changeset 2304:f4b9660316c5
Updated docs for the upcoming NGINX Plus release.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Mon, 10 Dec 2018 12:35:00 +0300 |
parents | 8da870c88c75 |
children | 5e869428d52e |
files | xml/en/docs/http/ngx_http_auth_jwt_module.xml xml/en/docs/stream/ngx_stream_zone_sync_module.xml xml/ru/docs/http/ngx_http_auth_jwt_module.xml |
diffstat | 3 files changed, 132 insertions(+), 6 deletions(-) [+] |
--- a/xml/en/docs/http/ngx_http_auth_jwt_module.xml +++ b/xml/en/docs/http/ngx_http_auth_jwt_module.xml @@ -9,7 +9,7 @@ <module name="Module ngx_http_auth_jwt_module" link="/en/docs/http/ngx_http_auth_jwt_module.html" lang="en" - rev="7"> + rev="8"> <section id="summary"> @@ -38,7 +38,7 @@ via the <link doc="ngx_http_core_module. <para> The module supports the following cryptographic -<link url="https://tools.ietf.org/html/rfc7518#section-3.1">algorithms</link>: +<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">algorithms</link>: <list type="bullet"> @@ -54,6 +54,10 @@ RS256, RS384, RS512 ES256, ES384, ES512 </listitem> +<listitem> +EdDSA (Ed25519 and Ed448 signatures) (1.15.7) +</listitem> + </list> Prior to version 1.13.7, @@ -190,6 +194,45 @@ Parameter value can contain variables. </directive> +<directive name="auth_jwt_key_request"> +<syntax><value>uri</value></syntax> +<default/> +<context>http</context> +<context>server</context> +<context>location</context> +<context>limit_except</context> +<appeared-in>1.15.6</appeared-in> + +<para> +Allows retrieving a +<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link> +file from a subrequest for validating JWT signature and +sets the URI where the subrequest will be sent to. +To avoid validation overhead, +it is recommended to cache the key file: +<example> +proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m; + +server { + ... + + location / { + auth_jwt "closed site"; + auth_jwt_key_request /jwks_uri; + } + + location = /jwks_uri { + internal; + proxy_cache foo; + proxy_pass http://idp.example.com/keys; + } +} +</example> +</para> + +</directive> + + <directive name="auth_jwt_leeway"> <syntax><value>time</value></syntax> <default>0s</default>
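Review bot: The auth_jwt_key_request example fetches the JSON Web Key Set over plain HTTP (`proxy_pass http://idp.example.com/keys;`) even though that key set is what every JWT signature is then validated against, so a reader who copies the example inherits an unauthenticated key source. Suggest `proxy_pass https://idp.example.com/keys;` in the example, plus a sentence after "it is recommended to cache the key file" along the lines of `The key set should be retrieved over TLS from the trusted issuer, since a substituted key set would make any token pass validation.` The example also turns on `proxy_cache foo` without saying how long the cached key set stays valid; a short note that a rotated key at the issuer is only picked up once the cached response expires (governed by the usual proxy_cache validity rules, which are not shown here) would spare readers a surprise. The same example is added to the Russian file xml/ru/docs/http/ngx_http_auth_jwt_module.xml in this changeset.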
--- a/xml/en/docs/stream/ngx_stream_zone_sync_module.xml +++ b/xml/en/docs/stream/ngx_stream_zone_sync_module.xml @@ -9,7 +9,7 @@ <module name="Module ngx_stream_zone_sync_module" link="/en/docs/stream/ngx_stream_zone_sync_module.html" lang="en" - rev="3"> + rev="4"> <section id="summary"> @@ -208,7 +208,7 @@ A domain name that resolves to several I multiple nodes at once. </para> -<para> +<para id="resolve"> The <literal>resolve</literal> parameter instructs nginx to monitor changes of the IP addresses that correspond to a domain name of the node and automatically modify the configuration @@ -325,6 +325,29 @@ the certificate of another cluster serve </directive> +<directive name="zone_sync_ssl_name"> +<syntax><value>name</value></syntax> +<default>host from zone_sync_server</default> +<context>stream</context> +<context>server</context> +<appeared-in>1.15.7</appeared-in> + +<para> +Allows overriding the server name used to +<link id="zone_sync_ssl_verify">verify</link> +the certificate of a cluster server and to be +<link id="zone_sync_ssl_server_name">passed through SNI</link> +when establishing a connection with the cluster server. +</para> + +<para> +By default, the host part of the <link id="zone_sync_server"/> address is used, +or resolved IP address if the <link id="resolve"/> parameter is specified. +</para> + +</directive> + + <directive name="zone_sync_ssl_password_file"> <syntax><value>file</value></syntax> <default/> 
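Review bot: The second paragraph of the new zone_sync_ssl_name directive states that when the `resolve` parameter is used the default verification name is the resolved IP address, which presumably means the certificate check enabled by zone_sync_ssl_verify is then matched against an IP rather than the node's DNS name; the text should spell out the consequence so operators know their cluster certificates must cover those IP addresses or that the directive must be set explicitly. Suggest appending to that paragraph: `When resolve is used, set zone_sync_ssl_name explicitly unless the cluster certificates are issued for the resolved IP addresses.` It would also help to say that the same name is the one sent via SNI when zone_sync_ssl_server_name is on, so that an IP-based default and SNI interact as the reader expects.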
@@ -360,6 +383,23 @@ Enables the specified protocols for conn </directive> +<directive name="zone_sync_ssl_server_name"> +<syntax><literal>on</literal> | <literal>off</literal></syntax> +<default>off</default> +<context>stream</context> +<context>server</context> +<appeared-in>1.15.7</appeared-in> + +<para> +Enables or disables passing of the server name through +<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS +Server Name Indication extension</link> (SNI, RFC 6066) +when establishing a connection with another cluster server. +</para> + +</directive> + + <directive name="zone_sync_ssl_trusted_certificate"> <syntax><value>file</value></syntax> <default/>
--- a/xml/ru/docs/http/ngx_http_auth_jwt_module.xml +++ b/xml/ru/docs/http/ngx_http_auth_jwt_module.xml @@ -9,7 +9,7 @@ <module name="Модуль ngx_http_auth_jwt_module" link="/ru/docs/http/ngx_http_auth_jwt_module.html" lang="ru" - rev="7"> + rev="8"> <section id="summary"> @@ -36,7 +36,7 @@ JWT claims должны быть зашифрованы в структуре <para> Модуль поддерживает следующие криптографические -<link url="https://tools.ietf.org/html/rfc7518#section-3.1">алгоритмы</link>: +<link url="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms">алгоритмы</link>: <list type="bullet"> @@ -52,6 +52,10 @@ RS256, RS384, RS512 ES256, ES384, ES512 </listitem> +<listitem> +EdDSA (подписи Ed25519 и Ed448) (1.15.7) +</listitem> + </list> До версии 1.13.7 @@ -188,6 +192,45 @@ location / { </directive> +<directive name="auth_jwt_key_request"> +<syntax><value>uri</value></syntax> +<default/> +<context>http</context> +<context>server</context> +<context>location</context> +<context>limit_except</context> +<appeared-in>1.15.6</appeared-in> + +<para> +Позволяет получать файл в формате +<link url="https://tools.ietf.org/html/rfc7517#section-5">JSON Web Key Set</link> +из подзапроса для проверки подписи JWT и +задаёт URI, на который будет отправлен подзапрос. +Для предотвращения дополнительных затрат на проверку +файл рекомендутеся кэшировать. +<example> +proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m; + +server { + ... + + location / { + auth_jwt "closed site"; + auth_jwt_key_request /jwks_uri; + } + + location = /jwks_uri { + internal; + proxy_cache foo; + proxy_pass http://idp.example.com/keys; + } +} +</example> +</para> + +</directive> + + <directive name="auth_jwt_leeway"> <syntax><value>время</value></syntax> <default>0s</default>
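Review bot: The new Russian paragraph for auth_jwt_key_request has a typo in `файл рекомендутеся кэшировать.`, which should read `файл рекомендуется кэшировать:`. The English counterpart ends that sentence with a colon introducing the example, so the Russian text should do the same rather than close with a full stop before the `<example>`.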