> -----Original Message-----
> From: owner-nginx@sysoev.ru [mailto:owner-nginx@sysoev.ru] On Behalf
Of
> Igor Sysoev
> Sent: Friday, 1 May 2009 5:38 PM
> To: nginx@sysoev.ru
> Subject: Re: nginx + ip_nonlocal_bind
>
> On Fri, May 01, 2009 at 05:27:10PM +1000, Tristan Griffiths wrote:
>
> > > -----Original Message-----
> > > From: owner-nginx@sysoev.ru [mailto:owner-nginx@sysoev.ru] On
> Behalf
> > Of
> > > Igor Sysoev
> > > Sent: Friday, 1 May 2009 4:50 PM
> > > To: nginx@sysoev.ru
> > > Subject: Re: nginx + ip_nonlocal_bind
> > >
> > > On Fri, May 01, 2009 at 04:26:55PM +1000, Tristan Griffiths wrote:
> > >
> > > > Greetings.
> > > >
> > > > We would like to setup our Nginx instances in a HA pair. Using
> > > > Heartbeat, we have Nginx listening on virtual addresses on the
> > active
> > > > server.
> > > >
> > > > On the passive server, we cannot get Nginx to start up because
> those
> > > > virtual (or floating) address are not configured on the server
> until
> > > > Heartbeat detects a failover condition.
> > > >
> > > > Is Nginx able to bind to a non-local IP address? We've tried
> setting
> > > the
> > > > ip_nonlocal_bind kernel option with no luck.
> > > >
> > > > Some important information:
> > > >
> > > > # nginx -v
> > > > nginx version: nginx/0.7.53
> > > >
> > > > Starting nginx: [emerg]: bind() to 213.167.72.152:80 failed (98:
> > > Address
> > > > already in use)
> > >
> > > This is because another process is laready listen on this
> > address:port.
> > >
> > > > CentOS 5.3
> > > >
> > > > <config>
> > > > server {
> > > > listen 213.167.72.152:80 default;
> > > > </config>
> > > >
> > > > Any other settings we should provide?
> > >
> > > To listen on temporarily non configured addresses you may use
> > something
> > > like this:
> > >
> > > server {
> > > listen 80;
> > > }
> > >
> > > server {
> > > listen 213.167.72.152:80 default;
> > > ...
> > > }
> > >
> > > server {
> > > listen 213.167.72.1:80 default;
> > > ...
> > > }
> > >
> > > nginx binds to *:80 only, but tests an address where a request
> comes
> > > to.
> >
> > Hadn't tried that. Works a treat.
> >
> > Hope this helps someone else in future.
>
> OK, however, with ip_nonlocal_bind nginx should bind() successfully
> even to non existent addresses. You should look why bind() returned
> (98: Address already in use).
>
> > For SSL hosts, would we just "listen 443; ssl on;" (with a dummy
> > certificate)?
>
> Yes. Or you may combine SSL/non-SSL servers in one server:
>
> server {
> listen 80;
> listen 443 default ssl;
>

This is what I have now done, although I was being tripped up by the
"deferred" option defined in our virtual host listen directives.
Setting:

server { listen 80 default deferred; ....

Seems to work.

Catch with combining SSL/non-SSL is that our backend app servers require
the X-FORWARDED_PROTO header to know if the client is getting an
encrypted connection. Is there a way around this?