Author Topic: nginx listen ip  (Read 8182 times)

patrick7

« on: October 15, 2018, 10:38:06 am »
Hi

Is there a possibility to tell a nginx server to listen on which IP?

Regards
Patrick

fabian

« Reply #1 on: October 15, 2018, 06:40:02 pm »
No, is there a special use case behind it? It listens on ::/0 and 0.0.0.0/0 on the configured ports.

patrick7

« Reply #2 on: October 16, 2018, 08:11:55 am »
I see several use cases.
One is that the web interface already listens on the same ports :-)

fabian

« Reply #3 on: October 16, 2018, 06:03:53 pm »
Quote from: patrick7 on October 16, 2018, 08:11:55 am
One is that the web interface already listens on the same ports :-)

The nginx plugin can serve the web interface instead of the internal server and you probably do already have it but it is disabled in the code.
Try to connect via SSH, search for TODO in the /usr/local/etc/nginx.conf and enable this line, then kill the web interface server (if you do not use the CP it is just killall lighttpd) and then restart nginx. The web interface should be there and the shared port should work.

Just be careful, because a config reload will drop the change and you lose access (to make it more persistent, you have to update the template).

patrick7

« Reply #4 on: October 16, 2018, 06:58:57 pm »
Will try, but even if it's possible to serve the web interface, there should be a possibility to tell nginx which IPs to listen on.
Use case multiple servers, dedicated IP per website, ...... (endless list)

fabian

« Reply #5 on: October 16, 2018, 07:10:25 pm »
Quote from: patrick7 on October 16, 2018, 06:58:57 pm
Use case multiple servers,...

You can make multiple server blocks. nginx decides based on SNI or Host header.

Quote from: patrick7 on October 16, 2018, 06:58:57 pm
…, dedicated IP per website, …

Isn't that against the high availability goal? If you think about security, you can also contact the server(s) directly from your internal networks if the WAF is not required. But wouldn't an IP-based ACL be more reasonable?
« Last Edit: October 16, 2018, 07:12:13 pm by fabian »

patrick7

« Reply #6 on: October 17, 2018, 01:11:52 pm »
You are right, there are other ways.
But still it should be possible to bind nginx to a single IP. e.g. replace the listen port with just "listen". If someone enters 443, it listens on all IPs, port 443, if you enter 1.2.3.4:443, it listens on IP 1.2.3.4, port 443.
I don't like to bind services to all IPs even if I only need the service on one IP.  For all other services I use that's possible...

fabian

« Reply #7 on: October 17, 2018, 06:08:30 pm »
Quote from: patrick7 on October 17, 2018, 01:11:52 pm
But still it should be possible to bind nginx to a single IP. e.g. replace the listen port with just "listen". If someone enters 443, it listens on all IPs, port 443, if you enter 1.2.3.4:443, it listens on IP 1.2.3.4, port 443.

Currently, if you choose port 80 for HTTP, you will bind 0.0.0.0:80 and [::]:80. I guess many administrators are confused about [IP] notation or forget it.

Quote from: patrick7 on October 17, 2018, 01:11:52 pm
I don't like to bind services to all IPs even if I only need the service on one IP.  For all other services I use that's possible...

Most plugins don't support that, but many allow you to choose an interface and will generate a configuration which will bind to all IP addresses configured on a special interface.
This has some other limitations: it does not work when the IP is replaced or not in the configuration (for example when SLAAC is used).
In some cases the socket breaks and leads to a daemon crash (I don't know if this happens in nginx as well, but some others do have this issue if you get another IP and the old binding is not valid anymore).

Deku

« Reply #8 on: May 10, 2019, 04:31:15 pm »
I would also like a feature to select which interface to listen on.  Another service using the port on another interface is causing me issues.  I don't want it to listen on all interfaces - would be nice to allow the selection and just default to ALL.

oxivanisher

« Reply #9 on: October 01, 2019, 10:12:07 am »
I would like that too. My goal is to implement something like Pi Hole but much simpler. A simple https://forum.fpvhub.ch/t/dns-blacklist-wie-pi-hole-fuer-unbound-dns-server-opn-sense/772 with a cron entry which rewrites ad and malicious domains to a given IP. This IP is configured as a virtual IP on the firewall, and nginx could serve a site like http://www.shadowandy.net/2014/04/adblocking-nginx-serving-1-pixel-gif-204-content.htm.
But to make the nginx config "catch all" I would need it to listen on the virtual IP.

fabian

« Reply #10 on: October 01, 2019, 09:45:08 pm »
It is bound to :: and 0.0.0.0 so it will also listen on VIPs

ip6li

« Reply #11 on: December 05, 2020, 11:34:03 am »
There are several use cases for binding Nginx to specific IP addresses, e.g.:

  • One IP address may be forwarded by pf to a web service which cannot be routed through Nginx, e.g. because it does not support SNI - that is real life versus theory
  • One more IP address is routed to e.g. a honeypot and Nginx should not interfere

I cannot understand what is wrong with a Nginx config like listen 192.168.1.2:443 ssl http2; it is supported by Nginx out of the box.

Binding services to IP addresses which are not needed for this service should be considered as a security flaw.
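
An added example (not part of any post in this thread and not code from the OPNsense nginx plugin): a small audit that reads an nginx configuration and reports which listen directives bind every address, covering the bare-port, *:port, 0.0.0.0, and bracketed [IPv6] forms discussed above. The sample configuration is constructed, and the function names classify, audit and wildcard_listens are hypothetical.

```python
import ipaddress
import re

# Constructed sample (not copied from a real OPNsense-generated nginx.conf).
SAMPLE_CONF = """
server {
    listen 80;
    listen [::]:80;
    server_name a.example;
}
server {
    listen 192.168.1.2:443 ssl http2;  # form quoted in the thread
    listen [2001:db8::10]:443 ssl;
    # listen 8443;
    server_name b.example;
}
"""

def classify(value):
    """Return (value, port, is_wildcard) for one nginx listen argument."""
    if value.startswith("unix:"):              # UNIX socket, no IP binding
        return (value, None, False)
    if value.isdigit():                        # bare port is the same as *:port
        return (value, int(value), True)
    if value.startswith("["):                  # [IPv6] or [IPv6]:port
        host, _, rest = value[1:].partition("]")
        port = int(rest[1:]) if rest.startswith(":") else 80
    else:                                      # addr, addr:port or *:port
        host, sep, rest = value.partition(":")
        port = int(rest) if sep else 80        # nginx uses 80 if port omitted
    if host == "*":
        return (value, port, True)
    try:
        wildcard = ipaddress.ip_address(host).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        wildcard = False                       # hostname, resolved by nginx
    return (value, port, wildcard)

def audit(conf):
    """Classify every listen directive, ignoring '#' comments."""
    text = re.sub(r"#[^\n]*", "", conf)
    pattern = r"(?:^|[;{}])\s*listen\s+([^\s;]+)"
    return [classify(m.group(1)) for m in re.finditer(pattern, text)]

def wildcard_listens(conf):
    """Listen arguments that bind every address of a family."""
    return [value for value, _port, wild in audit(conf) if wild]

if __name__ == "__main__":
    for value, port, wild in audit(SAMPLE_CONF):
        print(f"{value:24} port={port} {'ALL ADDRESSES' if wild else 'specific'}")
```

To check a live system, pass the contents of /usr/local/etc/nginx.conf (the path mentioned earlier in the thread) to audit().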

bimbar

« Reply #12 on: October 13, 2021, 01:10:03 pm »
I do agree, and I have opened (another) feature request: https://github.com/opnsense/plugins/issues/2574 .

We have customers with public /27 networks which are served by an opnsense firewall, and if I can't distinguish between all those IPs in nginx, I might just as well not have them.

I would also do the work for this, but if it's not going to be accepted, then I don't want to waste my time.

bimbar

« Reply #13 on: October 14, 2021, 07:04:49 pm »
I opened a Pull Request, #2578 .