@fullyint
Contributor

Multiple listen directives

It appears Ubuntu doesn't support dual-stack sockets (a single socket serving both IPv4 and IPv6), even with the ipv6only=off parameter for listen. Separate listen directives are necessary for no-default.conf to serve IPv4 and IPv6 connections to unknown hosts. Discussion at h5bp/server-configs-nginx#179 (comment).

deferred parameter

This PR also adds the deferred parameter to enable deferred accept() (the TCP_DEFER_ACCEPT socket option) to streamline usage of server processes. Here is the best description I found.

Note that deferred is one of the "additional parameters ... [that can be applied] only once for a given address:port pair" (Nginx docs). For this reason it should be applied only in the no-default.conf. If deferred were also applied for WordPress vhosts, Nginx would fail to reload: nginx: [emerg] duplicate listen options for socket (example discussion).

Testing IPv6

Of course, to test IPv6, one's local machine and server must both enable IPv6. For Trellis to make IPv6 SSH connections (e.g., to run a playbook), adjust the ListenAddresses and AddressFamily:

 sshd_listen_addresses:
   - 0.0.0.0
+  - '::'

-sshd_address_family: inet
+sshd_address_family: any
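
Review bot: adding '::' to sshd_listen_addresses and switching sshd_address_family to any makes sshd reachable over IPv6, while the warning directly below states there are no ip6tables settings. Suggest saying next to these two changes that they are for test servers only, or pairing them with IPv6 firewall rules before they are used on a reachable host.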

⚠️ Trellis is not ready for IPv6 in production. There are no ip6tables settings.
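
A pre-reload check for the "duplicate listen options" failure described above, as an added example that is not part of this PR or of Trellis: it scans nginx config text for socket-level listen parameters set more than once for the same address:port pair. The sample configs and file names are constructed, and the parameter list and address normalization are simplified assumptions about nginx's behaviour.

```python
import re
from collections import defaultdict

# listen parameters that nginx accepts only once per address:port pair
SOCKET_PARAMS = {"deferred", "bind", "reuseport"}
SOCKET_PREFIXES = ("backlog=", "rcvbuf=", "sndbuf=", "accept_filter=",
                   "ipv6only=", "so_keepalive=", "fastopen=", "setfib=")
# Anchored at line start, so commented-out listen lines are skipped
LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)


def normalize(addr):
    """Map a listen address to host:port ('80' -> '*:80', '[::]' -> '[::]:80')."""
    if addr.startswith("unix:"):
        return addr
    if addr.isdigit():
        return "*:" + addr
    if addr.startswith("["):  # bracketed IPv6 literal
        host, _, port = addr.partition("]")
        return host + "]:" + (port.lstrip(":") or "80")
    host, _, port = addr.partition(":")
    return host + ":" + (port or "80")


def duplicate_listen_options(configs):
    """configs maps file name -> config text. Returns {address: [files]} for each
    address:port where more than one listen directive sets socket-level options."""
    seen = defaultdict(list)
    for name, text in configs.items():
        for match in LISTEN_RE.finditer(text):
            addr, *params = match.group(1).split()
            if any(p in SOCKET_PARAMS or p.startswith(SOCKET_PREFIXES) for p in params):
                seen[normalize(addr)].append(name)
    return {addr: files for addr, files in seen.items() if len(files) > 1}


# Constructed sample configs: a catch-all server with deferred on both sockets,
# a vhost without socket options, and a vhost that repeats deferred on port 80.
NO_DEFAULT = """server {
  listen [::]:80 default_server deferred;
  listen 80 default_server deferred;
  server_name _;
  return 444;
}"""
SITE_OK = """server {
  listen [::]:80;
  listen 80;
  server_name example.com;
}"""
SITE_BAD = SITE_OK.replace("listen 80;", "listen 80 deferred;")
```

The check treats `*:80` and `0.0.0.0:80` as different addresses, so it can miss a duplicate that nginx itself would reject; `nginx -t` remains the authoritative test.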

Ubuntu doesn't appear to support dual-stack sockets, even if
ipv6only=off is added. Separate listen directives are necessary for
no-default.conf to serve IPv4 and IPv6 connections to unknown hosts.
Enable deferred accept() (the TCP_DEFER_ACCEPT socket option) to
streamline usage of server processes.
@tangrufus
Member

Can we apply the same patch to ssl.no-default as well? That file is currently ignored.