Mercurial > hg > nginx-site

view xml/en/docs/stream/ngx_stream_ssl_module.xml @ 1450:f5b5eefc43cb

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Updated commercial docs for the upcoming release.
author Ruslan Ermilov <ru@nginx.com>
date Thu, 09 Apr 2015 19:18:54 +0300
parents
children acba294382d6
line wrap: on
line source

<?xml version="1.0"?>

<!--
  Copyright (C) Nginx, Inc.
  -->

<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">

<module name="Module ngx_stream_ssl_module"
        link="/en/docs/stream/ngx_stream_ssl_module.html"
        lang="en"
        rev="1">

<section id="summary">

<para>
The <literal>ngx_stream_ssl_module</literal> module (1.7.10)
provides the necessary support for a stream proxy server to work with
the SSL/TLS protocol.
</para>

<para>
<note>
This module is available as part of our
<commercial_version>commercial subscription</commercial_version>.
</note>
</para>

</section>


<section id="directives" name="Directives">

<directive name="ssl_certificate">
<syntax><value>file</value></syntax>
<default/>
<context>stream</context>
<context>server</context>

<para>
Specifies a file with the certificate in the PEM format for the given
server.
If intermediate certificates should be specified in addition to a primary
certificate, they should be specified in the same file in the following
order: the primary certificate comes first, then the intermediate certificates.
A secret key in the PEM format may be placed in the same file.
</para>

</directive>


<directive name="ssl_certificate_key">
<syntax><value>file</value></syntax>
<default/>
<context>stream</context>
<context>server</context>

<para>
Specifies a file with the secret key in the PEM format for the given
server.
</para>

</directive>


<directive name="ssl_ciphers">
<syntax><value>ciphers</value></syntax>
<default>HIGH:!aNULL:!MD5</default>
<context>stream</context>
<context>server</context>

<para>
Specifies the enabled ciphers.
The ciphers are specified in the format understood by the
OpenSSL library, for example:
<example>
ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
</example>
</para>

<para>
The full list can be viewed using the
“<command>openssl ciphers</command>” command.
</para>

</directive>


<directive name="ssl_dhparam">
<syntax><value>file</value></syntax>
<default/>
<context>stream</context>
<context>server</context>

<para>
Specifies a <value>file</value> with DH parameters for EDH ciphers.
</para>

</directive>


<directive name="ssl_ecdh_curve">
<syntax><value>curve</value></syntax>
<default>prime256v1</default>
<context>stream</context>
<context>server</context>

<para>
Specifies a <value>curve</value> for ECDHE ciphers.
</para>

</directive>


<directive name="ssl_handshake_timeout">
<syntax><value>time</value></syntax>
<default>60s</default>
<context>stream</context>
<context>server</context>

<para>
Specifies a timeout for the SSL handshake to complete.
</para>

</directive>


<directive name="ssl_password_file">
<syntax><value>file</value></syntax>
<default/>
<context>stream</context>
<context>server</context>

<para>
Specifies a <value>file</value> with passphrases for
<link id="ssl_certificate_key">secret keys</link>
where each passphrase is specified on a separate line.
Passphrases are tried in turn when loading the key.
</para>

<para>
Example:
<example>
stream {
    ssl_password_file /etc/keys/global.pass;
    ...

    server {
        listen 127.0.0.1:12345;
        ssl_certificate_key /etc/keys/first.key;
    }

    server {
        listen 127.0.0.1:12346;

        # named pipe can also be used instead of a file
        ssl_password_file /etc/keys/fifo;
        ssl_certificate_key /etc/keys/second.key;
    }
}
</example>
</para>

</directive>


<directive name="ssl_prefer_server_ciphers">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>off</default>
<context>stream</context>
<context>server</context>

<para>
Specifies that server ciphers should be preferred over client ciphers
when the SSLv3 and TLS protocols are used.
</para>

</directive>


<directive name="ssl_protocols">
<syntax>
    [<literal>SSLv2</literal>]
    [<literal>SSLv3</literal>]
    [<literal>TLSv1</literal>]
    [<literal>TLSv1.1</literal>]
    [<literal>TLSv1.2</literal>]</syntax>
<default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default>
<context>stream</context>
<context>server</context>

<para>
Enables the specified protocols.
The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters work
only when the OpenSSL library of version 1.0.1 or higher is used.
</para>

</directive>


<directive name="ssl_session_cache">
<syntax>
    <literal>off</literal> |
    <literal>none</literal> |
    [<literal>builtin</literal>[:<value>size</value>]]
    [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax>
<default>none</default>
<context>stream</context>
<context>server</context>

<para>
Sets the types and sizes of caches that store session parameters.
A cache can be of any of the following types:
<list type="tag">

<tag-name><literal>off</literal></tag-name>
<tag-desc>
the use of a session cache is strictly prohibited:
nginx explicitly tells a client that sessions may not be reused.
</tag-desc>

<tag-name><literal>none</literal></tag-name>
<tag-desc>
the use of a session cache is gently disallowed:
nginx tells a client that sessions may be reused, but does not
actually store session parameters in the cache.
</tag-desc>

<tag-name><literal>builtin</literal></tag-name>
<tag-desc>
a cache built in OpenSSL; used by one worker process only.
The cache size is specified in sessions.
If size is not given, it is equal to 20480 sessions.
Use of the built-in cache can cause memory fragmentation.
</tag-desc>

<tag-name><literal>shared</literal></tag-name>
<tag-desc>
a cache shared between all worker processes.
The cache size is specified in bytes; one megabyte can store
about 4000 sessions.
Each shared cache should have an arbitrary name.
A cache with the same name can be used in several
servers.
</tag-desc>

</list>
</para>

<para>
Both cache types can be used simultaneously, for example:
<example>
ssl_session_cache builtin:1000 shared:SSL:10m;
</example>
but using only shared cache without the built-in cache should
be more efficient.
</para>

</directive>


<directive name="ssl_session_ticket_key">
<syntax><value>file</value></syntax>
<default/>
<context>stream</context>
<context>server</context>

<para>
Sets a <value>file</value> with the secret key used to encrypt
and decrypt TLS session tickets.
The directive is necessary if the same key has to be shared between
multiple servers.
By default, a randomly generated key is used.
</para>

<para>
If several keys are specified, only the first key is
used to encrypt TLS session tickets.
This allows configuring key rotation, for example:
<example>
ssl_session_ticket_key current.key;
ssl_session_ticket_key previous.key;
</example>
</para>

<para>
The <value>file</value> must contain 48 bytes of random data and can
be created using the following command:
<example>
openssl rand 48 > ticket.key
</example>
</para>

</directive>


<directive name="ssl_session_tickets">
<syntax><literal>on</literal> | <literal>off</literal></syntax>
<default>on</default>
<context>stream</context>
<context>server</context>

<para>
Enables or disables session resumption through
<link url="http://tools.ietf.org/html/rfc5077">TLS session tickets</link>.
</para>

</directive>


<directive name="ssl_session_timeout">
<syntax><value>time</value></syntax>
<default>5m</default>
<context>stream</context>
<context>server</context>

<para>
Specifies a time during which a client may reuse the
session parameters stored in a cache.
</para>

</directive>

</section>

</module>