Do you need separate IPv4 and IPv6 listen directives in nginx?

Solution 1:

If you host multiple vhost domains with a single Nginx instance, you can't use the single combined listen directive

listen [::]:80 ipv6only=off;

for each of them. Nginx has a weird quirk where you can only specify the ipv6only parameter once for each port, or it will fail to start. That means you can't specify it for each vhost domain server block.

As Michael mentioned, starting with Nginx 1.3.4, the ipv6only parameter defaults to on.

Therefore, if you want to host multiple domains on both IPv4 and IPv6 with a single Nginx server, you are forced to use two listen directives for each domain server block:

listen 80;
listen [::]:80; 

Additionally, as Sander mentioned, using ipv6only=off has the drawback that IPv4 addresses are translated to IPv6. This can cause problems if your app does IP checking against blacklists like Akismet or StopForumSpam because unless you build in a reverse translation layer, your app will check the IPv6 translation of the spammer's IPv4 address, which won't match any of the IPv4 addresses in the blacklist.

Solution 2:

That probably is about the only reason you would use the former construct, these days.

The reason you're seeing this is probably that the default of ipv6only changed in nginx 1.3.4. Prior to that, it defaulted to off; in newer versions it defaults to on.

This happens to interact with the IPV6_V6ONLY socket option on Linux, and similar options on other operating systems, whose defaults aren't necessarily predictable. Thus the former construct was required pre-1.3.4 to ensure that you were actually listening for connections on both IPv4 and IPv6.

The change to the nginx default for ipv6only ensures that the operating system default for dual stack sockets is irrelevant. Now, nginx either explicitly binds to IPv4, IPv6, or both, never depending on the OS to create a dual stack socket by default.

Indeed, my standard nginx configs for pre-1.3.4 have the first configuration, and post-1.3.4 all have the second configuration.

Though, since binding a dual stack socket is a Linux-only thing, my current configurations now look more like the first example, but without ipv6only set, to wit:

listen [::]:80;
listen 80;

Solution 3:

With the ipv6only=off configuration style the IPv4 addresses might be shown as IPv6 addresses using the (software-only) IPv4-mapped IPv6 addresses in for example log files, environment variables (REMOTE_ADDR) etc.

Solution 4:

To my understanding (and according to the docs at, using just

listen 80; sufficient if you wish to channel both IPv4 & IPv6 traffic at the same port.