IPs with SSL (0.7.64)
danjac
October 20, 2010, 12:46pm
7
As you can see, they are all using different IPs.
danjac
October 20, 2010, 1:50pm
8
On Wed, Oct 20, 2010 at 07:15:05AM -0400, danjac wrote:
This solution works (i.e. I can restart nginx) but it doesn’t recognize
the correct domain - certificate for firstdomain.com is correct, but
when I go to the seconddomain.com I get the SSL error “this site was
configured for firstdomain.com” in my browser.
You see certificate for firstdomain.com for all addresses - IP2 and IP3?
It seems that these IP-addresses are not really configured on the host.
And the previous error “Cannot assign requested address” is related to
this.
letting nginx to learn
server {
listen IP3:443;
}
–
Igor S.
http://sysoev.ru/en/
danjac
October 20, 2010, 2:33pm
9
You see certificate for firstdomain.com for all
addresses - IP2 and IP3?
I’m not sure I quite understand. Each IP address is set for each domain
and has its own certificate.
listen *:443;
–
Igor S.
Igor Sysoev
danjac
October 20, 2010, 2:47pm
10
You see certificate for firstdomain.com for all
addresses - IP2 and IP3?
I’m not sure I quite understand. Each IP address is set for each
domain
and has its own certificate.
Yes, but currently do you see only certificate of firstdomain.com for
all requests ?
Yes. I’ll check with our hosting provider to ensure these IPs are set
correctly.
danjac
October 20, 2010, 2:35pm
11
On Wed, Oct 20, 2010 at 08:32:30AM -0400, danjac wrote:
You see certificate for firstdomain.com for all
addresses - IP2 and IP3?
I’m not sure I quite understand. Each IP address is set for each domain
and has its own certificate.
Yes, but currently do you see only certificate of firstdomain.com for
all requests ?
listen *:443;
–
Igor S.
http://sysoev.ru/en/
danjac
October 20, 2010, 3:11pm
12
I’ve double-checked the IP addresses, they are all resolving correctly
to this host.
danjac
October 20, 2010, 3:19pm
14
On Wed, Oct 20, 2010 at 09:09:48AM -0400, danjac wrote:
I’ve double-checked the IP addresses, they are all resolving correctly
to this host.
They must be configured on this host, not only be resolved.
Are you able to ping them ?
–
Igor S.
http://sysoev.ru/en/
danjac
October 21, 2010, 2:38pm
15
On Thu, Oct 21, 2010 at 07:53:29AM -0400, danjac wrote:
OK, the error I now get is this (nginx error log file):
So, has the IP issue been resolved?
If I just set the default to “*:443” I get the browser error “Error
code: ssl_error_rx_record_too_long” (in various browsers).
Have you read this
http://nginx.org/en/docs/http/configuring_https_servers.html
?
–
Igor S.
http://sysoev.ru/en/
danjac
October 21, 2010, 2:55pm
16
The IP addresses are fine, they are configured correctly on the host as
far as I (and our hosting company) can verify.
Have you read this
Configuring HTTPS servers
?
I take it you mean this section:
The oldest and most robust method to resolve the issue is to assign a
separate IP address for every HTTPS server:
server {
    listen 192.168.1.1:443;
    server_name www.nginx.com;
    ssl on;
    ssl_certificate www.nginx.com.crt;
    …
}
server {
    listen 192.168.1.2:443;
    server_name www.nginx.org;
    ssl on;
    ssl_certificate www.nginx.org.crt;
    …
}
Which is what I’ve been trying to do. Unless you mean some other
specific part of that page ?
danjac
October 22, 2010, 1:22am
17
Working now, and you were correct, the issue was with IP addresses.
The IP addresses used needed to be the internal IP addresses, not the
public external IPs. So for example one of our addresses was
99.999.9.102:443, it should have been instead 192.168.100.102:443.
Stupid mistake on my part.
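The root cause found above (a `listen` address that is not configured on a local interface makes bind() fail with errno 99, EADDRNOTAVAIL) can be checked before running `nginx -t`. This is an added example, not code from the thread or from nginx: the function names and the sample configuration are constructed for illustration, and it handles IPv4 `listen` values only.

```python
import errno
import ipaddress
import re
import socket

# Constructed sample: 192.0.2.10 (documentation range) stands in for a
# public address that NAT maps to the host but that no interface carries.
SAMPLE_CONF = """
server { listen 843; }
server { listen *:443; }
server { listen 127.0.0.1:443; ssl on; }
server { listen 192.0.2.10:443; ssl on; }  # public side of a NAT
"""

def listen_addresses(conf_text):
    """Return explicit IPv4 addresses named in `listen` directives, in order."""
    found = []
    uncommented = re.sub(r"#.*", "", conf_text)
    for value in re.findall(r"\blisten\s+([^;\s]+)", uncommented):
        host = value.rpartition(":")[0] or value
        try:
            ip = str(ipaddress.IPv4Address(host))
        except ValueError:
            continue  # port only, wildcard, IPv6, unix: socket or hostname
        if ip not in found:
            found.append(ip)
    return found

def bind_errno(ip):
    """Bind a TCP socket to ip on an ephemeral port; return 0 or the errno."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((ip, 0))  # port 0 needs no root, unlike 443
        except OSError as exc:
            return exc.errno
    return 0

def unbindable(conf_text, probe=bind_errno):
    """Map each listen address the kernel refuses to its errno name."""
    report = {}
    for ip in listen_addresses(conf_text):
        err = probe(ip)
        if err:
            report[ip] = errno.errorcode.get(err, str(err))
    return report

if __name__ == "__main__":
    for ip, name in unbindable(SAMPLE_CONF).items():
        print(f"{ip}: {name} - address is not configured on this host")
```

An address reported as EADDRNOTAVAIL may still resolve and answer pings from outside, which is why those checks did not reveal the problem in this thread.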
danjac
October 21, 2010, 1:54pm
18
OK, the error I now get is this (nginx error log file):
In the Firefox this appears as “The connection to the server was reset
while the page was loading.”.
This is when I set the default for port 443 to “*:443 default ssl”.
If I just set the default to “*:443” I get the browser error “Error
code: ssl_error_rx_record_too_long” (in various browsers).