Signed HTTP Exchange (SXG) support for nginx. Nginx will convert responses from
the upstream application into SXG when client requests include the Accept: application/signed-exchange;v=b3 HTTP header with highest qvalue.
There are two options for installation: Debian package or build from source. See this article for more details.
If building from source and you have libsxg installed in a non-system
directory, edit config to add ngx_module_incs=path/to/include and add
-Lpath/to/lib to the existing ngx_module_libs, and launch nginx with
LD_LIBRARY_PATH=path/to/lib.
Nginx-SXG module requires configuration on nginx.
Activation flag of SXG module. This can be set or overriden inside server
and location directives.
on: Enable this plugin.off: Disable this plugin.
Default value is off.
Full path for the certificate file. The certificate requires all of the
conditions below to match. This and all below directives can only be set
inside server directives.
- Has
CanSignHttpExchangesextension. - Uses ECDSA256 or ECDSA384.
This directive is always required.
Full path for the private key for the certificate.
This directive is always required.
URL for CBOR encoded certificate file. The protocol must be https.
This directive is always required.
URL for the validity information file. It must be https and must be the same
origin with the website.
This directive is always required.
Maximum HTTP body size this module can generate SXG from. Default value is
67108864 (64 MiB).
An absolute path in which nginx will generate and serve the CBOR-encoded certificate file. But make sure that the OCSP responder for the certificate is accessible from your nginx server to get OCSP responses. This directive is optional.
The life-span of generated SXG file in seconds.
It must not be bigger than 604800 (1 week).
This directive is optional.
The default value is 86400 (1 day).
The hostname of fallback url of generated SXG file. This directive is optional. The default value is Host field parameter of HTTP request header.
load_module "modules/ngx_http_sxg_filter_module.so";
http {
upstream app {
server 127.0.0.1:3000;
}
include mime.types;
default_type application/octet-stream;
subrequest_output_buffer_size 4096k;
server {
listen 80;
server_name example.com;
sxg on;
sxg_certificate /path/to/certificate-ecdsa.pem;
sxg_certificate_key /path/to/private-key-ecdsa.key;
sxg_cert_url https://cdn.test.com/example.com.cert.cbor;
sxg_validity_url https://example.com/validity/resource.msg;
sxg_expiry_seconds 604800;
sxg_fallback_host example.com;
location / {
proxy_pass http://app;
}
}
}
nginx-sxg-module automatically includes signatures of subresources in its responses, allowing end users to prefetch it from distributor.
When finding link: rel="preload" entry in HTTP response header from upstream, this plugin will collect the specified resource to the upstream and append rel="allowed-alt-sxg";header-integrity="sha256-...." to the original HTTP response automatically.
This functionality is essential to subresource preloading for faster cross-site navigation.
- Preload URLs must be relative references
of the
path-absoluteform, such as:Link: </app.js>;rel=preload;as=script. - The
server_namemust match the externally-addressable host:port of the subresources. - Their responses must be no larger than the configured
subrequest_output_buffer_size. - Their responses must come from an upstream server, such as via
proxy_pass. The upstream may optionally be named viaupstream. - If using variables in
proxy_pass, use$uriinstead of$request_uri.
To ensure subresource prefetching works, verify that the header-integrity in:
curl -H 'Accept: application/signed-exchange;v=b3' https://url/of/page.html | dump-signedexchange -payload=false | grep Link:equals the value of:
curl -H 'Accept: application/signed-exchange;v=b3' https://url/of/subresource.jpg | dump-signedexchange -headerIntegrity