NGINX modules reference

Nginx, Inc.

NGINX Plus Reference Guide

NGINX Plus - release 30, based on 1.25.1 core

August 2, 2023

Nginx, Inc. product or service name or logo used herein are trademarks of Nginx, Inc.

All other trademarks used herein belong to their respective owners. The trademarks

and logos displayed herein may not be used without the prior written consent of

Nginx, Inc. or their respective owners.

This documentation is provided “AS IS” and is subject to change without notice

and should not be interpreted as a commitment by Nginx, Inc. This documentation

may not be copied, modiﬁed or distributed without authorization of Nginx, Inc. and

may be used only in connection with Nginx, Inc. products and services. Nginx, Inc.

assumes no responsibility or liability for any errors or inaccuracies that may appear

in this documentation.

Preface

About NGINX

NGINX

(“engine x”) is a high performance, high concurrency web server

excelling at large scale content delivery, web acceleration and protecting

application containers. Its precise integration with modern operating systems

allows unprecedented levels of eﬃciency even when running on commodity

hardware.

Nginx, Inc. develops and maintains NGINX open source distribution, and

oﬀers commercial support and professional services for NGINX.

About NGINX Plus

• Oﬀers additional features on top of the free open source NGINX version.

• Prepared, tested and supported by NGINX core engineering team.

For more information

• Find more details about NGINX products and support at

https://www.nginx.com/.

• For online NGINX documentation visit https://nginx.org/en/docs.

• NGINX and NGINX Plus Tutorial and Admin Guide is available here:

https://www.nginx.com/resources/admin-guide/.

• For general inquiries, please use: nginx-i[email protected]

Contents

Title 1

Preface 2

Table of Contents 3

1 Core modules 6

1.1 Core functionality . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.2 Setting up hashes . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.3 Connection processing methods . . . . . . . . . . . . . . . . . . 17

1.4 Logging to syslog . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2 HTTP server modules 19

2.1 Module ngx http core module . . . . . . . . . . . . . . . . . . . 19

2.2 Module ngx http access module . . . . . . . . . . . . . . . . . . 59

2.3 Module ngx http addition module . . . . . . . . . . . . . . . . . 61

2.4 Module ngx http api module . . . . . . . . . . . . . . . . . . . 63

2.5 Module ngx http auth basic module . . . . . . . . . . . . . . . 116

2.6 Module ngx http auth jwt module . . . . . . . . . . . . . . . . 118

2.7 Module ngx http auth request module . . . . . . . . . . . . . . 123

2.8 Module ngx http autoindex module . . . . . . . . . . . . . . . . 125

2.9 Module ngx http browser module . . . . . . . . . . . . . . . . . 127

2.10 Module ngx http charset module . . . . . . . . . . . . . . . . . 129

2.11 Module ngx http dav module . . . . . . . . . . . . . . . . . . . 132

2.12 Module ngx http empty gif module . . . . . . . . . . . . . . . . 135

2.13 Module ngx http f4f module . . . . . . . . . . . . . . . . . . . . 136

2.14 Module ngx http fastcgi module . . . . . . . . . . . . . . . . . . 137

2.15 Module ngx http ﬂv module . . . . . . . . . . . . . . . . . . . . 158

2.16 Module ngx http geo module . . . . . . . . . . . . . . . . . . . 159

2.17 Module ngx http geoip module . . . . . . . . . . . . . . . . . . 162

2.18 Module ngx http grpc module . . . . . . . . . . . . . . . . . . . 165

2.19 Module ngx http gunzip module . . . . . . . . . . . . . . . . . 174

2.20 Module ngx http gzip module . . . . . . . . . . . . . . . . . . . 175

2.21 Module ngx http gzip static module . . . . . . . . . . . . . . . 179

2.22 Module ngx http headers module . . . . . . . . . . . . . . . . . 180

2.23 Module ngx http hls module . . . . . . . . . . . . . . . . . . . . 183

2.24 Module ngx http image ﬁlter module . . . . . . . . . . . . . . . 187

CONTENTS CONTENTS

2.25 Module ngx http index module . . . . . . . . . . . . . . . . . . 191

2.26 Module ngx http int ... module . . . . . . . . . . . . . . . . . . 192

2.27 Module ngx http js module . . . . . . . . . . . . . . . . . . . . 194

2.28 Module ngx http keyval module . . . . . . . . . . . . . . . . . . 203

2.29 Module ngx http limit conn module . . . . . . . . . . . . . . . 205

2.30 Module ngx http limit req module . . . . . . . . . . . . . . . . 209

2.31 Module ngx http log module . . . . . . . . . . . . . . . . . . . . 213

2.32 Module ngx http map module . . . . . . . . . . . . . . . . . . . 217

2.33 Module ngx http memcached module . . . . . . . . . . . . . . . 220

2.34 Module ngx http mirror module . . . . . . . . . . . . . . . . . . 225

2.35 Module ngx http mp4 module . . . . . . . . . . . . . . . . . . . 227

2.36 Module ngx http perl module . . . . . . . . . . . . . . . . . . . 230

2.37 Module ngx http proxy module . . . . . . . . . . . . . . . . . . 236

2.38 Module ngx http pro ... module . . . . . . . . . . . . . . . . . 265

2.39 Module ngx http random index module . . . . . . . . . . . . . 266

2.40 Module ngx http realip module . . . . . . . . . . . . . . . . . . 267

2.41 Module ngx http referer module . . . . . . . . . . . . . . . . . . 269

2.42 Module ngx http rewrite module . . . . . . . . . . . . . . . . . 271

2.43 Module ngx http scgi module . . . . . . . . . . . . . . . . . . . 277

2.44 Module ngx http secure link module . . . . . . . . . . . . . . . 295

2.45 Module ngx http session log module . . . . . . . . . . . . . . . 298

2.46 Module ngx http slice module . . . . . . . . . . . . . . . . . . . 300

2.47 Module ngx http split clients module . . . . . . . . . . . . . . . 302

2.48 Module ngx http ssi module . . . . . . . . . . . . . . . . . . . . 303

2.49 Module ngx http ssl module . . . . . . . . . . . . . . . . . . . . 309

2.50 Module ngx http status module . . . . . . . . . . . . . . . . . . 324

2.51 Module ngx http stub status module . . . . . . . . . . . . . . . 334

2.52 Module ngx http sub module . . . . . . . . . . . . . . . . . . . 336

2.53 Module ngx http upstream module . . . . . . . . . . . . . . . . 338

2.54 Module ngx http upstream conf module . . . . . . . . . . . . . 355

2.55 Module ngx http upstream hc module . . . . . . . . . . . . . . 359

2.56 Module ngx http userid module . . . . . . . . . . . . . . . . . . 364

2.57 Module ngx http uwsgi module . . . . . . . . . . . . . . . . . . 368

2.58 Module ngx http v2 module . . . . . . . . . . . . . . . . . . . . 390

2.59 Module ngx http v3 module . . . . . . . . . . . . . . . . . . . . 395

2.60 Module ngx http xslt module . . . . . . . . . . . . . . . . . . . 399

3 Stream server modules 402

3.1 Module ngx stream core module . . . . . . . . . . . . . . . . . 402

3.2 Module ngx stream access module . . . . . . . . . . . . . . . . 411

3.3 Module ngx stream geo module . . . . . . . . . . . . . . . . . . 412

3.4 Module ngx stream geoip module . . . . . . . . . . . . . . . . . 414

3.5 Module ngx stream js module . . . . . . . . . . . . . . . . . . . 417

3.6 Module ngx stream keyval module . . . . . . . . . . . . . . . . 425

3.7 Module ngx stream limit conn module . . . . . . . . . . . . . . 427

3.8 Module ngx stream log module . . . . . . . . . . . . . . . . . . 430

Nginx, Inc. p.4 of 542

CONTENTS CONTENTS

3.9 Module ngx stream map module . . . . . . . . . . . . . . . . . 433

3.10 Module ngx stream mqtt ﬁlter module . . . . . . . . . . . . . . 436

3.11 Module ngx stream mqtt preread module . . . . . . . . . . . . 438

3.12 Module ngx stream proxy module . . . . . . . . . . . . . . . . . 439

3.13 Module ngx stream p ... module . . . . . . . . . . . . . . . . . 448

3.14 Module ngx stream realip module . . . . . . . . . . . . . . . . . 449

3.15 Module ngx stream return module . . . . . . . . . . . . . . . . 450

3.16 Module ngx stream set module . . . . . . . . . . . . . . . . . . 451

3.17 Module ngx stream split clients module . . . . . . . . . . . . . 452

3.18 Module ngx stream ssl module . . . . . . . . . . . . . . . . . . 453

3.19 Module ngx stream ssl preread module . . . . . . . . . . . . . . 463

3.20 Module ngx stream upstream module . . . . . . . . . . . . . . . 465

3.21 Module ngx stream upstream hc module . . . . . . . . . . . . . 473

3.22 Module ngx stream zone sync module . . . . . . . . . . . . . . 477

4 Mail server modules 485

4.1 Module ngx mail core module . . . . . . . . . . . . . . . . . . . 485

4.2 Module ngx mail auth http module . . . . . . . . . . . . . . . . 491

4.3 Module ngx mail proxy module . . . . . . . . . . . . . . . . . . 495

4.4 Module ngx mail realip module . . . . . . . . . . . . . . . . . . 497

4.5 Module ngx mail ssl module . . . . . . . . . . . . . . . . . . . . 498

4.6 Module ngx mail imap module . . . . . . . . . . . . . . . . . . 507

4.7 Module ngx mail pop3 module . . . . . . . . . . . . . . . . . . 509

4.8 Module ngx mail smtp module . . . . . . . . . . . . . . . . . . 510

5 Miscellaneous 512

5.1 Command-line parameters . . . . . . . . . . . . . . . . . . . . . 512

5.2 Module ngx otel module . . . . . . . . . . . . . . . . . . . . . . 514

A Changelog for NGINX Plus 518

B Legal Notices 530

Index 535

Nginx, Inc. p.5 of 542

Chapter 1

Core modules

1.1 Core functionality

1.1.1 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 7

1.1.2 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 7

accept mutex . . . . . . . . . . . . . . . . . . . . . . . . 7

accept mutex delay . . . . . . . . . . . . . . . . . . . . . 7

daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

debug connection . . . . . . . . . . . . . . . . . . . . . . 8

debug points . . . . . . . . . . . . . . . . . . . . . . . . 8

env . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

error log . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

events . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

include . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

load module . . . . . . . . . . . . . . . . . . . . . . . . . 10

lock ﬁle . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

master process . . . . . . . . . . . . . . . . . . . . . . . 11

multi accept . . . . . . . . . . . . . . . . . . . . . . . . . 11

pcre jit . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

pid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

ssl

engine . . . . . . . . . . . . . . . . . . . . . . . . . . 11

thread pool . . . . . . . . . . . . . . . . . . . . . . . . . 12

timer resolution . . . . . . . . . . . . . . . . . . . . . . . 12

use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

worker aio requests . . . . . . . . . . . . . . . . . . . . . 13

worker connections . . . . . . . . . . . . . . . . . . . . . 13

worker cpu aﬃnity . . . . . . . . . . . . . . . . . . . . . 13

worker priority . . . . . . . . . . . . . . . . . . . . . . . 14

worker processes . . . . . . . . . . . . . . . . . . . . . . 14

worker rlimit core . . . . . . . . . . . . . . . . . . . . . . 15

worker rlimit noﬁle . . . . . . . . . . . . . . . . . . . . . 15

worker shutdown timeout . . . . . . . . . . . . . . . . . 15

working directory . . . . . . . . . . . . . . . . . . . . . . 15

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

1.1.1 Example Conﬁguration

user www www;

worker_processes 2;

error_log /var/log/nginx-error.log info;

events {

use kqueue;

worker_connections 2048;

}

...

1.1.2 Directives

accept mutex

Syntax: accept_mutex on | off;

Default off

Context: events

If accept_mutex is enabled, worker processes will accept new connections

by turn. Otherwise, all worker processes will be notiﬁed about new

connections, and if volume of new connections is low, some of the worker

processes may just waste system resources.

There is no need to enable accept_mutex on systems that support the

EPOLLEXCLUSIVE ﬂag (1.11.3) or when using reuseport.

Prior to version 1.11.3, the default value was on.

accept mutex delay

Syntax: accept_mutex_delay time;

Default 500ms

Context: events

If accept mutex is enabled, speciﬁes the maximum time during which a

worker process will try to restart accepting new connections if another worker

process is currently accepting new connections.

daemon

Syntax: daemon on | off;

Default on

Context: main

Determines whether nginx should become a daemon. Mainly used during

development.

Nginx, Inc. p.7 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

debug connection

Syntax: debug_connection address | CIDR | unix:;

Default —

Context: events

Enables debugging log for selected client connections. Other connections

will use logging level set by the error log directive. Debugged connections

are speciﬁed by IPv4 or IPv6 (1.3.0, 1.2.1) address or network. A connection

may also be speciﬁed using a hostname. For connections using UNIX-domain

sockets (1.3.0, 1.2.1), debugging log is enabled by the “unix:” parameter.

events {

debug_connection 127.0.0.1;

debug_connection localhost;

debug_connection 192.0.2.0/24;

debug_connection ::1;

debug_connection 2001:0db8::/32;

debug_connection unix:;

...

}

For this directive to work, nginx needs to be built with --with-debug,

see “A debugging log”.

debug points

Syntax: debug_points abort | stop;

Default —

Context: main

This directive is used for debugging.

When internal error is detected, e.g. the leak of sockets on restart of

working processes, enabling debug_points leads to a core ﬁle creation

(abort) or to stopping of a process (stop) for further analysis using a system

debugger.

env

Syntax: env variable[=value];

Default TZ

Context: main

By default, nginx removes all environment variables inherited from its

parent process except the TZ variable. This directive allows preserving some

of the inherited variables, changing their values, or creating new environment

variables. These variables are then:

• inherited during a live upgrade of an executable ﬁle;

• used by the ngx http perl module module;

Nginx, Inc. p.8 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

• used by worker processes. One should bear in mind that controlling

system libraries in this way is not always possible as it is common for

libraries to check variables only during initialization, well before they can

be set using this directive. An exception from this is an above mentioned

live upgrade of an executable ﬁle.

The TZ variable is always inherited and available to the ngx http perl -

module module, unless it is conﬁgured explicitly.

Usage example:

env MALLOC_OPTIONS;

env PERL5LIB=/data/site/modules;

env OPENSSL_ALLOW_PROXY_CERTS=1;

The NGINX environment variable is used internally by nginx and should

not be set directly by the user.

error log

Syntax: error_log ﬁle [level];

Default logs/error.log error

Context: main, http, mail, stream, server, location

Conﬁgures logging. Several logs can be speciﬁed on the same conﬁguration

level (1.5.2). If on the main conﬁguration level writing a log to a ﬁle is not

explicitly deﬁned, the default ﬁle will be used.

The ﬁrst parameter deﬁnes a ﬁle that will store the log.

The special value stderr selects the standard error ﬁle. Logging to syslog

can be conﬁgured by specifying the “syslog:” preﬁx. Logging to a cyclic

memory buﬀer can be conﬁgured by specifying the “memory:” preﬁx and

buﬀer size, and is generally used for debugging (1.7.11).

The second parameter determines the level of logging, and can be one of the

following: debug, info, notice, warn, error, crit, alert, or emerg.

Log levels above are listed in the order of increasing severity. Setting a certain

log level will cause all messages of the speciﬁed and more severe log levels to

be logged. For example, the default level error will cause error, crit,

alert, and emerg messages to be logged. If this parameter is omitted then

error is used.

For debug logging to work, nginx needs to be built with --with-debug,

see “A debugging log”.

The directive can be speciﬁed on the stream level starting from version

1.7.11, and on the mail level starting from version 1.9.0.

Nginx, Inc. p.9 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

events

Syntax: events { . . . }

Default —

Context: main

Provides the conﬁguration ﬁle context in which the directives that aﬀect

connection processing are speciﬁed.

include

Syntax: include ﬁle | mask;

Default —

Context: any

Includes another ﬁle, or ﬁles matching the speciﬁed mask, into

conﬁguration. Included ﬁles should consist of syntactically correct directives

and blocks.

Usage example:

include mime.types;

include vhosts/

.conf;

load module

Syntax: load_module ﬁle;

Default —

Context: main

This directive appeared in version 1.9.11.

Loads a dynamic module.

Example:

load_module modules/ngx_mail_module.so;

lock ﬁle

Syntax: lock_file ﬁle;

Default logs/nginx.lock

Context: main

nginx uses the locking mechanism to implement accept mutex and serialize

access to shared memory. On most systems the locks are implemented using

atomic operations, and this directive is ignored. On other systems the “lock

ﬁle” mechanism is used. This directive speciﬁes a preﬁx for the names of lock

ﬁles.

Nginx, Inc. p.10 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

master process

Syntax: master_process on | off;

Default on

Context: main

Determines whether worker processes are started. This directive is intended

for nginx developers.

multi accept

Syntax: multi_accept on | off;

Default off

Context: events

If multi_accept is disabled, a worker process will accept one new

connection at a time. Otherwise, a worker process will accept all new

connections at a time.

The directive is ignored if kqueue connection processing method is used,

because it reports the number of new connections waiting to be accepted.

pcre jit

Syntax: pcre_jit on | off;

Default off

Context: main

This directive appeared in version 1.1.12.

Enables or disables the use of “just-in-time compilation” (PCRE JIT) for

the regular expressions known by the time of conﬁguration parsing.

PCRE JIT can speed up processing of regular expressions signiﬁcantly.

The JIT is available in PCRE libraries starting from version 8.20 built

with the --enable-jit conﬁguration parameter. When the PCRE library

is built with nginx (--with-pcre=), the JIT support is enabled via the

--with-pcre-jit conﬁguration parameter.

pid

Syntax: pid ﬁle;

Default logs/nginx.pid

Context: main

Deﬁnes a ﬁle that will store the process ID of the main process.

ssl engine

Syntax: ssl_engine device;

Default —

Context: main

Nginx, Inc. p.11 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

Deﬁnes the name of the hardware SSL accelerator.

thread pool

Syntax: thread_pool name threads=number [max_queue=number];

Default default threads=32 max_queue=65536

Context: main

This directive appeared in version 1.7.11.

Deﬁnes the name and parameters of a thread pool used for multi-threaded

reading and sending of ﬁles without blocking worker processes.

The threads parameter deﬁnes the number of threads in the pool.

In the event that all threads in the pool are busy, a new task will wait in

the queue. The max_queue parameter limits the number of tasks allowed to

be waiting in the queue. By default, up to 65536 tasks can wait in the queue.

When the queue overﬂows, the task is completed with an error.

timer resolution

Syntax: timer_resolution interval;

Default —

Context: main

Reduces timer resolution in worker processes, thus reducing the number

of gettimeofday system calls made. By default, gettimeofday is called

each time a kernel event is received. With reduced resolution, gettimeofday

is only called once per speciﬁed interval.

Example:

timer_resolution 100ms;

Internal implementation of the interval depends on the method used:

• the EVFILT_TIMER ﬁlter if kqueue is used;

• timer_create if eventport is used;

• setitimer otherwise.

use

Syntax: use method;

Default —

Context: events

Speciﬁes the connection processing method to use. There is normally no

need to specify it explicitly, because nginx will by default use the most eﬃcient

method.

Nginx, Inc. p.12 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

user

Syntax: user user [group];

Default nobody nobody

Context: main

Deﬁnes user and group credentials used by worker processes. If group is

omitted, a group whose name equals that of user is used.

worker aio requests

Syntax: worker_aio_requests number;

Default 32

Context: events

This directive appeared in versions 1.1.4 and 1.0.7.

When using aio with the epoll connection processing method, sets the

maximum number of outstanding asynchronous I/O operations for a single

worker process.

worker connections

Syntax: worker_connections number;

Default 512

Context: events

Sets the maximum number of simultaneous connections that can be opened

by a worker process.

It should be kept in mind that this number includes all connections (e.g.

connections with proxied servers, among others), not only connections with

clients. Another consideration is that the actual number of simultaneous

connections cannot exceed the current limit on the maximum number of open

ﬁles, which can be changed by worker rlimit noﬁle.

worker cpu aﬃnity

Syntax: worker_cpu_affinity cpumask . . . ;

Syntax: worker_cpu_affinity auto [cpumask];

Default —

Context: main

Binds worker processes to the sets of CPUs. Each CPU set is represented

by a bitmask of allowed CPUs. There should be a separate set deﬁned for each

of the worker processes. By default, worker processes are not bound to any

speciﬁc CPUs.

For example,

worker_processes 4;

worker_cpu_affinity 0001 0010 0100 1000;

binds each worker process to a separate CPU, while

Nginx, Inc. p.13 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

worker_processes 2;

worker_cpu_affinity 0101 1010;

binds the ﬁrst worker process to CPU0/CPU2, and the second worker

process to CPU1/CPU3. The second example is suitable for hyper-threading.

The special value auto (1.9.10) allows binding worker processes

automatically to available CPUs:

worker_processes auto;

worker_cpu_affinity auto;

The optional mask parameter can be used to limit the CPUs available for

automatic binding:

worker_cpu_affinity auto 01010101;

The directive is only available on FreeBSD and Linux.

worker priority

Syntax: worker_priority number;

Default 0

Context: main

Deﬁnes the scheduling priority for worker processes like it is done by the

nice command: a negative number means higher priority. Allowed range

normally varies from -20 to 20.

Example:

worker_priority -10;

worker processes

Syntax: worker_processes number | auto;

Default 1

Context: main

Deﬁnes the number of worker processes.

The optimal value depends on many factors including (but not limited to)

the number of CPU cores, the number of hard disk drives that store data, and

load pattern. When one is in doubt, setting it to the number of available CPU

cores would be a good start (the value “auto” will try to autodetect it).

The auto parameter is supported starting from versions 1.3.8 and 1.2.5.

Nginx, Inc. p.14 of 542

CHAPTER 1. CORE MODULES 1.1. CORE FUNCTIONALITY

worker rlimit core

Syntax: worker_rlimit_core size;

Default —

Context: main

Changes the limit on the largest size of a core ﬁle (RLIMIT_CORE) for

worker processes. Used to increase the limit without restarting the main

process.

worker rlimit noﬁle

Syntax: worker_rlimit_nofile number;

Default —

Context: main

Changes the limit on the maximum number of open ﬁles

(RLIMIT_NOFILE) for worker processes. Used to increase the limit

without restarting the main process.

worker shutdown timeout

Syntax: worker_shutdown_timeout time;

Default —

Context: main

This directive appeared in version 1.11.11.

Conﬁgures a timeout for a graceful shutdown of worker processes. When

the time expires, nginx will try to close all the connections currently open to

facilitate shutdown.

working directory

Syntax: working_directory directory;

Default —

Context: main

Deﬁnes the current working directory for a worker process. It is primarily

used when writing a core-ﬁle, in which case a worker process should have write

permission for the speciﬁed directory.

Nginx, Inc. p.15 of 542

CHAPTER 1. CORE MODULES 1.2. SETTING UP HASHES

1.2 Setting up hashes

1.2.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.2.1 Overview

To quickly process static sets of data such as server names, map directive’s

values, MIME types, names of request header strings, nginx uses hash tables.

During the start and each re-conﬁguration nginx selects the minimum possible

sizes of hash tables such that the bucket size that stores keys with identical

hash values does not exceed the conﬁgured parameter (hash bucket size). The

size of a table is expressed in buckets. The adjustment is continued until

the table size exceeds the hash max size parameter. Most hashes have the

corresponding directives that allow changing these parameters, for example,

for the server names hash they are server names hash max size and server -

names hash bucket size.

The hash bucket size parameter is aligned to the size that is a multiple of

the processor’s cache line size. This speeds up key search in a hash on modern

processors by reducing the number of memory accesses. If hash bucket size is

equal to one processor’s cache line size then the number of memory accesses

during the key search will be two in the worst case — ﬁrst to compute the

bucket address, and second during the key search inside the bucket. Therefore,

if nginx emits the message requesting to increase either hash max size or hash

bucket size then the ﬁrst parameter should ﬁrst be increased.

Nginx, Inc. p.16 of 542

CHAPTER 1. CORE MODULES 1.3. CONNECTION PROCESSING METHODS

1.3 Connection processing methods

1.3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 17

1.3.1 Overview

nginx supports a variety of connection processing methods. The availability

of a particular method depends on the platform used. On platforms that

support several methods nginx will normally select the most eﬃcient method

automatically. However, if needed, a connection processing method can be

selected explicitly with the use directive.

The following connection processing methods are supported:

• select — standard method. The supporting module is built au-

tomatically on platforms that lack more eﬃcient methods. The

--with-select_module and --without-select_module con-

ﬁguration parameters can be used to forcibly enable or disable the build

of this module.

• poll — standard method. The supporting module is built au-

tomatically on platforms that lack more eﬃcient methods. The

--with-poll_module and --without-poll_module conﬁgura-

tion parameters can be used to forcibly enable or disable the build of

this module.

• kqueue — eﬃcient method used on FreeBSD 4.1+, OpenBSD 2.9+,

NetBSD 2.0, and macOS.

• epoll — eﬃcient method used on Linux 2.6+.

The EPOLLRDHUP (Linux 2.6.17, glibc 2.8) and EPOLLEXCLUSIVE

(Linux 4.5, glibc 2.24) ﬂags are supported since 1.11.3.

Some older distributions like SuSE 8.2 provide patches that add epoll

support to 2.4 kernels.

• /dev/poll — eﬃcient method used on Solaris 7 11/99+, HP/UX

11.22+ (eventport), IRIX 6.5.15+, and Tru64 UNIX 5.1A+.

• eventport — event ports, method used on Solaris 10+ (due to known

issues, it is recommended using the /dev/poll method instead).

Nginx, Inc. p.17 of 542

CHAPTER 1. CORE MODULES 1.4. LOGGING TO SYSLOG

1.4 Logging to syslog

1.4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 18

1.4.1 Overview

The error log and access log directives support logging to syslog. The

following parameters conﬁgure logging to syslog:

server=address

Deﬁnes the address of a syslog server. The address can be speciﬁed as a

domain name or IP address, with an optional port, or as a UNIX-domain

socket path speciﬁed after the“unix:”preﬁx. If port is not speciﬁed, the

UDP port 514 is used. If a domain name resolves to several IP addresses,

the ﬁrst resolved address is used.

facility=string

Sets facility of syslog messages, as deﬁned in RFC 3164. Facility can

be one of “kern”, “user”, “mail”, “daemon”, “auth”, “intern”,

“lpr”,“news”, “uucp”, “clock”, “authpriv”, “ftp”,“ntp”,“audit”,

“alert”, “cron”, “local0”..“local7”. Default is “local7”.

severity=string

Sets severity of syslog messages for access log, as deﬁned in RFC 3164.

Possible values are the same as for the second parameter (level) of the

error log directive. Default is “info”.

Severity of error messages is determined by nginx, thus the parameter

is ignored in the error_log directive.

tag=string

Sets the tag of syslog messages. Default is “nginx”.

nohostname

Disables adding the “hostname” ﬁeld into the syslog message header

(1.9.7).

Example syslog conﬁguration:

error_log syslog:server=192.168.1.1 debug;

access_log syslog:server=unix:/var/log/nginx.sock,nohostname;

access_log syslog:server=[2001:db8::1]:12345,facility=local7,tag=nginx,severity

=info combined;

Logging to syslog is available since version 1.7.1. As part of our

commercial subscription logging to syslog is available since version 1.5.3.

Nginx, Inc. p.18 of 542

Chapter 2

HTTP server modules

2.1 Module ngx http core module

2.1.1 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 21

absolute redirect . . . . . . . . . . . . . . . . . . . . . . 21

aio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

aio write . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

alias . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

auth delay . . . . . . . . . . . . . . . . . . . . . . . . . . 23

chunked transfer encoding . . . . . . . . . . . . . . . . . 23

client body buﬀer size . . . . . . . . . . . . . . . . . . . 24

client body in ﬁle only . . . . . . . . . . . . . . . . . . . 24

client body in single buﬀer . . . . . . . . . . . . . . . . 24

client body temp path . . . . . . . . . . . . . . . . . . . 24

client body timeout . . . . . . . . . . . . . . . . . . . . . 25

client header buﬀer size . . . . . . . . . . . . . . . . . . 25

client header timeout . . . . . . . . . . . . . . . . . . . . 25

client max body size . . . . . . . . . . . . . . . . . . . . 25

connection pool size . . . . . . . . . . . . . . . . . . . . 26

default type . . . . . . . . . . . . . . . . . . . . . . . . . 26

directio . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

directio alignment . . . . . . . . . . . . . . . . . . . . . 26

disable symlinks . . . . . . . . . . . . . . . . . . . . . . 27

error page . . . . . . . . . . . . . . . . . . . . . . . . . . 28

etag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

http . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

if modiﬁed since . . . . . . . . . . . . . . . . . . . . . . 29

ignore invalid headers . . . . . . . . . . . . . . . . . . . 29

internal . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

keepalive disable . . . . . . . . . . . . . . . . . . . . . . 30

keepalive requests . . . . . . . . . . . . . . . . . . . . . . 31

keepalive time . . . . . . . . . . . . . . . . . . . . . . . . 31

keepalive timeout . . . . . . . . . . . . . . . . . . . . . . 31

large client header buﬀers . . . . . . . . . . . . . . . . . 32

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

limit except . . . . . . . . . . . . . . . . . . . . . . . . . 32

limit rate . . . . . . . . . . . . . . . . . . . . . . . . . . 32

limit rate after . . . . . . . . . . . . . . . . . . . . . . . 33

lingering close . . . . . . . . . . . . . . . . . . . . . . . . 33

lingering time . . . . . . . . . . . . . . . . . . . . . . . . 34

lingering timeout . . . . . . . . . . . . . . . . . . . . . . 34

listen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

location . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

log not found . . . . . . . . . . . . . . . . . . . . . . . . 39

log subrequest . . . . . . . . . . . . . . . . . . . . . . . . 40

max ranges . . . . . . . . . . . . . . . . . . . . . . . . . 40

merge slashes . . . . . . . . . . . . . . . . . . . . . . . . 40

msie padding . . . . . . . . . . . . . . . . . . . . . . . . 41

msie refresh . . . . . . . . . . . . . . . . . . . . . . . . . 41

open ﬁle cache . . . . . . . . . . . . . . . . . . . . . . . 41

open ﬁle cache errors . . . . . . . . . . . . . . . . . . . . 42

open ﬁle cache min uses . . . . . . . . . . . . . . . . . . 42

open

ﬁle cache valid . . . . . . . . . . . . . . . . . . . . 42

output buﬀers . . . . . . . . . . . . . . . . . . . . . . . . 42

port in redirect . . . . . . . . . . . . . . . . . . . . . . . 42

postpone output . . . . . . . . . . . . . . . . . . . . . . 43

read ahead . . . . . . . . . . . . . . . . . . . . . . . . . 43

recursive error pages . . . . . . . . . . . . . . . . . . . . 43

request pool size . . . . . . . . . . . . . . . . . . . . . . 43

reset timedout connection . . . . . . . . . . . . . . . . . 43

resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

resolver timeout . . . . . . . . . . . . . . . . . . . . . . . 45

root . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

satisfy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

send lowat . . . . . . . . . . . . . . . . . . . . . . . . . . 46

send timeout . . . . . . . . . . . . . . . . . . . . . . . . 46

sendﬁle . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

sendﬁle max chunk . . . . . . . . . . . . . . . . . . . . . 47

server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

server name . . . . . . . . . . . . . . . . . . . . . . . . . 47

server name in redirect . . . . . . . . . . . . . . . . . . . 49

server names hash bucket size . . . . . . . . . . . . . . . 49

server names hash max size . . . . . . . . . . . . . . . . 49

server tokens . . . . . . . . . . . . . . . . . . . . . . . . 50

subrequest output buﬀer size . . . . . . . . . . . . . . . 50

tcp nodelay . . . . . . . . . . . . . . . . . . . . . . . . . 50

tcp nopush . . . . . . . . . . . . . . . . . . . . . . . . . 50

try ﬁles . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

types hash bucket size . . . . . . . . . . . . . . . . . . . 53

types hash max size . . . . . . . . . . . . . . . . . . . . 53

Nginx, Inc. p.20 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

underscores in headers . . . . . . . . . . . . . . . . . . . 54

variables hash bucket size . . . . . . . . . . . . . . . . . 54

variables hash max size . . . . . . . . . . . . . . . . . . 54

2.1.2 Embedded Variables . . . . . . . . . . . . . . . . . . . . 54

2.1.1 Directives

absolute redirect

Syntax: absolute_redirect on | off;

Default on

Context: http, server, location

This directive appeared in version 1.11.8.

If disabled, redirects issued by nginx will be relative.

See also server name in redirect and port in redirect directives.

aio

Syntax: aio on | off | threads[=pool];

Default off

Context: http, server, location

This directive appeared in version 0.8.11.

Enables or disables the use of asynchronous ﬁle I/O (AIO) on FreeBSD and

Linux:

location /video/ {

aio on;

output_buffers 1 64k;

}

On FreeBSD, AIO can be used starting from FreeBSD 4.3. Prior to

FreeBSD 11.0, AIO can either be linked statically into a kernel:

options VFS_AIO

or loaded dynamically as a kernel loadable module:

kldload aio

On Linux, AIO can be used starting from kernel version 2.6.22. Also, it is

necessary to enable directio, or otherwise reading will be blocking:

location /video/ {

aio on;

directio 512;

output_buffers 1 128k;

}

On Linux, directio can only be used for reading blocks that are aligned on

512-byte boundaries (or 4K for XFS). File’s unaligned end is read in blocking

Nginx, Inc. p.21 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

mode. The same holds true for byte range requests and for FLV requests not

from the beginning of a ﬁle: reading of unaligned data at the beginning and

end of a ﬁle will be blocking.

When both AIO and sendﬁle are enabled on Linux, AIO is used for ﬁles

that are larger than or equal to the size speciﬁed in the directio directive, while

sendﬁle is used for ﬁles of smaller sizes or when directio is disabled.

location /video/ {

sendfile on;

aio on;

directio 8m;

}

Finally, ﬁles can be read and sent using multi-threading (1.7.11), without

blocking a worker process:

location /video/ {

sendfile on;

aio threads;

}

Read and send ﬁle operations are oﬄoaded to threads of the speciﬁed pool.

If the pool name is omitted, the pool with the name “default” is used. The

pool name can also be set with variables:

aio threads=pool$disk;

By default, multi-threading is disabled, it should be enabled with the

--with-threads conﬁguration parameter. Currently, multi-threading is

compatible only with the epoll, kqueue, and eventport methods. Multi-

threaded sending of ﬁles is only supported on Linux.

See also the sendﬁle directive.

aio write

Syntax: aio_write on | off;

Default off

Context: http, server, location

This directive appeared in version 1.9.13.

If aio is enabled, speciﬁes whether it is used for writing ﬁles. Currently,

this only works when using aio threads and is limited to writing temporary

ﬁles with data received from proxied servers.

alias

Syntax: alias path;

Default —

Context: location

Deﬁnes a replacement for the speciﬁed location. For example, with the

following conﬁguration

Nginx, Inc. p.22 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

location /i/ {

alias /data/w3/images/;

}

on request of “/i/top.gif”, the ﬁle /data/w3/images/top.gif will

be sent.

The path value can contain variables, except $document root and

$realpath root.

If alias is used inside a location deﬁned with a regular expression then

such regular expression should contain captures and alias should refer to

these captures (0.7.40), for example:

location ~ ^/users/(.+\.(?:gif|jpe?g|png))$ {

alias /data/w3/images/$1;

}

When location matches the last part of the directive’s value:

location /images/ {

alias /data/w3/images/;

}

it is better to use the root directive instead:

location /images/ {

root /data/w3;

}

auth delay

Syntax: auth_delay time;

Default 0s

Context: http, server, location

This directive appeared in version 1.17.10.

Delays processing of unauthorized requests with 401 response code to

prevent timing attacks when access is limited by password, by the result of

subrequest, or by JWT.

chunked transfer encoding

Syntax: chunked_transfer_encoding on | off;

Default on

Context: http, server, location

Allows disabling chunked transfer encoding in HTTP/1.1. It may come in

handy when using a software failing to support chunked encoding despite the

standard’s requirement.

Nginx, Inc. p.23 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

client body buﬀer size

Syntax: client_body_buffer_size size;

Default 8k|16k

Context: http, server, location

Sets buﬀer size for reading client request body. In case the request body is

larger than the buﬀer, the whole body or only its part is written to a temporary

ﬁle. By default, buﬀer size is equal to two memory pages. This is 8K on x86,

other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms.

client body in ﬁle only

Syntax: client_body_in_file_only on | clean | off;

Default off

Context: http, server, location

Determines whether nginx should save the entire client request body into

a ﬁle. This directive can be used during debugging, or when using the

$request body ﬁle variable, or the $r->request body ﬁle method of the module

ngx http perl module.

When set to the value on, temporary ﬁles are not removed after request

processing.

The value clean will cause the temporary ﬁles left after request processing

to be removed.

client body in single buﬀer

Syntax: client_body_in_single_buffer on | off;

Default off

Context: http, server, location

Determines whether nginx should save the entire client request body in

a single buﬀer. The directive is recommended when using the $request body

variable, to save the number of copy operations involved.

client body temp path

Syntax: client_body_temp_path path [level1 [level2 [level3]]];

Default client_body_temp

Context: http, server, location

Deﬁnes a directory for storing temporary ﬁles holding client request bodies.

Up to three-level subdirectory hierarchy can be used under the speciﬁed

directory. For example, in the following conﬁguration

client_body_temp_path /spool/nginx/client_temp 1 2;

a path to a temporary ﬁle might look like this:

Nginx, Inc. p.24 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

/spool/nginx/client_temp/7/45/00000123457

client body timeout

Syntax: client_body_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for reading client request body. The timeout is set only

for a period between two successive read operations, not for the transmission

of the whole request body. If a client does not transmit anything within this

time, the request is terminated with the 408 Request Time-out error.

client header buﬀer size

Syntax: client_header_buffer_size size;

Default 1k

Context: http, server

Sets buﬀer size for reading client request header. For most requests, a

buﬀer of 1K bytes is enough. However, if a request includes long cookies, or

comes from a WAP client, it may not ﬁt into 1K. If a request line or a request

header ﬁeld does not ﬁt into this buﬀer then larger buﬀers, conﬁgured by the

large client header buﬀers directive, are allocated.

If the directive is speciﬁed on the server level, the value from the default

server can be used. Details are provided in the “Virtual server selection”

section.

client header timeout

Syntax: client_header_timeout time;

Default 60s

Context: http, server

Deﬁnes a timeout for reading client request header. If a client does not

transmit the entire header within this time, the request is terminated with the

408 Request Time-out error.

client max body size

Syntax: client_max_body_size size;

Default 1m

Context: http, server, location

Sets the maximum allowed size of the client request body. If the size

in a request exceeds the conﬁgured value, the 413 Request Entity Too

Large error is returned to the client. Please be aware that browsers cannot

Nginx, Inc. p.25 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

correctly display this error. Setting size to 0 disables checking of client request

body size.

connection pool size

Syntax: connection_pool_size size;

Default 256|512

Context: http, server

Allows accurate tuning of per-connection memory allocations. This

directive has minimal impact on performance and should not generally be

used. By default, the size is equal to 256 bytes on 32-bit platforms and 512

bytes on 64-bit platforms.

Prior to version 1.9.8, the default value was 256 on all platforms.

default type

Syntax: default_type mime-type;

Default text/plain

Context: http, server, location

Deﬁnes the default MIME type of a response. Mapping of ﬁle name

extensions to MIME types can be set with the types directive.

directio

Syntax: directio size | off;

Default off

Context: http, server, location

This directive appeared in version 0.7.7.

Enables the use of the O_DIRECT ﬂag (FreeBSD, Linux), the F_NOCACHE

ﬂag (macOS), or the directio function (Solaris), when reading ﬁles that are

larger than or equal to the speciﬁed size. The directive automatically disables

(0.7.15) the use of sendﬁle for a given request. It can be useful for serving large

ﬁles:

directio 4m;

or when using aio on Linux.

directio alignment

Syntax: directio_alignment size;

Default 512

Context: http, server, location

This directive appeared in version 0.8.11.

Nginx, Inc. p.26 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

Sets the alignment for directio. In most cases, a 512-byte alignment is

enough. However, when using XFS under Linux, it needs to be increased to

4K.

disable symlinks

Syntax: disable_symlinks off;

Syntax: disable_symlinks on | if_not_owner [from=part];

Default off

Context: http, server, location

This directive appeared in version 1.1.15.

Determines how symbolic links should be treated when opening ﬁles:

off

Symbolic links in the pathname are allowed and not checked. This is the

default behavior.

If any component of the pathname is a symbolic link, access to a ﬁle is

denied.

if_not_owner

Access to a ﬁle is denied if any component of the pathname is a symbolic

link, and the link and object that the link points to have diﬀerent owners.

from=part

When checking symbolic links (parameters on and if_not_owner), all

components of the pathname are normally checked. Checking of symbolic

links in the initial part of the pathname may be avoided by specifying

additionally the from=part parameter. In this case, symbolic links are

checked only from the pathname component that follows the speciﬁed

initial part. If the value is not an initial part of the pathname checked,

the whole pathname is checked as if this parameter was not speciﬁed

at all. If the value matches the whole ﬁle name, symbolic links are not

checked. The parameter value can contain variables.

Example:

disable_symlinks on from=$document_root;

This directive is only available on systems that have the openat and

fstatat interfaces. Such systems include modern versions of FreeBSD,

Linux, and Solaris.

Parameters on and if_not_owner add a processing overhead.

On systems that do not support opening of directories only for search,

to use these parameters it is required that worker processes have read

permissions for all directories being checked.

Nginx, Inc. p.27 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

The ngx http autoindex module, ngx http random index module, and

ngx http dav module modules currently ignore this directive.

error page

Syntax: error_page code . . . [=[response]] uri;

Default —

Context: http, server, location, if in location

Deﬁnes the URI that will be shown for the speciﬁed errors. A uri value can

contain variables.

Example:

error_page 404 /404.html;

error_page 500 502 503 504 /50x.html;

This causes an internal redirect to the speciﬁed uri with the client request

method changed to “GET” (for all methods other than “GET” and “HEAD”).

Furthermore, it is possible to change the response code to another using

the “=response” syntax, for example:

error_page 404 =200 /empty.gif;

If an error response is processed by a proxied server or a FastCGI/uwsgi/

SCGI/gRPC server, and the server may return diﬀerent response codes (e.g.,

200, 302, 401 or 404), it is possible to respond with the code it returns:

error_page 404 = /404.php;

If there is no need to change URI and method during internal redirection

it is possible to pass error processing into a named location:

location / {

error_page 404 = @fallback;

}

location @fallback {

proxy_pass http://backend;

}

If uri processing leads to an error, the status code of the last occurred

error is returned to the client.

It is also possible to use URL redirects for error processing:

error_page 403 http://example.com/forbidden.html;

error_page 404 =301 http://example.com/notfound.html;

In this case, by default, the response code 302 is returned to the client. It

can only be changed to one of the redirect status codes (301, 302, 303, 307,

and 308).

Nginx, Inc. p.28 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

The code 307 was not treated as a redirect until versions 1.1.16 and 1.0.13.

The code 308 was not treated as a redirect until version 1.13.0.

These directives are inherited from the previous conﬁguration level if and

only if there are no error_page directives deﬁned on the current level.

etag

Syntax: etag on | off;

Default on

Context: http, server, location

This directive appeared in version 1.3.3.

Enables or disables automatic generation of the ETag response header ﬁeld

for static resources.

http

Syntax: http { . . . }

Default —

Context: main

Provides the conﬁguration ﬁle context in which the HTTP server directives

are speciﬁed.

if modiﬁed since

Syntax: if_modified_since off | exact | before;

Default exact

Context: http, server, location

This directive appeared in version 0.7.24.

Speciﬁes how to compare modiﬁcation time of a response with the time in

the If-Modified-Since request header ﬁeld:

off

the response is always considered modiﬁed (0.7.34);

exact

exact match;

before

modiﬁcation time of the response is less than or equal to the time in the

If-Modified-Since request header ﬁeld.

ignore invalid headers

Syntax: ignore_invalid_headers on | off;

Default on

Context: http, server

Nginx, Inc. p.29 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

Controls whether header ﬁelds with invalid names should be ignored.

Valid names are composed of English letters, digits, hyphens, and possibly

underscores (as controlled by the underscores in headers directive).

If the directive is speciﬁed on the server level, the value from the default

server can be used. Details are provided in the “Virtual server selection”

section.

internal

Syntax: internal;

Default —

Context: location

Speciﬁes that a given location can only be used for internal requests. For

external requests, the client error 404 Not Found is returned. Internal

requests are the following:

• requests redirected by the error page, index, internal redirect, random -

index, and try ﬁles directives;

• requests redirected by the X-Accel-Redirect response header ﬁeld

from an upstream server;

• subrequests formed by the “include virtual” command of the

ngx http ssi module module, by the ngx http addition module module

directives, and by auth request and mirror directives;

• requests changed by the rewrite directive.

Example:

error_page 404 /404.html;

location = /404.html {

internal;

}

There is a limit of 10 internal redirects per request to prevent request

processing cycles that can occur in incorrect conﬁgurations. If this limit is

reached, the error 500 Internal Server Error is returned. In such

cases, the “rewrite or internal redirection cycle” message can be seen in the

error log.

keepalive disable

Syntax: keepalive_disable none | browser . . . ;

Default msie6

Context: http, server, location

Nginx, Inc. p.30 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

Disables keep-alive connections with misbehaving browsers. The browser

parameters specify which browsers will be aﬀected. The value msie6 disables

keep-alive connections with old versions of MSIE, once a POST request is

received. The value safari disables keep-alive connections with Safari and

Safari-like browsers on macOS and macOS-like operating systems. The value

none enables keep-alive connections with all browsers.

Prior to version 1.1.18, the value safari matched all Safari and Safari-

like browsers on all operating systems, and keep-alive connections with them

were disabled by default.

keepalive requests

Syntax: keepalive_requests number;

Default 1000

Context: http, server, location

This directive appeared in version 0.8.0.

Sets the maximum number of requests that can be served through one

keep-alive connection. After the maximum number of requests are made, the

connection is closed.

Closing connections periodically is necessary to free per-connection memory

allocations. Therefore, using too high maximum number of requests could

result in excessive memory usage and not recommended.

Prior to version 1.19.10, the default value was 100.

keepalive time

Syntax: keepalive_time time;

Default 1h

Context: http, server, location

This directive appeared in version 1.19.10.

Limits the maximum time during which requests can be processed through

one keep-alive connection. After this time is reached, the connection is closed

following the subsequent request processing.

keepalive timeout

Syntax: keepalive_timeout timeout [header timeout];

Default 75s

Context: http, server, location

The ﬁrst parameter sets a timeout during which a keep-alive client

connection will stay open on the server side. The zero value disables keep-

alive client connections. The optional second parameter sets a value in the

Keep-Alive: timeout=time response header ﬁeld. Two parameters

may diﬀer.

Nginx, Inc. p.31 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

The Keep-Alive: timeout=time header ﬁeld is recognized by

Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about

60 seconds.

large client header buﬀers

Syntax: large_client_header_buffers number size;

Default 4 8k

Context: http, server

Sets the maximum number and size of buﬀers used for reading large client

request header. A request line cannot exceed the size of one buﬀer, or the

414 Request-URI Too Large error is returned to the client. A request

header ﬁeld cannot exceed the size of one buﬀer as well, or the 400 Bad

Request error is returned to the client. Buﬀers are allocated only on demand.

By default, the buﬀer size is equal to 8K bytes. If after the end of request

processing a connection is transitioned into the keep-alive state, these buﬀers

are released.

If the directive is speciﬁed on the server level, the value from the default

server can be used. Details are provided in the “Virtual server selection”

section.

limit except

Syntax: limit_except method . . . { . . . }

Default —

Context: location

Limits allowed HTTP methods inside a location. The method parameter

can be one of the following: GET, HEAD, POST, PUT, DELETE, MKCOL,

COPY, MOVE, OPTIONS, PROPFIND, PROPPATCH, LOCK, UNLOCK, or PATCH.

Allowing the GET method makes the HEAD method also allowed. Access

to other methods can be limited using the ngx http access module, ngx -

http auth basic module, and ngx http auth jwt module (1.13.10) modules

directives:

limit_except GET {

allow 192.168.1.0/32;

deny all;

}

Please note that this will limit access to all methods except GET and

HEAD.

limit rate

Syntax: limit_rate rate;

Default 0

Context: http, server, location, if in location

Nginx, Inc. p.32 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

Limits the rate of response transmission to a client. The rate is speciﬁed

in bytes per second. The zero value disables rate limiting.

The limit is set per a request, and so if a client simultaneously opens two

connections, the overall rate will be twice as much as the speciﬁed limit.

Parameter value can contain variables (1.17.0). It may be useful in cases

where rate should be limited depending on a certain condition:

map $slow $rate {

1 4k;

2 8k;

}

limit_rate $rate;

Rate limit can also be set in the $limit rate variable, however, since version

1.17.0, this method is not recommended:

server {

if ($slow) {

set $limit_rate 4k;

}

...

}

Rate limit can also be set in the X-Accel-Limit-Rate header ﬁeld

of a proxied server response. This capability can be disabled using the

proxy ignore headers, fastcgi ignore headers, uwsgi ignore headers, and scgi -

ignore headers directives.

limit rate after

Syntax: limit_rate_after size;

Default 0

Context: http, server, location, if in location

This directive appeared in version 0.8.0.

Sets the initial amount after which the further transmission of a response

to a client will be rate limited. Parameter value can contain variables (1.17.0).

Example:

location /flv/ {

flv;

limit_rate_after 500k;

limit_rate 50k;

}

lingering close

Syntax: lingering_close off | on | always;

Default on

Context: http, server, location

Nginx, Inc. p.33 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

This directive appeared in versions 1.1.0 and 1.0.6.

Controls how nginx closes client connections.

The default value “on” instructs nginx to wait for and process additional

data from a client before fully closing a connection, but only if heuristics

suggests that a client may be sending more data.

The value “always” will cause nginx to unconditionally wait for and

process additional client data.

The value “off” tells nginx to never wait for more data and close the

connection immediately. This behavior breaks the protocol and should not be

used under normal circumstances.

To control closing HTTP/2 connections, the directive must be speciﬁed on

the server level (1.19.1).

lingering time

Syntax: lingering_time time;

Default 30s

Context: http, server, location

When lingering close is in eﬀect, this directive speciﬁes the maximum time

during which nginx will process (read and ignore) additional data coming from

a client. After that, the connection will be closed, even if there will be more

data.

lingering timeout

Syntax: lingering_timeout time;

Default 5s

Context: http, server, location

When lingering close is in eﬀect, this directive speciﬁes the maximum

waiting time for more client data to arrive. If data are not received during

this time, the connection is closed. Otherwise, the data are read and ignored,

and nginx starts waiting for more data again. The “wait-read-ignore” cycle is

repeated, but no longer than speciﬁed by the lingering time directive.

Nginx, Inc. p.34 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

listen

Syntax: listen address[:port] [default_server] [ssl] [http2 | quic]

[proxy_protocol] [setfib=number] [fastopen=number]

[backlog=number] [rcvbuf=size] [sndbuf=size]

[accept_filter=ﬁlter] [deferred] [bind] [ipv6only=on|off]

[reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

Syntax: listen port [default_server] [ssl] [http2 | quic]

[proxy_protocol] [setfib=number] [fastopen=number]

[backlog=number] [rcvbuf=size] [sndbuf=size]

[accept_filter=ﬁlter] [deferred] [bind] [ipv6only=on|off]

[reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

Syntax: listen unix:path [default_server] [ssl] [http2 | quic]

[proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size]

[accept_filter=ﬁlter] [deferred] [bind]

[so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];

Default

:80 |

:8000

Context: server

Sets the address and port for IP, or the path for a UNIX-domain socket on

which the server will accept requests. Both address and port, or only address

or only port can be speciﬁed. An address may also be a hostname, for example:

listen 127.0.0.1:8000;

listen 127.0.0.1;

listen 8000;

listen

:8000;

listen localhost:8000;

IPv6 addresses (0.7.36) are speciﬁed in square brackets:

listen [::]:8000;

listen [::1];

UNIX-domain sockets (0.8.21) are speciﬁed with the “unix:” preﬁx:

listen unix:/var/run/nginx.sock;

If only address is given, the port 80 is used.

If the directive is not present then either

:80 is used if nginx runs with

the superuser privileges, or

:8000 otherwise.

The default_server parameter, if present, will cause the server to

become the default server for the speciﬁed address:port pair. If none of the

directives have the default_server parameter then the ﬁrst server with

the address:port pair will be the default server for this pair.

In versions prior to 0.8.21 this parameter is named simply default.

The ssl parameter (0.7.14) allows specifying that all connections accepted

on this port should work in SSL mode. This allows for a more compact

conﬁguration for the server that handles both HTTP and HTTPS requests.

Nginx, Inc. p.35 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

The http2 parameter (1.9.5) conﬁgures the port to accept HTTP/2

connections. Normally, for this to work the ssl parameter should be speciﬁed

as well, but nginx can also be conﬁgured to accept HTTP/2 connections

without SSL.

The parameter is deprecated, the http2 directive should be used instead.

The quic parameter (1.25.0) conﬁgures the port to accept QUIC

connections.

The proxy_protocol parameter (1.5.12) allows specifying that all

connections accepted on this port should use the PROXY protocol.

The PROXY protocol version 2 is supported since version 1.13.11.

The listen directive can have several additional parameters speciﬁc to

socket-related system calls. These parameters can be speciﬁed in any listen

directive, but only once for a given address:port pair.

In versions prior to 0.8.21, they could only be speciﬁed in the listen

directive together with the default parameter.

setfib=number

this parameter (0.8.44) sets the associated routing table, FIB (the

SO_SETFIB option) for the listening socket. This currently works only

on FreeBSD.

fastopen=number

enables “TCP Fast Open” for the listening socket (1.5.8) and limits

the maximum length for the queue of connections that have not yet

completed the three-way handshake.

Do not enable this feature unless the server can handle receiving the

same SYN packet with data more than once.

backlog=number

sets the backlog parameter in the listen call that limits the

maximum length for the queue of pending connections. By default,

backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS, and

to 511 on other platforms.

rcvbuf=size

sets the receive buﬀer size (the SO_RCVBUF option) for the listening

socket.

sndbuf=size

sets the send buﬀer size (the SO_SNDBUF option) for the listening socket.

accept_filter=ﬁlter

sets the name of accept ﬁlter (the SO_ACCEPTFILTER option) for the

listening socket that ﬁlters incoming connections before passing them

to accept. This works only on FreeBSD and NetBSD 5.0+. Possible

values are dataready and httpready.

Nginx, Inc. p.36 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

deferred

instructs to use a deferred accept (the TCP_DEFER_ACCEPT socket

option) on Linux.

bind

instructs to make a separate bind call for a given address:port pair. This

is useful because if there are several listen directives with the same

port but diﬀerent addresses, and one of the listen directives listens on

all addresses for the given port (

:port), nginx will bind only to

:port.

It should be noted that the getsockname system call will be made in

this case to determine the address that accepted the connection. If the

setfib, fastopen, backlog, rcvbuf, sndbuf, accept_filter,

deferred, ipv6only, reuseport, or so_keepalive parameters

are used then for a given address:port pair a separate bind call will

always be made.

ipv6only=on|off

this parameter (0.7.42) determines (via the IPV6_V6ONLY socket

option) whether an IPv6 socket listening on a wildcard address [::]

will accept only IPv6 connections or both IPv6 and IPv4 connections.

This parameter is turned on by default. It can only be set once on start.

Prior to version 1.3.4, if this parameter was omitted then the operating

system’s settings were in eﬀect for the socket.

reuseport

this parameter (1.9.1) instructs to create an individual listening socket for

each worker process (using the SO_REUSEPORT socket option on Linux

3.9+ and DragonFly BSD, or SO_REUSEPORT_LB on FreeBSD 12+),

allowing a kernel to distribute incoming connections between worker

processes. This currently works only on Linux 3.9+, DragonFly BSD,

and FreeBSD 12+ (1.15.1).

Inappropriate use of this option may have its security implications.

so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]

this parameter (1.1.11) conﬁgures the “TCP keepalive” behavior for

the listening socket. If this parameter is omitted then the operating

system’s settings will be in eﬀect for the socket. If it is set to the

value “on”, the SO_KEEPALIVE option is turned on for the socket.

If it is set to the value “off”, the SO_KEEPALIVE option is turned

oﬀ for the socket. Some operating systems support setting of TCP

keepalive parameters on a per-socket basis using the TCP_KEEPIDLE,

TCP_KEEPINTVL, and TCP_KEEPCNT socket options. On such systems

(currently, Linux 2.4+, NetBSD 5+, and FreeBSD 9.0-STABLE), they

can be conﬁgured using the keepidle, keepintvl, and keepcnt parameters.

One or two parameters may be omitted, in which case the system default

setting for the corresponding socket option will be in eﬀect. For example,

Nginx, Inc. p.37 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

so_keepalive=30m::10

will set the idle timeout (TCP_KEEPIDLE) to 30 minutes, leave the probe

interval (TCP_KEEPINTVL) at its system default, and set the probes

count (TCP_KEEPCNT) to 10 probes.

Example:

listen 127.0.0.1 default_server accept_filter=dataready backlog=1024;

location

Syntax: location [ = | ~ | ~

| ˆ~ ] uri { . . . }

Syntax: location @name { . . . }

Default —

Context: server, location

Sets conﬁguration depending on a request URI.

The matching is performed against a normalized URI, after decoding

the text encoded in the “%XX” form, resolving references to relative path

components “.” and “..”, and possible compression of two or more adjacent

slashes into a single slash.

A location can either be deﬁned by a preﬁx string, or by a regular

expression. Regular expressions are speciﬁed with the preceding “~

”

modiﬁer (for case-insensitive matching), or the “~” modiﬁer (for case-sensitive

matching). To ﬁnd location matching a given request, nginx ﬁrst checks

locations deﬁned using the preﬁx strings (preﬁx locations). Among them,

the location with the longest matching preﬁx is selected and remembered.

Then regular expressions are checked, in the order of their appearance in the

conﬁguration ﬁle. The search of regular expressions terminates on the ﬁrst

match, and the corresponding conﬁguration is used. If no match with a regular

expression is found then the conﬁguration of the preﬁx location remembered

earlier is used.

location blocks can be nested, with some exceptions mentioned below.

For case-insensitive operating systems such as macOS and Cygwin,

matching with preﬁx strings ignores a case (0.7.7). However, comparison is

limited to one-byte locales.

Regular expressions can contain captures (0.7.40) that can later be used in

other directives.

If the longest matching preﬁx location has the “ˆ~” modiﬁer then regular

expressions are not checked.

Also, using the “=” modiﬁer it is possible to deﬁne an exact match of

URI and location. If an exact match is found, the search terminates. For

example, if a “/” request happens frequently, deﬁning “location = /” will

speed up the processing of these requests, as search terminates right after the

ﬁrst comparison. Such a location cannot obviously contain nested locations.

Nginx, Inc. p.38 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

In versions from 0.7.1 to 0.8.41, if a request matched the preﬁx location

without the “=” and “ˆ~” modiﬁers, the search also terminated and regular

expressions were not checked.

Let’s illustrate the above by an example:

location = / {

[ configuration A ]

}

location / {

[ configuration B ]

}

location /documents/ {

[ configuration C ]

}

location ^~ /images/ {

[ configuration D ]

}

location ~

\.(gif|jpg|jpeg)$ {

[ configuration E ]

}

The “/” request will match conﬁguration A, the “/index.html”

request will match conﬁguration B, the “/documents/document.html”

request will match conﬁguration C, the “/images/1.gif” request will

match conﬁguration D, and the “/documents/1.jpg” request will match

conﬁguration E.

The “@” preﬁx deﬁnes a named location. Such a location is not used for

a regular request processing, but instead used for request redirection. They

cannot be nested, and cannot contain nested locations.

If a location is deﬁned by a preﬁx string that ends with the slash character,

and requests are processed by one of proxy pass, fastcgi pass, uwsgi pass,

scgi pass, memcached pass, or grpc pass, then the special processing is

performed. In response to a request with URI equal to this string, but without

the trailing slash, a permanent redirect with the code 301 will be returned to

the requested URI with the slash appended. If this is not desired, an exact

match of the URI and location could be deﬁned like this:

location /user/ {

proxy_pass http://user.example.com;

}

location = /user {

proxy_pass http://login.example.com;

}

log not found

Syntax: log_not_found on | off;

Default on

Context: http, server, location

Nginx, Inc. p.39 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

Enables or disables logging of errors about not found ﬁles into error log.

log subrequest

Syntax: log_subrequest on | off;

Default off

Context: http, server, location

Enables or disables logging of subrequests into access log.

max ranges

Syntax: max_ranges number;

Default —

Context: http, server, location

This directive appeared in version 1.1.2.

Limits the maximum allowed number of ranges in byte-range requests.

Requests that exceed the limit are processed as if there were no byte ranges

speciﬁed. By default, the number of ranges is not limited. The zero value

disables the byte-range support completely.

merge slashes

Syntax: merge_slashes on | off;

Default on

Context: http, server

Enables or disables compression of two or more adjacent slashes in a URI

into a single slash.

Note that compression is essential for the correct matching of preﬁx string

and regular expression locations. Without it, the “//scripts/one.php”

request would not match

location /scripts/ {

...

}

and might be processed as a static ﬁle. So it gets converted to “/scripts/

one.php”.

Turning the compression off can become necessary if a URI contains

base64-encoded names, since base64 uses the“/”character internally. However,

for security considerations, it is better to avoid turning the compression oﬀ.

If the directive is speciﬁed on the server level, the value from the default

server can be used. Details are provided in the “Virtual server selection”

section.

Nginx, Inc. p.40 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

msie padding

Syntax: msie_padding on | off;

Default on

Context: http, server, location

Enables or disables adding comments to responses for MSIE clients with

status greater than 400 to increase the response size to 512 bytes.

msie refresh

Syntax: msie_refresh on | off;

Default off

Context: http, server, location

Enables or disables issuing refreshes instead of redirects for MSIE clients.

open ﬁle cache

Syntax: open_file_cache off;

Syntax: open_file_cache max=N [inactive=time];

Default off

Context: http, server, location

Conﬁgures a cache that can store:

• open ﬁle descriptors, their sizes and modiﬁcation times;

• information on existence of directories;

• ﬁle lookup errors, such as “ﬁle not found”, “no read permission”, and so

on.

Caching of errors should be enabled separately by the open ﬁle cache -

errors directive.

The directive has the following parameters:

max

sets the maximum number of elements in the cache; on cache overﬂow

the least recently used (LRU) elements are removed;

inactive

deﬁnes a time after which an element is removed from the cache if it has

not been accessed during this time; by default, it is 60 seconds;

off

disables the cache.

Example:

open_file_cache max=1000 inactive=20s;

open_file_cache_valid 30s;

open_file_cache_min_uses 2;

open_file_cache_errors on;

Nginx, Inc. p.41 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

open ﬁle cache errors

Syntax: open_file_cache_errors on | off;

Default off

Context: http, server, location

Enables or disables caching of ﬁle lookup errors by open ﬁle cache.

open ﬁle cache min uses

Syntax: open_file_cache_min_uses number;

Default 1

Context: http, server, location

Sets the minimum number of ﬁle accesses during the period conﬁgured by

the inactive parameter of the open ﬁle cache directive, required for a ﬁle

descriptor to remain open in the cache.

open ﬁle cache valid

Syntax: open_file_cache_valid time;

Default 60s

Context: http, server, location

Sets a time after which open ﬁle cache elements should be validated.

output buﬀers

Syntax: output_buffers number size;

Default 2 32k

Context: http, server, location

Sets the number and size of the buﬀers used for reading a response from a

disk.

Prior to version 1.9.5, the default value was 1 32k.

port in redirect

Syntax: port_in_redirect on | off;

Default on

Context: http, server, location

Enables or disables specifying the port in absolute redirects issued by nginx.

The use of the primary server name in redirects is controlled by the server -

name in redirect directive.

Nginx, Inc. p.42 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

postpone output

Syntax: postpone_output size;

Default 1460

Context: http, server, location

If possible, the transmission of client data will be postponed until nginx

has at least size bytes of data to send. The zero value disables postponing data

transmission.

read ahead

Syntax: read_ahead size;

Default 0

Context: http, server, location

Sets the amount of pre-reading for the kernel when working with ﬁle.

On Linux, the posix_fadvise(0, 0, 0, POSIX_FADV_SEQUEN-

TIAL) system call is used, and so the size parameter is ignored.

On FreeBSD, the fcntl(O_READAHEAD, size) system call, supported

since FreeBSD 9.0-CURRENT, is used. FreeBSD 7 has to be patched.

recursive error pages

Syntax: recursive_error_pages on | off;

Default off

Context: http, server, location

Enables or disables doing several redirects using the error page directive.

The number of such redirects is limited.

request pool size

Syntax: request_pool_size size;

Default 4k

Context: http, server

Allows accurate tuning of per-request memory allocations. This directive

has minimal impact on performance and should not generally be used.

reset timedout connection

Syntax: reset_timedout_connection on | off;

Default off

Context: http, server, location

Enables or disables resetting timed out connections and connections closed

with the non-standard code 444 (1.15.2). The reset is performed as follows.

Before closing a socket, the SO_LINGER option is set on it with a timeout

value of 0. When the socket is closed, TCP RST is sent to the client, and

Nginx, Inc. p.43 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

all memory occupied by this socket is released. This helps avoid keeping an

already closed socket with ﬁlled buﬀers in a FIN WAIT1 state for a long time.

It should be noted that timed out keep-alive connections are closed

normally.

resolver

Syntax: resolver address . . . [valid=time] [ipv4=on|off] [ipv6=on|off]

[status_zone=zone];

Default —

Context: http, server, location

Conﬁgures name servers used to resolve names of upstream servers into

addresses, for example:

resolver 127.0.0.1 [::1]:5353;

The address can be speciﬁed as a domain name or IP address, with an

optional port (1.3.1, 1.2.2). If port is not speciﬁed, the port 53 is used. Name

servers are queried in a round-robin fashion.

Before version 1.1.7, only a single name server could be conﬁgured.

Specifying name servers using IPv6 addresses is supported starting from

versions 1.3.1 and 1.2.2.

By default, nginx will look up both IPv4 and IPv6 addresses while resolving.

If looking up of IPv4 or IPv6 addresses is not desired, the ipv4=off (1.23.1)

or the ipv6=off parameter can be speciﬁed.

Resolving of names into IPv6 addresses is supported starting from version

1.5.8.

By default, nginx caches answers using the TTL value of a response. An

optional valid parameter allows overriding it:

resolver 127.0.0.1 [::1]:5353 valid=30s;

Before version 1.1.9, tuning of caching time was not possible, and nginx

always cached answers for the duration of 5 minutes.

To prevent DNS spooﬁng, it is recommended conﬁguring DNS servers in

a properly secured trusted local network.

The optional status_zone parameter (1.17.1) enables collection of DNS

server statistics of requests and responses in the speciﬁed zone. The parameter

is available as part of our commercial subscription.

Nginx, Inc. p.44 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

resolver timeout

Syntax: resolver_timeout time;

Default 30s

Context: http, server, location

Sets a timeout for name resolution, for example:

resolver_timeout 5s;

root

Syntax: root path;

Default html

Context: http, server, location, if in location

Sets the root directory for requests. For example, with the following

conﬁguration

location /i/ {

root /data/w3;

}

The /data/w3/i/top.gif ﬁle will be sent in response to the “/i/

top.gif” request.

The path value can contain variables, except $document root and

$realpath root.

A path to the ﬁle is constructed by merely adding a URI to the value of

the root directive. If a URI has to be modiﬁed, the alias directive should be

used.

satisfy

Syntax: satisfy all | any;

Default all

Context: http, server, location

Allows access if all (all) or at least one (any) of the ngx http -

access module, ngx http auth basic module, ngx http auth request module,

or ngx http auth jwt module modules allow access.

Example:

location / {

satisfy any;

allow 192.168.1.0/32;

deny all;

auth_basic "closed site";

auth_basic_user_file conf/htpasswd;

}

Nginx, Inc. p.45 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

send lowat

Syntax: send_lowat size;

Default 0

Context: http, server, location

If the directive is set to a non-zero value, nginx will try to minimize the

number of send operations on client sockets by using either NOTE_LOWAT ﬂag

of the kqueue method or the SO_SNDLOWAT socket option. In both cases the

speciﬁed size is used.

This directive is ignored on Linux, Solaris, and Windows.

send timeout

Syntax: send_timeout time;

Default 60s

Context: http, server, location

Sets a timeout for transmitting a response to the client. The timeout is set

only between two successive write operations, not for the transmission of the

whole response. If the client does not receive anything within this time, the

connection is closed.

sendﬁle

Syntax: sendfile on | off;

Default off

Context: http, server, location, if in location

Enables or disables the use of sendfile.

Starting from nginx 0.8.12 and FreeBSD 5.2.1, aio can be used to pre-load

data for sendfile:

location /video/ {

sendfile on;

tcp_nopush on;

aio on;

}

In this conﬁguration, sendfile is called with the SF_NODISKIO ﬂag

which causes it not to block on disk I/O, but, instead, report back that the

data are not in memory. nginx then initiates an asynchronous data load by

reading one byte. On the ﬁrst read, the FreeBSD kernel loads the ﬁrst 128K

bytes of a ﬁle into memory, although next reads will only load data in 16K

chunks. This can be changed using the read ahead directive.

Before version 1.7.11, pre-loading could be enabled with aio send-

file;.

Nginx, Inc. p.46 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

sendﬁle max chunk

Syntax: sendfile_max_chunk size;

Default 2m

Context: http, server, location

Limits the amount of data that can be transferred in a single sendfile

call. Without the limit, one fast connection may seize the worker process

entirely.

Prior to version 1.21.4, by default there was no limit.

server

Syntax: server { . . . }

Default —

Context: http

Sets conﬁguration for a virtual server. There is no clear separation between

IP-based (based on the IP address) and name-based (based on the Host

request header ﬁeld) virtual servers. Instead, the listen directives describe

all addresses and ports that should accept connections for the server, and

the server name directive lists all server names. Example conﬁgurations are

provided in the “How nginx processes a request” document.

server name

Syntax: server_name name . . . ;

Default ""

Context: server

Sets names of a virtual server, for example:

server {

server_name example.com www.example.com;

}

The ﬁrst name becomes the primary server name.

Server names can include an asterisk (“

”) replacing the ﬁrst or last part

of a name:

server {

server_name example.com

.example.com www.example.

;

}

Such names are called wildcard names.

The ﬁrst two of the names mentioned above can be combined in one:

server {

server_name .example.com;

}

Nginx, Inc. p.47 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

It is also possible to use regular expressions in server names, preceding the

name with a tilde (“~”):

server {

server_name www.example.com ~^www\d+\.example\.com$;

}

Regular expressions can contain captures (0.7.40) that can later be used in

other directives:

server {

server_name ~^(www\.)?(.+)$;

location / {

root /sites/$2;

}

server {

server_name _;

location / {

root /sites/default;

}

Named captures in regular expressions create variables (0.8.25) that can

later be used in other directives:

server {

server_name ~^(www\.)?(?<domain>.+)$;

location / {

root /sites/$domain;

}

server {

server_name _;

location / {

root /sites/default;

}

If the directive’s parameter is set to “$hostname” (0.9.4), the machine’s

hostname is inserted.

It is also possible to specify an empty server name (0.7.11):

server {

server_name www.example.com "";

}

It allows this server to process requests without the Host header ﬁeld —

instead of the default server — for the given address:port pair. This is the

default setting.

Nginx, Inc. p.48 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

Before 0.8.48, the machine’s hostname was used by default.

During searching for a virtual server by name, if the name matches more

than one of the speciﬁed variants, (e.g. both a wildcard name and regular

expression match), the ﬁrst matching variant will be chosen, in the following

order of priority:

1. the exact name

2. the longest wildcard name starting with an asterisk, e.g.

“

.example.com”

3. the longest wildcard name ending with an asterisk, e.g. “mail.

”

4. the ﬁrst matching regular expression (in order of appearance in the

conﬁguration ﬁle)

Detailed description of server names is provided in a separate Server names

document.

server name in redirect

Syntax: server_name_in_redirect on | off;

Default off

Context: http, server, location

Enables or disables the use of the primary server name, speciﬁed by the

server name directive, in absolute redirects issued by nginx. When the use of

the primary server name is disabled, the name from the Host request header

ﬁeld is used. If this ﬁeld is not present, the IP address of the server is used.

The use of a port in redirects is controlled by the port in redirect directive.

server names hash bucket size

Syntax: server_names_hash_bucket_size size;

Default 32|64|128

Context: http

Sets the bucket size for the server names hash tables. The default value

depends on the size of the processor’s cache line. The details of setting up

hash tables are provided in a separate document.

server names hash max size

Syntax: server_names_hash_max_size size;

Default 512

Context: http

Sets the maximum size of the server names hash tables. The details of

setting up hash tables are provided in a separate document.

Nginx, Inc. p.49 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

server tokens

Syntax: server_tokens on | off | build | string;

Default on

Context: http, server, location

Enables or disables emitting nginx version on error pages and in the

Server response header ﬁeld.

The build parameter (1.11.10) enables emitting a build name along with

nginx version.

Additionally, as part of our commercial subscription, starting from version

1.9.13 the signature on error pages and the Server response header ﬁeld value

can be set explicitly using the string with variables. An empty string disables

the emission of the Server ﬁeld.

subrequest output buﬀer size

Syntax: subrequest_output_buffer_size size;

Default 4k|8k

Context: http, server, location

This directive appeared in version 1.13.10.

Sets the size of the buﬀer used for storing the response body of a subrequest.

By default, the buﬀer size is equal to one memory page. This is either 4K or

8K, depending on a platform. It can be made smaller, however.

The directive is applicable only for subrequests with response bodies saved

into memory. For example, such subrequests are created by SSI.

tcp nodelay

Syntax: tcp_nodelay on | off;

Default on

Context: http, server, location

Enables or disables the use of the TCP_NODELAY option. The option

is enabled when a connection is transitioned into the keep-alive state.

Additionally, it is enabled on SSL connections, for unbuﬀered proxying, and

for WebSocket proxying.

tcp nopush

Syntax: tcp_nopush on | off;

Default off

Context: http, server, location

Enables or disables the use of the TCP_NOPUSH socket option on FreeBSD

or the TCP_CORK socket option on Linux. The options are enabled only when

sendﬁle is used. Enabling the option allows

• sending the response header and the beginning of a ﬁle in one packet, on

Linux and FreeBSD 4.*;

Nginx, Inc. p.50 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

• sending a ﬁle in full packets.

try ﬁles

Syntax: try_files ﬁle . . . uri;

Syntax: try_files ﬁle . . . =code;

Default —

Context: server, location

Checks the existence of ﬁles in the speciﬁed order and uses the ﬁrst found

ﬁle for request processing; the processing is performed in the current context.

The path to a ﬁle is constructed from the ﬁle parameter according to the root

and alias directives. It is possible to check directory’s existence by specifying

a slash at the end of a name, e.g. “$uri/”. If none of the ﬁles were found,

an internal redirect to the uri speciﬁed in the last parameter is made. For

example:

location /images/ {

try_files $uri /images/default.gif;

}

location = /images/default.gif {

expires 30s;

}

The last parameter can also point to a named location, as shown in

examples below. Starting from version 0.7.51, the last parameter can also

be a code:

location / {

try_files $uri $uri/index.html $uri.html =404;

}

Example in proxying Mongrel:

location / {

try_files /system/maintenance.html

$uri $uri/index.html $uri.html

@mongrel;

}

location @mongrel {

proxy_pass http://mongrel;

}

Example for Drupal/FastCGI:

location / {

try_files $uri $uri/ @drupal;

}

location ~ \.php$ {

try_files $uri @drupal;

fastcgi_pass ...;

fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;

Nginx, Inc. p.51 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

fastcgi_param SCRIPT_NAME $fastcgi_script_name;

fastcgi_param QUERY_STRING $args;

... other fastcgi_param’s

}

location @drupal {

fastcgi_pass ...;

fastcgi_param SCRIPT_FILENAME /path/to/index.php;

fastcgi_param SCRIPT_NAME /index.php;

fastcgi_param QUERY_STRING q=$uri&$args;

... other fastcgi_param’s

}

In the following example,

location / {

try_files $uri $uri/ @drupal;

}

the try_files directive is equivalent to

location / {

error_page 404 = @drupal;

log_not_found off;

}

And here,

location ~ \.php$ {

try_files $uri @drupal;

fastcgi_pass ...;

fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;

...

}

try_files checks the existence of the PHP ﬁle before passing the request

to the FastCGI server.

Example for Wordpress and Joomla:

location / {

try_files $uri $uri/ @wordpress;

}

location ~ \.php$ {

try_files $uri @wordpress;

fastcgi_pass ...;

fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;

... other fastcgi_param’s

}

location @wordpress {

fastcgi_pass ...;

fastcgi_param SCRIPT_FILENAME /path/to/index.php;

... other fastcgi_param’s

Nginx, Inc. p.52 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

}

types

Syntax: types { . . . }

Default text/html html; image/gif gif; image/jpeg jpg;

Context: http, server, location

Maps ﬁle name extensions to MIME types of responses. Extensions are

case-insensitive. Several extensions can be mapped to one type, for example:

types {

application/octet-stream bin exe dll;

application/octet-stream deb;

application/octet-stream dmg;

}

A suﬃciently full mapping table is distributed with nginx in the conf/¬

mime.types ﬁle.

To make a particular location emit the “application/octet-stream”

MIME type for all requests, the following conﬁguration can be used:

location /download/ {

types { }

default_type application/octet-stream;

}

types hash bucket size

Syntax: types_hash_bucket_size size;

Default 64

Context: http, server, location

Sets the bucket size for the types hash tables. The details of setting up

hash tables are provided in a separate document.

Prior to version 1.5.13, the default value depended on the size of the

processor’s cache line.

types hash max size

Syntax: types_hash_max_size size;

Default 1024

Context: http, server, location

Sets the maximum size of the types hash tables. The details of setting up

hash tables are provided in a separate document.

Nginx, Inc. p.53 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

underscores in headers

Syntax: underscores_in_headers on | off;

Default off

Context: http, server

Enables or disables the use of underscores in client request header ﬁelds.

When the use of underscores is disabled, request header ﬁelds whose names

contain underscores are marked as invalid and become subject to the ignore -

invalid headers directive.

If the directive is speciﬁed on the server level, the value from the default

server can be used. Details are provided in the “Virtual server selection”

section.

variables hash bucket size

Syntax: variables_hash_bucket_size size;

Default 64

Context: http

Sets the bucket size for the variables hash table. The details of setting up

hash tables are provided in a separate document.

variables hash max size

Syntax: variables_hash_max_size size;

Default 1024

Context: http

Sets the maximum size of the variables hash table. The details of setting

up hash tables are provided in a separate document.

Prior to version 1.5.13, the default value was 512.

2.1.2 Embedded Variables

The ngx_http_core_module module supports embedded variables with

names matching the Apache Server variables. First of all, these are variables

representing client request header ﬁelds, such as $http user agent, $http cookie,

and so on. Also there are other variables:

$arg name

argument name in the request line

$args

arguments in the request line

$binary remote addr

client address in a binary form, value’s length is always 4 bytes for IPv4

addresses or 16 bytes for IPv6 addresses

Nginx, Inc. p.54 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

$body bytes sent

number of bytes sent to a client, not counting the response header; this

variable is compatible with the“%B”parameter of the mod_log_config

Apache module

$bytes sent

number of bytes sent to a client (1.3.8, 1.2.5)

$connection

connection serial number (1.3.8, 1.2.5)

$connection requests

current number of requests made through a connection (1.3.8, 1.2.5)

$connection time

connection time in seconds with a milliseconds resolution (1.19.10)

$content length

Content-Length request header ﬁeld

$content type

Content-Type request header ﬁeld

$cookie name

the name cookie

$document root

root or alias directive’s value for the current request

$document uri

same as $uri

$host

in this order of precedence: host name from the request line, or host

name from the Host request header ﬁeld, or the server name matching

a request

$hostname

host name

$http name

arbitrary request header ﬁeld; the last part of a variable name is the ﬁeld

name converted to lower case with dashes replaced by underscores

$https

“on” if connection operates in SSL mode, or an empty string otherwise

$is args

“?” if a request line has arguments, or an empty string otherwise

$limit rate

setting this variable enables response rate limiting; see limit rate

$msec

current time in seconds with the milliseconds resolution (1.3.9, 1.2.6)

$nginx version

nginx version

$pid

PID of the worker process

$pipe

“p” if request was pipelined, “.” otherwise (1.3.12, 1.2.7)

Nginx, Inc. p.55 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

$proxy protocol addr

client address from the PROXY protocol header (1.5.12)

The PROXY protocol must be previously enabled by setting the

proxy_protocol parameter in the listen directive.

$proxy protocol port

client port from the PROXY protocol header (1.11.0)

The PROXY protocol must be previously enabled by setting the

proxy_protocol parameter in the listen directive.

$proxy protocol server addr

server address from the PROXY protocol header (1.17.6)

The PROXY protocol must be previously enabled by setting the

proxy_protocol parameter in the listen directive.

$proxy protocol server port

server port from the PROXY protocol header (1.17.6)

The PROXY protocol must be previously enabled by setting the

proxy_protocol parameter in the listen directive.

$proxy protocol tlv name

TLV from the PROXY Protocol header (1.23.2). The name can be a

TLV type name or its numeric value. In the latter case, the value is

hexadecimal and should be preﬁxed with 0x:

$proxy_protocol_tlv_alpn

$proxy_protocol_tlv_0x01

SSL TLVs can also be accessed by TLV type name or its numeric value,

both preﬁxed by ssl_:

$proxy_protocol_tlv_ssl_version

$proxy_protocol_tlv_ssl_0x21

The following TLV type names are supported:

• alpn (0x01) - upper layer protocol used over the connection

• authority (0x02) - host name value passed by the client

• unique_id (0x05) - unique connection id

• netns (0x30) - name of the namespace

• ssl (0x20) - binary SSL TLV structure

The following SSL TLV type names are supported:

• ssl_version (0x21) - SSL version used in client connection

• ssl_cn (0x22) - SSL certiﬁcate Common Name

• ssl_cipher (0x23) - name of the used cipher

• ssl_sig_alg (0x24) - algorithm used to sign the certiﬁcate

• ssl_key_alg (0x25) - public-key algorithm

Also, the following special SSL TLV type name is supported:

Nginx, Inc. p.56 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

• ssl_verify - client SSL certiﬁcate veriﬁcation result, 0 if the

client presented a certiﬁcate and it was successfully veriﬁed, non-

zero otherwise.

The PROXY protocol must be previously enabled by setting the

proxy_protocol parameter in the listen directive.

$query string

same as $args

$realpath root

an absolute pathname corresponding to the root or alias directive’s value

for the current request, with all symbolic links resolved to real paths

$remote addr

client address

$remote port

client port

$remote user

user name supplied with the Basic authentication

$request

full original request line

$request

body

request body

The variable’s value is made available in locations processed by the

proxy pass, fastcgi pass, uwsgi pass, and scgi pass directives when the

request body was read to a memory buﬀer.

$request body ﬁle

name of a temporary ﬁle with the request body

At the end of processing, the ﬁle needs to be removed. To always write

the request body to a ﬁle, client body in ﬁle only needs to be enabled.

When the name of a temporary ﬁle is passed in a proxied request or in

a request to a FastCGI/uwsgi/SCGI server, passing the request body

should be disabled by the proxy pass request body oﬀ, fastcgi pass -

request body oﬀ, uwsgi pass request body oﬀ, or scgi pass request -

body oﬀ directives, respectively.

$request completion

“OK” if a request has completed, or an empty string otherwise

$request ﬁlename

ﬁle path for the current request, based on the root or alias directives,

and the request URI

$request id

unique request identiﬁer generated from 16 random bytes, in hexadecimal

(1.11.0)

$request length

request length (including request line, header, and request body) (1.3.12,

1.2.7)

$request method

request method, usually “GET” or “POST”

Nginx, Inc. p.57 of 542

CHAPTER 2. HTTP SERVER MODULES 2.1. MODULE NGX HTTP CORE MODULE

$request time

request processing time in seconds with a milliseconds resolution (1.3.9,

1.2.6); time elapsed since the ﬁrst bytes were read from the client

$request uri

full original request URI (with arguments)

$scheme

request scheme, “http” or “https”

$sent http name

arbitrary response header ﬁeld; the last part of a variable name is the

ﬁeld name converted to lower case with dashes replaced by underscores

$sent trailer name

arbitrary ﬁeld sent at the end of the response (1.13.2); the last part of

a variable name is the ﬁeld name converted to lower case with dashes

replaced by underscores

$server addr

an address of the server which accepted a request

Computing a value of this variable usually requires one system call. To

avoid a system call, the listen directives must specify addresses and use

the bind parameter.

$server name

name of the server which accepted a request

$server port

port of the server which accepted a request

$server protocol

request protocol, usually “HTTP/1.0”, “HTTP/1.1”, “HTTP/2.0”, or

“HTTP/3.0”

$status

response status (1.3.2, 1.2.2)

$tcpinfo rtt, $tcpinfo rttvar, $tcpinfo snd cwnd, $tcpinfo rcv space

information about the client TCP connection; available on systems that

support the TCP_INFO socket option

$time iso8601

local time in the ISO 8601 standard format (1.3.12, 1.2.7)

$time local

local time in the Common Log Format (1.3.12, 1.2.7)

$uri

current URI in request, normalized

The value of $uri may change during request processing, e.g. when doing

internal redirects, or when using index ﬁles.

Nginx, Inc. p.58 of 542

CHAPTER 2. HTTP SERVER MODULES 2.2. MODULE NGX HTTP ACCESS MODULE

2.2 Module ngx http access module

2.2.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 59

2.2.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 59

2.2.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 59

allow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

deny . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

2.2.1 Summary

The ngx_http_access_module module allows limiting access to

certain client addresses.

Access can also be limited by password, by the result of subrequest, or

by JWT. Simultaneous limitation of access by address and by password is

controlled by the satisfy directive.

2.2.2 Example Conﬁguration

location / {

deny 192.168.1.1;

allow 192.168.1.0/24;

allow 10.1.1.0/16;

allow 2001:0db8::/32;

deny all;

}

The rules are checked in sequence until the ﬁrst match is found. In

this example, access is allowed only for IPv4 networks 10.1.1.0/16 and

192.168.1.0/24 excluding the address 192.168.1.1, and for IPv6

network 2001:0db8::/32. In case of a lot of rules, the use of the ngx -

http geo module module variables is preferable.

2.2.3 Directives

allow

Syntax: allow address | CIDR | unix: | all;

Default —

Context: http, server, location, limit except

Allows access for the speciﬁed network or address. If the special value

unix: is speciﬁed (1.5.1), allows access for all UNIX-domain sockets.

deny

Syntax: deny address | CIDR | unix: | all;

Default —

Context: http, server, location, limit except

Nginx, Inc. p.59 of 542

CHAPTER 2. HTTP SERVER MODULES 2.2. MODULE NGX HTTP ACCESS MODULE

Denies access for the speciﬁed network or address. If the special value

unix: is speciﬁed (1.5.1), denies access for all UNIX-domain sockets.

Nginx, Inc. p.60 of 542

CHAPTER 2. HTTP SERVER MODULES 2.3. MODULE NGX HTTP ADDITION MODULE

2.3 Module ngx http addition module

2.3.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 61

2.3.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 61

2.3.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 61

add before body . . . . . . . . . . . . . . . . . . . . . . 61

add after body . . . . . . . . . . . . . . . . . . . . . . . 61

addition types . . . . . . . . . . . . . . . . . . . . . . . . 62

2.3.1 Summary

The ngx_http_addition_module module is a ﬁlter that adds text

before and after a response. This module is not built by default, it should

be enabled with the --with-http_addition_module conﬁguration

parameter.

2.3.2 Example Conﬁguration

location / {

add_before_body /before_action;

add_after_body /after_action;

}

2.3.3 Directives

add before body

Syntax: add_before_body uri;

Default —

Context: http, server, location

Adds the text returned as a result of processing a given subrequest before

the response body. An empty string ("") as a parameter cancels addition

inherited from the previous conﬁguration level.

add after body

Syntax: add_after_body uri;

Default —

Context: http, server, location

Adds the text returned as a result of processing a given subrequest after

the response body. An empty string ("") as a parameter cancels addition

inherited from the previous conﬁguration level.

Nginx, Inc. p.61 of 542

CHAPTER 2. HTTP SERVER MODULES 2.3. MODULE NGX HTTP ADDITION MODULE

addition types

Syntax: addition_types mime-type . . . ;

Default text/html

Context: http, server, location

This directive appeared in version 0.7.9.

Allows adding text in responses with the speciﬁed MIME types, in addition

to “text/html”. The special value “

” matches any MIME type (0.8.29).

Nginx, Inc. p.62 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

2.4 Module ngx http api module

2.4.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 63

2.4.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 63

2.4.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 64

api . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

status zone . . . . . . . . . . . . . . . . . . . . . . . . . 65

2.4.4 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . 65

2.4.5 Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . 66

2.4.6 Response Objects . . . . . . . . . . . . . . . . . . . . . . 89

2.4.1 Summary

The ngx_http_api_module module (1.13.3) provides REST API for

accessing various status information, conﬁguring upstream server groups on-

the-ﬂy, and managing key-value pairs without the need of reconﬁguring nginx.

The module supersedes the ngx http status module and ngx http -

upstream conf module modules.

When using the PATCH or POST methods, make sure that the payload does

not exceed the buﬀer size for reading the client request body, otherwise, the

413 Request Entity Too Large error may be returned.

This module is available as part of our commercial subscription.

2.4.2 Example Conﬁguration

http {

upstream backend {

zone http_backend 64k;

server backend1.example.com weight=5;

server backend2.example.com;

}

proxy_cache_path /data/nginx/cache_backend keys_zone=cache_backend:10m;

server {

server_name backend.example.com;

location / {

proxy_pass http://backend;

proxy_cache cache_backend;

health_check;

}

status_zone server_backend;

}

keyval_zone zone=one:32k state=one.keyval;

keyval $arg_text $text zone=one;

Nginx, Inc. p.63 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

server {

listen 127.0.0.1;

location /api {

api write=on;

allow 127.0.0.1;

deny all;

}

stream {

upstream backend {

zone stream_backend 64k;

server backend1.example.com:12345 weight=5;

server backend2.example.com:12345;

}

server {

listen 127.0.0.1:12345;

proxy_pass backend;

status_zone server_backend;

health_check;

}

All API requests include a supported API version in the URI. Examples of

API requests with this conﬁguration:

http://127.0.0.1/api/9/

http://127.0.0.1/api/9/nginx

http://127.0.0.1/api/9/connections

http://127.0.0.1/api/9/workers

http://127.0.0.1/api/9/http/requests

http://127.0.0.1/api/9/http/server_zones/server_backend

http://127.0.0.1/api/9/http/caches/cache_backend

http://127.0.0.1/api/9/http/upstreams/backend

http://127.0.0.1/api/9/http/upstreams/backend/servers/

http://127.0.0.1/api/9/http/upstreams/backend/servers/1

http://127.0.0.1/api/9/http/keyvals/one?key=arg1

http://127.0.0.1/api/9/stream/

http://127.0.0.1/api/9/stream/server_zones/server_backend

http://127.0.0.1/api/9/stream/upstreams/

http://127.0.0.1/api/9/stream/upstreams/backend

http://127.0.0.1/api/9/stream/upstreams/backend/servers/1

2.4.3 Directives

api

Syntax: api [write=on|off];

Default —

Context: location

Turns on the REST API interface in the surrounding location. Access to

this location should be limited.

The write parameter determines whether the API is read-only or read-

write. By default, the API is read-only.

Nginx, Inc. p.64 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

All API requests should contain a supported API version in the URI. If

the request URI equals the location preﬁx, the list of supported API versions

is returned. The current API version is “9”.

The optional “fields” argument in the request line speciﬁes which ﬁelds

of the requested objects will be output:

http://127.0.0.1/api/9/nginx?fields=version,build

status zone

Syntax: status_zone zone;

Default —

Context: server, location, if in location

This directive appeared in version 1.13.12.

Enables collection of virtual http or stream server status information in the

speciﬁed zone. Several servers may share the same zone.

Starting from 1.17.0, status information can be collected per location. The

special value off disables statistics collection in nested location blocks. Note

that the statistics is collected in the context of a location where processing

ends. It may be diﬀerent from the original location, if an internal redirect

happens during request processing.

2.4.4 Compatibility

• The /workers/ data were added in version 9.

• Detailed failure counters were added to SSL statistics in version 8

(1.23.2).

• The ssl data for each HTTP upstream, server zone, and stream

upstream, server zone, were added in version 8 (1.21.6).

• The codes data in responses for each HTTP upstream, server zone,

and location zone were added in version 7.

• The /stream/limit conns/ data were added in version 6.

• The /http/limit conns/ data were added in version 6.

• The /http/limit reqs/ data were added in version 6.

• The “expire” parameter of a key-value pair can be set or changed since

version 5.

• The /resolvers/ data were added in version 5.

• The /http/location zones/ data were added in version 5.

Nginx, Inc. p.65 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

• The path and method ﬁelds of nginx error object were removed in

version 4. These ﬁelds continue to exist in earlier api versions, but show

an empty value.

• The /stream/zone sync/ data were added in version 3.

• The drain parameter was added in version 2.

• The /stream/keyvals/ data were added in version 2.

2.4.5 Endpoints

Supported methods:

• GET - Return list of root endpoints

Returns a list of root endpoints.

Possible responses:

– 200 - Success, returns an array of strings

– 404 - Unknown version (UnknownVersion), returns Error

/nginx

Supported methods:

• GET - Return status of nginx running instance

Returns nginx version, build name, address, number of conﬁguration

reloads, IDs of master and worker processes.

Request parameters:

fields (string, optional)

Limits which ﬁelds of nginx running instance will be output.

Possible responses:

– 200 - Success, returns nginx

– 404 - Unknown version (UnknownVersion), returns Error

/processes

Supported methods:

• GET - Return nginx processes status

Returns the number of abnormally terminated and respawned child

processes.

Possible responses:

– 200 - Success, returns Processes

– 404 - Unknown version (UnknownVersion), returns Error

Nginx, Inc. p.66 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

DELETE - Reset nginx processes statistics

Resets counters of abnormally terminated and respawned child

processes.

Possible responses:

• – 204 - Success

– 404 - Unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/connections

Supported methods:

• GET - Return client connections statistics

Returns statistics of client connections.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the connections statistics will be output.

Possible responses:

– 200 - Success, returns Connections

– 404 - Unknown version (UnknownVersion), returns Error

DELETE - Reset client connections statistics

Resets statistics of accepted and dropped client connections.

Possible responses:

• – 204 - Success

– 404 - Unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/slabs/

Supported methods:

• GET - Return status of all slabs

Returns status of slabs for each shared memory zone with slab

allocator.

Request parameters:

fields (string, optional)

Limits which ﬁelds of slab zones will be output. If the“fields”

value is empty, then only zone names will be output.

Possible responses:

– 200 - Success, returns a collection of ”Shared memory zone with

slab allocator” objects for all slabs

– 404 - Unknown version (UnknownVersion), returns Error

/slabs/{slabZoneName}

Parameters common for all methods:

Nginx, Inc. p.67 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

slabZoneName (string, required)

The name of the shared memory zone with slab allocator.

Supported methods:

• GET - Return status of a slab

Returns status of slabs for a particular shared memory zone with

slab allocator.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the slab zone will be output.

Possible responses:

– 200 - Success, returns Shared memory zone with slab allocator

– 404 - Slab not found (SlabNotFound), unknown version

(UnknownVersion), returns Error

DELETE - Reset slab statistics

Resets the “reqs” and “fails” metrics for each memory slot.

Possible responses:

• – 204 - Success

– 404 - Slab not found (SlabNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/

Supported methods:

• GET - Return list of HTTP-related endpoints

Returns a list of ﬁrst level HTTP endpoints.

Possible responses:

– 200 - Success, returns an array of strings

– 404 - Unknown version (UnknownVersion), returns Error

/http/requests

Supported methods:

• GET - Return HTTP requests statistics

Returns status of client HTTP requests.

Request parameters:

fields (string, optional)

Limits which ﬁelds of client HTTP requests statistics will be

output.

Possible responses:

– 200 - Success, returns HTTP Requests

– 404 - Unknown version (UnknownVersion), returns Error

Nginx, Inc. p.68 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

DELETE - Reset HTTP requests statistics

Resets the number of total client HTTP requests.

Possible responses:

• – 204 - Success

– 404 - Unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/server_zones/

Supported methods:

• GET - Return status of all HTTP server zones

Returns status information for each HTTP server zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of server zones will be output. If the

“fields” value is empty, then only server zone names will be

output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Server Zone”

objects for all HTTP server zones

– 404 - Unknown version (UnknownVersion), returns Error

/http/server_zones/{httpServerZoneName}

Parameters common for all methods:

httpServerZoneName (string, required)

The name of an HTTP server zone.

Supported methods:

• GET - Return status of an HTTP server zone

Returns status of a particular HTTP server zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the server zone will be output.

Possible responses:

– 200 - Success, returns HTTP Server Zone

– 404 - Server zone not found (ServerZoneNotFound),

unknown version (UnknownVersion), returns Error

DELETE - Reset statistics for an HTTP server zone

Resets statistics of accepted and discarded requests, responses,

received and sent bytes, counters of SSL handshakes and session

reuses in a particular HTTP server zone.

Possible responses:

• – 204 - Success

Nginx, Inc. p.69 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

– 404 - Server zone not found (ServerZoneNotFound),

unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/location_zones/

Supported methods:

• GET - Return status of all HTTP location zones

Returns status information for each HTTP location zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of location zones will be output. If the

“fields” value is empty, then only zone names will be output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Location Zone”

objects for all HTTP location zones

– 404 - Unknown version (UnknownVersion), returns Error

/http/location_zones/{httpLocationZoneName}

Parameters common for all methods:

httpLocationZoneName (string, required)

The name of an HTTP location zone.

Supported methods:

• GET - Return status of an HTTP location zone

Returns status of a particular HTTP location zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the location zone will be output.

Possible responses:

– 200 - Success, returns HTTP Location Zone

– 404 - Location zone not found (LocationZoneNotFound),

unknown version (UnknownVersion), returns Error

DELETE - Reset statistics for a location zone.

Resets statistics of accepted and discarded requests, responses,

received and sent bytes in a particular location zone.

Possible responses:

• – 204 - Success

– 404 - Location zone not found (LocationZoneNotFound),

unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/caches/

Supported methods:

Nginx, Inc. p.70 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

• GET - Return status of all caches

Returns status of each cache conﬁgured by proxy cache path and

other “

_cache_path” directives.

Request parameters:

fields (string, optional)

Limits which ﬁelds of cache zones will be output. If the

“fields” value is empty, then only names of cache zones will

be output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Cache” objects for

all HTTP caches

– 404 - Unknown version (UnknownVersion), returns Error

/http/caches/{httpCacheZoneName}

Parameters common for all methods:

httpCacheZoneName (string, required)

The name of the cache zone.

Supported methods:

• GET - Return status of a cache

Returns status of a particular cache.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the cache zone will be output.

Possible responses:

– 200 - Success, returns HTTP Cache

– 404 - Cache not found (CacheNotFound), unknown version

(UnknownVersion), returns Error

DELETE - Reset cache statistics

Resets statistics of cache hits/misses in a particular cache zone.

Possible responses:

• – 204 - Success

– 404 - Cache not found (CacheNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/limit_conns/

Supported methods:

• GET - Return status of all HTTP limit conn zones

Returns status information for each HTTP limit conn zone.

Request parameters:

Nginx, Inc. p.71 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

fields (string, optional)

Limits which ﬁelds of limit conn zones will be output. If the

“fields” value is empty, then only zone names will be output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Connections

Limiting” objects for all HTTP limit conns

– 404 - Unknown version (UnknownVersion), returns Error

/http/limit_conns/{httpLimitConnZoneName}

Parameters common for all methods:

httpLimitConnZoneName (string, required)

The name of a limit conn zone.

Supported methods:

• GET - Return status of an HTTP limit conn zone

Returns status of a particular HTTP limit conn zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the limit conn zone will be output.

Possible responses:

– 200 - Success, returns HTTP Connections Limiting

– 404 - limit conn not found (LimitConnNotFound), unknown

version (UnknownVersion), returns Error

DELETE - Reset statistics for an HTTP limit conn zone

Resets the connection limiting statistics.

Possible responses:

• – 204 - Success

– 404 - limit conn not found (LimitConnNotFound), unknown

version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/limit_reqs/

Supported methods:

• GET - Return status of all HTTP limit req zones

Returns status information for each HTTP limit req zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of limit req zones will be output. If the

“fields” value is empty, then only zone names will be output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Requests Rate

Limiting” objects for all HTTP limit reqs

Nginx, Inc. p.72 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

– 404 - Unknown version (UnknownVersion), returns Error

/http/limit_reqs/{httpLimitReqZoneName}

Parameters common for all methods:

httpLimitReqZoneName (string, required)

The name of a limit req zone.

Supported methods:

• GET - Return status of an HTTP limit req zone

Returns status of a particular HTTP limit req zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the limit req zone will be output.

Possible responses:

– 200 - Success, returns HTTP Requests Rate Limiting

– 404 - limit req not found (LimitReqNotFound), unknown

version (UnknownVersion), returns Error

DELETE - Reset statistics for an HTTP limit req zone

Resets the requests limiting statistics.

Possible responses:

• – 204 - Success

– 404 - limit req not found (LimitReqNotFound), unknown

version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/upstreams/

Supported methods:

• GET - Return status of all HTTP upstream server groups

Returns status of each HTTP upstream server group and its servers.

Request parameters:

fields (string, optional)

Limits which ﬁelds of upstream server groups will be output. If

the “fields” value is empty, only names of upstreams will be

output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Upstream” objects

for all HTTP upstreams

– 404 - Unknown version (UnknownVersion), returns Error

/http/upstreams/{httpUpstreamName}/

Parameters common for all methods:

httpUpstreamName (string, required)

The name of an HTTP upstream server group.

Nginx, Inc. p.73 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

Supported methods:

• GET - Return status of an HTTP upstream server group

Returns status of a particular HTTP upstream server group and its

servers.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the upstream server group will be output.

Possible responses:

– 200 - Success, returns HTTP Upstream

– 400 - Upstream is static (UpstreamStatic), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

DELETE - Reset statistics of an HTTP upstream server group

Resets the statistics for each upstream server in an upstream server

group and queue statistics.

Possible responses:

• – 204 - Success

– 400 - Upstream is static (UpstreamStatic), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/upstreams/{httpUpstreamName}/servers/

Parameters common for all methods:

httpUpstreamName (string, required)

The name of an upstream server group.

Supported methods:

• GET - Return conﬁguration of all servers in an HTTP upstream

server group

Returns conﬁguration of each server in a particular HTTP upstream

server group.

Possible responses:

– 200 - Success, returns an array of HTTP Upstream Servers

– 400 - Upstream is static (UpstreamStatic), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

POST - Add a server to an HTTP upstream server group

Adds a new server to an HTTP upstream server group. Server

parameters are speciﬁed in the JSON format.

Request parameters:

Nginx, Inc. p.74 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

• postHttpUpstreamServer (HTTP Upstream Server, re-

quired)

Address of a new server and other optional parameters in

the JSON format. The “ID”, “backup”, and “service”

parameters cannot be changed.

Possible responses:

– 201 - Created, returns HTTP Upstream Server

– 400 - Upstream is static (UpstreamStatic), invalid

“parameter” value (UpstreamConfFormatError), missing

“server” argument (UpstreamConfFormatError), un-

known parameter “name” (UpstreamConfFormatError),

nested object or list (UpstreamConfFormatError),

“error” while parsing (UpstreamBadAddress),

service upstream “host” may not have port

(UpstreamBadAddress), service upstream “host” re-

quires domain name (UpstreamBadAddress), invalid

“weight” (UpstreamBadWeight), invalid “max_-

conns” (UpstreamBadMaxConns), invalid “max_fails”

(UpstreamBadMaxFails), invalid “fail_timeout”

(UpstreamBadFailTimeout), invalid “slow_start”

(UpstreamBadSlowStart), reading request body failed

BodyReadError), route is too long (UpstreamBadRoute),

“service” is empty (UpstreamBadService), no resolver

deﬁned to resolve (UpstreamConfNoResolver), upstream

“name” has no backup (UpstreamNoBackup), upstream

“name” memory exhausted (UpstreamOutOfMemory),

returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 409 - Entry exists (EntryExists), returns Error

– 415 - JSON error (JsonError), returns Error

/http/upstreams/{httpUpstreamName}/servers/

{httpUpstreamServerId}

Parameters common for all methods:

httpUpstreamName (string, required)

The name of the upstream server group.

httpUpstreamServerId (string, required)

The ID of the server.

Supported methods:

• GET - Return conﬁguration of a server in an HTTP upstream server

group

Returns conﬁguration of a particular server in the HTTP upstream

server group.

Nginx, Inc. p.75 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

Possible responses:

– 200 - Success, returns HTTP Upstream Server

– 400 - Upstream is static (UpstreamStatic), invalid server

ID (UpstreamBadServerId), returns Error

– 404 - Server with ID “id” does not exist

(UpstreamServerNotFound), unknown ver-

sion (UnknownVersion), upstream not found

(UpstreamNotFound), returns Error

PATCH - Modify a server in an HTTP upstream server group

Modiﬁes settings of a particular server in an HTTP upstream server

group. Server parameters are speciﬁed in the JSON format.

Request parameters:

• patchHttpUpstreamServer (HTTP Upstream Server, re-

quired)

Server parameters, speciﬁed in the JSON format. The “ID”,

“backup”, and “service” parameters cannot be changed.

Possible responses:

– 200 - Success, returns HTTP Upstream Server

– 400 - Upstream is static (UpstreamStatic), invalid

“parameter” value (UpstreamConfFormatError), un-

known parameter “name” (UpstreamConfFormatError),

nested object or list (UpstreamConfFormatError),

“error” while parsing (UpstreamBadAddress), in-

valid “server” argument (UpstreamBadAddress),

invalid server ID (UpstreamBadServerId), invalid

“weight” (UpstreamBadWeight), invalid “max_-

conns” (UpstreamBadMaxConns), invalid “max_-

fails” (UpstreamBadMaxFails), invalid “fail_-

timeout” (UpstreamBadFailTimeout), invalid

“slow_start” (UpstreamBadSlowStart), read-

ing request body failed BodyReadError), route is

too long (UpstreamBadRoute), “service” is empty

(UpstreamBadService), server “ID” address is immutable

(UpstreamServerImmutable), server “ID” weight is im-

mutable (UpstreamServerWeightImmutable), upstream

“name” memory exhausted (UpstreamOutOfMemory),

returns Error

– 404 - Server with ID “id” does not exist

(UpstreamServerNotFound), unknown ver-

sion (UnknownVersion), upstream not found

(UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 415 - JSON error (JsonError), returns Error

Nginx, Inc. p.76 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

DELETE - Remove a server from an HTTP upstream server group

Removes a server from an HTTP upstream server group.

Possible responses:

• – 200 - Success, returns an array of HTTP Upstream Servers

– 400 - Upstream is static (UpstreamStatic), invalid server

ID (UpstreamBadServerId), server “id” not removable

(UpstreamServerImmutable), returns Error

– 404 - Server with ID “id” does not exist

(UpstreamServerNotFound), unknown ver-

sion (UnknownVersion), upstream not found

(UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/http/keyvals/

Supported methods:

• GET - Return key-value pairs from all HTTP keyval zones

Returns key-value pairs for each HTTP keyval shared memory zone.

Request parameters:

fields (string, optional)

If the “fields” value is empty, then only HTTP keyval zone

names will be output.

Possible responses:

– 200 - Success, returns a collection of ”HTTP Keyval Shared

Memory Zone” objects for all HTTP keyvals

– 404 - Unknown version (UnknownVersion), returns Error

/http/keyvals/{httpKeyvalZoneName}

Parameters common for all methods:

httpKeyvalZoneName (string, required)

The name of an HTTP keyval shared memory zone.

Supported methods:

• GET - Return key-value pairs from an HTTP keyval zone

Returns key-value pairs stored in a particular HTTP keyval shared

memory zone.

Request parameters:

key (string, optional)

Get a particular key-value pair from the HTTP keyval zone.

Possible responses:

– 200 - Success, returns HTTP Keyval Shared Memory Zone

– 404 - Keyval not found (KeyvalNotFound), keyval

key not found (KeyvalKeyNotFound), unknown version

(UnknownVersion), returns Error

Nginx, Inc. p.77 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

POST - Add a key-value pair to the HTTP keyval zone

Adds a new key-value pair to the HTTP keyval shared memory

zone. Several key-value pairs can be entered if the HTTP keyval

shared memory zone is empty.

Request parameters:

• Key-value (HTTP Keyval Shared Memory Zone, required)

A key-value pair is speciﬁed in the JSON format. Several key-

value pairs can be entered if the HTTP keyval shared memory

zone is empty. Expiration time in milliseconds can be speciﬁed

for a key-value pair with the expire parameter which overrides

the timeout parameter of the keyval zone directive.

Possible responses:

– 201 - Created

– 400 - Invalid JSON (KeyvalFormatError), invalid

key format (KeyvalFormatError), key required

(KeyvalFormatError), keyval timeout is not enabled

(KeyvalFormatError), only one key can be added

(KeyvalFormatError), reading request body failed

BodyReadError), returns Error

– 404 - Keyval not found (KeyvalNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 409 - Entry exists (EntryExists), key already exists

(KeyvalKeyExists), returns Error

– 413 - Request Entity Too Large, returns Error

– 415 - JSON error (JsonError), returns Error

PATCH - Modify a key-value or delete a key

Changes the value of the selected key in the key-value pair, deletes

a key by setting the key value to null, changes expiration time

of a key-value pair. If synchronization of keyval zones in a cluster

is enabled, deletes a key only on a target cluster node. Expiration

time in milliseconds can be speciﬁed for a key-value pair with the

expire parameter which overrides the timeout parameter of the

keyval zone directive.

Request parameters:

• httpKeyvalZoneKeyValue (HTTP Keyval Shared Memory

Zone, required)

A new value for the key is speciﬁed in the JSON format.

Possible responses:

– 204 - Success

– 400 - Invalid JSON (KeyvalFormatError), key re-

quired (KeyvalFormatError), keyval timeout is not en-

abled (KeyvalFormatError), only one key can be up-

Nginx, Inc. p.78 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

dated (KeyvalFormatError), reading request body failed

BodyReadError), returns Error

– 404 - Keyval not found (KeyvalNotFound), keyval

key not found (KeyvalKeyNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 413 - Request Entity Too Large, returns Error

– 415 - JSON error (JsonError), returns Error

DELETE - Empty the HTTP keyval zone

Deletes all key-value pairs from the HTTP keyval shared memory

zone. If synchronization of keyval zones in a cluster is enabled,

empties the keyval zone only on a target cluster node.

Possible responses:

• – 204 - Success

– 404 - Keyval not found (KeyvalNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/stream/

Supported methods:

• GET - Return list of stream-related endpoints

Returns a list of ﬁrst level stream endpoints.

Possible responses:

– 200 - Success, returns an array of strings

– 404 - Unknown version (UnknownVersion), returns Error

/stream/server_zones/

Supported methods:

• GET - Return status of all stream server zones

Returns status information for each stream server zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of server zones will be output. If the

“fields” value is empty, then only server zone names will be

output.

Possible responses:

– 200 - Success, returns a collection of ”Stream Server Zone”

objects for all stream server zones

– 404 - Unknown version (UnknownVersion), returns Error

/stream/server_zones/{streamServerZoneName}

Parameters common for all methods:

Nginx, Inc. p.79 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

streamServerZoneName (string, required)

The name of a stream server zone.

Supported methods:

• GET - Return status of a stream server zone

Returns status of a particular stream server zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the server zone will be output.

Possible responses:

– 200 - Success, returns Stream Server Zone

– 404 - Server zone not found (ServerZoneNotFound),

unknown version (UnknownVersion), returns Error

DELETE - Reset statistics for a stream server zone

Resets statistics of accepted and discarded connections, sessions,

received and sent bytes, counters of SSL handshakes and session

reuses in a particular stream server zone.

Possible responses:

• – 204 - Success

– 404 - Server zone not found (ServerZoneNotFound),

unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/stream/limit_conns/

Supported methods:

• GET - Return status of all stream limit conn zones

Returns status information for each stream limit conn zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of limit conn zones will be output. If the

“fields” value is empty, then only zone names will be output.

Possible responses:

– 200 - Success, returns a collection of ”Stream Connections

Limiting” objects for all stream limit conns

– 404 - Unknown version (UnknownVersion), returns Error

/stream/limit_conns/{streamLimitConnZoneName}

Parameters common for all methods:

streamLimitConnZoneName (string, required)

The name of a limit conn zone.

Supported methods:

Nginx, Inc. p.80 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

• GET - Return status of an stream limit conn zone

Returns status of a particular stream limit conn zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of the limit conn zone will be output.

Possible responses:

– 200 - Success, returns Stream Connections Limiting

– 404 - limit conn not found (LimitConnNotFound), unknown

version (UnknownVersion), returns Error

DELETE - Reset statistics for a stream limit conn zone

Resets the connection limiting statistics.

Possible responses:

• – 204 - Success

– 404 - limit conn not found (LimitConnNotFound), unknown

version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/stream/upstreams/

Supported methods:

• GET - Return status of all stream upstream server groups

Returns status of each stream upstream server group and its servers.

Request parameters:

fields (string, optional)

Limits which ﬁelds of upstream server groups will be output. If

the “fields” value is empty, only names of upstreams will be

output.

Possible responses:

– 200 - Success, returns a collection of ”Stream Upstream” objects

for all stream upstreams

– 404 - Unknown version (UnknownVersion), returns Error

/stream/upstreams/{streamUpstreamName}/

Parameters common for all methods:

streamUpstreamName (string, required)

The name of a stream upstream server group.

Supported methods:

• GET - Return status of a stream upstream server group

Returns status of a particular stream upstream server group and its

servers.

Request parameters:

Nginx, Inc. p.81 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

fields (string, optional)

Limits which ﬁelds of the upstream server group will be output.

Possible responses:

– 200 - Success, returns Stream Upstream

– 400 - Upstream is static (UpstreamStatic), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

DELETE - Reset statistics of a stream upstream server group

Resets the statistics for each upstream server in an upstream server

group.

Possible responses:

• – 204 - Success

– 400 - Upstream is static (UpstreamStatic), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/stream/upstreams/{streamUpstreamName}/servers/

Parameters common for all methods:

streamUpstreamName (string, required)

The name of an upstream server group.

Supported methods:

• GET - Return conﬁguration of all servers in a stream upstream server

group

Returns conﬁguration of each server in a particular stream upstream

server group.

Possible responses:

– 200 - Success, returns an array of Stream Upstream Servers

– 400 - Upstream is static (UpstreamStatic), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

POST - Add a server to a stream upstream server group

Adds a new server to a stream upstream server group. Server

parameters are speciﬁed in the JSON format.

Request parameters:

• postStreamUpstreamServer (Stream Upstream Server, re-

quired)

Address of a new server and other optional parameters in

the JSON format. The “ID”, “backup”, and “service”

parameters cannot be changed.

Possible responses:

Nginx, Inc. p.82 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

– 201 - Created, returns Stream Upstream Server

– 400 - Upstream is static (UpstreamStatic), invalid

“parameter” value (UpstreamConfFormatError), missing

“server” argument (UpstreamConfFormatError), un-

known parameter “name” (UpstreamConfFormatError),

nested object or list (UpstreamConfFormatError),

“error” while parsing (UpstreamBadAddress),

no port in server “host” (UpstreamBadAddress),

service upstream “host” may not have port

(UpstreamBadAddress), service upstream “host” re-

quires domain name (UpstreamBadAddress), invalid

“weight” (UpstreamBadWeight), invalid “max_-

conns” (UpstreamBadMaxConns), invalid “max_-

fails” (UpstreamBadMaxFails), invalid “fail_-

timeout” (UpstreamBadFailTimeout), invalid “slow_-

start” (UpstreamBadSlowStart), “service” is empty

(UpstreamBadService), no resolver deﬁned to resolve

(UpstreamConfNoResolver), upstream “name” has no

backup (UpstreamNoBackup), upstream “name” memory

exhausted (UpstreamOutOfMemory), reading request body

failed BodyReadError), returns Error

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 409 - Entry exists (EntryExists), returns Error

– 415 - JSON error (JsonError), returns Error

/stream/upstreams/{streamUpstreamName}/servers/

{streamUpstreamServerId}

Parameters common for all methods:

streamUpstreamName (string, required)

The name of the upstream server group.

streamUpstreamServerId (string, required)

The ID of the server.

Supported methods:

• GET - Return conﬁguration of a server in a stream upstream server

group

Returns conﬁguration of a particular server in the stream upstream

server group.

Possible responses:

– 200 - Success, returns Stream Upstream Server

– 400 - Upstream is static (UpstreamStatic), invalid server

ID (UpstreamBadServerId), returns Error

Nginx, Inc. p.83 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

– 404 - Unknown version (UnknownVersion), upstream not

found (UpstreamNotFound), server with ID “id” does not

exist (UpstreamServerNotFound), returns Error

PATCH - Modify a server in a stream upstream server group

Modiﬁes settings of a particular server in a stream upstream server

group. Server parameters are speciﬁed in the JSON format.

Request parameters:

• patchStreamUpstreamServer (Stream Upstream Server,

required)

Server parameters, speciﬁed in the JSON format. The “ID”,

“backup”, and “service” parameters cannot be changed.

Possible responses:

– 200 - Success, returns Stream Upstream Server

– 400 - Upstream is static (UpstreamStatic), invalid

“parameter” value (UpstreamConfFormatError), un-

known parameter “name” (UpstreamConfFormatError),

nested object or list (UpstreamConfFormatError),

“error” while parsing (UpstreamBadAddress), in-

valid “server” argument (UpstreamBadAddress),

no port in server “host” (UpstreamBadAddress),

invalid server ID (UpstreamBadServerId), invalid

“weight” (UpstreamBadWeight), invalid “max_-

conns” (UpstreamBadMaxConns), invalid “max_-

fails” (UpstreamBadMaxFails), invalid “fail_-

timeout” (UpstreamBadFailTimeout), invalid “slow_-

start” (UpstreamBadSlowStart), reading request

body failed BodyReadError), “service” is empty

(UpstreamBadService), server “ID” address is immutable

(UpstreamServerImmutable), server “ID” weight is im-

mutable (UpstreamServerWeightImmutable), upstream

“name” memory exhausted (UpstreamOutOfMemory),

returns Error

– 404 - Server with ID “id” does not exist

(UpstreamServerNotFound), unknown ver-

sion (UnknownVersion), upstream not found

(UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 415 - JSON error (JsonError), returns Error

DELETE - Remove a server from a stream upstream server group

Removes a server from a stream server group.

Possible responses:

• – 200 - Success, returns an array of Stream Upstream Servers

Nginx, Inc. p.84 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

– 400 - Upstream is static (UpstreamStatic), invalid server

ID (UpstreamBadServerId), server “id” not removable

(UpstreamServerImmutable), returns Error

– 404 - Server with ID “id” does not exist

(UpstreamServerNotFound), unknown ver-

sion (UnknownVersion), upstream not found

(UpstreamNotFound), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/stream/keyvals/

Supported methods:

• GET - Return key-value pairs from all stream keyval zones

Returns key-value pairs for each stream keyval shared memory zone.

Request parameters:

fields (string, optional)

If the “fields” value is empty, then only stream keyval zone

names will be output.

Possible responses:

– 200 - Success, returns a collection of ”Stream Keyval Shared

Memory Zone” objects for all stream keyvals

– 404 - Unknown version (UnknownVersion), returns Error

/stream/keyvals/{streamKeyvalZoneName}

Parameters common for all methods:

streamKeyvalZoneName (string, required)

The name of a stream keyval shared memory zone.

Supported methods:

• GET - Return key-value pairs from a stream keyval zone

Returns key-value pairs stored in a particular stream keyval shared

memory zone.

Request parameters:

key (string, optional)

Get a particular key-value pair from the stream keyval zone.

Possible responses:

– 200 - Success, returns Stream Keyval Shared Memory Zone

– 404 - Keyval not found (KeyvalNotFound), keyval

key not found (KeyvalKeyNotFound), unknown version

(UnknownVersion), returns Error

POST - Add a key-value pair to the stream keyval zone

Adds a new key-value pair to the stream keyval shared memory

zone. Several key-value pairs can be entered if the stream keyval

shared memory zone is empty.

Nginx, Inc. p.85 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

Request parameters:

• Key-value (Stream Keyval Shared Memory Zone, required)

A key-value pair is speciﬁed in the JSON format. Several key-

value pairs can be entered if the stream keyval shared memory

zone is empty. Expiration time in milliseconds can be speciﬁed

for a key-value pair with the expire parameter which overrides

the timeout parameter of the keyval zone directive.

Possible responses:

– 201 - Created

– 400 - Invalid JSON (KeyvalFormatError), invalid

key format (KeyvalFormatError), key required

(KeyvalFormatError), keyval timeout is not enabled

(KeyvalFormatError), only one key can be added

(KeyvalFormatError), reading request body failed

BodyReadError), returns Error

– 404 - Keyval not found (KeyvalNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

– 409 - Entry exists (EntryExists), key already exists

(KeyvalKeyExists), returns Error

– 413 - Request Entity Too Large, returns Error

– 415 - JSON error (JsonError), returns Error

PATCH - Modify a key-value or delete a key

Changes the value of the selected key in the key-value pair, deletes

a key by setting the key value to null, changes expiration time

of a key-value pair. If synchronization of keyval zones in a cluster

is enabled, deletes a key only on a target cluster node. Expiration

time is speciﬁed in milliseconds with the expire parameter which

overrides the timeout parameter of the keyval zone directive.

Request parameters:

• streamKeyvalZoneKeyValue (Stream Keyval Shared Memory

Zone, required)

A new value for the key is speciﬁed in the JSON format.

Possible responses:

– 204 - Success

– 400 - Invalid JSON (KeyvalFormatError), key re-

quired (KeyvalFormatError), keyval timeout is not en-

abled (KeyvalFormatError), only one key can be up-

dated (KeyvalFormatError), reading request body failed

BodyReadError), returns Error

– 404 - Keyval not found (KeyvalNotFound), keyval

key not found (KeyvalKeyNotFound), unknown version

(UnknownVersion), returns Error

Nginx, Inc. p.86 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

– 405 - Method disabled (MethodDisabled), returns Error

– 413 - Request Entity Too Large, returns Error

– 415 - JSON error (JsonError), returns Error

DELETE - Empty the stream keyval zone

Deletes all key-value pairs from the stream keyval shared memory

zone. If synchronization of keyval zones in a cluster is enabled,

empties the keyval zone only on a target cluster node.

Possible responses:

• – 204 - Success

– 404 - Keyval not found (KeyvalNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/stream/zone_sync/

Supported methods:

• GET - Return sync status of a node

Returns synchronization status of a cluster node.

Possible responses:

– 200 - Success, returns Stream Zone Sync Node

– 404 - Unknown version (UnknownVersion), returns Error

/resolvers/

Supported methods:

• GET - Return status for all resolver zones

Returns status information for each resolver zone.

Request parameters:

fields (string, optional)

Limits which ﬁelds of resolvers statistics will be output.

Possible responses:

– 200 - Success, returns a collection of ”Resolver Zone” objects

for all resolvers

– 404 - Unknown version (UnknownVersion), returns Error

/resolvers/{resolverZoneName}

Parameters common for all methods:

resolverZoneName (string, required)

The name of a resolver zone.

Supported methods:

• GET - Return statistics of a resolver zone

Returns statistics stored in a particular resolver zone.

Request parameters:

Nginx, Inc. p.87 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

fields (string, optional)

Limits which ﬁelds of the resolver zone will be output (requests,

responses, or both).

Possible responses:

– 200 - Success, returns Resolver Zone

– 404 - Resolver zone not found (ResolverZoneNotFound),

unknown version (UnknownVersion), returns Error

DELETE - Reset statistics for a resolver zone.

Resets statistics in a particular resolver zone.

Possible responses:

• – 204 - Success

– 404 - Resolver zone not found (ResolverZoneNotFound),

unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/ssl

Supported methods:

• GET - Return SSL statistics

Returns SSL statistics.

Request parameters:

fields (string, optional)

Limits which ﬁelds of SSL statistics will be output.

Possible responses:

– 200 - Success, returns SSL

– 404 - Unknown version (UnknownVersion), returns Error

DELETE - Reset SSL statistics

Resets counters of SSL handshakes and session reuses.

Possible responses:

• – 204 - Success

– 404 - Unknown version (UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

/workers/

Supported methods:

• GET - Return statistics for all worker processes

Returns statistics for all worker processes such as accepted, dropped,

active, idle connections, total and current requests.

Request parameters:

fields (string, optional)

Limits which ﬁelds of worker process statistics will be output.

Nginx, Inc. p.88 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

Possible responses:

– 200 - Success, returns a collection of ”Worker process” objects

for all workers

– 404 - Worker not found (WorkerNotFound), unknown version

(UnknownVersion), returns Error

/workers/{workerId}

Parameters common for all methods:

workerId (string, required)

The ID of the worker process.

Supported methods:

• GET - Return status of a worker process

Returns status of a particular worker process.

Possible responses:

– 200 - Success, returns Worker process

– 404 - Worker not found (WorkerNotFound), unknown version

(UnknownVersion), returns Error

DELETE - Reset statistics for a worker process.

Resets statistics of accepted, dropped, active, idle connections, as

well as total and current requests.

Possible responses:

• – 204 - Success

– 404 - Worker not found (WorkerNotFound), unknown version

(UnknownVersion), returns Error

– 405 - Method disabled (MethodDisabled), returns Error

2.4.6 Response Objects

• nginx:

General information about nginx:

version (string)

Version of nginx.

build (string)

Name of nginx build.

address (string)

The address of the server that accepted status request.

generation (integer)

The total number of conﬁguration reloads.

load_timestamp (string)

Time of the last reload of conﬁguration, in the ISO 8601 format

with millisecond resolution.

Nginx, Inc. p.89 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

timestamp (string)

Current time in the ISO 8601 format with millisecond resolution.

pid (integer)

The ID of the worker process that handled status request.

ppid (integer)

The ID of the master process that started the worker process.

Example:

{

"nginx" : {

"version" : "1.21.6",

"build" : "nginx-plus-r27",

"address" : "206.251.255.64",

"generation" : 6,

"load_timestamp" : "2022-06-28T11:15:44.467Z",

"timestamp" : "2022-06-28T09:26:07.305Z",

"pid" : 32212,

"ppid" : 32210

}

• Processes:

respawned (integer)

The total number of abnormally terminated and respawned child

processes.

Example:

{

"respawned" : 0

}

• Connections:

The number of accepted, dropped, active, and idle connections.

accepted (integer)

The total number of accepted client connections.

dropped (integer)

The total number of dropped client connections.

active (integer)

The current number of active client connections.

idle (integer)

The current number of idle client connections.

Example:

{

"accepted" : 4968119,

"dropped" : 0,

"active" : 5,

Nginx, Inc. p.90 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

"idle" : 117

}

• SSL:

handshakes (integer)

The total number of successful SSL handshakes.

handshakes_failed (integer)

The total number of failed SSL handshakes.

session_reuses (integer)

The total number of session reuses during SSL handshake.

no_common_protocol (integer)

The number of SSL handshakes failed because of no common

protocol.

no_common_cipher (integer)

The number of SSL handshakes failed because of no shared cipher.

handshake_timeout (integer)

The number of SSL handshakes failed because of a timeout.

peer_rejected_cert (integer)

The number of failed SSL handshakes when nginx presented the

certiﬁcate to the client but it was rejected with a corresponding

alert message.

verify_failures

SSL certiﬁcate veriﬁcation errors

no_cert (integer)

A client did not provide the required certiﬁcate.

expired_cert (integer)

An expired or not yet valid certiﬁcate was presented by a client.

revoked_cert (integer)

A revoked certiﬁcate was presented by a client.

hostname_mismatch (integer)

Server’s certiﬁcate doesn’t match the hostname.

other (integer)

Other SSL certiﬁcate veriﬁcation errors.

Example:

{

"handshakes" : 79572,

"handshakes_failed" : 21025,

"session_reuses" : 15762,

"no_common_protocol" : 4,

"no_common_cipher" : 2,

"handshake_timeout" : 0,

"peer_rejected_cert" : 0,

"verify_failures" : {

"no_cert" : 0,

"expired_cert" : 2,

"revoked_cert" : 1,

"hostname_mismatch" : 2,

Nginx, Inc. p.91 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

"other" : 1

}

• Shared memory zone with slab allocator:

Shared memory zone with slab allocator

pages

The number of free and used memory pages.

used (integer)

The current number of used memory pages.

free (integer)

The current number of free memory pages.

slots

Status data for memory slots (8, 16, 32, 64, 128, etc.)

A collection of ”Memory Slot” objects

Example:

{

"pages" : {

"used" : 1143,

"free" : 2928

"slots" : {

"8" : {

"used" : 0,

"free" : 0,

"reqs" : 0,

"fails" : 0

"16" : {

"used" : 0,

"free" : 0,

"reqs" : 0,

"fails" : 0

"32" : {

"used" : 0,

"free" : 0,

"reqs" : 0,

"fails" : 0

"64" : {

"used" : 1,

"free" : 63,

"reqs" : 1,

"fails" : 0

"128" : {

"used" : 0,

"free" : 0,

"reqs" : 0,

"fails" : 0

"256" : {

"used" : 18078,

"free" : 178,

"reqs" : 1635736,

"fails" : 0

}

Nginx, Inc. p.92 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

}

• Memory Slot:

used (integer)

The current number of used memory slots.

free (integer)

The current number of free memory slots.

reqs (integer)

The total number of attempts to allocate memory of speciﬁed size.

fails (integer)

The number of unsuccessful attempts to allocate memory of

speciﬁed size.

HTTP Requests:

• total (integer)

The total number of client requests.

current (integer)

The current number of client requests.

Example:

{

"total" : 10624511,

"current" : 4

}

• HTTP Server Zone:

processing (integer)

The number of client requests that are currently being processed.

requests (integer)

The total number of client requests received from clients.

responses

The total number of responses sent to clients, the number of

responses with status codes “1xx”, “2xx”, “3xx”, “4xx”, and“5xx”,

and the number of responses per each status code.

1xx (integer)

The number of responses with “1xx” status codes.

2xx (integer)

The number of responses with “2xx” status codes.

3xx (integer)

The number of responses with “3xx” status codes.

4xx (integer)

The number of responses with “4xx” status codes.

Nginx, Inc. p.93 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

5xx (integer)

The number of responses with “5xx” status codes.

codes

The number of responses per each status code.

codeNumber (integer)

The number of responses with this particular status code.

total (integer)

The total number of responses sent to clients.

discarded (integer)

The total number of requests completed without sending a response.

received (integer)

The total number of bytes received from clients.

sent (integer)

The total number of bytes sent to clients.

ssl

handshakes (integer)

The total number of successful SSL handshakes.

handshakes_failed (integer)

The total number of failed SSL handshakes.

session_reuses (integer)

The total number of session reuses during SSL handshake.

no_common_protocol (integer)

The number of SSL handshakes failed because of no common

protocol.

no_common_cipher (integer)

The number of SSL handshakes failed because of no shared

cipher.

handshake_timeout (integer)

The number of SSL handshakes failed because of a timeout.

peer_rejected_cert (integer)

The number of failed SSL handshakes when nginx presented the

certiﬁcate to the client but it was rejected with a corresponding

alert message.

verify_failures

SSL certiﬁcate veriﬁcation errors

no_cert (integer)

A client did not provide the required certiﬁcate.

expired_cert (integer)

An expired or not yet valid certiﬁcate was presented by a

client.

revoked_cert (integer)

A revoked certiﬁcate was presented by a client.

other (integer)

Other SSL certiﬁcate veriﬁcation errors.

Nginx, Inc. p.94 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

Example:

{

"processing" : 1,

"requests" : 706690,

"responses" : {

"1xx" : 0,

"2xx" : 699482,

"3xx" : 4522,

"4xx" : 907,

"5xx" : 266,

"codes" : {

"200" : 699482,

"301" : 4522,

"404" : 907,

"503" : 266

"total" : 705177

"discarded" : 1513,

"received" : 172711587,

"sent" : 19415530115,

"ssl" : {

"handshakes" : 104303,

"handshakes_failed" : 1421,

"session_reuses" : 54645,

"no_common_protocol" : 4,

"no_common_cipher" : 2,

"handshake_timeout" : 0,

"peer_rejected_cert" : 0,

"verify_failures" : {

"no_cert" : 0,

"expired_cert" : 2,

"revoked_cert" : 1,

"other" : 1

}

• HTTP Location Zone:

requests (integer)

The total number of client requests received from clients.

responses

The total number of responses sent to clients, the number of

responses with status codes “1xx”, “2xx”, “3xx”, “4xx”, and“5xx”,

and the number of responses per each status code.

1xx (integer)

The number of responses with “1xx” status codes.

2xx (integer)

The number of responses with “2xx” status codes.

3xx (integer)

The number of responses with “3xx” status codes.

4xx (integer)

The number of responses with “4xx” status codes.

5xx (integer)

The number of responses with “5xx” status codes.

Nginx, Inc. p.95 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

codes

The number of responses per each status code.

codeNumber (integer)

The number of responses with this particular status code.

total (integer)

The total number of responses sent to clients.

discarded (integer)

The total number of requests completed without sending a response.

received (integer)

The total number of bytes received from clients.

sent (integer)

The total number of bytes sent to clients.

Example:

{

"requests" : 706690,

"responses" : {

"1xx" : 0,

"2xx" : 699482,

"3xx" : 4522,

"4xx" : 907,

"5xx" : 266,

"codes" : {

"200" : 112674,

"301" : 4522,

"404" : 2504,

"503" : 266

"total" : 705177

"discarded" : 1513,

"received" : 172711587,

"sent" : 19415530115

}

• HTTP Cache:

size (integer)

The current size of the cache.

max_size (integer)

The limit on the maximum size of the cache speciﬁed in the

conﬁguration.

cold (boolean)

A boolean value indicating whether the “cache loader” process is

still loading data from disk into the cache.

hit

responses (integer)

The total number of valid responses read from the cache.

bytes (integer)

The total number of bytes read from the cache.

stale

Nginx, Inc. p.96 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

responses (integer)

The total number of expired responses read from the cache

(see proxy cache use stale and other “

_cache_use_stale”

directives).

bytes (integer)

The total number of bytes read from the cache.

updating

responses (integer)

The total number of expired responses read from the cache while

responses were being updated (see proxy cache use stale and

other “

_cache_use_stale” directives).

bytes (integer)

The total number of bytes read from the cache.

revalidated

responses (integer)

The total number of expired and revalidated responses read

from the cache (see proxy cache revalidate and other “

cache_revalidate” directives.

bytes (integer)

The total number of bytes read from the cache.

miss

responses (integer)

The total number of responses not found in the cache.

bytes (integer)

The total number of bytes read from the proxied server.

responses_written (integer)

The total number of responses written to the cache.

bytes_written (integer)

The total number of bytes written to the cache.

expired

responses (integer)

The total number of expired responses not taken from the cache.

bytes (integer)

The total number of bytes read from the proxied server.

responses_written (integer)

The total number of responses written to the cache.

bytes_written (integer)

The total number of bytes written to the cache.

bypass

responses (integer)

The total number of responses not looked up in the cache

due to the proxy cache bypass and other “

_cache_bypass”

directives.

bytes (integer)

Nginx, Inc. p.97 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

The total number of bytes read from the proxied server.

responses_written (integer)

The total number of responses written to the cache.

bytes_written (integer)

The total number of bytes written to the cache.

Example:

{

"size" : 530915328,

"max_size" : 536870912,

"cold" : false,

"hit" : {

"responses" : 254032,

"bytes" : 6685627875

"stale" : {

"responses" : 0,

"bytes" : 0

"updating" : {

"responses" : 0,

"bytes" : 0

"revalidated" : {

"responses" : 0,

"bytes" : 0

"miss" : {

"responses" : 1619201,

"bytes" : 53841943822

"expired" : {

"responses" : 45859,

"bytes" : 1656847080,

"responses_written" : 44992,

"bytes_written" : 1641825173

"bypass" : {

"responses" : 200187,

"bytes" : 5510647548,

"responses_written" : 200173,

"bytes_written" : 44992

}

• HTTP Connections Limiting:

passed (integer)

The total number of connections that were neither limited nor

accounted as limited.

rejected (integer)

The total number of connections that were rejected.

rejected_dry_run (integer)

The total number of connections accounted as rejected in the dry

run mode.

Example:

Nginx, Inc. p.98 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

{

"passed" : 15,

"rejected" : 0,

"rejected_dry_run" : 2

}

• HTTP Requests Rate Limiting:

passed (integer)

The total number of requests that were neither limited nor

accounted as limited.

delayed (integer)

The total number of requests that were delayed.

rejected (integer)

The total number of requests that were rejected.

delayed_dry_run (integer)

The total number of requests accounted as delayed in the dry run

mode.

rejected_dry_run (integer)

The total number of requests accounted as rejected in the dry run

mode.

Example:

{

"passed" : 15,

"delayed" : 4,

"rejected" : 0,

"delayed_dry_run" : 1,

"rejected_dry_run" : 2

}

• HTTP Upstream:

peers

An array of:

id (integer)

The ID of the server.

server (string)

An address of the server.

service (string)

The service parameter value of the server directive.

name (string)

The name of the server speciﬁed in the server directive.

backup (boolean)

A boolean value indicating whether the server is a backup

server.

Nginx, Inc. p.99 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

weight (integer)

Weight of the server.

state (string)

Current state, which may be one of“up”, “draining”,“down”,

“unavail”, “checking”, and “unhealthy”.

active (integer)

The current number of active connections.

ssl

handshakes (integer)

The total number of successful SSL handshakes.

handshakes_failed (integer)

The total number of failed SSL handshakes.

session_reuses (integer)

The total number of session reuses during SSL handshake.

no_common_protocol (integer)

The number of SSL handshakes failed because of no

common protocol.

handshake_timeout (integer)

The number of SSL handshakes failed because of a timeout.

peer_rejected_cert (integer)

The number of failed SSL handshakes when nginx presented

the certiﬁcate to the upstream server but it was rejected

with a corresponding alert message.

verify_failures

SSL certiﬁcate veriﬁcation errors

expired_cert (integer)

An expired or not yet valid certiﬁcate was presented by

an upstream server.

revoked_cert (integer)

A revoked certiﬁcate was presented by an upstream

server.

hostname_mismatch (integer)

Server’s certiﬁcate doesn’t match the hostname.

other (integer)

Other SSL certiﬁcate veriﬁcation errors.

max_conns (integer)

The max conns limit for the server.

requests (integer)

The total number of client requests forwarded to this server.

responses

1xx (integer)

The number of responses with “1xx” status codes.

2xx (integer)

The number of responses with “2xx” status codes.

3xx (integer)

Nginx, Inc. p.100 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

The number of responses with “3xx” status codes.

4xx (integer)

The number of responses with “4xx” status codes.

5xx (integer)

The number of responses with “5xx” status codes.

codes

The number of responses per each status code.

codeNumber (integer)

The number of responses with this particular status code.

total (integer)

The total number of responses obtained from this server.

sent (integer)

The total number of bytes sent to this server.

received (integer)

The total number of bytes received from this server.

fails (integer)

The total number of unsuccessful attempts to communicate

with the server.

unavail (integer)

How many times the server became unavailable for client

requests (state “unavail”) due to the number of unsuccessful

attempts reaching the max

fails threshold.

health_checks

checks (integer)

The total number of health check requests made.

fails (integer)

The number of failed health checks.

unhealthy (integer)

How many times the server became unhealthy (state

“unhealthy”).

last_passed (boolean)

Boolean indicating if the last health check request was

successful and passed tests.

downtime (integer)

Total time the server was in the “unavail”, “checking”, and

“unhealthy” states.

downstart (string)

The time when the server became “unavail”, “checking”,

or “unhealthy”, in the ISO 8601 format with millisecond

resolution.

selected (string)

The time when the server was last selected to process a request,

in the ISO 8601 format with millisecond resolution.

header_time (integer)

The average time to get the response header from the server.

Nginx, Inc. p.101 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

response_time (integer)

The average time to get the full response from the server.

keepalive (integer)

The current number of idle keepalive connections.

zombies (integer)

The current number of servers removed from the group but still

processing active client requests.

zone (string)

The name of the shared memory zone that keeps the group’s

conﬁguration and run-time state.

queue

For the requests queue, the following data are provided:

size (integer)

The current number of requests in the queue.

max_size (integer)

The maximum number of requests that can be in the queue at

the same time.

overflows (integer)

The total number of requests rejected due to the queue overﬂow.

Example:

{

"upstream_backend" : {

"peers" : [

{

"id" : 0,

"server" : "10.0.0.1:8088",

"name" : "10.0.0.1:8088",

"backup" : false,

"weight" : 5,

"state" : "up",

"active" : 0,

"ssl" : {

"handshakes" : 620311,

"handshakes_failed" : 3432,

"session_reuses" : 36442,

"no_common_protocol" : 4,

"handshake_timeout" : 0,

"peer_rejected_cert" : 0,

"verify_failures" : {

"expired_cert" : 2,

"revoked_cert" : 1,

"hostname_mismatch" : 2,

"other" : 1

}

"max_conns" : 20,

"requests" : 667231,

"header_time" : 20,

"response_time" : 36,

"responses" : {

"1xx" : 0,

"2xx" : 666310,

"3xx" : 0,

"4xx" : 915,

"5xx" : 6,

"codes" : {

Nginx, Inc. p.102 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

"200" : 666310,

"404" : 915,

"503" : 6

"total" : 667231

"sent" : 251946292,

"received" : 19222475454,

"fails" : 0,

"unavail" : 0,

"health_checks" : {

"checks" : 26214,

"fails" : 0,

"unhealthy" : 0,

"last_passed" : true

"downtime" : 0,

"downstart" : "2022-06-28T11:09:21.602Z",

"selected" : "2022-06-28T15:01:25.000Z"

{

"id" : 1,

"server" : "10.0.0.1:8089",

"name" : "10.0.0.1:8089",

"backup" : true,

"weight" : 1,

"state" : "unhealthy",

"active" : 0,

"max_conns" : 20,

"requests" : 0,

"responses" : {

"1xx" : 0,

"2xx" : 0,

"3xx" : 0,

"4xx" : 0,

"5xx" : 0,

"codes" : {

"total" : 0

"sent" : 0,

"received" : 0,

"fails" : 0,

"unavail" : 0,

"health_checks" : {

"checks" : 26284,

"fails" : 26284,

"unhealthy" : 1,

"last_passed" : false

"downtime" : 262925617,

"downstart" : "2022-06-28T11:09:21.602Z",

"selected" : "2022-06-28T15:01:25.000Z"

}

"keepalive" : 0,

"zombies" : 0,

"zone" : "upstream_backend"

}

• HTTP Upstream Server:

Dynamically conﬁgurable parameters of an HTTP upstream server:

id (integer)

Nginx, Inc. p.103 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

The ID of the HTTP upstream server. The ID is assigned

automatically and cannot be changed.

server (string)

Same as the address parameter of the HTTP upstream server.

When adding a server, it is possible to specify it as a domain name.

In this case, changes of the IP addresses that correspond to a domain

name will be monitored and automatically applied to the upstream

conﬁguration without the need of restarting nginx. This requires

the resolver directive in the “http” block. See also the resolve

parameter of the HTTP upstream server.

service (string)

Same as the service parameter of the HTTP upstream server. This

parameter cannot be changed.

weight (integer)

Same as the weight parameter of the HTTP upstream server.

max_conns (integer)

Same as the max conns parameter of the HTTP upstream server.

max_fails (integer)

Same as the max fails parameter of the HTTP upstream server.

fail_timeout (string)

Same as the fail timeout parameter of the HTTP upstream server.

slow_start (string)

Same as the slow

start parameter of the HTTP upstream server.

route (string)

Same as the route parameter of the HTTP upstream server.

backup (boolean)

When true, adds a backup server. This parameter cannot be

changed.

down (boolean)

Same as the down parameter of the HTTP upstream server.

drain (boolean)

Same as the drain parameter of the HTTP upstream server.

parent (string)

Parent server ID of the resolved server. The ID is assigned

automatically and cannot be changed.

host (string)

Hostname of the resolved server. The hostname is assigned

automatically and cannot be changed.

Example:

{

"id" : 1,

"server" : "10.0.0.1:8089",

"weight" : 4,

"max_conns" : 0,

"max_fails" : 0,

"fail_timeout" : "10s",

Nginx, Inc. p.104 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

"slow_start" : "10s",

"route" : "",

"backup" : true,

"down" : true

}

• HTTP Keyval Shared Memory Zone:

Contents of an HTTP keyval shared memory zone when using the GET

method.

Example:

{

"key1" : "value1",

"key2" : "value2",

"key3" : "value3"

}

• HTTP Keyval Shared Memory Zone:

Contents of an HTTP keyval shared memory zone when using the POST

or PATCH methods.

Example:

{

"key1" : "value1",

"key2" : "value2",

"key3" : {

"value" : "value3",

"expire" : 30000

}

• Stream Server Zone:

processing (integer)

The number of client connections that are currently being processed.

connections (integer)

The total number of connections accepted from clients.

sessions

The total number of completed sessions, and the number of sessions

completed with status codes “2xx”, “4xx”, or “5xx”.

2xx (integer)

The total number of sessions completed with status codes

“2xx”.

4xx (integer)

The total number of sessions completed with status codes

“4xx”.

5xx (integer)

The total number of sessions completed with status codes

“5xx”.

Nginx, Inc. p.105 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

total (integer)

The total number of completed client sessions.

discarded (integer)

The total number of connections completed without creating a

session.

received (integer)

The total number of bytes received from clients.

sent (integer)

The total number of bytes sent to clients.

ssl

handshakes (integer)

The total number of successful SSL handshakes.

handshakes_failed (integer)

The total number of failed SSL handshakes.

session_reuses (integer)

The total number of session reuses during SSL handshake.

no_common_protocol (integer)

The number of SSL handshakes failed because of no common

protocol.

no_common_cipher (integer)

The number of SSL handshakes failed because of no shared

cipher.

handshake_timeout (integer)

The number of SSL handshakes failed because of a timeout.

peer_rejected_cert (integer)

The number of failed SSL handshakes when nginx presented the

certiﬁcate to the client but it was rejected with a corresponding

alert message.

verify_failures

SSL certiﬁcate veriﬁcation errors

no_cert (integer)

A client did not provide the required certiﬁcate.

expired_cert (integer)

An expired or not yet valid certiﬁcate was presented by a

client.

revoked_cert (integer)

A revoked certiﬁcate was presented by a client.

other (integer)

Other SSL certiﬁcate veriﬁcation errors.

Example:

{

"dns" : {

"processing" : 1,

"connections" : 155569,

"sessions" : {

Nginx, Inc. p.106 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

"2xx" : 155564,

"4xx" : 0,

"5xx" : 0,

"total" : 155569

"discarded" : 0,

"received" : 4200363,

"sent" : 20489184,

"ssl" : {

"handshakes" : 76455,

"handshakes_failed" : 432,

"session_reuses" : 28770,

"no_common_protocol" : 4,

"no_common_cipher" : 2,

"handshake_timeout" : 0,

"peer_rejected_cert" : 0,

"verify_failures" : {

"no_cert" : 0,

"expired_cert" : 2,

"revoked_cert" : 1,

"other" : 1

}

• Stream Connections Limiting:

passed (integer)

The total number of connections that were neither limited nor

accounted as limited.

rejected (integer)

The total number of connections that were rejected.

rejected_dry_run (integer)

The total number of connections accounted as rejected in the dry

run mode.

Example:

{

"passed" : 15,

"rejected" : 0,

"rejected_dry_run" : 2

}

• Stream Upstream:

peers

An array of:

id (integer)

The ID of the server.

server (string)

An address of the server.

service (string)

The service parameter value of the server directive.

Nginx, Inc. p.107 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

name (string)

The name of the server speciﬁed in the server directive.

backup (boolean)

A boolean value indicating whether the server is a backup

server.

weight (integer)

Weight of the server.

state (string)

Current state, which may be one of “up”, “down”, “unavail”,

“checking”, or “unhealthy”.

active (integer)

The current number of connections.

ssl

handshakes (integer)

The total number of successful SSL handshakes.

handshakes_failed (integer)

The total number of failed SSL handshakes.

session_reuses (integer)

The total number of session reuses during SSL handshake.

no_common_protocol (integer)

The number of SSL handshakes failed because of no

common protocol.

handshake_timeout (integer)

The number of SSL handshakes failed because of a timeout.

peer_rejected_cert (integer)

The number of failed SSL handshakes when nginx presented

the certiﬁcate to the upstream server but it was rejected

with a corresponding alert message.

verify_failures

SSL certiﬁcate veriﬁcation errors

expired_cert (integer)

An expired or not yet valid certiﬁcate was presented by

an upstream server.

revoked_cert (integer)

A revoked certiﬁcate was presented by an upstream

server.

hostname_mismatch (integer)

Server’s certiﬁcate doesn’t match the hostname.

other (integer)

Other SSL certiﬁcate veriﬁcation errors.

max_conns (integer)

The max conns limit for the server.

connections (integer)

The total number of client connections forwarded to this server.

connect_time (integer)

Nginx, Inc. p.108 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

The average time to connect to the upstream server.

first_byte_time (integer)

The average time to receive the ﬁrst byte of data.

response_time (integer)

The average time to receive the last byte of data.

sent (integer)

The total number of bytes sent to this server.

received (integer)

The total number of bytes received from this server.

fails (integer)

The total number of unsuccessful attempts to communicate

with the server.

unavail (integer)

How many times the server became unavailable for client

connections (state “unavail”) due to the number of

unsuccessful attempts reaching the max fails threshold.

health_checks

checks (integer)

The total number of health check requests made.

fails (integer)

The number of failed health checks.

unhealthy (integer)

How many times the server became unhealthy (state

“unhealthy”).

last_passed (boolean)

Boolean indicating whether the last health check request

was successful and passed tests.

downtime (integer)

Total time the server was in the “unavail”, “checking”, and

“unhealthy” states.

downstart (string)

The time when the server became “unavail”, “checking”,

or “unhealthy”, in the ISO 8601 format with millisecond

resolution.

selected (string)

The time when the server was last selected to process a

connection, in the ISO 8601 format with millisecond resolution.

zombies (integer)

The current number of servers removed from the group but still

processing active client connections.

zone (string)

The name of the shared memory zone that keeps the group’s

conﬁguration and run-time state.

Example:

Nginx, Inc. p.109 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

{

"dns" : {

"peers" : [

{

"id" : 0,

"server" : "10.0.0.1:12347",

"name" : "10.0.0.1:12347",

"backup" : false,

"weight" : 5,

"state" : "up",

"active" : 0,

"ssl" : {

"handshakes" : 200,

"handshakes_failed" : 4,

"session_reuses" : 189,

"no_common_protocol" : 4,

"handshake_timeout" : 0,

"peer_rejected_cert" : 0,

"verify_failures" : {

"expired_cert" : 2,

"revoked_cert" : 1,

"hostname_mismatch" : 2,

"other" : 1

}

"max_conns" : 50,

"connections" : 667231,

"sent" : 251946292,

"received" : 19222475454,

"fails" : 0,

"unavail" : 0,

"health_checks" : {

"checks" : 26214,

"fails" : 0,

"unhealthy" : 0,

"last_passed" : true

"downtime" : 0,

"downstart" : "2022-06-28T11:09:21.602Z",

"selected" : "2022-06-28T15:01:25.000Z"

{

"id" : 1,

"server" : "10.0.0.1:12348",

"name" : "10.0.0.1:12348",

"backup" : true,

"weight" : 1,

"state" : "unhealthy",

"active" : 0,

"max_conns" : 50,

"connections" : 0,

"sent" : 0,

"received" : 0,

"fails" : 0,

"unavail" : 0,

"health_checks" : {

"checks" : 26284,

"fails" : 26284,

"unhealthy" : 1,

"last_passed" : false

"downtime" : 262925617,

"downstart" : "2022-06-28T11:09:21.602Z",

"selected" : "2022-06-28T15:01:25.000Z"

}

"zombies" : 0,

"zone" : "dns"

}

Nginx, Inc. p.110 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

}

• Stream Upstream Server:

Dynamically conﬁgurable parameters of a stream upstream server:

id (integer)

The ID of the stream upstream server. The ID is assigned

automatically and cannot be changed.

server (string)

Same as the address parameter of the stream upstream server.

When adding a server, it is possible to specify it as a domain name.

In this case, changes of the IP addresses that correspond to a domain

name will be monitored and automatically applied to the upstream

conﬁguration without the need of restarting nginx. This requires

the resolver directive in the “stream” block. See also the resolve

parameter of the stream upstream server.

service (string)

Same as the service parameter of the stream upstream server. This

parameter cannot be changed.

weight (integer)

Same as the weight parameter of the stream upstream server.

max_conns (integer)

Same as the max conns parameter of the stream upstream server.

max_fails (integer)

Same as the max

fails parameter of the stream upstream server.

fail_timeout (string)

Same as the fail timeout parameter of the stream upstream server.

slow_start (string)

Same as the slow start parameter of the stream upstream server.

backup (boolean)

When true, adds a backup server. This parameter cannot be

changed.

down (boolean)

Same as the down parameter of the stream upstream server.

parent (string)

Parent server ID of the resolved server. The ID is assigned

automatically and cannot be changed.

host (string)

Hostname of the resolved server. The hostname is assigned

automatically and cannot be changed.

Example:

{

"id" : 0,

"server" : "10.0.0.1:12348",

"weight" : 1,

Nginx, Inc. p.111 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

"max_conns" : 0,

"max_fails" : 1,

"fail_timeout" : "10s",

"slow_start" : 0,

"backup" : false,

"down" : false

}

• Stream Keyval Shared Memory Zone:

Contents of a stream keyval shared memory zone when using the GET

method.

Example:

{

"key1" : "value1",

"key2" : "value2",

"key3" : "value3"

}

• Stream Keyval Shared Memory Zone:

Contents of a stream keyval shared memory zone when using the POST

or PATCH methods.

Example:

{

"key1" : "value1",

"key2" : "value2",

"key3" : {

"value" : "value3",

"expire" : 30000

}

• Stream Zone Sync Node:

zones

Synchronization information per each shared memory zone.

A collection of ”Sync Zone” objects

status

Synchronization information per node in a cluster.

bytes_in (integer)

The number of bytes received by this node.

msgs_in (integer)

The number of messages received by this node.

msgs_out (integer)

The number of messages sent by this node.

bytes_out (integer)

The number of bytes sent by this node.

nodes_online (integer)

The number of peers this node is connected to.

Nginx, Inc. p.112 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

Example:

{

"zones" : {

"zone1" : {

"records_pending" : 2061,

"records_total" : 260575

"zone2" : {

"records_pending" : 0,

"records_total" : 14749

}

"status" : {

"bytes_in" : 1364923761,

"msgs_in" : 337236,

"msgs_out" : 346717,

"bytes_out" : 1402765472,

"nodes_online" : 15

}

• Sync Zone:

Synchronization status of a shared memory zone.

records_pending (integer)

The number of records that need to be sent to the cluster.

records_total (integer)

The total number of records stored in the shared memory zone.

Resolver Zone:

Statistics of DNS requests and responses per particular resolver zone.

• requests

name (integer)

The total number of requests to resolve names to addresses.

srv (integer)

The total number of requests to resolve SRV records.

addr (integer)

The total number of requests to resolve addresses to names.

responses

noerror (integer)

The total number of successful responses.

formerr (integer)

The total number of FORMERR (Format error) responses.

servfail (integer)

The total number of SERVFAIL (Server failure) re-

sponses.

nxdomain (integer)

The total number of NXDOMAIN (Host not found)

responses.

Nginx, Inc. p.113 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

notimp (integer)

The total number of NOTIMP (Unimplemented) responses.

refused (integer)

The total number of REFUSED (Operation refused)

responses.

timedout (integer)

The total number of timed out requests.

unknown (integer)

The total number of requests completed with an unknown error.

Example:

{

"resolver_zone1" : {

"requests" : {

"name" : 25460,

"srv" : 130,

"addr" : 2580

"responses" : {

"noerror" : 26499,

"formerr" : 0,

"servfail" : 3,

"nxdomain" : 0,

"notimp" : 0,

"refused" : 0,

"timedout" : 243,

"unknown" : 478

}

• Worker process:

The number of requests and connections handled by the worker processes.

id (integer)

The ID of the worker process.

pid (integer)

The PID identiﬁer of the worker process used by the operating

system.

connections

The number of accepted, dropped, active, and idle connections per

worker process.

accepted (integer)

The total number of client connections accepted by the worker

process.

dropped (integer)

The total number of client connections dropped by the worker

process.

active (integer)

The current number of active client connections that are

currently being handled by the worker process.

Nginx, Inc. p.114 of 542

CHAPTER 2. HTTP SERVER MODULES 2.4. MODULE NGX HTTP API MODULE

idle (integer)

The number of idle client connections that are currently being

handled by the worker process.

http

requests

The total number of client requests handled by the worker

process.

total (integer)

The total number of responses sent to clients by the worker

process.

current (integer)

The number of responses that are currently being sent to

clients by the worker process.

Example:

{

"id" : 0,

"pid" : 32212,

"connections" : {

"accepted" : 1,

"dropped" : 0,

"active" : 1,

"idle" : 0

"http" : {

"requests" : {

"total" : 15,

"current" : 1

}

• Error:

nginx error object.

error

status (integer)

HTTP error code.

text (string)

Error description.

code (string)

Internal nginx error code.

request_id (string)

The ID of the request, equals the value of the $request id variable.

href (string)

Link to reference documentation.

Nginx, Inc. p.115 of 542

CHAPTER 2. HTTP SERVER MODULES 2.5. MODULE NGX HTTP AUTH BASIC MODULE

2.5 Module ngx http auth basic module

2.5.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 116

2.5.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 116

2.5.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 116

auth basic . . . . . . . . . . . . . . . . . . . . . . . . . . 116

auth basic user ﬁle . . . . . . . . . . . . . . . . . . . . . 116

2.5.1 Summary

The ngx_http_auth_basic_module module allows limiting access to

resources by validating the user name and password using the “HTTP Basic

Authentication” protocol.

Access can also be limited by address, by the result of subrequest, or

by JWT. Simultaneous limitation of access by address and by password is

controlled by the satisfy directive.

2.5.2 Example Conﬁguration

location / {

auth_basic "closed site";

auth_basic_user_file conf/htpasswd;

}

2.5.3 Directives

auth basic

Syntax: auth_basic string | off;

Default off

Context: http, server, location, limit except

Enables validation of user name and password using the “HTTP Basic

Authentication” protocol. The speciﬁed parameter is used as a realm.

Parameter value can contain variables (1.3.10, 1.2.7). The special value off

cancels the eﬀect of the auth_basic directive inherited from the previous

conﬁguration level.

auth basic user ﬁle

Syntax: auth_basic_user_file ﬁle;

Default —

Context: http, server, location, limit except

Speciﬁes a ﬁle that keeps user names and passwords, in the following format:

# comment

name1:password1

name2:password2:comment

Nginx, Inc. p.116 of 542

CHAPTER 2. HTTP SERVER MODULES 2.5. MODULE NGX HTTP AUTH BASIC MODULE

name3:password3

The ﬁle name can contain variables.

The following password types are supported:

• encrypted with the crypt function; can be generated using the

“htpasswd” utility from the Apache HTTP Server distribution or the

“openssl passwd” command;

• hashed with the Apache variant of the MD5-based password algorithm

(apr1); can be generated with the same tools;

• speciﬁed by the “{scheme}data” syntax (1.0.3+) as described in RFC

2307; currently implemented schemes include PLAIN (an example one,

should not be used), SHA (1.3.13) (plain SHA-1 hashing, should not be

used) and SSHA (salted SHA-1 hashing, used by some software packages,

notably OpenLDAP and Dovecot).

Support for SHA scheme was added only to aid in migration from other

web servers. It should not be used for new passwords, since unsalted

SHA-1 hashing that it employs is vulnerable to rainbow table attacks.

Nginx, Inc. p.117 of 542

CHAPTER 2. HTTP SERVER MODULES 2.6. MODULE NGX HTTP AUTH JWT MODULE

2.6 Module ngx http auth jwt module

2.6.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 118

2.6.2 Supported Algorithms . . . . . . . . . . . . . . . . . . . 118

2.6.3 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 119

2.6.4 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 119

auth jwt . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

auth jwt claim set . . . . . . . . . . . . . . . . . . . . . 119

auth jwt header set . . . . . . . . . . . . . . . . . . . . 120

auth jwt key cache . . . . . . . . . . . . . . . . . . . . . 120

auth jwt key ﬁle . . . . . . . . . . . . . . . . . . . . . . 120

auth jwt key request . . . . . . . . . . . . . . . . . . . . 121

auth jwt leeway . . . . . . . . . . . . . . . . . . . . . . . 121

auth jwt type . . . . . . . . . . . . . . . . . . . . . . . . 122

auth jwt require . . . . . . . . . . . . . . . . . . . . . . 122

2.6.5 Embedded Variables . . . . . . . . . . . . . . . . . . . . 122

2.6.1 Summary

The ngx_http_auth_jwt_module module (1.11.3) implements client

authorization by validating the provided JSON Web Token (JWT) using the

speciﬁed keys. The module supports JSON Web Signature (JWS), JSON Web

Encryption (JWE) (1.19.7), and Nested JWT (1.21.0). The module can be

used for OpenID Connect authentication.

The module may be combined with other access modules, such as

ngx http access module, ngx http auth basic module, and ngx http auth -

request module, via the satisfy directive.

This module is available as part of our commercial subscription.

2.6.2 Supported Algorithms

The module supports the following JSON Web Algorithms.

JWS algorithms:

• HS256, HS384, HS512

• RS256, RS384, RS512

• ES256, ES384, ES512

• EdDSA (Ed25519 and Ed448 signatures) (1.15.7)

Prior to version 1.13.7, only HS256, RS256, ES256 algorithms were

supported.

JWE content encryption algorithms (1.19.7):

Nginx, Inc. p.118 of 542

CHAPTER 2. HTTP SERVER MODULES 2.6. MODULE NGX HTTP AUTH JWT MODULE

• A128CBC-HS256, A192CBC-HS384, A256CBC-HS512

• A128GCM, A192GCM, A256GCM

JWE key management algorithms (1.19.9):

• A128KW, A192KW, A256KW

• A128GCMKW, A192GCMKW, A256GCMKW

• dir - direct use of a shared symmetric key as the content encryption key

• RSA-OAEP, RSA-OAEP-256, RSA-OAEP-384, RSA-OAEP-512

(1.21.0)

2.6.3 Example Conﬁguration

location / {

auth_jwt "closed site";

auth_jwt_key_file conf/keys.json;

}

2.6.4 Directives

auth jwt

Syntax: auth_jwt string [token=$variable] | off;

Default off

Context: http, server, location, limit except

Enables validation of JSON Web Token. The speciﬁed string is used as a

realm. Parameter value can contain variables.

The optional token parameter speciﬁes a variable that contains JSON

Web Token. By default, JWT is passed in the Authorization header as a

Bearer Token. JWT may be also passed as a cookie or a part of a query string:

auth_jwt "closed site" token=$cookie_auth_token;

The special value off cancels the eﬀect of the auth_jwt directive

inherited from the previous conﬁguration level.

auth jwt claim set

Syntax: auth_jwt_claim_set $variable name . . . ;

Default —

Context: http

This directive appeared in version 1.11.10.

Sets the variable to a JWT claim parameter identiﬁed by key names. Name

matching starts from the top level of the JSON tree. For arrays, the variable

keeps a list of array elements separated by commas.

Nginx, Inc. p.119 of 542

CHAPTER 2. HTTP SERVER MODULES 2.6. MODULE NGX HTTP AUTH JWT MODULE

auth_jwt_claim_set $email info e-mail;

auth_jwt_claim_set $job info "job title";

Prior to version 1.13.7, only one key name could be speciﬁed, and the

result was undeﬁned for arrays.

Variable values for tokens encrypted with JWE are available only after

decryption which occurs during the Access phase.

auth jwt header set

Syntax: auth_jwt_header_set $variable name . . . ;

Default —

Context: http

This directive appeared in version 1.11.10.

Sets the variable to a JOSE header parameter identiﬁed by key names.

Name matching starts from the top level of the JSON tree. For arrays, the

variable keeps a list of array elements separated by commas.

Prior to version 1.13.7, only one key name could be speciﬁed, and the

result was undeﬁned for arrays.

auth jwt key cache

Syntax: auth_jwt_key_cache time;

Default 0

Context: http, server, location

This directive appeared in version 1.21.4.

Enables or disables caching of keys obtained from a ﬁle or from a subrequest,

and sets caching time for them. Caching of keys obtained from variables is not

supported. By default, caching of keys is disabled.

auth jwt key ﬁle

Syntax: auth_jwt_key_file ﬁle;

Default —

Context: http, server, location, limit except

Speciﬁes a ﬁle in JSON Web Key Set format for validating JWT signature.

Parameter value can contain variables.

Several auth_jwt_key_file directives can be speciﬁed on the same

level (1.21.1):

auth_jwt_key_file conf/keys.json;

auth_jwt_key_file conf/key.jwk;

Nginx, Inc. p.120 of 542

CHAPTER 2. HTTP SERVER MODULES 2.6. MODULE NGX HTTP AUTH JWT MODULE

If at least one of the speciﬁed keys cannot be loaded or processed, nginx

will return the 500 Internal Server Error error.

auth jwt key request

Syntax: auth_jwt_key_request uri;

Default —

Context: http, server, location, limit except

This directive appeared in version 1.15.6.

Allows retrieving a JSON Web Key Set ﬁle from a subrequest for validating

JWT signature and sets the URI where the subrequest will be sent to.

Parameter value can contain variables. To avoid validation overhead, it is

recommended to cache the key ﬁle:

proxy_cache_path /data/nginx/cache levels=1 keys_zone=foo:10m;

server {

...

location / {

auth_jwt "closed site";

auth_jwt_key_request /jwks_uri;

}

location = /jwks_uri {

internal;

proxy_cache foo;

proxy_pass http://idp.example.com/keys;

}

Several auth_jwt_key_request directives can be speciﬁed on the same

level (1.21.1):

auth_jwt_key_request /jwks_uri;

auth_jwt_key_request /jwks2_uri;

If at least one of the speciﬁed keys cannot be loaded or processed, nginx

will return the 500 Internal Server Error error.

auth jwt leeway

Syntax: auth_jwt_leeway time;

Default 0s

Context: http, server, location

This directive appeared in version 1.13.10.

Sets the maximum allowable leeway to compensate clock skew when

verifying the exp and nbf JWT claims.

Nginx, Inc. p.121 of 542

CHAPTER 2. HTTP SERVER MODULES 2.6. MODULE NGX HTTP AUTH JWT MODULE

auth jwt type

Syntax: auth_jwt_type signed | encrypted | nested;

Default signed

Context: http, server, location, limit except

This directive appeared in version 1.19.7.

Speciﬁes which type of JSON Web Token to expect: JWS (signed), JWE

(encrypted), or signed and then encrypted Nested JWT (nested) (1.21.0).

auth jwt require

Syntax: auth_jwt_require $value . . . [error=401 | 403] ;

Default —

Context: http, server, location, limit except

This directive appeared in version 1.21.2.

Speciﬁes additional checks for JWT validation. The value can contain text,

variables, and their combination, and must start with a variable (1.21.7). The

authentication will succeed only if all the values are not empty and are not

equal to “0”.

map $jwt_claim_iss $valid_jwt_iss {

"good" 1;

}

...

auth_jwt_require $valid_jwt_iss;

If any of the checks fails, the 401 error code is returned. The optional

error parameter (1.21.7) allows redeﬁning the error code to 403.

2.6.5 Embedded Variables

The ngx_http_auth_jwt_module module supports embedded vari-

ables:

$jwt header name

returns the value of a speciﬁed JOSE header

$jwt claim name

returns the value of a speciﬁed JWT claim

For nested claims and claims including a dot (“.”), the value of the

variable cannot be evaluated; the auth jwt claim set directive should

be used instead.

Variable values for tokens encrypted with JWE are available only after

decryption which occurs during the Access phase.

$jwt payload

returns the decrypted top-level payload of nested or encrypted

tokens (1.21.2). For nested tokens returns the enclosed JWS token. For

encrypted tokens returns JSON with claims.

Nginx, Inc. p.122 of 542

CHAPTER 2. HTTP SERVER MODULES 2.7. MODULE NGX HTTP AUTH REQUEST MODULE

2.7 Module ngx http auth request module

2.7.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 123

2.7.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 123

2.7.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 123

auth request . . . . . . . . . . . . . . . . . . . . . . . . . 123

auth request set . . . . . . . . . . . . . . . . . . . . . . 124

2.7.1 Summary

The ngx_http_auth_request_module module (1.5.4+) implements

client authorization based on the result of a subrequest. If the subrequest

returns a 2xx response code, the access is allowed. If it returns 401 or 403, the

access is denied with the corresponding error code. Any other response code

returned by the subrequest is considered an error.

For the 401 error, the client also receives the WWW-Authenticate header

from the subrequest response.

This module is not built by default, it should be enabled with the

--with-http_auth_request_module conﬁguration parameter.

The module may be combined with other access modules, such as ngx -

http access module, ngx http auth basic module, and ngx http auth jwt -

module, via the satisfy directive.

Before version 1.7.3, responses to authorization subrequests could not be

cached (using proxy cache, proxy store, etc.).

2.7.2 Example Conﬁguration

location /private/ {

auth_request /auth;

...

}

location = /auth {

proxy_pass ...

proxy_pass_request_body off;

proxy_set_header Content-Length "";

proxy_set_header X-Original-URI $request_uri;

}

2.7.3 Directives

auth request

Syntax: auth_request uri | off;

Default off

Context: http, server, location

Nginx, Inc. p.123 of 542

CHAPTER 2. HTTP SERVER MODULES 2.7. MODULE NGX HTTP AUTH REQUEST MODULE

Enables authorization based on the result of a subrequest and sets the URI

to which the subrequest will be sent.

auth request set

Syntax: auth_request_set $variable value;

Default —

Context: http, server, location

Sets the request variable to the given value after the authorization request

completes. The value may contain variables from the authorization request,

such as $upstream http *.

Nginx, Inc. p.124 of 542

CHAPTER 2. HTTP SERVER MODULES 2.8. MODULE NGX HTTP AUTOINDEX MODULE

2.8 Module ngx http autoindex module

2.8.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 125

2.8.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 125

2.8.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 125

autoindex . . . . . . . . . . . . . . . . . . . . . . . . . . 125

autoindex exact size . . . . . . . . . . . . . . . . . . . . 125

autoindex format . . . . . . . . . . . . . . . . . . . . . . 125

autoindex localtime . . . . . . . . . . . . . . . . . . . . . 126

2.8.1 Summary

The ngx_http_autoindex_module module processes requests ending

with the slash character (‘/’) and produces a directory listing. Usually a

request is passed to the ngx_http_autoindex_module module when the

ngx http index module module cannot ﬁnd an index ﬁle.

2.8.2 Example Conﬁguration

location / {

autoindex on;

}

2.8.3 Directives

autoindex

Syntax: autoindex on | off;

Default off

Context: http, server, location

Enables or disables the directory listing output.

autoindex exact size

Syntax: autoindex_exact_size on | off;

Default on

Context: http, server, location

For the HTML format, speciﬁes whether exact ﬁle sizes should be output in

the directory listing, or rather rounded to kilobytes, megabytes, and gigabytes.

autoindex format

Syntax: autoindex_format html | xml | json | jsonp;

Default html

Context: http, server, location

This directive appeared in version 1.7.9.

Nginx, Inc. p.125 of 542

CHAPTER 2. HTTP SERVER MODULES 2.8. MODULE NGX HTTP AUTOINDEX MODULE

Sets the format of a directory listing.

When the JSONP format is used, the name of a callback function is set

with the callback request argument. If the argument is missing or has an

empty value, then the JSON format is used.

The XML output can be transformed using the ngx http xslt module

module.

autoindex localtime

Syntax: autoindex_localtime on | off;

Default off

Context: http, server, location

For the HTML format, speciﬁes whether times in the directory listing

should be output in the local time zone or UTC.

Nginx, Inc. p.126 of 542

CHAPTER 2. HTTP SERVER MODULES 2.9. MODULE NGX HTTP BROWSER MODULE

2.9 Module ngx http browser module

2.9.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 127

2.9.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 127

2.9.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 128

ancient browser . . . . . . . . . . . . . . . . . . . . . . . 128

ancient browser value . . . . . . . . . . . . . . . . . . . 128

modern browser . . . . . . . . . . . . . . . . . . . . . . . 128

modern browser value . . . . . . . . . . . . . . . . . . . 128

2.9.1 Summary

The ngx_http_browser_module module creates variables whose

values depend on the value of the User-Agent request header ﬁeld:

$modern browser

equals the value set by the modern browser value directive, if a browser

was identiﬁed as modern;

$ancient browser

equals the value set by the ancient browser value directive, if a browser

was identiﬁed as ancient;

$msie

equals “1” if a browser was identiﬁed as MSIE of any version.

2.9.2 Example Conﬁguration

Choosing an index ﬁle:

modern_browser_value "modern.";

modern_browser msie 5.5;

modern_browser gecko 1.0.0;

modern_browser opera 9.0;

modern_browser safari 413;

modern_browser konqueror 3.0;

index index.${modern_browser}html index.html;

Redirection for old browsers:

modern_browser msie 5.0;

modern_browser gecko 0.9.1;

modern_browser opera 8.0;

modern_browser safari 413;

modern_browser konqueror 3.0;

modern_browser unlisted;

ancient_browser Links Lynx netscape4;

if ($ancient_browser) {

rewrite ^ /ancient.html;

}

Nginx, Inc. p.127 of 542

CHAPTER 2. HTTP SERVER MODULES 2.9. MODULE NGX HTTP BROWSER MODULE

2.9.3 Directives

ancient browser

Syntax: ancient_browser string . . . ;

Default —

Context: http, server, location

If any of the speciﬁed substrings is found in the User-Agent request

header ﬁeld, the browser will be considered ancient. The special string

“netscape4” corresponds to the regular expression “ˆMozilla/[1-4]”.

ancient browser value

Syntax: ancient_browser_value string;

Default 1

Context: http, server, location

Sets a value for the $ancient browser variables.

modern browser

Syntax: modern_browser browser version;

Syntax: modern_browser unlisted;

Default —

Context: http, server, location

Speciﬁes a version starting from which a browser is considered modern. A

browser can be any one of the following: msie, gecko (browsers based on

Mozilla), opera, safari, or konqueror.

Versions can be speciﬁed in the following formats: X, X.X, X.X.X, or

X.X.X.X. The maximum values for each of the format are 4000, 4000.99,

4000.99.99, and 4000.99.99.99, respectively.

The special value unlisted speciﬁes to consider a browser as modern if

it was not listed by the modern_browser and ancient browser directives.

Otherwise such a browser is considered ancient. If a request does not provide

the User-Agent ﬁeld in the header, the browser is treated as not being listed.

modern browser value

Syntax: modern_browser_value string;

Default 1

Context: http, server, location

Sets a value for the $modern browser variables.

Nginx, Inc. p.128 of 542

CHAPTER 2. HTTP SERVER MODULES 2.10. MODULE NGX HTTP CHARSET MODULE

2.10 Module ngx http charset module

2.10.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 129

2.10.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 129

2.10.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 129

charset . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

charset map . . . . . . . . . . . . . . . . . . . . . . . . . 130

charset types . . . . . . . . . . . . . . . . . . . . . . . . 131

override charset . . . . . . . . . . . . . . . . . . . . . . . 131

source charset . . . . . . . . . . . . . . . . . . . . . . . . 131

2.10.1 Summary

The ngx_http_charset_module module adds the speciﬁed charset

to the Content-Type response header ﬁeld. In addition, the module can

convert data from one charset to another, with some limitations:

• conversion is performed one way — from server to client,

• only single-byte charsets can be converted

• or single-byte charsets to/from UTF-8.

2.10.2 Example Conﬁguration

include conf/koi-win;

charset windows-1251;

source_charset koi8-r;

2.10.3 Directives

charset

Syntax: charset charset | off;

Default off

Context: http, server, location, if in location

Adds the speciﬁed charset to the Content-Type response header ﬁeld.

If this charset is diﬀerent from the charset speciﬁed in the source charset

directive, a conversion is performed.

The parameter off cancels the addition of charset to the Content-Type

response header ﬁeld.

A charset can be deﬁned with a variable:

charset $charset;

Nginx, Inc. p.129 of 542

CHAPTER 2. HTTP SERVER MODULES 2.10. MODULE NGX HTTP CHARSET MODULE

In such a case, all possible values of a variable need to be present in the

conﬁguration at least once in the form of the charset map, charset, or source -

charset directives. For utf-8, windows-1251, and koi8-r charsets, it is

suﬃcient to include the ﬁles conf/koi-win, conf/koi-utf, and conf¬

/win-utf into conﬁguration. For other charsets, simply making a ﬁctitious

conversion table works, for example:

charset_map iso-8859-5 _ { }

In addition, a charset can be set in the X-Accel-Charset response

header ﬁeld. This capability can be disabled using the proxy ignore headers,

fastcgi ignore headers, uwsgi ignore headers, scgi ignore headers, and grpc -

ignore headers directives.

charset map

Syntax: charset_map charset1 charset2 { . . . }

Default —

Context: http

Describes the conversion table from one charset to another. A reverse

conversion table is built using the same data. Character codes are given in

hexadecimal. Missing characters in the range 80-FF are replaced with “?”.

When converting from UTF-8, characters missing in a one-byte charset are

replaced with “&#XXXX;”.

Example:

charset_map koi8-r windows-1251 {

C0 FE ; # small yu

C1 E0 ; # small a

C2 E1 ; # small b

C3 F6 ; # small ts

...

}

When describing a conversion table to UTF-8, codes for the UTF-8 charset

should be given in the second column, for example:

charset_map koi8-r utf-8 {

C0 D18E ; # small yu

C1 D0B0 ; # small a

C2 D0B1 ; # small b

C3 D186 ; # small ts

...

}

Full conversion tables from koi8-r to windows-1251, and from koi8-r

and windows-1251 to utf-8 are provided in the distribution ﬁles conf/¬

koi-win, conf/koi-utf, and conf/win-utf.

Nginx, Inc. p.130 of 542

CHAPTER 2. HTTP SERVER MODULES 2.10. MODULE NGX HTTP CHARSET MODULE

charset types

Syntax: charset_types mime-type . . . ;

Default text/html text/xml text/plain text/vnd.wap.wml

application/javascript application/rss+xml

Context: http, server, location

This directive appeared in version 0.7.9.

Enables module processing in responses with the speciﬁed MIME types in

addition to “text/html”. The special value “

” matches any MIME type

(0.8.29).

Until version 1.5.4, “application/x-javascript” was used as the

default MIME type instead of “application/javascript”.

override charset

Syntax: override_charset on | off;

Default off

Context: http, server, location, if in location

Determines whether a conversion should be performed for answers received

from a proxied or a FastCGI/uwsgi/SCGI/gRPC server when the answers

already carry a charset in the Content-Type response header ﬁeld. If

conversion is enabled, a charset speciﬁed in the received response is used as a

source charset.

It should be noted that if a response is received in a subrequest then the

conversion from the response charset to the main request charset is always

performed, regardless of the override_charset directive setting.

source charset

Syntax: source_charset charset;

Default —

Context: http, server, location, if in location

Deﬁnes the source charset of a response. If this charset is diﬀerent from

the charset speciﬁed in the charset directive, a conversion is performed.

Nginx, Inc. p.131 of 542

CHAPTER 2. HTTP SERVER MODULES 2.11. MODULE NGX HTTP DAV MODULE

2.11 Module ngx http dav module

2.11.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 132

2.11.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 132

2.11.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 132

create full put path . . . . . . . . . . . . . . . . . . . . . 132

dav access . . . . . . . . . . . . . . . . . . . . . . . . . . 133

dav methods . . . . . . . . . . . . . . . . . . . . . . . . 133

min delete depth . . . . . . . . . . . . . . . . . . . . . . 133

2.11.1 Summary

The ngx_http_dav_module module is intended for ﬁle management

automation via the WebDAV protocol. The module processes HTTP and

WebDAV methods PUT, DELETE, MKCOL, COPY, and MOVE.

This module is not built by default, it should be enabled with the

--with-http_dav_module conﬁguration parameter.

WebDAV clients that require additional WebDAV methods to operate will

not work with this module.

2.11.2 Example Conﬁguration

location / {

root /data/www;

client_body_temp_path /data/client_temp;

dav_methods PUT DELETE MKCOL COPY MOVE;

create_full_put_path on;

dav_access group:rw all:r;

limit_except GET {

allow 192.168.1.0/32;

deny all;

}

2.11.3 Directives

create full put path

Syntax: create_full_put_path on | off;

Default off

Context: http, server, location

The WebDAV speciﬁcation only allows creating ﬁles in already existing

directories. This directive allows creating all needed intermediate directories.

Nginx, Inc. p.132 of 542

CHAPTER 2. HTTP SERVER MODULES 2.11. MODULE NGX HTTP DAV MODULE

dav access

Syntax: dav_access users:permissions . . . ;

Default user:rw

Context: http, server, location

Sets access permissions for newly created ﬁles and directories, e.g.:

dav_access user:rw group:rw all:r;

If any group or all access permissions are speciﬁed then user

permissions may be omitted:

dav_access group:rw all:r;

dav methods

Syntax: dav_methods off | method . . . ;

Default off

Context: http, server, location

Allows the speciﬁed HTTP and WebDAV methods. The parameter off

denies all methods processed by this module. The following methods are

supported: PUT, DELETE, MKCOL, COPY, and MOVE.

A ﬁle uploaded with the PUT method is ﬁrst written to a temporary ﬁle,

and then the ﬁle is renamed. Starting from version 0.8.9, temporary ﬁles and

the persistent store can be put on diﬀerent ﬁle systems. However, be aware

that in this case a ﬁle is copied across two ﬁle systems instead of the cheap

renaming operation. It is thus recommended that for any given location both

saved ﬁles and a directory holding temporary ﬁles, set by the client body -

temp path directive, are put on the same ﬁle system.

When creating a ﬁle with the PUT method, it is possible to specify the

modiﬁcation date by passing it in the Date header ﬁeld.

min delete depth

Syntax: min_delete_depth number;

Default 0

Context: http, server, location

Allows the DELETE method to remove ﬁles provided that the number of

elements in a request path is not less than the speciﬁed number. For example,

the directive

min_delete_depth 4;

allows removing ﬁles on requests

/users/00/00/name

/users/00/00/name/pic.jpg

Nginx, Inc. p.133 of 542

CHAPTER 2. HTTP SERVER MODULES 2.11. MODULE NGX HTTP DAV MODULE

/users/00/00/page.html

and denies the removal of

/users/00/00

Nginx, Inc. p.134 of 542

CHAPTER 2. HTTP SERVER MODULES 2.12. MODULE NGX HTTP EMPTY GIF MODULE

2.12 Module ngx http empty gif module

2.12.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 135

2.12.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 135

2.12.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 135

empty gif . . . . . . . . . . . . . . . . . . . . . . . . . . 135

2.12.1 Summary

The ngx_http_empty_gif_module module emits single-pixel trans-

parent GIF.

2.12.2 Example Conﬁguration

location = /_.gif {

empty_gif;

}

2.12.3 Directives

empty gif

Syntax: empty_gif;

Default —

Context: location

Turns on module processing in a surrounding location.

Nginx, Inc. p.135 of 542

CHAPTER 2. HTTP SERVER MODULES 2.13. MODULE NGX HTTP F4F MODULE

2.13 Module ngx http f4f module

2.13.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 136

2.13.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 136

2.13.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 136

f4f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

f4f buﬀer size . . . . . . . . . . . . . . . . . . . . . . . . 136

2.13.1 Summary

The ngx_http_f4f_module module provides server-side support for

Adobe HTTP Dynamic Streaming (HDS).

This module implements handling of HTTP Dynamic Streaming requests

in the “/videoSeg1-Frag1” form — extracting the needed fragment from

the videoSeg1.f4f ﬁle using the videoSeg1.f4x index ﬁle. This module

is an alternative to the Adobe’s f4f module (HTTP Origin Module) for Apache.

Usual pre-processing with Adobe’s f4fpackager is required, see relevant

documentation for details.

This module is available as part of our commercial subscription.

2.13.2 Example Conﬁguration

location /video/ {

f4f;

...

}

2.13.3 Directives

f4f

Syntax: f4f;

Default —

Context: location

Turns on module processing in the surrounding location.

f4f buﬀer size

Syntax: f4f_buffer_size size;

Default 512k

Context: http, server, location

Sets the size of the buﬀer used for reading the .f4x index ﬁle.

Nginx, Inc. p.136 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

2.14 Module ngx http fastcgi module

2.14.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 138

2.14.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 138

2.14.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 138

fastcgi bind . . . . . . . . . . . . . . . . . . . . . . . . . 138

fastcgi buﬀer size . . . . . . . . . . . . . . . . . . . . . . 139

fastcgi buﬀering . . . . . . . . . . . . . . . . . . . . . . . 139

fastcgi buﬀers . . . . . . . . . . . . . . . . . . . . . . . . 139

fastcgi busy buﬀers size . . . . . . . . . . . . . . . . . . 140

fastcgi cache . . . . . . . . . . . . . . . . . . . . . . . . . 140

fastcgi cache background update . . . . . . . . . . . . . 140

fastcgi cache bypass . . . . . . . . . . . . . . . . . . . . 140

fastcgi cache key . . . . . . . . . . . . . . . . . . . . . . 141

fastcgi cache lock . . . . . . . . . . . . . . . . . . . . . . 141

fastcgi cache lock age . . . . . . . . . . . . . . . . . . . 141

fastcgi cache lock timeout . . . . . . . . . . . . . . . . . 141

fastcgi cache max range oﬀset . . . . . . . . . . . . . . . 142

fastcgi cache methods . . . . . . . . . . . . . . . . . . . 142

fastcgi cache min uses . . . . . . . . . . . . . . . . . . . 142

fastcgi cache path . . . . . . . . . . . . . . . . . . . . . 142

fastcgi cache purge . . . . . . . . . . . . . . . . . . . . . 144

fastcgi cache revalidate . . . . . . . . . . . . . . . . . . . 145

fastcgi cache use stale . . . . . . . . . . . . . . . . . . . 145

fastcgi cache valid . . . . . . . . . . . . . . . . . . . . . 146

fastcgi catch stderr . . . . . . . . . . . . . . . . . . . . . 146

fastcgi connect timeout . . . . . . . . . . . . . . . . . . 147

fastcgi force ranges . . . . . . . . . . . . . . . . . . . . . 147

fastcgi hide header . . . . . . . . . . . . . . . . . . . . . 147

fastcgi ignore client abort . . . . . . . . . . . . . . . . . 147

fastcgi ignore headers . . . . . . . . . . . . . . . . . . . 148

fastcgi index . . . . . . . . . . . . . . . . . . . . . . . . . 148

fastcgi intercept errors . . . . . . . . . . . . . . . . . . . 148

fastcgi keep conn . . . . . . . . . . . . . . . . . . . . . . 149

fastcgi limit rate . . . . . . . . . . . . . . . . . . . . . . 149

fastcgi max temp ﬁle size . . . . . . . . . . . . . . . . . 149

fastcgi next upstream . . . . . . . . . . . . . . . . . . . 149

fastcgi next upstream timeout . . . . . . . . . . . . . . . 150

fastcgi next upstream tries . . . . . . . . . . . . . . . . . 151

fastcgi no cache . . . . . . . . . . . . . . . . . . . . . . . 151

fastcgi param . . . . . . . . . . . . . . . . . . . . . . . . 151

fastcgi pass . . . . . . . . . . . . . . . . . . . . . . . . . 152

fastcgi pass header . . . . . . . . . . . . . . . . . . . . . 152

fastcgi pass request body . . . . . . . . . . . . . . . . . 152

fastcgi pass request headers . . . . . . . . . . . . . . . . 153

fastcgi read timeout . . . . . . . . . . . . . . . . . . . . 153

Nginx, Inc. p.137 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi request buﬀering . . . . . . . . . . . . . . . . . . 153

fastcgi send lowat . . . . . . . . . . . . . . . . . . . . . . 153

fastcgi send timeout . . . . . . . . . . . . . . . . . . . . 154

fastcgi socket keepalive . . . . . . . . . . . . . . . . . . . 154

fastcgi split path info . . . . . . . . . . . . . . . . . . . 154

fastcgi store . . . . . . . . . . . . . . . . . . . . . . . . . 154

fastcgi store access . . . . . . . . . . . . . . . . . . . . . 155

fastcgi temp ﬁle write size . . . . . . . . . . . . . . . . . 156

fastcgi temp path . . . . . . . . . . . . . . . . . . . . . . 156

2.14.4 Parameters Passed to a FastCGI Server . . . . . . . . . . 156

2.14.5 Embedded Variables . . . . . . . . . . . . . . . . . . . . 156

2.14.1 Summary

The ngx_http_fastcgi_module module allows passing requests to a

FastCGI server.

2.14.2 Example Conﬁguration

location / {

fastcgi_pass localhost:9000;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /home/www/scripts/php$fastcgi_script_name;

fastcgi_param QUERY_STRING $query_string;

fastcgi_param REQUEST_METHOD $request_method;

fastcgi_param CONTENT_TYPE $content_type;

fastcgi_param CONTENT_LENGTH $content_length;

}

2.14.3 Directives

fastcgi bind

Syntax: fastcgi_bind address [transparent] | off;

Default —

Context: http, server, location

This directive appeared in version 0.8.22.

Makes outgoing connections to a FastCGI server originate from the

speciﬁed local IP address with an optional port (1.11.2). Parameter value can

contain variables (1.3.12). The special value off (1.3.12) cancels the eﬀect of

the fastcgi_bind directive inherited from the previous conﬁguration level,

which allows the system to auto-assign the local IP address and port.

The transparent parameter (1.11.0) allows outgoing connections to a

FastCGI server originate from a non-local IP address, for example, from a real

IP address of a client:

fastcgi_bind $remote_addr transparent;

Nginx, Inc. p.138 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

In order for this parameter to work, it is usually necessary to run nginx

worker processes with the superuser privileges. On Linux it is not required

(1.13.8) as if the transparent parameter is speciﬁed, worker processes

inherit the CAP_NET_RAW capability from the master process. It is also

necessary to conﬁgure kernel routing table to intercept network traﬃc from

the FastCGI server.

fastcgi buﬀer size

Syntax: fastcgi_buffer_size size;

Default 4k|8k

Context: http, server, location

Sets the size of the buﬀer used for reading the ﬁrst part of the response

received from the FastCGI server. This part usually contains a small response

header. By default, the buﬀer size is equal to one memory page. This is either

4K or 8K, depending on a platform. It can be made smaller, however.

fastcgi buﬀering

Syntax: fastcgi_buffering on | off;

Default on

Context: http, server, location

This directive appeared in version 1.5.6.

Enables or disables buﬀering of responses from the FastCGI server.

When buﬀering is enabled, nginx receives a response from the FastCGI

server as soon as possible, saving it into the buﬀers set by the fastcgi buﬀer -

size and fastcgi buﬀers directives. If the whole response does not ﬁt into

memory, a part of it can be saved to a temporary ﬁle on the disk. Writing

to temporary ﬁles is controlled by the fastcgi max temp ﬁle size and fastcgi -

temp ﬁle write size directives.

When buﬀering is disabled, the response is passed to a client synchronously,

immediately as it is received. nginx will not try to read the whole response

from the FastCGI server. The maximum size of the data that nginx can receive

from the server at a time is set by the fastcgi buﬀer size directive.

Buﬀering can also be enabled or disabled by passing “yes” or “no” in the

X-Accel-Buffering response header ﬁeld. This capability can be disabled

using the fastcgi ignore headers directive.

fastcgi buﬀers

Syntax: fastcgi_buffers number size;

Default 8 4k|8k

Context: http, server, location

Sets the number and size of the buﬀers used for reading a response from

the FastCGI server, for a single connection. By default, the buﬀer size is equal

to one memory page. This is either 4K or 8K, depending on a platform.

Nginx, Inc. p.139 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi busy buﬀers size

Syntax: fastcgi_busy_buffers_size size;

Default 8k|16k

Context: http, server, location

When buﬀering of responses from the FastCGI server is enabled, limits the

total size of buﬀers that can be busy sending a response to the client while the

response is not yet fully read. In the meantime, the rest of the buﬀers can be

used for reading the response and, if needed, buﬀering part of the response to

a temporary ﬁle. By default, size is limited by the size of two buﬀers set by

the fastcgi buﬀer size and fastcgi buﬀers directives.

fastcgi

cache

Syntax: fastcgi_cache zone | off;

Default off

Context: http, server, location

Deﬁnes a shared memory zone used for caching. The same zone can be

used in several places. Parameter value can contain variables (1.7.9). The off

parameter disables caching inherited from the previous conﬁguration level.

fastcgi cache background update

Syntax: fastcgi_cache_background_update on | off;

Default off

Context: http, server, location

This directive appeared in version 1.11.10.

Allows starting a background subrequest to update an expired cache item,

while a stale cached response is returned to the client. Note that it is necessary

to allow the usage of a stale cached response when it is being updated.

fastcgi cache bypass

Syntax: fastcgi_cache_bypass string . . . ;

Default —

Context: http, server, location

Deﬁnes conditions under which the response will not be taken from a cache.

If at least one value of the string parameters is not empty and is not equal to

“0” then the response will not be taken from the cache:

fastcgi_cache_bypass $cookie_nocache $arg_nocache$arg_comment;

fastcgi_cache_bypass $http_pragma $http_authorization;

Can be used along with the fastcgi no cache directive.

Nginx, Inc. p.140 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi cache key

Syntax: fastcgi_cache_key string;

Default —

Context: http, server, location

Deﬁnes a key for caching, for example

fastcgi_cache_key localhost:9000$request_uri;

fastcgi cache lock

Syntax: fastcgi_cache_lock on | off;

Default off

Context: http, server, location

This directive appeared in version 1.1.12.

When enabled, only one request at a time will be allowed to populate a new

cache element identiﬁed according to the fastcgi cache key directive by passing

a request to a FastCGI server. Other requests of the same cache element will

either wait for a response to appear in the cache or the cache lock for this

element to be released, up to the time set by the fastcgi cache lock timeout

directive.

fastcgi cache lock age

Syntax: fastcgi_cache_lock_age time;

Default 5s

Context: http, server, location

This directive appeared in version 1.7.8.

If the last request passed to the FastCGI server for populating a new cache

element has not completed for the speciﬁed time, one more request may be

passed to the FastCGI server.

fastcgi cache lock timeout

Syntax: fastcgi_cache_lock_timeout time;

Default 5s

Context: http, server, location

This directive appeared in version 1.1.12.

Sets a timeout for fastcgi cache lock. When the time expires, the request

will be passed to the FastCGI server, however, the response will not be cached.

Before 1.7.8, the response could be cached.

Nginx, Inc. p.141 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi cache max range oﬀset

Syntax: fastcgi_cache_max_range_offset number;

Default —

Context: http, server, location

This directive appeared in version 1.11.6.

Sets an oﬀset in bytes for byte-range requests. If the range is beyond the

oﬀset, the range request will be passed to the FastCGI server and the response

will not be cached.

fastcgi cache methods

Syntax: fastcgi_cache_methods GET | HEAD | POST . . . ;

Default GET HEAD

Context: http, server, location

This directive appeared in version 0.7.59.

If the client request method is listed in this directive then the response will

be cached. “GET” and “HEAD” methods are always added to the list, though

it is recommended to specify them explicitly. See also the fastcgi no cache

directive.

fastcgi cache min uses

Syntax: fastcgi_cache_min_uses number;

Default 1

Context: http, server, location

Sets the number of requests after which the response will be cached.

fastcgi cache path

Syntax: fastcgi_cache_path path [levels=levels]

[use_temp_path=on|off] keys_zone=name:size [inactive=time]

[max_size=size] [min_free=size] [manager_files=number]

[manager_sleep=time] [manager_threshold=time]

[loader_files=number] [loader_sleep=time]

[loader_threshold=time] [purger=on|off]

[purger_files=number] [purger_sleep=time]

[purger_threshold=time];

Default —

Context: http

Sets the path and other parameters of a cache. Cache data are stored in

ﬁles. Both the key and ﬁle name in a cache are a result of applying the MD5

function to the proxied URL.

The levels parameter deﬁnes hierarchy levels of a cache: from 1 to 3,

each level accepts values 1 or 2. For example, in the following conﬁguration

Nginx, Inc. p.142 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;

ﬁle names in a cache will look like this:

/data/nginx/cache/c/29/b7f54b2df7773722d382f4809d65029c

A cached response is ﬁrst written to a temporary ﬁle, and then the ﬁle is

renamed. Starting from version 0.8.9, temporary ﬁles and the cache can be put

on diﬀerent ﬁle systems. However, be aware that in this case a ﬁle is copied

across two ﬁle systems instead of the cheap renaming operation. It is thus

recommended that for any given location both cache and a directory holding

temporary ﬁles are put on the same ﬁle system. A directory for temporary ﬁles

is set based on the use_temp_path parameter (1.7.10). If this parameter

is omitted or set to the value on, the directory set by the fastcgi temp -

path directive for the given location will be used. If the value is set to off,

temporary ﬁles will be put directly in the cache directory.

In addition, all active keys and information about data are stored in a

shared memory zone, whose name and size are conﬁgured by the keys_zone

parameter. One megabyte zone can store about 8 thousand keys.

As part of commercial subscription, the shared memory zone also stores

extended cache information, thus, it is required to specify a larger zone size

for the same number of keys. For example, one megabyte zone can store

about 4 thousand keys.

Cached data that are not accessed during the time speciﬁed by the

inactive parameter get removed from the cache regardless of their freshness.

By default, inactive is set to 10 minutes.

The special “cache manager” process monitors the maximum cache size set

by the max_size parameter, and the minimum amount of free space set by the

min_free (1.19.1) parameter on the ﬁle system with cache. When the size

is exceeded or there is not enough free space, it removes the least recently

used data. The data is removed in iterations conﬁgured by manager_-

files, manager_threshold, and manager_sleep parameters (1.11.5).

During one iteration no more than manager_files items are deleted (by

default, 100). The duration of one iteration is limited by the manager_-

threshold parameter (by default, 200 milliseconds). Between iterations,

a pause conﬁgured by the manager_sleep parameter (by default, 50

milliseconds) is made.

A minute after the start the special “cache loader” process is activated. It

loads information about previously cached data stored on ﬁle system into a

cache zone. The loading is also done in iterations. During one iteration no

more than loader_files items are loaded (by default, 100). Besides, the

duration of one iteration is limited by the loader_threshold parameter

(by default, 200 milliseconds). Between iterations, a pause conﬁgured by the

loader_sleep parameter (by default, 50 milliseconds) is made.

Nginx, Inc. p.143 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

Additionally, the following parameters are available as part of our

commercial subscription:

purger=on|off

Instructs whether cache entries that match a wildcard key will be

removed from the disk by the cache purger (1.7.12). Setting the

parameter to on (default is off) will activate the “cache purger” process

that permanently iterates through all cache entries and deletes the entries

that match the wildcard key.

purger_files=number

Sets the number of items that will be scanned during one iteration

(1.7.12). By default, purger_files is set to 10.

purger_threshold=number

Sets the duration of one iteration (1.7.12). By default, purger_-

threshold is set to 50 milliseconds.

purger_sleep=number

Sets a pause between iterations (1.7.12). By default, purger_sleep is

set to 50 milliseconds.

In versions 1.7.3, 1.7.7, and 1.11.10 cache header format has been changed.

Previously cached responses will be considered invalid after upgrading to a

newer nginx version.

fastcgi cache purge

Syntax: fastcgi_cache_purgestring . . . ;

Default —

Context: http, server, location

This directive appeared in version 1.5.7.

Deﬁnes conditions under which the request will be considered a cache purge

request. If at least one value of the string parameters is not empty and

is not equal to “0” then the cache entry with a corresponding cache key is

removed. The result of successful operation is indicated by returning the 204

No Content response.

If the cache key of a purge request ends with an asterisk (“

”), all cache

entries matching the wildcard key will be removed from the cache. However,

these entries will remain on the disk until they are deleted for either inactivity,

or processed by the cache purger (1.7.12), or a client attempts to access them.

Example conﬁguration:

fastcgi_cache_path /data/nginx/cache keys_zone=cache_zone:10m;

map $request_method $purge_method {

PURGE 1;

default 0;

}

server {

...

Nginx, Inc. p.144 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

location / {

fastcgi_pass backend;

fastcgi_cache cache_zone;

fastcgi_cache_key $uri;

fastcgi_cache_purge $purge_method;

}

This functionality is available as part of our commercial subscription.

fastcgi cache revalidate

Syntax: fastcgi_cache_revalidate on | off;

Default off

Context: http, server, location

This directive appeared in version 1.5.7.

Enables revalidation of expired cache items using conditional requests with

the If-Modified-Since and If-None-Match header ﬁelds.

fastcgi cache use stale

Syntax: fastcgi_cache_use_stale error | timeout | invalid_header

http_429 | off . . . ;

Default off

Context: http, server, location

Determines in which cases a stale cached response can be used when an

error occurs during communication with the FastCGI server. The directive’s

parameters match the parameters of the fastcgi next upstream directive.

The error parameter also permits using a stale cached response if a

FastCGI server to process a request cannot be selected.

Additionally, the updating parameter permits using a stale cached

response if it is currently being updated. This allows minimizing the number

of accesses to FastCGI servers when updating cached data.

Using a stale cached response can also be enabled directly in the response

header for a speciﬁed number of seconds after the response became stale

(1.11.10). This has lower priority than using the directive parameters.

• The “stale-while-revalidate” extension of the Cache-Control header

ﬁeld permits using a stale cached response if it is currently being updated.

• The “stale-if-error” extension of the Cache-Control header ﬁeld

permits using a stale cached response in case of an error.

To minimize the number of accesses to FastCGI servers when populating a

new cache element, the fastcgi cache lock directive can be used.

Nginx, Inc. p.145 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi cache valid

Syntax: fastcgi_cache_valid [code . . . ] time;

Default —

Context: http, server, location

Sets caching time for diﬀerent response codes. For example, the following

directives

fastcgi_cache_valid 200 302 10m;

fastcgi_cache_valid 404 1m;

set 10 minutes of caching for responses with codes 200 and 302 and 1 minute

for responses with code 404.

If only caching time is speciﬁed

fastcgi_cache_valid 5m;

then only 200, 301, and 302 responses are cached.

In addition, the any parameter can be speciﬁed to cache any responses:

fastcgi_cache_valid 200 302 10m;

fastcgi_cache_valid 301 1h;

fastcgi_cache_valid any 1m;

Parameters of caching can also be set directly in the response header. This

has higher priority than setting of caching time using the directive.

• The X-Accel-Expires header ﬁeld sets caching time of a response in

seconds. The zero value disables caching for a response. If the value

starts with the @ preﬁx, it sets an absolute time in seconds since Epoch,

up to which the response may be cached.

• If the header does not include the X-Accel-Expires ﬁeld, parameters

of caching may be set in the header ﬁelds Expires or Cache-Control.

• If the header includes the Set-Cookie ﬁeld, such a response will not

be cached.

• If the header includes the Vary ﬁeld with the special value “

”, such a

response will not be cached (1.7.7). If the header includes the Vary ﬁeld

with another value, such a response will be cached taking into account

the corresponding request header ﬁelds (1.7.7).

Processing of one or more of these response header ﬁelds can be disabled using

the fastcgi ignore headers directive.

fastcgi catch stderr

Syntax: fastcgi_catch_stderr string;

Default —

Context: http, server, location

Nginx, Inc. p.146 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

Sets a string to search for in the error stream of a response received from

a FastCGI server. If the string is found then it is considered that the FastCGI

server has returned an invalid response. This allows handling application errors

in nginx, for example:

location /php/ {

fastcgi_pass backend:9000;

...

fastcgi_catch_stderr "PHP Fatal error";

fastcgi_next_upstream error timeout invalid_header;

}

fastcgi connect timeout

Syntax: fastcgi_connect_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for establishing a connection with a FastCGI server. It

should be noted that this timeout cannot usually exceed 75 seconds.

fastcgi force ranges

Syntax: fastcgi_force_ranges on | off;

Default off

Context: http, server, location

This directive appeared in version 1.7.7.

Enables byte-range support for both cached and uncached responses from

the FastCGI server regardless of the Accept-Ranges ﬁeld in these responses.

fastcgi hide header

Syntax: fastcgi_hide_header ﬁeld;

Default —

Context: http, server, location

By default, nginx does not pass the header ﬁelds Status and

X-Accel-... from the response of a FastCGI server to a client. The

fastcgi_hide_header directive sets additional ﬁelds that will not be

passed. If, on the contrary, the passing of ﬁelds needs to be permitted, the

fastcgi pass header directive can be used.

fastcgi ignore client abort

Syntax: fastcgi_ignore_client_abort on | off;

Default off

Context: http, server, location

Determines whether the connection with a FastCGI server should be closed

when a client closes the connection without waiting for a response.

Nginx, Inc. p.147 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi ignore headers

Syntax: fastcgi_ignore_headers ﬁeld . . . ;

Default —

Context: http, server, location

Disables processing of certain response header ﬁelds from

the FastCGI server. The following ﬁelds can be ignored:

X-Accel-Redirect, X-Accel-Expires, X-Accel-Limit-Rate

(1.1.6), X-Accel-Buffering (1.1.6), X-Accel-Charset (1.1.6),

Expires, Cache-Control, Set-Cookie (0.8.44), and Vary (1.7.7).

If not disabled, processing of these header ﬁelds has the following eﬀect:

• X-Accel-Expires, Expires, Cache-Control, Set-Cookie, and

Vary set the parameters of response caching;

• X-Accel-Redirect performs an internal redirect to the speciﬁed URI;

• X-Accel-Limit-Rate sets the rate limit for transmission of a

response to a client;

• X-Accel-Buffering enables or disables buﬀering of a response;

• X-Accel-Charset sets the desired charset of a response.

fastcgi index

Syntax: fastcgi_index name;

Default —

Context: http, server, location

Sets a ﬁle name that will be appended after a URI that ends with a slash, in

the value of the $fastcgi script name variable. For example, with these settings

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /home/www/scripts/php$fastcgi_script_name;

and the“/page.php” request, the SCRIPT_FILENAME parameter will be

equal to“/home/www/scripts/php/page.php”, and with the “/” request

it will be equal to “/home/www/scripts/php/index.php”.

fastcgi intercept errors

Syntax: fastcgi_intercept_errors on | off;

Default off

Context: http, server, location

Determines whether FastCGI server responses with codes greater than or

equal to 300 should be passed to a client or be intercepted and redirected to

nginx for processing with the error page directive.

Nginx, Inc. p.148 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi keep conn

Syntax: fastcgi_keep_conn on | off;

Default off

Context: http, server, location

This directive appeared in version 1.1.4.

By default, a FastCGI server will close a connection right after sending

the response. However, when this directive is set to the value on, nginx will

instruct a FastCGI server to keep connections open. This is necessary, in

particular, for keepalive connections to FastCGI servers to function.

fastcgi limit rate

Syntax: fastcgi_limit_rate rate;

Default 0

Context: http, server, location

This directive appeared in version 1.7.7.

Limits the speed of reading the response from the FastCGI server. The

rate is speciﬁed in bytes per second. The zero value disables rate limiting. The

limit is set per a request, and so if nginx simultaneously opens two connections

to the FastCFI server, the overall rate will be twice as much as the speciﬁed

limit. The limitation works only if buﬀering of responses from the FastCGI

server is enabled.

fastcgi max temp ﬁle size

Syntax: fastcgi_max_temp_file_size size;

Default 1024m

Context: http, server, location

When buﬀering of responses from the FastCGI server is enabled, and the

whole response does not ﬁt into the buﬀers set by the fastcgi buﬀer size and

fastcgi buﬀers directives, a part of the response can be saved to a temporary

ﬁle. This directive sets the maximum size of the temporary ﬁle. The size of

data written to the temporary ﬁle at a time is set by the fastcgi temp ﬁle -

write size directive.

The zero value disables buﬀering of responses to temporary ﬁles.

This restriction does not apply to responses that will be cached or stored

on disk.

fastcgi next upstream

Syntax: fastcgi_next_upstream error | timeout | invalid_header |

non_idempotent | off . . . ;

Default error timeout

Context: http, server, location

Nginx, Inc. p.149 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

Speciﬁes in which cases a request should be passed to the next server:

error

an error occurred while establishing a connection with the server, passing

a request to it, or reading the response header;

timeout

a timeout has occurred while establishing a connection with the server,

passing a request to it, or reading the response header;

invalid_header

a server returned an empty or invalid response;

http_500

a server returned a response with the code 500;

http_503

a server returned a response with the code 503;

http_403

a server returned a response with the code 403;

http_404

a server returned a response with the code 404;

http_429

a server returned a response with the code 429 (1.11.13);

non_idempotent

normally, requests with a non-idempotent method (POST, LOCK, PATCH)

are not passed to the next server if a request has been sent to an

upstream server (1.9.13); enabling this option explicitly allows retrying

such requests;

off

disables passing a request to the next server.

One should bear in mind that passing a request to the next server is only

possible if nothing has been sent to a client yet. That is, if an error or timeout

occurs in the middle of the transferring of a response, ﬁxing this is impossible.

The directive also deﬁnes what is considered an unsuccessful attempt of

communication with a server. The cases of error, timeout and invalid_-

header are always considered unsuccessful attempts, even if they are not

speciﬁed in the directive. The cases of http_500, http_503, and http_-

429 are considered unsuccessful attempts only if they are speciﬁed in the

directive. The cases of http_403 and http_404 are never considered

unsuccessful attempts.

Passing a request to the next server can be limited by the number of tries

and by time.

fastcgi next upstream timeout

Syntax: fastcgi_next_upstream_timeout time;

Default 0

Context: http, server, location

This directive appeared in version 1.7.5.

Nginx, Inc. p.150 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

Limits the time during which a request can be passed to the next server.

The 0 value turns oﬀ this limitation.

fastcgi next upstream tries

Syntax: fastcgi_next_upstream_tries number;

Default 0

Context: http, server, location

This directive appeared in version 1.7.5.

Limits the number of possible tries for passing a request to the next server.

The 0 value turns oﬀ this limitation.

fastcgi no cache

Syntax: fastcgi_no_cache string . . . ;

Default —

Context: http, server, location

Deﬁnes conditions under which the response will not be saved to a cache.

If at least one value of the string parameters is not empty and is not equal to

“0” then the response will not be saved:

fastcgi_no_cache $cookie_nocache $arg_nocache$arg_comment;

fastcgi_no_cache $http_pragma $http_authorization;

Can be used along with the fastcgi cache bypass directive.

fastcgi param

Syntax: fastcgi_param parameter value [if_not_empty];

Default —

Context: http, server, location

Sets a parameter that should be passed to the FastCGI server. The

value can contain text, variables, and their combination. These directives

are inherited from the previous conﬁguration level if and only if there are no

fastcgi_param directives deﬁned on the current level.

The following example shows the minimum required settings for PHP:

fastcgi_param SCRIPT_FILENAME /home/www/scripts/php$fastcgi_script_name;

fastcgi_param QUERY_STRING $query_string;

The SCRIPT_FILENAME parameter is used in PHP for determining the

script name, and the QUERY_STRING parameter is used to pass request

parameters.

For scripts that process POST requests, the following three parameters are

also required:

fastcgi_param REQUEST_METHOD $request_method;

fastcgi_param CONTENT_TYPE $content_type;

Nginx, Inc. p.151 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi_param CONTENT_LENGTH $content_length;

If PHP was built with the --enable-force-cgi-redirect conﬁgu-

ration parameter, the REDIRECT_STATUS parameter should also be passed

with the value “200”:

fastcgi_param REDIRECT_STATUS 200;

If the directive is speciﬁed with if_not_empty (1.1.11) then such a

parameter will be passed to the server only if its value is not empty:

fastcgi_param HTTPS $https if_not_empty;

fastcgi pass

Syntax: fastcgi_pass address;

Default —

Context: location, if in location

Sets the address of a FastCGI server. The address can be speciﬁed as a

domain name or IP address, and a port:

fastcgi_pass localhost:9000;

or as a UNIX-domain socket path:

fastcgi_pass unix:/tmp/fastcgi.socket;

If a domain name resolves to several addresses, all of them will be used

in a round-robin fashion. In addition, an address can be speciﬁed as a server

group.

Parameter value can contain variables. In this case, if an address is speciﬁed

as a domain name, the name is searched among the described server groups,

and, if not found, is determined using a resolver.

fastcgi pass header

Syntax: fastcgi_pass_header ﬁeld;

Default —

Context: http, server, location

Permits passing otherwise disabled header ﬁelds from a FastCGI server to

a client.

fastcgi pass request body

Syntax: fastcgi_pass_request_body on | off;

Default on

Context: http, server, location

Nginx, Inc. p.152 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

Indicates whether the original request body is passed to the FastCGI server.

See also the fastcgi pass request headers directive.

fastcgi pass request headers

Syntax: fastcgi_pass_request_headers on | off;

Default on

Context: http, server, location

Indicates whether the header ﬁelds of the original request are passed to the

FastCGI server. See also the fastcgi pass request body directive.

fastcgi read timeout

Syntax: fastcgi_read_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for reading a response from the FastCGI server. The

timeout is set only between two successive read operations, not for the

transmission of the whole response. If the FastCGI server does not transmit

anything within this time, the connection is closed.

fastcgi request buﬀering

Syntax: fastcgi_request_buffering on | off;

Default on

Context: http, server, location

This directive appeared in version 1.7.11.

Enables or disables buﬀering of a client request body.

When buﬀering is enabled, the entire request body is read from the client

before sending the request to a FastCGI server.

When buﬀering is disabled, the request body is sent to the FastCGI server

immediately as it is received. In this case, the request cannot be passed to the

next server if nginx already started sending the request body.

fastcgi send lowat

Syntax: fastcgi_send_lowat size;

Default 0

Context: http, server, location

If the directive is set to a non-zero value, nginx will try to minimize the

number of send operations on outgoing connections to a FastCGI server by

using either NOTE_LOWAT ﬂag of the kqueue method, or the SO_SNDLOWAT

socket option, with the speciﬁed size.

This directive is ignored on Linux, Solaris, and Windows.

Nginx, Inc. p.153 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi send timeout

Syntax: fastcgi_send_timeout time;

Default 60s

Context: http, server, location

Sets a timeout for transmitting a request to the FastCGI server. The

timeout is set only between two successive write operations, not for the

transmission of the whole request. If the FastCGI server does not receive

anything within this time, the connection is closed.

fastcgi socket keepalive

Syntax: fastcgi_socket_keepalive on | off;

Default off

Context: http, server, location

This directive appeared in version 1.15.6.

Conﬁgures the “TCP keepalive” behavior for outgoing connections to a

FastCGI server. By default, the operating system’s settings are in eﬀect for

the socket. If the directive is set to the value “on”, the SO_KEEPALIVE socket

option is turned on for the socket.

fastcgi split path info

Syntax: fastcgi_split_path_info regex;

Default —

Context: location

Deﬁnes a regular expression that captures a value for the $fastcgi path info

variable. The regular expression should have two captures: the ﬁrst becomes

a value of the $fastcgi script name variable, the second becomes a value of the

$fastcgi path info variable. For example, with these settings

location ~ ^(.+\.php)(.

)$ {

fastcgi_split_path_info ^(.+\.php)(.

)$;

fastcgi_param SCRIPT_FILENAME /path/to/php$fastcgi_script_name;

fastcgi_param PATH_INFO $fastcgi_path_info;

and the“/show.php/article/0001”request, the SCRIPT_FILENAME

parameter will be equal to “/path/to/php/show.php”, and the PATH_-

INFO parameter will be equal to “/article/0001”.

fastcgi store

Syntax: fastcgi_store on | off | string;

Default off

Context: http, server, location

Enables saving of ﬁles to a disk. The on parameter saves ﬁles with paths

corresponding to the directives alias or root. The off parameter disables

Nginx, Inc. p.154 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

saving of ﬁles. In addition, the ﬁle name can be set explicitly using the string

with variables:

fastcgi_store /data/www$original_uri;

The modiﬁcation time of ﬁles is set according to the received

Last-Modified response header ﬁeld. The response is ﬁrst written to a

temporary ﬁle, and then the ﬁle is renamed. Starting from version 0.8.9,

temporary ﬁles and the persistent store can be put on diﬀerent ﬁle systems.

However, be aware that in this case a ﬁle is copied across two ﬁle systems

instead of the cheap renaming operation. It is thus recommended that for any

given location both saved ﬁles and a directory holding temporary ﬁles, set by

the fastcgi temp path directive, are put on the same ﬁle system.

This directive can be used to create local copies of static unchangeable ﬁles,

e.g.:

location /images/ {

root /data/www;

error_page 404 = /fetch$uri;

}

location /fetch/ {

internal;

fastcgi_pass backend:9000;

...

fastcgi_store on;

fastcgi_store_access user:rw group:rw all:r;

fastcgi_temp_path /data/temp;

alias /data/www/;

}

fastcgi store access

Syntax: fastcgi_store_access users:permissions . . . ;

Default user:rw

Context: http, server, location

Sets access permissions for newly created ﬁles and directories, e.g.:

fastcgi_store_access user:rw group:rw all:r;

If any group or all access permissions are speciﬁed then user

permissions may be omitted:

fastcgi_store_access group:rw all:r;

Nginx, Inc. p.155 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

fastcgi temp ﬁle write size

Syntax: fastcgi_temp_file_write_size size;

Default 8k|16k

Context: http, server, location

Limits the size of data written to a temporary ﬁle at a time, when buﬀering

of responses from the FastCGI server to temporary ﬁles is enabled. By default,

size is limited by two buﬀers set by the fastcgi buﬀer size and fastcgi buﬀers

directives. The maximum size of a temporary ﬁle is set by the fastcgi max -

temp ﬁle size directive.

fastcgi temp path

Syntax: fastcgi_temp_path path [level1 [level2 [level3]]];

Default fastcgi_temp

Context: http, server, location

Deﬁnes a directory for storing temporary ﬁles with data received from

FastCGI servers. Up to three-level subdirectory hierarchy can be used

underneath the speciﬁed directory. For example, in the following conﬁguration

fastcgi_temp_path /spool/nginx/fastcgi_temp 1 2;

a temporary ﬁle might look like this:

/spool/nginx/fastcgi_temp/7/45/00000123457

See also the use_temp_path parameter of the fastcgi cache path

directive.

2.14.4 Parameters Passed to a FastCGI Server

HTTP request header ﬁelds are passed to a FastCGI server as parameters.

In applications and scripts running as FastCGI servers, these parameters

are usually made available as environment variables. For example, the

User-Agent header ﬁeld is passed as the HTTP_USER_AGENT parameter.

In addition to HTTP request header ﬁelds, it is possible to pass arbitrary

parameters using the fastcgi param directive.

2.14.5 Embedded Variables

The ngx_http_fastcgi_module module supports embedded variables

that can be used to set parameters using the fastcgi param directive:

$fastcgi script name

request URI or, if a URI ends with a slash, request URI with an

index ﬁle name conﬁgured by the fastcgi index directive appended to it.

Nginx, Inc. p.156 of 542

CHAPTER 2. HTTP SERVER MODULES 2.14. MODULE NGX HTTP FASTCGI MODULE

This variable can be used to set the SCRIPT_FILENAME and PATH_-

TRANSLATED parameters that determine the script name in PHP. For

example, for the “/info/” request with the following directives

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME /home/www/scripts/php$fastcgi_script_name;

the SCRIPT_FILENAME parameter will be equal to “/home/www/

scripts/php/info/index.php”.

When using the fastcgi split path info directive, the $fastcgi script name

variable equals the value of the ﬁrst capture set by the directive.

$fastcgi path info

the value of the second capture set by the fastcgi split path info

directive. This variable can be used to set the PATH_INFO parameter.

Nginx, Inc. p.157 of 542

CHAPTER 2. HTTP SERVER MODULES 2.15. MODULE NGX HTTP FLV MODULE

2.15 Module ngx http ﬂv module

2.15.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 158

2.15.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 158

2.15.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 158

ﬂv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

2.15.1 Summary

The ngx_http_flv_module module provides pseudo-streaming server-

side support for Flash Video (FLV) ﬁles.

It handles requests with the start argument in the request URI’s query

string specially, by sending back the contents of a ﬁle starting from the

requested byte oﬀset and with the prepended FLV header.

This module is not built by default, it should be enabled with the

--with-http_flv_module conﬁguration parameter.

2.15.2 Example Conﬁguration

location ~ \.flv$ {

flv;

}

2.15.3 Directives

ﬂv

Syntax: flv;

Default —

Context: location

Turns on module processing in a surrounding location.

Nginx, Inc. p.158 of 542

CHAPTER 2. HTTP SERVER MODULES 2.16. MODULE NGX HTTP GEO MODULE

2.16 Module ngx http geo module

2.16.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 159

2.16.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 159

2.16.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 159

geo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

2.16.1 Summary

The ngx_http_geo_module module creates variables with values

depending on the client IP address.

2.16.2 Example Conﬁguration

geo $geo {

default 0;

127.0.0.1 2;

192.168.1.0/24 1;

10.1.0.0/16 1;

::1 2;

2001:0db8::/32 1;

}

2.16.3 Directives

geo

Syntax: geo [$address] $variable { . . . }

Default —

Context: http

Describes the dependency of values of the speciﬁed variable on the client

IP address. By default, the address is taken from the $remote addr variable,

but it can also be taken from another variable (0.7.27), for example:

geo $arg_remote_addr $geo {

...;

}

Since variables are evaluated only when used, the mere existence of even

a large number of declared “geo” variables does not cause any extra costs for

request processing.

If the value of a variable does not represent a valid IP address then the

“255.255.255.255” address is used.

Addresses are speciﬁed either as preﬁxes in CIDR notation (including

individual addresses) or as ranges (0.7.23).

Nginx, Inc. p.159 of 542

CHAPTER 2. HTTP SERVER MODULES 2.16. MODULE NGX HTTP GEO MODULE

IPv6 preﬁxes are supported starting from versions 1.3.10 and 1.2.7.

The following special parameters are also supported:

delete

deletes the speciﬁed network (0.7.23).

default

a value set to the variable if the client address does not match any of

the speciﬁed addresses. When addresses are speciﬁed in CIDR notation,

“0.0.0.0/0” and “::/0” can be used instead of default. When

default is not speciﬁed, the default value will be an empty string.

include

includes a ﬁle with addresses and values. There can be several inclusions.

proxy

deﬁnes trusted addresses (0.8.7, 0.7.63). When a request comes from a

trusted address, an address from the X-Forwarded-For request header

ﬁeld will be used instead. In contrast to the regular addresses, trusted

addresses are checked sequentially.

Trusted IPv6 addresses are supported starting from versions 1.3.0 and

1.2.1.

proxy_recursive

enables recursive address search (1.3.0, 1.2.1). If recursive search is

disabled then instead of the original client address that matches one of

the trusted addresses, the last address sent in X-Forwarded-For will

be used. If recursive search is enabled then instead of the original client

address that matches one of the trusted addresses, the last non-trusted

address sent in X-Forwarded-For will be used.

ranges

indicates that addresses are speciﬁed as ranges (0.7.23). This parameter

should be the ﬁrst. To speed up loading of a geo base, addresses should

be put in ascending order.

Example:

geo $country {

default ZZ;

include conf/geo.conf;

delete 127.0.0.0/16;

proxy 192.168.100.0/24;

proxy 2001:0db8::/32;

127.0.0.0/24 US;

127.0.0.1/32 RU;

10.1.0.0/16 RU;

192.168.1.0/24 UK;

}

The conf/geo.conf ﬁle could contain the following lines:

Nginx, Inc. p.160 of 542

CHAPTER 2. HTTP SERVER MODULES 2.16. MODULE NGX HTTP GEO MODULE

10.2.0.0/16 RU;

192.168.2.0/24 RU;

A value of the most speciﬁc match is used. For example, for the 127.0.0.1

address the value “RU” will be chosen, not “US”.

Example with ranges:

geo $country {

ranges;

default ZZ;

127.0.0.0-127.0.0.0 US;

127.0.0.1-127.0.0.1 RU;

127.0.0.1-127.0.0.255 US;

10.1.0.0-10.1.255.255 RU;

192.168.1.0-192.168.1.255 UK;

}

Nginx, Inc. p.161 of 542

CHAPTER 2. HTTP SERVER MODULES 2.17. MODULE NGX HTTP GEOIP MODULE

2.17 Module ngx http geoip module

2.17.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 162

2.17.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 162

2.17.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 162

geoip country . . . . . . . . . . . . . . . . . . . . . . . . 162

geoip city . . . . . . . . . . . . . . . . . . . . . . . . . . 163

geoip org . . . . . . . . . . . . . . . . . . . . . . . . . . 164

geoip proxy . . . . . . . . . . . . . . . . . . . . . . . . . 164

geoip proxy recursive . . . . . . . . . . . . . . . . . . . . 164

2.17.1 Summary

The ngx_http_geoip_module module (0.8.6+) creates variables with

values depending on the client IP address, using the precompiled MaxMind

databases.

When using the databases with IPv6 support (1.3.12, 1.2.7), IPv4 addresses

are looked up as IPv4-mapped IPv6 addresses.

This module is not built by default, it should be enabled with the

--with-http_geoip_module conﬁguration parameter.

This module requires the MaxMind GeoIP library.

2.17.2 Example Conﬁguration

http {

geoip_country GeoIP.dat;

geoip_city GeoLiteCity.dat;

geoip_proxy 192.168.100.0/24;

geoip_proxy 2001:0db8::/32;

geoip_proxy_recursive on;

...

2.17.3 Directives

geoip country

Syntax: geoip_country ﬁle;

Default —

Context: http

Speciﬁes a database used to determine the country depending on the client

IP address. The following variables are available when using this database:

$geoip country code

two-letter country code, for example, “RU”, “US”.

$geoip country code3

three-letter country code, for example, “RUS”, “USA”.

Nginx, Inc. p.162 of 542

CHAPTER 2. HTTP SERVER MODULES 2.17. MODULE NGX HTTP GEOIP MODULE

$geoip country name

country name, for example, “Russian Federation”, “United

States”.

geoip city

Syntax: geoip_city ﬁle;

Default —

Context: http

Speciﬁes a database used to determine the country, region, and city

depending on the client IP address. The following variables are available when

using this database:

$geoip area code

telephone area code (US only).

This variable may contain outdated information since the corresponding

database ﬁeld is deprecated.

$geoip city continent code

two-letter continent code, for example, “EU”, “NA”.

$geoip city country code

two-letter country code, for example, “RU”, “US”.

$geoip city country code3

three-letter country code, for example, “RUS”, “USA”.

$geoip city country name

country name, for example, “Russian Federation”, “United

States”.

$geoip dma code

DMA region code in US (also known as “metro code”), according to the

geotargeting in Google AdWords API.

$geoip latitude

latitude.

$geoip longitude

longitude.

$geoip region

two-symbol country region code (region, territory, state, province, federal

land and the like), for example, “48”, “DC”.

$geoip region name

country region name (region, territory, state, province, federal land and

the like), for example, “Moscow City”, “District of Columbia”.

$geoip city

city name, for example, “Moscow”, “Washington”.

$geoip postal code

postal code.

Nginx, Inc. p.163 of 542

CHAPTER 2. HTTP SERVER MODULES 2.17. MODULE NGX HTTP GEOIP MODULE

geoip org

Syntax: geoip_org ﬁle;

Default —

Context: http

This directive appeared in version 1.0.3.

Speciﬁes a database used to determine the organization depending on the

client IP address. The following variable is available when using this database:

$geoip org

organization name, for example, “The University of Melbourne”.

geoip proxy

Syntax: geoip_proxy address | CIDR;

Default —

Context: http

This directive appeared in versions 1.3.0 and 1.2.1.

Deﬁnes trusted addresses. When a request comes from a trusted address,

an address from the X-Forwarded-For request header ﬁeld will be used

instead.

geoip proxy recursive

Syntax: geoip_proxy_recursive on | off;

Default off

Context: http

This directive appeared in versions 1.3.0 and 1.2.1.

If recursive search is disabled then instead of the original client address

that matches one of the trusted addresses, the last address sent in

X-Forwarded-For will be used. If recursive search is enabled then instead

of the original client address that matches one of the trusted addresses, the

last non-trusted address sent in X-Forwarded-For will be used.

Nginx, Inc. p.164 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

2.18 Module ngx http grpc module

2.18.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 165

2.18.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 165

2.18.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 166

grpc bind . . . . . . . . . . . . . . . . . . . . . . . . . . 166

grpc buﬀer size . . . . . . . . . . . . . . . . . . . . . . . 166

grpc connect timeout . . . . . . . . . . . . . . . . . . . . 166

grpc hide header . . . . . . . . . . . . . . . . . . . . . . 167

grpc ignore headers . . . . . . . . . . . . . . . . . . . . . 167

grpc intercept errors . . . . . . . . . . . . . . . . . . . . 167

grpc next upstream . . . . . . . . . . . . . . . . . . . . . 167

grpc next upstream timeout . . . . . . . . . . . . . . . . 168

grpc next upstream tries . . . . . . . . . . . . . . . . . . 169

grpc pass . . . . . . . . . . . . . . . . . . . . . . . . . . 169

grpc pass header . . . . . . . . . . . . . . . . . . . . . . 169

grpc read timeout . . . . . . . . . . . . . . . . . . . . . 170

grpc send timeout . . . . . . . . . . . . . . . . . . . . . 170

grpc set header . . . . . . . . . . . . . . . . . . . . . . . 170

grpc socket keepalive . . . . . . . . . . . . . . . . . . . . 170

grpc ssl certiﬁcate . . . . . . . . . . . . . . . . . . . . . 171

grpc ssl certiﬁcate key . . . . . . . . . . . . . . . . . . . 171

grpc ssl ciphers . . . . . . . . . . . . . . . . . . . . . . . 171

grpc ssl conf command . . . . . . . . . . . . . . . . . . . 171

grpc ssl crl . . . . . . . . . . . . . . . . . . . . . . . . . 172

grpc ssl name . . . . . . . . . . . . . . . . . . . . . . . . 172

grpc ssl password ﬁle . . . . . . . . . . . . . . . . . . . . 172

grpc ssl protocols . . . . . . . . . . . . . . . . . . . . . . 172

grpc ssl server name . . . . . . . . . . . . . . . . . . . . 172

grpc ssl session reuse . . . . . . . . . . . . . . . . . . . . 173

grpc ssl trusted certiﬁcate . . . . . . . . . . . . . . . . . 173

grpc ssl verify . . . . . . . . . . . . . . . . . . . . . . . . 173

grpc ssl verify depth . . . . . . . . . . . . . . . . . . . . 173

2.18.1 Summary

The ngx_http_grpc_module module allows passing requests to a gRPC

server (1.13.10). The module requires the ngx http v2 module module.

2.18.2 Example Conﬁguration

server {

listen 9000;

http2 on;

location / {

grpc_pass 127.0.0.1:9000;

Nginx, Inc. p.165 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

}

2.18.3 Directives

grpc bind

Syntax: grpc_bind address [transparent ] | off;

Default —

Context: http, server, location

Makes outgoing connections to a gRPC server originate from the speciﬁed

local IP address with an optional port. Parameter value can contain variables.

The special value off cancels the eﬀect of the grpc_bind directive inherited

from the previous conﬁguration level, which allows the system to auto-assign

the local IP address and port.

The transparent parameter allows outgoing connections to a gRPC

server originate from a non-local IP address, for example, from a real IP address

of a client:

grpc_bind $remote_addr transparent;

In order for this parameter to work, it is usually necessary to run nginx

worker processes with the superuser privileges. On Linux it is not required as if

the transparent parameter is speciﬁed, worker processes inherit the CAP_-

NET_RAW capability from the master process. It is also necessary to conﬁgure

kernel routing table to intercept network traﬃc from the gRPC server.

grpc buﬀer size

Syntax: grpc_buffer_size size;

Default 4k|8k

Context: http, server, location

Sets the size of the buﬀer used for reading the response received from the

gRPC server. The response is passed to the client synchronously, as soon as it

is received.

grpc connect timeout

Syntax: grpc_connect_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for establishing a connection with a gRPC server. It

should be noted that this timeout cannot usually exceed 75 seconds.

Nginx, Inc. p.166 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

grpc hide header

Syntax: grpc_hide_header ﬁeld;

Default —

Context: http, server, location

By default, nginx does not pass the header ﬁelds Date, Server, and

X-Accel-... from the response of a gRPC server to a client. The grpc_-

hide_header directive sets additional ﬁelds that will not be passed. If, on

the contrary, the passing of ﬁelds needs to be permitted, the grpc pass header

directive can be used.

grpc ignore headers

Syntax: grpc_ignore_headers ﬁeld . . . ;

Default —

Context: http, server, location

Disables processing of certain response header ﬁelds from the gRPC

server. The following ﬁelds can be ignored: X-Accel-Redirect and

X-Accel-Charset.

If not disabled, processing of these header ﬁelds has the following eﬀect:

• X-Accel-Redirect performs an internal redirect to the speciﬁed URI;

• X-Accel-Charset sets the desired charset of a response.

grpc intercept errors

Syntax: grpc_intercept_errors on | off;

Default off

Context: http, server, location

Determines whether gRPC server responses with codes greater than or

equal to 300 should be passed to a client or be intercepted and redirected to

nginx for processing with the error page directive.

grpc next upstream

Syntax: grpc_next_upstream error | timeout | invalid_header |

http_404 | http_429 | non_idempotent | off . . . ;

Default error timeout

Context: http, server, location

Speciﬁes in which cases a request should be passed to the next server:

error

an error occurred while establishing a connection with the server, passing

a request to it, or reading the response header;

Nginx, Inc. p.167 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

timeout

a timeout has occurred while establishing a connection with the server,

passing a request to it, or reading the response header;

invalid_header

a server returned an empty or invalid response;

http_500

a server returned a response with the code 500;

http_502

a server returned a response with the code 502;

http_503

a server returned a response with the code 503;

http_504

a server returned a response with the code 504;

http_403

a server returned a response with the code 403;

http_404

a server returned a response with the code 404;

http_429

a server returned a response with the code 429;

non_idempotent

normally, requests with a non-idempotent method (POST, LOCK, PATCH)

are not passed to the next server if a request has been sent to an upstream

server; enabling this option explicitly allows retrying such requests;

off

disables passing a request to the next server.

One should bear in mind that passing a request to the next server is only

possible if nothing has been sent to a client yet. That is, if an error or timeout

occurs in the middle of the transferring of a response, ﬁxing this is impossible.

The directive also deﬁnes what is considered an unsuccessful attempt of

communication with a server. The cases of error, timeout and invalid_-

header are always considered unsuccessful attempts, even if they are not

speciﬁed in the directive. The cases of http_500, http_502, http_503,

http_504, and http_429 are considered unsuccessful attempts only if they

are speciﬁed in the directive. The cases of http_403 and http_404 are

never considered unsuccessful attempts.

Passing a request to the next server can be limited by the number of tries

and by time.

grpc next upstream timeout

Syntax: grpc_next_upstream_timeout time;

Default 0

Context: http, server, location

Limits the time during which a request can be passed to the next server.

The 0 value turns oﬀ this limitation.

Nginx, Inc. p.168 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

grpc next upstream tries

Syntax: grpc_next_upstream_tries number;

Default 0

Context: http, server, location

Limits the number of possible tries for passing a request to the next server.

The 0 value turns oﬀ this limitation.

grpc pass

Syntax: grpc_pass address;

Default —

Context: location, if in location

Sets the gRPC server address. The address can be speciﬁed as a domain

name or IP address, and a port:

grpc_pass localhost:9000;

or as a UNIX-domain socket path:

grpc_pass unix:/tmp/grpc.socket;

Alternatively, the “grpc://” scheme can be used:

grpc_pass grpc://127.0.0.1:9000;

To use gRPC over SSL, the “grpcs://” scheme should be used:

grpc_pass grpcs://127.0.0.1:443;

If a domain name resolves to several addresses, all of them will be used

in a round-robin fashion. In addition, an address can be speciﬁed as a server

group.

Parameter value can contain variables (1.17.8). In this case, if an address is

speciﬁed as a domain name, the name is searched among the described server

groups, and, if not found, is determined using a resolver.

grpc pass header

Syntax: grpc_pass_header ﬁeld;

Default —

Context: http, server, location

Permits passing otherwise disabled header ﬁelds from a gRPC server to a

client.

Nginx, Inc. p.169 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

grpc read timeout

Syntax: grpc_read_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for reading a response from the gRPC server. The

timeout is set only between two successive read operations, not for the

transmission of the whole response. If the gRPC server does not transmit

anything within this time, the connection is closed.

grpc send timeout

Syntax: grpc_send_timeout time;

Default 60s

Context: http, server, location

Sets a timeout for transmitting a request to the gRPC server. The timeout

is set only between two successive write operations, not for the transmission

of the whole request. If the gRPC server does not receive anything within this

time, the connection is closed.

grpc set header

Syntax: grpc_set_header ﬁeld value;

Default Content-Length $content_length

Context: http, server, location

Allows redeﬁning or appending ﬁelds to the request header passed to the

gRPC server. The value can contain text, variables, and their combinations.

These directives are inherited from the previous conﬁguration level if and only

if there are no grpc_set_header directives deﬁned on the current level.

If the value of a header ﬁeld is an empty string then this ﬁeld will not be

passed to a gRPC server:

grpc_set_header Accept-Encoding "";

grpc socket keepalive

Syntax: grpc_socket_keepalive on | off;

Default off

Context: http, server, location

This directive appeared in version 1.15.6.

Conﬁgures the “TCP keepalive” behavior for outgoing connections to a

gRPC server. By default, the operating system’s settings are in eﬀect for the

socket. If the directive is set to the value “on”, the SO_KEEPALIVE socket

option is turned on for the socket.

Nginx, Inc. p.170 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

grpc ssl certiﬁcate

Syntax: grpc_ssl_certificate ﬁle;

Default —

Context: http, server, location

Speciﬁes a ﬁle with the certiﬁcate in the PEM format used for

authentication to a gRPC SSL server.

Since version 1.21.0, variables can be used in the ﬁle name.

grpc ssl certiﬁcate key

Syntax: grpc_ssl_certificate_key ﬁle;

Default —

Context: http, server, location

Speciﬁes a ﬁle with the secret key in the PEM format used for

authentication to a gRPC SSL server.

The value engine:name:id can be speciﬁed instead of the ﬁle, which loads

a secret key with a speciﬁed id from the OpenSSL engine name.

Since version 1.21.0, variables can be used in the ﬁle name.

grpc ssl ciphers

Syntax: grpc_ssl_ciphers ciphers;

Default DEFAULT

Context: http, server, location

Speciﬁes the enabled ciphers for requests to a gRPC SSL server. The

ciphers are speciﬁed in the format understood by the OpenSSL library.

The full list can be viewed using the “openssl ciphers” command.

grpc ssl conf command

Syntax: grpc_ssl_conf_command name value;

Default —

Context: http, server, location

This directive appeared in version 1.19.4.

Sets arbitrary OpenSSL conﬁguration commands when establishing a

connection with the gRPC SSL server.

The directive is supported when using OpenSSL 1.0.2 or higher.

Several grpc_ssl_conf_command directives can be speciﬁed on the

same level. These directives are inherited from the previous conﬁguration level

if and only if there are no grpc_ssl_conf_command directives deﬁned on

the current level.

Nginx, Inc. p.171 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

Note that conﬁguring OpenSSL directly might result in unexpected

behavior.

grpc ssl crl

Syntax: grpc_ssl_crl ﬁle;

Default —

Context: http, server, location

Speciﬁes a ﬁle with revoked certiﬁcates (CRL) in the PEM format used to

verify the certiﬁcate of the gRPC SSL server.

grpc ssl name

Syntax: grpc_ssl_name name;

Default host from grpc_pass

Context: http, server, location

Allows overriding the server name used to verify the certiﬁcate of the gRPC

SSL server and to be passed through SNI when establishing a connection with

the gRPC SSL server.

By default, the host part from grpc pass is used.

grpc ssl password ﬁle

Syntax: grpc_ssl_password_file ﬁle;

Default —

Context: http, server, location

Speciﬁes a ﬁle with passphrases for secret keys where each passphrase is

speciﬁed on a separate line. Passphrases are tried in turn when loading the

key.

grpc ssl protocols

Syntax: grpc_ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1]

[TLSv1.2] [TLSv1.3];

Default TLSv1 TLSv1.1 TLSv1.2 TLSv1.3

Context: http, server, location

Enables the speciﬁed protocols for requests to a gRPC SSL server.

The TLSv1.3 parameter is used by default since 1.23.4.

grpc ssl server name

Syntax: grpc_ssl_server_name on | off;

Default off

Context: http, server, location

Nginx, Inc. p.172 of 542

CHAPTER 2. HTTP SERVER MODULES 2.18. MODULE NGX HTTP GRPC MODULE

Enables or disables passing of the server name through TLS Server Name

Indication extension (SNI, RFC 6066) when establishing a connection with the

gRPC SSL server.

grpc ssl session reuse

Syntax: grpc_ssl_session_reuse on | off;

Default on

Context: http, server, location

Determines whether SSL sessions can be reused when working with

the gRPC server. If the errors “SSL3_GET_FINISHED:digest check

failed” appear in the logs, try disabling session reuse.

grpc ssl trusted certiﬁcate

Syntax: grpc_ssl_trusted_certificate ﬁle;

Default —

Context: http, server, location

Speciﬁes a ﬁle with trusted CA certiﬁcates in the PEM format used to

verify the certiﬁcate of the gRPC SSL server.

grpc ssl verify

Syntax: grpc_ssl_verify on | off;

Default off

Context: http, server, location

Enables or disables veriﬁcation of the gRPC SSL server certiﬁcate.

grpc ssl verify depth

Syntax: grpc_ssl_verify_depth number;

Default 1

Context: http, server, location

Sets the veriﬁcation depth in the gRPC SSL server certiﬁcates chain.

Nginx, Inc. p.173 of 542

CHAPTER 2. HTTP SERVER MODULES 2.19. MODULE NGX HTTP GUNZIP MODULE

2.19 Module ngx http gunzip module

2.19.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 174

2.19.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 174

2.19.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 174

gunzip . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

gunzip buﬀers . . . . . . . . . . . . . . . . . . . . . . . . 174

2.19.1 Summary

The ngx_http_gunzip_module module is a ﬁlter that decompresses

responses with “Content-Encoding: gzip” for clients that do not

support“gzip”encoding method. The module will be useful when it is desirable

to store data compressed to save space and reduce I/O costs.

This module is not built by default, it should be enabled with the

--with-http_gunzip_module conﬁguration parameter.

2.19.2 Example Conﬁguration

location /storage/ {

gunzip on;

...

}

2.19.3 Directives

gunzip

Syntax: gunzip on | off;

Default off

Context: http, server, location

Enables or disables decompression of gzipped responses for clients that lack

gzip support. If enabled, the following directives are also taken into account

when determining if clients support gzip: gzip http version, gzip proxied, and

gzip disable. See also the gzip vary directive.

gunzip buﬀers

Syntax: gunzip_buffers number size;

Default 32 4k|16 8k

Context: http, server, location

Sets the number and size of buﬀers used to decompress a response. By

default, the buﬀer size is equal to one memory page. This is either 4K or 8K,

depending on a platform.

Nginx, Inc. p.174 of 542

CHAPTER 2. HTTP SERVER MODULES 2.20. MODULE NGX HTTP GZIP MODULE

2.20 Module ngx http gzip module

2.20.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 175

2.20.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 175

2.20.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 175

gzip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

gzip buﬀers . . . . . . . . . . . . . . . . . . . . . . . . . 176

gzip comp level . . . . . . . . . . . . . . . . . . . . . . . 176

gzip disable . . . . . . . . . . . . . . . . . . . . . . . . . 176

gzip http version . . . . . . . . . . . . . . . . . . . . . . 176

gzip min length . . . . . . . . . . . . . . . . . . . . . . . 176

gzip proxied . . . . . . . . . . . . . . . . . . . . . . . . . 177

gzip types . . . . . . . . . . . . . . . . . . . . . . . . . . 177

gzip vary . . . . . . . . . . . . . . . . . . . . . . . . . . 178

2.20.4 Embedded Variables . . . . . . . . . . . . . . . . . . . . 178

2.20.1 Summary

The ngx_http_gzip_module module is a ﬁlter that compresses

responses using the “gzip” method. This often helps to reduce the size of

transmitted data by half or even more.

When using the SSL/TLS protocol, compressed responses may be subject

to BREACH attacks.

2.20.2 Example Conﬁguration

gzip on;

gzip_min_length 1000;

gzip_proxied expired no-cache no-store private auth;

gzip_types text/plain application/xml;

The $gzip ratio variable can be used to log the achieved compression ratio.

2.20.3 Directives

gzip

Syntax: gzip on | off;

Default off

Context: http, server, location, if in location

Enables or disables gzipping of responses.

Nginx, Inc. p.175 of 542

CHAPTER 2. HTTP SERVER MODULES 2.20. MODULE NGX HTTP GZIP MODULE

gzip buﬀers

Syntax: gzip_buffers number size;

Default 32 4k|16 8k

Context: http, server, location

Sets the number and size of buﬀers used to compress a response. By default,

the buﬀer size is equal to one memory page. This is either 4K or 8K, depending

on a platform.

Until version 0.7.28, four 4K or 8K buﬀers were used by default.

gzip comp level

Syntax: gzip_comp_level level;

Default 1

Context: http, server, location

Sets a gzip compression level of a response. Acceptable values are in the

range from 1 to 9.

gzip disable

Syntax: gzip_disable regex . . . ;

Default —

Context: http, server, location

This directive appeared in version 0.6.23.

Disables gzipping of responses for requests with User-Agent header ﬁelds

matching any of the speciﬁed regular expressions.

The special mask “msie6” (0.7.12) corresponds to the regular expression

“MSIE [4-6]\.”, but works faster. Starting from version 0.8.11, “MSIE

6.0; ...SV1” is excluded from this mask.

gzip http version

Syntax: gzip_http_version 1.0 | 1.1;

Default 1.1

Context: http, server, location

Sets the minimum HTTP version of a request required to compress a

response.

gzip min length

Syntax: gzip_min_length length;

Default 20

Context: http, server, location

Sets the minimum length of a response that will be gzipped. The length is

determined only from the Content-Length response header ﬁeld.

Nginx, Inc. p.176 of 542

CHAPTER 2. HTTP SERVER MODULES 2.20. MODULE NGX HTTP GZIP MODULE

gzip proxied

no_last_modified | no_etag | auth | any . . . ;

Default off

Context: http, server, location

Enables or disables gzipping of responses for proxied requests depending on

the request and response. The fact that the request is proxied is determined

by the presence of the Via request header ﬁeld. The directive accepts multiple

parameters:

off

disables compression for all proxied requests, ignoring other parameters;

expired

enables compression if a response header includes the Expires ﬁeld

with a value that disables caching;

no-cache

enables compression if a response header includes the Cache-Control

ﬁeld with the “no-cache” parameter;

no-store

enables compression if a response header includes the Cache-Control

ﬁeld with the “no-store” parameter;

private

enables compression if a response header includes the Cache-Control

ﬁeld with the “private” parameter;

no_last_modified

enables compression if a response header does not include the

Last-Modified ﬁeld;

no_etag

enables compression if a response header does not include the ETag ﬁeld;

auth

enables compression if a request header includes the Authorization

ﬁeld;

any

enables compression for all proxied requests.

gzip types

Syntax: gzip_types mime-type . . . ;

Default text/html

Context: http, server, location

Enables gzipping of responses for the speciﬁed MIME types in addition

to “text/html”. The special value “

” matches any MIME type (0.8.29).

Responses with the “text/html” type are always compressed.

Nginx, Inc. p.177 of 542

CHAPTER 2. HTTP SERVER MODULES 2.20. MODULE NGX HTTP GZIP MODULE

gzip vary

Syntax: gzip_vary on | off;

Default off

Context: http, server, location

Enables or disables inserting the Vary: Accept-Encoding response

header ﬁeld if the directives gzip, gzip static, or gunzip are active.

2.20.4 Embedded Variables

$gzip ratio

achieved compression ratio, computed as the ratio between the original

and compressed response sizes.

Nginx, Inc. p.178 of 542

CHAPTER 2. HTTP SERVER MODULES 2.21. MODULE NGX HTTP GZIP STATIC MODULE

2.21 Module ngx http gzip static module

2.21.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 179

2.21.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 179

2.21.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 179

gzip static . . . . . . . . . . . . . . . . . . . . . . . . . . 179

2.21.1 Summary

The ngx_http_gzip_static_module module allows sending precom-

pressed ﬁles with the “.gz” ﬁlename extension instead of regular ﬁles.

This module is not built by default, it should be enabled with the

--with-http_gzip_static_module conﬁguration parameter.

2.21.2 Example Conﬁguration

gzip_static on;

gzip_proxied expired no-cache no-store private auth;

2.21.3 Directives

gzip static

Syntax: gzip_static on | off | always;

Default off

Context: http, server, location

Enables (“on”) or disables (“off”) checking the existence of precompressed

ﬁles. The following directives are also taken into account: gzip http version,

gzip proxied, gzip disable, and gzip vary.

With the “always” value (1.3.6), gzipped ﬁle is used in all cases, without

checking if the client supports it. It is useful if there are no uncompressed ﬁles

on the disk anyway or the ngx http gunzip module is used.

The ﬁles can be compressed using the gzip command, or any other

compatible one. It is recommended that the modiﬁcation date and time of

original and compressed ﬁles be the same.

Nginx, Inc. p.179 of 542

CHAPTER 2. HTTP SERVER MODULES 2.22. MODULE NGX HTTP HEADERS MODULE

2.22 Module ngx http headers module

2.22.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 180

2.22.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 180

2.22.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 180

add header . . . . . . . . . . . . . . . . . . . . . . . . . 180

add trailer . . . . . . . . . . . . . . . . . . . . . . . . . . 180

expires . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

2.22.1 Summary

The ngx_http_headers_module module allows adding the Expires

and Cache-Control header ﬁelds, and arbitrary ﬁelds, to a response header.

2.22.2 Example Conﬁguration

expires 24h;

expires modified +24h;

expires @24h;

expires 0;

expires -1;

expires epoch;

expires $expires;

add_header Cache-Control private;

2.22.3 Directives

add header

Syntax: add_header name value [always];

Default —

Context: http, server, location, if in location

Adds the speciﬁed ﬁeld to a response header provided that the response

code equals 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304, 307 (1.1.16, 1.0.13),

or 308 (1.13.0). Parameter value can contain variables.

There could be several add_header directives. These directives are

inherited from the previous conﬁguration level if and only if there are no add_-

header directives deﬁned on the current level.

If the always parameter is speciﬁed (1.7.5), the header ﬁeld will be added

regardless of the response code.

add trailer

Syntax: add_trailer name value [always];

Default —

Context: http, server, location, if in location

This directive appeared in version 1.13.2.

Nginx, Inc. p.180 of 542

CHAPTER 2. HTTP SERVER MODULES 2.22. MODULE NGX HTTP HEADERS MODULE

Adds the speciﬁed ﬁeld to the end of a response provided that the response

code equals 200, 201, 206, 301, 302, 303, 307, or 308. Parameter value can

contain variables.

There could be several add_trailer directives. These directives are

inherited from the previous conﬁguration level if and only if there are no add_-

trailer directives deﬁned on the current level.

If the always parameter is speciﬁed the speciﬁed ﬁeld will be added

regardless of the response code.

expires

Syntax: expires [modified] time;

Syntax: expires epoch | max | off;

Default off

Context: http, server, location, if in location

Enables or disables adding or modifying the Expires and

Cache-Control response header ﬁelds provided that the response code

equals 200, 201 (1.3.10), 204, 206, 301, 302, 303, 304, 307 (1.1.16, 1.0.13), or

308 (1.13.0). The parameter can be a positive or negative time.

The time in the Expires ﬁeld is computed as a sum of the current time

and time speciﬁed in the directive. If the modified parameter is used (0.7.0,

0.6.32) then the time is computed as a sum of the ﬁle’s modiﬁcation time and

the time speciﬁed in the directive.

In addition, it is possible to specify a time of day using the“@” preﬁx (0.7.9,

0.6.34):

expires @15h30m;

The contents of the Cache-Control ﬁeld depends on the sign of the

speciﬁed time:

• time is negative — Cache-Control: no-cache.

• time is positive or zero — Cache-Control: max-age=t, where t is

a time speciﬁed in the directive, in seconds.

The epoch parameter sets Expires to the value “Thu, 01 Jan 1970

00:00:01 GMT”, and Cache-Control to “no-cache”.

The max parameter sets Expires to the value “Thu, 31 Dec 2037

23:55:55 GMT”, and Cache-Control to 10 years.

The off parameter disables adding or modifying the Expires and

Cache-Control response header ﬁelds.

The last parameter value can contain variables (1.7.9):

map $sent_http_content_type $expires {

default off;

application/pdf 42d;

~image/ max;

}

Nginx, Inc. p.181 of 542

CHAPTER 2. HTTP SERVER MODULES 2.22. MODULE NGX HTTP HEADERS MODULE

expires $expires;

Nginx, Inc. p.182 of 542

CHAPTER 2. HTTP SERVER MODULES 2.23. MODULE NGX HTTP HLS MODULE

2.23 Module ngx http hls module

2.23.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 183

2.23.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 183

2.23.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 184

hls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

hls buﬀers . . . . . . . . . . . . . . . . . . . . . . . . . . 184

hls forward args . . . . . . . . . . . . . . . . . . . . . . . 184

hls fragment . . . . . . . . . . . . . . . . . . . . . . . . . 185

hls mp4 buﬀer size . . . . . . . . . . . . . . . . . . . . . 185

hls mp4 max buﬀer size . . . . . . . . . . . . . . . . . . 186

2.23.1 Summary

The ngx_http_hls_module module provides HTTP Live Streaming

(HLS) server-side support for MP4 and MOV media ﬁles. Such ﬁles typically

have the .mp4, .m4v, .m4a, .mov, or .qt ﬁlename extensions. The module

supports H.264 video codec, AAC and MP3 audio codecs.

For each media ﬁle, two URIs are supported:

• A playlist URI with the“.m3u8”ﬁlename extension. The URI can accept

optional arguments:

– “start” and “end” deﬁne playlist boundaries in seconds (1.9.0).

– “offset” shifts an initial playback position to the time oﬀset

in seconds (1.9.0). A positive value sets a time oﬀset from the

beginning of the playlist. A negative value sets a time oﬀset from

the end of the last fragment in the playlist.

– “len” deﬁnes the fragment length in seconds.

• A fragment URI with the “.ts” ﬁlename extension. The URI can accept

optional arguments:

– “start” and “end” deﬁne fragment boundaries in seconds.

This module is available as part of our commercial subscription.

2.23.2 Example Conﬁguration

location / {

hls;

hls_fragment 5s;

hls_buffers 10 10m;

hls_mp4_buffer_size 1m;

hls_mp4_max_buffer_size 5m;

root /var/video/;

}

Nginx, Inc. p.183 of 542

CHAPTER 2. HTTP SERVER MODULES 2.23. MODULE NGX HTTP HLS MODULE

With this conﬁguration, the following URIs are supported for the “/var¬

/video/test.mp4” ﬁle:

http://hls.example.com/test.mp4.m3u8?offset=1.000&start=1.000&end=2.200

http://hls.example.com/test.mp4.m3u8?len=8.000

http://hls.example.com/test.mp4.ts?start=1.000&end=2.200

2.23.3 Directives

hls

Syntax: hls;

Default —

Context: location

Turns on HLS streaming in the surrounding location.

hls buﬀers

Syntax: hls_buffers number size;

Default 8 2m

Context: http, server, location

Sets the maximum number and size of buﬀers that are used for reading and

writing data frames.

hls forward args

Syntax: hls_forward_args on | off;

Default off

Context: http, server, location

This directive appeared in version 1.5.12.

Adds arguments from a playlist request to URIs of fragments. This may

be useful for performing client authorization at the moment of requesting a

fragment, or when protecting an HLS stream with the ngx http secure link -

module module.

For example, if a client requests a playlist http://example.com/hls/

test.mp4.m3u8?a=1&b=2, the arguments a=1 and b=2 will be added to

URIs of fragments after the arguments start and end:

#EXTM3U

#EXT-X-VERSION:3

#EXT-X-TARGETDURATION:15

#EXT-X-PLAYLIST-TYPE:VOD

#EXTINF:9.333,

test.mp4.ts?start=0.000&end=9.333&a=1&b=2

#EXTINF:7.167,

test.mp4.ts?start=9.333&end=16.500&a=1&b=2

#EXTINF:5.416,

test.mp4.ts?start=16.500&end=21.916&a=1&b=2

#EXTINF:5.500,

test.mp4.ts?start=21.916&end=27.416&a=1&b=2

Nginx, Inc. p.184 of 542

CHAPTER 2. HTTP SERVER MODULES 2.23. MODULE NGX HTTP HLS MODULE

#EXTINF:15.167,

test.mp4.ts?start=27.416&end=42.583&a=1&b=2

#EXTINF:9.626,

test.mp4.ts?start=42.583&end=52.209&a=1&b=2

#EXT-X-ENDLIST

If an HLS stream is protected with the ngx http secure link module

module, $uri should not be used in the secure link md5 expression because

this will cause errors when requesting the fragments. Base URI should be used

instead of $uri ($hls uri in the example):

http {

...

map $uri $hls_uri {

~^(?<base_uri>.

).m3u8$ $base_uri;

~^(?<base_uri>.

).ts$ $base_uri;

default $uri;

}

server {

...

location /hls/ {

hls;

hls_forward_args on;

alias /var/videos/;

secure_link $arg_md5,$arg_expires;

secure_link_md5 "$secure_link_expires$hls_uri$remote_addr secret";

if ($secure_link = "") {

return 403;

}

if ($secure_link = "0") {

return 410;

}

hls fragment

Syntax: hls_fragment time;

Default 5s

Context: http, server, location

Deﬁnes the default fragment length for playlist URIs requested without the

“len” argument.

hls mp4 buﬀer size

Syntax: hls_mp4_buffer_size size;

Default 512k

Context: http, server, location

Sets the initial size of the buﬀer used for processing MP4 and MOV ﬁles.

Nginx, Inc. p.185 of 542

CHAPTER 2. HTTP SERVER MODULES 2.23. MODULE NGX HTTP HLS MODULE

hls mp4 max buﬀer size

Syntax: hls_mp4_max_buffer_size size;

Default 10m

Context: http, server, location

During metadata processing, a larger buﬀer may become necessary. Its size

cannot exceed the speciﬁed size, or else nginx will return the server error 500

Internal Server Error, and log the following message:

"/some/movie/file.mp4" mp4 moov atom is too large:

12583268, you may want to increase hls_mp4_max_buffer_size

Nginx, Inc. p.186 of 542

CHAPTER 2. HTTP SERVER MODULES 2.24. MODULE NGX HTTP IMAGE FILTER MODULE

2.24 Module ngx http image ﬁlter module

2.24.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 187

2.24.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 187

2.24.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 188

image ﬁlter . . . . . . . . . . . . . . . . . . . . . . . . . 188

image ﬁlter buﬀer . . . . . . . . . . . . . . . . . . . . . . 189

image ﬁlter interlace . . . . . . . . . . . . . . . . . . . . 189

image ﬁlter jpeg quality . . . . . . . . . . . . . . . . . . 189

image ﬁlter sharpen . . . . . . . . . . . . . . . . . . . . 189

image ﬁlter transparency . . . . . . . . . . . . . . . . . . 189

image ﬁlter webp quality . . . . . . . . . . . . . . . . . . 190

2.24.1 Summary

The ngx_http_image_filter_module module (0.7.54+) is a ﬁlter

that transforms images in JPEG, GIF, PNG, and WebP formats.

This module is not built by default, it should be enabled with the

--with-http_image_filter_module conﬁguration parameter.

This module utilizes the libgd library. It is recommended to use the latest

available version of the library.

The WebP format support appeared in version 1.11.6. To transform

images in this format, the libgd library must be compiled with the WebP

support.

2.24.2 Example Conﬁguration

location /img/ {

proxy_pass http://backend;

image_filter resize 150 100;

image_filter rotate 90;

error_page 415 = /empty;

}

location = /empty {

empty_gif;

}

Nginx, Inc. p.187 of 542

CHAPTER 2. HTTP SERVER MODULES 2.24. MODULE NGX HTTP IMAGE FILTER MODULE

2.24.3 Directives

image ﬁlter

Syntax: image_filter off;

Syntax: image_filter test;

Syntax: image_filter size;

Syntax: image_filter rotate 90 | 180 | 270;

Syntax: image_filter resize width height;

Syntax: image_filter crop width height;

Default off

Context: location

Sets the type of transformation to perform on images:

off

turns oﬀ module processing in a surrounding location.

test

ensures that responses are images in either JPEG, GIF, PNG, or WebP

format. Otherwise, the 415 Unsupported Media Type error is

returned.

size

outputs information about images in a JSON format, e.g.:

{ "img" : { "width": 100, "height": 100, "type": "gif" } }

In case of an error, the output is as follows:

{}

rotate 90|180|270

rotates images counter-clockwise by the speciﬁed number of degrees.

Parameter value can contain variables. This mode can be used either

alone or along with the resize and crop transformations.

resize width height

proportionally reduces an image to the speciﬁed sizes. To reduce by

only one dimension, another dimension can be speciﬁed as “-”. In case

of an error, the server will return code 415 Unsupported Media

Type. Parameter values can contain variables. When used along with

the rotate parameter, the rotation happens after reduction.

crop width height

proportionally reduces an image to the larger side size and crops

extraneous edges by another side. To reduce by only one dimension,

another dimension can be speciﬁed as “-”. In case of an error, the server

will return code 415 Unsupported Media Type. Parameter values

can contain variables. When used along with the rotate parameter,

the rotation happens before reduction.

Nginx, Inc. p.188 of 542

CHAPTER 2. HTTP SERVER MODULES 2.24. MODULE NGX HTTP IMAGE FILTER MODULE

image ﬁlter buﬀer

Syntax: image_filter_buffer size;

Default 1M

Context: http, server, location

Sets the maximum size of the buﬀer used for reading images. When the

size is exceeded the server returns error 415 Unsupported Media Type.

image ﬁlter interlace

Syntax: image_filter_interlace on | off;

Default off

Context: http, server, location

This directive appeared in version 1.3.15.

If enabled, ﬁnal images will be interlaced. For JPEG, ﬁnal images will be

in “progressive JPEG” format.

image ﬁlter jpeg quality

Syntax: image_filter_jpeg_quality quality;

Default 75

Context: http, server, location

Sets the desired quality of the transformed JPEG images. Acceptable values

are in the range from 1 to 100. Lesser values usually imply both lower image

quality and less data to transfer. The maximum recommended value is 95.

Parameter value can contain variables.

image ﬁlter sharpen

Syntax: image_filter_sharpen percent;

Default 0

Context: http, server, location

Increases sharpness of the ﬁnal image. The sharpness percentage can

exceed 100. The zero value disables sharpening. Parameter value can contain

variables.

image ﬁlter transparency

Syntax: image_filter_transparency on|off;

Default on

Context: http, server, location

Deﬁnes whether transparency should be preserved when transforming

GIF images or PNG images with colors speciﬁed by a palette. The loss

of transparency results in images of a better quality. The alpha channel

transparency in PNG is always preserved.

Nginx, Inc. p.189 of 542

CHAPTER 2. HTTP SERVER MODULES 2.24. MODULE NGX HTTP IMAGE FILTER MODULE

image ﬁlter webp quality

Syntax: image_filter_webp_quality quality;

Default 80

Context: http, server, location

This directive appeared in version 1.11.6.

Sets the desired quality of the transformed WebP images. Acceptable values

are in the range from 1 to 100. Lesser values usually imply both lower image

quality and less data to transfer. Parameter value can contain variables.

Nginx, Inc. p.190 of 542

CHAPTER 2. HTTP SERVER MODULES 2.25. MODULE NGX HTTP INDEX MODULE

2.25 Module ngx http index module

2.25.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 191

2.25.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 191

2.25.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 191

index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

2.25.1 Summary

The ngx_http_index_module module processes requests ending with

the slash character (‘/’). Such requests can also be processed by the ngx -

http autoindex module and ngx http random index module modules.

2.25.2 Example Conﬁguration

location / {

index index.$geo.html index.html;

}

2.25.3 Directives

index

Syntax: index ﬁle . . . ;

Default index.html

Context: http, server, location

Deﬁnes ﬁles that will be used as an index. The ﬁle name can contain

variables. Files are checked in the speciﬁed order. The last element of the list

can be a ﬁle with an absolute path. Example:

index index.$geo.html index.0.html /index.html;

It should be noted that using an index ﬁle causes an internal redirect, and

the request can be processed in a diﬀerent location. For example, with the

following conﬁguration:

location = / {

index index.html;

}

location / {

...

}

a “/” request will actually be processed in the second location as “/

index.html”.

Nginx, Inc. p.191 of 542

CHAPTER 2. HTTP SERVER MODULES 2.26. MODULE NGX HTTP INT ... MODULE

2.26 Module ngx http internal redirect mod-

ule

2.26.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 192

2.26.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 192

2.26.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 192

internal redirect . . . . . . . . . . . . . . . . . . . . . . . 192

2.26.1 Summary

The ngx_http_internal_redirect_module module (1.23.4) allows

making an internal redirect. In contrast to rewriting URIs, the redirection

is made after checking request and connection processing limits, and access

limits.

This module is available as part of our commercial subscription.

2.26.2 Example Conﬁguration

limit_req_zone $jwt_claim_sub zone=jwt_sub:10m rate=1r/s;

server {

location / {

auth_jwt "realm";

auth_jwt_key_file key.jwk;

internal_redirect @rate_limited;

}

location @rate_limited {

internal;

limit_req zone=jwt_sub burst=10;

proxy_pass http://backend;

}

The example implements per-user rate limiting. Implementation without

internal redirect is vulnerable to DoS attacks by unsigned JWTs, as normally

the limit req check is performed before auth jwt check. Using internal redirect

allows reordering these checks.

2.26.3 Directives

internal redirect

Syntax: internal_redirect uri;

Default —

Context: server, location

Nginx, Inc. p.192 of 542

CHAPTER 2. HTTP SERVER MODULES 2.26. MODULE NGX HTTP INT ... MODULE

Sets the URI for internal redirection of the request. It is also possible to

use a named location instead of the URI. The uri value can contain variables.

If the uri value is empty, then the redirect will not be made.

Nginx, Inc. p.193 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

2.27 Module ngx http js module

2.27.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 194

2.27.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 194

2.27.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 196

js body ﬁlter . . . . . . . . . . . . . . . . . . . . . . . . 196

js content . . . . . . . . . . . . . . . . . . . . . . . . . . 197

js fetch buﬀer size . . . . . . . . . . . . . . . . . . . . . 197

js fetch ciphers . . . . . . . . . . . . . . . . . . . . . . . 197

js fetch max response buﬀer size . . . . . . . . . . . . . 197

js fetch protocols . . . . . . . . . . . . . . . . . . . . . . 198

js fetch timeout . . . . . . . . . . . . . . . . . . . . . . . 198

js fetch trusted certiﬁcate . . . . . . . . . . . . . . . . . 198

js fetch verify . . . . . . . . . . . . . . . . . . . . . . . . 198

js fetch verify depth . . . . . . . . . . . . . . . . . . . . 198

js header ﬁlter . . . . . . . . . . . . . . . . . . . . . . . 199

js import . . . . . . . . . . . . . . . . . . . . . . . . . . 199

js include . . . . . . . . . . . . . . . . . . . . . . . . . . 199

js path . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

js preload object . . . . . . . . . . . . . . . . . . . . . . 200

js set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

js shared dict zone . . . . . . . . . . . . . . . . . . . . . 201

js var . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

2.27.4 Request Argument . . . . . . . . . . . . . . . . . . . . . 202

2.27.1 Summary

The ngx_http_js_module module is used to implement location and

variable handlers in njs — a subset of the JavaScript language.

Download and install instructions are available here.

2.27.2 Example Conﬁguration

The example works since 0.4.0.

http {

js_import http.js;

js_set $foo http.foo;

js_set $summary http.summary;

js_set $hash http.hash;

resolver 10.0.0.1;

server {

listen 8000;

location / {

add_header X-Foo $foo;

js_content http.baz;

}

location = /summary {

Nginx, Inc. p.194 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

return 200 $summary;

}

location = /hello {

js_content http.hello;

}

# since 0.7.0

location = /fetch {

js_content http.fetch;

js_fetch_trusted_certificate /path/to/ISRG_Root_X1.pem;

}

# since 0.7.0

location = /crypto {

add_header Hash $hash;

return 200;

}

The http.js ﬁle:

function foo(r) {

r.log("hello from foo() handler");

return "foo";

}

function summary(r) {

var a, s, h;

s = "JS summary\n\n";

s += "Method: " + r.method + "\n";

s += "HTTP version: " + r.httpVersion + "\n";

s += "Host: " + r.headersIn.host + "\n";

s += "Remote Address: " + r.remoteAddress + "\n";

s += "URI: " + r.uri + "\n";

s += "Headers:\n";

for (h in r.headersIn) {

s += " header ’" + h + "’ is ’" + r.headersIn[h] + "’\n";

}

s += "Args:\n";

for (a in r.args) {

s += " arg ’" + a + "’ is ’" + r.args[a] + "’\n";

}

return s;

}

function baz(r) {

r.status = 200;

r.headersOut.foo = 1234;

r.headersOut[’Content-Type’] = "text/plain; charset=utf-8";

r.headersOut[’Content-Length’] = 15;

r.sendHeader();

r.send("nginx");

r.send("java");

r.send("script");

r.finish();

}

function hello(r) {

r.return(200, "Hello world!");

}

Nginx, Inc. p.195 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

// since 0.7.0

async function fetch(r) {

let results = await Promise.all([ngx.fetch(’https://nginx.org/’),

ngx.fetch(’https://nginx.org/en/’)]);

r.return(200, JSON.stringify(results, undefined, 4));

}

// since 0.7.0

async function hash(r) {

let hash = await crypto.subtle.digest(’SHA-512’, r.headersIn.host);

r.setReturnValue(Buffer.from(hash).toString(’hex’));

}

export default {foo, summary, baz, hello, fetch, hash};

2.27.3 Directives

js body ﬁlter

Syntax: js_body_filter function | module.function [buﬀer type=string |

buﬀer];

Default —

Context: location, if in location, limit except

This directive appeared in version 0.5.2.

Sets an njs function as a response body ﬁlter. The ﬁlter function is called

for each data chunk of a response body with the following arguments:

the HTTP request object

data

the incoming data chunk, may be a string or Buﬀer depending on the

buffer_type value, by default is a string.

flags

an object with the following properties:

last

a boolean value, true if data is a last buﬀer.

The ﬁlter function can pass its own modiﬁed version of the input data

chunk to the next body ﬁlter by calling r.sendBuffer(). For example, to

transform all the lowercase letters in the response body:

function filter(r, data, flags) {

r.sendBuffer(data.toLowerCase(), flags);

}

To stop ﬁltering (following data chunks will be passed to client without

calling js_body_filter), r.done() can be used.

If the ﬁlter function changes the length of the response body, then it is

required to clear out the Content-Length response header (if any) in js_-

header_filter to enforce chunked transfer encoding.

Nginx, Inc. p.196 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

As the js_body_filter handler returns its result immediately, it

supports only synchronous operations. Thus, asynchronous operations such

as r.subrequest() or setTimeout() are not supported.

The directive can be speciﬁed inside the if block since 0.7.7.

js content

Syntax: js_content function | module.function;

Default —

Context: location, if in location, limit except

Sets an njs function as a location content handler. Since 0.4.0, a module

function can be referenced.

The directive can be speciﬁed inside the if block since 0.7.7.

js fetch buﬀer size

Syntax: js_fetch_buffer_size size;

Default 16k

Context: http, server, location

This directive appeared in version 0.7.4.

Sets the size of the buﬀer used for reading and writing with Fetch API.

js fetch ciphers

Syntax: js_fetch_ciphers ciphers;

Default HIGH:!aNULL:!MD5

Context: http, server, location

This directive appeared in version 0.7.0.

Speciﬁes the enabled ciphers for HTTPS requests with Fetch API. The

ciphers are speciﬁed in the format understood by the OpenSSL library.

The full list can be viewed using the “openssl ciphers” command.

js fetch max response buﬀer size

Syntax: js_fetch_max_response_buffer_size size;

Default 1m

Context: http, server, location

This directive appeared in version 0.7.4.

Sets the maximum size of the response received with Fetch API.

Nginx, Inc. p.197 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

js fetch protocols

Syntax: js_fetch_protocols [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];

Default TLSv1 TLSv1.1 TLSv1.2

Context: http, server, location

This directive appeared in version 0.7.0.

Enables the speciﬁed protocols for HTTPS requests with Fetch API.

js fetch timeout

Syntax: js_fetch_timeout time;

Default 60s

Context: http, server, location

This directive appeared in version 0.7.4.

Deﬁnes a timeout for reading and writing for Fetch API. The timeout is set

only between two successive read/write operations, not for the whole response.

If no data is transmitted within this time, the connection is closed.

js fetch trusted certiﬁcate

Syntax: js_fetch_trusted_certificate ﬁle;

Default —

Context: http, server, location

This directive appeared in version 0.7.0.

Speciﬁes a ﬁle with trusted CA certiﬁcates in the PEM format used to

verify the HTTPS certiﬁcate with Fetch API.

js fetch verify

Syntax: js_fetch_verify on | off;

Default on

Context: http, server, location

This directive appeared in version 0.7.4.

Enables or disables veriﬁcation of the HTTPS server certiﬁcate with Fetch

API.

js fetch verify depth

Syntax: js_fetch_verify_depth number;

Default 100

Context: http, server, location

This directive appeared in version 0.7.0.

Sets the veriﬁcation depth in the HTTPS server certiﬁcates chain with

Fetch API.

Nginx, Inc. p.198 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

js header ﬁlter

Syntax: js_header_filter function | module.function;

Default —

Context: location, if in location, limit except

This directive appeared in version 0.5.1.

Sets an njs function as a response header ﬁlter. The directive allows

changing arbitrary header ﬁelds of a response header.

As the js_header_filter handler returns its result immediately, it

supports only synchronous operations. Thus, asynchronous operations such

as r.subrequest() or setTimeout() are not supported.

The directive can be speciﬁed inside the if block since 0.7.7.

js import

Syntax: js_import module.js | export name from module.js;

Default —

Context: http, server, location

This directive appeared in version 0.4.0.

Imports a module that implements location and variable handlers in njs.

The export_name is used as a namespace to access module functions. If the

export_name is not speciﬁed, the module name will be used as a namespace.

js_import http.js;

Here, the module name http is used as a namespace while accessing

exports. If the imported module exports foo(), http.foo is used to refer

to it.

Several js_import directives can be speciﬁed.

The directive can be speciﬁed on the server and location level since

0.7.7.

js include

Syntax: js_include ﬁle;

Default —

Context: http

Speciﬁes a ﬁle that implements location and variable handlers in njs:

nginx.conf:

js_include http.js;

location /version {

js_content version;

}

Nginx, Inc. p.199 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

http.js:

function version(r) {

r.return(200, njs.version);

}

The directive was made obsolete in version 0.4.0 and was removed in version

0.7.1. The js import directive should be used instead.

js path

Syntax: js_path path;

Default —

Context: http, server, location

This directive appeared in version 0.3.0.

Sets an additional path for njs modules.

The directive can be speciﬁed on the server and location level since

0.7.7.

js preload object

Syntax: js_preload_object name.json | name from ﬁle.json;

Default —

Context: http, server, location

This directive appeared in version 0.7.8.

Preloads an immutable object at conﬁgure time. The name is used a name

of the global variable though which the object is available in njs code. If the

name is not speciﬁed, the ﬁle name will be used instead.

js_preload_object map.json;

Here, the map is used as a name while accessing the preloaded object.

Several js_preload_object directives can be speciﬁed.

js set

Syntax: js_set $variable function | module.function;

Default —

Context: http, server, location

Sets an njs function for the speciﬁed variable. Since 0.4.0, a module

function can be referenced.

The function is called when the variable is referenced for the ﬁrst time for

a given request. The exact moment depends on a phase at which the variable

is referenced. This can be used to perform some logic not related to variable

evaluation. For example, if the variable is referenced only in the log format

directive, its handler will not be executed until the log phase. This handler

can be used to do some cleanup right before the request is freed.

Nginx, Inc. p.200 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

As the js_set handler returns its result immediately, it supports

only synchronous operations. Thus, asynchronous operations such as

r.subrequest() or setTimeout() are not supported.

The directive can be speciﬁed on the server and location level since

0.7.7.

js shared dict zone

Syntax: js_shared_dict_zone zone=name:size [timeout=time]

[type=string|number] [evict];

Default —

Context: http

This directive appeared in version 0.8.0.

Sets the name and size of the shared memory zone that keeps the key-value

dictionary shared between worker processes.

By default the shared dictionary uses a string as a key and a value. The

optional type parameter allows redeﬁning the value type to number.

The optional timeout parameter sets the time after which all shared

dictionary entries are removed from the zone.

The optional evict parameter removes the oldest key-value pair when the

zone storage is exhausted.

Examples:

example.conf:

# Creates a 1Mb dictionary with string values,

# removes key-value pairs after 60 seconds of inactivity:

js_shared_dict_zone zone=foo:1M timeout=60s;

# Creates a 512Kb dictionary with string values,

# forcibly removes oldest key-value pairs when the zone is exhausted:

js_shared_dict_zone zone=bar:512K timeout=30s evict;

# Creates a 32Kb permanent dictionary with number values:

js_shared_dict_zone zone=num:32k type=number;

example.js:

function get(r) {

r.return(200, ngx.shared.foo.get(r.args.key));

}

function set(r) {

r.return(200, ngx.shared.foo.set(r.args.key, r.args.value));

}

function delete(r) {

r.return(200, ngx.shared.bar.delete(r.args.key));

}

function increment(r) {

r.return(200, ngx.shared.num.incr(r.args.key, 2));

}

Nginx, Inc. p.201 of 542

CHAPTER 2. HTTP SERVER MODULES 2.27. MODULE NGX HTTP JS MODULE

js var

Syntax: js_var $variable [value];

Default —

Context: http, server, location

This directive appeared in version 0.5.3.

Declares a writable variable. The value can contain text, variables, and

their combination. The variable is not overwritten after a redirect unlike

variables created with the set directive.

The directive can be speciﬁed on the server and location level since

0.7.7.

2.27.4 Request Argument

Each HTTP njs handler receives one argument, a request object.

Nginx, Inc. p.202 of 542

CHAPTER 2. HTTP SERVER MODULES 2.28. MODULE NGX HTTP KEYVAL MODULE

2.28 Module ngx http keyval module

2.28.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 203

2.28.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 203

2.28.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 203

keyval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

keyval zone . . . . . . . . . . . . . . . . . . . . . . . . . 204

2.28.1 Summary

The ngx_http_keyval_module module (1.13.3) creates variables with

values taken from key-value pairs managed by the API or a variable (1.15.10)

that can also be set with njs.

This module is available as part of our commercial subscription.

2.28.2 Example Conﬁguration

http {

keyval_zone zone=one:32k state=/var/lib/nginx/state/one.keyval;

keyval $arg_text $text zone=one;

...

server {

...

location / {

return 200 $text;

}

location /api {

api write=on;

}

2.28.3 Directives

keyval

Syntax: keyval key $variable zone=name;

Default —

Context: http

Creates a new $variable whose value is looked up by the key in the key-

value database. Matching rules are deﬁned by the type parameter of the

keyval_zone directive. The database is stored in a shared memory zone

speciﬁed by the zone parameter.

Nginx, Inc. p.203 of 542

CHAPTER 2. HTTP SERVER MODULES 2.28. MODULE NGX HTTP KEYVAL MODULE

keyval zone

Syntax: keyval_zone zone=name:size [state=ﬁle] [timeout=time]

[type=string|ip|prefix] [sync];

Default —

Context: http

Sets the name and size of the shared memory zone that keeps the key-value

database. Key-value pairs are managed by the API.

The optional state parameter speciﬁes a ﬁle that keeps the current state

of the key-value database in the JSON format and makes it persistent across

nginx restarts. Changing the ﬁle content directly should be avoided.

Examples:

keyval_zone zone=one:32k state=/var/lib/nginx/state/one.keyval; # path for

Linux

keyval_zone zone=one:32k state=/var/db/nginx/state/one.keyval; # path for

FreeBSD

The optional timeout parameter (1.15.0) sets the time after which key-

value pairs are removed from the zone.

The optional type parameter (1.17.1) activates an extra index optimized

for matching the key of a certain type and deﬁnes matching rules when

evaluating a keyval $variable.

The index is stored in the same shared memory zone and thus requires

additional storage.

type=string

default, no index is enabled; variable lookup is performed using exact

match of the record key and a search key

type=ip

the search key is the textual representation of IPv4 or IPv6 address or

CIDR range; to match a record key, the search key must belong to a

subnet speciﬁed by a record key or exactly match an IP address

type=prefix

variable lookup is performed using preﬁx match of a record key and a

search key (1.17.5); to match a record key, the record key must be a

preﬁx of the search key

The optional sync parameter (1.15.0) enables synchronization of the

shared memory zone. The synchronization requires the timeout parameter

to be set.

If the synchronization is enabled, removal of key-value pairs (no matter

one or all) will be performed only on a target cluster node. The same key-

value pairs on other cluster nodes will be removed upon timeout.

Nginx, Inc. p.204 of 542

CHAPTER 2. HTTP SERVER MODULES 2.29. MODULE NGX HTTP LIMIT CONN MODULE

2.29 Module ngx http limit conn module

2.29.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 205

2.29.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 205

2.29.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 205

limit conn . . . . . . . . . . . . . . . . . . . . . . . . . . 205

limit conn dry run . . . . . . . . . . . . . . . . . . . . . 206

limit conn log level . . . . . . . . . . . . . . . . . . . . . 206

limit conn status . . . . . . . . . . . . . . . . . . . . . . 207

limit conn zone . . . . . . . . . . . . . . . . . . . . . . . 207

limit zone . . . . . . . . . . . . . . . . . . . . . . . . . . 207

2.29.4 Embedded Variables . . . . . . . . . . . . . . . . . . . . 208

2.29.1 Summary

The ngx_http_limit_conn_module module is used to limit the

number of connections per the deﬁned key, in particular, the number of

connections from a single IP address.

Not all connections are counted. A connection is counted only if it has a

request being processed by the server and the whole request header has already

been read.

2.29.2 Example Conﬁguration

http {

limit_conn_zone $binary_remote_addr zone=addr:10m;

...

server {

...

location /download/ {

limit_conn addr 1;

}

2.29.3 Directives

limit conn

Syntax: limit_conn zone number;

Default —

Context: http, server, location

Sets the shared memory zone and the maximum allowed number of

connections for a given key value. When this limit is exceeded, the server

will return the error in reply to a request. For example, the directives

Nginx, Inc. p.205 of 542

CHAPTER 2. HTTP SERVER MODULES 2.29. MODULE NGX HTTP LIMIT CONN MODULE

limit_conn_zone $binary_remote_addr zone=addr:10m;

server {

location /download/ {

limit_conn addr 1;

}

allow only one connection per an IP address at a time.

In HTTP/2 and HTTP/3, each concurrent request is considered a separate

connection.

There could be several limit_conn directives. For example, the following

conﬁguration will limit the number of connections to the server per a client IP

and, at the same time, the total number of connections to the virtual server:

limit_conn_zone $binary_remote_addr zone=perip:10m;

limit_conn_zone $server_name zone=perserver:10m;

server {

...

limit_conn perip 10;

limit_conn perserver 100;

}

These directives are inherited from the previous conﬁguration level if and

only if there are no limit_conn directives deﬁned on the current level.

limit conn dry run

Syntax: limit_conn_dry_run on | off;

Default off

Context: http, server, location

This directive appeared in version 1.17.6.

Enables the dry run mode. In this mode, the number of connections is

not limited, however, in the shared memory zone, the number of excessive

connections is accounted as usual.

limit conn log level

Syntax: limit_conn_log_level info | notice | warn | error;

Default error

Context: http, server, location

This directive appeared in version 0.8.18.

Sets the desired logging level for cases when the server limits the number

of connections.

Nginx, Inc. p.206 of 542

CHAPTER 2. HTTP SERVER MODULES 2.29. MODULE NGX HTTP LIMIT CONN MODULE

limit conn status

Syntax: limit_conn_status code;

Default 503

Context: http, server, location

This directive appeared in version 1.3.15.

Sets the status code to return in response to rejected requests.

limit conn zone

Syntax: limit_conn_zone key zone=name:size;

Default —

Context: http

Sets parameters for a shared memory zone that will keep states for various

keys. In particular, the state includes the current number of connections. The

key can contain text, variables, and their combination. Requests with an empty

key value are not accounted.

Prior to version 1.7.6, a key could contain exactly one variable.

Usage example:

limit_conn_zone $binary_remote_addr zone=addr:10m;

Here, a client IP address serves as a key. Note that instead of $remote addr,

the $binary remote addr variable is used here. The $remote addr variable’s size

can vary from 7 to 15 bytes. The stored state occupies either 32 or 64 bytes

of memory on 32-bit platforms and always 64 bytes on 64-bit platforms. The

$binary remote addr variable’s size is always 4 bytes for IPv4 addresses or 16

bytes for IPv6 addresses. The stored state always occupies 32 or 64 bytes on

32-bit platforms and 64 bytes on 64-bit platforms. One megabyte zone can

keep about 32 thousand 32-byte states or about 16 thousand 64-byte states.

If the zone storage is exhausted, the server will return the error to all further

requests.

Additionally, as part of our commercial subscription, the status

information for each such shared memory zone can be obtained or reset with

the API since 1.17.7.

limit zone

Syntax: limit_zone name $variable size;

Default —

Context: http

This directive was made obsolete in version 1.1.8 and was removed in

version 1.7.6. An equivalent limit conn zone directive with a changed syntax

should be used instead:

Nginx, Inc. p.207 of 542

CHAPTER 2. HTTP SERVER MODULES 2.29. MODULE NGX HTTP LIMIT CONN MODULE

limit_conn_zone $variable zone=name:size;

2.29.4 Embedded Variables

$limit conn status

keeps the result of limiting the number of connections (1.17.6): PASSED,

REJECTED, or REJECTED_DRY_RUN

Nginx, Inc. p.208 of 542

CHAPTER 2. HTTP SERVER MODULES 2.30. MODULE NGX HTTP LIMIT REQ MODULE

2.30 Module ngx http limit req module

2.30.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 209

2.30.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 209

2.30.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 209

limit req . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

limit req dry run . . . . . . . . . . . . . . . . . . . . . . 210

limit req log level . . . . . . . . . . . . . . . . . . . . . . 210

limit req status . . . . . . . . . . . . . . . . . . . . . . . 211

limit req zone . . . . . . . . . . . . . . . . . . . . . . . . 211

2.30.4 Embedded Variables . . . . . . . . . . . . . . . . . . . . 212

2.30.1 Summary

The ngx_http_limit_req_module module (0.7.21) is used to limit

the request processing rate per a deﬁned key, in particular, the processing rate

of requests coming from a single IP address. The limitation is done using the

“leaky bucket” method.

2.30.2 Example Conﬁguration

http {

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

...

server {

...

location /search/ {

limit_req zone=one burst=5;

}

2.30.3 Directives

limit req

Syntax: limit_req zone=name [burst=number] [nodelay |

delay=number];

Default —

Context: http, server, location

Sets the shared memory zone and the maximum burst size of requests. If

the requests rate exceeds the rate conﬁgured for a zone, their processing is

delayed such that requests are processed at a deﬁned rate. Excessive requests

are delayed until their number exceeds the maximum burst size in which case

the request is terminated with an error. By default, the maximum burst size

is equal to zero. For example, the directives

Nginx, Inc. p.209 of 542

CHAPTER 2. HTTP SERVER MODULES 2.30. MODULE NGX HTTP LIMIT REQ MODULE

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

server {

location /search/ {

limit_req zone=one burst=5;

}

allow not more than 1 request per second at an average, with bursts not

exceeding 5 requests.

If delaying of excessive requests while requests are being limited is not

desired, the parameter nodelay should be used:

limit_req zone=one burst=5 nodelay;

The delay parameter (1.15.7) speciﬁes a limit at which excessive requests

become delayed. Default value is zero, i.e. all excessive requests are delayed.

There could be several limit_req directives. For example, the following

conﬁguration will limit the processing rate of requests coming from a single

IP address and, at the same time, the request processing rate by the virtual

server:

limit_req_zone $binary_remote_addr zone=perip:10m rate=1r/s;

limit_req_zone $server_name zone=perserver:10m rate=10r/s;

server {

...

limit_req zone=perip burst=5 nodelay;

limit_req zone=perserver burst=10;

}

These directives are inherited from the previous conﬁguration level if and

only if there are no limit_req directives deﬁned on the current level.

limit req dry run

Syntax: limit_req_dry_run on | off;

Default off

Context: http, server, location

This directive appeared in version 1.17.1.

Enables the dry run mode. In this mode, requests processing rate is not

limited, however, in the shared memory zone, the number of excessive requests

is accounted as usual.

limit req log level

Syntax: limit_req_log_level info | notice | warn | error;

Default error

Context: http, server, location

This directive appeared in version 0.8.18.

Nginx, Inc. p.210 of 542

CHAPTER 2. HTTP SERVER MODULES 2.30. MODULE NGX HTTP LIMIT REQ MODULE

Sets the desired logging level for cases when the server refuses to process

requests due to rate exceeding, or delays request processing. Logging level for

delays is one point less than for refusals; for example, if “limit_req_log_-

level notice” is speciﬁed, delays are logged with the info level.

limit req status

Syntax: limit_req_status code;

Default 503

Context: http, server, location

This directive appeared in version 1.3.15.

Sets the status code to return in response to rejected requests.

limit req zone

Syntax: limit_req_zone key zone=name:size rate=rate [sync];

Default —

Context: http

Sets parameters for a shared memory zone that will keep states for various

keys. In particular, the state stores the current number of excessive requests.

The key can contain text, variables, and their combination. Requests with an

empty key value are not accounted.

Prior to version 1.7.6, a key could contain exactly one variable.

Usage example:

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;

Here, the states are kept in a 10 megabyte zone “one”, and an average

request processing rate for this zone cannot exceed 1 request per second.

A client IP address serves as a key. Note that instead of $remote addr, the

$binary remote addr variable is used here. The $binary remote addr variable’s

size is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses. The

stored state always occupies 64 bytes on 32-bit platforms and 128 bytes on 64-

bit platforms. One megabyte zone can keep about 16 thousand 64-byte states

or about 8 thousand 128-byte states.

If the zone storage is exhausted, the least recently used state is removed. If

even after that a new state cannot be created, the request is terminated with

an error.

The rate is speciﬁed in requests per second (r/s). If a rate of less than one

request per second is desired, it is speciﬁed in request per minute (r/m). For

example, half-request per second is 30r/m.

The sync parameter (1.15.3) enables synchronization of the shared

memory zone.

Nginx, Inc. p.211 of 542

CHAPTER 2. HTTP SERVER MODULES 2.30. MODULE NGX HTTP LIMIT REQ MODULE

The sync parameter is available as part of our commercial subscription.

Additionally, as part of our commercial subscription, the status

information for each such shared memory zone can be obtained or reset with

the API since 1.17.7.

2.30.4 Embedded Variables

$limit req status

keeps the result of limiting the request processing rate (1.17.6): PASSED,

DELAYED, REJECTED, DELAYED_DRY_RUN, or REJECTED_DRY_RUN

Nginx, Inc. p.212 of 542

CHAPTER 2. HTTP SERVER MODULES 2.31. MODULE NGX HTTP LOG MODULE

2.31 Module ngx http log module

2.31.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 213

2.31.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 213

2.31.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 213

access log . . . . . . . . . . . . . . . . . . . . . . . . . . 213

log format . . . . . . . . . . . . . . . . . . . . . . . . . . 215

open log ﬁle cache . . . . . . . . . . . . . . . . . . . . . 216

2.31.1 Summary

The ngx_http_log_module module writes request logs in the speciﬁed

format.

Requests are logged in the context of a location where processing ends.

It may be diﬀerent from the original location, if an internal redirect happens

during request processing.

2.31.2 Example Conﬁguration

log_format compression ’$remote_addr - $remote_user [$time_local] ’

’"$request" $status $bytes_sent ’

’"$http_referer" "$http_user_agent" "$gzip_ratio"’;

access_log /spool/logs/nginx-access.log compression buffer=32k;

2.31.3 Directives

access log

Syntax: access_log path [format [buffer=size] [gzip[=level]]

[flush=time] [if=condition]];

Syntax: access_log off;

Default logs/access.log combined

Context: http, server, location, if in location, limit except

Sets the path, format, and conﬁguration for a buﬀered log write. Several

logs can be speciﬁed on the same conﬁguration level. Logging to syslog can

be conﬁgured by specifying the “syslog:” preﬁx in the ﬁrst parameter. The

special value off cancels all access_log directives on the current level. If

the format is not speciﬁed then the predeﬁned “combined” format is used.

If either the buffer or gzip (1.3.10, 1.2.7) parameter is used, writes to

log will be buﬀered.

The buﬀer size must not exceed the size of an atomic write to a disk ﬁle.

For FreeBSD this size is unlimited.

When buﬀering is enabled, the data will be written to the ﬁle:

Nginx, Inc. p.213 of 542

CHAPTER 2. HTTP SERVER MODULES 2.31. MODULE NGX HTTP LOG MODULE

• if the next log line does not ﬁt into the buﬀer;

• if the buﬀered data is older than speciﬁed by the flush parameter

(1.3.10, 1.2.7);

• when a worker process is re-opening log ﬁles or is shutting down.

If the gzip parameter is used, then the buﬀered data will be compressed

before writing to the ﬁle. The compression level can be set between 1 (fastest,

less compression) and 9 (slowest, best compression). By default, the buﬀer

size is equal to 64K bytes, and the compression level is set to 1. Since the data

is compressed in atomic blocks, the log ﬁle can be decompressed or read by

“zcat” at any time.

Example:

access_log /path/to/log.gz combined gzip flush=5m;

For gzip compression to work, nginx must be built with the zlib library.

The ﬁle path can contain variables (0.7.6+), but such logs have some

constraints:

• the user whose credentials are used by worker processes should have

permissions to create ﬁles in a directory with such logs;

• buﬀered writes do not work;

• the ﬁle is opened and closed for each log write. However, since the

descriptors of frequently used ﬁles can be stored in a cache, writing to

the old ﬁle can continue during the time speciﬁed by the open log ﬁle -

cache directive’s valid parameter

• during each log write the existence of the request’s root directory is

checked, and if it does not exist the log is not created. It is thus a good

idea to specify both root and access_log on the same conﬁguration

level:

server {

root /spool/vhost/data/$host;

access_log /spool/vhost/logs/$host;

...

The if parameter (1.7.0) enables conditional logging. A request will not

be logged if the condition evaluates to “0” or an empty string. In the following

example, the requests with response codes 2xx and 3xx will not be logged:

map $status $loggable {

~^[23] 0;

default 1;

}

access_log /path/to/access.log combined if=$loggable;

Nginx, Inc. p.214 of 542

CHAPTER 2. HTTP SERVER MODULES 2.31. MODULE NGX HTTP LOG MODULE

log format

Syntax: log_format name [escape=default|json|none] string . . . ;

Default combined "..."

Context: http

Speciﬁes log format.

The escape parameter (1.11.8) allows setting json or default

characters escaping in variables, by default, default escaping is used. The

none value (1.13.10) disables escaping.

For default escaping, characters “"”, “\”, and other characters with

values less than 32 (0.7.0) or above 126 (1.1.6) are escaped as “\xXX”. If

the variable value is not found, a hyphen (“-”) will be logged.

For json escaping, all characters not allowed in JSON strings will be

escaped: characters “"” and “\” are escaped as “\"” and “\\”, characters with

values less than 32 are escaped as “\n”, “\r”, “\t”, “\b”, “\f”, or “\u00XX”.

The log format can contain common variables, and variables that exist only

at the time of a log write:

$bytes sent

the number of bytes sent to a client

$connection

connection serial number

$connection requests

the current number of requests made through a connection (1.1.18)

$msec

time in seconds with a milliseconds resolution at the time of the log write

$pipe

“p” if request was pipelined, “.” otherwise

$request length

request length (including request line, header, and request body)

$request time

request processing time in seconds with a milliseconds resolution; time

elapsed between the ﬁrst bytes were read from the client and the log

write after the last bytes were sent to the client

$status

response status

$time iso8601

local time in the ISO 8601 standard format

$time local

local time in the Common Log Format

In the modern nginx versions variables $status (1.3.2, 1.2.2), $bytes -

sent (1.3.8, 1.2.5), $connection (1.3.8, 1.2.5), $connection requests (1.3.8,

1.2.5), $msec (1.3.9, 1.2.6), $request time (1.3.9, 1.2.6), $pipe (1.3.12, 1.2.7),

$request length (1.3.12, 1.2.7), $time iso8601 (1.3.12, 1.2.7), and $time local

(1.3.12, 1.2.7) are also available as common variables.

Nginx, Inc. p.215 of 542

CHAPTER 2. HTTP SERVER MODULES 2.31. MODULE NGX HTTP LOG MODULE

Header lines sent to a client have the preﬁx “sent_http_”, for example,

$sent http content range.

The conﬁguration always includes the predeﬁned “combined” format:

log_format combined ’$remote_addr - $remote_user [$time_local] ’

’"$request" $status $body_bytes_sent ’

’"$http_referer" "$http_user_agent"’;

open log ﬁle cache

Syntax: open_log_file_cache max=N [inactive=time] [min_uses=N]

[valid=time];

Syntax: open_log_file_cache off;

Default off

Context: http, server, location

Deﬁnes a cache that stores the ﬁle descriptors of frequently used logs whose

names contain variables. The directive has the following parameters:

max

sets the maximum number of descriptors in a cache; if the cache becomes

full the least recently used (LRU) descriptors are closed

inactive

sets the time after which the cached descriptor is closed if there were no

access during this time; by default, 10 seconds

min_uses

sets the minimum number of ﬁle uses during the time deﬁned by the

inactive parameter to let the descriptor stay open in a cache; by

default, 1

valid

sets the time after which it should be checked that the ﬁle still exists

with the same name; by default, 60 seconds

off

disables caching

Usage example:

open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2;

Nginx, Inc. p.216 of 542

CHAPTER 2. HTTP SERVER MODULES 2.32. MODULE NGX HTTP MAP MODULE

2.32 Module ngx http map module

2.32.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 217

2.32.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 217

2.32.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 217

map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

map hash bucket size . . . . . . . . . . . . . . . . . . . . 219

map hash max size . . . . . . . . . . . . . . . . . . . . . 219

2.32.1 Summary

The ngx_http_map_module module creates variables whose values

depend on values of other variables.

2.32.2 Example Conﬁguration

map $http_host $name {

hostnames;

default 0;

example.com 1;

.example.com 1;

example.org 2;

.example.org 2;

.example.net 3;

wap.

}

map $http_user_agent $mobile {

default 0;

"~Opera Mini" 1;

}

2.32.3 Directives

map

Syntax: map string $variable { . . . }

Default —

Context: http

Creates a new variable whose value depends on values of one or more of

the source variables speciﬁed in the ﬁrst parameter.

Before version 0.9.0 only a single variable could be speciﬁed in the ﬁrst

parameter.

Since variables are evaluated only when they are used, the mere

declaration even of a large number of “map” variables does not add any extra

costs to request processing.

Nginx, Inc. p.217 of 542

CHAPTER 2. HTTP SERVER MODULES 2.32. MODULE NGX HTTP MAP MODULE

Parameters inside the map block specify a mapping between source and

resulting values.

Source values are speciﬁed as strings or regular expressions (0.9.6).

Strings are matched ignoring the case.

A regular expression should either start from the “~” symbol for a case-

sensitive matching, or from the “~

” symbols (1.0.4) for case-insensitive

matching. A regular expression can contain named and positional captures

that can later be used in other directives along with the resulting variable.

If a source value matches one of the names of special parameters described

below, it should be preﬁxed with the “\” symbol.

The resulting value can contain text, variable (0.9.0), and their combination

(1.11.0).

The following special parameters are also supported:

default value

sets the resulting value if the source value matches none of the speciﬁed

variants. When default is not speciﬁed, the default resulting value

will be an empty string.

hostnames

indicates that source values can be hostnames with a preﬁx or suﬃx

mask:

.example.com 1;

example.

The following two records

example.com 1;

.example.com 1;

can be combined:

.example.com 1;

This parameter should be speciﬁed before the list of values.

include ﬁle

includes a ﬁle with values. There can be several inclusions.

volatile

indicates that the variable is not cacheable (1.11.7).

If the source value matches more than one of the speciﬁed variants, e.g.

both a mask and a regular expression match, the ﬁrst matching variant will be

chosen, in the following order of priority:

1. string value without a mask

2. longest string value with a preﬁx mask, e.g. “

.example.com”

3. longest string value with a suﬃx mask, e.g. “mail.

”

Nginx, Inc. p.218 of 542

CHAPTER 2. HTTP SERVER MODULES 2.32. MODULE NGX HTTP MAP MODULE

4. ﬁrst matching regular expression (in order of appearance in a

conﬁguration ﬁle)

5. default value

map hash bucket size

Syntax: map_hash_bucket_size size;

Default 32|64|128

Context: http

Sets the bucket size for the map variables hash tables. Default value

depends on the processor’s cache line size. The details of setting up hash

tables are provided in a separate document.

map hash max size

Syntax: map_hash_max_size size;

Default 2048

Context: http

Sets the maximum size of the map variables hash tables. The details of

setting up hash tables are provided in a separate document.

Nginx, Inc. p.219 of 542

CHAPTER 2. HTTP SERVER MODULES 2.33. MODULE NGX HTTP MEMCACHED MODULE

2.33 Module ngx http memcached module

2.33.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 220

2.33.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 220

2.33.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 220

memcached bind . . . . . . . . . . . . . . . . . . . . . . 220

memcached buﬀer size . . . . . . . . . . . . . . . . . . . 221

memcached connect timeout . . . . . . . . . . . . . . . . 221

memcached gzip ﬂag . . . . . . . . . . . . . . . . . . . . 221

memcached next upstream . . . . . . . . . . . . . . . . . 222

memcached next upstream timeout . . . . . . . . . . . . 222

memcached next upstream tries . . . . . . . . . . . . . . 222

memcached pass . . . . . . . . . . . . . . . . . . . . . . 223

memcached read timeout . . . . . . . . . . . . . . . . . . 223

memcached send timeout . . . . . . . . . . . . . . . . . 223

memcached socket keepalive . . . . . . . . . . . . . . . . 223

2.33.4 Embedded Variables . . . . . . . . . . . . . . . . . . . . 224

2.33.1 Summary

The ngx_http_memcached_module module is used to obtain responses

from a memcached server. The key is set in the $memcached key variable. A

response should be put in memcached in advance by means external to nginx.

2.33.2 Example Conﬁguration

server {

location / {

set $memcached_key "$uri?$args";

memcached_pass host:11211;

error_page 404 502 504 = @fallback;

}

location @fallback {

proxy_pass http://backend;

}

2.33.3 Directives

memcached bind

Syntax: memcached_bind address [transparent ] | off;

Default —

Context: http, server, location

This directive appeared in version 0.8.22.

Makes outgoing connections to a memcached server originate from the

speciﬁed local IP address with an optional port (1.11.2). Parameter value can

contain variables (1.3.12). The special value off (1.3.12) cancels the eﬀect

Nginx, Inc. p.220 of 542

CHAPTER 2. HTTP SERVER MODULES 2.33. MODULE NGX HTTP MEMCACHED MODULE

of the memcached_bind directive inherited from the previous conﬁguration

level, which allows the system to auto-assign the local IP address and port.

The transparent parameter (1.11.0) allows outgoing connections to a

memcached server originate from a non-local IP address, for example, from a

real IP address of a client:

memcached_bind $remote_addr transparent;

In order for this parameter to work, it is usually necessary to run nginx

worker processes with the superuser privileges. On Linux it is not required

(1.13.8) as if the transparent parameter is speciﬁed, worker processes

inherit the CAP_NET_RAW capability from the master process. It is also

necessary to conﬁgure kernel routing table to intercept network traﬃc from

the memcached server.

memcached buﬀer size

Syntax: memcached_buffer_size size;

Default 4k|8k

Context: http, server, location

Sets the size of the buﬀer used for reading the response received from the

memcached server. The response is passed to the client synchronously, as soon

as it is received.

memcached connect timeout

Syntax: memcached_connect_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for establishing a connection with a memcached server.

It should be noted that this timeout cannot usually exceed 75 seconds.

memcached gzip ﬂag

Syntax: memcached_gzip_flag ﬂag;

Default —

Context: http, server, location

This directive appeared in version 1.3.6.

Enables the test for the ﬂag presence in the memcached server response

and sets the “Content-Encoding” response header ﬁeld to “gzip” if the

ﬂag is set.

Nginx, Inc. p.221 of 542

CHAPTER 2. HTTP SERVER MODULES 2.33. MODULE NGX HTTP MEMCACHED MODULE

memcached next upstream

Syntax: memcached_next_upstream error | timeout |

invalid_response | not_found | off . . . ;

Default error timeout

Context: http, server, location

Speciﬁes in which cases a request should be passed to the next server:

error

an error occurred while establishing a connection with the server, passing

a request to it, or reading the response header;

timeout

a timeout has occurred while establishing a connection with the server,

passing a request to it, or reading the response header;

invalid_response

a server returned an empty or invalid response;

not_found

a response was not found on the server;

off

disables passing a request to the next server.

One should bear in mind that passing a request to the next server is only

possible if nothing has been sent to a client yet. That is, if an error or timeout

occurs in the middle of the transferring of a response, ﬁxing this is impossible.

The directive also deﬁnes what is considered an unsuccessful attempt of

communication with a server. The cases of error, timeout and invalid_-

response are always considered unsuccessful attempts, even if they are not

speciﬁed in the directive. The case of not_found is never considered an

unsuccessful attempt.

Passing a request to the next server can be limited by the number of tries

and by time.

memcached next upstream timeout

Syntax: memcached_next_upstream_timeout time;

Default 0

Context: http, server, location

This directive appeared in version 1.7.5.

Limits the time during which a request can be passed to the next server.

The 0 value turns oﬀ this limitation.

memcached next upstream tries

Syntax: memcached_next_upstream_tries number;

Default 0

Context: http, server, location

This directive appeared in version 1.7.5.

Nginx, Inc. p.222 of 542

CHAPTER 2. HTTP SERVER MODULES 2.33. MODULE NGX HTTP MEMCACHED MODULE

Limits the number of possible tries for passing a request to the next server.

The 0 value turns oﬀ this limitation.

memcached pass

Syntax: memcached_pass address;

Default —

Context: location, if in location

Sets the memcached server address. The address can be speciﬁed as a

domain name or IP address, and a port:

memcached_pass localhost:11211;

or as a UNIX-domain socket path:

memcached_pass unix:/tmp/memcached.socket;

If a domain name resolves to several addresses, all of them will be used

in a round-robin fashion. In addition, an address can be speciﬁed as a server

group.

memcached read timeout

Syntax: memcached_read_timeout time;

Default 60s

Context: http, server, location

Deﬁnes a timeout for reading a response from the memcached server.

The timeout is set only between two successive read operations, not for the

transmission of the whole response. If the memcached server does not transmit

anything within this time, the connection is closed.

memcached send timeout

Syntax: memcached_send_timeout time;

Default 60s

Context: http, server, location

Sets a timeout for transmitting a request to the memcached server. The

timeout is set only between two successive write operations, not for the

transmission of the whole request. If the memcached server does not receive

anything within this time, the connection is closed.

memcached socket keepalive

Syntax: memcached_socket_keepalive on | off;

Default off

Context: http, server, location

This directive appeared in version 1.15.6.

Nginx, Inc. p.223 of 542

CHAPTER 2. HTTP SERVER MODULES 2.33. MODULE NGX HTTP MEMCACHED MODULE

Conﬁgures the “TCP keepalive” behavior for outgoing connections to a

memcached server. By default, the operating system’s settings are in eﬀect

for the socket. If the directive is set to the value “on”, the SO_KEEPALIVE

socket option is turned on for the socket.

2.33.4 Embedded Variables

$memcached key

Deﬁnes a key for obtaining response from a memcached server.

Nginx, Inc. p.224 of 542

CHAPTER 2. HTTP SERVER MODULES 2.34. MODULE NGX HTTP MIRROR MODULE

2.34 Module ngx http mirror module

2.34.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 225

2.34.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 225

2.34.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 225

mirror . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

mirror request body . . . . . . . . . . . . . . . . . . . . 225

2.34.1 Summary

The ngx_http_mirror_module module (1.13.4) implements mirroring

of an original request by creating background mirror subrequests. Responses

to mirror subrequests are ignored.

2.34.2 Example Conﬁguration

location / {

mirror /mirror;

proxy_pass http://backend;

}

location = /mirror {

internal;

proxy_pass http://test_backend$request_uri;

}

2.34.3 Directives

mirror

Syntax: mirror uri | off;

Default off

Context: http, server, location

Sets the URI to which an original request will be mirrored. Several mirrors

can be speciﬁed on the same conﬁguration level.

mirror request body

Syntax: mirror_request_body on | off;

Default on

Context: http, server, location

Indicates whether the client request body is mirrored. When

enabled, the client request body will be read prior to creating mirror

subrequests. In this case, unbuﬀered client request body proxying set by the

proxy request buﬀering, fastcgi request buﬀering, scgi request buﬀering, and

uwsgi request buﬀering directives will be disabled.

Nginx, Inc. p.225 of 542

CHAPTER 2. HTTP SERVER MODULES 2.34. MODULE NGX HTTP MIRROR MODULE

location / {

mirror /mirror;

mirror_request_body off;

proxy_pass http://backend;

}

location = /mirror {

internal;

proxy_pass http://log_backend;

proxy_pass_request_body off;

proxy_set_header Content-Length "";

proxy_set_header X-Original-URI $request_uri;

}

Nginx, Inc. p.226 of 542

CHAPTER 2. HTTP SERVER MODULES 2.35. MODULE NGX HTTP MP4 MODULE

2.35 Module ngx http mp4 module

2.35.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 227

2.35.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 228

2.35.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 228

mp4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

mp4 buﬀer size . . . . . . . . . . . . . . . . . . . . . . . 228

mp4 max buﬀer size . . . . . . . . . . . . . . . . . . . . 229

mp4 limit rate . . . . . . . . . . . . . . . . . . . . . . . 229

mp4 limit rate after . . . . . . . . . . . . . . . . . . . . 229

mp4 start key frame . . . . . . . . . . . . . . . . . . . . 229

2.35.1 Summary

The ngx_http_mp4_module module provides pseudo-streaming server-

side support for MP4 ﬁles. Such ﬁles typically have the .mp4, .m4v, or .m4a

ﬁlename extensions.

Pseudo-streaming works in alliance with a compatible media player. The

player sends an HTTP request to the server with the start time speciﬁed in the

query string argument (named simply start and speciﬁed in seconds), and

the server responds with the stream such that its start position corresponds to

the requested time, for example:

http://example.com/elephants_dream.mp4?start=238.88

This allows performing a random seeking at any time, or starting playback

in the middle of the timeline.

To support seeking, H.264-based formats store metadata in a so-called

“moov atom”. It is a part of the ﬁle that holds the index information for

the whole ﬁle.

To start playback, the player ﬁrst needs to read metadata. This is done

by sending a special request with the start=0 argument. A lot of encoding

software insert the metadata at the end of the ﬁle. This is suboptimal for

pseudo-streaming, because the player has to download the entire ﬁle before

starting playback. If the metadata are located at the beginning of the ﬁle,

it is enough for nginx to simply start sending back the ﬁle contents. If the

metadata are located at the end of the ﬁle, nginx must read the entire ﬁle and

prepare a new stream so that the metadata come before the media data. This

involves some CPU, memory, and disk I/O overhead, so it is a good idea to

prepare an original ﬁle for pseudo-streaming in advance, rather than having

nginx do this on every such request.

The module also supports the end argument of an HTTP request (1.5.13)

which sets the end point of playback. The end argument can be speciﬁed with

the start argument or separately:

http://example.com/elephants_dream.mp4?start=238.88&end=555.55

Nginx, Inc. p.227 of 542

CHAPTER 2. HTTP SERVER MODULES 2.35. MODULE NGX HTTP MP4 MODULE

For a matching request with a non-zero start or end argument, nginx

will read the metadata from the ﬁle, prepare the stream with the requested

time range, and send it to the client. This has the same overhead as described

above.

If the start argument points to a non-key video frame, the beginning of

such video will be broken. To ﬁx this issue, the video can be prepended with

the key frame before start point and with all intermediate frames between

them. These frames will be hidden from playback using an edit list (1.21.4).

If a matching request does not include the start and end arguments,

there is no overhead, and the ﬁle is sent simply as a static resource. Some

players also support byte-range requests, and thus do not require this module.

This module is not built by default, it should be enabled with the

--with-http_mp4_module conﬁguration parameter.

If a third-party mp4 module was previously used, it should be disabled.

A similar pseudo-streaming support for FLV ﬁles is provided by the ngx -

http ﬂv module module.

2.35.2 Example Conﬁguration

location /video/ {

mp4;

mp4_buffer_size 1m;

mp4_max_buffer_size 5m;

mp4_limit_rate on;

mp4_limit_rate_after 30s;

}

2.35.3 Directives

mp4

Syntax: mp4;

Default —

Context: location

Turns on module processing in a surrounding location.

mp4 buﬀer size

Syntax: mp4_buffer_size size;

Default 512K

Context: http, server, location

Sets the initial size of the buﬀer used for processing MP4 ﬁles.

Nginx, Inc. p.228 of 542

CHAPTER 2. HTTP SERVER MODULES 2.35. MODULE NGX HTTP MP4 MODULE

mp4 max buﬀer size

Syntax: mp4_max_buffer_size size;

Default 10M

Context: http, server, location

During metadata processing, a larger buﬀer may become necessary. Its size

cannot exceed the speciﬁed size, or else nginx will return the 500 Internal

Server Error server error, and log the following message:

"/some/movie/file.mp4" mp4 moov atom is too large:

12583268, you may want to increase mp4_max_buffer_size

mp4 limit rate

Syntax: mp4_limit_rate on | off | factor;

Default off

Context: http, server, location

Limits the rate of response transmission to a client. The rate is limited

based on the average bitrate of the MP4 ﬁle served. To calculate the rate, the

bitrate is multiplied by the speciﬁed factor. The special value“on”corresponds

to the factor of 1.1. The special value “off” disables rate limiting. The limit

is set per a request, and so if a client simultaneously opens two connections,

the overall rate will be twice as much as the speciﬁed limit.

This directive is available as part of our commercial subscription.

mp4 limit rate after

Syntax: mp4_limit_rate_after time;

Default 60s

Context: http, server, location

Sets the initial amount of media data (measured in playback time) after

which the further transmission of the response to a client will be rate limited.

This directive is available as part of our commercial subscription.

mp4 start key frame

Syntax: mp4_start_key_frame on | off;

Default off

Context: http, server, location

This directive appeared in version 1.21.4.

Forces output video to always start with a key video frame. If the start

argument does not point to a key frame, initial frames are hidden using an

mp4 edit list. Edit lists are supported by major players and browsers such as

Chrome, Safari, QuickTime and ﬀmpeg, partially supported by Firefox.

Nginx, Inc. p.229 of 542

CHAPTER 2. HTTP SERVER MODULES 2.36. MODULE NGX HTTP PERL MODULE

2.36 Module ngx http perl module

2.36.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 230

2.36.2 Known Issues . . . . . . . . . . . . . . . . . . . . . . . . 230

2.36.3 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 231

2.36.4 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 231

perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

perl modules . . . . . . . . . . . . . . . . . . . . . . . . 232

perl require . . . . . . . . . . . . . . . . . . . . . . . . . 232

perl set . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

2.36.5 Calling Perl from SSI . . . . . . . . . . . . . . . . . . . . 232

2.36.6 The $r Request Object Methods . . . . . . . . . . . . . . 232

2.36.1 Summary

The ngx_http_perl_module module is used to implement location and

variable handlers in Perl and insert Perl calls into SSI.

This module is not built by default, it should be enabled with the

--with-http_perl_module conﬁguration parameter.

This module requires Perl version 5.6.1 or higher. The C compiler should

be compatible with the one used to build Perl.

2.36.2 Known Issues

The module is experimental, caveat emptor applies.

In order for Perl to recompile the modiﬁed modules during recon-

ﬁguration, it should be built with the -Dusemultiplicity=yes or

-Dusethreads=yes parameters. Also, to make Perl leak less memory at

run time, it should be built with the -Dusemymalloc=no parameter. To

check the values of these parameters in an already built Perl (preferred values

are speciﬁed in the example), run:

$ perl -V:usemultiplicity -V:usemymalloc

usemultiplicity=’define’;

usemymalloc=’n’;

Note that after rebuilding Perl with the new -Dusemultiplicity=yes

or -Dusethreads=yes parameters, all binary Perl modules will have to be

rebuilt as well — they will just stop working with the new Perl.

There is a possibility that the main process and then worker processes

will grow in size after every reconﬁguration. If the main process grows to an

unacceptable size, the live upgrade procedure can be applied without changing

the executable ﬁle.

While the Perl module is performing a long-running operation, such as

resolving a domain name, connecting to another server, or querying a database,

other requests assigned to the current worker process will not be processed. It

Nginx, Inc. p.230 of 542

CHAPTER 2. HTTP SERVER MODULES 2.36. MODULE NGX HTTP PERL MODULE

is thus recommended to perform only such operations that have predictable

and short execution time, such as accessing the local ﬁle system.

2.36.3 Example Conﬁguration

http {

perl_modules perl/lib;

perl_require hello.pm;

perl_set $msie6 ’

sub {

my $r = shift;

my $ua = $r->header_in("User-Agent");

return "" if $ua =~ /Opera/;

return "1" if $ua =~ / MSIE [6-9]\.\d+/;

return "";

}

’;

server {

location / {

perl hello::handler;

}

The perl/lib/hello.pm module:

package hello;

use nginx;

sub handler {

my $r = shift;

$r->send_http_header("text/html");

return OK if $r->header_only;

$r->print("hello!\n<br/>");

if (-f $r->filename or -d _) {

$r->print($r->uri, " exists!\n");

}

return OK;

}

__END__

2.36.4 Directives

perl

Syntax: perl module::function|’sub { . . . }’;

Default —

Context: location, limit except

Nginx, Inc. p.231 of 542

CHAPTER 2. HTTP SERVER MODULES 2.36. MODULE NGX HTTP PERL MODULE

Sets a Perl handler for the given location.

perl modules

Syntax: perl_modules path;

Default —

Context: http

Sets an additional path for Perl modules.

perl require

Syntax: perl_require module;

Default —

Context: http

Deﬁnes the name of a module that will be loaded during each

reconﬁguration. Several perl_require directives can be present.

perl set

Syntax: perl_set $variable module::function|’sub { . . . }’;

Default —

Context: http

Installs a Perl handler for the speciﬁed variable.

2.36.5 Calling Perl from SSI

An SSI command calling Perl has the following format:

<!--# perl sub="module::function" arg="parameter1" arg="parameter2" ...

-->

2.36.6 The $r Request Object Methods

$r->args

returns request arguments.

$r->filename

returns a ﬁlename corresponding to the request URI.

$r->has_request_body(handler)

returns 0 if there is no body in a request. If there is a body, the speciﬁed

handler is set for the request and 1 is returned. After reading the request

body, nginx will call the speciﬁed handler. Note that the handler function

should be passed by reference. Example:

package hello;

use nginx;

Nginx, Inc. p.232 of 542

CHAPTER 2. HTTP SERVER MODULES 2.36. MODULE NGX HTTP PERL MODULE

sub handler {

my $r = shift;

if ($r->request_method ne "POST") {

return DECLINED;

}

if ($r->has_request_body(\&post)) {

return OK;

}

return HTTP_BAD_REQUEST;

}

sub post {

my $r = shift;

$r->send_http_header;

$r->print("request_body: \"", $r->request_body, "\"<br/>");

$r->print("request_body_file: \"", $r->request_body_file, "\"<br/>\n

");

return OK;

}

__END__

$r->allow_ranges

enables the use of byte ranges when sending responses.

$r->discard_request_body

instructs nginx to discard the request body.

$r->header_in(field)

returns the value of the speciﬁed client request header ﬁeld.

$r->header_only

determines whether the whole response or only its header should be sent

to the client.

$r->header_out(field, value)

sets a value for the speciﬁed response header ﬁeld.

$r->internal_redirect(uri)

does an internal redirect to the speciﬁed uri. An actual redirect happens

after the Perl handler execution is completed.

Since version 1.17.2, the method accepts escaped URIs and supports

redirections to named locations.

$r->log_error(errno, message)

writes the speciﬁed message into the error log. If errno is non-zero, an

error code and its description will be appended to the message.

$r->print(text, ...)

passes data to a client.

$r->request_body

returns the client request body if it has not been written to a temporary

ﬁle. To ensure that the client request body is in memory, its size should

Nginx, Inc. p.233 of 542

CHAPTER 2. HTTP SERVER MODULES 2.36. MODULE NGX HTTP PERL MODULE

be limited by client max body size, and a suﬃcient buﬀer size should be

set using client body buﬀer size.

$r->request_body_file

returns the name of the ﬁle with the client request body. After the

processing, the ﬁle should be removed. To always write a request body

to a ﬁle, client body in ﬁle only should be enabled.

$r->request_method

returns the client request HTTP method.

$r->remote_addr

returns the client IP address.

$r->flush

immediately sends data to the client.

$r->sendfile(name[, offset[, length]])

sends the speciﬁed ﬁle content to the client. Optional parameters specify

the initial oﬀset and length of the data to be transmitted. The actual

data transmission happens after the Perl handler has completed.

$r->send_http_header([type])

sends the response header to the client. The optional type parameter sets

the value of the Content-Type response header ﬁeld. If the value is

an empty string, the Content-Type header ﬁeld will not be sent.

$r->status(code)

sets a response code.

$r->sleep(milliseconds, handler)

sets the speciﬁed handler and stops request processing for the speciﬁed

time. In the meantime, nginx continues to process other requests. After

the speciﬁed time has elapsed, nginx will call the installed handler. Note

that the handler function should be passed by reference. In order to pass

data between handlers, $r->variable() should be used. Example:

package hello;

use nginx;

sub handler {

my $r = shift;

$r->discard_request_body;

$r->variable("var", "OK");

$r->sleep(1000, \&next);

return OK;

}

sub next {

my $r = shift;

$r->send_http_header;

$r->print($r->variable("var"));

return OK;

}

__END__

Nginx, Inc. p.234 of 542

CHAPTER 2. HTTP SERVER MODULES 2.36. MODULE NGX HTTP PERL MODULE

$r->unescape(text)

decodes a text encoded in the “%XX” form.

$r->uri

returns a request URI.

$r->variable(name[, value])

returns or sets the value of the speciﬁed variable. Variables are local to

each request.

Nginx, Inc. p.235 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

2.37 Module ngx http proxy module

2.37.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 237

2.37.2 Example Conﬁguration . . . . . . . . . . . . . . . . . . . 237

2.37.3 Directives . . . . . . . . . . . . . . . . . . . . . . . . . . 238

proxy bind . . . . . . . . . . . . . . . . . . . . . . . . . 238

proxy buﬀer size . . . . . . . . . . . . . . . . . . . . . . 238

proxy buﬀering . . . . . . . . . . . . . . . . . . . . . . . 238

proxy buﬀers . . . . . . . . . . . . . . . . . . . . . . . . 239

proxy busy buﬀers size . . . . . . . . . . . . . . . . . . . 239

proxy cache . . . . . . . . . . . . . . . . . . . . . . . . . 239

proxy cache background update . . . . . . . . . . . . . . 239

proxy cache bypass . . . . . . . . . . . . . . . . . . . . . 240

proxy cache convert head . . . . . . . . . . . . . . . . . 240

proxy cache key . . . . . . . . . . . . . . . . . . . . . . . 240

proxy cache lock . . . . . . . . . . . . . . . . . . . . . . 240

proxy cache lock age . . . . . . . . . . . . . . . . . . . . 241

proxy cache lock timeout . . . . . . . . . . . . . . . . . 241

proxy cache max range oﬀset . . . . . . . . . . . . . . . 241

proxy cache methods . . . . . . . . . . . . . . . . . . . . 241

proxy cache min uses . . . . . . . . . . . . . . . . . . . . 242

proxy cache path . . . . . . . . . . . . . . . . . . . . . . 242

proxy cache purge . . . . . . . . . . . . . . . . . . . . . 244

proxy cache revalidate . . . . . . . . . . . . . . . . . . . 244

proxy cache use stale . . . . . . . . . . . . . . . . . . . . 245

proxy cache valid . . . . . . . . . . . . . . . . . . . . . . 245

proxy connect timeout . . . . . . . . . . . . . . . . . . . 246

proxy cookie domain . . . . . . . . . . . . . . . . . . . . 246

proxy cookie ﬂags . . . . . . . . . . . . . . . . . . . . . . 247

proxy cookie path . . . . . . . . . . . . . . . . . . . . . 248

proxy force ranges . . . . . . . . . . . . . . . . . . . . . 248

proxy headers hash bucket size . . . . . . . . . . . . . . 249

proxy headers hash max size . . . . . . . . . . . . . . . 249

proxy hide header . . . . . . . . . . . . . . . . . . . . . 249

proxy http version . . . . . . . . . . . . . . . . . . . . . 249

proxy ignore client abort . . . . . . . . . . . . . . . . . . 249

proxy ignore headers . . . . . . . . . . . . . . . . . . . . 250

proxy intercept errors . . . . . . . . . . . . . . . . . . . 250

proxy limit rate . . . . . . . . . . . . . . . . . . . . . . . 250

proxy max temp ﬁle size . . . . . . . . . . . . . . . . . . 251

proxy method . . . . . . . . . . . . . . . . . . . . . . . . 251

proxy next upstream . . . . . . . . . . . . . . . . . . . . 251

proxy next upstream timeout . . . . . . . . . . . . . . . 252

proxy next upstream tries . . . . . . . . . . . . . . . . . 252

proxy no cache . . . . . . . . . . . . . . . . . . . . . . . 253

proxy pass . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Nginx, Inc. p.236 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

proxy pass header . . . . . . . . . . . . . . . . . . . . . 254

proxy pass request body . . . . . . . . . . . . . . . . . . 255

proxy pass request headers . . . . . . . . . . . . . . . . 255

proxy read timeout . . . . . . . . . . . . . . . . . . . . . 255

proxy redirect . . . . . . . . . . . . . . . . . . . . . . . . 255

proxy request buﬀering . . . . . . . . . . . . . . . . . . . 257

proxy send lowat . . . . . . . . . . . . . . . . . . . . . . 257

proxy send timeout . . . . . . . . . . . . . . . . . . . . . 257

proxy set body . . . . . . . . . . . . . . . . . . . . . . . 258

proxy set header . . . . . . . . . . . . . . . . . . . . . . 258

proxy socket keepalive . . . . . . . . . . . . . . . . . . . 259

proxy ssl certiﬁcate . . . . . . . . . . . . . . . . . . . . . 259

proxy ssl certiﬁcate key . . . . . . . . . . . . . . . . . . 259

proxy ssl ciphers . . . . . . . . . . . . . . . . . . . . . . 259

proxy ssl conf command . . . . . . . . . . . . . . . . . . 260

proxy ssl crl . . . . . . . . . . . . . . . . . . . . . . . . . 260

proxy ssl name . . . . . . . . . . . . . . . . . . . . . . . 260

proxy

ssl password ﬁle . . . . . . . . . . . . . . . . . . . 260

proxy ssl protocols . . . . . . . . . . . . . . . . . . . . . 261

proxy ssl server name . . . . . . . . . . . . . . . . . . . 261

proxy ssl session reuse . . . . . . . . . . . . . . . . . . . 261

proxy ssl trusted certiﬁcate . . . . . . . . . . . . . . . . 261

proxy ssl verify . . . . . . . . . . . . . . . . . . . . . . . 262

proxy ssl verify depth . . . . . . . . . . . . . . . . . . . 262

proxy store . . . . . . . . . . . . . . . . . . . . . . . . . 262

proxy store access . . . . . . . . . . . . . . . . . . . . . 263

proxy temp ﬁle write size . . . . . . . . . . . . . . . . . 263

proxy temp path . . . . . . . . . . . . . . . . . . . . . . 264

2.37.4 Embedded Variables . . . . . . . . . . . . . . . . . . . . 264

2.37.1 Summary

The ngx_http_proxy_module module allows passing requests to

another server.

2.37.2 Example Conﬁguration

location / {

proxy_pass http://localhost:8000;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

}

Nginx, Inc. p.237 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

2.37.3 Directives

proxy bind

Syntax: proxy_bind address [transparent] | off;

Default —

Context: http, server, location

This directive appeared in version 0.8.22.

Makes outgoing connections to a proxied server originate from the speciﬁed

local IP address with an optional port (1.11.2). Parameter value can contain

variables (1.3.12). The special value off (1.3.12) cancels the eﬀect of the

proxy_bind directive inherited from the previous conﬁguration level, which

allows the system to auto-assign the local IP address and port.

The transparent parameter (1.11.0) allows outgoing connections to a

proxied server originate from a non-local IP address, for example, from a real

IP address of a client:

proxy_bind $remote_addr transparent;

In order for this parameter to work, it is usually necessary to run nginx

worker processes with the superuser privileges. On Linux it is not required

(1.13.8) as if the transparent parameter is speciﬁed, worker processes

inherit the CAP_NET_RAW capability from the master process. It is also

necessary to conﬁgure kernel routing table to intercept network traﬃc from

the proxied server.

proxy buﬀer size

Syntax: proxy_buffer_size size;

Default 4k|8k

Context: http, server, location

Sets the size of the buﬀer used for reading the ﬁrst part of the response

received from the proxied server. This part usually contains a small response

header. By default, the buﬀer size is equal to one memory page. This is either

4K or 8K, depending on a platform. It can be made smaller, however.

proxy buﬀering

Syntax: proxy_buffering on | off;

Default on

Context: http, server, location

Enables or disables buﬀering of responses from the proxied server.

When buﬀering is enabled, nginx receives a response from the proxied server

as soon as possible, saving it into the buﬀers set by the proxy buﬀer size and

proxy buﬀers directives. If the whole response does not ﬁt into memory, a part

of it can be saved to a temporary ﬁle on the disk. Writing to temporary ﬁles

Nginx, Inc. p.238 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

is controlled by the proxy max temp ﬁle size and proxy temp ﬁle write size

directives.

When buﬀering is disabled, the response is passed to a client synchronously,

immediately as it is received. nginx will not try to read the whole response

from the proxied server. The maximum size of the data that nginx can receive

from the server at a time is set by the proxy buﬀer size directive.

Buﬀering can also be enabled or disabled by passing “yes” or “no” in the

X-Accel-Buffering response header ﬁeld. This capability can be disabled

using the proxy ignore headers directive.

proxy buﬀers

Syntax: proxy_buffers number size;

Default 8 4k|8k

Context: http, server, location

Sets the number and size of the buﬀers used for reading a response from

the proxied server, for a single connection. By default, the buﬀer size is equal

to one memory page. This is either 4K or 8K, depending on a platform.

proxy busy buﬀers size

Syntax: proxy_busy_buffers_size size;

Default 8k|16k

Context: http, server, location

When buﬀering of responses from the proxied server is enabled, limits the

total size of buﬀers that can be busy sending a response to the client while the

response is not yet fully read. In the meantime, the rest of the buﬀers can be

used for reading the response and, if needed, buﬀering part of the response to

a temporary ﬁle. By default, size is limited by the size of two buﬀers set by

the proxy buﬀer size and proxy buﬀers directives.

proxy cache

Syntax: proxy_cache zone | off;

Default off

Context: http, server, location

Deﬁnes a shared memory zone used for caching. The same zone can be

used in several places. Parameter value can contain variables (1.7.9). The off

parameter disables caching inherited from the previous conﬁguration level.

proxy cache background update

Syntax: proxy_cache_background_update on | off;

Default off

Context: http, server, location

This directive appeared in version 1.11.10.

Nginx, Inc. p.239 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

Allows starting a background subrequest to update an expired cache item,

while a stale cached response is returned to the client. Note that it is necessary

to allow the usage of a stale cached response when it is being updated.

proxy cache bypass

Syntax: proxy_cache_bypass string . . . ;

Default —

Context: http, server, location

Deﬁnes conditions under which the response will not be taken from a cache.

If at least one value of the string parameters is not empty and is not equal to

“0” then the response will not be taken from the cache:

proxy_cache_bypass $cookie_nocache $arg_nocache$arg_comment;

proxy_cache_bypass $http_pragma $http_authorization;

Can be used along with the proxy no cache directive.

proxy cache convert head

Syntax: proxy_cache_convert_head on | off;

Default on

Context: http, server, location

This directive appeared in version 1.9.7.

Enables or disables the conversion of the “HEAD” method to “GET” for

caching. When the conversion is disabled, the cache key should be conﬁgured

to include the $request method.

proxy cache key

Syntax: proxy_cache_key string;

Default $scheme$proxy_host$request_uri

Context: http, server, location

Deﬁnes a key for caching, for example

proxy_cache_key "$host$request_uri $cookie_user";

By default, the directive’s value is close to the string

proxy_cache_key $scheme$proxy_host$uri$is_args$args;

proxy cache lock

Syntax: proxy_cache_lock on | off;

Default off

Context: http, server, location

This directive appeared in version 1.1.12.

Nginx, Inc. p.240 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

When enabled, only one request at a time will be allowed to populate a new

cache element identiﬁed according to the proxy cache key directive by passing

a request to a proxied server. Other requests of the same cache element will

either wait for a response to appear in the cache or the cache lock for this

element to be released, up to the time set by the proxy cache lock timeout

directive.

proxy cache lock age

Syntax: proxy_cache_lock_age time;

Default 5s

Context: http, server, location

This directive appeared in version 1.7.8.

If the last request passed to the proxied server for populating a new cache

element has not completed for the speciﬁed time, one more request may be

passed to the proxied server.

proxy cache lock timeout

Syntax: proxy_cache_lock_timeout time;

Default 5s

Context: http, server, location

This directive appeared in version 1.1.12.

Sets a timeout for proxy cache lock. When the time expires, the request

will be passed to the proxied server, however, the response will not be cached.

Before 1.7.8, the response could be cached.

proxy cache max range oﬀset

Syntax: proxy_cache_max_range_offset number;

Default —

Context: http, server, location

This directive appeared in version 1.11.6.

Sets an oﬀset in bytes for byte-range requests. If the range is beyond the

oﬀset, the range request will be passed to the proxied server and the response

will not be cached.

proxy cache methods

Syntax: proxy_cache_methods GET | HEAD | POST . . . ;

Default GET HEAD

Context: http, server, location

This directive appeared in version 0.7.59.

If the client request method is listed in this directive then the response will

be cached. “GET” and “HEAD” methods are always added to the list, though

Nginx, Inc. p.241 of 542

CHAPTER 2. HTTP SERVER MODULES 2.37. MODULE NGX HTTP PROXY MODULE

it is recommended to specify them explicitly. See also the proxy no cache

directive.

proxy cache min uses

Syntax: proxy_cache_min_uses number;

Default 1

Context: http, server, location

Sets the number of requests after which the response will be cached.

proxy cache path

Syntax: proxy_cache_path path [levels=levels]

[use_temp_path=on|off] keys_zone=name:size [inactive=time]

[max_size=size] [min_free=size] [manager_files=number]

[manager_sleep=time] [manager_threshold=time]

[loader_files=number] [loader_sleep=time]

[loader_threshold=time] [purger=on|off]

[purger_files=number] [purger_sleep=time]

[purger_threshold=time];

Default —

Context: http

Sets the path and other parameters of a cache. Cache data are stored in

ﬁles. The ﬁle name in a cache is a result of applying the MD5 function to

the cache key. The levels parameter deﬁnes hierarchy levels of a cache:

from 1 to 3, each level accepts values 1 or 2. For example, in the following

conﬁguration

proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;

ﬁle names in a cache will look like this:

/data/nginx/cache/c/29/b7f54b2df7773722d382f4809d65029c

A cached response is ﬁrst written to a temporary ﬁle, and then the ﬁle

is renamed. Starting from version 0.8.9, temporary ﬁles and the cache can

be put on diﬀerent ﬁle systems. However, be aware that in this case a ﬁle

is copied across two ﬁle systems instead of the cheap renaming operation. It

is thus recommended that for any given location both cache and a directory

holding temporary ﬁles are put on the same ﬁle system. The directory for

temporary ﬁles is set based on the use_temp_path parameter (1.7.10). If

this parameter is omitted or set to the value on, the directory set by the

proxy temp path directive for the given location will be used. If the value is

set to off, temporary ﬁles will be put directly in the cache directory.

In addition, all active keys and information about data are stored in a

shared memory zone, whose name and size are conﬁgured by the keys_zone

parameter. One megabyte zone can store about 8 thousand keys.

Nginx, Inc. p.242 of 542