1
<?xml version="1.0"?>
2

3
<!--
4
  Copyright (C) Nginx, Inc.
5
  -->
6

7
<!DOCTYPE module SYSTEM "../../../../dtd/module.dtd">
8

9
<module name="Module ngx_stream_proxy_module"
10
        link="/en/docs/stream/ngx_stream_proxy_module.html"
11
        lang="en"
12
        rev="38">
13

14
<section id="summary">
15

16
<para>
17
The <literal>ngx_stream_proxy_module</literal> module (1.9.0) allows proxying
18
data streams over TCP, UDP (1.9.13), and UNIX-domain sockets.
19
</para>
20

21
</section>
22

23

24
<section id="example" name="Example Configuration">
25

26
<para>
27
<example>
28
server {
29
    listen 127.0.0.1:12345;
30
    proxy_pass 127.0.0.1:8080;
31
}
32

33
server {
34
    listen 12345;
35
    proxy_connect_timeout 1s;
36
    proxy_timeout 1m;
37
    proxy_pass example.com:12345;
38
}
39

40
server {
41
    listen 53 udp reuseport;
42
    proxy_timeout 20s;
43
    proxy_pass dns.example.com:53;
44
}
45

46
server {
47
    listen [::1]:12345;
48
    proxy_pass unix:/tmp/stream.socket;
49
}
50
</example>
51
</para>
52

53
</section>
54

55

56
<section id="directives" name="Directives">
57

58
<directive name="proxy_bind">
59
<syntax>
60
    <value>address</value>
61
    [<literal>transparent</literal>] |
62
    <literal>off</literal></syntax>
63
<default/>
64
<context>stream</context>
65
<context>server</context>
66
<appeared-in>1.9.2</appeared-in>
67

68
<para>
69
Makes outgoing connections to a proxied server originate
70
from the specified local IP <value>address</value>.
71
Parameter value can contain variables (1.11.2).
72
The special value <literal>off</literal> cancels the effect
73
of the <literal>proxy_bind</literal> directive
74
inherited from the previous configuration level, which allows the
75
system to auto-assign the local IP address.
76
</para>
77

78
<para id="proxy_bind_transparent">
79
The <literal>transparent</literal> parameter (1.11.0) allows
80
outgoing connections to a proxied server originate
81
from a non-local IP address,
82
for example, from a real IP address of a client:
83
<example>
84
proxy_bind $remote_addr transparent;
85
</example>
86
In order for this parameter to work,
87
it is usually necessary to run nginx worker processes with the
88
<link doc="../ngx_core_module.xml" id="user">superuser</link> privileges.
89
On Linux it is not required (1.13.8) as if
90
the <literal>transparent</literal> parameter is specified, worker processes
91
inherit the <literal>CAP_NET_RAW</literal> capability from the master process.
92
It is also necessary to configure kernel routing table
93
to intercept network traffic from the proxied server.
94
</para>
95

96
</directive>
97

98

99
<directive name="proxy_bind_dynamic">
100
<syntax><literal>on</literal> | <literal>off</literal></syntax>
101
<default>off</default>
102
<context>stream</context>
103
<context>server</context>
104
<appeared-in>1.29.3</appeared-in>
105

106
<para>
107
When enabled, makes the <link id="proxy_bind">bind</link> operation
108
at each connection attempt.
109
</para>
110

111
<para>
112
<note>
113
This directive is available as part of our
114
<commercial_version>commercial subscription</commercial_version>.
115
</note>
116
</para>
117

118
</directive>
119

120

121
<directive name="proxy_buffer_size">
122
<syntax><value>size</value></syntax>
123
<default>16k</default>
124
<context>stream</context>
125
<context>server</context>
126
<appeared-in>1.9.4</appeared-in>
127

128
<para>
129
Sets the <value>size</value> of the buffer used for reading data
130
from the proxied server.
131
Also sets the <value>size</value> of the buffer used for reading data
132
from the client.
133
</para>
134

135
</directive>
136

137

138
<directive name="proxy_connect_timeout">
139
<syntax><value>time</value></syntax>
140
<default>60s</default>
141
<context>stream</context>
142
<context>server</context>
143

144
<para>
145
Defines a timeout for establishing a connection with a proxied server.
146
</para>
147

148
</directive>
149

150

151
<directive name="proxy_download_rate">
152
<syntax><value>rate</value></syntax>
153
<default>0</default>
154
<context>stream</context>
155
<context>server</context>
156
<appeared-in>1.9.3</appeared-in>
157

158
<para>
159
Limits the speed of reading the data from the proxied server.
160
The <value>rate</value> is specified in bytes per second.
161
The zero value disables rate limiting.
162
The limit is set per a connection, so if nginx simultaneously opens
163
two connections to the proxied server,
164
the overall rate will be twice as much as the specified limit.
165
</para>
166

167
<para>
168
Parameter value can contain variables (1.17.0).
169
It may be useful in cases where rate should be limited
170
depending on a certain condition:
171
<example>
172
map $slow $rate {
173
    1     4k;
174
    2     8k;
175
}
176

177
proxy_download_rate $rate;
178
</example>
179
</para>
180

181
</directive>
182

183

184
<directive name="proxy_half_close">
185
<syntax><literal>on</literal> | <literal>off</literal></syntax>
186
<default>off</default>
187
<context>stream</context>
188
<context>server</context>
189
<appeared-in>1.21.4</appeared-in>
190

191
<para>
192
Enables or disables closing
193
each direction of a TCP connection independently (“TCP half-close”).
194
If enabled, proxying over TCP will be kept
195
until both sides close the connection.
196
</para>
197

198
</directive>
199

200

201
<directive name="proxy_next_upstream">
202
<syntax><literal>on</literal> | <literal>off</literal></syntax>
203
<default>on</default>
204
<context>stream</context>
205
<context>server</context>
206

207
<para>
208
When a connection to the proxied server cannot be established, determines
209
whether a client connection will be passed to the next server.
210
</para>
211

212
<para>
213
Passing a connection to the next server can be limited by
214
<link id="proxy_next_upstream_tries">the number of tries</link>
215
and by <link id="proxy_next_upstream_timeout">time</link>.
216
</para>
217

218
</directive>
219

220

221
<directive name="proxy_next_upstream_timeout">
222
<syntax><value>time</value></syntax>
223
<default>0</default>
224
<context>stream</context>
225
<context>server</context>
226

227
<para>
228
Limits the time allowed to pass a connection to the
229
<link id="proxy_next_upstream">next server</link>.
230
The <literal>0</literal> value turns off this limitation.
231
</para>
232

233
</directive>
234

235

236
<directive name="proxy_next_upstream_tries">
237
<syntax><value>number</value></syntax>
238
<default>0</default>
239
<context>stream</context>
240
<context>server</context>
241

242
<para>
243
Limits the number of possible tries for passing a connection to the
244
<link id="proxy_next_upstream">next server</link>.
245
The <literal>0</literal> value turns off this limitation.
246
</para>
247

248
</directive>
249

250

251
<directive name="proxy_pass">
252
<syntax><value>address</value></syntax>
253
<default/>
254
<context>server</context>
255

256
<para>
257
Sets the address of a proxied server.
258
The address can be specified as a domain name or IP address,
259
and a port:
260
<example>
261
proxy_pass localhost:12345;
262
</example>
263
or as a UNIX-domain socket path:
264
<example>
265
proxy_pass unix:/tmp/stream.socket;
266
</example>
267
</para>
268

269
<para>
270
If a domain name resolves to several addresses, all of them will be
271
used in a round-robin fashion.
272
In addition, an address can be specified as a
273
<link doc="ngx_stream_upstream_module.xml">server group</link>.
274
</para>
275

276
<para>
277
The address can also be specified using variables (1.11.3):
278
<example>
279
proxy_pass $upstream;
280
</example>
281
In this case, the server name is searched among the described
282
<link doc="ngx_stream_upstream_module.xml">server groups</link>,
283
and, if not found, is determined using a
284
<link doc="ngx_stream_core_module.xml" id="resolver"/>.
285
</para>
286

287
</directive>
288

289

290
<directive name="proxy_protocol">
291
<syntax><literal>on</literal> | <literal>off</literal></syntax>
292
<default>off</default>
293
<context>stream</context>
294
<context>server</context>
295
<appeared-in>1.9.2</appeared-in>
296

297
<para>
298
Enables the
299
<link url="http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt">PROXY
300
protocol</link> for connections to a proxied server.
301
</para>
302

303
</directive>
304

305

306
<directive name="proxy_requests">
307
<syntax><value>number</value></syntax>
308
<default>0</default>
309
<context>stream</context>
310
<context>server</context>
311
<appeared-in>1.15.7</appeared-in>
312

313
<para>
314
Sets the number of client datagrams at which
315
binding between a client and existing UDP stream session is dropped.
316
After receiving the specified number of datagrams, next datagram
317
from the same client starts a new session.
318
The session terminates when all client datagrams are transmitted
319
to a proxied server and the expected number of
320
<link id="proxy_responses">responses</link> is received,
321
or when it reaches a <link id="proxy_timeout">timeout</link>.
322
</para>
323

324
</directive>
325

326

327
<directive name="proxy_responses">
328
<syntax><value>number</value></syntax>
329
<default/>
330
<context>stream</context>
331
<context>server</context>
332
<appeared-in>1.9.13</appeared-in>
333

334
<para>
335
Sets the number of datagrams expected from the proxied server
336
in response to a client datagram
337
if the <link doc="ngx_stream_core_module.xml" id="udp">UDP</link>
338
protocol is used.
339
The number serves as a hint for session termination.
340
By default, the number of datagrams is not limited.
341
</para>
342

343
<para>
344
If zero value is specified, no response is expected.
345
However, if a response is received and the
346
session is still not finished, the response will be handled.
347
</para>
348

349
</directive>
350

351

352
<directive name="proxy_session_drop">
353
<syntax><literal>on</literal> | <literal>off</literal></syntax>
354
<default>off</default>
355
<context>stream</context>
356
<context>server</context>
357
<appeared-in>1.15.8</appeared-in>
358

359
<para>
360
Enables terminating all sessions to a proxied server
361
after it was removed from the group or marked as permanently unavailable.
362
This can occur because of
363
<link doc="ngx_stream_core_module.xml" id="resolver">re-resolve</link>
364
or with the API
365
<link doc="../http/ngx_http_api_module.xml" id="deleteStreamUpstreamServer"><literal>DELETE</literal></link>
366
command.
367
A server can be marked as permanently unavailable if it is considered
368
<link doc="ngx_stream_upstream_hc_module.xml" id="health_check">unhealthy</link>
369
or with the API
370
<link doc="../http/ngx_http_api_module.xml" id="patchStreamUpstreamServer"><literal>PATCH</literal></link>
371
command.
372
Each session is terminated when the next
373
read or write event is processed for the client or proxied server.
374
</para>
375

376
<para>
377
<note>
378
This directive is available as part of our
379
<commercial_version>commercial subscription</commercial_version>.
380
</note>
381
</para>
382

383
</directive>
384

385

386
<directive name="proxy_socket_keepalive">
387
<syntax><literal>on</literal> | <literal>off</literal></syntax>
388
<default>off</default>
389
<context>stream</context>
390
<context>server</context>
391
<appeared-in>1.15.6</appeared-in>
392

393
<para>
394
Configures the “TCP keepalive” behavior
395
for outgoing connections to a proxied server.
396
By default, the operating system’s settings are in effect for the socket.
397
If the directive is set to the value “<literal>on</literal>”, the
398
<c-def>SO_KEEPALIVE</c-def> socket option is turned on for the socket.
399
</para>
400

401
</directive>
402

403

404
<directive name="proxy_ssl">
405
<syntax><literal>on</literal> | <literal>off</literal></syntax>
406
<default>off</default>
407
<context>stream</context>
408
<context>server</context>
409

410
<para>
411
Enables the SSL/TLS protocol for connections to a proxied server.
412
</para>
413

414
</directive>
415

416

417
<directive name="proxy_ssl_alpn">
418
<syntax><value>protocol</value> ...</syntax>
419
<default/>
420
<context>stream</context>
421
<context>server</context>
422
<appeared-in>1.31.0</appeared-in>
423

424
<para>
425
Specifies the list of protocols to advertise via the
426
<link url="https://datatracker.ietf.org/doc/html/rfc7301">ALPN</link>
427
extension when establishing a connection with the proxied server.
428
For example:
429
<example>
430
proxy_ssl_alpn h2 http/1.1;
431
</example>
432
</para>
433

434
<para>
435
Parameter value can contain variables:
436
<example>
437
proxy_ssl_alpn $ssl_alpn_protocol;
438
</example>
439
</para>
440

441
</directive>
442

443

444
<directive name="proxy_ssl_certificate">
445
<syntax><value>file</value></syntax>
446
<default/>
447
<context>stream</context>
448
<context>server</context>
449

450
<para>
451
Specifies a <value>file</value> with the certificate in the PEM format
452
used for authentication to a proxied server.
453
</para>
454

455
<para id="proxy_ssl_certificate_variables">
456
Since version 1.21.0, variables can be used in the <value>file</value> name.
457
</para>
458

459
</directive>
460

461

462
<directive name="proxy_ssl_certificate_cache">
463
<syntax><literal>off</literal></syntax>
464
<syntax>
465
    <literal>max</literal>=<value>N</value>
466
    [<literal>inactive</literal>=<value>time</value>]
467
    [<literal>valid</literal>=<value>time</value>]</syntax>
468
<default>off</default>
469
<context>stream</context>
470
<context>server</context>
471
<appeared-in>1.27.4</appeared-in>
472

473
<para>
474
Defines a cache that stores
475
<link id="proxy_ssl_certificate">SSL certificates</link> and
476
<link id="proxy_ssl_certificate_key">secret keys</link>
477
specified with <link id="proxy_ssl_certificate_key_variables">variables</link>.
478
</para>
479

480
<para>
481
The directive has the following parameters:
482
<list type="tag">
483

484
<tag-name id="proxy_ssl_certificate_cache_max">
485
<literal>max</literal>
486
</tag-name>
487
<tag-desc>
488
sets the maximum number of elements in the cache;
489
on cache overflow the least recently used (LRU) elements are removed;
490
</tag-desc>
491

492
<tag-name id="proxy_ssl_certificate_cache_inactive">
493
<literal>inactive</literal>
494
</tag-name>
495
<tag-desc>
496
defines a time after which an element is removed from the cache
497
if it has not been accessed during this time;
498
by default, it is 10 seconds;
499
</tag-desc>
500

501
<tag-name id="proxy_ssl_certificate_cache_valid">
502
<literal>valid</literal>
503
</tag-name>
504
<tag-desc>
505
defines a time during which
506
an element in the cache is considered valid
507
and can be reused;
508
by default, it is 60 seconds.
509
Certificates that exceed this time will be reloaded or revalidated;
510
</tag-desc>
511

512
<tag-name id="proxy_ssl_certificate_cache_off">
513
<literal>off</literal>
514
</tag-name>
515
<tag-desc>
516
disables the cache.
517
</tag-desc>
518

519
</list>
520
</para>
521

522
<para>
523
Example:
524
<example>
525
proxy_ssl_certificate       $proxy_ssl_server_name.crt;
526
proxy_ssl_certificate_key   $proxy_ssl_server_name.key;
527
proxy_ssl_certificate_cache max=1000 inactive=20s valid=1m;
528
</example>
529
</para>
530

531
</directive>
532

533

534
<directive name="proxy_ssl_certificate_key">
535
<syntax><value>file</value></syntax>
536
<default/>
537
<context>stream</context>
538
<context>server</context>
539

540
<para>
541
The value
542
<literal>store</literal>:<value>scheme</value>:<value>id</value>
543
can be specified instead of the <value>file</value> (1.29.0),
544
which is used to load a secret key with a specified <value>id</value>
545
and OpenSSL provider registered URI <value>scheme</value>, such as
546
<link url="https://datatracker.ietf.org/doc/html/rfc7512"><literal>pkcs11</literal></link>.
547
</para>
548

549
<para>
550
Specifies a <value>file</value> with the secret key in the PEM format
551
used for authentication to a proxied server.
552
</para>
553

554
<para id="proxy_ssl_certificate_key_variables">
555
Since version 1.21.0, variables can be used in the <value>file</value> name.
556
</para>
557

558
</directive>
559

560

561
<directive name="proxy_ssl_ciphers">
562
<syntax><value>ciphers</value></syntax>
563
<default>DEFAULT</default>
564
<context>stream</context>
565
<context>server</context>
566

567
<para>
568
Specifies the enabled ciphers for connections to a proxied server.
569
The ciphers are specified in the format understood by the OpenSSL library.
570
</para>
571

572
<para>
573
The full list can be viewed using the
574
“<command>openssl ciphers</command>” command.
575
</para>
576

577
</directive>
578

579

580
<directive name="proxy_ssl_conf_command">
581
<syntax><value>name</value> <value>value</value></syntax>
582
<default/>
583
<context>stream</context>
584
<context>server</context>
585
<appeared-in>1.19.4</appeared-in>
586

587
<para>
588
Sets arbitrary OpenSSL configuration
589
<link url="https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html">commands</link>
590
when establishing a connection with the proxied server.
591
<note>
592
The directive is supported when using OpenSSL 1.0.2 or higher.
593
</note>
594
</para>
595

596
<para>
597
Several <literal>proxy_ssl_conf_command</literal> directives
598
can be specified on the same level.
599
These directives are inherited from the previous configuration level
600
if and only if there are
601
no <literal>proxy_ssl_conf_command</literal> directives
602
defined on the current level.
603
</para>
604

605
<para>
606
<note>
607
Note that configuring OpenSSL directly
608
might result in unexpected behavior.
609
</note>
610
</para>
611

612
</directive>
613

614

615
<directive name="proxy_ssl_crl">
616
<syntax><value>file</value></syntax>
617
<default/>
618
<context>stream</context>
619
<context>server</context>
620

621
<para>
622
Specifies a <value>file</value> with revoked certificates (CRL)
623
in the PEM format used to <link id="proxy_ssl_verify">verify</link>
624
the certificate of the proxied server.
625
When using intermediate certificates, their CRLs should be
626
specified in the same file.
627
</para>
628

629
</directive>
630

631

632
<directive name="proxy_ssl_key_log">
633
<syntax>path</syntax>
634
<default/>
635
<context>stream</context>
636
<context>server</context>
637
<appeared-in>1.27.2</appeared-in>
638

639
<para>
640
Enables logging of proxied server connection SSL keys
641
and specifies the path to the key log file.
642
Keys are logged in the
643
<link url="https://datatracker.ietf.org/doc/html/draft-ietf-tls-keylogfile">SSLKEYLOGFILE</link>
644
format compatible with Wireshark.
645
</para>
646

647
<para>
648
<note>
649
This directive is available as part of our
650
<commercial_version>commercial subscription</commercial_version>.
651
</note>
652
</para>
653

654
</directive>
655

656

657
<directive name="proxy_ssl_name">
658
<syntax><value>name</value></syntax>
659
<default>host from proxy_pass</default>
660
<context>stream</context>
661
<context>server</context>
662

663
<para>
664
Allows overriding the server name used to
665
<link id="proxy_ssl_verify">verify</link>
666
the certificate of the proxied server and to be
667
<link id="proxy_ssl_server_name">passed through SNI</link>
668
when establishing a connection with the proxied server.
669
The server name can also be specified using variables (1.11.3).
670
</para>
671

672
<para>
673
By default, the host part of the <link id="proxy_pass"/> address is used.
674
</para>
675

676
</directive>
677

678

679
<directive name="proxy_ssl_password_file">
680
<syntax><value>file</value></syntax>
681
<default/>
682
<context>stream</context>
683
<context>server</context>
684

685
<para>
686
Specifies a <value>file</value> with passphrases for
687
<link id="proxy_ssl_certificate_key">secret keys</link>
688
where each passphrase is specified on a separate line.
689
Passphrases are tried in turn when loading the key.
690
</para>
691

692
</directive>
693

694

695
<directive name="proxy_ssl_protocols">
696
<syntax>
697
    [<literal>SSLv2</literal>]
698
    [<literal>SSLv3</literal>]
699
    [<literal>TLSv1</literal>]
700
    [<literal>TLSv1.1</literal>]
701
    [<literal>TLSv1.2</literal>]
702
    [<literal>TLSv1.3</literal>]</syntax>
703
<default>TLSv1.2 TLSv1.3</default>
704
<context>stream</context>
705
<context>server</context>
706

707
<para>
708
Enables the specified protocols for connections to a proxied server.
709
</para>
710

711
<para>
712
<note>
713
The <literal>TLSv1.3</literal> parameter is used by default
714
since 1.23.4.
715
</note>
716
</para>
717

718
</directive>
719

720

721
<directive name="proxy_ssl_server_name">
722
<syntax><literal>on</literal> | <literal>off</literal></syntax>
723
<default>off</default>
724
<context>stream</context>
725
<context>server</context>
726

727
<para>
728
Enables or disables passing of the server name through
729
<link url="http://en.wikipedia.org/wiki/Server_Name_Indication">TLS
730
Server Name Indication extension</link> (SNI, RFC 6066)
731
when establishing a connection with the proxied server.
732
</para>
733

734
</directive>
735

736

737
<directive name="proxy_ssl_session_reuse">
738
<syntax><literal>on</literal> | <literal>off</literal></syntax>
739
<default>on</default>
740
<context>stream</context>
741
<context>server</context>
742

743
<para>
744
Determines whether SSL sessions can be reused when working with
745
the proxied server.
746
If the errors
747
“<literal>digest check failed</literal>”
748
appear in the logs, try disabling session reuse.
749
</para>
750

751
</directive>
752

753

754
<directive name="proxy_ssl_trusted_certificate">
755
<syntax><value>file</value></syntax>
756
<default/>
757
<context>stream</context>
758
<context>server</context>
759

760
<para>
761
Specifies a <value>file</value> with trusted CA certificates in the PEM format
762
used to <link id="proxy_ssl_verify">verify</link>
763
the certificate of the proxied server.
764
</para>
765

766
</directive>
767

768

769
<directive name="proxy_ssl_verify">
770
<syntax><literal>on</literal> | <literal>off</literal></syntax>
771
<default>off</default>
772
<context>stream</context>
773
<context>server</context>
774

775
<para>
776
Enables or disables verification of the proxied server certificate.
777
</para>
778

779
</directive>
780

781

782
<directive name="proxy_ssl_verify_depth">
783
<syntax><value>number</value></syntax>
784
<default>1</default>
785
<context>stream</context>
786
<context>server</context>
787

788
<para>
789
Sets the verification depth in the proxied server certificates chain.
790
</para>
791

792
</directive>
793

794

795
<directive name="proxy_timeout">
796
<syntax><value>timeout</value></syntax>
797
<default>10m</default>
798
<context>stream</context>
799
<context>server</context>
800

801
<para>
802
Sets the <value>timeout</value> between two successive
803
read or write operations on client or proxied server connections.
804
If no data is transmitted within this time, the connection is closed.
805
</para>
806

807
</directive>
808

809

810
<directive name="proxy_upload_rate">
811
<syntax><value>rate</value></syntax>
812
<default>0</default>
813
<context>stream</context>
814
<context>server</context>
815
<appeared-in>1.9.3</appeared-in>
816

817
<para>
818
Limits the speed of reading the data from the client.
819
The <value>rate</value> is specified in bytes per second.
820
The zero value disables rate limiting.
821
The limit is set per a connection, so if the client simultaneously opens
822
two connections,
823
the overall rate will be twice as much as the specified limit.
824
</para>
825

826
<para>
827
Parameter value can contain variables (1.17.0).
828
It may be useful in cases where rate should be limited
829
depending on a certain condition:
830
<example>
831
map $slow $rate {
832
    1     4k;
833
    2     8k;
834
}
835

836
proxy_upload_rate $rate;
837
</example>
838
</para>
839

840
</directive>
841

842
</section>
843

844
</module>
845

846