diff --git a/reference-lib/package-lock.json b/reference-lib/package-lock.json index 142bad8..71f2b56 100644 --- a/reference-lib/package-lock.json +++ b/reference-lib/package-lock.json @@ -1,12 +1,12 @@ { "name": "@nginx/reference-lib", - "version": "1.1.14", + "version": "1.1.15", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@nginx/reference-lib", - "version": "1.1.14", + "version": "1.1.15", "license": "Apache-2.0", "devDependencies": { "@rollup/plugin-json": "^6.1.0", diff --git a/reference-lib/package.json b/reference-lib/package.json index f996489..6a7000a 100644 --- a/reference-lib/package.json +++ b/reference-lib/package.json @@ -1,6 +1,6 @@ { "name": "@nginx/reference-lib", - "version": "1.1.14", + "version": "1.1.15", "description": "", "main": "dist/index.js", "type": "module", diff --git a/reference-lib/src/reference.json b/reference-lib/src/reference.json index ed34c70..2a42483 100644 --- a/reference-lib/src/reference.json +++ b/reference-lib/src/reference.json @@ -44,6 +44,184 @@ } ] }, + { + "id": "/en/docs/http/ngx_http_acme_module.html", + "name": "ngx_http_acme_module", + "directives": [ + { + "name": "acme_issuer", + "default": "", + "contexts": [ + "http" + ], + "syntax_md": [ + "*`name`* `{...}`" + ], + "syntax_html": [ + "
name
{...}
Defines an ACME certificate issuer object.
\n" + }, + { + "name": "uri", + "default": "", + "contexts": [ + "acme_issuer" + ], + "syntax_md": [ + "*`uri`*" + ], + "syntax_html": [ + "uri
The\ndirectory URL\nof the ACME server.\nThis directive is mandatory.
\n" + }, + { + "name": "account_key", + "default": "", + "contexts": [ + "acme_issuer" + ], + "syntax_md": [ + "*`alg`*[:*`size`*] | *`file`*" + ], + "syntax_html": [ + "alg
[:size
] | file
The account’s private key used for request authentication.
\n\nAccepted values:
\n\necdsa
:256
/384
/521
\nfor ES256, ES384, or ES512 JSON Web Signature algorithmsrsa
:2048
/3072
/4096
\nfor RS256.The generated account keys are preserved across reloads,\nbut will be lost on restart unless state_path
is configured.
URL
Sets an array of URLs that the ACME server can use\nto contact the client regarding account issues.\nThe mailto:
scheme will be used\nunless specified explicitly.
file
Specifies a file
with trusted CA certificates in the PEM format\nused to verify the certificate\nof the ACME server.
on
| off
Enables or disables verification of the ACME server certificate.
\n" + }, + { + "name": "state_path", + "default": "", + "contexts": [ + "acme_issuer" + ], + "syntax_md": [ + "*`path`*" + ], + "syntax_html": [ + "path
Defines a directory for storing the module data\nthat can be persisted across restarts.\nThis can improve the load time by skipping some requests on startup,\nand avoid hitting request rate limits on the ACME server.
\n\nThe directory contains sensitive content, such as\nthe account key, issued certificates, and private keys.
\n" + }, + { + "name": "accept_terms_of_service", + "default": "", + "contexts": [ + "acme_issuer" + ], + "syntax_md": [ + "" + ], + "syntax_html": [ + "" + ], + "isBlock": false, + "description_md": "Agrees to the terms of service under which the ACME server will be used.\nSome servers require accepting the terms of service\nbefore account registration.\nThe terms are usually available on the ACME server's website,\nand the URL will be printed to the error log if necessary.", + "description_html": "Agrees to the terms of service under which the ACME server will be used.\nSome servers require accepting the terms of service\nbefore account registration.\nThe terms are usually available on the ACME server’s website,\nand the URL will be printed to the error log if necessary.
\n" + }, + { + "name": "acme_shared_zone", + "default": "zone=ngx_acme_shared:256k", + "contexts": [ + "http" + ], + "syntax_md": [ + "`zone`=*`name`*:*`size`*" + ], + "syntax_html": [ + "zone
=name
:size
Allows increasing the size of in-memory storage of the module.\nThe shared memory zone will be used to store the issued certificates,\nkeys and challenge data for all the configured certificate issuers.
\n\nThe default zone size is sufficient to hold approximately\n50 ECDSA prime256v1 keys or 35 RSA 2048 keys.
\n" + }, + { + "name": "acme_certificate", + "default": "", + "contexts": [ + "server" + ], + "syntax_md": [ + "*`issuer`* [*`identifier`* ...] [`key`=*`alg`*[:*`size`*]]" + ], + "syntax_html": [ + "issuer
[identifier
…] [key
=alg
[:size
]]
Defines a certificate with the list of identifiers
\nrequested from issuer issuer
.
The explicit list of identifiers can be omitted.\nIn this case, the identifiers will be taken from the\nserver_name
directive\nin the same server
block.\nNot all values accepted in the server_name
\nare valid certificate identifiers:\nregular expressions and wildcards are not supported.
The key parameter sets the type of a generated private key.\nSupported key algorithms and sizes:\necdsa:256
(default),\necdsa:384
,\necdsa:521
,\nrsa:2048
,\nrsa:3072
,\nrsa:4096
.
SSL certificate that can be passed to the\nssl_certificate
SSL certificate private key that can be passed to\nssl_certificate_key
$value
… [error
=4xx
| 5xx
]
Enables authorization based on the specified variables.\nThe access is allowed only if all the variables are not\nempty and are not equal to “0”.\nOtherwise, the module returns 403
code, which can be\noverridden by the error
parameter.\nSeveral auth_require
directives can be used to return\ndifferent error codes.
name
| off
Enables end user authentication with the\nspecified OpenID Provider.
\n\nThe special value off
cancels the effect\nof the auth_oidc
directive\ninherited from the previous configuration level.
Enables end user authentication with the\nspecified OpenID Provider.
\n\nParameter value can contain variables (1.29.0).
\n\nThe special value off
cancels the effect\nof the auth_oidc
directive\ninherited from the previous configuration level.
uri
Defines the Redirection URI path for post-authentication redirects\nexpected by the module from the OpenID Provider.\nThe uri
must match the configuration on the Provider’s side.
Defines the Redirection URI path for post-authentication redirects\nexpected by the module from the OpenID Provider.\nThe uri
must match the configuration on the Provider’s side.
Absolute “https
” URIs are supported since 1.29.0.
uri
Defines the URI path for initiating session logout.\nUpon session termination, the user is redirected to\nProvider’s Logout Endpoint\nor to the post logout page.\nIf neither is configured, the built-in post logout page is displayed.
\n" + }, + { + "name": "post_logout_uri", + "default": "", + "contexts": [ + "oidc_provider" + ], + "syntax_md": [ + "*`uri`*" + ], + "syntax_html": [ + "uri
Defines the path or absolute URI\nto redirect the user to after the logout.\nThe uri
must match the configuration on the Provider’s side.\nIf the post logout page is served by NGINX,\nthe OIDC module shouldn’t be enabled for this location:
http {\n oidc_provider my_idp {\n ...\n\n logout_uri /logout;\n post_logout_uri /logged_out_page.html;\n }\n\n server {\n auth_oidc my_idp;\n\n location /logged_out_page.html {\n auth_oidc off;\n }\n }\n}\n
\n"
+ },
+ {
+ "name": "logout_token_hint",
+ "default": "off",
+ "contexts": [
+ "oidc_provider"
+ ],
+ "syntax_md": [
+ "`on` | `off`"
+ ],
+ "syntax_html": [
+ "on
| off
Adds the\nid_token_hint
\nargument to the\nProvider’s Logout Endpoint\nwhen redirecting user during logout.\nThis argument can be required by some OpenID Providers.
Specifies a file
with trusted CA certificates in the PEM format\nused to verify\nthe certificates of the OpenID Provider endpoints.
on
| off
Enables downloading of the\nUserInfo\ndata and makes UserInfo claims available via the\n$oidcclaimname
variables.
top-level ID token claim
\n\nNested claims can be fetched with the\nauth_jwt module:
\n\nhttp {\n auth_jwt_claim_set $postal_code address postal_code;\n\n server {\n location / {\n auth_oidc my_idp;\n auth_jwt off token=$oidc_id_token;\n\n proxy_set_header x-postal_code $postal_code;\n proxy_pass http://backend;\n }\n }\n}\n
\n"
+ "description_md": "top-level ID token or UserInfo claim\n\nNested claims can be fetched with the\n[auth_jwt](https://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html) module:\n```\nhttp {\n auth_jwt_claim_set $postal_code address postal_code;\n\n server {\n location / {\n auth_oidc my_idp;\n auth_jwt off token=$oidc_id_token;\n\n proxy_set_header x-postal_code $postal_code;\n proxy_pass http://backend;\n }\n }\n}\n```",
+ "description_html": "top-level ID token or UserInfo claim
\n\nNested claims can be fetched with the\nauth_jwt module:
\n\nhttp {\n auth_jwt_claim_set $postal_code address postal_code;\n\n server {\n location / {\n auth_oidc my_idp;\n auth_jwt off token=$oidc_id_token;\n\n proxy_set_header x-postal_code $postal_code;\n proxy_pass http://backend;\n }\n }\n}\n
\n"
+ },
+ {
+ "name": "$oidc_userinfo",
+ "description_md": "UserInfo data in the JSON format (1.29.0)",
+ "description_html": "UserInfo data in the JSON format (1.29.0)
\n" } ] }, @@ -8996,6 +9268,23 @@ "description_md": "Defines a cache that stores\n[SSL certificates](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) and\n[secret keys](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key)\nspecified with [variables](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key_variables).\n\nThe directive has the following parameters:\n- `max`\n\n sets the maximum number of elements in the cache;\n on cache overflow the least recently used (LRU) elements are removed;\n- `inactive`\n\n defines a time after which an element is removed from the cache\n if it has not been accessed during this time;\n by default, it is 10 seconds;\n- `valid`\n\n defines a time during which\n an element in the cache is considered valid\n and can be reused;\n by default, it is 60 seconds.\n Certificates that exceed this time will be reloaded or revalidated;\n- `off`\n\n disables the cache.\n\nExample:\n```\nssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nssl_certificate_cache max=1000 inactive=20s valid=1m;\n```", "description_html": "Defines a cache that stores\nSSL certificates and\nsecret keys\nspecified with variables.
\n\nThe directive has the following parameters:
\n\nmax
sets the maximum number of elements in the cache;\non cache overflow the least recently used (LRU) elements are removed;
inactive
defines a time after which an element is removed from the cache\nif it has not been accessed during this time;\nby default, it is 10 seconds;
valid
defines a time during which\nan element in the cache is considered valid\nand can be reused;\nby default, it is 60 seconds.\nCertificates that exceed this time will be reloaded or revalidated;
off
disables the cache.
Example:
\n\nssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nssl_certificate_cache max=1000 inactive=20s valid=1m;\n
\n"
},
+ {
+ "name": "ssl_certificate_compression",
+ "default": "off",
+ "contexts": [
+ "http",
+ "server"
+ ],
+ "syntax_md": [
+ "`on` | `off`"
+ ],
+ "syntax_html": [
+ "on
| off
Enables TLS 1.3\ncompression\nof server certificates.
\n\n\n\n" + }, { "name": "ssl_certificate_key", "default": "", @@ -12591,6 +12880,23 @@ "description_md": "Specifies a *`file`* with the certificate in the PEM format\nfor the given server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.\n\nSince version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:\n```\nserver {\n listen 993 ssl;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n```\n> Only OpenSSL 1.0.2 or higher supports separate\n> [certificate chains](https://nginx.org/en/docs/http/configuring_https_servers.html#chains)\n> for different certificates.\n> With older versions, only one certificate chain can be used.\n\nThe value\n`data`:*`certificate`*\ncan be specified instead of the *`file`* (1.15.10),\nwhich loads a certificate\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\n[error log](https://nginx.org/en/docs/ngx_core_module.html#error_log).", "description_html": "The directive is supported when using OpenSSL 3.2 or higher;\nthe list of supported compression algorithms is provided by the library.
\n
Specifies a file
with the certificate in the PEM format\nfor the given server.\nIf intermediate certificates should be specified in addition to a primary\ncertificate, they should be specified in the same file in the following\norder: the primary certificate comes first, then the intermediate certificates.\nA secret key in the PEM format may be placed in the same file.
Since version 1.11.0,\nthis directive can be specified multiple times\nto load certificates of different types, for example, RSA and ECDSA:
\n\nserver {\n listen 993 ssl;\n\n ssl_certificate example.com.rsa.crt;\n ssl_certificate_key example.com.rsa.key;\n\n ssl_certificate example.com.ecdsa.crt;\n ssl_certificate_key example.com.ecdsa.key;\n\n ...\n}\n
\n\n\n\n\nOnly OpenSSL 1.0.2 or higher supports separate\ncertificate chains\nfor different certificates.\nWith older versions, only one certificate chain can be used.
\n
The value\ndata
:certificate
\ncan be specified instead of the file
(1.15.10),\nwhich loads a certificate\nwithout using intermediate files.\nNote that inappropriate use of this syntax may have its security implications,\nsuch as writing secret key data to\nerror log.
on
| off
Enables TLS 1.3\ncompression\nof server certificates.
\n\n\n\n" + }, { "name": "ssl_certificate_key", "default": "", @@ -13180,6 +13486,22 @@ "description_md": "If enabled, SSL objects\n(SSL certificates, secret keys, trusted CA certificates, CRL lists)\nwill be inherited across configuration reloads.\n\nSSL objects loaded from a file are inherited\nif the modification time and file index has not been changed\nsince the previous configuration load.\nSecret keys specified as\n`engine:name:id` are never inherited.\nSecret keys specified as\n`data:value` are always inherited.\n\n> SSL objects loaded from variables cannot be inherited.\n\nExample:\n```\nssl_object_cache_inheritable on;\n\nhttp {\n ...\n server {\n ...\n ssl_certificate example.com.crt;\n ssl_certificate_key example.com.key;\n }\n}\n```", "description_html": "The directive is supported when using OpenSSL 3.2 or higher;\nthe list of supported compression algorithms is provided by the library.
\n
If enabled, SSL objects\n(SSL certificates, secret keys, trusted CA certificates, CRL lists)\nwill be inherited across configuration reloads.
\n\nSSL objects loaded from a file are inherited\nif the modification time and file index has not been changed\nsince the previous configuration load.\nSecret keys specified as\nengine:name:id
are never inherited.\nSecret keys specified as\ndata:value
are always inherited.
\n\n\nSSL objects loaded from variables cannot be inherited.
\n
Example:
\n\nssl_object_cache_inheritable on;\n\nhttp {\n ...\n server {\n ...\n ssl_certificate example.com.crt;\n ssl_certificate_key example.com.key;\n }\n}\n
\n"
},
+ {
+ "name": "stall_threshold",
+ "default": "1000ms",
+ "contexts": [
+ "events"
+ ],
+ "syntax_md": [
+ "*`time`*"
+ ],
+ "syntax_html": [
+ "time
Allows overriding the default time threshold for the event loop iteration\nbefore a stall is reported.\nBy default, a stall is reported\nwhen an event loop iteration exceeds 1000ms
.\nIf the timer_resolution
directive is enabled,\nthe time threshold will be ignored.
\n\n" + }, { "name": "thread_pool", "default": "default threads=32 max_queue=65536", @@ -15654,6 +15976,23 @@ "description_md": "Defines a cache that stores\n[SSL certificates](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_certificate) and\n[secret keys](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_certificate_key)\nspecified with [variables](https://nginx.org/en/docs/stream/ngx_stream_ssl_module.html#ssl_certificate_key_variables).\n\nThe directive has the following parameters:\n- `max`\n\n sets the maximum number of elements in the cache;\n on cache overflow the least recently used (LRU) elements are removed;\n- `inactive`\n\n defines a time after which an element is removed from the cache\n if it has not been accessed during this time;\n by default, it is 10 seconds;\n- `valid`\n\n defines a time during which\n an element in the cache is considered valid\n and can be reused;\n by default, it is 60 seconds.\n Certificates that exceed this time will be reloaded or revalidated;\n- `off`\n\n disables the cache.\n\nExample:\n```\nssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nssl_certificate_cache max=1000 inactive=20s valid=1m;\n```", "description_html": "This directive is available as part of our\ncommercial subscription.
\n
Defines a cache that stores\nSSL certificates and\nsecret keys\nspecified with variables.
\n\nThe directive has the following parameters:
\n\nmax
sets the maximum number of elements in the cache;\non cache overflow the least recently used (LRU) elements are removed;
inactive
defines a time after which an element is removed from the cache\nif it has not been accessed during this time;\nby default, it is 10 seconds;
valid
defines a time during which\nan element in the cache is considered valid\nand can be reused;\nby default, it is 60 seconds.\nCertificates that exceed this time will be reloaded or revalidated;
off
disables the cache.
Example:
\n\nssl_certificate $ssl_server_name.crt;\nssl_certificate_key $ssl_server_name.key;\nssl_certificate_cache max=1000 inactive=20s valid=1m;\n
\n"
},
+ {
+ "name": "ssl_certificate_compression",
+ "default": "off",
+ "contexts": [
+ "stream",
+ "server"
+ ],
+ "syntax_md": [
+ "`on` | `off`"
+ ],
+ "syntax_html": [
+ "on
| off
Enables TLS 1.3\ncompression\nof server certificates.
\n\n\n\n" + }, { "name": "ssl_certificate_key", "default": "", @@ -16867,5 +17206,5 @@ ] } ], - "version": "https://github.com/nginx/nginx.org/commit/fcef8c30af61b8d02d9e223c6daf1ab5c76d63ba" + "version": "https://github.com/nginx/nginx.org/commit/d670e1a9ff75d30e0142aa7bb34f152227041827" }The directive is supported when using OpenSSL 3.2 or higher;\nthe list of supported compression algorithms is provided by the library.
\n
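Review bot: In the ngx_http_acme_module block added to reference-lib/src/reference.json, the `accept_terms_of_service` entry has `"syntax_md": [ "" ]` and `"syntax_html": [ "" ]`, a one-element array holding an empty string, whereas the other directives visible in this block carry a non-empty syntax string. Any consumer that joins or renders the syntax array will produce a blank usage line for this directive, so confirm that this is the intended encoding for a directive without arguments, or emit an empty array instead. In the same block, `state_path` is recorded with `"default": ""` while its description says the directory holds the account key, issued certificates and private keys, and `account_key` says generated keys are lost on restart unless `state_path` is configured. Please check that the empty default reflects the module and is not a value lost during generation.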
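Review bot: In the `logout_token_hint` entry added for the `oidc_provider` context, the description stops at "Adds the id_token_hint argument to the Provider's Logout Endpoint when redirecting user during logout" and does not say that the ID token then travels in the redirect URL. It would help operators who turn this `on` because their provider requires it if the text noted that the token can be recorded wherever that URL is recorded, such as browser history and proxy or access logs. The neighbouring `post_logout_uri` entry already gives a configuration example, so a one-sentence note here would match the level of detail in the rest of the block.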