Mercurial > hg > nginx-site
view xml/en/docs/stream/ngx_stream_ssl_module.xml @ 1450:f5b5eefc43cb
Updated commercial docs for the upcoming release.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 09 Apr 2015 19:18:54 +0300 |
parents | |
children | acba294382d6 |
line wrap: on
line source
<?xml version="1.0"?> <!-- Copyright (C) Nginx, Inc. --> <!DOCTYPE module SYSTEM "../../../../dtd/module.dtd"> <module name="Module ngx_stream_ssl_module" link="/en/docs/stream/ngx_stream_ssl_module.html" lang="en" rev="1"> <section id="summary"> <para> The <literal>ngx_stream_ssl_module</literal> module (1.7.10) provides the necessary support for a stream proxy server to work with the SSL/TLS protocol. </para> <para> <note> This module is available as part of our <commercial_version>commercial subscription</commercial_version>. </note> </para> </section> <section id="directives" name="Directives"> <directive name="ssl_certificate"> <syntax><value>file</value></syntax> <default/> <context>stream</context> <context>server</context> <para> Specifies a file with the certificate in the PEM format for the given server. If intermediate certificates should be specified in addition to a primary certificate, they should be specified in the same file in the following order: the primary certificate comes first, then the intermediate certificates. A secret key in the PEM format may be placed in the same file. </para> </directive> <directive name="ssl_certificate_key"> <syntax><value>file</value></syntax> <default/> <context>stream</context> <context>server</context> <para> Specifies a file with the secret key in the PEM format for the given server. </para> </directive> <directive name="ssl_ciphers"> <syntax><value>ciphers</value></syntax> <default>HIGH:!aNULL:!MD5</default> <context>stream</context> <context>server</context> <para> Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example: <example> ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; </example> </para> <para> The full list can be viewed using the “<command>openssl ciphers</command>” command. </para> </directive> <directive name="ssl_dhparam"> <syntax><value>file</value></syntax> <default/> <context>stream</context> <context>server</context> <para> Specifies a <value>file</value> with DH parameters for EDH ciphers. </para> </directive> <directive name="ssl_ecdh_curve"> <syntax><value>curve</value></syntax> <default>prime256v1</default> <context>stream</context> <context>server</context> <para> Specifies a <value>curve</value> for ECDHE ciphers. </para> </directive> <directive name="ssl_handshake_timeout"> <syntax><value>time</value></syntax> <default>60s</default> <context>stream</context> <context>server</context> <para> Specifies a timeout for the SSL handshake to complete. </para> </directive> <directive name="ssl_password_file"> <syntax><value>file</value></syntax> <default/> <context>stream</context> <context>server</context> <para> Specifies a <value>file</value> with passphrases for <link id="ssl_certificate_key">secret keys</link> where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key. </para> <para> Example: <example> stream { ssl_password_file /etc/keys/global.pass; ... server { listen 127.0.0.1:12345; ssl_certificate_key /etc/keys/first.key; } server { listen 127.0.0.1:12346; # named pipe can also be used instead of a file ssl_password_file /etc/keys/fifo; ssl_certificate_key /etc/keys/second.key; } } </example> </para> </directive> <directive name="ssl_prefer_server_ciphers"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>off</default> <context>stream</context> <context>server</context> <para> Specifies that server ciphers should be preferred over client ciphers when the SSLv3 and TLS protocols are used. </para> </directive> <directive name="ssl_protocols"> <syntax> [<literal>SSLv2</literal>] [<literal>SSLv3</literal>] [<literal>TLSv1</literal>] [<literal>TLSv1.1</literal>] [<literal>TLSv1.2</literal>]</syntax> <default>SSLv3 TLSv1 TLSv1.1 TLSv1.2</default> <context>stream</context> <context>server</context> <para> Enables the specified protocols. The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters work only when the OpenSSL library of version 1.0.1 or higher is used. </para> </directive> <directive name="ssl_session_cache"> <syntax> <literal>off</literal> | <literal>none</literal> | [<literal>builtin</literal>[:<value>size</value>]] [<literal>shared</literal>:<value>name</value>:<value>size</value>]</syntax> <default>none</default> <context>stream</context> <context>server</context> <para> Sets the types and sizes of caches that store session parameters. A cache can be of any of the following types: <list type="tag"> <tag-name><literal>off</literal></tag-name> <tag-desc> the use of a session cache is strictly prohibited: nginx explicitly tells a client that sessions may not be reused. </tag-desc> <tag-name><literal>none</literal></tag-name> <tag-desc> the use of a session cache is gently disallowed: nginx tells a client that sessions may be reused, but does not actually store session parameters in the cache. </tag-desc> <tag-name><literal>builtin</literal></tag-name> <tag-desc> a cache built in OpenSSL; used by one worker process only. The cache size is specified in sessions. If size is not given, it is equal to 20480 sessions. Use of the built-in cache can cause memory fragmentation. </tag-desc> <tag-name><literal>shared</literal></tag-name> <tag-desc> a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several servers. </tag-desc> </list> </para> <para> Both cache types can be used simultaneously, for example: <example> ssl_session_cache builtin:1000 shared:SSL:10m; </example> but using only shared cache without the built-in cache should be more efficient. </para> </directive> <directive name="ssl_session_ticket_key"> <syntax><value>file</value></syntax> <default/> <context>stream</context> <context>server</context> <para> Sets a <value>file</value> with the secret key used to encrypt and decrypt TLS session tickets. The directive is necessary if the same key has to be shared between multiple servers. By default, a randomly generated key is used. </para> <para> If several keys are specified, only the first key is used to encrypt TLS session tickets. This allows configuring key rotation, for example: <example> ssl_session_ticket_key current.key; ssl_session_ticket_key previous.key; </example> </para> <para> The <value>file</value> must contain 48 bytes of random data and can be created using the following command: <example> openssl rand 48 > ticket.key </example> </para> </directive> <directive name="ssl_session_tickets"> <syntax><literal>on</literal> | <literal>off</literal></syntax> <default>on</default> <context>stream</context> <context>server</context> <para> Enables or disables session resumption through <link url="http://tools.ietf.org/html/rfc5077">TLS session tickets</link>. </para> </directive> <directive name="ssl_session_timeout"> <syntax><value>time</value></syntax> <default>5m</default> <context>stream</context> <context>server</context> <para> Specifies a time during which a client may reuse the session parameters stored in a cache. </para> </directive> </section> </module>