CoCalc -- ngx_http_proxy

GitHub Repository: nginx/nginx.org
Path: blob/main/xml/en/docs/http/ngx_http_proxy_module.xml
¹ views
1
<?xml version="1.0"?>
2

3
<!--
4
  Copyright (C) Igor Sysoev
5
  Copyright (C) Nginx, Inc.
6
  -->
7

8
<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
9

10
<module name="Module ngx_http_proxy_module"
11
        link="/en/docs/http/ngx_http_proxy_module.html"
12
        lang="en"
13
        rev="88">
14

15
<section id="summary">
16

17
<para>
18
The <literal>ngx_http_proxy_module</literal> module allows passing
19
requests to another server.
20
</para>
21

22
</section>
23

24

25
<section id="example" name="Example Configuration">
26

27
<para>
28
<example>
29
location / {
30
    proxy_pass       http://localhost:8000;
31
    proxy_set_header Host      $host;
32
    proxy_set_header X-Real-IP $remote_addr;
33
}
34
</example>
35
</para>
36

37
</section>
38

39

40
<section id="directives" name="Directives">
41

42
<directive name="proxy_allow_upstream">
43
<syntax><value>string</value> ...</syntax>
44
<default/>
45
<context>http</context>
46
<context>server</context>
47
<context>location</context>
48
<appeared-in>1.29.3</appeared-in>
49

50
<para>
51
Defines conditions under which access to a proxied server
52
is allowed or <link id="denied">denied</link>.
53
If all string parameters are not empty
54
and not equal to “0” then the access is allowed.
55
The conditions are evaluated each time
56
before a connection to a proxied server is established.
57
Parameter values can contain variables:
58
<example>
59
geo $upstream_last_addr $allow {
60
    volatile;
61
    10.10.0.0/24        1;
62
}
63

64
server {
65
    listen 127.0.0.1:8080;
66

67
    location / {
68
        proxy_pass           localhost:8000;
69
        proxy_allow_upstream $allow;
70
        ...
71
    }
72
}
73
</example>
74
</para>
75

76
<para>
77
<note>
78
This directive is available as part of our
79
<commercial_version>commercial subscription</commercial_version>.
80
</note>
81
</para>
82

83
</directive>
84

85

86
<directive name="proxy_bind">
87
<syntax>
88
    <value>address</value>
89
    [<literal>transparent</literal>] |
90
    <literal>off</literal></syntax>
91
<default/>
92
<context>http</context>
93
<context>server</context>
94
<context>location</context>
95
<appeared-in>0.8.22</appeared-in>
96

97
<para>
98
Makes outgoing connections to a proxied server originate
99
from the specified local IP address with an optional port (1.11.2).
100
Parameter value can contain variables (1.3.12).
101
The special value <literal>off</literal> (1.3.12) cancels the effect
102
of the <literal>proxy_bind</literal> directive
103
inherited from the previous configuration level, which allows the
104
system to auto-assign the local IP address and port.
105
</para>
106

107
<para id="proxy_bind_transparent">
108
The <literal>transparent</literal> parameter (1.11.0) allows
109
outgoing connections to a proxied server originate
110
from a non-local IP address,
111
for example, from a real IP address of a client:
112
<example>
113
proxy_bind $remote_addr transparent;
114
</example>
115
In order for this parameter to work,
116
it is usually necessary to run nginx worker processes with the
117
<link doc="../ngx_core_module.xml" id="user">superuser</link> privileges.
118
On Linux it is not required (1.13.8) as if
119
the <literal>transparent</literal> parameter is specified, worker processes
120
inherit the <literal>CAP_NET_RAW</literal> capability from the master process.
121
It is also necessary to configure kernel routing table
122
to intercept network traffic from the proxied server.
123
</para>
124

125
</directive>
126

127

128
<directive name="proxy_bind_dynamic">
129
<syntax><literal>on</literal> | <literal>off</literal></syntax>
130
<default>off</default>
131
<context>http</context>
132
<context>server</context>
133
<context>location</context>
134
<appeared-in>1.29.3</appeared-in>
135

136
<para>
137
When enabled, makes the <link id="proxy_bind">bind</link> operation
138
at each connection attempt.
139
</para>
140

141
<para>
142
<note>
143
This directive is available as part of our
144
<commercial_version>commercial subscription</commercial_version>.
145
</note>
146
</para>
147

148
</directive>
149

150

151
<directive name="proxy_buffer_size">
152
<syntax><value>size</value></syntax>
153
<default>4k|8k</default>
154
<context>http</context>
155
<context>server</context>
156
<context>location</context>
157

158
<para>
159
Sets the <value>size</value> of the buffer used for reading the first part
160
of the response received from the proxied server.
161
This part usually contains a small response header;
162
if it exceeds the buffer size, the response is considered
163
<link id="invalid_header">invalid</link>.
164
By default, the buffer size is equal to one memory page.
165
This is either 4K or 8K, depending on a platform.
166
It can be made smaller, however.
167
</para>
168

169
</directive>
170

171

172
<directive name="proxy_buffering">
173
<syntax><literal>on</literal> | <literal>off</literal></syntax>
174
<default>on</default>
175
<context>http</context>
176
<context>server</context>
177
<context>location</context>
178

179
<para>
180
Enables or disables buffering of responses from the proxied server.
181
</para>
182

183
<para>
184
When buffering is enabled, nginx receives a response from the proxied server
185
as soon as possible, saving it into the buffers set by the
186
<link id="proxy_buffer_size"/> and <link id="proxy_buffers"/> directives.
187
If the whole response does not fit into memory, a part of it can be saved
188
to a <link id="proxy_temp_path">temporary file</link> on the disk.
189
Writing to temporary files is controlled by the
190
<link id="proxy_max_temp_file_size"/> and
191
<link id="proxy_temp_file_write_size"/> directives.
192
</para>
193

194
<para>
195
When buffering is disabled, the response is passed to a client synchronously,
196
immediately as it is received.
197
nginx will not try to read the whole response from the proxied server.
198
The maximum size of the data that nginx can receive from the server
199
at a time is set by the <link id="proxy_buffer_size"/> directive.
200
</para>
201

202
<para>
203
Buffering can also be enabled or disabled by passing
204
“<literal>yes</literal>” or “<literal>no</literal>” in the
205
<header>X-Accel-Buffering</header> response header field.
206
This capability can be disabled using the
207
<link id="proxy_ignore_headers"/> directive.
208
</para>
209

210
</directive>
211

212

213
<directive name="proxy_buffers">
214
<syntax><value>number</value> <value>size</value></syntax>
215
<default>8 4k|8k</default>
216
<context>http</context>
217
<context>server</context>
218
<context>location</context>
219

220
<para>
221
Sets the <value>number</value> and <value>size</value> of the
222
buffers used for reading a response from the proxied server,
223
for a single connection.
224
By default, the buffer size is equal to one memory page.
225
This is either 4K or 8K, depending on a platform.
226
</para>
227

228
</directive>
229

230

231
<directive name="proxy_busy_buffers_size">
232
<syntax><value>size</value></syntax>
233
<default>8k|16k</default>
234
<context>http</context>
235
<context>server</context>
236
<context>location</context>
237

238
<para>
239
When <link id="proxy_buffering">buffering</link> of responses from the proxied
240
server is enabled, limits the total <value>size</value> of buffers that
241
can be busy sending a response to the client while the response is not
242
yet fully read.
243
In the meantime, the rest of the buffers can be used for reading the response
244
and, if needed, buffering part of the response to a temporary file.
245
By default, <value>size</value> is limited by the size of two buffers set by the
246
<link id="proxy_buffer_size"/> and <link id="proxy_buffers"/> directives.
247
</para>
248

249
</directive>
250

251

252
<directive name="proxy_cache">
253
<syntax><value>zone</value> | <literal>off</literal></syntax>
254
<default>off</default>
255
<context>http</context>
256
<context>server</context>
257
<context>location</context>
258

259
<para>
260
Defines a shared memory zone used for caching.
261
The same zone can be used in several places.
262
Parameter value can contain variables (1.7.9).
263
The <literal>off</literal> parameter disables caching inherited
264
from the previous configuration level.
265
</para>
266

267
</directive>
268

269

270
<directive name="proxy_cache_background_update">
271
<syntax><literal>on</literal> | <literal>off</literal></syntax>
272
<default>off</default>
273
<context>http</context>
274
<context>server</context>
275
<context>location</context>
276
<appeared-in>1.11.10</appeared-in>
277

278
<para>
279
Allows starting a background subrequest
280
to update an expired cache item,
281
while a stale cached response is returned to the client.
282
Note that it is necessary to
283
<link id="proxy_cache_use_stale_updating">allow</link>
284
the usage of a stale cached response when it is being updated.
285
</para>
286

287
</directive>
288

289

290
<directive name="proxy_cache_bypass">
291
<syntax><value>string</value> ...</syntax>
292
<default/>
293
<context>http</context>
294
<context>server</context>
295
<context>location</context>
296

297
<para>
298
Defines conditions under which the response will not be taken from a cache.
299
If at least one value of the string parameters is not empty and is not
300
equal to “0” then the response will not be taken from the cache:
301
<example>
302
proxy_cache_bypass $cookie_nocache $arg_nocache$arg_comment;
303
proxy_cache_bypass $http_pragma    $http_authorization;
304
</example>
305
Can be used along with the <link id="proxy_no_cache"/> directive.
306
</para>
307

308
</directive>
309

310
<directive name="proxy_cache_convert_head">
311
<syntax><literal>on</literal> | <literal>off</literal></syntax>
312
<default>on</default>
313
<context>http</context>
314
<context>server</context>
315
<context>location</context>
316
<appeared-in>1.9.7</appeared-in>
317

318
<para>
319
Enables or disables the conversion of the “<literal>HEAD</literal>” method
320
to “<literal>GET</literal>” for caching.
321
When the conversion is disabled, the
322
<link id="proxy_cache_key">cache key</link> should be configured
323
to include the <var>$request_method</var>.
324
</para>
325

326
</directive>
327

328

329
<directive name="proxy_cache_key">
330
<syntax><value>string</value></syntax>
331
<default>$scheme$proxy_host$request_uri</default>
332
<context>http</context>
333
<context>server</context>
334
<context>location</context>
335

336
<para>
337
Defines a key for caching, for example
338
<example>
339
proxy_cache_key "$host$request_uri $cookie_user";
340
</example>
341
By default, the directive’s value is close to the string
342
<example>
343
proxy_cache_key $scheme$proxy_host$uri$is_args$args;
344
</example>
345
</para>
346

347
</directive>
348

349

350
<directive name="proxy_cache_lock">
351
<syntax><literal>on</literal> | <literal>off</literal></syntax>
352
<default>off</default>
353
<context>http</context>
354
<context>server</context>
355
<context>location</context>
356
<appeared-in>1.1.12</appeared-in>
357

358
<para>
359
When enabled, only one request at a time will be allowed to populate
360
a new cache element identified according to the <link id="proxy_cache_key"/>
361
directive by passing a request to a proxied server.
362
Other requests of the same cache element will either wait
363
for a response to appear in the cache or the cache lock for
364
this element to be released, up to the time set by the
365
<link id="proxy_cache_lock_timeout"/> directive.
366
</para>
367

368
</directive>
369

370

371
<directive name="proxy_cache_lock_age">
372
<syntax><value>time</value></syntax>
373
<default>5s</default>
374
<context>http</context>
375
<context>server</context>
376
<context>location</context>
377
<appeared-in>1.7.8</appeared-in>
378

379
<para>
380
If the last request passed to the proxied server
381
for populating a new cache element
382
has not completed for the specified <value>time</value>,
383
one more request may be passed to the proxied server.
384
</para>
385

386
</directive>
387

388

389
<directive name="proxy_cache_lock_timeout">
390
<syntax><value>time</value></syntax>
391
<default>5s</default>
392
<context>http</context>
393
<context>server</context>
394
<context>location</context>
395
<appeared-in>1.1.12</appeared-in>
396

397
<para>
398
Sets a timeout for <link id="proxy_cache_lock"/>.
399
When the <value>time</value> expires,
400
the request will be passed to the proxied server,
401
however, the response will not be cached.
402
<note>
403
Before 1.7.8, the response could be cached.
404
</note>
405
</para>
406

407
</directive>
408

409

410
<directive name="proxy_cache_max_range_offset">
411
<syntax><value>number</value></syntax>
412
<default/>
413
<context>http</context>
414
<context>server</context>
415
<context>location</context>
416
<appeared-in>1.11.6</appeared-in>
417

418
<para>
419
Sets an offset in bytes for byte-range requests.
420
If the range is beyond the offset,
421
the range request will be passed to the proxied server
422
and the response will not be cached.
423
</para>
424

425
</directive>
426

427

428
<directive name="proxy_cache_methods">
429
<syntax>
430
    <literal>GET</literal> |
431
    <literal>HEAD</literal> |
432
    <literal>POST</literal>
433
    ...</syntax>
434
<default>GET HEAD</default>
435
<context>http</context>
436
<context>server</context>
437
<context>location</context>
438
<appeared-in>0.7.59</appeared-in>
439

440
<para>
441
If the client request method is listed in this directive then
442
the response will be cached.
443
“<literal>GET</literal>” and “<literal>HEAD</literal>” methods are always
444
added to the list, though it is recommended to specify them explicitly.
445
See also the <link id="proxy_no_cache"/> directive.
446
</para>
447

448
</directive>
449

450

451
<directive name="proxy_cache_min_uses">
452
<syntax><value>number</value></syntax>
453
<default>1</default>
454
<context>http</context>
455
<context>server</context>
456
<context>location</context>
457

458
<para>
459
Sets the <value>number</value> of requests after which the response
460
will be cached.
461
</para>
462

463
</directive>
464

465

466
<directive name="proxy_cache_path">
467
<syntax>
468
    <value>path</value>
469
    [<literal>levels</literal>=<value>levels</value>]
470
    [<literal>use_temp_path</literal>=<literal>on</literal>|<literal>off</literal>]
471
    <literal>keys_zone</literal>=<value>name</value>:<value>size</value>
472
    [<literal>inactive</literal>=<value>time</value>]
473
    [<literal>max_size</literal>=<value>size</value>]
474
    [<literal>min_free</literal>=<value>size</value>]
475
    [<literal>manager_files</literal>=<value>number</value>]
476
    [<literal>manager_sleep</literal>=<value>time</value>]
477
    [<literal>manager_threshold</literal>=<value>time</value>]
478
    [<literal>loader_files</literal>=<value>number</value>]
479
    [<literal>loader_sleep</literal>=<value>time</value>]
480
    [<literal>loader_threshold</literal>=<value>time</value>]
481
    [<literal>purger</literal>=<literal>on</literal>|<literal>off</literal>]
482
    [<literal>purger_files</literal>=<value>number</value>]
483
    [<literal>purger_sleep</literal>=<value>time</value>]
484
    [<literal>purger_threshold</literal>=<value>time</value>]</syntax>
485
<default/>
486
<context>http</context>
487

488
<para>
489
Sets the path and other parameters of a cache.
490
Cache data are stored in files.
491
The file name in a cache is a result of
492
applying the MD5 function to the
493
<link id="proxy_cache_key">cache key</link>.
494
The <literal>levels</literal> parameter defines hierarchy levels of a cache:
495
from 1 to 3, each level accepts values 1 or 2.
496
For example, in the following configuration
497
<example>
498
proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;
499
</example>
500
file names in a cache will look like this:
501
<example>
502
/data/nginx/cache/<emphasis>c</emphasis>/<emphasis>29</emphasis>/b7f54b2df7773722d382f4809d650<emphasis>29c</emphasis>
503
</example>
504
</para>
505

506
<para>
507
A cached response is first written to a temporary file,
508
and then the file is renamed.
509
Starting from version 0.8.9, temporary files and the cache can be put on
510
different file systems.
511
However, be aware that in this case a file is copied
512
across two file systems instead of the cheap renaming operation.
513
It is thus recommended that for any given location both cache and a directory
514
holding temporary files
515
are put on the same file system.
516
The directory for temporary files is set based on
517
the <literal>use_temp_path</literal> parameter (1.7.10).
518
If this parameter is omitted or set to the value <literal>on</literal>,
519
the directory set by the <link id="proxy_temp_path"/> directive
520
for the given location will be used.
521
If the value is set to <literal>off</literal>,
522
temporary files will be put directly in the cache directory.
523
</para>
524

525
<para>
526
In addition, all active keys and information about data are stored
527
in a shared memory zone, whose <value>name</value> and <value>size</value>
528
are configured by the <literal>keys_zone</literal> parameter.
529
One megabyte zone can store about 8 thousand keys.
530
<note>
531
As part of
532
<commercial_version>commercial subscription</commercial_version>,
533
the shared memory zone also stores extended
534
cache <link doc="ngx_http_api_module.xml" id="http_caches_">information</link>,
535
thus, it is required to specify a larger zone size for the same number of keys.
536
For example,
537
one megabyte zone can store about 4 thousand keys.
538
</note>
539
</para>
540

541
<para>
542
Cached data that are not accessed during the time specified by the
543
<literal>inactive</literal> parameter get removed from the cache
544
regardless of their freshness.
545
By default, <literal>inactive</literal> is set to 10 minutes.
546
</para>
547

548
<para id="proxy_cache_path_max_size">
549
The special “cache manager” process monitors the maximum cache size set
550
by the <literal>max_size</literal> parameter,
551
and the minimum amount of free space set
552
by the <literal>min_free</literal> (1.19.1) parameter
553
on the file system with cache.
554
When the size is exceeded or there is not enough free space,
555
it removes the least recently used data.
556
The data is removed in iterations configured by
557
<literal>manager_files</literal>,
558
<literal>manager_threshold</literal>, and
559
<literal>manager_sleep</literal> parameters (1.11.5).
560
During one iteration no more than <literal>manager_files</literal> items
561
are deleted (by default, 100).
562
The duration of one iteration is limited by the
563
<literal>manager_threshold</literal> parameter (by default, 200 milliseconds).
564
Between iterations, a pause configured by the <literal>manager_sleep</literal>
565
parameter (by default, 50 milliseconds) is made.
566
</para>
567

568
<para>
569
A minute after the start the special “cache loader” process is activated.
570
It loads information about previously cached data stored on file system
571
into a cache zone.
572
The loading is also done in iterations.
573
During one iteration no more than <literal>loader_files</literal> items
574
are loaded (by default, 100).
575
Besides, the duration of one iteration is limited by the
576
<literal>loader_threshold</literal> parameter (by default, 200 milliseconds).
577
Between iterations, a pause configured by the <literal>loader_sleep</literal>
578
parameter (by default, 50 milliseconds) is made.
579
</para>
580

581
<para>
582
Additionally,
583
the following parameters are available as part of our
584
<commercial_version>commercial subscription</commercial_version>:
585
</para>
586

587
<para>
588
<list type="tag">
589

590
<tag-name id="purger">
591
<literal>purger</literal>=<literal>on</literal>|<literal>off</literal>
592
</tag-name>
593
<tag-desc>
594
Instructs whether cache entries that match a
595
<link id="proxy_cache_purge">wildcard key</link>
596
will be removed from the disk by the cache purger (1.7.12).
597
Setting the parameter to <literal>on</literal>
598
(default is <literal>off</literal>)
599
will activate the “cache purger” process that
600
permanently iterates through all cache entries
601
and deletes the entries that match the wildcard key.
602
</tag-desc>
603

604
<tag-name id="purger_files">
605
<literal>purger_files</literal>=<value>number</value>
606
</tag-name>
607
<tag-desc>
608
Sets the number of items that will be scanned during one iteration (1.7.12).
609
By default, <literal>purger_files</literal> is set to 10.
610
</tag-desc>
611

612
<tag-name id="purger_threshold">
613
<literal>purger_threshold</literal>=<value>number</value>
614
</tag-name>
615
<tag-desc>
616
Sets the duration of one iteration (1.7.12).
617
By default, <literal>purger_threshold</literal> is set to 50 milliseconds.
618
</tag-desc>
619

620
<tag-name id="purger_sleep">
621
<literal>purger_sleep</literal>=<value>number</value>
622
</tag-name>
623
<tag-desc>
624
Sets a pause between iterations (1.7.12).
625
By default, <literal>purger_sleep</literal> is set to 50 milliseconds.
626
</tag-desc>
627

628
</list>
629
</para>
630

631
<para>
632
<note>
633
In versions 1.7.3, 1.7.7, and 1.11.10 cache header format has been changed.
634
Previously cached responses will be considered invalid
635
after upgrading to a newer nginx version.
636
</note>
637
</para>
638

639
</directive>
640

641

642
<directive name="proxy_cache_purge">
643
<syntax>string ...</syntax>
644
<default/>
645
<context>http</context>
646
<context>server</context>
647
<context>location</context>
648
<appeared-in>1.5.7</appeared-in>
649

650
<para>
651
Defines conditions under which the request will be considered a cache
652
purge request.
653
If at least one value of the string parameters is not empty and is not equal
654
to “0” then the cache entry with a corresponding
655
<link id="proxy_cache_key">cache key</link> is removed.
656
The result of successful operation is indicated by returning
657
the <http-status code="204" text="No Content"/> response.
658
</para>
659

660
<para>
661
If the <link id="proxy_cache_key">cache key</link> of a purge request ends
662
with an asterisk (“<literal>*</literal>”), all cache entries matching the
663
wildcard key will be removed from the cache.
664
However, these entries will remain on the disk until they are deleted
665
for either <link id="proxy_cache_path">inactivity</link>,
666
or processed by the <link id="purger">cache purger</link> (1.7.12),
667
or a client attempts to access them.
668
</para>
669

670
<para>
671
Example configuration:
672
<example>
673
proxy_cache_path /data/nginx/cache keys_zone=cache_zone:10m;
674

675
map $request_method $purge_method {
676
    PURGE   1;
677
    default 0;
678
}
679

680
server {
681
    ...
682
    location / {
683
        proxy_pass http://backend;
684
        proxy_cache cache_zone;
685
        proxy_cache_key $uri;
686
        proxy_cache_purge $purge_method;
687
    }
688
}
689
</example>
690
<note>
691
This functionality is available as part of our
692
<commercial_version>commercial subscription</commercial_version>.
693
</note>
694
</para>
695

696
</directive>
697

698

699
<directive name="proxy_cache_revalidate">
700
<syntax><literal>on</literal> | <literal>off</literal></syntax>
701
<default>off</default>
702
<context>http</context>
703
<context>server</context>
704
<context>location</context>
705
<appeared-in>1.5.7</appeared-in>
706

707
<para>
708
Enables revalidation of expired cache items using conditional requests with
709
the <header>If-Modified-Since</header> and <header>If-None-Match</header>
710
header fields.
711
</para>
712

713
</directive>
714

715

716
<directive name="proxy_cache_use_stale">
717
<syntax>
718
    <literal>error</literal> |
719
    <literal>timeout</literal> |
720
    <literal>invalid_header</literal> |
721
    <literal>updating</literal> |
722
    <literal>http_500</literal> |
723
    <literal>http_502</literal> |
724
    <literal>http_503</literal> |
725
    <literal>http_504</literal> |
726
    <literal>http_403</literal> |
727
    <literal>http_404</literal> |
728
    <literal>http_429</literal> |
729
    <literal>off</literal>
730
    ...</syntax>
731
<default>off</default>
732
<context>http</context>
733
<context>server</context>
734
<context>location</context>
735

736
<para>
737
Determines in which cases a stale cached response can be used
738
during communication with the proxied server.
739
The directive’s parameters match the parameters of the
740
<link id="proxy_next_upstream"/> directive.
741
</para>
742

743
<para>
744
The <literal>error</literal> parameter also permits
745
using a stale cached response if a proxied server to process a request
746
cannot be selected.
747
</para>
748

749
<para id="proxy_cache_use_stale_updating">
750
Additionally, the <literal>updating</literal> parameter permits
751
using a stale cached response if it is currently being updated.
752
This allows minimizing the number of accesses to proxied servers
753
when updating cached data.
754
</para>
755

756
<para>
757
Using a stale cached response
758
can also be enabled directly in the response header
759
for a specified number of seconds after the response became stale (1.11.10).
760
This has lower priority than using the directive parameters.
761
<list type="bullet" compact="no">
762

763
<listitem>
764
The
765
“<link url="https://datatracker.ietf.org/doc/html/rfc5861#section-3">stale-while-revalidate</link>”
766
extension of the <header>Cache-Control</header> header field permits
767
using a stale cached response if it is currently being updated.
768
</listitem>
769

770
<listitem>
771
The
772
“<link url="https://datatracker.ietf.org/doc/html/rfc5861#section-4">stale-if-error</link>”
773
extension of the <header>Cache-Control</header> header field permits
774
using a stale cached response in case of an error.
775
</listitem>
776

777
</list>
778
</para>
779

780
<para>
781
To minimize the number of accesses to proxied servers when
782
populating a new cache element, the <link id="proxy_cache_lock"/>
783
directive can be used.
784
</para>
785

786
</directive>
787

788

789
<directive name="proxy_cache_valid">
790
<syntax>[<value>code</value> ...] <value>time</value></syntax>
791
<default/>
792
<context>http</context>
793
<context>server</context>
794
<context>location</context>
795

796
<para>
797
Sets caching time for different response codes.
798
For example, the following directives
799
<example>
800
proxy_cache_valid 200 302 10m;
801
proxy_cache_valid 404      1m;
802
</example>
803
set 10 minutes of caching for responses with codes 200 and 302
804
and 1 minute for responses with code 404.
805
</para>
806

807
<para>
808
If only caching <value>time</value> is specified
809
<example>
810
proxy_cache_valid 5m;
811
</example>
812
then only 200, 301, and 302 responses are cached.
813
</para>
814

815
<para>
816
In addition, the <literal>any</literal> parameter can be specified
817
to cache any responses:
818
<example>
819
proxy_cache_valid 200 302 10m;
820
proxy_cache_valid 301      1h;
821
proxy_cache_valid any      1m;
822
</example>
823
</para>
824

825
<para>
826
Parameters of caching can also be set directly
827
in the response header.
828
This has higher priority than setting of caching time using the directive.
829
<list type="bullet" compact="no">
830

831
<listitem>
832
The <header>X-Accel-Expires</header> header field sets caching time of a
833
response in seconds.
834
The zero value disables caching for a response.
835
If the value starts with the <literal>@</literal> prefix, it sets an absolute
836
time in seconds since Epoch, up to which the response may be cached.
837
</listitem>
838

839
<listitem>
840
If the header does not include the <header>X-Accel-Expires</header> field,
841
parameters of caching may be set in the header fields
842
<header>Expires</header> or <header>Cache-Control</header>.
843
</listitem>
844

845
<listitem>
846
If the header includes the <header>Set-Cookie</header> field, such a
847
response will not be cached.
848
</listitem>
849

850
<listitem>
851
If the header includes the <header>Vary</header> field
852
with the special value “<literal>*</literal>”, such a
853
response will not be cached (1.7.7).
854
If the header includes the <header>Vary</header> field
855
with another value, such a response will be cached
856
taking into account the corresponding request header fields (1.7.7).
857
</listitem>
858

859
</list>
860
Processing of one or more of these response header fields can be disabled
861
using the <link id="proxy_ignore_headers"/> directive.
862
</para>
863

864
</directive>
865

866

867
<directive name="proxy_connect_timeout">
868
<syntax><value>time</value></syntax>
869
<default>60s</default>
870
<context>http</context>
871
<context>server</context>
872
<context>location</context>
873

874
<para>
875
Defines a timeout for establishing a connection with a proxied server.
876
It should be noted that this timeout cannot usually exceed 75 seconds.
877
</para>
878

879
</directive>
880

881

882
<directive name="proxy_cookie_domain">
883
<syntax><literal>off</literal></syntax>
884
<syntax><value>domain</value> <value>replacement</value></syntax>
885
<default>off</default>
886
<context>http</context>
887
<context>server</context>
888
<context>location</context>
889
<appeared-in>1.1.15</appeared-in>
890

891
<para>
892
Sets a text that should be changed in the <literal>domain</literal>
893
attribute of the <header>Set-Cookie</header> header fields of a
894
proxied server response.
895
Suppose a proxied server returned the <header>Set-Cookie</header>
896
header field with the attribute
897
“<literal>domain=localhost</literal>”.
898
The directive
899
<example>
900
proxy_cookie_domain localhost example.org;
901
</example>
902
will rewrite this attribute to
903
“<literal>domain=example.org</literal>”.
904
</para>
905

906
<para>
907
A dot at the beginning of the <value>domain</value> and
908
<value>replacement</value> strings and the <literal>domain</literal>
909
attribute is ignored.
910
Matching is case-insensitive.
911
</para>
912

913
<para>
914
The <value>domain</value> and <value>replacement</value> strings
915
can contain variables:
916
<example>
917
proxy_cookie_domain www.$host $host;
918
</example>
919
</para>
920

921
<para>
922
The directive can also be specified using regular expressions.
923
In this case, <value>domain</value> should start from
924
the “<literal>~</literal>” symbol.
925
A regular expression can contain named and positional captures,
926
and <value>replacement</value> can reference them:
927
<example>
928
proxy_cookie_domain ~\.(?P&lt;sl_domain&gt;[-0-9a-z]+\.[a-z]+)$ $sl_domain;
929
</example>
930
</para>
931

932
<para>
933
Several <literal>proxy_cookie_domain</literal> directives
934
can be specified on the same level:
935
<example>
936
proxy_cookie_domain localhost example.org;
937
proxy_cookie_domain ~\.([a-z]+\.[a-z]+)$ $1;
938
</example>
939
If several directives can be applied to the cookie,
940
the first matching directive will be chosen.
941
</para>
942

943
<para>
944
The <literal>off</literal> parameter cancels the effect
945
of the <literal>proxy_cookie_domain</literal> directives
946
inherited from the previous configuration level.
947
</para>
948

949
</directive>
950

951

952
<directive name="proxy_cookie_flags">
953
<syntax>
954
    <literal>off</literal> |
955
    <value>cookie</value>
956
    [<value>flag</value> ...]</syntax>
957
<default>off</default>
958
<context>http</context>
959
<context>server</context>
960
<context>location</context>
961
<appeared-in>1.19.3</appeared-in>
962

963
<para>
964
Sets one or more flags for the cookie.
965
The <value>cookie</value> can contain text, variables, and their combinations.
966
The <value>flag</value>
967
can contain text, variables, and their combinations (1.19.8).
968
The
969
<literal>secure</literal>,
970
<literal>httponly</literal>,
971
<literal>samesite=strict</literal>,
972
<literal>samesite=lax</literal>,
973
<literal>samesite=none</literal>
974
parameters add the corresponding flags.
975
The
976
<literal>nosecure</literal>,
977
<literal>nohttponly</literal>,
978
<literal>nosamesite</literal>
979
parameters remove the corresponding flags.
980
</para>
981

982
<para>
983
The cookie can also be specified using regular expressions.
984
In this case, <value>cookie</value> should start from
985
the “<literal>~</literal>” symbol.
986
</para>
987

988
<para>
989
Several <literal>proxy_cookie_flags</literal> directives
990
can be specified on the same configuration level:
991
<example>
992
proxy_cookie_flags one httponly;
993
proxy_cookie_flags ~ nosecure samesite=strict;
994
</example>
995
If several directives can be applied to the cookie,
996
the first matching directive will be chosen.
997
In the example, the <literal>httponly</literal> flag
998
is added to the cookie <literal>one</literal>,
999
for all other cookies
1000
the <literal>samesite=strict</literal> flag is added and
1001
the <literal>secure</literal> flag is deleted.
1002
</para>
1003

1004
<para>
1005
The <literal>off</literal> parameter cancels the effect
1006
of the <literal>proxy_cookie_flags</literal> directives
1007
inherited from the previous configuration level.
1008
</para>
1009

1010
</directive>
1011

1012

1013
<directive name="proxy_cookie_path">
1014
<syntax><literal>off</literal></syntax>
1015
<syntax><value>path</value> <value>replacement</value></syntax>
1016
<default>off</default>
1017
<context>http</context>
1018
<context>server</context>
1019
<context>location</context>
1020
<appeared-in>1.1.15</appeared-in>
1021

1022
<para>
1023
Sets a text that should be changed in the <literal>path</literal>
1024
attribute of the <header>Set-Cookie</header> header fields of a
1025
proxied server response.
1026
Suppose a proxied server returned the <header>Set-Cookie</header>
1027
header field with the attribute
1028
“<literal>path=/two/some/uri/</literal>”.
1029
The directive
1030
<example>
1031
proxy_cookie_path /two/ /;
1032
</example>
1033
will rewrite this attribute to
1034
“<literal>path=/some/uri/</literal>”.
1035
</para>
1036

1037
<para>
1038
The <value>path</value> and <value>replacement</value> strings
1039
can contain variables:
1040
<example>
1041
proxy_cookie_path $uri /some$uri;
1042
</example>
1043
</para>
1044

1045
<para>
1046
The directive can also be specified using regular expressions.
1047
In this case, <value>path</value> should either start from
1048
the “<literal>~</literal>” symbol for a case-sensitive matching,
1049
or from the “<literal>~*</literal>” symbols for case-insensitive
1050
matching.
1051
The regular expression can contain named and positional captures,
1052
and <value>replacement</value> can reference them:
1053
<example>
1054
proxy_cookie_path ~*^/user/([^/]+) /u/$1;
1055
</example>
1056
</para>
1057

1058
<para>
1059
Several <literal>proxy_cookie_path</literal> directives
1060
can be specified on the same level:
1061
<example>
1062
proxy_cookie_path /one/ /;
1063
proxy_cookie_path / /two/;
1064
</example>
1065
If several directives can be applied to the cookie,
1066
the first matching directive will be chosen.
1067
</para>
1068

1069
<para>
1070
The <literal>off</literal> parameter cancels the effect
1071
of the <literal>proxy_cookie_path</literal> directives
1072
inherited from the previous configuration level.
1073
</para>
1074

1075
</directive>
1076

1077

1078
<directive name="proxy_force_ranges">
1079
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1080
<default>off</default>
1081
<context>http</context>
1082
<context>server</context>
1083
<context>location</context>
1084
<appeared-in>1.7.7</appeared-in>
1085

1086
<para>
1087
Enables byte-range support
1088
for both cached and uncached responses from the proxied server
1089
regardless of the <header>Accept-Ranges</header> field in these responses.
1090
</para>
1091

1092
</directive>
1093

1094

1095
<directive name="proxy_headers_hash_bucket_size">
1096
<syntax><value>size</value></syntax>
1097
<default>64</default>
1098
<context>http</context>
1099
<context>server</context>
1100
<context>location</context>
1101

1102
<para>
1103
Sets the bucket <value>size</value> for hash tables
1104
used by the <link id="proxy_hide_header"/> and <link id="proxy_set_header"/>
1105
directives.
1106
The details of setting up hash tables are provided in a separate
1107
<link doc="../hash.xml">document</link>.
1108
</para>
1109

1110
</directive>
1111

1112

1113
<directive name="proxy_headers_hash_max_size">
1114
<syntax><value>size</value></syntax>
1115
<default>512</default>
1116
<context>http</context>
1117
<context>server</context>
1118
<context>location</context>
1119

1120
<para>
1121
Sets the maximum <value>size</value> of hash tables
1122
used by the <link id="proxy_hide_header"/> and <link id="proxy_set_header"/>
1123
directives.
1124
The details of setting up hash tables are provided in a separate
1125
<link doc="../hash.xml">document</link>.
1126
</para>
1127

1128
</directive>
1129

1130

1131
<directive name="proxy_hide_header">
1132
<syntax><value>field</value></syntax>
1133
<default/>
1134
<context>http</context>
1135
<context>server</context>
1136
<context>location</context>
1137

1138
<para>
1139
By default,
1140
nginx does not pass the header fields <header>Date</header>,
1141
<header>Server</header>, <header>X-Pad</header>, and
1142
<header>X-Accel-...</header> from the response of a proxied
1143
server to a client.
1144
The <literal>proxy_hide_header</literal> directive sets additional fields
1145
that will not be passed.
1146
If, on the contrary, the passing of fields needs to be permitted,
1147
the <link id="proxy_pass_header"/> directive can be used.
1148
</para>
1149

1150
</directive>
1151

1152

1153
<directive name="proxy_http_version">
1154
<syntax>
1155
    <literal>1.0</literal> | <literal>1.1</literal> |
1156
    <literal>2</literal></syntax>
1157
<default>1.1</default>
1158
<context>http</context>
1159
<context>server</context>
1160
<context>location</context>
1161
<appeared-in>1.1.4</appeared-in>
1162

1163
<para>
1164
Sets the HTTP protocol version for proxying.
1165
Since 1.29.7, version 1.1 is used by default.
1166
Before 1.29.7, version 1.0 was used by default.
1167
Version 1.1 or 2 (1.29.4) is recommended for use with
1168
<link doc="ngx_http_upstream_module.xml" id="keepalive"/>
1169
connections and
1170
<link doc="ngx_http_upstream_module.xml" id="ntlm">NTLM authentication</link>.
1171
<note>
1172
Version 2 requires the
1173
<link doc="ngx_http_v2_module.xml">ngx_http_v2_module</link> module.
1174
</note>
1175
</para>
1176

1177
</directive>
1178

1179

1180
<directive name="proxy_ignore_client_abort">
1181
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1182
<default>off</default>
1183
<context>http</context>
1184
<context>server</context>
1185
<context>location</context>
1186

1187
<para>
1188
Determines whether the connection with a proxied server should be
1189
closed when a client closes the connection without waiting
1190
for a response.
1191
</para>
1192

1193
</directive>
1194

1195

1196
<directive name="proxy_ignore_headers">
1197
<syntax><value>field</value> ...</syntax>
1198
<default/>
1199
<context>http</context>
1200
<context>server</context>
1201
<context>location</context>
1202

1203
<para>
1204
Disables processing of certain response header fields from the proxied server.
1205
The following fields can be ignored: <header>X-Accel-Redirect</header>,
1206
<header>X-Accel-Expires</header>, <header>X-Accel-Limit-Rate</header> (1.1.6),
1207
<header>X-Accel-Buffering</header> (1.1.6),
1208
<header>X-Accel-Charset</header> (1.1.6), <header>Expires</header>,
1209
<header>Cache-Control</header>, <header>Set-Cookie</header> (0.8.44),
1210
and <header>Vary</header> (1.7.7).
1211
</para>
1212

1213
<para>
1214
If not disabled, processing of these header fields has the following
1215
effect:
1216
<list type="bullet" compact="no">
1217

1218
<listitem>
1219
<header>X-Accel-Expires</header>, <header>Expires</header>,
1220
<header>Cache-Control</header>, <header>Set-Cookie</header>,
1221
and <header>Vary</header>
1222
set the parameters of response <link id="proxy_cache_valid">caching</link>;
1223
</listitem>
1224

1225
<listitem>
1226
<header>X-Accel-Redirect</header> performs an
1227
<link doc="ngx_http_core_module.xml" id="internal">internal
1228
redirect</link> to the specified URI;
1229
</listitem>
1230

1231
<listitem>
1232
<header>X-Accel-Limit-Rate</header> sets the
1233
<link doc="ngx_http_core_module.xml" id="limit_rate">rate
1234
limit</link> for transmission of a response to a client;
1235
</listitem>
1236

1237
<listitem>
1238
<header>X-Accel-Buffering</header> enables or disables
1239
<link id="proxy_buffering">buffering</link> of a response;
1240
</listitem>
1241

1242
<listitem>
1243
<header>X-Accel-Charset</header> sets the desired
1244
<link doc="ngx_http_charset_module.xml" id="charset"/>
1245
of a response.
1246
</listitem>
1247

1248
</list>
1249
</para>
1250

1251
</directive>
1252

1253

1254
<directive name="proxy_intercept_errors">
1255
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1256
<default>off</default>
1257
<context>http</context>
1258
<context>server</context>
1259
<context>location</context>
1260

1261
<para>
1262
Determines whether proxied responses with codes greater than or equal
1263
to 300 should be passed to a client
1264
or be intercepted and redirected to nginx for processing
1265
with the <link doc="ngx_http_core_module.xml" id="error_page"/> directive.
1266
</para>
1267

1268
</directive>
1269

1270

1271
<directive name="proxy_limit_rate">
1272
<syntax><value>rate</value></syntax>
1273
<default>0</default>
1274
<context>http</context>
1275
<context>server</context>
1276
<context>location</context>
1277
<appeared-in>1.7.7</appeared-in>
1278

1279
<para>
1280
Limits the speed of reading the response from the proxied server.
1281
The <value>rate</value> is specified in bytes per second.
1282
The zero value disables rate limiting.
1283
The limit is set per a request, and so if nginx simultaneously opens
1284
two connections to the proxied server,
1285
the overall rate will be twice as much as the specified limit.
1286
The limitation works only if
1287
<link id="proxy_buffering">buffering</link> of responses from the proxied
1288
server is enabled.
1289
Parameter value can contain variables (1.27.0).
1290
</para>
1291

1292
</directive>
1293

1294

1295
<directive name="proxy_max_temp_file_size">
1296
<syntax><value>size</value></syntax>
1297
<default>1024m</default>
1298
<context>http</context>
1299
<context>server</context>
1300
<context>location</context>
1301

1302
<para>
1303
When <link id="proxy_buffering">buffering</link> of responses from the proxied
1304
server is enabled, and the whole response does not fit into the buffers
1305
set by the <link id="proxy_buffer_size"/> and <link id="proxy_buffers"/>
1306
directives, a part of the response can be saved to a temporary file.
1307
This directive sets the maximum <value>size</value> of the temporary file.
1308
The size of data written to the temporary file at a time is set
1309
by the <link id="proxy_temp_file_write_size"/> directive.
1310
</para>
1311

1312
<para>
1313
The zero value disables buffering of responses to temporary files.
1314
</para>
1315

1316
<para>
1317
<note>
1318
This restriction does not apply to responses
1319
that will be <link id="proxy_cache">cached</link>
1320
or <link id="proxy_store">stored</link> on disk.
1321
</note>
1322
</para>
1323

1324
</directive>
1325

1326

1327
<directive name="proxy_method">
1328
<syntax><value>method</value></syntax>
1329
<default/>
1330
<context>http</context>
1331
<context>server</context>
1332
<context>location</context>
1333

1334
<para>
1335
Specifies the HTTP <value>method</value> to use in requests forwarded
1336
to the proxied server instead of the method from the client request.
1337
Parameter value can contain variables (1.11.6).
1338
</para>
1339

1340
</directive>
1341

1342

1343
<directive name="proxy_next_upstream">
1344
<syntax>
1345
    <literal>error</literal> |
1346
    <literal>timeout</literal> |
1347
    <literal>denied</literal> |
1348
    <literal>invalid_header</literal> |
1349
    <literal>http_500</literal> |
1350
    <literal>http_502</literal> |
1351
    <literal>http_503</literal> |
1352
    <literal>http_504</literal> |
1353
    <literal>http_403</literal> |
1354
    <literal>http_404</literal> |
1355
    <literal>http_429</literal> |
1356
    <literal>non_idempotent</literal> |
1357
    <literal>off</literal>
1358
    ...</syntax>
1359
<default>error timeout</default>
1360
<context>http</context>
1361
<context>server</context>
1362
<context>location</context>
1363

1364
<para>
1365
Specifies in which cases a request should be passed to the next server:
1366
<list type="tag">
1367

1368
<tag-name><literal>error</literal></tag-name>
1369
<tag-desc>an error occurred while establishing a connection with the
1370
server, passing a request to it, or reading the response header;</tag-desc>
1371

1372
<tag-name><literal>timeout</literal></tag-name>
1373
<tag-desc>a timeout has occurred while establishing a connection with the
1374
server, passing a request to it, or reading the response header;</tag-desc>
1375

1376
<tag-name id="denied"><literal>denied</literal></tag-name>
1377
<tag-desc>the server <link id="proxy_allow_upstream">denied</link>
1378
the connection (1.29.3);
1379
<para>
1380
<note>
1381
This parameter is available as part of our
1382
<commercial_version>commercial subscription</commercial_version>.
1383
</note>
1384
</para>
1385
</tag-desc>
1386

1387
<tag-name id="invalid_header"><literal>invalid_header</literal></tag-name>
1388
<tag-desc>a server returned an empty or invalid response;</tag-desc>
1389

1390
<tag-name><literal>http_500</literal></tag-name>
1391
<tag-desc>a server returned a response with the code 500;</tag-desc>
1392

1393
<tag-name><literal>http_502</literal></tag-name>
1394
<tag-desc>a server returned a response with the code 502;</tag-desc>
1395

1396
<tag-name><literal>http_503</literal></tag-name>
1397
<tag-desc>a server returned a response with the code 503;</tag-desc>
1398

1399
<tag-name><literal>http_504</literal></tag-name>
1400
<tag-desc>a server returned a response with the code 504;</tag-desc>
1401

1402
<tag-name><literal>http_403</literal></tag-name>
1403
<tag-desc>a server returned a response with the code 403;</tag-desc>
1404

1405
<tag-name><literal>http_404</literal></tag-name>
1406
<tag-desc>a server returned a response with the code 404;</tag-desc>
1407

1408
<tag-name><literal>http_429</literal></tag-name>
1409
<tag-desc>a server returned a response with the code 429 (1.11.13);</tag-desc>
1410

1411
<tag-name id="non_idempotent"><literal>non_idempotent</literal></tag-name>
1412
<tag-desc>normally, requests with a
1413
<link url="https://datatracker.ietf.org/doc/html/rfc7231#section-4.2.2">non-idempotent</link>
1414
method
1415
(<literal>POST</literal>, <literal>LOCK</literal>, <literal>PATCH</literal>)
1416
are not passed to the next server
1417
if a request has been sent to an upstream server (1.9.13);
1418
enabling this option explicitly allows retrying such requests;
1419
</tag-desc>
1420

1421
<tag-name><literal>off</literal></tag-name>
1422
<tag-desc>disables passing a request to the next server.</tag-desc>
1423

1424
</list>
1425
</para>
1426

1427
<para>
1428
One should bear in mind that passing a request to the next server is
1429
only possible if nothing has been sent to a client yet.
1430
That is, if an error or timeout occurs in the middle of the
1431
transferring of a response, fixing this is impossible.
1432
</para>
1433

1434
<para>
1435
The directive also defines what is considered an
1436
<link doc="ngx_http_upstream_module.xml" id="max_fails">unsuccessful
1437
attempt</link> of communication with a server.
1438
The cases of <literal>error</literal>, <literal>timeout</literal>,
1439
<literal>denied</literal> and
1440
<literal>invalid_header</literal> are always considered unsuccessful attempts,
1441
even if they are not specified in the directive.
1442
The cases of <literal>http_500</literal>, <literal>http_502</literal>,
1443
<literal>http_503</literal>, <literal>http_504</literal>,
1444
and <literal>http_429</literal> are
1445
considered unsuccessful attempts only if they are specified in the directive.
1446
The cases of <literal>http_403</literal> and <literal>http_404</literal>
1447
are never considered unsuccessful attempts.
1448
</para>
1449

1450
<para>
1451
Passing a request to the next server can be limited by
1452
<link id="proxy_next_upstream_tries">the number of tries</link>
1453
and by <link id="proxy_next_upstream_timeout">time</link>.
1454
</para>
1455

1456
</directive>
1457

1458

1459
<directive name="proxy_next_upstream_timeout">
1460
<syntax><value>time</value></syntax>
1461
<default>0</default>
1462
<context>http</context>
1463
<context>server</context>
1464
<context>location</context>
1465
<appeared-in>1.7.5</appeared-in>
1466

1467
<para>
1468
Limits the time during which a request can be passed to the
1469
<link id="proxy_next_upstream">next server</link>.
1470
The <literal>0</literal> value turns off this limitation.
1471
</para>
1472

1473
</directive>
1474

1475

1476
<directive name="proxy_next_upstream_tries">
1477
<syntax><value>number</value></syntax>
1478
<default>0</default>
1479
<context>http</context>
1480
<context>server</context>
1481
<context>location</context>
1482
<appeared-in>1.7.5</appeared-in>
1483

1484
<para>
1485
Limits the number of possible tries for passing a request to the
1486
<link id="proxy_next_upstream">next server</link>.
1487
The <literal>0</literal> value turns off this limitation.
1488
</para>
1489

1490
</directive>
1491

1492

1493
<directive name="proxy_no_cache">
1494
<syntax><value>string</value> ...</syntax>
1495
<default/>
1496
<context>http</context>
1497
<context>server</context>
1498
<context>location</context>
1499

1500
<para>
1501
Defines conditions under which the response will not be saved to a cache.
1502
If at least one value of the string parameters is not empty and is not
1503
equal to “0” then the response will not be saved:
1504
<example>
1505
proxy_no_cache $cookie_nocache $arg_nocache$arg_comment;
1506
proxy_no_cache $http_pragma    $http_authorization;
1507
</example>
1508
Can be used along with the <link id="proxy_cache_bypass"/> directive.
1509
</para>
1510

1511
</directive>
1512

1513

1514
<directive name="proxy_pass">
1515
<syntax><value>URL</value></syntax>
1516
<default/>
1517
<context>location</context>
1518
<context>if in location</context>
1519
<context>limit_except</context>
1520

1521
<para>
1522
Sets the protocol and address of a proxied server and an optional URI
1523
to which a location should be mapped.
1524
As a protocol, “<literal>http</literal>” or “<literal>https</literal>”
1525
can be specified.
1526
The address can be specified as a domain name or IP address,
1527
and an optional port:
1528
<example>
1529
proxy_pass http://localhost:8000/uri/;
1530
</example>
1531
or as a UNIX-domain socket path specified after the word
1532
“<literal>unix</literal>” and enclosed in colons:
1533
<example>
1534
proxy_pass http://unix:/tmp/backend.socket:/uri/;
1535
</example>
1536
</para>
1537

1538
<para>
1539
If a domain name resolves to several addresses, all of them will be
1540
used in a round-robin fashion.
1541
In addition, an address can be specified as a
1542
<link doc="ngx_http_upstream_module.xml">server group</link>.
1543
</para>
1544

1545
<para>
1546
Parameter value can contain variables.
1547
In this case, if an address is specified as a domain name,
1548
the name is searched among the described server groups,
1549
and, if not found, is determined using a
1550
<link doc="ngx_http_core_module.xml" id="resolver"/>.
1551
</para>
1552

1553
<para>
1554
A request URI is passed to the server as follows:
1555
<list type="bullet" compact="no">
1556

1557
<listitem>
1558
If the <literal>proxy_pass</literal> directive is specified with a URI,
1559
then when a request is passed to the server, the part of a
1560
<link doc="ngx_http_core_module.xml" id="location">normalized</link>
1561
request URI matching the location is replaced by a URI
1562
specified in the directive:
1563
<example>
1564
location /name/ {
1565
    proxy_pass http://127.0.0.1/remote/;
1566
}
1567
</example>
1568
</listitem>
1569

1570
<listitem>
1571
If <literal>proxy_pass</literal> is specified without a URI,
1572
the request URI is passed to the server in the same form
1573
as sent by a client when the original request is processed,
1574
or the full normalized request URI is passed
1575
when processing the changed URI:
1576
<example>
1577
location /some/path/ {
1578
    proxy_pass http://127.0.0.1;
1579
}
1580
</example>
1581
<note>
1582
Before version 1.1.12,
1583
if <literal>proxy_pass</literal> is specified without a URI,
1584
the original request URI might be passed
1585
instead of the changed URI in some cases.
1586
</note>
1587
</listitem>
1588
</list>
1589
</para>
1590

1591
<para>
1592
In some cases, the part of a request URI to be replaced cannot be determined:
1593
<list type="bullet" compact="no">
1594

1595
<listitem>
1596
When location is specified using a regular expression,
1597
and also inside named locations.
1598
<para>
1599
In these cases,
1600
<literal>proxy_pass</literal> should be specified without a URI.
1601
</para>
1602
</listitem>
1603

1604
<listitem>
1605
When the URI is changed inside a proxied location using the
1606
<link doc="ngx_http_rewrite_module.xml" id="rewrite"/> directive,
1607
and this same configuration will be used to process a request
1608
(<literal>break</literal>):
1609
<example>
1610
location /name/ {
1611
    rewrite    /name/([^/]+) /users?name=$1 break;
1612
    proxy_pass http://127.0.0.1;
1613
}
1614
</example>
1615
<para>
1616
In this case, the URI specified in the directive is ignored and
1617
the full changed request URI is passed to the server.
1618
</para>
1619
</listitem>
1620

1621
<listitem>
1622
When variables are used in <literal>proxy_pass</literal>:
1623
<example>
1624
location /name/ {
1625
    proxy_pass http://127.0.0.1$request_uri;
1626
}
1627
</example>
1628
In this case, if URI is specified in the directive,
1629
it is passed to the server as is,
1630
replacing the original request URI.
1631
</listitem>
1632
</list>
1633
</para>
1634

1635
<para>
1636
<link doc="websocket.xml">WebSocket</link> proxying requires special
1637
configuration and is supported since version 1.3.13.
1638
</para>
1639

1640
</directive>
1641

1642

1643
<directive name="proxy_pass_header">
1644
<syntax><value>field</value></syntax>
1645
<default/>
1646
<context>http</context>
1647
<context>server</context>
1648
<context>location</context>
1649

1650
<para>
1651
Permits passing <link id="proxy_hide_header">otherwise disabled</link> header
1652
fields from a proxied server to a client.
1653
</para>
1654

1655
</directive>
1656

1657

1658
<directive name="proxy_pass_request_body">
1659
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1660
<default>on</default>
1661
<context>http</context>
1662
<context>server</context>
1663
<context>location</context>
1664

1665
<para>
1666
Indicates whether the original request body is passed
1667
to the proxied server.
1668
<example>
1669
location /x-accel-redirect-here/ {
1670
    proxy_method GET;
1671
    proxy_pass_request_body off;
1672
    proxy_set_header Content-Length "";
1673

1674
    proxy_pass ...
1675
}
1676
</example>
1677
See also the <link id="proxy_set_header"/> and
1678
<link id="proxy_pass_request_headers"/> directives.
1679
</para>
1680

1681
</directive>
1682

1683

1684
<directive name="proxy_pass_request_headers">
1685
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1686
<default>on</default>
1687
<context>http</context>
1688
<context>server</context>
1689
<context>location</context>
1690

1691
<para>
1692
Indicates whether the header fields of the original request are passed
1693
to the proxied server.
1694
<example>
1695
location /x-accel-redirect-here/ {
1696
    proxy_method GET;
1697
    proxy_pass_request_headers off;
1698
    proxy_pass_request_body off;
1699

1700
    proxy_pass ...
1701
}
1702
</example>
1703
See also the <link id="proxy_set_header"/> and
1704
<link id="proxy_pass_request_body"/> directives.
1705
</para>
1706

1707
</directive>
1708

1709

1710
<directive name="proxy_pass_trailers">
1711
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1712
<default>off</default>
1713
<context>http</context>
1714
<context>server</context>
1715
<context>location</context>
1716
<appeared-in>1.27.2</appeared-in>
1717

1718
<para>
1719
Permits passing trailer fields from a proxied server to a client.
1720
</para>
1721

1722
<para>
1723
<note>
1724
A trailer section should be
1725
<link url="https://datatracker.ietf.org/doc/html/rfc9110#section-6.5.1">explicitly enabled</link>:
1726
</note>
1727
<example>
1728
location / {
1729
    # proxy_http_version 1.1;  #for versions before 1.29.7
1730
    proxy_set_header     Connection "te";
1731
    proxy_set_header     TE "trailers";
1732
    proxy_pass_trailers  on;
1733

1734
    proxy_pass ...
1735
}
1736
</example>
1737
</para>
1738

1739
<para>
1740
<note>
1741
Trailer fields received from
1742
an upstream server are passed to a client as is, without interpretation.
1743
</note>
1744
</para>
1745

1746
</directive>
1747

1748

1749
<directive name="proxy_read_timeout">
1750
<syntax><value>time</value></syntax>
1751
<default>60s</default>
1752
<context>http</context>
1753
<context>server</context>
1754
<context>location</context>
1755

1756
<para>
1757
Defines a timeout for reading a response from the proxied server.
1758
The timeout is set only between two successive read operations,
1759
not for the transmission of the whole response.
1760
If the proxied server does not transmit anything within this time,
1761
the connection is closed.
1762
</para>
1763

1764
</directive>
1765

1766

1767
<directive name="proxy_redirect">
1768
<syntax><literal>default</literal></syntax>
1769
<syntax><literal>off</literal></syntax>
1770
<syntax><value>redirect</value> <value>replacement</value></syntax>
1771
<default>default</default>
1772
<context>http</context>
1773
<context>server</context>
1774
<context>location</context>
1775

1776
<para>
1777
Sets the text that should be changed in the <header>Location</header>
1778
and <header>Refresh</header> header fields of a proxied server response.
1779
Suppose a proxied server returned the header field
1780
“<literal>Location: http://localhost:8000/two/some/uri/</literal>”.
1781
The directive
1782
<example>
1783
proxy_redirect http://localhost:8000/two/ http://frontend/one/;
1784
</example>
1785
will rewrite this string to
1786
“<literal>Location: http://frontend/one/some/uri/</literal>”.
1787
</para>
1788

1789
<para>
1790
A server name may be omitted in the <value>replacement</value> string:
1791
<example>
1792
proxy_redirect http://localhost:8000/two/ /;
1793
</example>
1794
then the primary server’s name and port, if different from 80,
1795
will be inserted.
1796
</para>
1797

1798
<para>
1799
The default replacement specified by the <literal>default</literal> parameter
1800
uses the parameters of the
1801
<link doc="ngx_http_core_module.xml" id="location"/> and
1802
<link id="proxy_pass"/> directives.
1803
Hence, the two configurations below are equivalent:
1804
<example>
1805
location /one/ {
1806
    proxy_pass     http://upstream:port/two/;
1807
    proxy_redirect default;
1808
</example>
1809

1810
<example>
1811
location /one/ {
1812
    proxy_pass     http://upstream:port/two/;
1813
    proxy_redirect http://upstream:port/two/ /one/;
1814
</example>
1815
The <literal>default</literal> parameter is not permitted if
1816
<link id="proxy_pass"/> is specified using variables.
1817
</para>
1818

1819
<para>
1820
A <value>replacement</value> string can contain variables:
1821
<example>
1822
proxy_redirect http://localhost:8000/ http://$host:$server_port/;
1823
</example>
1824
</para>
1825

1826
<para>
1827
A <value>redirect</value> can also contain (1.1.11) variables:
1828
<example>
1829
proxy_redirect http://$proxy_host:8000/ /;
1830
</example>
1831
</para>
1832

1833
<para>
1834
The directive can be specified (1.1.11) using regular expressions.
1835
In this case, <value>redirect</value> should either start with
1836
the “<literal>~</literal>” symbol for a case-sensitive matching,
1837
or with the “<literal>~*</literal>” symbols for case-insensitive
1838
matching.
1839
The regular expression can contain named and positional captures,
1840
and <value>replacement</value> can reference them:
1841
<example>
1842
proxy_redirect ~^(http://[^:]+):\d+(/.+)$ $1$2;
1843
proxy_redirect ~*/user/([^/]+)/(.+)$      http://$1.example.com/$2;
1844
</example>
1845
</para>
1846

1847
<para>
1848
Several <literal>proxy_redirect</literal> directives
1849
can be specified on the same level:
1850
<example>
1851
proxy_redirect default;
1852
proxy_redirect http://localhost:8000/  /;
1853
proxy_redirect http://www.example.com/ /;
1854
</example>
1855
If several directives can be applied to
1856
the header fields of a proxied server response,
1857
the first matching directive will be chosen.
1858
</para>
1859

1860
<para>
1861
The <literal>off</literal> parameter cancels the effect
1862
of the <literal>proxy_redirect</literal> directives
1863
inherited from the previous configuration level.
1864
</para>
1865

1866
<para>
1867
Using this directive, it is also possible to add host names to relative
1868
redirects issued by a proxied server:
1869
<example>
1870
proxy_redirect / /;
1871
</example>
1872
</para>
1873

1874
</directive>
1875

1876

1877
<directive name="proxy_request_buffering">
1878
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1879
<default>on</default>
1880
<context>http</context>
1881
<context>server</context>
1882
<context>location</context>
1883
<appeared-in>1.7.11</appeared-in>
1884

1885
<para>
1886
Enables or disables buffering of a client request body.
1887
</para>
1888

1889
<para>
1890
When buffering is enabled, the entire request body is
1891
<link doc="ngx_http_core_module.xml" id="client_body_buffer_size">read</link>
1892
from the client before sending the request to a proxied server.
1893
</para>
1894

1895
<para>
1896
When buffering is disabled, the request body is sent to the proxied server
1897
immediately as it is received.
1898
In this case, the request cannot be passed to the
1899
<link id="proxy_next_upstream">next server</link>
1900
if nginx already started sending the request body.
1901
</para>
1902

1903
<para>
1904
When HTTP/1.1 chunked transfer encoding is used
1905
to send the original request body,
1906
the request body will be buffered regardless of the directive value unless
1907
HTTP/1.1 or HTTP/2 is <link id="proxy_http_version">enabled</link> for proxying.
1908
</para>
1909

1910
</directive>
1911

1912

1913
<directive name="proxy_request_dynamic">
1914
<syntax><literal>on</literal> | <literal>off</literal></syntax>
1915
<default>off</default>
1916
<context>http</context>
1917
<context>server</context>
1918
<context>location</context>
1919
<appeared-in>1.29.3</appeared-in>
1920

1921
<para>
1922
Enables or disables creation of a separate request instance
1923
for each proxied server.
1924
By default, a single request is used for all proxied servers.
1925
If enabled, a separate request instance is created,
1926
allowing per-server request customization.
1927
For example, the server-specific <header>Host</header> request header field
1928
can be set:
1929
<example>
1930
proxy_request_dynamic on;
1931
proxy_set_header      Host $upstream_last_server_name;
1932
</example>
1933
</para>
1934

1935
<para>
1936
<note>
1937
This directive is available as part of our
1938
<commercial_version>commercial subscription</commercial_version>.
1939
</note>
1940
</para>
1941

1942
</directive>
1943

1944

1945
<directive name="proxy_send_lowat">
1946
<syntax><value>size</value></syntax>
1947
<default>0</default>
1948
<context>http</context>
1949
<context>server</context>
1950
<context>location</context>
1951

1952
<para>
1953
If the directive is set to a non-zero value, nginx will try to
1954
minimize the number
1955
of send operations on outgoing connections to a proxied server by using either
1956
<c-def>NOTE_LOWAT</c-def> flag of the
1957
<link doc="../events.xml" id="kqueue"/> method,
1958
or the <c-def>SO_SNDLOWAT</c-def> socket option,
1959
with the specified <value>size</value>.
1960
</para>
1961

1962
<para>
1963
This directive is ignored on Linux, Solaris, and Windows.
1964
</para>
1965

1966
</directive>
1967

1968

1969
<directive name="proxy_send_timeout">
1970
<syntax><value>time</value></syntax>
1971
<default>60s</default>
1972
<context>http</context>
1973
<context>server</context>
1974
<context>location</context>
1975

1976
<para>
1977
Sets a timeout for transmitting a request to the proxied server.
1978
The timeout is set only between two successive write operations,
1979
not for the transmission of the whole request.
1980
If the proxied server does not receive anything within this time,
1981
the connection is closed.
1982
</para>
1983

1984
</directive>
1985

1986

1987
<directive name="proxy_set_body">
1988
<syntax><value>value</value></syntax>
1989
<default/>
1990
<context>http</context>
1991
<context>server</context>
1992
<context>location</context>
1993

1994
<para>
1995
Allows redefining the request body passed to the proxied server.
1996
The <value>value</value> can contain text, variables, and their combination.
1997
</para>
1998

1999
</directive>
2000

2001

2002
<directive name="proxy_set_header">
2003
<syntax><value>field</value> <value>value</value></syntax>
2004
<default>Host $proxy_host</default>
2005
<default>Connection close</default>
2006
<context>http</context>
2007
<context>server</context>
2008
<context>location</context>
2009

2010
<para>
2011
Allows redefining or appending fields to the request header
2012
<link id="proxy_pass_request_headers">passed</link> to the proxied server.
2013
The <value>value</value> can contain text, variables, and their combinations.
2014
These directives are inherited from the previous configuration level
2015
if and only if there are no <literal>proxy_set_header</literal> directives
2016
defined on the current level.
2017
</para>
2018

2019
<para>
2020
By default, the header fields
2021
<header>Host</header>
2022
and
2023
<header>Connection</header>
2024
from the original request are not passed to the proxied server.
2025
If HTTP/1.0 or HTTP/1.1 is
2026
<link id="proxy_http_version">enabled</link> for proxying,
2027
these fields are redefined:
2028
<example>
2029
proxy_set_header Host       $proxy_host;
2030
proxy_set_header Connection close;
2031
</example>
2032
For HTTP/2, the
2033
<header>:authority</header>
2034
pseudo-header field with the
2035
<value>$proxy_host</value>
2036
value is sent by default,
2037
unless it is replaced with an explicit <header>Host</header> header field.
2038
</para>
2039

2040
<para>
2041
If caching is enabled, the header fields
2042
<header>If-Modified-Since</header>,
2043
<header>If-Unmodified-Since</header>,
2044
<header>If-None-Match</header>,
2045
<header>If-Match</header>,
2046
<header>Range</header>,
2047
and
2048
<header>If-Range</header>
2049
from the original request are not passed to the proxied server.
2050
</para>
2051

2052
<para>
2053
An unchanged <header>Host</header> request header field can be passed like this:
2054
<example>
2055
proxy_set_header Host       $http_host;
2056
</example>
2057
</para>
2058

2059
<para>
2060
However, if this field is not present in a client request header then
2061
nothing will be passed.
2062
In such a case it is better to use the <var>$host</var> variable&mdash;its
2063
value equals the server name in the <header>Host</header> request header
2064
field or the primary server name if this field is not present:
2065
<example>
2066
proxy_set_header Host       $host;
2067
</example>
2068
</para>
2069

2070
<para>
2071
In addition, the server name can be passed together with the port of the
2072
proxied server:
2073
<example>
2074
proxy_set_header Host       $host:$proxy_port;
2075
</example>
2076
</para>
2077

2078
<para>
2079
If the value of a header field is an empty string then this
2080
field will not be passed to a proxied server:
2081
<example>
2082
proxy_set_header Accept-Encoding "";
2083
</example>
2084
</para>
2085

2086
</directive>
2087

2088

2089
<directive name="proxy_socket_keepalive">
2090
<syntax><literal>on</literal> | <literal>off</literal></syntax>
2091
<default>off</default>
2092
<context>http</context>
2093
<context>server</context>
2094
<context>location</context>
2095
<appeared-in>1.15.6</appeared-in>
2096

2097
<para>
2098
Configures the “TCP keepalive” behavior
2099
for outgoing connections to a proxied server.
2100
By default, the operating system’s settings are in effect for the socket.
2101
If the directive is set to the value “<literal>on</literal>”, the
2102
<c-def>SO_KEEPALIVE</c-def> socket option is turned on for the socket.
2103
</para>
2104

2105
</directive>
2106

2107

2108
<directive name="proxy_ssl_certificate">
2109
<syntax><value>file</value></syntax>
2110
<default/>
2111
<context>http</context>
2112
<context>server</context>
2113
<context>location</context>
2114
<appeared-in>1.7.8</appeared-in>
2115

2116
<para>
2117
Specifies a <value>file</value> with the certificate in the PEM format
2118
used for authentication to a proxied HTTPS server.
2119
</para>
2120

2121
<para id="proxy_ssl_certificate_variables">
2122
Since version 1.21.0, variables can be used in the <value>file</value> name.
2123
</para>
2124

2125
</directive>
2126

2127

2128
<directive name="proxy_ssl_certificate_cache">
2129
<syntax><literal>off</literal></syntax>
2130
<syntax>
2131
    <literal>max</literal>=<value>N</value>
2132
    [<literal>inactive</literal>=<value>time</value>]
2133
    [<literal>valid</literal>=<value>time</value>]</syntax>
2134
<default>off</default>
2135
<context>http</context>
2136
<context>server</context>
2137
<context>location</context>
2138
<appeared-in>1.27.4</appeared-in>
2139

2140
<para>
2141
Defines a cache that stores
2142
<link id="proxy_ssl_certificate">SSL certificates</link> and
2143
<link id="proxy_ssl_certificate_key">secret keys</link>
2144
specified with <link id="proxy_ssl_certificate_key_variables">variables</link>.
2145
</para>
2146

2147
<para>
2148
The directive has the following parameters:
2149
<list type="tag">
2150

2151
<tag-name id="proxy_ssl_certificate_cache_max">
2152
<literal>max</literal>
2153
</tag-name>
2154
<tag-desc>
2155
sets the maximum number of elements in the cache;
2156
on cache overflow the least recently used (LRU) elements are removed;
2157
</tag-desc>
2158

2159
<tag-name id="proxy_ssl_certificate_cache_inactive">
2160
<literal>inactive</literal>
2161
</tag-name>
2162
<tag-desc>
2163
defines a time after which an element is removed from the cache
2164
if it has not been accessed during this time;
2165
by default, it is 10 seconds;
2166
</tag-desc>
2167

2168
<tag-name id="proxy_ssl_certificate_cache_valid">
2169
<literal>valid</literal>
2170
</tag-name>
2171
<tag-desc>
2172
defines a time during which
2173
an element in the cache is considered valid
2174
and can be reused;
2175
by default, it is 60 seconds.
2176
Certificates that exceed this time will be reloaded or revalidated;
2177
</tag-desc>
2178

2179
<tag-name id="proxy_ssl_certificate_cache_off">
2180
<literal>off</literal>
2181
</tag-name>
2182
<tag-desc>
2183
disables the cache.
2184
</tag-desc>
2185

2186
</list>
2187
</para>
2188

2189
<para>
2190
Example:
2191
<example>
2192
proxy_ssl_certificate       $proxy_ssl_server_name.crt;
2193
proxy_ssl_certificate_key   $proxy_ssl_server_name.key;
2194
proxy_ssl_certificate_cache max=1000 inactive=20s valid=1m;
2195
</example>
2196
</para>
2197

2198
</directive>
2199

2200

2201
<directive name="proxy_ssl_certificate_key">
2202
<syntax><value>file</value></syntax>
2203
<default/>
2204
<context>http</context>
2205
<context>server</context>
2206
<context>location</context>
2207
<appeared-in>1.7.8</appeared-in>
2208

2209
<para>
2210
Specifies a <value>file</value> with the secret key in the PEM format
2211
used for authentication to a proxied HTTPS server.
2212
</para>
2213

2214
<para>
2215
The value
2216
<literal>engine</literal>:<value>name</value>:<value>id</value>
2217
can be specified instead of the <value>file</value> (1.7.9),
2218
which loads a secret key with a specified <value>id</value>
2219
from the OpenSSL engine <value>name</value>.
2220
</para>
2221

2222
<para>
2223
The value
2224
<literal>store</literal>:<value>scheme</value>:<value>id</value>
2225
can be specified instead of the <value>file</value> (1.29.0),
2226
which is used to load a secret key with a specified <value>id</value>
2227
and OpenSSL provider registered URI <value>scheme</value>, such as
2228
<link url="https://datatracker.ietf.org/doc/html/rfc7512"><literal>pkcs11</literal></link>.
2229
</para>
2230

2231
<para id="proxy_ssl_certificate_key_variables">
2232
Since version 1.21.0, variables can be used in the <value>file</value> name.
2233
</para>
2234

2235
</directive>
2236

2237

2238
<directive name="proxy_ssl_ciphers">
2239
<syntax><value>ciphers</value></syntax>
2240
<default>DEFAULT</default>
2241
<context>http</context>
2242
<context>server</context>
2243
<context>location</context>
2244
<appeared-in>1.5.6</appeared-in>
2245

2246
<para>
2247
Specifies the enabled ciphers for requests to a proxied HTTPS server.
2248
The ciphers are specified in the format understood by the OpenSSL library.
2249
</para>
2250

2251
<para>
2252
The full list can be viewed using the
2253
“<command>openssl ciphers</command>” command.
2254
</para>
2255

2256
</directive>
2257

2258

2259
<directive name="proxy_ssl_conf_command">
2260
<syntax><value>name</value> <value>value</value></syntax>
2261
<default/>
2262
<context>http</context>
2263
<context>server</context>
2264
<context>location</context>
2265
<appeared-in>1.19.4</appeared-in>
2266

2267
<para>
2268
Sets arbitrary OpenSSL configuration
2269
<link url="https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html">commands</link>
2270
when establishing a connection with the proxied HTTPS server.
2271
<note>
2272
The directive is supported when using OpenSSL 1.0.2 or higher.
2273
</note>
2274
</para>
2275

2276
<para>
2277
Several <literal>proxy_ssl_conf_command</literal> directives
2278
can be specified on the same level.
2279
These directives are inherited from the previous configuration level
2280
if and only if there are
2281
no <literal>proxy_ssl_conf_command</literal> directives
2282
defined on the current level.
2283
</para>
2284

2285
<para>
2286
<note>
2287
Note that configuring OpenSSL directly
2288
might result in unexpected behavior.
2289
</note>
2290
</para>
2291

2292
</directive>
2293

2294

2295
<directive name="proxy_ssl_crl">
2296
<syntax><value>file</value></syntax>
2297
<default/>
2298
<context>http</context>
2299
<context>server</context>
2300
<context>location</context>
2301
<appeared-in>1.7.0</appeared-in>
2302

2303
<para>
2304
Specifies a <value>file</value> with revoked certificates (CRL)
2305
in the PEM format used to <link id="proxy_ssl_verify">verify</link>
2306
the certificate of the proxied HTTPS server.
2307
When using intermediate certificates, their CRLs should be
2308
specified in the same file.
2309
</para>
2310

2311
</directive>
2312

2313

2314
<directive name="proxy_ssl_key_log">
2315
<syntax>path</syntax>
2316
<default/>
2317
<context>http</context>
2318
<context>server</context>
2319
<context>location</context>
2320
<appeared-in>1.27.2</appeared-in>
2321

2322
<para>
2323
Enables logging of proxied HTTPS server connection SSL keys
2324
and specifies the path to the key log file.
2325
Keys are logged in the
2326
<link url="https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile">SSLKEYLOGFILE</link>
2327
format compatible with Wireshark.
2328
</para>
2329

2330
<para>
2331
<note>
2332
This directive is available as part of our
2333
<commercial_version>commercial subscription</commercial_version>.
2334
</note>
2335
</para>
2336

2337
</directive>
2338

2339

2340
<directive name="proxy_ssl_name">
2341
<syntax><value>name</value></syntax>
2342
<default>$proxy_host</default>
2343
<context>http</context>
2344
<context>server</context>
2345
<context>location</context>
2346
<appeared-in>1.7.0</appeared-in>
2347

2348
<para>
2349
Allows overriding the server name used to
2350
<link id="proxy_ssl_verify">verify</link>
2351
the certificate of the proxied HTTPS server and to be
2352
<link id="proxy_ssl_server_name">passed through SNI</link>
2353
when establishing a connection with the proxied HTTPS server.
2354
</para>
2355

2356
<para>
2357
By default, the host part of the <link id="proxy_pass"/> URL is used.
2358
</para>
2359

2360
</directive>
2361

2362

2363
<directive name="proxy_ssl_password_file">
2364
<syntax><value>file</value></syntax>
2365
<default/>
2366
<context>http</context>
2367
<context>server</context>
2368
<context>location</context>
2369
<appeared-in>1.7.8</appeared-in>
2370

2371
<para>
2372
Specifies a <value>file</value> with passphrases for
2373
<link id="proxy_ssl_certificate_key">secret keys</link>
2374
where each passphrase is specified on a separate line.
2375
Passphrases are tried in turn when loading the key.
2376
</para>
2377

2378
</directive>
2379

2380

2381
<directive name="proxy_ssl_protocols">
2382
<syntax>
2383
    [<literal>SSLv2</literal>]
2384
    [<literal>SSLv3</literal>]
2385
    [<literal>TLSv1</literal>]
2386
    [<literal>TLSv1.1</literal>]
2387
    [<literal>TLSv1.2</literal>]
2388
    [<literal>TLSv1.3</literal>]</syntax>
2389
<default>TLSv1.2 TLSv1.3</default>
2390
<context>http</context>
2391
<context>server</context>
2392
<context>location</context>
2393
<appeared-in>1.5.6</appeared-in>
2394

2395
<para>
2396
Enables the specified protocols for requests to a proxied HTTPS server.
2397
</para>
2398

2399
<para>
2400
<note>
2401
The <literal>TLSv1.3</literal> parameter is used by default
2402
since 1.23.4.
2403
</note>
2404
</para>
2405

2406
</directive>
2407

2408

2409
<directive name="proxy_ssl_server_name">
2410
<syntax><literal>on</literal> | <literal>off</literal></syntax>
2411
<default>off</default>
2412
<context>http</context>
2413
<context>server</context>
2414
<context>location</context>
2415
<appeared-in>1.7.0</appeared-in>
2416

2417
<para>
2418
Enables or disables passing of the server name through
2419
<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS
2420
Server Name Indication extension</link> (SNI, RFC 6066)
2421
when establishing a connection with the proxied HTTPS server.
2422
</para>
2423

2424
</directive>
2425

2426

2427
<directive name="proxy_ssl_session_reuse">
2428
<syntax><literal>on</literal> | <literal>off</literal></syntax>
2429
<default>on</default>
2430
<context>http</context>
2431
<context>server</context>
2432
<context>location</context>
2433

2434
<para>
2435
Determines whether SSL sessions can be reused when working with
2436
the proxied server.
2437
If the errors
2438
“<literal>digest check failed</literal>”
2439
appear in the logs, try disabling session reuse.
2440
</para>
2441

2442
</directive>
2443

2444

2445
<directive name="proxy_ssl_trusted_certificate">
2446
<syntax><value>file</value></syntax>
2447
<default/>
2448
<context>http</context>
2449
<context>server</context>
2450
<context>location</context>
2451
<appeared-in>1.7.0</appeared-in>
2452

2453
<para>
2454
Specifies a <value>file</value> with trusted CA certificates in the PEM format
2455
used to <link id="proxy_ssl_verify">verify</link>
2456
the certificate of the proxied HTTPS server.
2457
</para>
2458

2459
</directive>
2460

2461

2462
<directive name="proxy_ssl_verify">
2463
<syntax><literal>on</literal> | <literal>off</literal></syntax>
2464
<default>off</default>
2465
<context>http</context>
2466
<context>server</context>
2467
<context>location</context>
2468
<appeared-in>1.7.0</appeared-in>
2469

2470
<para>
2471
Enables or disables verification of the proxied HTTPS server certificate.
2472
</para>
2473

2474
</directive>
2475

2476

2477
<directive name="proxy_ssl_verify_depth">
2478
<syntax><value>number</value></syntax>
2479
<default>1</default>
2480
<context>http</context>
2481
<context>server</context>
2482
<context>location</context>
2483
<appeared-in>1.7.0</appeared-in>
2484

2485
<para>
2486
Sets the verification depth in the proxied HTTPS server certificates chain.
2487
</para>
2488

2489
</directive>
2490

2491

2492
<directive name="proxy_store">
2493
<syntax>
2494
    <literal>on</literal> |
2495
    <literal>off</literal> |
2496
    <value>string</value></syntax>
2497
<default>off</default>
2498
<context>http</context>
2499
<context>server</context>
2500
<context>location</context>
2501

2502
<para>
2503
Enables saving of files to a disk.
2504
The <literal>on</literal> parameter saves files with paths
2505
corresponding to the directives
2506
<link doc="ngx_http_core_module.xml" id="alias"/> or
2507
<link doc="ngx_http_core_module.xml" id="root"/>.
2508
The <literal>off</literal> parameter disables saving of files.
2509
In addition, the file name can be set explicitly using the
2510
<value>string</value> with variables:
2511
<example>
2512
proxy_store /data/www$original_uri;
2513
</example>
2514
</para>
2515

2516
<para>
2517
The modification time of files is set according to the received
2518
<header>Last-Modified</header> response header field.
2519
The response is first written to a temporary file,
2520
and then the file is renamed.
2521
Starting from version 0.8.9, temporary files and the persistent store
2522
can be put on different file systems.
2523
However, be aware that in this case a file is copied
2524
across two file systems instead of the cheap renaming operation.
2525
It is thus recommended that for any given location both saved files and a
2526
directory holding temporary files, set by the <link id="proxy_temp_path"/>
2527
directive, are put on the same file system.
2528
</para>
2529

2530
<para>
2531
This directive can be used to create local copies of static unchangeable
2532
files, e.g.:
2533
<example>
2534
location /images/ {
2535
    root               /data/www;
2536
    error_page         404 = /fetch$uri;
2537
}
2538

2539
location /fetch/ {
2540
    internal;
2541

2542
    proxy_pass         http://backend/;
2543
    proxy_store        on;
2544
    proxy_store_access user:rw group:rw all:r;
2545
    proxy_temp_path    /data/temp;
2546

2547
    alias              /data/www/;
2548
}
2549
</example>
2550
</para>
2551

2552
<para>
2553
or like this:
2554
<example>
2555
location /images/ {
2556
    root               /data/www;
2557
    error_page         404 = @fetch;
2558
}
2559

2560
location @fetch {
2561
    internal;
2562

2563
    proxy_pass         http://backend;
2564
    proxy_store        on;
2565
    proxy_store_access user:rw group:rw all:r;
2566
    proxy_temp_path    /data/temp;
2567

2568
    root               /data/www;
2569
}
2570
</example>
2571
</para>
2572

2573
</directive>
2574

2575

2576
<directive name="proxy_store_access">
2577
<syntax><value>users</value>:<value>permissions</value> ...</syntax>
2578
<default>user:rw</default>
2579
<context>http</context>
2580
<context>server</context>
2581
<context>location</context>
2582

2583
<para>
2584
Sets access permissions for newly created files and directories, e.g.:
2585
<example>
2586
proxy_store_access user:rw group:rw all:r;
2587
</example>
2588
</para>
2589

2590
<para>
2591
If any <literal>group</literal> or <literal>all</literal> access permissions
2592
are specified then <literal>user</literal> permissions may be omitted:
2593
<example>
2594
proxy_store_access group:rw all:r;
2595
</example>
2596
</para>
2597

2598
</directive>
2599

2600

2601
<directive name="proxy_temp_file_write_size">
2602
<syntax><value>size</value></syntax>
2603
<default>8k|16k</default>
2604
<context>http</context>
2605
<context>server</context>
2606
<context>location</context>
2607

2608
<para>
2609
Limits the <value>size</value> of data written to a temporary file
2610
at a time, when buffering of responses from the proxied server
2611
to temporary files is enabled.
2612
By default, <value>size</value> is limited by two buffers set by the
2613
<link id="proxy_buffer_size"/> and <link id="proxy_buffers"/> directives.
2614
The maximum size of a temporary file is set by the
2615
<link id="proxy_max_temp_file_size"/> directive.
2616
</para>
2617

2618
</directive>
2619

2620

2621
<directive name="proxy_temp_path">
2622
<syntax>
2623
    <value>path</value>
2624
    [<value>level1</value>
2625
    [<value>level2</value>
2626
    [<value>level3</value>]]]</syntax>
2627
<default>proxy_temp</default>
2628
<context>http</context>
2629
<context>server</context>
2630
<context>location</context>
2631

2632
<para>
2633
Defines a directory for storing temporary files
2634
with data received from proxied servers.
2635
Up to three-level subdirectory hierarchy can be used underneath the specified
2636
directory.
2637
For example, in the following configuration
2638
<example>
2639
proxy_temp_path /spool/nginx/proxy_temp 1 2;
2640
</example>
2641
a temporary file might look like this:
2642
<example>
2643
/spool/nginx/proxy_temp/<emphasis>7</emphasis>/<emphasis>45</emphasis>/00000123<emphasis>457</emphasis>
2644
</example>
2645
</para>
2646

2647
<para>
2648
See also the <literal>use_temp_path</literal> parameter of the
2649
<link id="proxy_cache_path"/> directive.
2650
</para>
2651

2652
</directive>
2653

2654
</section>
2655

2656

2657
<section id="variables" name="Embedded Variables">
2658

2659
<para>
2660
The <literal>ngx_http_proxy_module</literal> module supports embedded variables
2661
that can be used to compose headers using the
2662
<link id="proxy_set_header"/> directive:
2663
<list type="tag">
2664

2665
<tag-name id="var_proxy_host"><var>$proxy_host</var></tag-name>
2666
<tag-desc>name and port of a proxied server as specified in the
2667
<link id="proxy_pass"/> directive;</tag-desc>
2668

2669
<tag-name id="var_proxy_port"><var>$proxy_port</var></tag-name>
2670
<tag-desc>port of a proxied server as specified in the
2671
<link id="proxy_pass"/> directive, or the protocol’s default port;</tag-desc>
2672

2673
<tag-name id="var_proxy_add_x_forwarded_for">
2674
<var>$proxy_add_x_forwarded_for</var></tag-name>
2675
<tag-desc>the <header>X-Forwarded-For</header> client request header field
2676
with the <var>$remote_addr</var> variable appended to it, separated by a comma.
2677
If the <header>X-Forwarded-For</header> field is not present in the client
2678
request header, the <var>$proxy_add_x_forwarded_for</var> variable is equal
2679
to the <var>$remote_addr</var> variable.</tag-desc>
2680
</list>
2681
</para>
2682

2683
</section>
2684

2685
</module>
2686

2687
Product

Resources

Company
