annotate conf/nginx.conf @ 5058:f25d0bbc4392 stable-1.2
Merge of r5004, r5019-r5025: ssl fixes.
*) SSL: speedup loading of configs with many ssl servers. The patch
saves one EC_KEY_generate_key() call per server{} block by informing
OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before
the SSL_CTX_set_tmp_ecdh() call.
For a configuration file with 10k simple server{} blocks with SSL
enabled this change reduces startup time from 18s to 5s on a slow
test box here.
*) SSL: removed conditions that always hold true.
*) SSL: resetting of flush flag after the data was written. There is
no need to flush next chunk of data if it does not contain a buffer
with the flush or last_buf flags set.
*) SSL: preservation of flush flag for buffered data. Previously,
if SSL buffer was not sent we lost information that the data
must be flushed.
*) SSL: calculation of buffer size moved closer to its usage.
No functional changes.
*) SSL: avoid calling SSL_write() with zero data size. According to
documentation, calling SSL_write() with num=0 bytes to be sent
results in undefined behavior.
We don't currently call ngx_ssl_send_chain() with empty chain and
buffer. This check handles the case of a chain with total data size
that is a multiple of NGX_SSL_BUFSIZE, and with the special buffer
at the end.
In practice such cases resulted in premature connection close and
critical error "SSL_write() failed (SSL:)" in the error log.
*) SSL: take into account data in the buffer while limiting output.
In some rare cases this can result in a more smooth sending rate.
*) SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Missing calls to ngx_handle_write_event() and ngx_handle_read_event()
resulted in a CPU hog during SSL handshake if a level-triggered event
method (e.g. select) was used.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 11 Feb 2013 15:12:06 +0000 |
parents | 1e90599af73b |
children | 50f531a55b73 |
rev | line source |
---|---|
450 | 1 |
455 | 2 #user nobody; |
573 | 3 worker_processes 1; |
450 | 4 |
5 #error_log logs/error.log; | |
577 | 6 #error_log logs/error.log notice; |
7 #error_log logs/error.log info; | |
8 | |
450 | 9 #pid logs/nginx.pid; |
10 | |
11 | |
12 events { | |
573 | 13 worker_connections 1024; |
450 | 14 } |
15 | |
16 | |
17 http { | |
1394 | 18 include mime.types; |
450 | 19 default_type application/octet-stream; |
20 | |
2286
d795199b41ad
add double quotes around $request
Igor Sysoev <igor@sysoev.ru>
parents:
1907
|
21 #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' |
2684
c944cba169e3
update $status in log_format example
Igor Sysoev <igor@sysoev.ru>
parents:
2286
|
22 # '$status $body_bytes_sent "$http_referer" ' |
657 | 23 # '"$http_user_agent" "$http_x_forwarded_for"'; |
577 | 24 |
25 #access_log logs/access.log main; | |
26 | |
493 | 27 sendfile on; |
577 | 28 #tcp_nopush on; |
493 | 29 |
523 | 30 #keepalive_timeout 0; |
645 | 31 keepalive_timeout 65; |
450 | 32 |
33 #gzip on; | |
34 | |
35 server { | |
577 | 36 listen 80; |
37 server_name localhost; | |
450 | 38 |
573 | 39 #charset koi8-r; |
450 | 40 |
577 | 41 #access_log logs/host.access.log main; |
450 | 42 |
43 location / { | |
44 root html; | |
45 index index.html index.htm; | |
46 } | |
47 | |
657 | 48 #error_page 404 /404.html; |
49 | |
50 # redirect server error pages to the static page /50x.html | |
51 # | |
52 error_page 500 502 503 504 /50x.html; | |
53 location = /50x.html { | |
54 root html; | |
55 } | |
56 | |
569 | 57 # proxy the PHP scripts to Apache listening on 127.0.0.1:80 |
58 # | |
59 #location ~ \.php$ { | |
60 # proxy_pass http://127.0.0.1; | |
61 #} | |
62 | |
577 | 63 # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 |
64 # | |
65 #location ~ \.php$ { | |
1907
7d47e1681a62
add "root" to the fastcgi example to set correct included DOCUMENT_ROOT
Igor Sysoev <igor@sysoev.ru>
parents:
1394
|
66 # root html; |
577 | 67 # fastcgi_pass 127.0.0.1:9000; |
68 # fastcgi_index index.php; | |
611 | 69 # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; |
1394 | 70 # include fastcgi_params; |
577 | 71 #} |
72 | |
645 | 73 # deny access to .htaccess files, if Apache's document root |
74 # concurs with nginx's one | |
481 | 75 # |
527 | 76 #location ~ /\.ht { |
481 | 77 # deny all; |
78 #} | |
450 | 79 } |
577 | 80 |
81 | |
82 # another virtual host using mix of IP-, name-, and port-based configuration | |
83 # | |
84 #server { | |
85 # listen 8000; | |
86 # listen somename:8080; | |
87 # server_name somename alias another.alias; | |
88 | |
89 # location / { | |
90 # root html; | |
91 # index index.html index.htm; | |
92 # } | |
93 #} | |
94 | |
95 | |
96 # HTTPS server | |
97 # | |
98 #server { | |
99 # listen 443; | |
100 # server_name localhost; | |
101 | |
102 # ssl on; | |
103 # ssl_certificate cert.pem; | |
104 # ssl_certificate_key cert.key; | |
105 | |
106 # ssl_session_timeout 5m; | |
107 | |
108 # ssl_protocols SSLv2 SSLv3 TLSv1; | |
3938
1e90599af73b
use !aNULL to disable all anonymous cipher suites
Igor Sysoev <igor@sysoev.ru>
parents:
2684
|
109 # ssl_ciphers HIGH:!aNULL:!MD5; |
577 | 110 # ssl_prefer_server_ciphers on; |
111 | |
112 # location / { | |
113 # root html; | |
114 # index index.html index.htm; | |
115 # } | |
116 #} | |
117 | |
450 | 118 } |
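Review bot: The commented-out HTTPS example (file line 108) offers `ssl_protocols SSLv2 SSLv3 TLSv1;`, so anyone who uncomments the block verbatim enables SSLv2 and SSLv3, both of which are cryptographically broken and have been formally prohibited or deprecated (RFC 6176, RFC 7568). The example should list only TLS versions, e.g. `#    ssl_protocols  TLSv1.2;` on this branch where the linked OpenSSL supports it, adding `TLSv1.3` on nginx/OpenSSL builds that accept it. The neighbouring `ssl_ciphers HIGH:!aNULL:!MD5;` line already excludes anonymous and MD5 suites, but a cipher list does not compensate for a protocol list that permits downgrade to SSLv2/SSLv3. This sample file does not appear to be touched by the merged SSL fixes described in the changeset message; the note applies to the configuration as shown at this revision.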