changeset 2304:f4b9660316c5

Updated docs for the upcoming NGINX Plus release.
author Ruslan Ermilov <ru@nginx.com>
date Mon, 10 Dec 2018 12:35:00 +0300
parents 8da870c88c75
children 5e869428d52e
files xml/en/docs/http/ngx_http_auth_jwt_module.xml xml/en/docs/stream/ngx_stream_zone_sync_module.xml xml/ru/docs/http/ngx_http_auth_jwt_module.xml
diffstat 3 files changed, 132 insertions(+), 6 deletions(-) [+]
--- a/xml/en/docs/http/ngx_http_auth_jwt_module.xml
+++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml
@@ -9,7 +9,7 @@
 <module name="Module ngx_http_auth_jwt_module"
         link="/en/docs/http/ngx_http_auth_jwt_module.html"
         lang="en"
-        rev="7">
+        rev="8">
 
 <section id="summary">
 
@@ -38,7 +38,7 @@ via the <link doc="ngx_http_core_module.
 
 <para>
 The module supports the following cryptographic
-<link url="https://tools.ietf.org/html/rfc7518#section-3.1">algorithms</link>:
+<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">algorithms</link>:
 
 <list type="bullet">
 
@@ -54,6 +54,10 @@ RS256, RS384, RS512
 ES256, ES384, ES512
 </listitem>
 
+<listitem>
+EdDSA (Ed25519 and Ed448 signatures) (1.15.7)
+</listitem>
+
 </list>
 
 Prior to version 1.13.7,
@@ -190,6 +194,45 @@ Parameter value can contain variables.
 </directive>
 
 
+<directive name="auth_jwt_key_request">
+<syntax><value>uri</value></syntax>
+<default/>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+<context>limit_except</context>
+<appeared-in>1.15.6</appeared-in>
+
+<para>
+Allows retrieving a
+<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link>
+file from a subrequest for validating JWT signature and
+sets the URI where the subrequest will be sent to.
+To avoid validation overhead,
+it is recommended to cache the key file:
+<example>
+proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m;
+
+server {
+    ...
+
+    location / {
+        auth_jwt             "closed site";
+        auth_jwt_key_request /jwks_uri;
+    }
+
+    location = /jwks_uri {
+        internal;
+        proxy_cache foo;
+        proxy_pass  http://idp.example.com/keys;
+    }
+}
+</example>
+</para>
+
+</directive>
+
+
 <directive name="auth_jwt_leeway">
 <syntax><value>time</value></syntax>
 <default>0s</default>
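Review bot: The configuration example in the new `auth_jwt_key_request` directive fetches the key set with `proxy_pass http://idp.example.com/keys;`, i.e. over plaintext HTTP, even though the retrieved JWKS is the trust anchor for every signature the module accepts; the identical example appears in the Russian hunk of xml/ru/docs/http/ngx_http_auth_jwt_module.xml. Anyone able to alter that response could substitute their own keys, so the documented example should show a verified TLS origin, e.g. `proxy_pass https://idp.example.com/keys;` together with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /path/to/ca.pem;` (placeholder path) in the `/jwks_uri` location, keeping the existing `internal;` so the endpoint is not reachable by clients. It would also help to add a sentence to the prose noting that caching the key file bounds how quickly a key rotation at the identity provider takes effect, so the cache lifetime (e.g. via `proxy_cache_valid`) should be chosen with that in mind.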
--- a/xml/en/docs/stream/ngx_stream_zone_sync_module.xml
+++ b/xml/en/docs/stream/ngx_stream_zone_sync_module.xml
@@ -9,7 +9,7 @@
 <module name="Module ngx_stream_zone_sync_module"
         link="/en/docs/stream/ngx_stream_zone_sync_module.html"
         lang="en"
-        rev="3">
+        rev="4">
 
 <section id="summary">
 
@@ -208,7 +208,7 @@ A domain name that resolves to several I
 multiple nodes at once.
 </para>
 
-<para>
+<para id="resolve">
 The <literal>resolve</literal> parameter instructs nginx to monitor
 changes of the IP addresses that correspond to a domain name of the node
 and automatically modify the configuration
@@ -325,6 +325,29 @@ the certificate of another cluster serve
 </directive>
 
 
+<directive name="zone_sync_ssl_name">
+<syntax><value>name</value></syntax>
+<default>host from zone_sync_server</default>
+<context>stream</context>
+<context>server</context>
+<appeared-in>1.15.7</appeared-in>
+
+<para>
+Allows overriding the server name used to
+<link id="zone_sync_ssl_verify">verify</link>
+the certificate of a cluster server and to be
+<link id="zone_sync_ssl_server_name">passed through SNI</link>
+when establishing a connection with the cluster server.
+</para>
+
+<para>
+By default, the host part of the <link id="zone_sync_server"/> address is used,
+or resolved IP address if the <link id="resolve"/> parameter is specified.
+</para>
+
+</directive>
+
+
 <directive name="zone_sync_ssl_password_file">
 <syntax><value>file</value></syntax>
 <default/>
@@ -360,6 +383,23 @@ Enables the specified protocols for conn
 </directive>
 
 
+<directive name="zone_sync_ssl_server_name">
+<syntax><literal>on</literal> | <literal>off</literal></syntax>
+<default>off</default>
+<context>stream</context>
+<context>server</context>
+<appeared-in>1.15.7</appeared-in>
+
+<para>
+Enables or disables passing of the server name through
+<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS
+Server Name Indication extension</link> (SNI, RFC 6066)
+when establishing a connection with another cluster server.
+</para>
+
+</directive>
+
+
 <directive name="zone_sync_ssl_trusted_certificate">
 <syntax><value>file</value></syntax>
 <default/>
--- a/xml/ru/docs/http/ngx_http_auth_jwt_module.xml
+++ b/xml/ru/docs/http/ngx_http_auth_jwt_module.xml
@@ -9,7 +9,7 @@
 <module name="Модуль ngx_http_auth_jwt_module"
         link="/ru/docs/http/ngx_http_auth_jwt_module.html"
         lang="ru"
-        rev="7">
+        rev="8">
 
 <section id="summary">
 
@@ -36,7 +36,7 @@ JWT claims должны быть зашифрованы в структуре
 
 <para>
 Модуль поддерживает следующие криптографические
-<link url="https://tools.ietf.org/html/rfc7518#section-3.1">алгоритмы</link>:
+<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">алгоритмы</link>:
 
 <list type="bullet">
 
@@ -52,6 +52,10 @@ RS256, RS384, RS512
 ES256, ES384, ES512
 </listitem>
 
+<listitem>
+EdDSA (подписи Ed25519 и Ed448) (1.15.7)
+</listitem>
+
 </list>
 
 До версии 1.13.7
@@ -188,6 +192,45 @@ location / {
 </directive>
 
 
+<directive name="auth_jwt_key_request">
+<syntax><value>uri</value></syntax>
+<default/>
+<context>http</context>
+<context>server</context>
+<context>location</context>
+<context>limit_except</context>
+<appeared-in>1.15.6</appeared-in>
+
+<para>
+Позволяет получать файл в формате
+<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link>
+из подзапроса для проверки подписи JWT и
+задаёт URI, на который будет отправлен подзапрос.
+Для предотвращения дополнительных затрат на проверку
+файл рекомендутеся кэшировать.
+<example>
+proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m;
+
+server {
+    ...
+
+    location / {
+        auth_jwt             "closed site";
+        auth_jwt_key_request /jwks_uri;
+    }
+
+    location = /jwks_uri {
+        internal;
+        proxy_cache foo;
+        proxy_pass  http://idp.example.com/keys;
+    }
+}
+</example>
+</para>
+
+</directive>
+
+
 <directive name="auth_jwt_leeway">
 <syntax><value>время</value></syntax>
 <default>0s</default>