Mercurial > hg > nginx-site
view xml/en/docs/http/ngx_http_core_module.xml @ 3043:9eadb98ec770
Free nginx: removed commercial version documentation.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Wed, 14 Feb 2024 20:05:49 +0300 |
| parents | cbd963190c15 |
| children | 3b5594157fab |
line wrap: on
line source
<?xml version="1.0"?> <!-- Copyright (C) Igor Sysoev Copyright (C) Nginx, Inc. --> <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> <module name="Module ngx_http_core_module" link="/en/docs/http/ngx_http_core_module.html" lang="en" rev="107"> <section id="directives" name="Directives"> <directive name="absolute_redirect"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.11.8</appeared-in> <para> If disabled, redirects issued by nginx will be relative. </para> <para> See also <link id="server_name_in_redirect"/> and <link id="port_in_redirect"/> directives. </para> </directive> <directive name="aio"> <syntax> <literal>on</literal> | <literal>off</literal> | <literal>threads</literal>[<literal>=</literal><value>pool</value>]</syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>0.8.11</appeared-in> <para> Enables or disables the use of asynchronous file I/O (AIO) on FreeBSD and Linux: <example> location /video/ { aio on; output_buffers 1 64k; } </example> </para> <para> On FreeBSD, AIO can be used starting from FreeBSD 4.3. Prior to FreeBSD 11.0, AIO can either be linked statically into a kernel: <example> options VFS_AIO </example> or loaded dynamically as a kernel loadable module: <example> kldload aio </example> </para> <!-- <para> In FreeBSD versions 5 and 6, enabling AIO statically, or dynamically when booting the kernel, will cause the entire networking subsystem to use the Giant lock, which can impact overall performance negatively. This limitation has been removed in FreeBSD 6.4-STABLE in 2009, and in FreeBSD 7. However, starting from FreeBSD 5.3 it is possible to enable AIO without the penalty of running the networking subsystem under a Giant lock—for this to work, the AIO module needs to be loaded after the kernel has booted. In this case, the following message will appear in <path>/var/log/messages</path> <example> WARNING: Network stack Giant-free, but aio requires Giant. Consider adding 'options NET_WITH_GIANT' or setting debug.mpsafenet=0 </example> and can safely be ignored. <note> The requirement to use the Giant lock with AIO is related to the fact that FreeBSD supports asynchronous calls <c-func>aio_read</c-func> and <c-func>aio_write</c-func> when working with sockets. However, since nginx uses AIO only for disk I/O, no problems should arise. </note> </para> --> <para> On Linux, AIO can be used starting from kernel version 2.6.22. Also, it is necessary to enable <link id="directio"/>, or otherwise reading will be blocking: <example> location /video/ { aio on; directio 512; output_buffers 1 128k; } </example> </para> <para> On Linux, <link id="directio"/> can only be used for reading blocks that are aligned on 512-byte boundaries (or 4K for XFS). File’s unaligned end is read in blocking mode. The same holds true for byte range requests and for FLV requests not from the beginning of a file: reading of unaligned data at the beginning and end of a file will be blocking. </para> <para> When both AIO and <link id="sendfile"/> are enabled on Linux, AIO is used for files that are larger than or equal to the size specified in the <link id="directio"/> directive, while <link id="sendfile"/> is used for files of smaller sizes or when <link id="directio"/> is disabled. <example> location /video/ { sendfile on; aio on; directio 8m; } </example> </para> <para> Finally, files can be read and <link id="sendfile">sent</link> using multi-threading (1.7.11), without blocking a worker process: <example> location /video/ { sendfile on; aio threads; } </example> Read and send file operations are offloaded to threads of the specified <link doc="../ngx_core_module.xml" id="thread_pool">pool</link>. If the pool name is omitted, the pool with the name “<literal>default</literal>” is used. The pool name can also be set with variables: <example> aio threads=pool$disk; </example> By default, multi-threading is disabled, it should be enabled with the <literal>--with-threads</literal> configuration parameter. Currently, multi-threading is compatible only with the <link doc="../events.xml" id="epoll"/>, <link doc="../events.xml" id="kqueue"/>, and <link doc="../events.xml" id="eventport"/> methods. Multi-threaded sending of files is only supported on Linux. </para> <para> See also the <link id="sendfile"/> directive. </para> </directive> <directive name="aio_write"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.9.13</appeared-in> <para> If <link id="aio"/> is enabled, specifies whether it is used for writing files. Currently, this only works when using <literal>aio threads</literal> and is limited to writing temporary files with data received from proxied servers. </para> </directive> <directive name="alias"> <syntax><value>path</value></syntax> <default/> <context>location</context> <para> Defines a replacement for the specified location. For example, with the following configuration <example> location /i/ { alias /data/w3/images/; } </example> on request of “<literal>/i/top.gif</literal>”, the file <path>/data/w3/images/top.gif</path> will be sent. </para> <para> The <value>path</value> value can contain variables, except <var>$document_root</var> and <var>$realpath_root</var>. </para> <para> If <literal>alias</literal> is used inside a location defined with a regular expression then such regular expression should contain captures and <literal>alias</literal> should refer to these captures (0.7.40), for example: <example> location ~ ^/users/(.+\.(?:gif|jpe?g|png))$ { alias /data/w3/images/$1; } </example> </para> <para> When location matches the last part of the directive’s value: <example> location /images/ { alias /data/w3/images/; } </example> it is better to use the <link id="root"/> directive instead: <example> location /images/ { root /data/w3; } </example> </para> </directive> <directive name="auth_delay"> <syntax><value>time</value></syntax> <default>0s</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.17.10</appeared-in> <para> Delays processing of unauthorized requests with 401 response code to prevent timing attacks when access is limited by <link doc="ngx_http_auth_basic_module.xml">password</link> or by the <link doc="ngx_http_auth_request_module.xml">result of subrequest</link>. </para> </directive> <directive name="chunked_transfer_encoding"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <para> Allows disabling chunked transfer encoding in HTTP/1.1. It may come in handy when using a software failing to support chunked encoding despite the standard’s requirement. </para> </directive> <directive name="client_body_buffer_size"> <syntax><value>size</value></syntax> <default>8k|16k</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a <link id="client_body_temp_path">temporary file</link>. By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms. </para> </directive> <directive name="client_body_in_file_only"> <syntax> <literal>on</literal> | <literal>clean</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Determines whether nginx should save the entire client request body into a file. This directive can be used during debugging, or when using the <var>$request_body_file</var> variable, or the <link doc="ngx_http_perl_module.xml" id="methods">$r->request_body_file</link> method of the module <link doc="ngx_http_perl_module.xml">ngx_http_perl_module</link>. </para> <para> When set to the value <literal>on</literal>, temporary files are not removed after request processing. </para> <para> The value <literal>clean</literal> will cause the temporary files left after request processing to be removed. </para> </directive> <directive name="client_body_in_single_buffer"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Determines whether nginx should save the entire client request body in a single buffer. The directive is recommended when using the <var>$request_body</var> variable, to save the number of copy operations involved. </para> </directive> <directive name="client_body_temp_path"> <syntax> <value>path</value> [<value>level1</value> [<value>level2</value> [<value>level3</value>]]]</syntax> <default>client_body_temp</default> <context>http</context> <context>server</context> <context>location</context> <para> Defines a directory for storing temporary files holding client request bodies. Up to three-level subdirectory hierarchy can be used under the specified directory. For example, in the following configuration <example> client_body_temp_path /spool/nginx/client_temp 1 2; </example> a path to a temporary file might look like this: <example> /spool/nginx/client_temp/7/45/00000123457 </example> </para> </directive> <directive name="client_body_timeout"> <syntax><value>time</value></syntax> <default>60s</default> <context>http</context> <context>server</context> <context>location</context> <para> Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the request is terminated with the <http-status code="408" text="Request Time-out"/> error. </para> </directive> <directive name="client_header_buffer_size"> <syntax><value>size</value></syntax> <default>1k</default> <context>http</context> <context>server</context> <para> Sets buffer size for reading client request header. For most requests, a buffer of 1K bytes is enough. However, if a request includes long cookies, or comes from a WAP client, it may not fit into 1K. If a request line or a request header field does not fit into this buffer then larger buffers, configured by the <link id="large_client_header_buffers"/> directive, are allocated. </para> <para> If the directive is specified on the <link id="server"/> level, the value from the default server can be used. Details are provided in the “<link doc="server_names.xml" id="virtual_server_selection">Virtual server selection</link>” section. </para> </directive> <directive name="client_header_timeout"> <syntax><value>time</value></syntax> <default>60s</default> <context>http</context> <context>server</context> <para> Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the request is terminated with the <http-status code="408" text="Request Time-out"/> error. </para> </directive> <directive name="client_max_body_size"> <syntax><value>size</value></syntax> <default>1m</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets the maximum allowed size of the client request body. If the size in a request exceeds the configured value, the <http-status code="413" text="Request Entity Too Large"/> error is returned to the client. Please be aware that <!--link doc="/web/upload.xml"-->browsers cannot correctly display this error<!--/link-->. Setting <value>size</value> to 0 disables checking of client request body size. </para> </directive> <directive name="connection_pool_size"> <syntax><value>size</value></syntax> <default>256|512</default> <context>http</context> <context>server</context> <para> Allows accurate tuning of per-connection memory allocations. This directive has minimal impact on performance and should not generally be used. By default, the size is equal to 256 bytes on 32-bit platforms and 512 bytes on 64-bit platforms. <note> Prior to version 1.9.8, the default value was 256 on all platforms. </note> </para> </directive> <directive name="default_type"> <syntax><value>mime-type</value></syntax> <default>text/plain</default> <context>http</context> <context>server</context> <context>location</context> <para> Defines the default MIME type of a response. Mapping of file name extensions to MIME types can be set with the <link id="types"/> directive. </para> </directive> <directive name="directio"> <syntax><value>size</value> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>0.7.7</appeared-in> <para> Enables the use of the <c-def>O_DIRECT</c-def> flag (FreeBSD, Linux), the <c-def>F_NOCACHE</c-def> flag (macOS), or the <c-func>directio</c-func> function (Solaris), when reading files that are larger than or equal to the specified <value>size</value>. The directive automatically disables (0.7.15) the use of <link id="sendfile"/> for a given request. It can be useful for serving large files: <example> directio 4m; </example> or when using <link id="aio"/> on Linux. </para> </directive> <directive name="directio_alignment"> <syntax><value>size</value></syntax> <default>512</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>0.8.11</appeared-in> <para> Sets the alignment for <link id="directio"/>. In most cases, a 512-byte alignment is enough. However, when using XFS under Linux, it needs to be increased to 4K. </para> </directive> <directive name="disable_symlinks"> <syntax><literal>off</literal></syntax> <syntax> <literal>on</literal> | <literal>if_not_owner</literal> [<literal>from</literal>=<value>part</value>]</syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.1.15</appeared-in> <para> Determines how symbolic links should be treated when opening files: <list type="tag"> <tag-name><literal>off</literal></tag-name> <tag-desc> Symbolic links in the pathname are allowed and not checked. This is the default behavior. </tag-desc> <tag-name><literal>on</literal></tag-name> <tag-desc> If any component of the pathname is a symbolic link, access to a file is denied. </tag-desc> <tag-name><literal>if_not_owner</literal></tag-name> <tag-desc> Access to a file is denied if any component of the pathname is a symbolic link, and the link and object that the link points to have different owners. </tag-desc> <tag-name><literal>from</literal>=<value>part</value></tag-name> <tag-desc> When checking symbolic links (parameters <literal>on</literal> and <literal>if_not_owner</literal>), all components of the pathname are normally checked. Checking of symbolic links in the initial part of the pathname may be avoided by specifying additionally the <literal>from</literal>=<value>part</value> parameter. In this case, symbolic links are checked only from the pathname component that follows the specified initial part. If the value is not an initial part of the pathname checked, the whole pathname is checked as if this parameter was not specified at all. If the value matches the whole file name, symbolic links are not checked. The parameter value can contain variables. </tag-desc> </list> </para> <para> Example: <example> disable_symlinks on from=$document_root; </example> </para> <para> This directive is only available on systems that have the <c-func>openat</c-func> and <c-func>fstatat</c-func> interfaces. Such systems include modern versions of FreeBSD, Linux, and Solaris. </para> <para> Parameters <literal>on</literal> and <literal>if_not_owner</literal> add a processing overhead. <note> On systems that do not support opening of directories only for search, to use these parameters it is required that worker processes have read permissions for all directories being checked. </note> </para> <para> <note> The <link doc="ngx_http_autoindex_module.xml">ngx_http_autoindex_module</link>, <link doc="ngx_http_random_index_module.xml">ngx_http_random_index_module</link>, and <link doc="ngx_http_dav_module.xml">ngx_http_dav_module</link> modules currently ignore this directive. </note> </para> </directive> <directive name="error_page"> <syntax> <value>code</value> ... [<literal>=</literal>[<value>response</value>]] <value>uri</value></syntax> <default/> <context>http</context> <context>server</context> <context>location</context> <context>if in location</context> <para> Defines the URI that will be shown for the specified errors. A <value>uri</value> value can contain variables. </para> <para> Example: <example> error_page 404 /404.html; error_page 500 502 503 504 /50x.html; </example> </para> <para> This causes an internal redirect to the specified <value>uri</value> with the client request method changed to “<literal>GET</literal>” (for all methods other than “<literal>GET</literal>” and “<literal>HEAD</literal>”). </para> <para> Furthermore, it is possible to change the response code to another using the “<literal>=</literal><value>response</value>” syntax, for example: <example> error_page 404 =200 /empty.gif; </example> </para> <para> If an error response is processed by a proxied server or a FastCGI/uwsgi/SCGI/gRPC server, and the server may return different response codes (e.g., 200, 302, 401 or 404), it is possible to respond with the code it returns: <example> error_page 404 = /404.php; </example> </para> <para> If there is no need to change URI and method during internal redirection it is possible to pass error processing into a named location: <example> location / { error_page 404 = @fallback; } location @fallback { proxy_pass http://backend; } </example> </para> <para> <note> If <value>uri</value> processing leads to an error, the status code of the last occurred error is returned to the client. </note> </para> <para> It is also possible to use URL redirects for error processing: <example> error_page 403 http://example.com/forbidden.html; error_page 404 =301 http://example.com/notfound.html; </example> In this case, by default, the response code 302 is returned to the client. It can only be changed to one of the redirect status codes (301, 302, 303, 307, and 308). <note> The code 307 was not treated as a redirect until versions 1.1.16 and 1.0.13. </note> <note> The code 308 was not treated as a redirect until version 1.13.0. </note> </para> <para> These directives are inherited from the previous configuration level if and only if there are no <literal>error_page</literal> directives defined on the current level. </para> </directive> <directive name="etag"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.3.3</appeared-in> <para> Enables or disables automatic generation of the <header>ETag</header> response header field for static resources. </para> </directive> <directive name="http"> <syntax block="yes"/> <default/> <context>main</context> <para> Provides the configuration file context in which the HTTP server directives are specified. </para> </directive> <directive name="if_modified_since"> <syntax> <literal>off</literal> | <literal>exact</literal> | <literal>before</literal></syntax> <default>exact</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>0.7.24</appeared-in> <para> Specifies how to compare modification time of a response with the time in the <header>If-Modified-Since</header> request header field: <list type="tag"> <tag-name><literal>off</literal></tag-name> <tag-desc> the response is always considered modified (0.7.34); </tag-desc> <tag-name><literal>exact</literal></tag-name> <tag-desc> exact match; </tag-desc> <tag-name><literal>before</literal></tag-name> <tag-desc> modification time of the response is less than or equal to the time in the <header>If-Modified-Since</header> request header field. </tag-desc> </list> </para> </directive> <directive name="ignore_invalid_headers"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <para> Controls whether header fields with invalid names should be ignored. Valid names are composed of English letters, digits, hyphens, and possibly underscores (as controlled by the <link id="underscores_in_headers"/> directive). </para> <para> If the directive is specified on the <link id="server"/> level, the value from the default server can be used. Details are provided in the “<link doc="server_names.xml" id="virtual_server_selection">Virtual server selection</link>” section. </para> </directive> <directive name="internal"> <syntax/> <default/> <context>location</context> <para> Specifies that a given location can only be used for internal requests. For external requests, the client error <http-status code="404" text="Not Found"/> is returned. Internal requests are the following: <list type="bullet"> <listitem> requests redirected by the <link id="error_page"/>, <link doc="ngx_http_index_module.xml" id="index"/>, <link doc="ngx_http_random_index_module.xml" id="random_index"/>, and <link id="try_files"/> directives; </listitem> <listitem> requests redirected by the <header>X-Accel-Redirect</header> response header field from an upstream server; </listitem> <listitem> subrequests formed by the “<command>include virtual</command>” command of the <link doc="ngx_http_ssi_module.xml">ngx_http_ssi_module</link> module, by the <link doc="ngx_http_addition_module.xml">ngx_http_addition_module</link> module directives, and by <link doc="ngx_http_auth_request_module.xml" id="auth_request"/> and <link doc="ngx_http_mirror_module.xml" id="mirror"/> directives; </listitem> <listitem> requests changed by the <link doc="ngx_http_rewrite_module.xml" id="rewrite"/> directive. </listitem> </list> </para> <para> Example: <example> error_page 404 /404.html; location = /404.html { internal; } </example> <note> There is a limit of 10 internal redirects per request to prevent request processing cycles that can occur in incorrect configurations. If this limit is reached, the error <http-status code="500" text="Internal Server Error"/> is returned. In such cases, the “rewrite or internal redirection cycle” message can be seen in the error log. </note> </para> </directive> <directive name="keepalive_disable"> <syntax><literal>none</literal> | <value>browser</value> ...</syntax> <default>msie6</default> <context>http</context> <context>server</context> <context>location</context> <para> Disables keep-alive connections with misbehaving browsers. The <value>browser</value> parameters specify which browsers will be affected. The value <literal>msie6</literal> disables keep-alive connections with old versions of MSIE, once a POST request is received. The value <literal>safari</literal> disables keep-alive connections with Safari and Safari-like browsers on macOS and macOS-like operating systems. The value <literal>none</literal> enables keep-alive connections with all browsers. <note> Prior to version 1.1.18, the value <literal>safari</literal> matched all Safari and Safari-like browsers on all operating systems, and keep-alive connections with them were disabled by default. </note> </para> </directive> <directive name="keepalive_requests"> <syntax><value>number</value></syntax> <default>1000</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>0.8.0</appeared-in> <para> Sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed. </para> <para> Closing connections periodically is necessary to free per-connection memory allocations. Therefore, using too high maximum number of requests could result in excessive memory usage and not recommended. </para> <para> <note> Prior to version 1.19.10, the default value was 100. </note> </para> </directive> <directive name="keepalive_time"> <syntax><value>time</value></syntax> <default>1h</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.19.10</appeared-in> <para> Limits the maximum time during which requests can be processed through one keep-alive connection. After this time is reached, the connection is closed following the subsequent request processing. </para> </directive> <directive name="keepalive_timeout"> <syntax> <value>timeout</value> [<value>header_timeout</value>]</syntax> <default>75s</default> <context>http</context> <context>server</context> <context>location</context> <para> The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the <header>Keep-Alive: timeout=<value>time</value></header> response header field. Two parameters may differ. </para> <para> The <header>Keep-Alive: timeout=<value>time</value></header> header field is recognized by Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about 60 seconds. </para> </directive> <directive name="large_client_header_buffers"> <syntax><value>number</value> <value>size</value></syntax> <default>4 8k</default> <context>http</context> <context>server</context> <para> Sets the maximum <value>number</value> and <value>size</value> of buffers used for reading large client request header. A request line cannot exceed the size of one buffer, or the <http-status code="414" text="Request-URI Too Large"/> error is returned to the client. A request header field cannot exceed the size of one buffer as well, or the <http-status code="400" text="Bad Request"/> error is returned to the client. Buffers are allocated only on demand. By default, the buffer size is equal to 8K bytes. If after the end of request processing a connection is transitioned into the keep-alive state, these buffers are released. </para> <para> If the directive is specified on the <link id="server"/> level, the value from the default server can be used. Details are provided in the “<link doc="server_names.xml" id="virtual_server_selection">Virtual server selection</link>” section. </para> </directive> <directive name="limit_except"> <syntax block="yes"><value>method</value> ...</syntax> <default/> <context>location</context> <para> Limits allowed HTTP methods inside a location. The <value>method</value> parameter can be one of the following: <literal>GET</literal>, <literal>HEAD</literal>, <literal>POST</literal>, <literal>PUT</literal>, <literal>DELETE</literal>, <literal>MKCOL</literal>, <literal>COPY</literal>, <literal>MOVE</literal>, <literal>OPTIONS</literal>, <literal>PROPFIND</literal>, <literal>PROPPATCH</literal>, <literal>LOCK</literal>, <literal>UNLOCK</literal>, or <literal>PATCH</literal>. Allowing the <literal>GET</literal> method makes the <literal>HEAD</literal> method also allowed. Access to other methods can be limited using the <link doc="ngx_http_access_module.xml">ngx_http_access_module</link> and <link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link> modules directives: <example> limit_except GET { allow 192.168.1.0/32; deny all; } </example> Please note that this will limit access to all methods <emphasis>except</emphasis> GET and HEAD. </para> </directive> <directive name="limit_rate"> <syntax><value>rate</value></syntax> <default>0</default> <context>http</context> <context>server</context> <context>location</context> <context>if in location</context> <para> Limits the rate of response transmission to a client. The <value>rate</value> is specified in bytes per second. The zero value disables rate limiting. <!-- The smaller the rate, the more accurate will be the limitation. --> The limit is set per a request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit. </para> <para> Parameter value can contain variables (1.17.0). It may be useful in cases where rate should be limited depending on a certain condition: <example> map $slow $rate { 1 4k; 2 8k; } limit_rate $rate; </example> </para> <para> Rate limit can also be set in the <link id="var_limit_rate"><var>$limit_rate</var></link> variable, however, since version 1.17.0, this method is not recommended: <example> server { if ($slow) { set $limit_rate 4k; } ... } </example> </para> <para> Rate limit can also be set in the <header>X-Accel-Limit-Rate</header> header field of a proxied server response. This capability can be disabled using the <link doc="ngx_http_proxy_module.xml" id="proxy_ignore_headers"/>, <link doc="ngx_http_fastcgi_module.xml" id="fastcgi_ignore_headers"/>, <link doc="ngx_http_uwsgi_module.xml" id="uwsgi_ignore_headers"/>, and <link doc="ngx_http_scgi_module.xml" id="scgi_ignore_headers"/> directives. </para> </directive> <directive name="limit_rate_after"> <syntax><value>size</value></syntax> <default>0</default> <context>http</context> <context>server</context> <context>location</context> <context>if in location</context> <appeared-in>0.8.0</appeared-in> <para> Sets the initial amount after which the further transmission of a response to a client will be rate limited. Parameter value can contain variables (1.17.0). </para> <para> Example: <example> location /flv/ { flv; limit_rate_after 500k; limit_rate 50k; } </example> </para> </directive> <directive name="lingering_close"> <syntax> <literal>off</literal> | <literal>on</literal> | <literal>always</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.1.0</appeared-in> <appeared-in>1.0.6</appeared-in> <para> Controls how nginx closes client connections. </para> <para> The default value “<literal>on</literal>” instructs nginx to <link id="lingering_timeout">wait for</link> and <link id="lingering_time">process</link> additional data from a client before fully closing a connection, but only if heuristics suggests that a client may be sending more data. </para> <para> The value “<literal>always</literal>” will cause nginx to unconditionally wait for and process additional client data. </para> <para> The value “<literal>off</literal>” tells nginx to never wait for more data and close the connection immediately. This behavior breaks the protocol and should not be used under normal circumstances. </para> <para> To control closing <link doc="ngx_http_v2_module.xml">HTTP/2</link> connections, the directive must be specified on the <link id="server"/> level (1.19.1). </para> </directive> <directive name="lingering_time"> <syntax><value>time</value></syntax> <default>30s</default> <context>http</context> <context>server</context> <context>location</context> <para> When <link id="lingering_close"/> is in effect, this directive specifies the maximum time during which nginx will process (read and ignore) additional data coming from a client. After that, the connection will be closed, even if there will be more data. </para> </directive> <directive name="lingering_timeout"> <syntax><value>time</value></syntax> <default>5s</default> <context>http</context> <context>server</context> <context>location</context> <para> When <link id="lingering_close"/> is in effect, this directive specifies the maximum waiting time for more client data to arrive. If data are not received during this time, the connection is closed. Otherwise, the data are read and ignored, and nginx starts waiting for more data again. The “wait-read-ignore” cycle is repeated, but no longer than specified by the <link id="lingering_time"/> directive. </para> </directive> <directive name="listen"> <syntax> <value>address</value>[:<value>port</value>] [<literal>default_server</literal>] [<literal>ssl</literal>] [<literal>http2</literal> | <literal>quic</literal>] [<literal>proxy_protocol</literal>] [<literal>setfib</literal>=<value>number</value>] [<literal>fastopen</literal>=<value>number</value>] [<literal>backlog</literal>=<value>number</value>] [<literal>rcvbuf</literal>=<value>size</value>] [<literal>sndbuf</literal>=<value>size</value>] [<literal>accept_filter</literal>=<value>filter</value>] [<literal>deferred</literal>] [<literal>bind</literal>] [<literal>ipv6only</literal>=<literal>on</literal>|<literal>off</literal>] [<literal>reuseport</literal>] [<literal>so_keepalive</literal>=<literal>on</literal>|<literal>off</literal>|[<value>keepidle</value>]:[<value>keepintvl</value>]:[<value>keepcnt</value>]]</syntax> <syntax> <value>port</value> [<literal>default_server</literal>] [<literal>ssl</literal>] [<literal>http2</literal> | <literal>quic</literal>] [<literal>proxy_protocol</literal>] [<literal>setfib</literal>=<value>number</value>] [<literal>fastopen</literal>=<value>number</value>] [<literal>backlog</literal>=<value>number</value>] [<literal>rcvbuf</literal>=<value>size</value>] [<literal>sndbuf</literal>=<value>size</value>] [<literal>accept_filter</literal>=<value>filter</value>] [<literal>deferred</literal>] [<literal>bind</literal>] [<literal>ipv6only</literal>=<literal>on</literal>|<literal>off</literal>] [<literal>reuseport</literal>] [<literal>so_keepalive</literal>=<literal>on</literal>|<literal>off</literal>|[<value>keepidle</value>]:[<value>keepintvl</value>]:[<value>keepcnt</value>]]</syntax> <syntax> <literal>unix:</literal><value>path</value> [<literal>default_server</literal>] [<literal>ssl</literal>] [<literal>http2</literal> | <literal>quic</literal>] [<literal>proxy_protocol</literal>] [<literal>backlog</literal>=<value>number</value>] [<literal>rcvbuf</literal>=<value>size</value>] [<literal>sndbuf</literal>=<value>size</value>] [<literal>accept_filter</literal>=<value>filter</value>] [<literal>deferred</literal>] [<literal>bind</literal>] [<literal>so_keepalive</literal>=<literal>on</literal>|<literal>off</literal>|[<value>keepidle</value>]:[<value>keepintvl</value>]:[<value>keepcnt</value>]]</syntax> <default>*:80 | *:8000</default> <context>server</context> <para> Sets the <value>address</value> and <value>port</value> for IP, or the <value>path</value> for a UNIX-domain socket on which the server will accept requests. Both <value>address</value> and <value>port</value>, or only <value>address</value> or only <value>port</value> can be specified. An <value>address</value> may also be a hostname, for example: <example> listen 127.0.0.1:8000; listen 127.0.0.1; listen 8000; listen *:8000; listen localhost:8000; </example> IPv6 addresses (0.7.36) are specified in square brackets: <example> listen [::]:8000; listen [::1]; </example> UNIX-domain sockets (0.8.21) are specified with the “<literal>unix:</literal>” prefix: <example> listen unix:/var/run/nginx.sock; </example> </para> <para> If only <value>address</value> is given, the port 80 is used. </para> <para> If the directive is not present then either <literal>*:80</literal> is used if nginx runs with the superuser privileges, or <literal>*:8000</literal> otherwise. </para> <para> The <literal>default_server</literal> parameter, if present, will cause the server to become the default server for the specified <value>address</value>:<value>port</value> pair. If none of the directives have the <literal>default_server</literal> parameter then the first server with the <value>address</value>:<value>port</value> pair will be the default server for this pair. <note> In versions prior to 0.8.21 this parameter is named simply <literal>default</literal>. </note> </para> <para> The <literal>ssl</literal> parameter (0.7.14) allows specifying that all connections accepted on this port should work in SSL mode. This allows for a more compact <link doc="configuring_https_servers.xml" id="single_http_https_server">configuration</link> for the server that handles both HTTP and HTTPS requests. </para> <para> The <literal>http2</literal> parameter (1.9.5) configures the port to accept <link doc="ngx_http_v2_module.xml">HTTP/2</link> connections. Normally, for this to work the <literal>ssl</literal> parameter should be specified as well, but nginx can also be configured to accept HTTP/2 connections without SSL. <note> The parameter is deprecated, the <link doc="ngx_http_v2_module.xml" id="http2">http2</link> directive should be used instead. </note> </para> <para id="quic"> The <literal>quic</literal> parameter (1.25.0) configures the port to accept <link doc="ngx_http_v3_module.xml">QUIC</link> connections. </para> <para> The <literal>proxy_protocol</literal> parameter (1.5.12) allows specifying that all connections accepted on this port should use the <link url="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">PROXY protocol</link>. <note> The PROXY protocol version 2 is supported since version 1.13.11. </note> </para> <para> The <literal>listen</literal> directive can have several additional parameters specific to socket-related system calls. These parameters can be specified in any <literal>listen</literal> directive, but only once for a given <value>address</value>:<value>port</value> pair. <note> In versions prior to 0.8.21, they could only be specified in the <literal>listen</literal> directive together with the <literal>default</literal> parameter. </note> <list type="tag"> <tag-name> <literal>setfib</literal>=<value>number</value> </tag-name> <tag-desc> this parameter (0.8.44) sets the associated routing table, FIB (the <c-def>SO_SETFIB</c-def> option) for the listening socket. This currently works only on FreeBSD. </tag-desc> <tag-name> <literal>fastopen</literal>=<value>number</value> </tag-name> <tag-desc> enables “<link url="http://en.wikipedia.org/wiki/TCP_Fast_Open">TCP Fast Open</link>” for the listening socket (1.5.8) and <link url="https://datatracker.ietf.org/doc/html/rfc7413#section-5.1">limits</link> the maximum length for the queue of connections that have not yet completed the three-way handshake. <note> Do not enable this feature unless the server can handle receiving the <link url="https://datatracker.ietf.org/doc/html/rfc7413#section-6.1"> same SYN packet with data</link> more than once. </note> </tag-desc> <tag-name> <literal>backlog</literal>=<value>number</value> </tag-name> <tag-desc> sets the <literal>backlog</literal> parameter in the <c-func>listen</c-func> call that limits the maximum length for the queue of pending connections. By default, <literal>backlog</literal> is set to -1 on FreeBSD, DragonFly BSD, and macOS, and to 511 on other platforms. </tag-desc> <tag-name> <literal>rcvbuf</literal>=<value>size</value> </tag-name> <tag-desc> sets the receive buffer size (the <c-def>SO_RCVBUF</c-def> option) for the listening socket. </tag-desc> <tag-name> <literal>sndbuf</literal>=<value>size</value> </tag-name> <tag-desc> sets the send buffer size (the <c-def>SO_SNDBUF</c-def> option) for the listening socket. </tag-desc> <tag-name> <literal>accept_filter</literal>=<value>filter</value> </tag-name> <tag-desc> sets the name of accept filter (the <c-def>SO_ACCEPTFILTER</c-def> option) for the listening socket that filters incoming connections before passing them to <c-func>accept</c-func>. This works only on FreeBSD and NetBSD 5.0+. Possible values are <link url="http://man.freebsd.org/accf_data">dataready</link> and <link url="http://man.freebsd.org/accf_http">httpready</link>. </tag-desc> <tag-name> <literal>deferred</literal> </tag-name> <tag-desc> instructs to use a deferred <c-func>accept</c-func> (the <c-def>TCP_DEFER_ACCEPT</c-def> socket option) on Linux. </tag-desc> <tag-name> <literal>bind</literal> </tag-name> <tag-desc> instructs to make a separate <c-func>bind</c-func> call for a given <value>address</value>:<value>port</value> pair. This is useful because if there are several <literal>listen</literal> directives with the same port but different addresses, and one of the <literal>listen</literal> directives listens on all addresses for the given port (<literal>*:</literal><value>port</value>), nginx will <c-func>bind</c-func> only to <literal>*:</literal><value>port</value>. It should be noted that the <c-func>getsockname</c-func> system call will be made in this case to determine the address that accepted the connection. If the <literal>setfib</literal>, <literal>fastopen</literal>, <literal>backlog</literal>, <literal>rcvbuf</literal>, <literal>sndbuf</literal>, <literal>accept_filter</literal>, <literal>deferred</literal>, <literal>ipv6only</literal>, <literal>reuseport</literal>, or <literal>so_keepalive</literal> parameters are used then for a given <value>address</value>:<value>port</value> pair a separate <c-func>bind</c-func> call will always be made. </tag-desc> <tag-name> <literal>ipv6only</literal>=<literal>on</literal>|<literal>off</literal> </tag-name> <tag-desc> this parameter (0.7.42) determines (via the <c-def>IPV6_V6ONLY</c-def> socket option) whether an IPv6 socket listening on a wildcard address <literal>[::]</literal> will accept only IPv6 connections or both IPv6 and IPv4 connections. This parameter is turned on by default. It can only be set once on start. <note> Prior to version 1.3.4, if this parameter was omitted then the operating system’s settings were in effect for the socket. </note> </tag-desc> <tag-name id="reuseport"> <literal>reuseport</literal> </tag-name> <tag-desc> this parameter (1.9.1) instructs to create an individual listening socket for each worker process (using the <c-def>SO_REUSEPORT</c-def> socket option on Linux 3.9+ and DragonFly BSD, or <c-def>SO_REUSEPORT_LB</c-def> on FreeBSD 12+), allowing a kernel to distribute incoming connections between worker processes. This currently works only on Linux 3.9+, DragonFly BSD, and FreeBSD 12+ (1.15.1). <note> Inappropriate use of this option may have its security <link url="http://man7.org/linux/man-pages/man7/socket.7.html">implications</link>. </note> </tag-desc> <tag-name> <literal>so_keepalive</literal>=<literal>on</literal>|<literal>off</literal>|[<value>keepidle</value>]:[<value>keepintvl</value>]:[<value>keepcnt</value>] </tag-name> <tag-desc> this parameter (1.1.11) configures the “TCP keepalive” behavior for the listening socket. If this parameter is omitted then the operating system’s settings will be in effect for the socket. If it is set to the value “<literal>on</literal>”, the <c-def>SO_KEEPALIVE</c-def> option is turned on for the socket. If it is set to the value “<literal>off</literal>”, the <c-def>SO_KEEPALIVE</c-def> option is turned off for the socket. Some operating systems support setting of TCP keepalive parameters on a per-socket basis using the <c-def>TCP_KEEPIDLE</c-def>, <c-def>TCP_KEEPINTVL</c-def>, and <c-def>TCP_KEEPCNT</c-def> socket options. On such systems (currently, Linux 2.4+, NetBSD 5+, and FreeBSD 9.0-STABLE), they can be configured using the <value>keepidle</value>, <value>keepintvl</value>, and <value>keepcnt</value> parameters. One or two parameters may be omitted, in which case the system default setting for the corresponding socket option will be in effect. For example, <example>so_keepalive=30m::10</example> will set the idle timeout (<c-def>TCP_KEEPIDLE</c-def>) to 30 minutes, leave the probe interval (<c-def>TCP_KEEPINTVL</c-def>) at its system default, and set the probes count (<c-def>TCP_KEEPCNT</c-def>) to 10 probes. </tag-desc> </list> </para> <para> Example: <example> listen 127.0.0.1 default_server accept_filter=dataready backlog=1024; </example> </para> </directive> <directive name="location"> <syntax block="yes">[ <literal>=</literal> | <literal>~</literal> | <literal>~*</literal> | <literal>^~</literal> ] <value>uri</value></syntax> <syntax block="yes"><literal>@</literal><value>name</value></syntax> <default/> <context>server</context> <context>location</context> <para> Sets configuration depending on a request URI. </para> <para> The matching is performed against a normalized URI, after decoding the text encoded in the “<literal>%XX</literal>” form, resolving references to relative path components “<literal>.</literal>” and “<literal>..</literal>”, and possible <link id="merge_slashes">compression</link> of two or more adjacent slashes into a single slash. </para> <para> A location can either be defined by a prefix string, or by a regular expression. Regular expressions are specified with the preceding “<literal>~*</literal>” modifier (for case-insensitive matching), or the “<literal>~</literal>” modifier (for case-sensitive matching). To find location matching a given request, nginx first checks locations defined using the prefix strings (prefix locations). Among them, the location with the longest matching prefix is selected and remembered. Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used. If no match with a regular expression is found then the configuration of the prefix location remembered earlier is used. </para> <para> <literal>location</literal> blocks can be nested, with some exceptions mentioned below. </para> <para> For case-insensitive operating systems such as macOS and Cygwin, matching with prefix strings ignores a case (0.7.7). However, comparison is limited to one-byte locales. </para> <para> Regular expressions can contain captures (0.7.40) that can later be used in other directives. </para> <para> If the longest matching prefix location has the “<literal>^~</literal>” modifier then regular expressions are not checked. </para> <para> Also, using the “<literal>=</literal>” modifier it is possible to define an exact match of URI and location. If an exact match is found, the search terminates. For example, if a “<literal>/</literal>” request happens frequently, defining “<literal>location = /</literal>” will speed up the processing of these requests, as search terminates right after the first comparison. Such a location cannot obviously contain nested locations. </para> <para> <note> In versions from 0.7.1 to 0.8.41, if a request matched the prefix location without the “<literal>=</literal>” and “<literal>^~</literal>” modifiers, the search also terminated and regular expressions were not checked. </note> </para> <para> Let’s illustrate the above by an example: <example> location = / { [ configuration A ] } location / { [ configuration B ] } location /documents/ { [ configuration C ] } location ^~ /images/ { [ configuration D ] } location ~* \.(gif|jpg|jpeg)$ { [ configuration E ] } </example> The “<literal>/</literal>” request will match configuration A, the “<literal>/index.html</literal>” request will match configuration B, the “<literal>/documents/document.html</literal>” request will match configuration C, the “<literal>/images/1.gif</literal>” request will match configuration D, and the “<literal>/documents/1.jpg</literal>” request will match configuration E. </para> <para id="location_named"> The “<literal>@</literal>” prefix defines a named location. Such a location is not used for a regular request processing, but instead used for request redirection. They cannot be nested, and cannot contain nested locations. </para> <para> If a location is defined by a prefix string that ends with the slash character, and requests are processed by one of <link doc="ngx_http_proxy_module.xml" id="proxy_pass"/>, <link doc="ngx_http_fastcgi_module.xml" id="fastcgi_pass"/>, <link doc="ngx_http_uwsgi_module.xml" id="uwsgi_pass"/>, <link doc="ngx_http_scgi_module.xml" id="scgi_pass"/>, <link doc="ngx_http_memcached_module.xml" id="memcached_pass"/>, or <link doc="ngx_http_grpc_module.xml" id="grpc_pass"/>, then the special processing is performed. In response to a request with URI equal to this string, but without the trailing slash, a permanent redirect with the code 301 will be returned to the requested URI with the slash appended. If this is not desired, an exact match of the URI and location could be defined like this: <example> location /user/ { proxy_pass http://user.example.com; } location = /user { proxy_pass http://login.example.com; } </example> </para> <!-- <migration from="Apache" directive="Location" /> --> </directive> <directive name="log_not_found"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables logging of errors about not found files into <link doc="../ngx_core_module.xml" id="error_log"/>. </para> </directive> <directive name="log_subrequest"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables logging of subrequests into <link doc="ngx_http_log_module.xml" id="access_log"/>. </para> </directive> <directive name="max_ranges"> <syntax><value>number</value></syntax> <default/> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.1.2</appeared-in> <para> Limits the maximum allowed number of ranges in byte-range requests. Requests that exceed the limit are processed as if there were no byte ranges specified. By default, the number of ranges is not limited. The zero value disables the byte-range support completely. </para> </directive> <directive name="merge_slashes"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <para> Enables or disables compression of two or more adjacent slashes in a URI into a single slash. </para> <para> Note that compression is essential for the correct matching of prefix string and regular expression locations. Without it, the “<literal>//scripts/one.php</literal>” request would not match <example> location /scripts/ { ... } </example> and might be processed as a static file. So it gets converted to “<literal>/scripts/one.php</literal>”. </para> <para> Turning the compression <literal>off</literal> can become necessary if a URI contains base64-encoded names, since base64 uses the “<literal>/</literal>” character internally. However, for security considerations, it is better to avoid turning the compression off. </para> <para> If the directive is specified on the <link id="server"/> level, the value from the default server can be used. Details are provided in the “<link doc="server_names.xml" id="virtual_server_selection">Virtual server selection</link>” section. </para> </directive> <directive name="msie_padding"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables adding comments to responses for MSIE clients with status greater than 400 to increase the response size to 512 bytes. </para> </directive> <directive name="msie_refresh"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables issuing refreshes instead of redirects for MSIE clients. </para> </directive> <directive name="open_file_cache"> <syntax><literal>off</literal></syntax> <syntax> <literal>max</literal>=<value>N</value> [<literal>inactive</literal>=<value>time</value>]</syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Configures a cache that can store: <list type="bullet"> <listitem> open file descriptors, their sizes and modification times; </listitem> <listitem> information on existence of directories; </listitem> <listitem> file lookup errors, such as “file not found”, “no read permission”, and so on. <note> Caching of errors should be enabled separately by the <link id="open_file_cache_errors"/> directive. </note> </listitem> </list> </para> <para> The directive has the following parameters: <list type="tag"> <tag-name> <literal>max</literal> </tag-name> <tag-desc> sets the maximum number of elements in the cache; on cache overflow the least recently used (LRU) elements are removed; </tag-desc> <tag-name> <literal>inactive</literal> </tag-name> <tag-desc> defines a time after which an element is removed from the cache if it has not been accessed during this time; by default, it is 60 seconds; </tag-desc> <tag-name> <literal>off</literal> </tag-name> <tag-desc> disables the cache. </tag-desc> </list> </para> <para> Example: <example> open_file_cache max=1000 inactive=20s; open_file_cache_valid 30s; open_file_cache_min_uses 2; open_file_cache_errors on;<!-- open_file_cache_events on; --> </example> </para> </directive> <directive name="open_file_cache_errors"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables caching of file lookup errors by <link id="open_file_cache"/>. </para> </directive> <!-- <directive name="open_file_cache_events"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables to use kernel events to validate <link id="open_file_cache"/> elements. This directive works with the <link doc="../events.xml" id="kqueue"/> method only. Note that only NetBSD 2.0+ and FreeBSD 6.0+ support events for arbitrary file system types. Other operating systems support events only for essential file systems such as UFS or FFS. </para> </directive> --> <directive name="open_file_cache_min_uses"> <syntax><value>number</value></syntax> <default>1</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets the minimum <value>number</value> of file accesses during the period configured by the <literal>inactive</literal> parameter of the <link id="open_file_cache"/> directive, required for a file descriptor to remain open in the cache. </para> </directive> <directive name="open_file_cache_valid"> <syntax><value>time</value></syntax> <default>60s</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets a time after which <link id="open_file_cache"/> elements should be validated. <!-- When <link id="open_file_cache_events"/> is enabled, open file descriptors are checked only once, and then updated right after they get changed. --> </para> </directive> <directive name="output_buffers"> <syntax><value>number</value> <value>size</value></syntax> <default>2 32k</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets the <value>number</value> and <value>size</value> of the buffers used for reading a response from a disk. <note> Prior to version 1.9.5, the default value was 1 32k. </note> </para> </directive> <directive name="port_in_redirect"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables specifying the port in <link id="absolute_redirect">absolute</link> redirects issued by nginx. </para> <para> The use of the primary server name in redirects is controlled by the <link id="server_name_in_redirect"/> directive. </para> </directive> <directive name="postpone_output"> <syntax><value>size</value></syntax> <default>1460</default> <context>http</context> <context>server</context> <context>location</context> <para> If possible, the transmission of client data will be postponed until nginx has at least <value>size</value> bytes of data to send. The zero value disables postponing data transmission. </para> </directive> <directive name="read_ahead"> <syntax><value>size</value></syntax> <default>0</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets the amount of pre-reading for the kernel when working with file. </para> <para> On Linux, the <literal>posix_fadvise(0, 0, 0, POSIX_FADV_SEQUENTIAL)</literal> system call is used, and so the <value>size</value> parameter is ignored. </para> <para> On FreeBSD, the <literal>fcntl(O_READAHEAD,</literal> <value>size</value><literal>)</literal> system call, supported since FreeBSD 9.0-CURRENT, is used. FreeBSD 7 has to be <link url="http://sysoev.ru/freebsd/patch.readahead.txt">patched</link>. </para> </directive> <directive name="recursive_error_pages"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables doing several redirects using the <link id="error_page"/> directive. The number of such redirects is <link id="internal">limited</link>. </para> </directive> <directive name="request_pool_size"> <syntax><value>size</value></syntax> <default>4k</default> <context>http</context> <context>server</context> <para> Allows accurate tuning of per-request memory allocations. This directive has minimal impact on performance and should not generally be used. </para> </directive> <directive name="reset_timedout_connection"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables resetting timed out connections and connections <link doc="ngx_http_rewrite_module.xml" id="return">closed</link> with the non-standard code 444 (1.15.2). The reset is performed as follows. Before closing a socket, the <c-def>SO_LINGER</c-def> option is set on it with a timeout value of 0. When the socket is closed, TCP RST is sent to the client, and all memory occupied by this socket is released. This helps avoid keeping an already closed socket with filled buffers in a FIN_WAIT1 state for a long time. </para> <para> It should be noted that timed out keep-alive connections are closed normally. </para> </directive> <directive name="resolver"> <syntax> <value>address</value> ... [<literal>valid</literal>=<value>time</value>] [<literal>ipv4</literal>=<literal>on</literal>|<literal>off</literal>] [<literal>ipv6</literal>=<literal>on</literal>|<literal>off</literal>]</syntax> <default/> <context>http</context> <context>server</context> <context>location</context> <para> Configures name servers used to resolve names of upstream servers into addresses, for example: <example> resolver 127.0.0.1 [::1]:5353; </example> The address can be specified as a domain name or IP address, with an optional port (1.3.1, 1.2.2). If port is not specified, the port 53 is used. Name servers are queried in a round-robin fashion. <note> Before version 1.1.7, only a single name server could be configured. Specifying name servers using IPv6 addresses is supported starting from versions 1.3.1 and 1.2.2. </note> </para> <para id="resolver_ipv6"> By default, nginx will look up both IPv4 and IPv6 addresses while resolving. If looking up of IPv4 or IPv6 addresses is not desired, the <literal>ipv4=off</literal> (1.23.1) or the <literal>ipv6=off</literal> parameter can be specified. <note> Resolving of names into IPv6 addresses is supported starting from version 1.5.8. </note> </para> <para id="resolver_valid"> By default, nginx caches answers using the TTL value of a response. An optional <literal>valid</literal> parameter allows overriding it: <example> resolver 127.0.0.1 [::1]:5353 valid=30s; </example> <note> Before version 1.1.9, tuning of caching time was not possible, and nginx always cached answers for the duration of 5 minutes. </note> <note> To prevent DNS spoofing, it is recommended configuring DNS servers in a properly secured trusted local network. </note> </para> </directive> <directive name="resolver_timeout"> <syntax><value>time</value></syntax> <default>30s</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets a timeout for name resolution, for example: <example> resolver_timeout 5s; </example> </para> </directive> <directive name="root"> <syntax><value>path</value></syntax> <default>html</default> <context>http</context> <context>server</context> <context>location</context> <context>if in location</context> <para> Sets the root directory for requests. For example, with the following configuration <example> location /i/ { root /data/w3; } </example> The <path>/data/w3/i/top.gif</path> file will be sent in response to the “<literal>/i/top.gif</literal>” request. </para> <para> The <value>path</value> value can contain variables, except <var>$document_root</var> and <var>$realpath_root</var>. </para> <para> A path to the file is constructed by merely adding a URI to the value of the <literal>root</literal> directive. If a URI has to be modified, the <link id="alias"/> directive should be used. </para> </directive> <directive name="satisfy"> <syntax><literal>all</literal> | <literal>any</literal></syntax> <default>all</default> <context>http</context> <context>server</context> <context>location</context> <para> Allows access if all (<literal>all</literal>) or at least one (<literal>any</literal>) of the <link doc="ngx_http_access_module.xml">ngx_http_access_module</link>, <link doc="ngx_http_auth_basic_module.xml">ngx_http_auth_basic_module</link>, or <link doc="ngx_http_auth_request_module.xml">ngx_http_auth_request_module</link> modules allow access. </para> <para> Example: <example> location / { satisfy any; allow 192.168.1.0/32; deny all; auth_basic "closed site"; auth_basic_user_file conf/htpasswd; } </example> </para> </directive> <directive name="send_lowat"> <syntax><value>size</value></syntax> <default>0</default> <context>http</context> <context>server</context> <context>location</context> <para> If the directive is set to a non-zero value, nginx will try to minimize the number of send operations on client sockets by using either <c-def>NOTE_LOWAT</c-def> flag of the <link doc="../events.xml" id="kqueue"/> method or the <c-def>SO_SNDLOWAT</c-def> socket option. In both cases the specified <value>size</value> is used. </para> <para> This directive is ignored on Linux, Solaris, and Windows. </para> </directive> <directive name="send_timeout"> <syntax><value>time</value></syntax> <default>60s</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed. </para> </directive> <directive name="sendfile"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <context>if in location</context> <para> Enables or disables the use of <c-func>sendfile</c-func>. </para> <para> Starting from nginx 0.8.12 and FreeBSD 5.2.1, <link id="aio"/> can be used to pre-load data for <c-func>sendfile</c-func>: <example> location /video/ { sendfile on; tcp_nopush on; aio on; } </example> In this configuration, <c-func>sendfile</c-func> is called with the <c-def>SF_NODISKIO</c-def> flag which causes it not to block on disk I/O, but, instead, report back that the data are not in memory. nginx then initiates an asynchronous data load by reading one byte. On the first read, the FreeBSD kernel loads the first 128K bytes of a file into memory, although next reads will only load data in 16K chunks. This can be changed using the <link id="read_ahead"/> directive. <note> Before version 1.7.11, pre-loading could be enabled with <literal>aio sendfile;</literal>. </note> </para> </directive> <directive name="sendfile_max_chunk"> <syntax><value>size</value></syntax> <default>2m</default> <context>http</context> <context>server</context> <context>location</context> <para> Limits the amount of data that can be transferred in a single <c-func>sendfile</c-func> call. Without the limit, one fast connection may seize the worker process entirely. <note> Prior to version 1.21.4, by default there was no limit. </note> </para> </directive> <directive name="server"> <syntax block="yes"/> <default/> <context>http</context> <para> Sets configuration for a virtual server. There is no clear separation between IP-based (based on the IP address) and name-based (based on the <header>Host</header> request header field) virtual servers. Instead, the <link id="listen"/> directives describe all addresses and ports that should accept connections for the server, and the <link id="server_name"/> directive lists all server names. Example configurations are provided in the “<link doc="request_processing.xml"/>” document. </para> </directive> <directive name="server_name"> <syntax><value>name</value> ...</syntax> <default>""</default> <context>server</context> <para> Sets names of a virtual server, for example: <example> server { server_name example.com www.example.com; } </example> </para> <para> The first name becomes the primary server name. </para> <para> Server names can include an asterisk (“<literal>*</literal>”) replacing the first or last part of a name: <example> server { server_name example.com *.example.com www.example.*; } </example> Such names are called wildcard names. </para> <para> The first two of the names mentioned above can be combined in one: <example> server { server_name .example.com; } </example> </para> <para> It is also possible to use regular expressions in server names, preceding the name with a tilde (“<literal>~</literal>”): <example> server { server_name www.example.com ~^www\d+\.example\.com$; } </example> </para> <para> Regular expressions can contain captures (0.7.40) that can later be used in other directives: <example> server { server_name ~^(www\.)?(.+)$; location / { root /sites/$2; } } server { server_name _; location / { root /sites/default; } } </example> </para> <para> Named captures in regular expressions create variables (0.8.25) that can later be used in other directives: <example> server { server_name ~^(www\.)?(?<domain>.+)$; location / { root /sites/$domain; } } server { server_name _; location / { root /sites/default; } } </example> </para> <para> If the directive’s parameter is set to “<var>$hostname</var>” (0.9.4), the machine’s hostname is inserted. </para> <para> It is also possible to specify an empty server name (0.7.11): <example> server { server_name www.example.com ""; } </example> It allows this server to process requests without the <header>Host</header> header field — instead of the default server — for the given address:port pair. This is the default setting. <note> Before 0.8.48, the machine’s hostname was used by default. </note> </para> <para> During searching for a virtual server by name, if the name matches more than one of the specified variants, (e.g. both a wildcard name and regular expression match), the first matching variant will be chosen, in the following order of priority: <list type="enum"> <listitem> the exact name </listitem> <listitem> the longest wildcard name starting with an asterisk, e.g. “<literal>*.example.com</literal>” </listitem> <listitem> the longest wildcard name ending with an asterisk, e.g. “<literal>mail.*</literal>” </listitem> <listitem> the first matching regular expression (in order of appearance in the configuration file) </listitem> </list> </para> <para> Detailed description of server names is provided in a separate <link doc="server_names.xml"/> document. </para> </directive> <directive name="server_name_in_redirect"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables the use of the primary server name, specified by the <link id="server_name"/> directive, in <link id="absolute_redirect">absolute</link> redirects issued by nginx. When the use of the primary server name is disabled, the name from the <header>Host</header> request header field is used. If this field is not present, the IP address of the server is used. </para> <para> The use of a port in redirects is controlled by the <link id="port_in_redirect"/> directive. </para> </directive> <directive name="server_names_hash_bucket_size"> <syntax><value>size</value></syntax> <default>32|64|128</default> <context>http</context> <para> Sets the bucket size for the server names hash tables. The default value depends on the size of the processor’s cache line. The details of setting up hash tables are provided in a separate <link doc="../hash.xml">document</link>. </para> </directive> <directive name="server_names_hash_max_size"> <syntax><value>size</value></syntax> <default>512</default> <context>http</context> <para> Sets the maximum <value>size</value> of the server names hash tables. The details of setting up hash tables are provided in a separate <link doc="../hash.xml">document</link>. </para> </directive> <directive name="server_tokens"> <syntax> <literal>on</literal> | <literal>off</literal> | <literal>build</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables emitting nginx version on error pages and in the <header>Server</header> response header field. </para> <para id="server_tokens_build"> The <literal>build</literal> parameter (1.11.10) enables emitting a <link doc="../configure.xml" id="build">build name</link> along with nginx version. </para> </directive> <directive name="subrequest_output_buffer_size"> <syntax><value>size</value></syntax> <default>4k|8k</default> <context>http</context> <context>server</context> <context>location</context> <appeared-in>1.13.10</appeared-in> <para> Sets the <value>size</value> of the buffer used for storing the response body of a subrequest. By default, the buffer size is equal to one memory page. This is either 4K or 8K, depending on a platform. It can be made smaller, however. </para> <para> The directive is applicable only for subrequests with response bodies saved into memory. For example, such subrequests are created by <link doc="ngx_http_ssi_module.xml" id="ssi_include_set">SSI</link>. </para> </directive> <directive name="tcp_nodelay"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables the use of the <c-def>TCP_NODELAY</c-def> option. The option is enabled when a connection is transitioned into the keep-alive state. Additionally, it is enabled on SSL connections, for unbuffered proxying, and for <link doc="websocket.xml">WebSocket</link> proxying. </para> </directive> <directive name="tcp_nopush"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <context>location</context> <para> Enables or disables the use of the <c-def>TCP_NOPUSH</c-def> socket option on FreeBSD or the <c-def>TCP_CORK</c-def> socket option on Linux. The options are enabled only when <link id="sendfile"/> is used. Enabling the option allows <list type="bullet"> <listitem> sending the response header and the beginning of a file in one packet, on Linux and FreeBSD 4.*; </listitem> <listitem> sending a file in full packets. </listitem> </list> </para> </directive> <directive name="try_files"> <syntax><value>file</value> ... <value>uri</value></syntax> <syntax><value>file</value> ... =<value>code</value></syntax> <default/> <context>server</context> <context>location</context> <para> Checks the existence of files in the specified order and uses the first found file for request processing; the processing is performed in the current context. The path to a file is constructed from the <value>file</value> parameter according to the <link id="root"/> and <link id="alias"/> directives. It is possible to check directory’s existence by specifying a slash at the end of a name, e.g. “<literal>$uri/</literal>”. If none of the files were found, an internal redirect to the <value>uri</value> specified in the last parameter is made. For example: <example> location /images/ { try_files $uri /images/default.gif; } location = /images/default.gif { expires 30s; } </example> The last parameter can also point to a named location, as shown in examples below. Starting from version 0.7.51, the last parameter can also be a <value>code</value>: <example> location / { try_files $uri $uri/index.html $uri.html =404; } </example> </para> <para> Example in proxying Mongrel: <example> location / { try_files /system/maintenance.html $uri $uri/index.html $uri.html @mongrel; } location @mongrel { proxy_pass http://mongrel; } </example> </para> <para> Example for Drupal/FastCGI: <example> location / { try_files $uri $uri/ @drupal; } location ~ \.php$ { try_files $uri @drupal; fastcgi_pass ...; fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param QUERY_STRING $args; ... other fastcgi_param's } location @drupal { fastcgi_pass ...; fastcgi_param SCRIPT_FILENAME /path/to/index.php; fastcgi_param SCRIPT_NAME /index.php; fastcgi_param QUERY_STRING q=$uri&$args; ... other fastcgi_param's } </example> In the following example, <example> location / { try_files $uri $uri/ @drupal; } </example> the <literal>try_files</literal> directive is equivalent to <example> location / { error_page 404 = @drupal; log_not_found off; } </example> And here, <example> location ~ \.php$ { try_files $uri @drupal; fastcgi_pass ...; fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name; ... } </example> <literal>try_files</literal> checks the existence of the PHP file before passing the request to the FastCGI server. </para> <para> Example for Wordpress and Joomla: <example> location / { try_files $uri $uri/ @wordpress; } location ~ \.php$ { try_files $uri @wordpress; fastcgi_pass ...; fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name; ... other fastcgi_param's } location @wordpress { fastcgi_pass ...; fastcgi_param SCRIPT_FILENAME /path/to/index.php; ... other fastcgi_param's } </example> </para> </directive> <directive name="types"> <syntax block="yes"/> <default> text/html html; image/gif gif; image/jpeg jpg; </default> <context>http</context> <context>server</context> <context>location</context> <para> Maps file name extensions to MIME types of responses. Extensions are case-insensitive. Several extensions can be mapped to one type, for example: <example> types { application/octet-stream bin exe dll; application/octet-stream deb; application/octet-stream dmg; } </example> </para> <para> A sufficiently full mapping table is distributed with nginx in the <path>conf/mime.types</path> file. </para> <para> To make a particular location emit the “<literal>application/octet-stream</literal>” MIME type for all requests, the following configuration can be used: <example> location /download/ { types { } default_type application/octet-stream; } </example> </para> </directive> <directive name="types_hash_bucket_size"> <syntax><value>size</value></syntax> <default>64</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets the bucket size for the types hash tables. The details of setting up hash tables are provided in a separate <link doc="../hash.xml">document</link>. <note> Prior to version 1.5.13, the default value depended on the size of the processor’s cache line. </note> </para> </directive> <directive name="types_hash_max_size"> <syntax><value>size</value></syntax> <default>1024</default> <context>http</context> <context>server</context> <context>location</context> <para> Sets the maximum <value>size</value> of the types hash tables. The details of setting up hash tables are provided in a separate <link doc="../hash.xml">document</link>. </para> </directive> <directive name="underscores_in_headers"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>http</context> <context>server</context> <para> Enables or disables the use of underscores in client request header fields. When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the <link id="ignore_invalid_headers"/> directive. </para> <para> If the directive is specified on the <link id="server"/> level, the value from the default server can be used. Details are provided in the “<link doc="server_names.xml" id="virtual_server_selection">Virtual server selection</link>” section. </para> </directive> <directive name="variables_hash_bucket_size"> <syntax><value>size</value></syntax> <default>64</default> <context>http</context> <para> Sets the bucket size for the variables hash table. The details of setting up hash tables are provided in a separate <link doc="../hash.xml">document</link>. </para> </directive> <directive name="variables_hash_max_size"> <syntax><value>size</value></syntax> <default>1024</default> <context>http</context> <para> Sets the maximum <value>size</value> of the variables hash table. The details of setting up hash tables are provided in a separate <link doc="../hash.xml">document</link>. <note> Prior to version 1.5.13, the default value was 512. </note> </para> </directive> </section> <section id="variables" name="Embedded Variables"> <para> The <literal>ngx_http_core_module</literal> module supports embedded variables with names matching the Apache Server variables. First of all, these are variables representing client request header fields, such as <var>$http_user_agent</var>, <var>$http_cookie</var>, and so on. Also there are other variables: <list type="tag"> <tag-name id="var_arg_"><var>$arg_</var><value>name</value></tag-name> <tag-desc> argument <value>name</value> in the request line </tag-desc> <tag-name id="var_args"><var>$args</var></tag-name> <tag-desc> arguments in the request line </tag-desc> <tag-name id="var_binary_remote_addr"><var>$binary_remote_addr</var></tag-name> <tag-desc> client address in a binary form, value’s length is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses </tag-desc> <tag-name id="var_body_bytes_sent"><var>$body_bytes_sent</var></tag-name> <tag-desc> number of bytes sent to a client, not counting the response header; this variable is compatible with the “<literal>%B</literal>” parameter of the <literal>mod_log_config</literal> Apache module </tag-desc> <tag-name id="var_bytes_sent"><var>$bytes_sent</var></tag-name> <tag-desc> number of bytes sent to a client (1.3.8, 1.2.5) </tag-desc> <tag-name id="var_connection"><var>$connection</var></tag-name> <tag-desc> connection serial number (1.3.8, 1.2.5) </tag-desc> <tag-name id="var_connection_requests"><var>$connection_requests</var></tag-name> <tag-desc> current number of requests made through a connection (1.3.8, 1.2.5) </tag-desc> <tag-name id="var_connection_time"><var>$connection_time</var></tag-name> <tag-desc> connection time in seconds with a milliseconds resolution (1.19.10) </tag-desc> <tag-name id="var_content_length"><var>$content_length</var></tag-name> <tag-desc> <header>Content-Length</header> request header field </tag-desc> <tag-name id="var_content_type"><var>$content_type</var></tag-name> <tag-desc> <header>Content-Type</header> request header field </tag-desc> <tag-name id="var_cookie_"><var>$cookie_</var><value>name</value></tag-name> <tag-desc> the <value>name</value> cookie </tag-desc> <tag-name id="var_document_root"><var>$document_root</var></tag-name> <tag-desc> <link id="root"/> or <link id="alias"/> directive’s value for the current request </tag-desc> <tag-name id="var_document_uri"><var>$document_uri</var></tag-name> <tag-desc> same as <var>$uri</var> </tag-desc> <tag-name id="var_host"><var>$host</var></tag-name> <tag-desc> in this order of precedence: host name from the request line, or host name from the <header>Host</header> request header field, or the server name matching a request </tag-desc> <tag-name id="var_hostname"><var>$hostname</var></tag-name> <tag-desc> host name </tag-desc> <tag-name id="var_http_"><var>$http_</var><value>name</value></tag-name> <tag-desc> arbitrary request header field; the last part of a variable name is the field name converted to lower case with dashes replaced by underscores </tag-desc> <tag-name id="var_https"><var>$https</var></tag-name> <tag-desc> “<literal>on</literal>” if connection operates in SSL mode, or an empty string otherwise </tag-desc> <tag-name id="var_is_args"><var>$is_args</var></tag-name> <tag-desc> “<literal>?</literal>” if a request line has arguments, or an empty string otherwise </tag-desc> <tag-name id="var_limit_rate"><var>$limit_rate</var></tag-name> <tag-desc> setting this variable enables response rate limiting; see <link id="limit_rate"/> </tag-desc> <tag-name id="var_msec"><var>$msec</var></tag-name> <tag-desc> current time in seconds with the milliseconds resolution (1.3.9, 1.2.6) </tag-desc> <tag-name id="var_nginx_version"><var>$nginx_version</var></tag-name> <tag-desc> nginx version </tag-desc> <tag-name id="var_pid"><var>$pid</var></tag-name> <tag-desc> PID of the worker process </tag-desc> <tag-name id="var_pipe"><var>$pipe</var></tag-name> <tag-desc> “<literal>p</literal>” if request was pipelined, “<literal>.</literal>” otherwise (1.3.12, 1.2.7) </tag-desc> <tag-name id="var_proxy_protocol_addr"><var>$proxy_protocol_addr</var></tag-name> <tag-desc> client address from the PROXY protocol header (1.5.12) <para> The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link id="listen"/> directive. </para> </tag-desc> <tag-name id="var_proxy_protocol_port"><var>$proxy_protocol_port</var></tag-name> <tag-desc> client port from the PROXY protocol header (1.11.0) <para> The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link id="listen"/> directive. </para> </tag-desc> <tag-name id="var_proxy_protocol_server_addr"><var>$proxy_protocol_server_addr</var></tag-name> <tag-desc> server address from the PROXY protocol header (1.17.6) <para> The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link id="listen"/> directive. </para> </tag-desc> <tag-name id="var_proxy_protocol_server_port"><var>$proxy_protocol_server_port</var></tag-name> <tag-desc> server port from the PROXY protocol header (1.17.6) <para> The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link id="listen"/> directive. </para> </tag-desc> <tag-name id="var_proxy_protocol_tlv_"><var>$proxy_protocol_tlv_</var><value>name</value></tag-name> <tag-desc> TLV from the PROXY Protocol header (1.23.2). The <literal>name</literal> can be a TLV type name or its numeric value. In the latter case, the value is hexadecimal and should be prefixed with <literal>0x</literal>: <example> $proxy_protocol_tlv_alpn $proxy_protocol_tlv_0x01 </example> SSL TLVs can also be accessed by TLV type name or its numeric value, both prefixed by <literal>ssl_</literal>: <example> $proxy_protocol_tlv_ssl_version $proxy_protocol_tlv_ssl_0x21 </example> <para> The following TLV type names are supported: <list type="bullet"> <listitem> <literal>alpn</literal> (<literal>0x01</literal>)— upper layer protocol used over the connection </listitem> <listitem> <literal>authority</literal> (<literal>0x02</literal>)— host name value passed by the client </listitem> <listitem> <literal>unique_id</literal> (<literal>0x05</literal>)— unique connection id </listitem> <listitem> <literal>netns</literal> (<literal>0x30</literal>)— name of the namespace </listitem> <listitem> <literal>ssl</literal> (<literal>0x20</literal>)— binary SSL TLV structure </listitem> </list> </para> <para> The following SSL TLV type names are supported: <list type="bullet"> <listitem> <literal>ssl_version</literal> (<literal>0x21</literal>)— SSL version used in client connection </listitem> <listitem> <literal>ssl_cn</literal> (<literal>0x22</literal>)— SSL certificate Common Name </listitem> <listitem> <literal>ssl_cipher</literal> (<literal>0x23</literal>)— name of the used cipher </listitem> <listitem> <literal>ssl_sig_alg</literal> (<literal>0x24</literal>)— algorithm used to sign the certificate </listitem> <listitem> <literal>ssl_key_alg</literal> (<literal>0x25</literal>)— public-key algorithm </listitem> </list> </para> <para> Also, the following special SSL TLV type name is supported: <list type="bullet"> <listitem> <literal>ssl_verify</literal>— client SSL certificate verification result, <literal>0</literal> if the client presented a certificate and it was successfully verified, non-zero otherwise. </listitem> </list> </para> <para> The PROXY protocol must be previously enabled by setting the <literal>proxy_protocol</literal> parameter in the <link id="listen"/> directive. </para> </tag-desc> <tag-name id="var_query_string"><var>$query_string</var></tag-name> <tag-desc> same as <var>$args</var> </tag-desc> <tag-name id="var_realpath_root"><var>$realpath_root</var></tag-name> <tag-desc> an absolute pathname corresponding to the <link id="root"/> or <link id="alias"/> directive’s value for the current request, with all symbolic links resolved to real paths </tag-desc> <tag-name id="var_remote_addr"><var>$remote_addr</var></tag-name> <tag-desc> client address </tag-desc> <tag-name id="var_remote_port"><var>$remote_port</var></tag-name> <tag-desc> client port </tag-desc> <tag-name id="var_remote_user"><var>$remote_user</var></tag-name> <tag-desc> user name supplied with the Basic authentication </tag-desc> <tag-name id="var_request"><var>$request</var></tag-name> <tag-desc> full original request line </tag-desc> <tag-name id="var_request_body"><var>$request_body</var></tag-name> <tag-desc> request body <para> The variable’s value is made available in locations processed by the <link doc="ngx_http_proxy_module.xml" id="proxy_pass"/>, <link doc="ngx_http_fastcgi_module.xml" id="fastcgi_pass"/>, <link doc="ngx_http_uwsgi_module.xml" id="uwsgi_pass"/>, and <link doc="ngx_http_scgi_module.xml" id="scgi_pass"/> directives when the request body was read to a <link id="client_body_buffer_size">memory buffer</link>. </para> </tag-desc> <tag-name id="var_request_body_file"><var>$request_body_file</var></tag-name> <tag-desc> name of a temporary file with the request body <para> At the end of processing, the file needs to be removed. To always write the request body to a file, <link id="client_body_in_file_only"/> needs to be enabled. When the name of a temporary file is passed in a proxied request or in a request to a FastCGI/uwsgi/SCGI server, passing the request body should be disabled by the <link doc="ngx_http_proxy_module.xml" id="proxy_pass_request_body"> proxy_pass_request_body off</link>, <link doc="ngx_http_fastcgi_module.xml" id="fastcgi_pass_request_body"> fastcgi_pass_request_body off</link>, <link doc="ngx_http_uwsgi_module.xml" id="uwsgi_pass_request_body"> uwsgi_pass_request_body off</link>, or <link doc="ngx_http_scgi_module.xml" id="scgi_pass_request_body"> scgi_pass_request_body off</link> directives, respectively. </para> </tag-desc> <tag-name id="var_request_completion"><var>$request_completion</var></tag-name> <tag-desc> “<literal>OK</literal>” if a request has completed, or an empty string otherwise </tag-desc> <tag-name id="var_request_filename"><var>$request_filename</var></tag-name> <tag-desc> file path for the current request, based on the <link id="root"/> or <link id="alias"/> directives, and the request URI </tag-desc> <tag-name id="var_request_id"><var>$request_id</var></tag-name> <tag-desc> unique request identifier generated from 16 random bytes, in hexadecimal (1.11.0) </tag-desc> <tag-name id="var_request_length"><var>$request_length</var></tag-name> <tag-desc> request length (including request line, header, and request body) (1.3.12, 1.2.7) </tag-desc> <tag-name id="var_request_method"><var>$request_method</var></tag-name> <tag-desc> request method, usually “<literal>GET</literal>” or “<literal>POST</literal>” </tag-desc> <tag-name id="var_request_time"><var>$request_time</var></tag-name> <tag-desc> request processing time in seconds with a milliseconds resolution (1.3.9, 1.2.6); time elapsed since the first bytes were read from the client </tag-desc> <tag-name id="var_request_uri"><var>$request_uri</var></tag-name> <tag-desc> full original request URI (with arguments) </tag-desc> <tag-name id="var_scheme"><var>$scheme</var></tag-name> <tag-desc> request scheme, “<literal>http</literal>” or “<literal>https</literal>” </tag-desc> <tag-name id="var_sent_http_"><var>$sent_http_</var><value>name</value></tag-name> <tag-desc> arbitrary response header field; the last part of a variable name is the field name converted to lower case with dashes replaced by underscores </tag-desc> <tag-name id="var_sent_trailer_"><var>$sent_trailer_</var><value>name</value></tag-name> <tag-desc> arbitrary field sent at the end of the response (1.13.2); the last part of a variable name is the field name converted to lower case with dashes replaced by underscores </tag-desc> <tag-name id="var_server_addr"><var>$server_addr</var></tag-name> <tag-desc> an address of the server which accepted a request <para> Computing a value of this variable usually requires one system call. To avoid a system call, the <link id="listen"/> directives must specify addresses and use the <literal>bind</literal> parameter. </para> </tag-desc> <tag-name id="var_server_name"><var>$server_name</var></tag-name> <tag-desc> name of the server which accepted a request </tag-desc> <tag-name id="var_server_port"><var>$server_port</var></tag-name> <tag-desc> port of the server which accepted a request </tag-desc> <tag-name id="var_server_protocol"><var>$server_protocol</var></tag-name> <tag-desc> request protocol, usually “<literal>HTTP/1.0</literal>”, “<literal>HTTP/1.1</literal>”, “<link doc="ngx_http_v2_module.xml">HTTP/2.0</link>”, or “<link doc="ngx_http_v3_module.xml">HTTP/3.0</link>” </tag-desc> <tag-name id="var_status"><var>$status</var></tag-name> <tag-desc> response status (1.3.2, 1.2.2) </tag-desc> <tag-name id="var_tcpinfo_"> <var>$tcpinfo_rtt</var>, <var>$tcpinfo_rttvar</var>, <var>$tcpinfo_snd_cwnd</var>, <var>$tcpinfo_rcv_space</var> </tag-name> <tag-desc> information about the client TCP connection; available on systems that support the <c-def>TCP_INFO</c-def> socket option </tag-desc> <tag-name id="var_time_iso8601"><var>$time_iso8601</var></tag-name> <tag-desc> local time in the ISO 8601 standard format (1.3.12, 1.2.7) </tag-desc> <tag-name id="var_time_local"><var>$time_local</var></tag-name> <tag-desc> local time in the Common Log Format (1.3.12, 1.2.7) </tag-desc> <tag-name id="var_uri"><var>$uri</var></tag-name> <tag-desc> current URI in request, <link id="location">normalized</link> <para> The value of <var>$uri</var> may change during request processing, e.g. when doing internal redirects, or when using index files. </para> </tag-desc> </list> </para> </section> </module>