Score:0

Nginx not listening on new ports with systemctl reload nginx after adding config with a new port

vn flag

Not sure how to summarize this issue quickly, so I will put my scenario in bullet points:

  • Normal basic nginx install
  • I only use https(443), so I removed all http(80) config
  • When you start nginx (or restart it), the process seems to listen on port 80 as well (ss -tulp)
  • When I add a config in /etc/nginx/sites-enabled with a listener on http(80) and then
  • Reload nginx, using systemctl reload nginx (note: reload, not restart)
  • It does not work, as if nginx is still not listening for traffic on port 80
  • If I run systemctl restart nginx it does work.

I noticed this, because LetsEncrypt couldn't renew my certificates. After investigating the issue, I noticed the behaviour described above.
Because I had no nginx config listening on http(80), I think nginx just doesn't add any listeners or something when I start nginx (although port 80 was claimed by nginx)
And if Certbot then tries to renew my certificates, it would add a temporary http(80) config to the nginx config directory, presumably followed by a "reload" of nginx, rather than a restart (which is expected and as it should be).
But since nginx was started without http(80) config, it didn't process the traffic from LetsEncrypt to that temporary challenge config.
My solution was quite simple: add a basic http(80) config block to nginx with only a return 404; and restart nginx. After that, Certbot worked just fine and could renew all my certificates.

I was wondering if this is expected behaviour, or if this is a (known) bug in Nginx.

Thanks

Update:

nginx version: nginx/1.18.0
Debian 11 (Bullseye)
cn flag
You'd need to share your actual config for us to be able to help with this.
Jesse avatar
vn flag
@shearn89 Not sure how my config would help, because the config itself doesn't seem relevant; it is more the lack of config that seems to cause the issue. If I don't have a config which listens on port 80, and I then add a config for port 80 (it doesn't matter which config), then a reload of the service does not error, but it also does not listen on port 80. I have to restart the service before the config is operational, while normally a reload is sufficient.
cn flag
You say you 'removed all http(80) config' and then 'add a config in ...'. Trying to guess what your config looks like from your description is difficult and error prone. If you add it to the question we can tell you if it's a misconfiguration or a bug in Nginx.
Jesse avatar
vn flag
Well, the problem is that it doesn't work as expected when I don't provide that config. With that config it does work, so again, not sure how providing the config would help. But as I stated in the original post, my config is just a return 404: listen 80; server_name _; return 404;
Score:0
cn flag

I don't think this is a bug, I think this is something wrong at your end. I can't recreate your issue.

I've spun up a fresh EC2 instance with Amazon Linux and installed nginx.

Commented out http server, uncommented https, and generated certs:

#    server {
#        listen       80;
#        listen       [::]:80;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        error_page 404 /404.html;
#        location = /404.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }

    server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/cert.pem";
        ssl_certificate_key "/etc/pki/nginx/key.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        # ssl_ciphers PROFILE=SYSTEM;
        # ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Certs:

[root@ip-10-0-0-110 nginx]# ls -l /etc/pki/nginx/
total 8
-rw-r--r-- 1 nginx nginx 2155 Feb  4 09:28 cert.pem
-rw-r--r-- 1 nginx nginx 3272 Feb  4 09:28 key.pem

Start up the server, and port 80 is not in use, but 443 is:

[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':80'
[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':443'
tcp  LISTEN 0      511                            0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=32264,fd=6),("nginx",pid=32262,fd=6),("nginx",pid=32205,fd=6))
tcp  LISTEN 0      511                               [::]:443          [::]:*    users:(("nginx",pid=32264,fd=7),("nginx",pid=32262,fd=7),("nginx",pid=32205,fd=7))

Uncomment HTTP and do a systemctl reload nginx, and both are in use:

[root@ip-10-0-0-110 nginx]# vim /etc/nginx/nginx.conf
[root@ip-10-0-0-110 nginx]# systemctl reload nginx
[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':443'
tcp  LISTEN 0      511                            0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=32288,fd=6),("nginx",pid=32287,fd=6),("nginx",pid=32205,fd=6))
tcp  LISTEN 0      511                               [::]:443          [::]:*    users:(("nginx",pid=32288,fd=7),("nginx",pid=32287,fd=7),("nginx",pid=32205,fd=7))
[root@ip-10-0-0-110 nginx]# ss -plunt | grep ':80'
tcp  LISTEN 0      511                            0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=32288,fd=13),("nginx",pid=32287,fd=13),("nginx",pid=32205,fd=13))
tcp  LISTEN 0      511                               [::]:80           [::]:*    users:(("nginx",pid=32288,fd=14),("nginx",pid=32287,fd=14),("nginx",pid=32205,fd=14))
[root@ip-10-0-0-110 nginx]#

Comment it out and reload again, only 443 is listening.

Version installed:

[root@ip-10-0-0-110 nginx]# yum list nginx
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Installed Packages
nginx.x86_64                               1:1.20.0-2.amzn2.0.4
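Added example, not code from the question or from the answer above: the reproduction above trusts `ss` rather than the exit status of `systemctl reload nginx`, and that is the right instinct. A reload only sends SIGHUP to the master process; if the new configuration cannot be applied (for example a listen socket that fails to bind), the master logs the error and keeps running the old configuration, and the `systemctl` command still returns 0. The script below turns that check into a function that parses `ss -Hltnp` output, and wraps the poster's workaround (a plain port-80 block) in a validate, reload, verify sequence. The config path, the ACME webroot and the redirect-to-HTTPS behaviour are assumptions of this example; the poster's `return 404;` block would also do.

```shell
#!/bin/sh
# Added example: confirm that nginx is really bound to the expected ports
# after a reload instead of trusting the reload's exit status.

# Print the TCP ports nginx is listening on as one line of space-separated
# numbers, parsed from `ss -Hltnp` output on stdin (-H drops the header, so
# the local address is always field 4 and the process list field 6).
nginx_listen_ports() {
    awk '/"nginx"/ { p = $4; sub(/.*:/, "", p); print p }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if every port listed in "$1" (e.g. "80 443") appears in the
# ss output read on stdin; name the missing ones on stderr otherwise.
ports_present() {
    have=$(nginx_listen_ports)
    missing=""
    for want in $1; do
        case " $have " in
            *" $want "*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "nginx is not listening on:$missing" >&2
        return 1
    fi
    return 0
}

# Write a port-80 block, validate it, reload, then verify against the live
# socket table. Path and webroot are assumptions; run as root on a real host.
add_http_block_and_reload() {
    conf=${1:-/etc/nginx/sites-enabled/00-http.conf}
    cat >"$conf" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # Answer ACME http-01 challenges from a fixed webroot (certbot --webroot).
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else is sent to HTTPS; nothing is served in the clear.
    location / {
        return 301 https://$host$request_uri;
    }
}
EOF
    nginx -t || return 1
    systemctl reload nginx || return 1
    sleep 1   # the reload is asynchronous; give the master time to bind
    ss -Hltnp | ports_present "80 443" || {
        echo "reload did not bind all ports; check /var/log/nginx/error.log" >&2
        return 1
    }
}

# Constructed sample of `ss -Hltnp` output (HTTPS-only state before the
# reload), so the check can be exercised without touching a real server.
SAMPLE_BEFORE='LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=32264,fd=6),("nginx",pid=32205,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=32264,fd=7),("nginx",pid=32205,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'

if [ "${1:-}" = "--apply" ]; then
    add_http_block_and_reload
else
    printf '%s\n' "$SAMPLE_BEFORE" | ports_present "80 443" \
        || echo "(expected: port 80 is missing in the sample before the reload)"
fi
```

Run it without arguments to see the check fail on the sample, or with `--apply` as root to install the block and verify the live state. The `sleep` matters: `systemctl reload` returns as soon as the signal is sent, so an immediate `ss` can race the master process. If the verification fails, /var/log/nginx/error.log is where a bind failure during reload is recorded, since nothing about it reaches the `systemctl` exit code.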
Jesse avatar
vn flag
Ah, forgot to mention my version: "nginx version: nginx/1.18.0" on Debian 11. Will check if I can reproduce it on fresh install. Maybe it is solved in 1.20