diff --git a/server/embed/etcd.go b/server/embed/etcd.go
index 3b0e4db7c..56e629ab5 100644
--- a/server/embed/etcd.go
+++ b/server/embed/etcd.go
@@ -619,7 +619,6 @@ func configureClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err erro
 
 	sctxs = make(map[string]*serveCtx)
 	for _, u := range cfg.ListenClientUrls {
-		sctx := newServeCtx(cfg.logger)
 		if u.Scheme == "http" || u.Scheme == "unix" {
 			if !cfg.ClientTLSInfo.Empty() {
 				cfg.logger.Warn("scheme is HTTP while key and cert files are present; ignoring key and cert files", zap.String("client-url", u.String()))
@@ -631,24 +630,31 @@ func configureClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err erro
 		if (u.Scheme == "https" || u.Scheme == "unixs") && cfg.ClientTLSInfo.Empty() {
 			return nil, fmt.Errorf("TLS key/cert (--cert-file, --key-file) must be provided for client url %s with HTTPS scheme", u.String())
 		}
+	}
 
-		network := "tcp"
+	for _, u := range cfg.ListenClientUrls {
 		addr := u.Host
+		network := "tcp"
 		if u.Scheme == "unix" || u.Scheme == "unixs" {
-			network = "unix"
 			addr = u.Host + u.Path
+			network = "unix"
 		}
+		secure := u.Scheme == "https" || u.Scheme == "unixs"
+		insecure := !secure
+
+		sctx := sctxs[addr]
+		if sctx == nil {
+			sctx = newServeCtx(cfg.logger)
+			sctxs[addr] = sctx
+		}
+		sctx.secure = sctx.secure || secure
+		sctx.insecure = sctx.insecure || insecure
+		sctx.scheme = u.Scheme
+		sctx.addr = addr
 		sctx.network = network
-
-		sctx.secure = u.Scheme == "https" || u.Scheme == "unixs"
-		sctx.insecure = !sctx.secure
-		if oldctx := sctxs[addr]; oldctx != nil {
-			oldctx.secure = oldctx.secure || sctx.secure
-			oldctx.insecure = oldctx.insecure || sctx.insecure
-			continue
-		}
-
-		if sctx.l, err = transport.NewListenerWithOpts(addr, u.Scheme,
+	}
+	for _, sctx := range sctxs {
+		if sctx.l, err = transport.NewListenerWithOpts(sctx.addr, sctx.scheme,
 			transport.WithSocketOpts(&cfg.SocketOpts),
 			transport.WithSkipTLSInfoCheck(true),
 		); err != nil {
@@ -656,7 +662,6 @@ func configureClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err erro
 		}
 		// net.Listener will rewrite ipv4 0.0.0.0 to ipv6 [::], breaking
 		// hosts that disable ipv6. So, use the address given by the user.
-		sctx.addr = addr
 
 		if fdLimit, fderr := runtimeutil.FDLimit(); fderr == nil {
 			if fdLimit <= reservedInternalFDNum {
@@ -669,17 +674,17 @@ func configureClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err erro
 			sctx.l = transport.LimitListener(sctx.l, int(fdLimit-reservedInternalFDNum))
 		}
 
-		defer func(u url.URL) {
+		defer func(addr string) {
 			if err == nil {
 				return
 			}
 			sctx.l.Close()
 			cfg.logger.Warn(
 				"closing peer listener",
-				zap.String("address", u.Host),
+				zap.String("address", addr),
 				zap.Error(err),
 			)
-		}(u)
+		}(sctx.addr)
 		for k := range cfg.UserHandlers {
 			sctx.userHandlers[k] = cfg.UserHandlers[k]
 		}
@@ -690,7 +695,6 @@ func configureClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err erro
 		if cfg.LogLevel == "debug" {
 			sctx.registerTrace()
 		}
-		sctxs[addr] = sctx
 	}
 	return sctxs, nil
 }
diff --git a/server/embed/serve.go b/server/embed/serve.go
index 874e5a926..577430518 100644
--- a/server/embed/serve.go
+++ b/server/embed/serve.go
@@ -52,8 +52,10 @@ import (
 )
 
 type serveCtx struct {
-	lg       *zap.Logger
-	l        net.Listener
+	lg *zap.Logger
+	l  net.Listener
+
+	scheme   string
 	addr     string
 	network  string
 	secure   bool