nginx virtual hosts not working after enabling IPv6
Solution 1:
Nginx 1.8.0 had a bug[1] (fixed in 1.8.1) that enabled SPDY/h2 by default. With http/2 browsers try to open only one connection per server[2]. Firefox does this in a very aggressive manner[3]. It reuses IPv6-Connections across hostnames even if the IPv6-Adresses don't match (but IPv4-addresses match and certificate matches). With wildcard-certificates this may lead to the observed problem[4] where content of the wrong domain is served.
The browser in this case is trying to unshard the subdomains to optimize speed wrongly thinking the different subdomains were only put in place to optimize speed in http/1 (i.e. by using stattic1.example.com and static2.example.com to get more server connections in parallel).
The Problem can be solved by A) using different certificates for the domains, by B) using the same IPv6 address for the domains or C) by sending http status code 421[5] for the misguided requests.
- [1] http://nginx.org/en/CHANGES-1.8
- [2] https://http2.github.io/http2-spec/#reuse
- [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1190136
- [4] https://www.trullala.de/firefox-http2-ipv6-pitfall/
- [5] http://httpwg.org/specs/rfc7540.html#MisdirectedRequest