Mercurial > hg > nginx-site
diff xml/en/docs/stream/ngx_stream_ssl_module.xml @ 1450:f5b5eefc43cb
Updated commercial docs for the upcoming release.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 09 Apr 2015 19:18:54 +0300 |
parents | |
children | acba294382d6 |
line wrap: on
line diff
new file mode 100644 --- /dev/null +++ b/xml/en/docs/stream/ngx_stream_ssl_module.xml @@ -0,0 +1,326 @@ +<?xml version="1.0"?> + +<!-- + Copyright (C) Nginx, Inc. + --> + +<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> + +<module name="Module ngx_stream_ssl_module" + link="/en/docs/stream/ngx_stream_ssl_module.html" + lang="en" + rev="1"> + +<section id="summary"> + +<para> +The <literal>ngx_stream_ssl_module</literal> module (1.7.10) +provides the necessary support for a stream proxy server to work with +the SSL/TLS protocol. +</para> + +<para> +<note> +This module is available as part of our +<commercial_version>commercial subscription</commercial_version>. +</note> +</para> + +</section> + + +<section id="directives" name="Directives"> + +<directive name="ssl_certificate"> +<syntax><value>file</value></syntax> +<default/> +<context>stream</context> +<context>server</context> + +<para> +Specifies a file with the certificate in the PEM format for the given +server. +If intermediate certificates should be specified in addition to a primary +certificate, they should be specified in the same file in the following +order: the primary certificate comes first, then the intermediate certificates. +A secret key in the PEM format may be placed in the same file. +</para> + +</directive> + + +<directive name="ssl_certificate_key"> +<syntax><value>file</value></syntax> +<default/> +<context>stream</context> +<context>server</context> + +<para> +Specifies a file with the secret key in the PEM format for the given +server. +</para> + +</directive> + + +<directive name="ssl_ciphers"> +<syntax><value>ciphers</value></syntax> +<default>HIGH:!aNULL:!MD5</default> +<context>stream</context> +<context>server</context> + +<para> +Specifies the enabled ciphers. +The ciphers are specified in the format understood by the +OpenSSL library, for example: +<example> +ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; +</example> +</para> + +<para> +The full list can be viewed using the +“<command>openssl ciphers</command>” command. +</para> + +</directive> + + +<directive name="ssl_dhparam"> +<syntax><value>file</value></syntax> +<default/> +<context>stream</context> +<context>server</context> + +<para> +Specifies a <value>file</value> with DH parameters for EDH ciphers. +</para> + +</directive> + + +<directive name="ssl_ecdh_curve"> +<syntax><value>curve</value></syntax> +<default>prime256v1</default> +<context>stream</context> +<context>server</context> + +<para> +Specifies a <value>curve</value> for ECDHE ciphers. +</para> + +</directive> + + +<directive name="ssl_handshake_timeout"> +<syntax><value>time</value></syntax> +<default>60s</default> +<context>stream</context> +<context>server</context> + +<para> +Specifies a timeout for the SSL handshake to complete. +</para> + +</directive> + + +<directive name="ssl_password_file"> +<syntax><value>file</value></syntax> +<default/> +<context>stream</context> +<context>server</context> + +<para> +Specifies a <value>file</value> with passphrases for +<link id="ssl_certificate_key">secret keys</link> +where each passphrase is specified on a separate line. +Passphrases are tried in turn when loading the key. +</para> + +<para> +Example: +<example> +stream { + ssl_password_file /etc/keys/global.pass; + ... + + server { + listen 127.0.0.1:12345; + ssl_certificate_key /etc/keys/first.key; + } + + server { + listen 127.0.0.1:12346; + + # named pipe can also be used instead of a file + ssl_password_file /etc/keys/fifo; + ssl_certificate_key /etc/keys/second.key; + } +} +</example> +</para> + +</directive> + + +<directive name="ssl_prefer_server_ciphers"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>off</default> +<context>stream</context> +<context>server</context> + +<para> +Specifies that server ciphers should be preferred over client ciphers +when the SSLv3 and TLS protocols are used. +</para> + +</directive> + + +<directive name="ssl_protocols"> +<syntax> + [<literal>SSLv2</literal>] + [<literal>SSLv3</literal>] + [<literal>TLSv1</literal>] + [<literal>TLSv1.1</literal>] + [<literal>TLSv1.2</literal>]</syntax> +<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default> +<context>stream</context> +<context>server</context> + +<para> +Enables the specified protocols. +The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters work +only when the OpenSSL library of version 1.0.1 or higher is used. +</para> + +</directive> + + +<directive name="ssl_session_cache"> +<syntax> + <literal>off</literal> | + <literal>none</literal> | + [<literal>builtin</literal>[:<value>size</value>]] + [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax> +<default>none</default> +<context>stream</context> +<context>server</context> + +<para> +Sets the types and sizes of caches that store session parameters. +A cache can be of any of the following types: +<list type="tag"> + +<tag-name><literal>off</literal></tag-name> +<tag-desc> +the use of a session cache is strictly prohibited: +nginx explicitly tells a client that sessions may not be reused. +</tag-desc> + +<tag-name><literal>none</literal></tag-name> +<tag-desc> +the use of a session cache is gently disallowed: +nginx tells a client that sessions may be reused, but does not +actually store session parameters in the cache. +</tag-desc> + +<tag-name><literal>builtin</literal></tag-name> +<tag-desc> +a cache built in OpenSSL; used by one worker process only. +The cache size is specified in sessions. +If size is not given, it is equal to 20480 sessions. +Use of the built-in cache can cause memory fragmentation. +</tag-desc> + +<tag-name><literal>shared</literal></tag-name> +<tag-desc> +a cache shared between all worker processes. +The cache size is specified in bytes; one megabyte can store +about 4000 sessions. +Each shared cache should have an arbitrary name. +A cache with the same name can be used in several +servers. +</tag-desc> + +</list> +</para> + +<para> +Both cache types can be used simultaneously, for example: +<example> +ssl_session_cache builtin:1000 shared:SSL:10m; +</example> +but using only shared cache without the built-in cache should +be more efficient. +</para> + +</directive> + + +<directive name="ssl_session_ticket_key"> +<syntax><value>file</value></syntax> +<default/> +<context>stream</context> +<context>server</context> + +<para> +Sets a <value>file</value> with the secret key used to encrypt +and decrypt TLS session tickets. +The directive is necessary if the same key has to be shared between +multiple servers. +By default, a randomly generated key is used. +</para> + +<para> +If several keys are specified, only the first key is +used to encrypt TLS session tickets. +This allows configuring key rotation, for example: +<example> +ssl_session_ticket_key current.key; +ssl_session_ticket_key previous.key; +</example> +</para> + +<para> +The <value>file</value> must contain 48 bytes of random data and can +be created using the following command: +<example> +openssl rand 48 > ticket.key +</example> +</para> + +</directive> + + +<directive name="ssl_session_tickets"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>on</default> +<context>stream</context> +<context>server</context> + +<para> +Enables or disables session resumption through +<link url="http://tools.ietf.org/html/rfc5077">TLS session tickets</link>. +</para> + +</directive> + + +<directive name="ssl_session_timeout"> +<syntax><value>time</value></syntax> +<default>5m</default> +<context>stream</context> +<context>server</context> + +<para> +Specifies a time during which a client may reuse the +session parameters stored in a cache. +</para> + +</directive> + +</section> + +</module>