on | off
Determines whether SSL sessions can be reused when working with\nthe gRPC server.\nIf the errors\n“SSL3_GET_FINISHED:digest check failed”\nappear in the logs, try disabling session reuse.
Determines whether SSL sessions can be reused when working with\nthe gRPC server.\nIf the errors\n“digest check failed”\nappear in the logs, try disabling session reuse.
on | off
Determines whether SSL sessions can be reused when working with\nthe proxied server.\nIf the errors\n“SSL3_GET_FINISHED:digest check failed”\nappear in the logs, try disabling session reuse.
Determines whether SSL sessions can be reused when working with\nthe proxied server.\nIf the errors\n“digest check failed”\nappear in the logs, try disabling session reuse.
file
Specifies a file with the certificate in the PEM format\nfor the given virtual server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 443 ssl;\n server_name example.com;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate\ncertificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
Since version 1.15.9, variables can be used in the file name\nwhen using OpenSSL 1.0.2 or higher:
ssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nNote that using variables implies that\na certificate will be loaded for each SSL handshake,\nand this may have a negative impact on performance.
\n\nThe value\ndata:$variable\ncan be specified instead of the file (1.15.10),\nwhich loads a certificate from a variable\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
It should be kept in mind that due to the HTTPS protocol limitations\nfor maximum interoperability virtual servers should listen on\ndifferent IP addresses.
\n" + "description_md": "Specifies a *`file`* with the certificate in the PEM format\nfor the given virtual server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.\n\nSince version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:\n```\nserver {\n listen 443 ssl;\n server_name example.com;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n```\n> Only OpenSSL 1.0.2 or higher supports separate\n> [certificate chains](https://nginx.org/en/docs/http/configuring_https_servers.html#chains)\n> for different certificates.\n> With older versions, only one certificate chain can be used.\n\nSince version 1.15.9, variables can be used in the *`file`* name\nwhen using OpenSSL 1.0.2 or higher:\n```\nssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\n```\nNote that using variables implies that\na certificate will be loaded for each SSL handshake,\nand this may have a negative impact on performance.\n\nThe value\n`data`:*`$variable`*\ncan be specified instead of the *`file`* (1.15.10),\nwhich loads a certificate from a variable\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\n[error log](https://nginx.org/en/docs/ngx_core_module.html#error_log).\n\nIt should be kept in mind that due to the SSL/TLS protocol limitations,\nfor maximum interoperability with clients that do not use\n[SNI](http://en.wikipedia.org/wiki/Server_Name_Indication),\nvirtual servers with different certificates should listen on\n[different IP addresses](https://nginx.org/en/docs/http/configuring_https_servers.html#name_based_https_servers).", + "description_html": "Specifies a file with the certificate in the PEM format\nfor the given virtual server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 443 ssl;\n server_name example.com;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate\ncertificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
Since version 1.15.9, variables can be used in the file name\nwhen using OpenSSL 1.0.2 or higher:
ssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nNote that using variables implies that\na certificate will be loaded for each SSL handshake,\nand this may have a negative impact on performance.
\n\nThe value\ndata:$variable\ncan be specified instead of the file (1.15.10),\nwhich loads a certificate from a variable\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
It should be kept in mind that due to the SSL/TLS protocol limitations,\nfor maximum interoperability with clients that do not use\nSNI,\nvirtual servers with different certificates should listen on\ndifferent IP addresses.
\n" }, { "name": "ssl_certificate_cache", @@ -8913,8 +8913,8 @@ "off | [shared:name:size]
Sets name and size of the cache\nthat stores client certificates status for OCSP validation.\nThe cache is shared between all worker processes.\nA cache with the same name can be used in several virtual servers.
The off parameter prohibits the use of the cache.
Sets name and size of the cache\nthat stores client certificates status for OCSP validation.\nThe cache is shared between all worker processes.\nA cache with the same name can be used in several\nvirtual servers.
The off parameter prohibits the use of the cache.
on | off
Specifies that server ciphers should be preferred over client\nciphers when using the SSLv3 and TLS protocols.
\n" + "description_md": "Specifies that server ciphers should be preferred over client ciphers\nwhen the SSLv3 and TLS protocols are used.", + "description_html": "Specifies that server ciphers should be preferred over client ciphers\nwhen the SSLv3 and TLS protocols are used.
\n" }, { "name": "ssl_protocols", @@ -9015,8 +9015,8 @@ "off | none | [builtin[:size]] [shared:name:size]
Sets the types and sizes of caches that store session parameters.\nA cache can be of any of the following types:
\n\noff
the use of a session cache is strictly prohibited:\nnginx explicitly tells a client that sessions may not be reused.
none
the use of a session cache is gently disallowed:\nnginx tells a client that sessions may be reused, but does not\nactually store session parameters in the cache.
builtin
a cache built in OpenSSL; used by one worker process only.\nThe cache size is specified in sessions.\nIf size is not given, it is equal to 20480 sessions.\nUse of the built-in cache can cause memory fragmentation.
shared
a cache shared between all worker processes.\nThe cache size is specified in bytes; one megabyte can store\nabout 4000 sessions.\nEach shared cache should have an arbitrary name.\nA cache with the same name can be used in several virtual servers.\nIt is also used to automatically generate, store, and\nperiodically rotate TLS session ticket keys (1.23.2)\nunless configured explicitly\nusing the ssl_session_ticket_key directive.
Both cache types can be used simultaneously, for example:
\n\nssl_session_cache builtin:1000 shared:SSL:10m;\nbut using only shared cache without the built-in cache should\nbe more efficient.
\n" + "description_md": "Sets the types and sizes of caches that store session parameters.\nA cache can be of any of the following types:\n- `off`\n\n the use of a session cache is strictly prohibited:\n nginx explicitly tells a client that sessions may not be reused.\n- `none`\n\n the use of a session cache is gently disallowed:\n nginx tells a client that sessions may be reused, but does not\n actually store session parameters in the cache.\n- `builtin`\n\n a cache built in OpenSSL; used by one worker process only.\n The cache size is specified in sessions.\n If size is not given, it is equal to 20480 sessions.\n Use of the built-in cache can cause memory fragmentation.\n- `shared`\n\n a cache shared between all worker processes.\n The cache size is specified in bytes; one megabyte can store\n about 4000 sessions.\n Each shared cache should have an arbitrary name.\n A cache with the same name can be used in several\n virtual servers.\n It is also used to automatically generate, store, and\n periodically rotate TLS session ticket keys (1.23.2)\n unless configured explicitly\n using the [`ssl_session_ticket_key`](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) directive.\n\nBoth cache types can be used simultaneously, for example:\n```\nssl_session_cache builtin:1000 shared:SSL:10m;\n```\nbut using only shared cache without the built-in cache should\nbe more efficient.", + "description_html": "Sets the types and sizes of caches that store session parameters.\nA cache can be of any of the following types:
\n\noff
the use of a session cache is strictly prohibited:\nnginx explicitly tells a client that sessions may not be reused.
none
the use of a session cache is gently disallowed:\nnginx tells a client that sessions may be reused, but does not\nactually store session parameters in the cache.
builtin
a cache built in OpenSSL; used by one worker process only.\nThe cache size is specified in sessions.\nIf size is not given, it is equal to 20480 sessions.\nUse of the built-in cache can cause memory fragmentation.
shared
a cache shared between all worker processes.\nThe cache size is specified in bytes; one megabyte can store\nabout 4000 sessions.\nEach shared cache should have an arbitrary name.\nA cache with the same name can be used in several\nvirtual servers.\nIt is also used to automatically generate, store, and\nperiodically rotate TLS session ticket keys (1.23.2)\nunless configured explicitly\nusing the ssl_session_ticket_key directive.
Both cache types can be used simultaneously, for example:
\n\nssl_session_cache builtin:1000 shared:SSL:10m;\nbut using only shared cache without the built-in cache should\nbe more efficient.
\n" }, { "name": "ssl_session_ticket_key", @@ -11109,8 +11109,8 @@ "on | off
Determines whether SSL sessions can be reused when working with\na secured uwsgi server.\nIf the errors\n“SSL3_GET_FINISHED:digest check failed”\nappear in the logs, try disabling session reuse.
Determines whether SSL sessions can be reused when working with\na secured uwsgi server.\nIf the errors\n“digest check failed”\nappear in the logs, try disabling session reuse.
file
Specifies a file with the certificate in the PEM format\nfor the given server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 993 ssl;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate certificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
The value\ndata:certificate\ncan be specified instead of the file (1.15.10),\nwhich loads a certificate without using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
Specifies a file with the certificate in the PEM format\nfor the given server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 993 ssl;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate\ncertificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
The value\ndata:certificate\ncan be specified instead of the file (1.15.10),\nwhich loads a certificate\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
on | off
Determines whether SSL sessions can be reused when working with\nthe proxied server.\nIf the errors\n“SSL3_GET_FINISHED:digest check failed”\nappear in the logs, try disabling session reuse.
Determines whether SSL sessions can be reused when working with\nthe proxied server.\nIf the errors\n“digest check failed”\nappear in the logs, try disabling session reuse.
file
Specifies a file with the certificate in the PEM format\nfor the given server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 12345 ssl;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate certificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
Since version 1.15.9, variables can be used in the file name\nwhen using OpenSSL 1.0.2 or higher:
ssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nNote that using variables implies that\na certificate will be loaded for each SSL handshake,\nand this may have a negative impact on performance.
\n\nThe value\ndata:$variable\ncan be specified instead of the file (1.15.10),\nwhich loads a certificate from a variable without using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
Specifies a file with the certificate in the PEM format\nfor the given virtual server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 12345 ssl;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate\ncertificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
Since version 1.15.9, variables can be used in the file name\nwhen using OpenSSL 1.0.2 or higher:
ssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nNote that using variables implies that\na certificate will be loaded for each SSL handshake,\nand this may have a negative impact on performance.
\n\nThe value\ndata:$variable\ncan be specified instead of the file (1.15.10),\nwhich loads a certificate from a variable\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
It should be kept in mind that due to the SSL/TLS protocol limitations,\nfor maximum interoperability with clients that do not use\nSNI,\nvirtual servers with different certificates should listen on\ndifferent IP addresses.
\n" }, { "name": "ssl_certificate_cache", @@ -15337,8 +15337,8 @@ "file
Specifies a file with the secret key in the PEM format\nfor the given server.
The value\nengine:name:id\ncan be specified instead of the file,\nwhich loads a secret key with a specified id\nfrom the OpenSSL engine name.
The value\ndata:$variable\ncan be specified instead of the file (1.15.10),\nwhich loads a secret key from a variable without using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
Since version 1.15.9, variables can be used in the file name\nwhen using OpenSSL 1.0.2 or higher.
Specifies a file with the secret key in the PEM format\nfor the given virtual server.
The value\nengine:name:id\ncan be specified instead of the file,\nwhich loads a secret key with a specified id\nfrom the OpenSSL engine name.
The value\ndata:$variable\ncan be specified instead of the file (1.15.10),\nwhich loads a secret key from a variable without using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
Since version 1.15.9, variables can be used in the file name\nwhen using OpenSSL 1.0.2 or higher.
off | [shared:name:size]
Sets name and size of the cache\nthat stores client certificates status for OCSP validation.\nThe cache is shared between all worker processes.\nA cache with the same name can be used in several virtual servers.
The off parameter prohibits the use of the cache.
Sets name and size of the cache\nthat stores client certificates status for OCSP validation.\nThe cache is shared between all worker processes.\nA cache with the same name can be used in several\nvirtual servers.
The off parameter prohibits the use of the cache.
[SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
Enables the specified protocols.
\n\nIf the directive is specified\non the server level,\nthe value from the default server can be used.
\n\n" + "description_md": "Enables the specified protocols.\n\nIf the directive is specified\non the [`server`](https://nginx.org/en/docs/stream/ngx_stream_core_module.html#server) level,\nthe value from the default server can be used.\nDetails are provided in the\n“[Virtual server selection](https://nginx.org/en/docs/http/server_names.html#virtual_server_selection)” section.\n\n> The `TLSv1.1` and `TLSv1.2` parameters\n> work only when OpenSSL 1.0.1 or higher is used.\n\n> The `TLSv1.3` parameter (1.13.0) works only when\n> OpenSSL 1.1.1 or higher is used.\n\n> The `TLSv1.3` parameter is used by default\n> since 1.23.4.", + "description_html": "The
\n\nTLSv1.1andTLSv1.2parameters work\nonly when OpenSSL 1.0.1 or higher is used.The
\n\nTLSv1.3parameter (1.13.0) works only when\nOpenSSL 1.1.1 or higher is used.The
\nTLSv1.3parameter is used by default\nsince 1.23.4.
Enables the specified protocols.
\n\nIf the directive is specified\non the server level,\nthe value from the default server can be used.\nDetails are provided in the\n“Virtual server selection” section.
\n\n" }, { "name": "ssl_reject_handshake", @@ -15609,8 +15609,8 @@ "The
\n\nTLSv1.1andTLSv1.2parameters\nwork only when OpenSSL 1.0.1 or higher is used.The
\n\nTLSv1.3parameter (1.13.0) works only when\nOpenSSL 1.1.1 or higher is used.The
\nTLSv1.3parameter is used by default\nsince 1.23.4.
off | none | [builtin[:size]] [shared:name:size]
Sets the types and sizes of caches that store session parameters.\nA cache can be of any of the following types:
\n\noff
the use of a session cache is strictly prohibited:\nnginx explicitly tells a client that sessions may not be reused.
none
the use of a session cache is gently disallowed:\nnginx tells a client that sessions may be reused, but does not\nactually store session parameters in the cache.
builtin
a cache built in OpenSSL; used by one worker process only.\nThe cache size is specified in sessions.\nIf size is not given, it is equal to 20480 sessions.\nUse of the built-in cache can cause memory fragmentation.
shared
a cache shared between all worker processes.\nThe cache size is specified in bytes; one megabyte can store\nabout 4000 sessions.\nEach shared cache should have an arbitrary name.\nA cache with the same name can be used in several\nservers.\nIt is also used to automatically generate, store, and\nperiodically rotate TLS session ticket keys (1.23.2)\nunless configured explicitly\nusing the ssl_session_ticket_key directive.
Both cache types can be used simultaneously, for example:
\n\nssl_session_cache builtin:1000 shared:SSL:10m;\nbut using only shared cache without the built-in cache should\nbe more efficient.
\n" + "description_md": "Sets the types and sizes of caches that store session parameters.\nA cache can be of any of the following types:\n- `off`\n\n the use of a session cache is strictly prohibited:\n nginx explicitly tells a client that sessions may not be reused.\n- `none`\n\n the use of a session cache is gently disallowed:\n nginx tells a client that sessions may be reused, but does not\n actually store session parameters in the cache.\n- `builtin`\n\n a cache built in OpenSSL; used by one worker process only.\n The cache size is specified in sessions.\n If size is not given, it is equal to 20480 sessions.\n Use of the built-in cache can cause memory fragmentation.\n- `shared`\n\n a cache shared between all worker processes.\n The cache size is specified in bytes; one megabyte can store\n about 4000 sessions.\n Each shared cache should have an arbitrary name.\n A cache with the same name can be used in several\n virtual servers.\n It is also used to automatically generate, store, and\n periodically rotate TLS session ticket keys (1.23.2)\n unless configured explicitly\n using the [`ssl_session_ticket_key`](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_session_ticket_key) directive.\n\nBoth cache types can be used simultaneously, for example:\n```\nssl_session_cache builtin:1000 shared:SSL:10m;\n```\nbut using only shared cache without the built-in cache should\nbe more efficient.", + "description_html": "Sets the types and sizes of caches that store session parameters.\nA cache can be of any of the following types:
\n\noff
the use of a session cache is strictly prohibited:\nnginx explicitly tells a client that sessions may not be reused.
none
the use of a session cache is gently disallowed:\nnginx tells a client that sessions may be reused, but does not\nactually store session parameters in the cache.
builtin
a cache built in OpenSSL; used by one worker process only.\nThe cache size is specified in sessions.\nIf size is not given, it is equal to 20480 sessions.\nUse of the built-in cache can cause memory fragmentation.
shared
a cache shared between all worker processes.\nThe cache size is specified in bytes; one megabyte can store\nabout 4000 sessions.\nEach shared cache should have an arbitrary name.\nA cache with the same name can be used in several\nvirtual servers.\nIt is also used to automatically generate, store, and\nperiodically rotate TLS session ticket keys (1.23.2)\nunless configured explicitly\nusing the ssl_session_ticket_key directive.
Both cache types can be used simultaneously, for example:
\n\nssl_session_cache builtin:1000 shared:SSL:10m;\nbut using only shared cache without the built-in cache should\nbe more efficient.
\n" }, { "name": "ssl_session_ticket_key", @@ -16536,5 +16536,5 @@ ] } ], - "version": "https://github.com/nginx/nginx.org/commit/7ce55f6a9579d4b928d03f94e3a7901767ea9a50" + "version": "https://github.com/nginx/nginx.org/commit/602b6808b4d5ebe0d52b366bb95015116523cf54" }