Hello!

On Wed, Aug 25, 2010 at 09:27:43AM +0200, Matthias-Christian Ott wrote:

> At the moment nignx does not allow IPv6 addresses to specified by
> hostname in a listen directive, that is the following will not work:
>
> listen ipv6.example.com;
> listen [ipv6.example.com];
> listen ipv6.example.com ipv6only=on;
> listen [ipv6.example.com] ipv6only=on;
>
> Though I see a potential security problem with hostnames here (this
> also applies to IPv4), because DNS replies can be manipulated if
> DNSSEC is not used, I think that this feature would be helpful and
> simplifies administration.

Note well: listen with hostname always uses *one* address returned
by hostname lookup, the first one returned by gethostbyname(). It
doesn't make sense to attempt to use it with hostname which
resolves to multiple addresses.

> Given that example.com resolves to an IPv4 and IPv6 address, simply
> binding to both addresses with the following directive would break
> backwards compatibility: listen example.com;
>
> For backwards compatibility I propose the following to resolve the
> IPv6 addresses of a hostname and listen on them:
>
> a) listen example.com ipv6only=on;
>
> b) listen [example.com];
>
> Solution b) has the disadvantage that it doesn't conform to RFC 3986.

Both are bad. Attribute ipv6only serves completely different
purpose: it disables implicit mapping of ipv6 listen sockets to
ipv4 (for OSes where such mapping is on by default), i.e.
instructs nginx to do setsockopt(IPV6_V6ONLY) on listen socket.
See http://tools.ietf.org/html/rfc3493#section-5.3 for details.

I believe correct solution would be to make

listen example.com;

to use ipv6 address if no ipv4 addresses were found.

Maxim Dounin

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel