Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificate of the gRPC SSL server.
path
\n" + ], + "isBlock": false, + "description_md": "Enables logging of gRPC SSL server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\n[SSLKEYLOGFILE](https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile)\nformat compatible with Wireshark.\n\n> This directive is available as part of our\n> [commercial subscription](https://nginx.com/products/).", + "description_html": "Enables logging of gRPC SSL server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\nSSLKEYLOGFILE\nformat compatible with Wireshark.
\n\n\n\n" + }, { "name": "grpc_ssl_name", "default": "host from grpc_pass", @@ -6900,6 +6918,24 @@ "description_md": "Specifies a *`file`* with revoked certificates (CRL)\nin the PEM format used to [verify](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify)\nthe certificate of the proxied HTTPS server.", "description_html": "This directive is available as part of our\ncommercial subscription.
\n
Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificate of the proxied HTTPS server.
path
\n" + ], + "isBlock": false, + "description_md": "Enables logging of proxied HTTPS server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\n[SSLKEYLOGFILE](https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile)\nformat compatible with Wireshark.\n\n> This directive is available as part of our\n> [commercial subscription](https://nginx.com/products/).", + "description_html": "Enables logging of proxied HTTPS server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\nSSLKEYLOGFILE\nformat compatible with Wireshark.
\n\n\n\n" + }, { "name": "proxy_ssl_name", "default": "$proxy_host", @@ -8752,6 +8788,23 @@ "description_md": "Specifies a *`curve`* for ECDHE ciphers.\n\nWhen using OpenSSL 1.0.2 or higher,\nit is possible to specify multiple curves (1.11.0), for example:\n```\nssl_ecdh_curve prime256v1:secp384r1;\n```\n\nThe special value `auto` (1.11.0) instructs nginx to use\na list built into the OpenSSL library when using OpenSSL 1.0.2 or higher,\nor `prime256v1` with older versions.\n\n> Prior to version 1.11.0,\n> the `prime256v1` curve was used by default.\n\n> When using OpenSSL 1.0.2 or higher,\n> this directive sets the list of curves supported by the server.\n> Thus, in order for ECDSA certificates to work,\n> it is important to include the curves used in the certificates.", "description_html": "This directive is available as part of our\ncommercial subscription.
\n
Specifies a curve for ECDHE ciphers.
When using OpenSSL 1.0.2 or higher,\nit is possible to specify multiple curves (1.11.0), for example:
\n\nssl_ecdh_curve prime256v1:secp384r1;\nThe special value auto (1.11.0) instructs nginx to use\na list built into the OpenSSL library when using OpenSSL 1.0.2 or higher,\nor prime256v1 with older versions.
\n\n" }, + { + "name": "ssl_key_log", + "default": "", + "contexts": [ + "http", + "server" + ], + "syntax_md": [ + "path" + ], + "syntax_html": [ + "Prior to version 1.11.0,\nthe
\n\nprime256v1curve was used by default.When using OpenSSL 1.0.2 or higher,\nthis directive sets the list of curves supported by the server.\nThus, in order for ECDSA certificates to work,\nit is important to include the curves used in the certificates.
\n
path
\n" + ], + "isBlock": false, + "description_md": "Enables logging of client connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\n[SSLKEYLOGFILE](https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile)\nformat compatible with Wireshark.\n\n> This directive is available as part of our\n> [commercial subscription](https://nginx.com/products/).", + "description_html": "Enables logging of client connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\nSSLKEYLOGFILE\nformat compatible with Wireshark.
\n\n\n\n" + }, { "name": "ssl_ocsp", "default": "off", @@ -10854,6 +10907,24 @@ "description_md": "Specifies a *`file`* with revoked certificates (CRL)\nin the PEM format used to [verify](https://nginx.org/en/docs/http/ngx_http_uwsgi_module.html#uwsgi_ssl_verify)\nthe certificate of the secured uwsgi server.", "description_html": "This directive is available as part of our\ncommercial subscription.
\n
Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificate of the secured uwsgi server.
path
\n" + ], + "isBlock": false, + "description_md": "Enables logging of secured uwsgi server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\n[SSLKEYLOGFILE](https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile)\nformat compatible with Wireshark.\n\n> This directive is available as part of our\n> [commercial subscription](https://nginx.com/products/).", + "description_html": "Enables logging of secured uwsgi server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\nSSLKEYLOGFILE\nformat compatible with Wireshark.
\n\n\n\n" + }, { "name": "uwsgi_ssl_name", "default": "host from uwsgi_pass", @@ -12967,22 +13038,6 @@ "id": "/en/docs/ngx_mgmt_module.html", "name": "ngx_mgmt_module", "directives": [ - { - "name": "connect_timeout", - "default": "15s", - "contexts": [ - "mgmt" - ], - "syntax_md": [ - "*`time`*" - ], - "syntax_html": [ - "This directive is available as part of our\ncommercial subscription.
\n
time
Defines a timeout for establishing a connection with the Instance Manager.
\n" - }, { "name": "mgmt", "default": "", @@ -12996,75 +13051,11 @@ "{...}
Provides the configuration file context\nin which the management server directives are specified.
\n" - }, - { - "name": "read_timeout", - "default": "60s", - "contexts": [ - "mgmt" - ], - "syntax_md": [ - "*`time`*" - ], - "syntax_html": [ - "time
Defines a timeout for reading a response from the Instance Manager.\nThe timeout is set only between two successive read operations,\nnot for the transmission of the whole response.\nIf the Instance Manager does not transmit anything within this time,\nthe connection is closed.
\n" - }, - { - "name": "resolver", - "default": "", - "contexts": [ - "mgmt" - ], - "syntax_md": [ - "*`address`* ... [`valid`=*`time`*] [`ipv4`=`on`|`off`] [`ipv6`=`on`|`off`] [`status_zone`=*`zone`*]" - ], - "syntax_html": [ - "address … [valid=time] [ipv4=on|off] [ipv6=on|off] [status_zone=zone]
Configures name servers used to resolve names of the Instance Manager\ninto addresses, for example:
\n\nresolver 127.0.0.1 [::1]:5353;\nThe address can be specified as a domain name or IP address,\nwith an optional port.\nIf port is not specified, the port 53 is used.\nName servers are queried in a round-robin fashion.
\n\nBy default, nginx will look up both IPv4 and IPv6 addresses while resolving.\nIf looking up of IPv4 or IPv6 addresses is not desired,\nthe ipv4=off or\nthe ipv6=off parameter can be specified.
By default, nginx caches answers using the TTL value of a response.\nAn optional valid parameter allows overriding it:
resolver 127.0.0.1 [::1]:5353 valid=30s;\n\n\n\nTo prevent DNS spoofing, it is recommended\nconfiguring DNS servers in a properly secured trusted local network.
\n
The optional status_zone parameter\nenables\ncollection\nof DNS server statistics of requests and responses\nin the specified zone.
time
Sets a timeout for name resolution.
\n" - }, - { - "name": "send_timeout", - "default": "60s", - "contexts": [ - "mgmt" - ], - "syntax_md": [ - "*`time`*" - ], - "syntax_html": [ - "time
Sets a timeout for transmitting a request to the Instance Manager.\nThe timeout is set only between two successive write operations,\nnot for the transmission of the whole request.\nIf the Instance Manager does not receive anything within this time,\nthe connection is closed.
\n" + "description_md": "Provides the configuration file context in which\nusage reporting and license management directives\nare specified.", + "description_html": "Provides the configuration file context in which\nusage reporting and license management directives\nare specified.
\n" }, { - "name": "ssl", + "name": "enforce_initial_report", "default": "on", "contexts": [ "mgmt" @@ -13076,12 +13067,12 @@ "on | off
Enables the HTTPS protocol for all\nconnections to the Instance Manager.
\n" + "description_md": "Enables or disables the 180-day grace period\nfor sending the initial usage report.\n\nThe initial usage report is sent immediately\nupon nginx first start after installation.\nBy default, if the initial report is not received by F5 licensing endpoint,\nnginx stops processing traffic until the report is successfully delivered.\nSetting the directive value to `off` enables\nthe 180-day grace period during which\nthe initial usage report must be received by F5 licensing endpoint.", + "description_html": "Enables or disables the 180-day grace period\nfor sending the initial usage report.
\n\nThe initial usage report is sent immediately\nupon nginx first start after installation.\nBy default, if the initial report is not received by F5 licensing endpoint,\nnginx stops processing traffic until the report is successfully delivered.\nSetting the directive value to off enables\nthe 180-day grace period during which\nthe initial usage report must be received by F5 licensing endpoint.
file
Specifies a file with the certificate in the PEM format\nused for authentication to the Instance Manager.
Specifies a JWT license file.\nBy default, the license.jwt file is expected to be at\n/etc/nginx/ for Linux or at\n/usr/local/etc/nginx/ for FreeBSD.
file
Specifies a file with the secret key in the PEM format\nused for authentication to the Instance Manager.
ciphers
address … [valid=time] [ipv4=on|off] [ipv6=on|off] [status_zone=zone]
Specifies the enabled ciphers for requests to the Instance Manager.\nThe ciphers are specified in the format understood by the OpenSSL library.
\n\nThe full list can be viewed using the\nāopenssl ciphersā command.
Configures name servers used to resolve usage reporting endpoint name.\nBy default, the system resolver is used.
\n\nSee resolver for details.
file
Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificate of the Instance Manager.
name
Allows overriding the server name used to\nverify\nthe certificate of the Instance Manager and to be\npassed through SNI\nwhen establishing a connection with the Instance Manager.
\n" - }, - { - "name": "ssl_password_file", - "default": "", - "contexts": [ - "mgmt" - ], - "syntax_md": [ - "*`file`*" - ], - "syntax_html": [ - "file
Specifies a file with passphrases for\nsecret keys\nwhere each passphrase is specified on a separate line.\nPassphrases are tried in turn when loading the key.
[SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3]
Enables the specified protocols for requests to the Instance Manager.
\n" - }, - { - "name": "ssl_server_name", - "default": "off", - "contexts": [ - "mgmt" - ], - "syntax_md": [ - "`on` | `off`" - ], - "syntax_html": [ - "on | off
Enables or disables passing of the server name through\nTLS Server Name Indication extension (SNI, RFC 6066)\nwhen establishing a connection with the Instance Manager.
\n" + "description_md": "Specifies a *`file`* with revoked certificates (CRL)\nin the PEM format used to [verify](https://nginx.org/en/docs/ngx_mgmt_module.html#ssl_verify)\nthe certificate of the usage reporting endpoint.", + "description_html": "Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificate of the usage reporting endpoint.
file
Specifies a file with trusted CA certificates in the PEM format\nused to verify\nthe certificate of the Instance Manager.
Specifies a file with trusted CA certificates in the PEM format\nused to verify\nthe certificate of the usage reporting endpoint.
on | off
Enables or disables verification of the Instance Manager certificate.
\n" + "description_md": "Enables or disables verification of the usage reporting endpoint certificate.\n\n> Before 1.27.2, the default value was `off`.", + "description_html": "Enables or disables verification of the usage reporting endpoint certificate.
\n\n\n\n" }, { - "name": "ssl_verify_depth", - "default": "1", + "name": "state_path", + "default": "", "contexts": [ "mgmt" ], "syntax_md": [ - "*`number`*" + "*`path`*" ], "syntax_html": [ - "Before 1.27.2, the default value was
\noff.
number
path
Sets the verification depth in the Instance Manager certificates chain.
\n" + "description_md": "Defines a directory for storing state files\n(`nginx-mgmt-*`)\ncreated by the `ngx_mgmt_module` module.\nThe default directory\nfor Linux is `/var/lib/nginx/state`,\nfor FreeBSD is `/var/db/nginx/state`.", + "description_html": "Defines a directory for storing state files\n(nginx-mgmt-*)\ncreated by the ngx_mgmt_module module.\nThe default directory\nfor Linux is /var/lib/nginx/state,\nfor FreeBSD is /var/db/nginx/state.
[endpoint=address] [interval=time]
Sets the address and port for IP,\nor the path for a UNIX-domain socket on which\nthe Instance Manager is installed,\nby default nginx-mgmt.local.\nThe interval sets an interval between reports\nto the Instance Manager, by default 30m.
file
Specifies a file that keeps the ID of nginx instance.
Examples:
\n\nuuid_file /var/lib/nginx/nginx.id; # path for Linux\nuuid_file /var/db/nginx/nginx.id; # path for FreeBSD\nChanging the file content directly should be avoided.
\n" + "description_md": "Sets the *`address`* and *`port`*\nof the usage reporting endpoint.\nThe `interval` parameter sets an interval between\ntwo consecutive reports.\n> Before 1.27.2, the default values were\n> `nginx-mgmt.local` and\n> `30m`.", + "description_html": "Sets the address and port\nof the usage reporting endpoint.\nThe interval parameter sets an interval between\ntwo consecutive reports.
\n\n" } ] }, @@ -14949,6 +14844,23 @@ "description_md": "Specifies a *`file`* with revoked certificates (CRL)\nin the PEM format used to [verify](https://nginx.org/en/docs/stream/ngx_stream_proxy_module.html#proxy_ssl_verify)\nthe certificate of the proxied server.", "description_html": "Before 1.27.2, the default values were\n
\nnginx-mgmt.localand\n30m.
Specifies a file with revoked certificates (CRL)\nin the PEM format used to verify\nthe certificate of the proxied server.
path
\n" + ], + "isBlock": false, + "description_md": "Enables logging of proxied server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\n[SSLKEYLOGFILE](https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile)\nformat compatible with Wireshark.\n\n> This directive is available as part of our\n> [commercial subscription](https://nginx.com/products/).", + "description_html": "Enables logging of proxied server connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\nSSLKEYLOGFILE\nformat compatible with Wireshark.
\n\n\n\n" + }, { "name": "proxy_ssl_name", "default": "host from proxy_pass", @@ -15396,6 +15308,23 @@ "description_md": "Specifies a timeout for the SSL handshake to complete.", "description_html": "This directive is available as part of our\ncommercial subscription.
\n
Specifies a timeout for the SSL handshake to complete.
\n" }, + { + "name": "ssl_key_log", + "default": "", + "contexts": [ + "stream", + "server" + ], + "syntax_md": [ + "path" + ], + "syntax_html": [ + "path
\n" + ], + "isBlock": false, + "description_md": "Enables logging of client connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\n[SSLKEYLOGFILE](https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile)\nformat compatible with Wireshark.\n\n> This directive is available as part of our\n> [commercial subscription](https://nginx.com/products/).", + "description_html": "Enables logging of client connection SSL keys\nand specifies the path to the key log file.\nKeys are logged in the\nSSLKEYLOGFILE\nformat compatible with Wireshark.
\n\n\n\n" + }, { "name": "ssl_ocsp", "default": "off", @@ -16456,5 +16385,5 @@ ] } ], - "version": "https://github.com/nginx/nginx.org/commit/120efa0a24ae3e19529f7c94a11603699ced5472" + "version": "https://github.com/nginx/nginx.org/commit/3aad6b0f8f073986c4114a57cb42395a0d1b18ad" }This directive is available as part of our\ncommercial subscription.
\n