comparison xml/en/docs/http/ngx_http_ssl_module.xml @ 966:95c3c3bbf1ce
Text review.
author | Egor Nikitin <yegor.nikitin@gmail.com> |
---|---|
date | Wed, 14 Aug 2013 12:03:41 +0400 |
parents | d7f2325fa832 |
children | 2b6a858c60dc |
965:fadccc156188 | 966:95c3c3bbf1ce |
---|---|
45 <listitem> | 45 <listitem> |
46 enable keep-alive connections, | 46 enable keep-alive connections, |
47 </listitem> | 47 </listitem> |
48 | 48 |
49 <listitem> | 49 <listitem> |
50 enable shared session cache, | 50 enable the shared session cache, |
51 </listitem> | 51 </listitem> |
52 | 52 |
53 <listitem> | 53 <listitem> |
54 disable built-in session cache, | 54 disable the built-in session cache, |
55 </listitem> | 55 </listitem> |
56 | 56 |
57 <listitem> | 57 <listitem> |
58 and possibly increase the session lifetime (by default, 5 minutes): | 58 and possibly increase the session lifetime (by default, 5 minutes): |
59 </listitem> | 59 </listitem> |
111 <default/> | 111 <default/> |
112 <context>http</context> | 112 <context>http</context> |
113 <context>server</context> | 113 <context>server</context> |
114 | 114 |
115 <para> | 115 <para> |
116 Specifies a <value>file</value> with a certificate in the PEM format | 116 Specifies a <value>file</value> with the certificate in the PEM format |
117 for the given virtual server. | 117 for the given virtual server. |
118 If intermediate certificates should be specified in addition | 118 If intermediate certificates should be specified in addition |
119 to a primary certificate, they should be specified in the same file | 119 to a primary certificate, they should be specified in the same file |
120 in the following order: the primary certificate comes first, then | 120 in the following order: the primary certificate comes first, then |
121 the intermediate certificates. | 121 the intermediate certificates. |
154 <default/> | 154 <default/> |
155 <context>http</context> | 155 <context>http</context> |
156 <context>server</context> | 156 <context>server</context> |
157 | 157 |
158 <para> | 158 <para> |
159 Specifies a <value>file</value> with a secret key in the PEM format | 159 Specifies a <value>file</value> with the secret key in the PEM format |
160 for the given virtual server. | 160 for the given virtual server. |
161 </para> | 161 </para> |
162 | 162 |
163 </directive> | 163 </directive> |
164 | 164 |
269 <context>http</context> | 269 <context>http</context> |
270 <context>server</context> | 270 <context>server</context> |
271 | 271 |
272 <para> | 272 <para> |
273 Enables the specified protocols. | 273 Enables the specified protocols. |
274 The parameters <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> work | 274 The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters work |
275 only when using the OpenSSL library version 1.0.1 and higher. | 275 only when the OpenSSL library of version 1.0.1 or higher is used. |
276 <note> | 276 <note> |
277 The parameters <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> are | 277 The <literal>TLSv1.1</literal> and <literal>TLSv1.2</literal> parameters are |
278 supported starting from versions 1.1.13 and 1.0.12 | 278 supported starting from versions 1.1.13 and 1.0.12, |
279 so when using OpenSSL version 1.0.1 | 279 so when the OpenSSL version 1.0.1 or higher |
280 and higher on older nginx versions these protocols will work but could not | 280 is used on older nginx versions, these protocols work, but cannot |
281 be disabled. | 281 be disabled. |
282 </note> | 282 </note> |
283 </para> | 283 </para> |
284 | 284 |
285 </directive> | 285 </directive> |
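Review bot: line 279 still reads awkwardly after the rewrite; "when the OpenSSL version 1.0.1 or higher is used on older nginx versions" carries a stray "the", so suggest "when OpenSSL 1.0.1 or higher is used with older nginx versions". The same construction on line 275, "the OpenSSL library of version 1.0.1 or higher is used", can simply be "OpenSSL 1.0.1 or higher is used". Line 278 names "versions 1.1.13 and 1.0.12" without saying what they are versions of; since the same note also talks about OpenSSL versions, spell out "nginx versions 1.1.13 and 1.0.12" so the two version lines are not confused.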
294 <default>none</default> | 294 <default>none</default> |
295 <context>http</context> | 295 <context>http</context> |
296 <context>server</context> | 296 <context>server</context> |
297 | 297 |
298 <para> | 298 <para> |
299 Sets types and sizes of caches that store session parameters. | 299 Sets the types and sizes of caches that store session parameters. |
300 A cache can be any of the following types: | 300 A cache can be of any of the following types: |
301 <list type="tag"> | 301 <list type="tag"> |
302 | 302 |
303 <tag-name><literal>off</literal></tag-name> | 303 <tag-name><literal>off</literal></tag-name> |
304 <tag-desc> | 304 <tag-desc> |
305 the use of session cache is strictly prohibited: | 305 the use of a session cache is strictly prohibited: |
306 nginx explicitly tells a client that sessions may not be reused. | 306 nginx explicitly tells a client that sessions may not be reused. |
307 </tag-desc> | 307 </tag-desc> |
308 | 308 |
309 <tag-name><literal>none</literal></tag-name> | 309 <tag-name><literal>none</literal></tag-name> |
310 <tag-desc> | 310 <tag-desc> |
311 the use of session cache is gently disallowed: | 311 the use of a session cache is gently disallowed: |
312 nginx tells a client that sessions may be reused, but does not | 312 nginx tells a client that sessions may be reused, but does not |
313 actually do that. | 313 actually store session parameters in the cache. |
314 </tag-desc> | 314 </tag-desc> |
315 | 315 |
316 <tag-name><literal>builtin</literal></tag-name> | 316 <tag-name><literal>builtin</literal></tag-name> |
317 <tag-desc> | 317 <tag-desc> |
318 a cache built in OpenSSL; used by one worker process only. | 318 a cache built in OpenSSL; used by one worker process only. |
321 Use of the built-in cache can cause memory fragmentation. | 321 Use of the built-in cache can cause memory fragmentation. |
322 </tag-desc> | 322 </tag-desc> |
323 | 323 |
324 <tag-name><literal>shared</literal></tag-name> | 324 <tag-name><literal>shared</literal></tag-name> |
325 <tag-desc> | 325 <tag-desc> |
326 shared between all worker processes. | 326 a cache shared between all worker processes. |
327 The cache size is specified in bytes; one megabyte can store | 327 The cache size is specified in bytes; one megabyte can store |
328 about 4000 sessions. | 328 about 4000 sessions. |
329 Each shared cache should have an arbitrary name. | 329 Each shared cache should have an arbitrary name. |
330 A cache with the same name can be used in several virtual servers. | 330 A cache with the same name can be used in several virtual servers. |
331 </tag-desc> | 331 </tag-desc> |
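Review bot: the new wording on line 300, "A cache can be of any of the following types", is clumsier than the original; "A cache can be any of the following types" or "A cache can be of one of the following types" reads better. The rewrite of none on line 313 is a clear improvement, since it now states what actually happens (nothing is stored) rather than "does not actually do that", which is what an administrator checking whether session resumption is effective needs to know. Keep the per-worker wording for builtin on line 318 as is: together with the shared description on line 326 it makes the trade-off explicit for anyone following the keep-alive and session-cache checklist earlier in the file.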
376 resolver 192.0.2.1; | 376 resolver 192.0.2.1; |
377 </example> | 377 </example> |
378 </para> | 378 </para> |
379 | 379 |
380 <para> | 380 <para> |
381 For the OCSP stapling to work, the certificate of the issuer of the server | 381 For the OCSP stapling to work, the certificate of the server certificate |
382 certificate should be known. | 382 issuer should be known. |
383 If the <link id="ssl_certificate"/> file does | 383 If the <link id="ssl_certificate"/> file does |
384 not contain intermediate certificates, | 384 not contain intermediate certificates, |
385 the certificate of the issuer of the server certificate should be | 385 the certificate of the server certificate issuer should be |
386 present in the | 386 present in the |
387 <link id="ssl_trusted_certificate"/> file. | 387 <link id="ssl_trusted_certificate"/> file. |
388 </para> | 388 </para> |
389 | 389 |
390 <para> | 390 <para> |
391 The <link doc="ngx_http_core_module.xml" id="resolver"/> directive | 391 For a resolution of the OCSP responder hostname, |
392 should also be specified to allow for a resolution | 392 the <link doc="ngx_http_core_module.xml" id="resolver"/> directive |
393 of an OCSP responder hostname. | 393 should also be specified. |
394 </para> | 394 </para> |
395 | 395 |
396 </directive> | 396 </directive> |
397 | 397 |
398 | 398 |
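Review bot: "For a resolution of the OCSP responder hostname" on line 391 is unidiomatic; suggest "To resolve the OCSP responder hostname, the resolver directive should also be specified." Lines 381-382 and 385 now say "the certificate of the server certificate issuer", which is clearer than the old chain of "of the"; "the issuer certificate of the server certificate" would be equally clear, so either is fine as long as the same phrase is used in both places, which this change does.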
423 <context>http</context> | 423 <context>http</context> |
424 <context>server</context> | 424 <context>server</context> |
425 <appeared-in>1.3.7</appeared-in> | 425 <appeared-in>1.3.7</appeared-in> |
426 | 426 |
427 <para> | 427 <para> |
428 Overrides the URL of OCSP responder specified in the | 428 Overrides the URL of the OCSP responder specified in the |
429 “<link url="http://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority | 429 “<link url="http://tools.ietf.org/html/rfc5280#section-4.2.2.1">Authority |
430 Information Access</link>” certificate extension. | 430 Information Access</link>” certificate extension. |
431 </para> | 431 </para> |
432 | 432 |
433 <para> | 433 <para> |
450 <para> | 450 <para> |
451 Enables or disables verification of OCSP responses by the server. | 451 Enables or disables verification of OCSP responses by the server. |
452 </para> | 452 </para> |
453 | 453 |
454 <para> | 454 <para> |
455 For verification to work, the certificate of the issuer of the server | 455 For verification to work, the certificate of the server certificate |
456 certificate, the root certificate, and all intermediate certificates | 456 issuer, the root certificate, and all intermediate certificates |
457 should be configured as trusted using the | 457 should be configured as trusted using the |
458 <link id="ssl_trusted_certificate"/> directive. | 458 <link id="ssl_trusted_certificate"/> directive. |
459 </para> | 459 </para> |
460 | 460 |
461 </directive> | 461 </directive> |
473 used to verify client certificates and | 473 used to verify client certificates and |
474 OCSP responses if <link id="ssl_stapling"/> is enabled. | 474 OCSP responses if <link id="ssl_stapling"/> is enabled. |
475 </para> | 475 </para> |
476 | 476 |
477 <para> | 477 <para> |
478 In contrast to <link id="ssl_client_certificate"/>, the list of these | 478 In contrast to the certificate set by <link id="ssl_client_certificate"/>, |
479 certificates will not be sent to clients. | 479 the list of these certificates will not be sent to clients. |
480 </para> | 480 </para> |
481 | 481 |
482 </directive> | 482 </directive> |
483 | 483 |
484 | 484 |
490 <context>http</context> | 490 <context>http</context> |
491 <context>server</context> | 491 <context>server</context> |
492 | 492 |
493 <para> | 493 <para> |
494 Enables verification of client certificates. | 494 Enables verification of client certificates. |
495 The result of verification is stored in the | 495 The verification result is stored in the |
496 <var>$ssl_client_verify</var> variable. | 496 <var>$ssl_client_verify</var> variable. |
497 </para> | 497 </para> |
498 | 498 |
499 <para> | 499 <para> |
500 The <literal>optional</literal> parameter (0.8.7+) requests the client | 500 The <literal>optional</literal> parameter (0.8.7+) requests the client |
501 certificate, and if certificate was present, verifies it. | 501 certificate and verifies it if the certificate is present. |
502 </para> | 502 </para> |
503 | 503 |
504 <para> | 504 <para> |
505 The <literal>optional_no_ca</literal> parameter (1.3.8, 1.2.5) | 505 The <literal>optional_no_ca</literal> parameter (1.3.8, 1.2.5) |
506 requests the client | 506 requests the client |
507 certificate but does not require it to be signed by a trusted CA certificate. | 507 certificate but does not require it to be signed by a trusted CA certificate. |
508 This is intended for the use in cases where actual certificate verification | 508 This is intended for the use in cases when a service that is external to nginx |
509 is performed by a service that is external to nginx. | 509 performs the actual certificate verification. |
510 The contents of a certificate is made available through the | 510 The contents of the certificate is accessible through the |
511 <var>$ssl_client_cert</var> variable. | 511 <var>$ssl_client_cert</var> variable. |
512 </para> | 512 </para> |
513 | 513 |
514 </directive> | 514 </directive> |
515 | 515 |
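Review bot: line 508 still has "intended for the use in cases"; drop the article and write "intended for use in cases". Line 510 has a number-agreement problem the old text also had: "The contents of the certificate is accessible" should be "The contents of the certificate are accessible" (or simply "The certificate is accessible through the $ssl_client_cert variable"). Since optional_no_ca deliberately skips the CA check, it would also help readers of lines 505-509 to say outright that the external service is then responsible for the verification before the certificate is relied on; the rewritten sentence on lines 508-509 implies this but does not state it.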
519 <default>1</default> | 519 <default>1</default> |
520 <context>http</context> | 520 <context>http</context> |
521 <context>server</context> | 521 <context>server</context> |
522 | 522 |
523 <para> | 523 <para> |
524 Sets a verification depth in the client certificates chain. | 524 Sets the verification depth in the client certificates chain. |
525 </para> | 525 </para> |
526 | 526 |
527 </directive> | 527 </directive> |
528 | 528 |
529 </section> | 529 </section> |
542 an error has occurred during the client certificate verification; | 542 an error has occurred during the client certificate verification; |
543 </tag-desc> | 543 </tag-desc> |
544 | 544 |
545 <tag-name>496</tag-name> | 545 <tag-name>496</tag-name> |
546 <tag-desc> | 546 <tag-desc> |
547 a client did not present the required certificate; | 547 a client has not presented the required certificate; |
548 </tag-desc> | 548 </tag-desc> |
549 | 549 |
550 <tag-name>497</tag-name> | 550 <tag-name>497</tag-name> |
551 <tag-desc> | 551 <tag-desc> |
552 a regular request was sent to the HTTPS port. | 552 a regular request has been sent to the HTTPS port. |
553 </tag-desc> | 553 </tag-desc> |
554 | 554 |
555 </list> | 555 </list> |
556 </para> | 556 </para> |
557 | 557 |
558 <para> | 558 <para> |
559 A redirection happens after the request was fully parsed and | 559 The redirection happens after the request is fully parsed and |
560 variables such as <var>$request_uri</var>, | 560 the variables, such as <var>$request_uri</var>, |
561 <var>$uri</var>, <var>$args</var> and others were made available. | 561 <var>$uri</var>, <var>$args</var> and others, are available. |
562 </para> | 562 </para> |
563 | 563 |
564 </section> | 564 </section> |
565 | 565 |
566 | 566 |
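Review bot: the commas added around "such as $request_uri, $uri, $args and others" on lines 560-561 turn a restrictive phrase into a parenthetical and read oddly; suggest "variables such as $request_uri, $uri, $args and others are available" without the commas and without "the". The tense changes on lines 547 and 552 ("has not presented", "has been sent") are consistent with the present-tense wording of the rest of the list and with "an error has occurred" on line 542, so those look right.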