# Listen

<figure><img src="https://1973811904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Flk5l3lUfuUzRDnMDVwnw%2Fuploads%2FBWq60Hr1pNOEqB4x43x3%2F7a5efz_nginx.jpg?alt=media&#x26;token=3f655203-52f5-4bfd-82ea-5a77696d0a98" alt="" width="333"><figcaption></figcaption></figure>

The ports specified here are configured in the web interface and are used by nginx inside the Docker container.

| Port         | Description               |
| ------------ | ------------------------- |
| 80 (TCP)     | HTTP Protocol             |
| 443 (TCP)    | HTTPS/SSH/SSL Protocols\* |
| 53 (TCP/UDP) | DNS Protocol              |

Within nginx, these ports are of type "Stream". You can find a port overview in [port forwarding](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/port-forwarding).

<figure><img src="https://1973811904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Flk5l3lUfuUzRDnMDVwnw%2Fuploads%2FMSvjJljDMbb15BQWXjI2%2Flisten_ports.png?alt=media&#x26;token=55b6856e-8b4f-4c9f-b7ca-21f2e2bc495b" alt=""><figcaption><p>Standard listen ports by setup</p></figcaption></figure>

If you only use the standard ports for your services, you do not need to enter any additional ports here.

## Add/Edit Listen

<div align="center" data-full-width="true"><figure><img src="https://1973811904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Flk5l3lUfuUzRDnMDVwnw%2Fuploads%2FoZj6pUGDiQjB15bQRhf2%2Flisten_add.png?alt=media&#x26;token=3f4d8620-acc7-4f47-9304-53a370a52957" alt=""><figcaption><p>Add Listen</p></figcaption></figure></div>

When you add a listen, a dialog opens; the same dialog appears when editing.

<figure><img src="https://1973811904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Flk5l3lUfuUzRDnMDVwnw%2Fuploads%2FfwXDKrKxWmVKXFWZ3S1W%2Flisten_add2.png?alt=media&#x26;token=bae2c69d-d1e4-42d5-8fa8-fa5295e9753e" alt=""><figcaption></figcaption></figure>

1. **Name:** Name your listen, so you always recognize it in the UI.
2. **Type:** The listen type for the nginx proxy: <mark style="background-color:orange;">Stream</mark> or <mark style="background-color:green;">HTTP/HTTPS</mark>. The difference is how the connection is handled.
3. **Protocol:** The protocol to use. For a stream, UDP can be used in addition to TCP.
4. **Port:** The port the listen is bound to.
5. **Description:** Here you can describe in more detail what the listener is used for.
6. **IP6 enable:** Additionally enables listening on an IPv6 address <mark style="color:red;">(untested yet, but enables it in the nginx config)</mark>.
7. **IP access:** Enables checking of the IP address against a list (blacklist/whitelist).
8. **Access type:** Which list to use for the IP check. The lists can be maintained under [IP Access](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/ip-access).
9. **Proxy protocol enable:** Activates the use of the [proxy protocol](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/proxy-protocol). From then on, all packets are provided with the [proxy protocol](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/proxy-protocol) header. <mark style="background-color:blue;">This setting is important for internal HTTP/HTTPS processing.</mark> Only in this way does the route get the correct IP of the requesting client for further checks or logging.
10. **Proxy protocol incoming enable:** Expects incoming packets to carry a proxy header. Use this if FlyingFish sits behind another proxy server that uses the [proxy protocol](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/proxy-protocol).
11. **Disable this listen:** Disables the listen; its settings are skipped when the nginx config is built. <mark style="background-color:blue;">All dependent routes are also skipped.</mark>

After the initial installation, you can view the automatically installed listeners. You will find that ports 80 and 443 work with the [proxy protocol](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/proxy-protocol). There is a good reason for this: the stream points to the internal HTTP/HTTPS servers (listens), which in turn expect the [proxy protocol](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/proxy-protocol) so that they process the correct IP from the request and not the IP 127.0.0.1.

{% hint style="info" %}
Think of the Type as 2 zones: the <mark style="background-color:orange;">Stream</mark> (orange) represents the external zone and <mark style="background-color:green;">HTTP/HTTPS</mark> (green) represents the internal zone.

The Internal Zone can only be accessed from the External Stream Zone.
{% endhint %}

{% hint style="info" %}
Saving causes an immediate reload of nginx. Existing connections are kept, as if running the command `nginx -s reload`.
{% endhint %}

## Listen flow

The following graphic should help to understand the listen process:

<figure><img src="https://1973811904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Flk5l3lUfuUzRDnMDVwnw%2Fuploads%2FRf6rDe4NjsGWhXFsy4aV%2Fportflow.png?alt=media&#x26;token=bd231f9a-cc35-4a65-8342-50c6de552629" alt=""><figcaption><p>Portsflow</p></figcaption></figure>

<mark style="background-color:yellow;">Ports 5333, 80 and 443 listen</mark> on the network from the host (as a bridge, port forwarding to the Docker container).

There, nginx first uses <mark style="background-color:orange;">"</mark>[<mark style="background-color:orange;">IP access"</mark>](https://flying-fish.gitbook.io/flyingfish/index/configurations/listen/ip-access) to check whether the IPs have access rights. Then the streams (TCP/UDP) are <mark style="background-color:orange;">split by protocol</mark> (SSL/HTTP/etc.) and <mark style="background-color:orange;">split by</mark> [<mark style="background-color:orange;">domains</mark>](https://flying-fish.gitbook.io/flyingfish/index/configurations/domains) to be forwarded to a destination. If no external destination is specified, the internal ports of the <mark style="background-color:green;">HTTP (10080) and HTTPS (10443) servers</mark> are used as the standard. They perform a <mark style="background-color:green;">"reverse proxy"</mark> and pass the request along a route to an <mark style="background-color:blue;">internal or external HTTP/HTTPS server</mark>.

{% hint style="info" %}
The internal ports are only accessible in the Docker network and are securely shielded from the public network. A request must pass through the stream ports 5333, 80 or 443 to reach them.
{% endhint %}
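
The flow described above, written out as a hand-made nginx sketch: a stream listen on 443 with an IP check forwards to the internal HTTPS server on 10443 with the proxy protocol. This is an added example, not the config FlyingFish generates; the address ranges, server name, certificate paths and backend are assumptions, and the domain split is left out.

```nginx
# Added sketch, not FlyingFish's generated config.
# All addresses, names and paths below are assumptions for illustration.
events {}

stream {
    server {
        listen 443;                    # external "Stream" listen
        allow 198.51.100.0/24;         # IP access, whitelist style (constructed range)
        deny  all;

        proxy_pass 127.0.0.1:10443;    # no external destination: internal HTTPS server
        proxy_protocol on;             # "Proxy protocol enable": prepend the PROXY header
    }
}

http {
    server {
        # Internal listen. "proxy_protocol" must match the stream setting:
        # if only one side has it, the connection fails (the TLS handshake
        # or the expected PROXY header is read as garbage).
        listen 127.0.0.1:10443 ssl proxy_protocol;
        server_name app.example.test;                      # hypothetical domain
        ssl_certificate     /etc/nginx/certs/example.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/certs/example.key;  # placeholder path

        # Accept the client address from the PROXY header only when the
        # connection comes from the local stream block.
        set_real_ip_from 127.0.0.1;
        real_ip_header   proxy_protocol;

        location / {
            proxy_pass http://192.0.2.20:8080;             # hypothetical route destination
            # $remote_addr is now the real client IP, not 127.0.0.1.
            proxy_set_header X-Real-IP       $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        }
    }
}
```

A listen that accepts the proxy protocol trusts whatever source address the header carries, so it should only be reachable from the stream in front of it; if it were exposed directly, a client could supply its own header and bypass IP-based checks and logging.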

<figure><img src="https://1973811904-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Flk5l3lUfuUzRDnMDVwnw%2Fuploads%2FUQbLgRQkHtMxpmAoTrUc%2Fwhataflow.png?alt=media&#x26;token=71dc0359-8413-4690-93e2-b9cf0e45a402" alt=""><figcaption><p>Listen flow!</p></figcaption></figure>
