Forum: NGINX nginx + ip_nonlocal_bind

Tristan Griffiths (Guest)
on 2009-05-01 08:33
(Received via mailing list)
Greetings.

We would like to setup our Nginx instances in a HA pair. Using
Heartbeat, we have Nginx listening on virtual addresses on the active
server.

On the passive server, we cannot get Nginx to start up because those
virtual (or floating) address are not configured on the server until
Heartbeat detects a failover condition.

Is Nginx able to bind to a non-local IP address? We've tried setting the
ip_nonlocal_bind kernel option with no luck.

Some important information:

# nginx -v
nginx version: nginx/0.7.53

Starting nginx: [emerg]: bind() to 213.167.72.152:80 failed (98: Address
already in use)

CentOS 5.3

<config>
server {
    listen 213.167.72.152:80 default;
</config>

Any other settings we should provide?

OT: Many thanks for the excellent software.

Thanks,

Griff
Michael Shadle (Guest)
on 2009-05-01 08:40
(Received via mailing list)
i thought nginx listened on port 80 by default. couldn't you just not
explicitly define it?

On Thu, Apr 30, 2009 at 11:26 PM, Tristan Griffiths
Igor Sysoev (Guest)
on 2009-05-01 08:59
(Received via mailing list)
On Fri, May 01, 2009 at 04:26:55PM +1000, Tristan Griffiths wrote:

> Is Nginx able to bind to a non-local IP address? We've tried setting the
> ip_nonlocal_bind kernel option with no luck.
>
> Some important information:
>
> # nginx -v
> nginx version: nginx/0.7.53
>
> Starting nginx: [emerg]: bind() to 213.167.72.152:80 failed (98: Address
> already in use)

This is because another process is already listening on this address:port.

> CentOS 5.3
>
> <config>
> server {
>     listen 213.167.72.152:80 default;
> </config>
>
> Any other settings we should provide?

To listen on temporarily non configured addresses you may use something
like this:

    server {
         listen  80;
    }

    server {
         listen 213.167.72.152:80 default;
         ...
    }

    server {
         listen 213.167.72.1:80 default;
         ...
    }

nginx binds to *:80 only, but tests an address where a request comes to.
Tristan Griffiths (Guest)
on 2009-05-01 09:09
(Received via mailing list)
Yes, nginx does listen on port 80 by default.

Basically, we are trying to get nginx to listen on an IP address
which the machine does not currently have (non-local).

Say we have a server with IP address 10.1.1.1, we want Nginx bound to IP
192.168.1.1 without complaining.

The idea being that in a failover situation, the IP 192.168.1.1 may end
up being assigned to the server by an external process like Heartbeat.

Even the most basic config (below) is not letting nginx start up on the
non-local IP.

user nginx;
worker_processes 4;
pid /var/run/nginx.pid;

error_log /var/log/nginx/error.log;

events {
    worker_connections  1000;
}


http {
    server {
        listen 192.168.1.1:80 default;
    }
}
Michael Shadle (Guest)
on 2009-05-01 09:24
(Received via mailing list)
On Fri, May 1, 2009 at 12:00 AM, Tristan Griffiths
<tristan.griffiths@stomp.com.au> wrote:

> http {
>    server {
-        listen 192.168.1.1:80 default;
+        listen 80 default;
>    }
> }
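
Review bot: the replacement line `listen 80 default;` carries no address, so nginx binds the wildcard and this server block answers on every address configured on the host rather than only 192.168.1.1. If the site is meant to be reachable only on the floating address, keep the address-specific `listen 192.168.1.1:80 default;` in its own server block and add a separate `listen 80;` block beside it, so the wildcard bind exists but requests are still matched by destination address.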

try that

also you could try dropping default. maybe the behavior will change. i
guess it depends if nginx will listen on new ips that are inherited
through heartbeat or not. i haven't tried but i've never hit the
situation where i had to tell nginx to re-bind. but i may have never
-got- to that situation to begin with :P
Tristan Griffiths (Guest)
on 2009-05-01 09:36
(Received via mailing list)
> -----Original Message-----
> From: owner-nginx@sysoev.ru [mailto:owner-nginx@sysoev.ru] On Behalf Of
> > Heartbeat, we have Nginx listening on virtual addresses on the active
> > Some important information:
> >
> > # nginx -v
> > nginx version: nginx/0.7.53
> >
> > Starting nginx: [emerg]: bind() to 213.167.72.152:80 failed (98: Address
> > already in use)
>
> This is because another process is already listening on this address:port.
> To listen on temporarily non configured addresses you may use something
>
>     server {
>          listen 213.167.72.1:80 default;
>          ...
>     }
>
> nginx binds to *:80 only, but tests an address where a request comes
> to.

Hadn't tried that. Works a treat.

Hope this helps someone else in future.

For SSL hosts, would we just "listen 443; ssl on;" (with a dummy
certificate)?

Thanks,

Griff
Igor Sysoev (Guest)
on 2009-05-01 09:48
(Received via mailing list)
On Fri, May 01, 2009 at 05:27:10PM +1000, Tristan Griffiths wrote:

> > > Greetings.
> > > Is Nginx able to bind to a non-local IP address? We've tried setting
> > > already in use)
> > >
> >     server {
> > to.
>
> Hadn't tried that. Works a treat.
>
> Hope this helps someone else in future.

OK, however, with ip_nonlocal_bind nginx should bind() successfully
even to non existent addresses. You should look why bind() returned
(98: Address already in use).

> For SSL hosts, would we just "listen 443; ssl on;" (with a dummy
> certificate)?

Yes. Or you may combine SSL/non-SSL servers in one server:

       server {
            listen  80;
            listen  443 default ssl;
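
Igor's point above, that errno 98 means a port conflict and not a missing address, can be checked on the passive node before nginx is started. The following is an added example, not code from the thread or from nginx; the function names and the 192.0.2.10 placeholder address are assumptions.

```python
import errno
import socket

SYSCTL = "/proc/sys/net/ipv4/ip_nonlocal_bind"  # Linux IPv4 sysctl file

def nonlocal_bind_enabled(path=SYSCTL):
    """Return True/False for the sysctl, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None

def classify(err):
    """Map a bind() errno to the cause an operator should chase."""
    if err == 0:
        return "ok"
    if err == errno.EADDRINUSE:      # 98 on Linux: the error in the thread
        return "in_use"              # another socket already owns addr:port
    if err == errno.EADDRNOTAVAIL:   # 99 on Linux
        return "not_local"           # address absent and ip_nonlocal_bind off
    if err == errno.EACCES:
        return "no_permission"       # privileged port without root/capability
    return "other"

def probe_bind(addr, port):
    """Attempt the bind() a listen directive implies; return (verdict, errno)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # nginx sets SO_REUSEADDR on its listening sockets, so mirror that here.
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((addr, port))
        return "ok", 0
    except OSError as exc:
        return classify(exc.errno), exc.errno
    finally:
        sock.close()

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the floating IP.
    vip, port = "192.0.2.10", 8080
    print("ip_nonlocal_bind enabled:", nonlocal_bind_enabled())
    print("bind %s:%d ->" % (vip, port), probe_bind(vip, port))
```

A verdict of `in_use` is independent of ip_nonlocal_bind: the sysctl only removes the `not_local` failure.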
Tristan Griffiths (Guest)
on 2009-05-01 12:10
(Received via mailing list)
> > For SSL hosts, would we just "listen 443; ssl on;" (with a dummy
> > certificate)?
>
> Yes. Or you may combine SSL/non-SSL servers in one server:
>
>        server {
>             listen  80;
>             listen  443 default ssl;
>

This is what I have now done, although I was being tripped up by the
"deferred" option defined in our virtual host listen directives.
Setting:

server { listen 80 default deferred; ....

Seems to work.

Catch with combining SSL/non-SSL is that our backend app servers require
the X-FORWARDED_PROTO header to know if the client is getting an
encrypted connection. Is there a way around this?
Tristan Griffiths (Guest)
on 2009-05-01 13:12
(Received via mailing list)
> Setting:
>
> server { listen 80 default deferred; ....
>
> Seems to work.
>
> Catch with combining SSL/non-SSL is that our backend app servers
> require
> the X-FORWARDED_PROTO header to know if the client is getting an
> encrypted connection. Is there a way around this?

Answered my own question...

proxy_set_header X-FORWARDED_PROTO $scheme;

Easy!

Thanks again Igor for fantastic software.