nginx virtual hosts not working after enabling IPv6

Solution 1:

Nginx 1.8.0 had a bug[1] (fixed in 1.8.1) that enabled SPDY/h2 by default. With HTTP/2, browsers try to open only one connection per server[2]. Firefox does this in a very aggressive manner[3]. It reuses IPv6 connections across hostnames even if the IPv6 addresses don't match (but the IPv4 addresses match and the certificate matches). With wildcard certificates this may lead to the observed problem[4], where content of the wrong domain is served.

The browser in this case is trying to unshard the subdomains to optimize speed, wrongly thinking the different subdomains were only put in place to optimize speed in HTTP/1 (i.e. by using static1.example.com and static2.example.com to get more server connections in parallel).

The problem can be solved by A) using different certificates for the domains, B) using the same IPv6 address for the domains, or C) sending HTTP status code 421[5] for the misguided requests.

  • [1] http://nginx.org/en/CHANGES-1.8
  • [2] https://http2.github.io/http2-spec/#reuse
  • [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1190136
  • [4] https://www.trullala.de/firefox-http2-ipv6-pitfall/
  • [5] http://httpwg.org/specs/rfc7540.html#MisdirectedRequest
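Option C as an nginx configuration sketch, added here as an illustration and not part of the original answer: a catch-all default server on every listen address answers 421 for any Host that is not explicitly served there, so a request arriving over a reused connection is retried on a fresh one instead of receiving another site's content. Hostnames, addresses (documentation ranges) and certificate paths are constructed placeholders.

```nginx
# Constructed example: names, addresses and file paths are placeholders.
# Keep whatever spdy/http2 listen parameter your existing config already uses.

# Site 1: shared IPv4 address plus its own IPv6 address.
server {
    listen 192.0.2.10:443 ssl;
    listen [2001:db8::a]:443 ssl;
    server_name static1.example.com;

    ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;

    root /srv/www/static1;
}

# Site 2: same IPv4 address and wildcard certificate, different IPv6 address.
server {
    listen 192.0.2.10:443 ssl;
    listen [2001:db8::b]:443 ssl;
    server_name static2.example.com;

    ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;

    root /srv/www/static2;
}

# Catch-all: nginx first narrows the candidates to servers listening on the
# address the connection arrived on, then matches the Host / :authority value.
# A request for static2 sent over a connection to [2001:db8::a] matches no
# server_name on that address, lands here, and gets 421 Misdirected Request.
server {
    listen 192.0.2.10:443 ssl default_server;
    listen [2001:db8::a]:443 ssl default_server;
    listen [2001:db8::b]:443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/tls/wildcard.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;

    return 421;
}
```

To check the behaviour, request one hostname while pinning the connection to the other site's address, for example `curl -sk -o /dev/null -w '%{http_code}\n' --resolve 'static2.example.com:443:[2001:db8::a]' https://static2.example.com/`, which should print 421.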