# HG changeset patch # User Yaroslav Zhuravlev # Date 1683023961 -3600 # Node ID a85e4d126bc771298819cef45d979151e15ab8a4 # Parent 2c4d7151b9a9a60691f85af47e4e6f890b59ec39 Updated docs for the upcoming NGINX Plus release. diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/GNUmakefile --- a/xml/en/GNUmakefile Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/GNUmakefile Tue May 02 11:39:21 2023 +0100 @@ -24,6 +24,7 @@ contributing_changes \ beginners_guide \ configure \ + quic \ FAQ = \ welcome_nginx_facebook \ @@ -61,6 +62,7 @@ http/ngx_http_hls_module \ http/ngx_http_image_filter_module \ http/ngx_http_index_module \ + http/ngx_http_internal_redirect_module \ http/ngx_http_js_module \ http/ngx_http_keyval_module \ http/ngx_http_limit_conn_module \ @@ -94,6 +96,7 @@ http/ngx_http_userid_module \ http/ngx_http_uwsgi_module \ http/ngx_http_v2_module \ + http/ngx_http_v3_module \ http/ngx_http_xslt_module \ mail/ngx_mail_auth_http_module \ mail/ngx_mail_core_module \ @@ -112,6 +115,8 @@ stream/ngx_stream_limit_conn_module \ stream/ngx_stream_log_module \ stream/ngx_stream_map_module \ + stream/ngx_stream_mqtt_filter_module \ + stream/ngx_stream_mqtt_preread_module \ stream/ngx_stream_proxy_module \ stream/ngx_stream_proxy_protocol_vendor_module \ stream/ngx_stream_realip_module \ @@ -125,6 +130,7 @@ stream/ngx_stream_zone_sync_module \ stream/stream_processing \ ngx_google_perftools_module \ + ngx_otel_module \ dev/development_guide \ njs/index \ njs/changes \ diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/configure.xml --- a/xml/en/docs/configure.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/docs/configure.xml Tue May 02 11:39:21 2023 +0100 
@@ -239,6 +239,24 @@ +--with-http_v3_module + + +enables building a module that provides support for +HTTP/3. +This module is not built by default. +An SSL library that provides HTTP/3 support +is recommended to build and run this module, such as +BoringSSL, +LibreSSL, or +QuicTLS. +Otherwise, if using the OpenSSL library, +OpenSSL compatibility layer will be used +that does not support QUIC +early data. + + + --with-http_realip_module diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/http/ngx_http_api_module.xml --- a/xml/en/docs/http/ngx_http_api_module.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/docs/http/ngx_http_api_module.xml Tue May 02 11:39:21 2023 +0100 @@ -208,6 +208,11 @@ +Detailed failure counters were added to SSL statistics +in version 8 (1.23.2). + + + The ssl data for each HTTP upstream, @@ -215,7 +220,7 @@ and stream upstream, server zone, -were added in version 8. +were added in version 8 (1.21.6). @@ -3400,7 +3405,7 @@ server (string) -Same as the address parameter of the HTTP upstream server. When adding a server, it is possible to specify it as a domain name. In this case, changes of the IP addresses that correspond to a domain name will be monitored and automatically applied to the upstream configuration without the need of restarting nginx. This requires the resolver directive in the “http” block. See also the resolve parameter of the HTTP upstream server. +Same as the address parameter of the HTTP upstream server. When adding a server, it is possible to specify it as a domain name. In this case, changes of the IP addresses that correspond to a domain name will be monitored and automatically applied to the upstream configuration without the need of restarting nginx. This requires the resolver directive in the “http” block. See also the resolve parameter of the HTTP upstream server. service (string) diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/http/ngx_http_api_module_head.xml 
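Review bot: The new `--with-http_v3_module` entry says the recommended library is one "that provides HTTP/3 support", while the module page and quic.xml added in the same commit say "QUIC support"; the library requirement is at the QUIC/TLS layer, so the three pages should use one phrase. Suggest `An SSL library that provides QUIC support is recommended to build and run this module, such as` here, matching the other two. The sentence on the compatibility layer could also name the consequence an operator sees, e.g. `that does not support QUIC early data (0-RTT)`, so the term lines up with the `ssl_early_data` directive readers will look for.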
--- a/xml/en/docs/http/ngx_http_api_module_head.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/docs/http/ngx_http_api_module_head.xml Tue May 02 11:39:21 2023 +0100 @@ -208,6 +208,11 @@ +Detailed failure counters were added to SSL statistics +in version 8 (1.23.2). + + + The ssl data for each HTTP upstream, @@ -215,7 +220,7 @@ and stream upstream, server zone, -were added in version 8. +were added in version 8 (1.21.6). diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/http/ngx_http_core_module.xml --- a/xml/en/docs/http/ngx_http_core_module.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/docs/http/ngx_http_core_module.xml Tue May 02 11:39:21 2023 +0100 @@ -855,6 +855,7 @@ requests redirected by the , , +, , and directives; @@ -1270,7 +1271,9 @@ address[:port] [default_server] [ssl] - [http2 | spdy] + [http2 | + quic | + spdy] [proxy_protocol] [setfib=number] [fastopen=number] @@ -1287,7 +1290,9 @@ port [default_server] [ssl] - [http2 | spdy] + [http2 | + quic | + spdy] [proxy_protocol] [setfib=number] [fastopen=number] @@ -1304,7 +1309,9 @@ unix:path [default_server] [ssl] - [http2 | spdy] + [http2 | + quic | + spdy] [proxy_protocol] [backlog=number] [rcvbuf=size] @@ -1382,6 +1389,11 @@ connections without SSL. + +The quic parameter (1.23.4) configures the port to accept +QUIC connections. + + The spdy parameter (1.3.15-1.9.4) allows accepting SPDY connections on this port. @@ -1706,7 +1718,7 @@ the “/documents/1.jpg” request will match configuration E. - + The “@” prefix defines a named location. Such a location is not used for a regular request processing, but instead used for request redirection. @@ -3490,8 +3502,9 @@ request protocol, usually “HTTP/1.0”, “HTTP/1.1”, +“HTTP/2.0”, or -“HTTP/2.0” +“HTTP/3.0” $status diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/http/ngx_http_internal_redirect_module.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/http/ngx_http_internal_redirect_module.xml Tue May 02 11:39:21 2023 +0100 
@@ -0,0 +1,97 @@ + + + + + + + + +
+ + +The ngx_http_internal_redirect_module module (1.23.4) allows +making an internal redirect. +In contrast to +rewriting URIs, +the redirection is made after checking +request and +connection processing limits, +and access limits. + + + + +This module is available as part of our +commercial subscription. + + + +
+ + +
+ + + +limit_req_zone $jwt_claim_sub zone=jwt_sub:10m rate=1r/s; + +server { + location / { + auth_jwt "realm"; + auth_jwt_key_file key.jwk; + + internal_redirect @rate_limited; + } + + location @rate_limited { + internal; + + limit_req zone=jwt_sub burst=10; + proxy_pass http://backend; + } +} + +The example implements +per-user +rate limiting. +Implementation without internal_redirect +is vulnerable to DoS attacks by unsigned JWTs, as normally the +limit_req +check is performed +before +auth_jwt check. +Using internal_redirect +allows reordering these checks. + + +
+ + +
+ + +uri + +server +location + + +Sets the URI for internal redirection of the request. +It is also possible to use a +named location +instead of the URI. +The uri value can contain variables. +If the uri value is empty, +then the redirect will not be made. + + + + +
+ +
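Review bot: The example keys `limit_req` on `$jwt_claim_sub`, but the text does not say what happens when a token that passes `auth_jwt` carries no `sub` claim; in limit_req an empty key is presumably not accounted, so such tokens would reach `@rate_limited` unlimited — confirm against the limit_req_zone documentation. Suggest adding after the example: `Tokens without a sub claim produce an empty key and are not rate-limited; require the claim (for example, with auth_jwt_require) or use a fallback key.` The phrase `is vulnerable to DoS attacks by unsigned JWTs` states the risk loosely, since the problem is check ordering rather than signature absence alone; `can be exhausted with forged tokens, because limit_req would count on an unverified sub claim` says what actually goes wrong. A short sentence that `@rate_limited` is marked `internal` so it cannot be reached by clients directly would also help readers who copy only part of the example.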
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/http/ngx_http_limit_conn_module.xml --- a/xml/en/docs/http/ngx_http_limit_conn_module.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/docs/http/ngx_http_limit_conn_module.xml Tue May 02 11:39:21 2023 +0100 @@ -77,7 +77,8 @@ allow only one connection per an IP address at a time. -In HTTP/2 and SPDY, each concurrent request is considered a separate connection. +In HTTP/2 and HTTP/3, +each concurrent request is considered a separate connection. diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/http/ngx_http_v3_module.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/http/ngx_http_v3_module.xml Tue May 02 11:39:21 2023 +0100 @@ -0,0 +1,353 @@ + + + + + + + + +
+ + +The ngx_http_v3_module module (1.23.4) provides +experimental support for +HTTP/3. + + + +This module is not built by default, it should be enabled with the +--with-http_v3_module +configuration parameter. + +An SSL library that provides QUIC support +such as +BoringSSL, +LibreSSL, or +QuicTLS +is recommended to build and run this module. +Otherwise, +when using the OpenSSL library, +OpenSSL compatibility layer will be used that does not support +early data. + + + + + + +The module is available as +nginx-quic in +prebult Linux packages. +The module is also available as part of our +commercial subscription +in a separate nginx-plus-http3 package. + + + +
+ + +
+ + +The module is experimental, caveat emptor applies. + + +
+ + +
+ + + +http { + log_format quic '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$http3"'; + + access_log logs/access.log quic; + + server { + # for better compatibility it's recommended + # to use the same port for http/3 and https + listen 8443 quic reuseport; + listen 8443 ssl; + + ssl_certificate certs/example.com.crt; + ssl_certificate_key certs/example.com.key; + + location / { + # used to advertise the availability of HTTP/3 + add_header Alt-Svc 'h3=":8443"; ma=86400'; + } + } +} + +Note that accepting HTTP/3 connections over TLS requires +the TLSv1.3 protocol support, which is available since +OpenSSL version 1.1.1. + + +
+ + +
+ + +on | off +on +http +server + + +Enables +HTTP/3 +protocol negotiation. + + + + + + +on | off +off +http +server + + +Enables HTTP/0.9 protocol negotiation +used in +QUIC +interoperability tests. + + + + + + +number +10 +http +server + + +Limits the maximum number of concurrent +push requests in a connection. + + + + + + +number +128 +http +server + + +Sets the maximum number of concurrent HTTP/3 request streams +in a connection. + + + + + + +uri | off +off +http +server +location + + +Pre-emptively sends +(pushes) +a request to the specified uri +along with the response to the original request. +Only relative URIs with absolute path will be processed, +for example: + +http3_push /static/css/main.css; + +The uri value can contain variables. + + + +Several http3_push directives +can be specified on the same configuration level. +The off parameter cancels the effect +of the http3_push directives +inherited from the previous configuration level. + + + + + + +on | off +off +http +server +location + + +Enables automatic conversion of +preload +links +specified in the
Link
response header fields into +push +requests. +
+ +
+ + + +size +64k +http +server + + +Sets the size of the buffer used for reading and writing of the +QUIC streams. + + + + + + +number +2 +http +server + + +Sets the +QUIC active_connection_id_limit transport parameter value. +This is the maximum number of client connection IDs +which can be stored on the server. + + + + + + +on | off +off +main + + +Enables routing of QUIC packets using +eBPF. +When enabled, this allows supporting QUIC connection migration. + + + + +The directive is only supported on Linux 5.7+. + + + + + + + +on | off +off +http +server + + +Enables sending in optimized batch mode +using segmentation offloading. + + + + +Optimized sending is supported only on Linux +featuring UDP_SEGMENT. + + + + + + + +file + +http +server + + +Sets a file with the secret key used to encrypt +stateless reset and address validation tokens. +By default, a random key is generated on each reload. +Tokens generated with old keys are not accepted. + + + + + + +size +65527 +http +server + + +Sets the +QUIC max_udp_payload_size transport parameter value. +This is the maximum UDP payload possible to receive. + + + + + + +on | off +off +http +server + + +Enables the +QUIC +Address Validation feature. +This includes sending a new token in a Retry packet +or a NEW_TOKEN frame +and +validating a token received in the Initial packet. + + + + +
+ + +
+ + +The ngx_http_v3_module module +supports the following embedded variables: + + +$http3 + +negotiated protocol identifier: +“h3” for HTTP/3 connections, +“hq” for hq connections, +or an empty string otherwise. + + + + + +
+ +
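Review bot: The quic_host_key entry states that a random key is generated on each reload and that tokens from old keys are rejected, but it does not spell out the operational consequence: after a reload, or across several instances serving one address, clients holding address-validation or stateless-reset tokens presumably fall back to a full handshake, so a persistent key file is needed when that matters — confirm. Suggest adding `Set a persistent key file when tokens must remain valid across reloads or between multiple instances; restrict read access to the file, since the key allows producing valid tokens.` The http3_hq entry describes a test-only protocol mode but gives no guidance on deployment; `Intended for interoperability testing only; not recommended in production.` would make that explicit. The example's `# used to advertise the availability of HTTP/3` comment could note that `Alt-Svc` must point at a port where `listen ... quic` is actually configured, since the two `listen` lines share 8443 only by convention here. Also `prebult` should read `prebuilt`.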
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/index.xml --- a/xml/en/docs/index.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/en/docs/index.xml Tue May 02 11:39:21 2023 +0100 @@ -65,6 +65,10 @@ + + + + @@ -325,6 +329,11 @@ + +ngx_http_internal_redirect_module + + + ngx_http_js_module @@ -490,6 +499,11 @@ + +ngx_http_v3_module + + + ngx_http_xslt_module @@ -592,6 +606,16 @@ + +ngx_stream_mqtt_preread_module + + + + +ngx_stream_mqtt_filter_module + + + ngx_stream_proxy_module @@ -657,6 +681,11 @@ ngx_google_perftools_module + + +ngx_otel_module + + diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/ngx_otel_module.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/ngx_otel_module.xml Tue May 02 11:39:21 2023 +0100 @@ -0,0 +1,347 @@ + + + + + + + + +
+ + +The ngx_otel_module module (1.23.4) provides +OpenTelemetry +distributed tracing support. +The module supports +W3C +context propagation and OTLP/gRPC export protocol. + + + + +This module is available as part of our +commercial subscription +in nginx-plus-module-otel package. +After installation, the module can be loaded +dynamically. + + + +
+ + +
+ + + +load_module modules/ngx_otel_module.so; + +events { +} + +http { + + otel_exporter { + endpoint localhost:4317; + } + + server { + listen 127.0.0.1:8080; + + location / { + otel_trace on; + otel_trace_context inject; + + proxy_pass http://backend; + } + } +} + + + +
+ + +
+ + + + +http + + +Specifies OTel data export parameters: + + + +endpoint + +the address of OTLP/gRPC endpoint that will accept telemetry data. + + +interval + +the maximum interval between two exports, +by default is 5 seconds. + + +batch_size + +the maximum number of spans to be sent in one batch per worker, +by default is 512. + + +batch_count + +the number of pending batches per worker, +spans exceeding the limit are dropped, +by default is 4. + + + +Example: + +otel_exporter { + endpoint localhost:4317; + interval 5s; + batch_size 512; + batch_count 4; +} + + + + + + + +name +unknown_service:nginx +http + + +Sets the +“service.name” +attribute of the OTel resource. + + + + + + +on | + off | + $variable +off +http +server +location + + +Enables or disables OpenTelemetry tracing. +The directive can also be enabled by specifying a variable: + +split_clients "$otel_trace_id" $ratio_sampler { + 10% on; + * off; +} + +server { + location / { + otel_trace $ratio_sampler; + otel_trace_context inject; + proxy_pass http://backend; + } +} + + + + + + + +extract | + inject | + propagate | + ignore +ignore +http +server +location + + +Specifies how to propagate +traceparent/tracestate headers: + + + +extract + +uses an existing trace context from the request, +so that the identifiers of +a trace and +the parent span +are inherited from the incoming request. + + +inject + +adds a new context to the request, overwriting existing headers, if any. + + +propagate + +updates the existing context +(combines and ). + + +ignore + +skips context headers processing. + + + + + + + + + +name + +http +server +location + + +Defines the name of the OTel +span. +By default, it is a name of the location for a request. +The name can contain variables. + + + + + + +name value + +http +server +location + + +Adds a custom OTel span attribute. +The value can contain variables. + + + + +
+ + +
+ + +The following span attributes +are added automatically: + + + + +http.method + + + +http.target + + + +http.route + + + +http.scheme + + + +http.flavor + + + +http.user_agent + + + +http.request_content_length + + + +http.response_content_length + + + +http.status_code + + + +net.host.name + + + +net.host.port + + + +net.sock.peer.addr + + + +net.sock.peer.port + + + + + +
+ + +
+ + + + +$otel_trace_id + +the identifier of the trace the current span belongs to, +for example, 56552bc4daa3bf39c08362527e1dd6c4 + + +$otel_span_id + +the identifier of the current span, +for example, 4c0b8531ec38ca59 + + +$otel_parent_id + +the identifier of the parent span, +for example, dc94d281b0f884ea + + +$otel_parent_sampled + +the “sampled” flag of the parent span, +can be “1” or “0” + + + + + +
+ +
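Review bot: The otel_exporter description never says whether the OTLP/gRPC connection to `endpoint` is plaintext or TLS, and the example only shows `localhost:4317`; operators pointing it at a remote collector need that stated in the `endpoint` item, together with advice to use a local collector or a trusted network if the transport is plaintext (I cannot tell from the hunk which applies). The `extract` and `propagate` modes inherit trace and parent-span identifiers from the incoming request, which means client-supplied `traceparent`/`tracestate` values are taken as-is; a sentence such as `When extract or propagate is used on an edge server, the inherited identifiers and the sampled flag originate from the client and should be treated as untrusted` would help readers decide where to enable them. The `$otel_parent_sampled` entry could say the same in one clause, since it is read from the incoming header in those modes — confirm.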
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/quic.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/quic.xml Tue May 02 11:39:21 2023 +0100 @@ -0,0 +1,415 @@ + + + + +
+ +
+ + +QUIC +and +HTTP/3 +protocols are supported since 1.23.4 and are available +as a separate nginx-quic +prebult Linux package +or as part of our +commercial subscription +in a separate nginx-plus-http3 package. + + + + +The QUIC and HTTP/3 support is experimental, caveat emptor applies. + + + +
+ + +
+ + +For Linux, nginx-quic packages +from nginx.org can be used. +The packages +are available for the following Linux distributions and +versions: + + + +RHEL 9 and derivatives: amd64, arm64 + + + +Ubuntu 22.04: amd64, arm64 + + + + + + +The nginx-quic packages are dynamically linked with the +QuicTLS library. +It will be installed as a runtime dependency +alongside system-wide OpenSSL packages. +QuicTLS differs from operating system-provided OpenSSL package in the following: + + + +does not follow system-wide crypto policies + + + +does not have distribution-specific patches applied + + + +uses configuration from /etc/pki/quictls (RHEL9) +or /etc/quictls (Ubuntu 22.04) + + + + + + +The nginx-quic packages +cannot be installed alongside nginx or nginx-plus packages. + + + +Please back up your configuration files +before installing nginx-quic: + +sudo cp -a /etc/nginx /etc/nginx-quic-backup + + + + +
+ + +The nginx-quic package and be installed on +Red Hat Enterprise Linux and its derivatives such as +CentOS, Oracle Linux, Rocky Linux, AlmaLinux. + + + +Install the prerequisites: + +sudo dnf install yum-utils + + +To set up the yum repository, create the file named +/etc/yum.repos.d/nginx-quic.repo +with the following contents: + + +[nginx-quic] +name=nginx-quic repo +baseurl=https://packages.nginx.org/nginx-quic/rhel/9/$basearch/ +gpgcheck=1 +enabled=1 +gpgkey=https://nginx.org/keys/nginx_signing.key + + +To install nginx-quic, run the following commands: + +sudo dnf install nginx-quic + + +When prompted to accept the GPG key, verify that the fingerprint matches +573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62, +and if so, accept it. + + +
+ + +
+ + +Install the prerequisites: + +sudo apt update && sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring + + + + +Import an official nginx signing key so apt could verify the packages +authenticity. +Fetch the key: + +curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \ + | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + + +To set up the apt repository for nginx-quic packages, run the following command: + +echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ + https://packages.nginx.org/nginx-quic/ubuntu `lsb_release -cs` nginx-quic" \ + | sudo tee /etc/apt/sources.list.d/nginx-quic.list + + + + +To install nginx-quic, run the following commands: + +sudo apt update +sudo apt install nginx-quic + + + +
+ +
+ + +
+ + +The build is configured using the configure command. +Please refer to for details. + + + +When configuring nginx, it is possible to enable QUIC and HTTP/3 +using the following configuration options: + + + + +--with-http_v3_module
+
+ +enables QUIC and HTTP/3. + + +
+
+ + +An SSL library that provides QUIC support is recommended to build nginx, such as +BoringSSL, +LibreSSL, or +QuicTLS. +Otherwise, the OpenSSL +compatibility layer will be used that does not support +early data. + + + +Use the following command to configure nginx with +BoringSSL: + +./auto/configure --with-debug --with-http_v3_module \ + --with-cc-opt="-I../boringssl/include" \ + --with-ld-opt="-L../boringssl/build/ssl \ + -L../boringssl/build/crypto" + + + + +Alternatively, nginx can be configured with +QuicTLS: + +./auto/configure --with-debug --with-http_v3_module \ + --with-cc-opt="-I../quictls/build/include" \ + --with-ld-opt="-L../quictls/build/lib" + + + + +Alternatively, nginx can be configured with a modern version of +LibreSSL: + +./auto/configure --with-debug --with-http_v3_module \ + --with-cc-opt="-I../libressl/build/include" \ + --with-ld-opt="-L../libressl/build/lib" + + + + +After configuration, +nginx is compiled and installed using make. + + +
+ + +
+ + +The directive in +ngx_http_core_module +module got a new parameter +quic +which enables HTTP/3 over QUIC on the specified port. + + + +Along with the quic parameter +it is also possible to specify the +reuseport +parameter to make it work properly with multiple workers. + + + +To enable +address validation: + +quic_retry on; + + +To enable +0-RTT: + +ssl_early_data on; + + +To enable +GSO (Generic Segmentation Offloading): + +quic_gso on; + + +To limit +maximum UDP payload size on receive path: + +quic_mtu <size>; + + +To set +host key for various tokens: + +quic_host_key <filename>; + + + + + +QUIC requires TLSv1.3 protocol version which is enabled by default +in the directive. + + + +By default, +GSO Linux-specific optimization +is disabled. +Enable it in case a corresponding network interface is configured +to support GSO. + + +
+ + +
+ + + +http { + log_format quic '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$http3"'; + + access_log logs/access.log quic; + + server { + # for better compatibility it's recommended + # to use the same port for quic and https + listen 8443 quic reuseport; + listen 8443 ssl; + + ssl_certificate certs/example.com.crt; + ssl_certificate_key certs/example.com.key; + + location / { + # required for browsers to direct them into quic port + add_header Alt-Svc 'h3=":8443"; ma=86400'; + } + } +} + + + +
+ + +
+ + +For the list of directives, please refer to +ngx_http_v3_module +module documentation. + + +
+ + +
+ + +Tips that may help to identify problems: + + + +Ensure nginx is built with the proper SSL library that supports QUIC. + + + +Ensure nginx is using the proper SSL library in runtime +(the nginx -V shows what it is currently used). + + + +Ensure a client is actually sending requests over QUIC +(see the Clients section +for information about browsers and cache). +We recommend starting with a simple console client such as +ngtcp2 +to ensure the server is configured properly before trying +with real browsers that may be quite picky with certificates. + + + +Build nginx with debug support +and check the debug log. +It should contain all details about the connection and why it failed. +All related messages contain the “quic” prefix +and can be easily filtered out. + + + +For a deeper investigation, please enable additional debugging in +src/event/quic/ngx_event_quic_connection.h: + + + +#define NGX_QUIC_DEBUG_PACKETS +#define NGX_QUIC_DEBUG_FRAMES +#define NGX_QUIC_DEBUG_ALLOC +#define NGX_QUIC_DEBUG_CRYPTO + + + + + + + +
+ + +
+ + +Please refer to . + + +
+ +
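Review bot: The Ubuntu install steps import the signing key with `curl … | gpg --dearmor | sudo tee …` and go straight to adding the repository, whereas the RHEL steps tell the reader to check the fingerprint `573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62`; the Ubuntu path should get the same check. Suggest inserting after the fetch: `Verify that the downloaded file contains the proper key: gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg` followed by the fingerprint to compare against. The 0-RTT tip (`ssl_early_data on;`) carries no caveat that early data is replayable; a short `requests sent in early data can be replayed, see ssl_early_data` pointer would keep this page consistent with that directive's own documentation. Two typos on the page: `prebult Linux package` and `The nginx-quic package and be installed`.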
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/stream/ngx_stream_mqtt_filter_module.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/stream/ngx_stream_mqtt_filter_module.xml Tue May 02 11:39:21 2023 +0100 @@ -0,0 +1,108 @@ + + + + + + + + +
+ + +The ngx_stream_mqtt_filter_module module (1.23.4) provides +support for Message Queuing Telemetry Transport protocol (MQTT) versions +3.1.1 +and +5.0. + + + + +This module is available as part of our +commercial subscription. + + + +
+ + +
+ + + +listen 127.0.0.1:18883; +proxy_pass backend; +proxy_buffer_size 16k; + +mqtt on; +mqtt_set_connect clientid "$client"; +mqtt_set_connect username "$name"; + + + +
+ + +
+ + +on | off +off +stream +server + + +Enables the MQTT protocol for the given virtual server. + + + + + +size +4k|8k +server + + +Sets the size of the buffer +used for writing a modified message. +By default, the buffer size is equal to one memory page. +This is either 4K or 8K, depending on a platform. +It can be made smaller, however. + + + + + +field value + +server + + +Sets the message field +to the given value for CONNECT message. +The following fields are supported: +clientid, +username, and +password. +The value can contain text, variables, and their combination. + + + +Several mqtt_set_connect directives +can be specified on the same level: + +mqtt_set_connect clientid "$client"; +mqtt_set_connect username "$name"; + + + + + +
+ +
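Review bot: The buffer-size directive (`size`, default `4k|8k`) says the buffer can be made smaller but not what happens when a rewritten CONNECT message does not fit — whether the connection is closed, the message is passed unmodified, or an error is logged; readers sizing it need that stated, e.g. `If the modified message does not fit into the buffer, [behaviour — confirm].` The example sets `proxy_buffer_size 16k;` without saying why; if the CONNECT message must fit into the preread/proxy buffer, a comment such as `# the CONNECT message must fit into proxy_buffer_size` would explain the choice — I cannot confirm that from the hunk. Since `mqtt_set_connect password` places a credential in the configuration, the entry could point out that the value may be taken from a variable rather than a literal, so secrets need not be hard-coded in nginx.conf.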
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/en/docs/stream/ngx_stream_mqtt_preread_module.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/en/docs/stream/ngx_stream_mqtt_preread_module.xml Tue May 02 11:39:21 2023 +0100 @@ -0,0 +1,86 @@ + + + + + + + + +
+ + +The ngx_stream_mqtt_preread_module module (1.23.4) allows +extracting information from the CONNECT message +of the Message Queuing Telemetry Transport protocol (MQTT) versions +3.1.1 +and +5.0, +for example, a username or a client ID. + + + + +This module is available as part of our +commercial subscription. + + + +
+ + +
+ + + +mqtt_preread on; +return $mqtt_preread_clientid; + + + +
+ + +
+ + +on | off +off +stream +server + + +Enables extracting information from the MQTT CONNECT message at +the preread phase. + + + + +
+ + +
+ + + + +$mqtt_preread_clientid + +the clientid value from the CONNECT message + + +$mqtt_preread_username + +the username value from the CONNECT message + + + + + +
+ +
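Review bot: The variables section does not say what `$mqtt_preread_clientid` and `$mqtt_preread_username` hold when the first client message is not a parseable CONNECT or when `mqtt_preread` is off, nor that both values are copied verbatim from the client; the example `return $mqtt_preread_clientid;` echoes that client-controlled string straight back. Suggest adding `Both values are supplied by the client and are not validated; treat them as untrusted input when using them in logs, maps or routing decisions` plus one sentence on the empty/failed case (`an empty string if …` — confirm the actual behaviour). The mqtt_preread entry could also mention that the preread phase is bounded by the `preread_timeout` and `preread_buffer_size` directives of ngx_stream_core_module, so a CONNECT message larger than the preread buffer will presumably not be parsed — confirm.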
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/GNUmakefile --- a/xml/ru/GNUmakefile Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/ru/GNUmakefile Tue May 02 11:39:21 2023 +0100 @@ -49,6 +49,7 @@ http/ngx_http_hls_module \ http/ngx_http_image_filter_module \ http/ngx_http_index_module \ + http/ngx_http_internal_redirect_module \ http/ngx_http_js_module \ http/ngx_http_limit_conn_module \ http/ngx_http_limit_req_module \ @@ -81,6 +82,7 @@ http/ngx_http_userid_module \ http/ngx_http_uwsgi_module \ http/ngx_http_v2_module \ + http/ngx_http_v3_module \ http/ngx_http_xslt_module \ mail/ngx_mail_auth_http_module \ mail/ngx_mail_core_module \ @@ -98,6 +100,8 @@ stream/ngx_stream_limit_conn_module \ stream/ngx_stream_log_module \ stream/ngx_stream_map_module \ + stream/ngx_stream_mqtt_filter_module \ + stream/ngx_stream_mqtt_preread_module \ stream/ngx_stream_proxy_module \ stream/ngx_stream_proxy_protocol_vendor_module \ stream/ngx_stream_realip_module \ diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/configure.xml --- a/xml/ru/docs/configure.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/ru/docs/configure.xml Tue May 02 11:39:21 2023 +0100 @@ -237,6 +237,25 @@ +--with-http_v3_module + + +разрешает сборку модуля для работы HTTP-сервера по протоколу +HTTP/3. +По умолчанию модуль не собирается. +Для сборки и работы этого модуля рекомендуется библиотека SSL с поддержкой HTTP/3, +например +BoringSSL, +LibreSSL или +QuicTLS. +Иначе, при использовании библиотеки OpenSSL, +будет использоваться OpenSSL compatibility layer, +в котором не поддерживается QUIC +early data. + + + + --with-http_realip_module diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/http/ngx_http_core_module.xml --- a/xml/ru/docs/http/ngx_http_core_module.xml Fri Apr 28 09:25:05 2023 -0700 +++ b/xml/ru/docs/http/ngx_http_core_module.xml Tue May 02 11:39:21 2023 +0100 @@ -848,6 +848,7 @@ запросы, перенаправленные директивами , , +, и ; 
@@ -1264,7 +1265,9 @@ адрес[:порт] [default_server] [ssl] - [http2 | spdy] + [http2 | + quic | + spdy] [proxy_protocol] [setfib=число] [fastopen=число] @@ -1281,7 +1284,9 @@ порт [default_server] [ssl] - [http2 | spdy] + [http2 | + quic | + spdy] [proxy_protocol] [setfib=число] [fastopen=число] @@ -1298,7 +1303,9 @@ unix:путь [default_server] [ssl] - [http2 | spdy] + [http2 | + quic | + spdy] [proxy_protocol] [backlog=число] [rcvbuf=размер] @@ -1374,6 +1381,11 @@ HTTP/2-соединений без SSL. + +Параметр quic (1.23.4) позволяет принимать на этом порту +QUIC-соединения. + + Параметр spdy (1.3.15-1.9.4) позволяет принимать на этом порту SPDY-соединения. @@ -1701,7 +1713,7 @@ а для запроса “/documents/1.jpg” — конфигурация Д. - + Префикс “@” задаёт именованный location. Такой location не используется при обычной обработке запросов, а предназначен только для перенаправления в него запросов. @@ -3481,9 +3493,10 @@ протокол запроса, обычно “HTTP/1.0”, -“HTTP/1.1” +“HTTP/1.1”, +“HTTP/2.0” или -“HTTP/2.0” +“HTTP/3.0” $status diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/http/ngx_http_internal_redirect_module.xml --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/xml/ru/docs/http/ngx_http_internal_redirect_module.xml Tue May 02 11:39:21 2023 +0100 @@ -0,0 +1,99 @@ + + + + + + + + +
+ + +Модуль ngx_http_internal_redirect_module (1.23.4) позволяет +осуществлять внутреннее перенаправление. +В отличие от +изменения URI, +перенаправление происходит после проверок ограничений +скорости обработки запросов, +числа соединений +и доступа. + + + + +Модуль доступен как часть +коммерческой подписки + + + +
+ + +
+ + + +limit_req_zone $jwt_claim_sub zone=jwt_sub:10m rate=1r/s; + +server { + location / { + auth_jwt "realm"; + auth_jwt_key_file key.jwk; + + internal_redirect @rate_limited; + } + + location @rate_limited { + internal; + + limit_req zone=jwt_sub burst=10; + proxy_pass http://backend; + } +} + +В примере +скорость обработки запросов +ограничивается по +идентификатору +клиента. +Конфигурация без internal_redirect +может быть подвержена DoS-атакам при помощи неподписанных JWT, так как проверка +limit_req +выполняется +перед +проверкой +auth_jwt. +Использование internal_redirect +позволяет изменить порядок этих проверок. + + +
+ + +
+ + +uri + +server +location + + +Задаёт URI для внутреннего перенаправления запроса. +Вместо URI также можно использовать +именованный location. +В значении uri можно использовать переменные. +Если значение uri пустое, +то перенаправление не осуществляется. + + + + +
+ +
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/http/ngx_http_limit_conn_module.xml
--- a/xml/ru/docs/http/ngx_http_limit_conn_module.xml Fri Apr 28 09:25:05 2023 -0700
+++ b/xml/ru/docs/http/ngx_http_limit_conn_module.xml Tue May 02 11:39:21 2023 +0100
@@ -76,7 +76,8 @@
 разрешают одновременно обрабатывать не более одного соединения с одного IP-адреса.
-В HTTP/2 и SPDY каждый параллельный запрос считается отдельным соединением.
+В HTTP/2 и HTTP/3
+каждый параллельный запрос считается отдельным соединением.
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/http/ngx_http_v3_module.xml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xml/ru/docs/http/ngx_http_v3_module.xml Tue May 02 11:39:21 2023 +0100
@@ -0,0 +1,352 @@
+ + + + + + + + +
+ + +Модуль ngx_http_v3_module (1.23.4) обеспечивает +экспериментальную поддержку +HTTP/3. + + + +По умолчанию этот модуль не собирается, его сборку необходимо +разрешить с помощью конфигурационного параметра +--with-http_v3_module. + +Для сборки и работы этого модуля рекомендуется использовать +библиотеку SSL с поддержкой QUIC, например +BoringSSL, +LibreSSL, +QuicTLS. +Иначе, +при использовании библиотеки OpenSSL, +будет использоваться OpenSSL compatibility layer, +в котором не поддерживается +early data. + + + + + +Модуль доступен в виде +готовых пакетов +nginx-quic для Linux. +Модуль также доступен как часть +коммерческой подписки +в виде отдельного пакета nginx-plus-http3. + + + + +
+ + +
+ + +Модуль экспериментальный, поэтому возможно всё. + + +
+ + +
+ + + +http { + log_format quic '$remote_addr - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent" "$http3"'; + + access_log logs/access.log quic; + + server { + # для лучшей совместимости рекомендуется + # использовать одинаковый порт для http/3 и https + listen 8443 quic reuseport; + listen 8443 ssl; + + ssl_certificate certs/example.com.crt; + ssl_certificate_key certs/example.com.key; + + location / { + # используется для объявления о поддержке http/3 + add_header Alt-Svc 'h3=":8443"; ma=86400'; + } + } +} + +Чтобы принимать HTTP/3-соединения по TLS, необходимо +наличие поддержки протокола TLSv1.3, появившейся в +OpenSSL версии 1.1.1. + + +
+ + +
+ + +on | off +on +http +server + + +Разрешает +согласование протокола +HTTP/3. + + + + + + +on | off +off +http +server + + +Разрешает согласование протокола HTTP/0.9, +используемого в +функциональных +тестах QUIC. + + + + + + +число +10 +http +server + + +Ограничивает максимальное число параллельных +push-запросов в соединении. + + + + + + +число +128 +http +server + + +Задаёт максимальное число параллельных HTTP/3-потоков +в соединении. + + + + + + +uri | off +off +http +server +location + + +Заблаговременно отправляет +(push) запрос +к заданному uri +вместе с ответом на оригинальный запрос. +Будут обработаны только относительные URI с абсолютными путями, +например: + +http3_push /static/css/main.css; + +В значении uri допустимо использование переменных. + + + +На одном уровне конфигурации можно указать несколько +http3_push директив. +Параметр off отменяет действие +унаследованных с предыдущего уровня конфигурации +директив http3_push. + + + + + + +on | off +off +http +server +location + + +Разрешает автоматическое преобразование +preload +links, +указанных в полях
Link
заголовка ответа, в +push-запросы. +
+ +
+ + + +размер +64k +http +server + + +Задаёт размер буфера, используемого для чтения и записи +QUIC-потоков. + + + + + + +число +2 +http +server + + +Устанавливает +значение транспортного параметра QUIC active_connection_id_limit. +Это максимальное значение ID соединений, +возможное для хранения на сервере. + + + + + + +on | off +off +main + + +Разрешает маршрутизацию пакетов QUIC при помощи +eBPF. +Если маршрутизация включена, то обеспечивается поддержка миграции QUIC-соединений. + + + + +Директива поддерживается только на Linux 5.7+. + + + + + + + +on | off +off +http +server + + +Разрешает отправку оптимизированного пакетного режима +при помощи segmentation offloading. + + + + +Оптимизированная отправка поддерживается только на Linux +с поддержкой UDP_SEGMENT. + + + + + + + +файл + +http +server + + +Задаёт файл с секретным ключом, применяемым при шифровании +stateless reset и address validation токенов. +По умолчанию создаётся случайный ключ при каждой перезагрузке. +Токены, созданные при помощи старых ключей, не принимаются. + + + + + + +размер +65527 +http +server + + +Устанавливает +значение транспортного параметра QUIC max_udp_payload_size. +Это максимально возможное значение для получения UDP payload. + + + + + + +on | off +off +http +server + + +Разрешает функциональность +QUIC +Address Validation, +в том числе отправку нового токена в Retry-пакете +или NEW_TOKEN frame +и +валидацию токена, полученного в Initial-пакете. + + + + +
+ + +
+ + +Модуль ngx_http_v3_module +поддерживает следующие встроенные переменные: + + +$http3 + +согласованный идентификатор протокола: +“h3” для HTTP/3-соединений, +“hq” для hq-соединений, +либо пустая строка. + + + + + +
+ +
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/index.xml
--- a/xml/ru/docs/index.xml Fri Apr 28 09:25:05 2023 -0700
+++ b/xml/ru/docs/index.xml Tue May 02 11:39:21 2023 +0100
@@ -65,6 +65,10 @@
+ +Поддержка QUIC и HTTP/3 [en] + +
@@ -330,6 +334,11 @@
+ +ngx_http_internal_redirect_module + + + ngx_http_js_module
@@ -495,6 +504,12 @@
+ +ngx_http_v3_module + + + + ngx_http_xslt_module
@@ -597,6 +612,16 @@
+ +ngx_stream_mqtt_preread_module + + + + +ngx_stream_mqtt_filter_module + + + ngx_stream_proxy_module
@@ -662,6 +687,11 @@
 ngx_google_perftools_module + + +ngx_otel_module [en] + +
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/stream/ngx_stream_mqtt_filter_module.xml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xml/ru/docs/stream/ngx_stream_mqtt_filter_module.xml Tue May 02 11:39:21 2023 +0100
@@ -0,0 +1,109 @@
+ + + + + + + + +
+ + +Модуль ngx_stream_mqtt_filter_module (1.23.4) обеспечивает +поддержку протокола Message Queuing Telemetry Transport (MQTT) +версий +3.1.1 +и +5.0. + + + + +Модуль доступен как часть +коммерческой подписки. + + + +
+ + +
+ + + +listen 127.0.0.1:18883; +proxy_pass backend; +proxy_buffer_size 16k; + +mqtt on; +mqtt_set_connect clientid "$client"; +mqtt_set_connect username "$name"; + + + +
+ + +
+ + +on | off +off +stream +server + + +Включает протокол MQTT для данного виртуального сервера. + + + + + +размер +4k|8k +server + + +Задаёт размер буфера, +в который будет записываться модифицированное сообщение. +По умолчанию размер одного буфера равен размеру страницы памяти. +В зависимости от платформы это или 4K, или 8K, +однако его можно сделать меньше. + + + + + +поле значение + +server + + +Устанавливает поле +в заданное значение для сообщения CONNECT. +Поддерживаются следующие поля: +clientid, +username и +password. +В качестве значения можно использовать текст, переменные и их комбинации. + + + +На одном уровне может быть указано +несколько директив mqtt_set_connect: + +mqtt_set_connect clientid "$client"; +mqtt_set_connect username "$name"; + + + + + +
+ +
diff -r 2c4d7151b9a9 -r a85e4d126bc7 xml/ru/docs/stream/ngx_stream_mqtt_preread_module.xml
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/xml/ru/docs/stream/ngx_stream_mqtt_preread_module.xml Tue May 02 11:39:21 2023 +0100
@@ -0,0 +1,87 @@
+ + + + + + + + +
+ + +Модуль ngx_stream_mqtt_preread_module (1.23.4) позволяет +извлекать информацию из сообщения CONNECT +протокола Message Queuing Telemetry Transport (MQTT) +версий +3.1.1 +и +5.0, +например имя пользователя или ID клиента. + + + + +Модуль доступен как часть +коммерческой подписки. + + + +
+ + +
+ + + +mqtt_preread on; +return $mqtt_preread_clientid; + + + +
+ + +
+ + +on | off +off +stream +server + + +Разрешает извлечение информации из сообщения СONNECT во время фазы +предварительного чтения. + + + + +
+ + +
+ + + + +$mqtt_preread_clientid + +значение clientid из СONNECT-сообщения + + +$mqtt_preread_username + +значение username из СONNECT-сообщения + + + + + +
+ +
diff -r 2c4d7151b9a9 -r a85e4d126bc7 yaml/nginx_api.yaml
--- a/yaml/nginx_api.yaml Fri Apr 28 09:25:05 2023 -0700
+++ b/yaml/nginx_api.yaml Tue May 02 11:39:21 2023 +0100
@@ -280,7 +280,7 @@
 - in: query name: fields type: string - description: Limits which fields of client HTTP requests statistics + description: Limits which fields of client HTTP requests statistics will be output. responses: '200':
@@ -3573,7 +3573,7 @@
 server: type: string description: Same as the - address + address parameter of the HTTP upstream server. When adding a server, it is possible to specify it as a domain name. In this case, changes of the IP addresses