changeset 2618:0b98a81f196b

Documented the ssl_reject_handshake directive.
author Yaroslav Zhuravlev <yar@nginx.com>
date Tue, 27 Oct 2020 22:07:25 +0000
parents 6684517c9d19
children 94107f33b7bb
files xml/en/docs/http/ngx_http_ssl_module.xml xml/ru/docs/http/ngx_http_ssl_module.xml
diffstat 2 files changed, 68 insertions(+), 2 deletions(-) [+]
--- a/xml/en/docs/http/ngx_http_ssl_module.xml
+++ b/xml/en/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Module ngx_http_ssl_module"
         link="/en/docs/http/ngx_http_ssl_module.html"
         lang="en"
-        rev="50">
+        rev="51">
 
 <section id="summary">
 
@@ -605,6 +605,39 @@ OpenSSL 1.1.1 built with TLSv1.3 support
 </directive>
 
 
+<directive name="ssl_reject_handshake">
+<syntax><literal>on</literal> | <literal>off</literal></syntax>
+<default>off</default>
+<context>http</context>
+<context>server</context>
+<appeared-in>1.19.4</appeared-in>
+
+<para>
+If enabled, SSL handshakes in
+the <link doc="ngx_http_core_module.xml" id="server"/> block will be rejected.
+</para>
+
+<para>
+For example, in the following configuration, SSL handshakes with
+server names other than <literal>example.com</literal> are rejected:
+<example>
+server {
+    listen               443 ssl;
+    ssl_reject_handshake on;
+}
+
+server {
+    listen              443 ssl;
+    server_name         example.com;
+    ssl_certificate     example.com.crt;
+    ssl_certificate_key example.com.key;
+}
+</example>
+</para>
+
+</directive>
+
+
 <directive name="ssl_session_cache">
 <syntax>
     <literal>off</literal> |
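Review bot: The example in the new `ssl_reject_handshake` section depends on the first `server` block being the default server for port 443, but neither the prose nor the listing says so. Handshakes with an unknown server name, or presumably with no server name at all, are rejected only because they fall through to that block; if the two blocks were reordered, they would instead be served by the `example.com` block with its certificate. I would make this explicit in the listing with `listen 443 ssl default_server;` in the first block. I would also add a sentence to the second paragraph such as `The rejecting server must be the default server for the listening socket.` The same listing appears in the Russian hunk and would need the same change.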
--- a/xml/ru/docs/http/ngx_http_ssl_module.xml
+++ b/xml/ru/docs/http/ngx_http_ssl_module.xml
@@ -10,7 +10,7 @@
 <module name="Модуль ngx_http_ssl_module"
         link="/ru/docs/http/ngx_http_ssl_module.html"
         lang="ru"
-        rev="50">
+        rev="51">
 
 <section id="summary">
 
@@ -609,6 +609,39 @@ http {
 </directive>
 
 
+<directive name="ssl_reject_handshake">
+<syntax><literal>on</literal> | <literal>off</literal></syntax>
+<default>off</default>
+<context>http</context>
+<context>server</context>
+<appeared-in>1.19.4</appeared-in>
+
+<para>
+Если разрешено, то операции SSL handshake в
+блоке <link doc="ngx_http_core_module.xml" id="server"/> будут отклонены.
+</para>
+
+<para>
+Например в этой конфигурации отклоняются все операции SSL handshake с
+именем сервера, отличным от <literal>example.com</literal>:
+<example>
+server {
+    listen               443 ssl;
+    ssl_reject_handshake on;
+}
+
+server {
+    listen              443 ssl;
+    server_name         example.com;
+    ssl_certificate     example.com.crt;
+    ssl_certificate_key example.com.key;
+}
+</example>
+</para>
+
+</directive>
+
+
 <directive name="ssl_session_cache">
 <syntax>
     <literal>off</literal> |