# HG changeset patch # User Ruslan Ermilov # Date 1328076057 0 # Node ID 331a86bc51ff585d53002a4daf57db61bc5972f7 # Parent a73fa21add8ac958768368188dec0ed4fe9f0d28 English translation of ngx_http_ssl_module. diff --git a/xml/en/GNUmakefile b/xml/en/GNUmakefile --- a/xml/en/GNUmakefile +++ b/xml/en/GNUmakefile @@ -73,6 +73,7 @@ REFS = \ http/ngx_http_referer_module \ http/ngx_http_secure_link_module \ http/ngx_http_split_clients_module \ + http/ngx_http_ssl_module \ http/ngx_http_sub_module \ http/ngx_http_upstream_module \ http/ngx_http_userid_module \ diff --git a/xml/en/docs/http/ngx_http_ssl_module.xml b/xml/en/docs/http/ngx_http_ssl_module.xml new file mode 100644 --- /dev/null +++ b/xml/en/docs/http/ngx_http_ssl_module.xml @@ -0,0 +1,473 @@ + + + + + + +
+ + +The ngx_http_ssl_module module provides the +necessary support for HTTPS. + + + +This module is not built by default, it should be enabled with the +--with-http_ssl_module +configuration parameter. + +This module requires the +OpenSSL library. + + + +
+ + +
+ + +To reduce the processor load it is recommended to + + + +set the number of worker processes equal to the number of processors, + + + +enable keep-alive connections, + + + +enable shared session cache, + + + +disable built-in session cache, + + + +and possibly increase the session lifetime (by default, 5 minutes): + + + + + +worker_processes 2; + +http { + + ... + + server { + listen 443; + keepalive_timeout 70; + + ssl on; + ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; + ssl_certificate /usr/local/nginx/conf/cert.pem; + ssl_certificate_key /usr/local/nginx/conf/cert.key; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + ... + } + + + +
+ + +
+ + +on | off +off +http +server + + +Enables the HTTPS protocol for the given virtual server. + + + + + + +file + +http +server + + +Specifies a file with a certificate in the PEM format +for the given virtual server. +If intermediate certificates should be specified in addition +to a primary certificate, they should be specified in the same file +in the following order: the primary certificate comes first, then +the intermediate certificates. +A secret key in the PEM format may be placed in the same file. + + + +It should be kept in mind that due to the HTTPS protocol limitations +virtual servers should listen on different IP addresses: + +server { + listen 192.168.1.1:443; + server_name one.example.com; + ssl_certificate /usr/local/nginx/conf/one.example.com.cert; + ... +} + +server { + listen 192.168.1.2:443; + server_name two.example.com; + ssl_certificate /usr/local/nginx/conf/two.example.com.cert; + ... +} + +otherwise +the first server’s certificate +will be issued for the second site. + + + + + + +file + +http +server + + +Specifies a file with a secret key in the PEM format +for the given virtual server. + + + + + + +ciphers +HIGH:!ADH:!MD5 +http +server + + +Specifies the enabled ciphers. +The ciphers are specified in the format understood by the +OpenSSL library, for example: + +ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; + + + + +The full list can be viewed using the +“openssl ciphers” command. + + + + + + +file + +http +server + + +Specifies a file with CA certificates in the PEM format +used for client certificate verification. + + + + + + +file + +http +server +0.8.7 + + +Specifies a file with revoked certificates (CRL) +in the PEM format, used to client certificate verification. + + + + + + +file + +http +server +0.7.2 + + +Specifies a file with DH parameters for EDH ciphers. + + + + + + +on | off +off +http +server + + +Specifies that server ciphers should be preferred over client +ciphers when using the SSLv3 and TLS protocols. + + + + + + + + [SSLv2] + [SSLv3] + [TLSv1] + [TLSv1.1] + [TLSv1.2] +SSLv3 TLSv1 TLSv1.1 TLSv1.2 +http +server + + +Enables the specified protocols. +The parameters TLSv1.1 and TLSv1.2 work +only when using the OpenSSL library version 1.0.1 and higher. + +The parameters TLSv1.1 and TLSv1.2 are +supported starting from version 1.1.13 so when using OpenSSL version 1.0.1 +and higher on older nginx versions these protocols will work but could not +be disabled. + + + + + + + + + off | + none | + [builtin[:size]] + [shared:name:size] +none +http +server + + +Sets types and sizes of caches that store session parameters. +A cache can be any of the following types: + + +off + +the use of session cache is strictly prohibited: +nginx explicitly tells a client that sessions may not be reused. + + +none + +the use of session cache is gently disallowed: +nginx tells a client that sessions may be reused, but does not +actually do that. + + +builtin + +a cache built in OpenSSL; used by one worker process only. +The cache size is specified in sessions. +If size is not given, it is equal to 20480 sessions. +Use of the built-in cache can cause memory fragmentation. + + +shared + +shared between all worker processes. +The cache size is specified in bytes; one megabyte can store +about 4000 sessions. +Each shared cache should have an arbitrary name. +A cache with the same name can be used in several virtual servers. + + + + + + +Both cache types can be used simultaneously, for example: + +ssl_session_cache builtin:1000 shared:SSL:10m; + +but using only shared cache without the built-in cache should +be more efficient. + + + + + + +time +5m +http +server + + +Specifies a time during which a client may reuse the +session parameters stored in a cache. + + + + + + + + on | off | + optional +off +http +server + + +Enables the client certificate verification. +The optional parameter (0.8.7+) requests the client +certificate and verifies it if it was present. +The result of verification is stored in the +$ssl_client_verify variable. + + + + + + +number +1 +http +server + + +Sets a verification depth in the client certificates chain. + + + + +
+ + +
+ + +The ngx_http_ssl_module module supports several +non-standard error codes that can be used for redirects using the + directive: + + +495 + +an error has occurred during the client certificate verification; + + +496 + +a client did not present the required certificate; + + +497 + +a regular request was sent to the HTTPS port. + + + + + + +A redirection happens after the request was fully parsed and +variables such as $request_uri, +$uri, $args and others were made available. + + +
+ + +
+ + +The ngx_http_ssl_module module supports +several embedded variables: + + +$ssl_cipher + +returns the string of ciphers used +for an established SSL connection; + + +$ssl_client_cert + +returns the client certificate in the PEM format +for an established SSL connection, with each line except the first +prepended with the tab character; +this is intended for the use in the + directive; + + +$ssl_client_raw_cert + +returns the client certificate in the PEM format +for an established SSL connection; + + +$ssl_client_serial + +returns the serial number of the client certificate +for an established SSL connection; + + +$ssl_client_s_dn + +returns the “subject DN” string of the client certificate +for an established SSL connection; + + +$ssl_client_i_dn + +returns the “issuer DN” string of the client certificate +for an established SSL connection; + + +$ssl_client_verify + +returns the result of client certificate verification: +“SUCCESS”, “FAILED”, and +“NONE” if a certificate was not present; + + +$ssl_protocol + +returns the protocol of an established SSL connection; + + +$ssl_session_id + +returns the session identifier of an established SSL connection. + + + + + +
+ + diff --git a/xml/en/docs/index.xml b/xml/en/docs/index.xml --- a/xml/en/docs/index.xml +++ b/xml/en/docs/index.xml @@ -215,6 +215,11 @@ ngx_http_split_clients_module + +ngx_http_ssl_module + + + ngx_http_sub_module diff --git a/xml/en/index.xml b/xml/en/index.xml --- a/xml/en/index.xml +++ b/xml/en/index.xml @@ -77,7 +77,8 @@ parallel if they are handled by proxied -SSL and TLS SNI support. +SSL and +TLS SNI support.