nginx/src/http/modules/ngx_http_ssl_module.h


/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


#ifndef _NGX_HTTP_SSL_H_INCLUDED_
#define _NGX_HTTP_SSL_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>


typedef struct {
    ngx_flag_t                      enable;

    ngx_ssl_t                       ssl;

    ngx_flag_t                      prefer_server_ciphers;

    ngx_uint_t                      protocols;

    ngx_uint_t                      verify;
    ngx_uint_t                      verify_depth;

    size_t                          buffer_size;

    ssize_t                         builtin_session_cache;

    time_t                          session_timeout;

    ngx_str_t                       certificate;
    ngx_str_t                       certificate_key;
    ngx_str_t                       dhparam;
    ngx_str_t                       ecdh_curve;
    ngx_str_t                       client_certificate;
    ngx_str_t                       trusted_certificate;
    ngx_str_t                       crl;

    ngx_str_t                       ciphers;

    ngx_array_t                    *passwords;

    ngx_shm_zone_t                 *shm_zone;

    ngx_flag_t                      session_tickets;
    ngx_array_t                    *session_ticket_keys;

    ngx_flag_t                      stapling;
    ngx_flag_t                      stapling_verify;
    ngx_str_t                       stapling_file;
    ngx_str_t                       stapling_responder;

    u_char                         *file;
    ngx_uint_t                      line;
} ngx_http_ssl_srv_conf_t;


extern ngx_module_t  ngx_http_ssl_module;


#endif /* _NGX_HTTP_SSL_H_INCLUDED_ */
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files 2004-09-28 16:34:51 +08:00
			`/*`
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright 2004-09-30 00:00:49 +08:00			`* Copyright (C) Igor Sysoev`
Copyright updated. 2012-01-18 23:07:43 +08:00			`* Copyright (C) Nginx, Inc.`
nginx-0.1.0-2004-09-28-12:34:51 import; set copyright and remove unused files 2004-09-28 16:34:51 +08:00			`*/`


nginx-0.0.7-2004-07-16-21:11:43 import 2004-07-17 01:11:43 +08:00			`#ifndef _NGX_HTTP_SSL_H_INCLUDED_`
			`#define _NGX_HTTP_SSL_H_INCLUDED_`
nginx-0.0.7-2004-07-08-19:17:47 import 2004-07-08 23:17:47 +08:00

			`#include <ngx_config.h>`
			`#include <ngx_core.h>`
			`#include <ngx_http.h>`


nginx-0.0.7-2004-07-15-20:35:51 import 2004-07-16 00:35:51 +08:00			`typedef struct {`
ssl_session_cache 2007-01-03 07:55:05 +08:00			`ngx_flag_t enable;`

			`ngx_ssl_t ssl;`

			`ngx_flag_t prefer_server_ciphers;`
nginx-0.2.2-RELEASE import ) Feature: the "config errmsg" command of the ngx_http_ssi_module. ) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. ) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. ) Bugfix: the ngx_http_autoindex_module did not show correctly the long file names; ) Bugfix: the ngx_http_autoindex_module now do not show the files starting by dot. ) Bugfix: if the SSL handshake failed then another connection may be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS. 2005-09-30 22:41:25 +08:00
ssl_session_cache 2007-01-03 07:55:05 +08:00			`ngx_uint_t protocols;`
nginx-0.2.2-RELEASE import ) Feature: the "config errmsg" command of the ngx_http_ssi_module. ) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. ) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. ) Bugfix: the ngx_http_autoindex_module did not show correctly the long file names; ) Bugfix: the ngx_http_autoindex_module now do not show the files starting by dot. ) Bugfix: if the SSL handshake failed then another connection may be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS. 2005-09-30 22:41:25 +08:00
) ssl_verify_client ask ) test ssl_client_certificate for ssl_verify_client ) $ssl_client_cert adds TAB before each line except first one ) $ssl_client_raw_cert contains certificate as is 2008-07-29 22:29:02 +08:00			`ngx_uint_t verify;`
			`ngx_uint_t verify_depth;`
nginx-0.2.2-RELEASE import ) Feature: the "config errmsg" command of the ngx_http_ssi_module. ) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. ) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. ) Bugfix: the ngx_http_autoindex_module did not show correctly the long file names; ) Bugfix: the ngx_http_autoindex_module now do not show the files starting by dot. ) Bugfix: if the SSL handshake failed then another connection may be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS. 2005-09-30 22:41:25 +08:00
SSL: ssl_buffer_size directive. 2013-12-20 20:18:25 +08:00			`size_t buffer_size;`

ssl_session_cache 2007-01-03 07:55:05 +08:00			`ssize_t builtin_session_cache;`
nginx-0.2.2-RELEASE import ) Feature: the "config errmsg" command of the ngx_http_ssi_module. ) Change: the ngx_http_geo_module variables can be overridden by the "set" directive. ) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. ) Bugfix: the ngx_http_autoindex_module did not show correctly the long file names; ) Bugfix: the ngx_http_autoindex_module now do not show the files starting by dot. ) Bugfix: if the SSL handshake failed then another connection may be closed too. Thanks to Rob Mueller. *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS. 2005-09-30 22:41:25 +08:00
ssl_session_cache 2007-01-03 07:55:05 +08:00			`time_t session_timeout;`
nginx-0.3.45-RELEASE import ) Feature: the "ssl_verify_client", "ssl_verify_depth", and "ssl_client_certificate" directives. ) Change: the $request_method variable now returns the main request method. ) Change: the ° symbol codes were changed in koi-win conversion table. ) Feature: the euro and N symbols were added to koi-win conversion table. *) Bugfix: if nginx distributed the requests among several backends and some backend failed, then requests intended for this backend was directed to one live backend only instead of being distributed among the rest. 2006-05-07 00:28:56 +08:00
ssl_session_cache 2007-01-03 07:55:05 +08:00			`ngx_str_t certificate;`
			`ngx_str_t certificate_key;`
DH parameters, ssl_dhparam 2008-06-16 13:51:32 +08:00			`ngx_str_t dhparam;`
ECDHE support patch by Adrian Kotelba 2011-07-20 23:42:40 +08:00			`ngx_str_t ecdh_curve;`
ssl_session_cache 2007-01-03 07:55:05 +08:00			`ngx_str_t client_certificate;`
OCSP stapling: ssl_trusted_certificate directive. The directive allows to specify additional trusted Certificate Authority certificates to be used during certificate verification. In contrast to ssl_client_certificate DNs of these cerificates aren't sent to a client during handshake. Trusted certificates are loaded regardless of the fact whether client certificates verification is enabled as the same certificates will be used for OCSP stapling, during construction of an OCSP request and for verification of an OCSP response. The same applies to a CRL (which is now always loaded). 2012-10-01 20:39:36 +08:00			`ngx_str_t trusted_certificate;`
ssl_crl 2009-07-23 20:21:26 +08:00			`ngx_str_t crl;`
nginx-0.3.8-RELEASE import ) Security: nginx now checks URI got from a backend in "X-Accel-Redirect" header line or in SSI file for the "/../" paths and zeroes. ) Change: nginx now does not treat the empty user name in the "Authorization" header line as valid one. ) Feature: the "ssl_session_timeout" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. ) Feature: the "auth_http_header" directive of the ngx_imap_auth_http_module. ) Feature: the "add_header" directive. ) Feature: the ngx_http_realip_module. ) Feature: the new variables to use in the "log_format" directive: $bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri, $request_time, $request_length, $upstream_status, $upstream_response_time, $gzip_ratio, $uid_got, $uid_set, $connection, $pipe, and $msec. The parameters in the "%name" form will be canceled soon. ) Change: now the false variable values in the "if" directive are the empty string "" and string starting with "0". ) Bugfix: while using proxied or FastCGI-server nginx may leave connections and temporary files with client requests in open state. ) Bugfix: the worker processes did not flush the buffered logs on graceful exit. ) Bugfix: if the request URI was changes by the "rewrite" directive and the request was proxied in location given by regular expression, then the incorrect request was transferred to backend; the bug had appeared in 0.2.6. ) Bugfix: the "expires" directive did not remove the previous "Expires" header. ) Bugfix: nginx may stop to accept requests if the "rtsig" method and several worker processes were used. ) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in SSI commands. *) Bugfix: if the response was ended just after the SSI command and gzipping was used, then the response did not transferred complete or did not transferred at all. 2005-11-10 01:25:55 +08:00
ssl_session_cache 2007-01-03 07:55:05 +08:00			`ngx_str_t ciphers;`
nginx-0.0.7-2004-07-15-20:35:51 import 2004-07-16 00:35:51 +08:00
SSL: the "ssl_password_file" directive. 2014-06-16 23:43:25 +08:00			`ngx_array_t *passwords;`

ssl_session_cache 2007-01-03 07:55:05 +08:00			`ngx_shm_zone_t *shm_zone;`
) listen ssl ) no default ssl_cetificate and ssl_cetificate_key 2008-09-01 22:19:01 +08:00
SSL: ssl_session_tickets directive. This adds support so it's possible to explicitly disable SSL Session Tickets. In order to have good Forward Secrecy support either the session ticket key has to be reloaded by using nginx' binary upgrade process or using an external key file and reloading the configuration. This directive adds another possibility to have good support by disabling session tickets altogether. If session tickets are enabled and the process lives for a long a time, an attacker can grab the session ticket from the process and use that to decrypt any traffic that occured during the entire lifetime of the process. 2014-01-10 23:12:40 +08:00			`ngx_flag_t session_tickets;`
SSL: added ability to set keys used for Session Tickets (RFC5077). In order to support key rollover, ssl_session_ticket_key can be defined multiple times. The first key will be used to issue and resume Session Tickets, while the rest will be used only to resume them. ssl_session_ticket_key session_tickets/current.key; ssl_session_ticket_key session_tickets/prev-1h.key; ssl_session_ticket_key session_tickets/prev-2h.key; Please note that nginx supports Session Tickets even without explicit configuration of the keys and this feature should be only used in setups where SSL traffic is distributed across multiple nginx servers. Signed-off-by: Piotr Sikora <piotr@cloudflare.com> 2013-10-12 07:05:24 +08:00			`ngx_array_t *session_ticket_keys;`

OCSP stapling: ssl_stapling_file support. Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com 2012-10-01 20:41:08 +08:00			`ngx_flag_t stapling;`
OCSP stapling: ssl_stapling_verify directive. OCSP response verification is now switched off by default to simplify configuration, and the ssl_stapling_verify allows to switch it on. Note that for stapling OCSP response verification isn't something required as it will be done by a client anyway. But doing verification on a server allows to mitigate some attack vectors, most notably stop an attacker from presenting some specially crafted data to all site clients. 2012-10-01 20:53:11 +08:00			`ngx_flag_t stapling_verify;`
OCSP stapling: ssl_stapling_file support. Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com 2012-10-01 20:41:08 +08:00			`ngx_str_t stapling_file;`
OCSP stapling: loading OCSP responses. This includes the ssl_stapling_responder directive (defaults to OCSP responder set in certificate's AIA extension). OCSP response for a given certificate is requested once we get at least one connection with certificate_status extension in ClientHello, and certificate status won't be sent in the connection in question. This due to limitations in the OpenSSL API (certificate status callback is blocking). Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't allow to access the certificate loaded via SSL_CTX. 2012-10-01 20:47:55 +08:00			`ngx_str_t stapling_responder;`
OCSP stapling: ssl_stapling_file support. Very basic version without any OCSP responder query code, assuming valid DER-encoded OCSP response is present in a ssl_stapling_file configured. Such file might be produced with openssl like this: openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \ -url http://ocsp.example.com 2012-10-01 20:41:08 +08:00
) listen ssl ) no default ssl_cetificate and ssl_cetificate_key 2008-09-01 22:19:01 +08:00			`u_char *file;`
			`ngx_uint_t line;`
nginx-0.0.7-2004-07-15-20:35:51 import 2004-07-16 00:35:51 +08:00			`} ngx_http_ssl_srv_conf_t;`
nginx-0.0.7-2004-07-12-01:03:47 import 2004-07-12 05:03:47 +08:00

nginx-0.0.7-2004-07-16-21:11:43 import 2004-07-17 01:11:43 +08:00			`extern ngx_module_t ngx_http_ssl_module;`
nginx-0.0.7-2004-07-15-20:35:51 import 2004-07-16 00:35:51 +08:00

nginx-0.0.7-2004-07-16-21:11:43 import 2004-07-17 01:11:43 +08:00			`#endif /* _NGX_HTTP_SSL_H_INCLUDED_ */`