/
README.html
739 lines (718 loc) · 32.1 KB
/
README.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Name</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
<ul>
<li><a href="#name">Name</a></li>
<li><a href="#installation">Installation</a></li>
<li><a href="#synopsis">Synopsis</a></li>
<li><a href="#description">Description</a></li>
<li><a href="#directives">Directives</a></li>
<ul>
<li><a href="#ngx_tcp_moodule">ngx_tcp_moodule</a></li>
<ul>
<li><a href="#tcp">tcp</a></li>
<li><a href="#server">server</a></li>
<li><a href="#listen">listen</a></li>
<li><a href="#access_log">access_log</a></li>
<li><a href="#allow">allow</a></li>
<li><a href="#deny">deny</a></li>
<li><a href="#so_keepalive">so_keepalive</a></li>
<li><a href="#tcp_nodelay">tcp_nodelay</a></li>
<li><a href="#timeout">timeout</a></li>
<li><a href="#server_name">server_name</a></li>
<li><a href="#resolver">resolver</a></li>
<li><a href="#resolver_timeout">resolver_timeout</a></li>
</ul>
<li><a href="#ngx_tcp_upstream_module">ngx_tcp_upstream_module</a></li>
<ul>
<li><a href="#upstream">upstream</a></li>
<li><a href="#server">server</a></li>
<li><a href="#check">check</a></li>
<li><a href="#check_http_send">check_http_send</a></li>
<li><a href="#check_http_expect_alive">check_http_expect_alive</a></li>
<li><a href="#check_smtp_send">check_smtp_send</a></li>
<li><a href="#check_smtp_expect_alive">check_smtp_expect_alive</a></li>
<li><a href="#check_shm_size">check_shm_size</a></li>
<li><a href="#check_status">check_status</a></li>
<li><a href="#busyness">busyness</a></li>
<li><a href="#ip_hash">ip_hash</a></li>
</ul>
<li><a href="#ngx_tcp_proxy_module">ngx_tcp_proxy_module</a></li>
<ul>
<li><a href="#proxy_pass">proxy_pass</a></li>
<li><a href="#proxy_buffer">proxy_buffer</a></li>
<li><a href="#proxy_bind">proxy_bind</a></li>
<li><a href="#proxy_connect_timeout">proxy_connect_timeout</a></li>
<li><a href="#proxy_read_timeout">proxy_read_timeout</a></li>
<li><a href="#proxy_send_timeout">proxy_send_timeout</a></li>
</ul>
<li><a href="#ngx_tcp_websocket_module">ngx_tcp_websocket_module</a></li>
<ul>
<li><a href="#websocket_pass">websocket_pass</a></li>
<li><a href="#websocket_buffer">websocket_buffer</a></li>
<li><a href="#websocket_connect_timeout">websocket_connect_timeout</a></li>
<li><a href="#websocket_read_timeout">websocket_read_timeout</a></li>
<li><a href="#websocket_send_timeout">websocket_send_timeout</a></li>
</ul>
<li><a href="#ngx_tcp_ssl_module">ngx_tcp_ssl_module</a></li>
<ul>
<li><a href="#ssl">ssl</a></li>
<li><a href="#ssl_certificate">ssl_certificate</a></li>
<li><a href="#ssl_certificate_key">ssl_certificate_key</a></li>
<li><a href="#ssl_client_certificate">ssl_client_certificate</a></li>
<li><a href="#ssl_dhparam">ssl_dhparam</a></li>
<li><a href="#ssl_ciphers">ssl_ciphers</a></li>
<li><a href="#ssl_crl">ssl_crl</a></li>
<li><a href="#ssl_prefer_server_ciphers">ssl_prefer_server_ciphers</a></li>
<li><a href="#ssl_protocols">ssl_protocols</a></li>
<li><a href="#ssl_verify_client">ssl_verify_client</a></li>
<li><a href="#ssl_verify_depth">ssl_verify_depth</a></li>
<li><a href="#ssl_session_cache">ssl_session_cache</a></li>
<li><a href="#ssl_session_timeout">ssl_session_timeout</a></li>
</ul>
</ul>
<li><a href="#compatibility">Compatibility</a></li>
<li><a href="#notes">Notes</a></li>
<li><a href="#known_issues">Known Issues</a></li>
<li><a href="#changelogs">Changelogs</a></li>
<ul>
<li><a href="#v0_2_0">v0.2.0</a></li>
<li><a href="#v0_19">v0.19</a></li>
<li><a href="#v0_1">v0.1</a></li>
</ul>
<li><a href="#authors">Authors</a></li>
<li><a href="#copyright___license">Copyright & License</a></li>
</ul>
<!-- INDEX END -->
<hr />
<p>
</p>
<hr />
<h1><a name="name">Name</a></h1>
<p><strong>nginx_tcp_proxy_module</strong> - support TCP proxy with Nginx</p>
<p>
</p>
<hr />
<h1><a name="installation">Installation</a></h1>
<p>Download the latest stable version of the release tarball of this module from github (<a href="http://github.com/yaoweibin/nginx_tcp_proxy_module">http://github.com/yaoweibin/nginx_tcp_proxy_module</a>)</p>
<p>Grab the nginx source code from nginx.org (<a href="http://nginx.org/">http://nginx.org/</a>), for example, the version 1.2.1 (see nginx compatibility), and then build the source with this module:</p>
<pre>
$ wget '<a href="http://nginx.org/download/nginx-1.2.1.tar.gz">http://nginx.org/download/nginx-1.2.1.tar.gz</a>'
$ tar -xzvf nginx-1.2.1.tar.gz
$ cd nginx-1.2.1/
$ patch -p1 < /path/to/nginx_tcp_proxy_module/tcp.patch</pre>
<pre>
$ ./configure --add-module=/path/to/nginx_tcp_proxy_module</pre>
<pre>
$ make
$ make install</pre>
<p>
</p>
<hr />
<h1><a name="synopsis">Synopsis</a></h1>
<p>http {</p>
<pre>
server {
listen 80;</pre>
<pre>
location /status {
check_status;
}
}
}</pre>
<p>#You can also include tcp_proxy.conf file individually</p>
<p>#include /path/to/tcp_proxy.conf;</p>
<p>tcp {</p>
<pre>
upstream cluster {
# simple round-robin
server 192.168.0.1:80;
server 192.168.0.2:80;</pre>
<pre>
check interval=3000 rise=2 fall=5 timeout=1000;</pre>
<pre>
#check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello;</pre>
<pre>
#check interval=3000 rise=2 fall=5 timeout=1000 type=http;
#check_http_send "GET / HTTP/1.0\r\n\r\n";
#check_http_expect_alive http_2xx http_3xx;
}</pre>
<pre>
server {
listen 8888;</pre>
<pre>
proxy_pass cluster;
}
}</pre>
<p>
</p>
<hr />
<h1><a name="description">Description</a></h1>
<p>This module actually include many modules: ngx_tcp_module, ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module, ngx_tcp_websocket_module, ngx_tcp_ssl_module, ngx_tcp_upstream_ip_hash_module. All these modules work together to support TCP proxy with Nginx. I also added other features: ip_hash, upstream server health check, status monitor.</p>
<p>The motivation of writing these modules is Nginx's high performance and robustness. At first, I developed this module just for general TCP proxy. And now, this module is frequently used in websocket reverse proxying.</p>
<p>Note, You can't use the same listening port with HTTP modules.</p>
<p>
</p>
<hr />
<h1><a name="directives">Directives</a></h1>
<p>
</p>
<h2><a name="ngx_tcp_moodule">ngx_tcp_moodule</a></h2>
<p>
</p>
<h3><a name="tcp">tcp</a></h3>
<p><strong>syntax:</strong> <em>tcp {...}</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>main</em></p>
<p><strong>description:</strong> All the tcp related directives are contained in the tcp block.</p>
<p><strong>ngx_tcp_core_moodule</strong></p>
<p>
</p>
<h3><a name="server">server</a></h3>
<p><strong>syntax:</strong> <em>server {...}</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp</em></p>
<p><strong>description:</strong> All the specific server directives are contained in the server block.</p>
<p>
</p>
<h3><a name="listen">listen</a></h3>
<p><strong>syntax:</strong> <em>listen address:port [ bind | ssl | default]</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>server</em></p>
<p><strong>description:</strong> The same as listen (<a href="http://wiki.nginx.org/NginxMailCoreModule#listen">http://wiki.nginx.org/NginxMailCoreModule#listen</a>). The parameter of default means the default server if you have several server blocks with the same port.</p>
<p>
</p>
<h3><a name="access_log">access_log</a></h3>
<p><strong>syntax:</strong> <em>access_log path [buffer=size] | off</em></p>
<p><strong>default:</strong> <em>access_log logs/tcp_access.log</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> Set the access.log. Each record's format is like this:</p>
<p>log_time worker_process_pid client_ip host_ip accept_time upstream_ip bytes_read bytes_write</p>
<p>2011/08/02 06:19:07 [5972] 127.0.0.1 0.0.0.0:1982 2011/08/02 06:18:19 172.19.0.129:80 80 236305</p>
<ul>
<li>
<p><em>log_time</em>: The current time when writing this log. The log action is called when the proxy session is closed.</p>
</li>
<li>
<p><em>worker_process_pid</em>: the pid of worker process</p>
</li>
<li>
<p><em>client_ip</em>: the client ip</p>
</li>
<li>
<p><em>host_ip</em>: the server ip and port</p>
</li>
<li>
<p><em>accept_time</em>: the time when the server accepts client's connection</p>
</li>
<li>
<p><em>upstream_ip</em>: the upstream server's ip</p>
</li>
<li>
<p><em>bytes_read</em>: the bytes read from client</p>
</li>
<li>
<p><em>bytes_write</em>: the bytes written to client</p>
</li>
</ul>
<p>
</p>
<h3><a name="allow">allow</a></h3>
<p><strong>syntax:</strong> <em>allow [ address | CIDR | all ]</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>server</em></p>
<p><strong>description:</strong> Directive grants access for the network or addresses indicated.</p>
<p>
</p>
<h3><a name="deny">deny</a></h3>
<p><strong>syntax:</strong> <em>deny [ address | CIDR | all ]</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>server</em></p>
<p><strong>description:</strong> Directive grants access for the network or addresses indicated.</p>
<p>
</p>
<h3><a name="so_keepalive">so_keepalive</a></h3>
<p><strong>syntax:</strong> <em>so_keepalive on|off</em></p>
<p><strong>default:</strong> <em>off</em></p>
<p><strong>context:</strong> <em>main, server</em></p>
<p><strong>description:</strong> The same as so_keepalive (<a href="http://wiki.nginx.org/NginxMailCoreModule#so_keepalive">http://wiki.nginx.org/NginxMailCoreModule#so_keepalive</a>).</p>
<p>
</p>
<h3><a name="tcp_nodelay">tcp_nodelay</a></h3>
<p><strong>syntax:</strong> <em>tcp_nodelay on|off</em></p>
<p><strong>default:</strong> <em>on</em></p>
<p><strong>context:</strong> <em>main, server</em></p>
<p><strong>description:</strong> The same as tcp_nodelay (<a href="http://wiki.nginx.org/NginxHttpCoreModule#tcp_nodelay">http://wiki.nginx.org/NginxHttpCoreModule#tcp_nodelay</a>).</p>
<p>
</p>
<h3><a name="timeout">timeout</a></h3>
<p><strong>syntax:</strong> <em>timeout milliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>main, server</em></p>
<p><strong>description:</strong> set the timeout value with clients.</p>
<p>
</p>
<h3><a name="server_name">server_name</a></h3>
<p><strong>syntax:</strong> <em>server_name name</em></p>
<p><strong>default:</strong> <em>The name of the host, obtained through gethostname()</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> The same as server_name (<a href="http://wiki.nginx.org/NginxMailCoreModule#server_name">http://wiki.nginx.org/NginxMailCoreModule#server_name</a>). You can specify several server name in different server block with the same port. They can be used in websocket module.</p>
<p>
</p>
<h3><a name="resolver">resolver</a></h3>
<p><strong>syntax:</strong> <em>resolver address</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> DNS server</p>
<p>
</p>
<h3><a name="resolver_timeout">resolver_timeout</a></h3>
<p><strong>syntax:</strong> <em>resolver_timeout time</em></p>
<p><strong>default:</strong> <em>30s</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> Resolver timeout in seconds.</p>
<p>
</p>
<h2><a name="ngx_tcp_upstream_module">ngx_tcp_upstream_module</a></h2>
<p>
</p>
<h3><a name="upstream">upstream</a></h3>
<p><strong>syntax:</strong> <em>upstream {...}</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp</em></p>
<p><strong>description:</strong> All the upstream directives are contained in this block. The upstream server will be dispatched with round robin by default.</p>
<p>
</p>
<h3><a name="server">server</a></h3>
<p><strong>syntax:</strong> <em>server name [parameters]</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> Most of the parameters are the same as server (<a href="http://wiki.nginx.org/NginxHttpUpstreamModule#server">http://wiki.nginx.org/NginxHttpUpstreamModule#server</a>). Default port is 80.</p>
<p>
</p>
<h3><a name="check">check</a></h3>
<p><strong>syntax:</strong> <em>check interval=milliseconds [fall=count] [rise=count] [timeout=milliseconds] [type=tcp|ssl_hello|smtp|mysql|pop3|imap]</em></p>
<p><strong>default:</strong> <em>none, if parameters omitted, default parameters are interval=30000 fall=5 rise=2 timeout=1000</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> Add the health check for the upstream servers. At present, the check method is a simple tcp connect.</p>
<p>The parameters' meanings are:</p>
<ul>
<li>
<p><em>interval</em>: the check request's interval time.</p>
</li>
<li>
<p><em>fall</em>(fall_count): After fall_count check failures, the server is marked down.</p>
</li>
<li>
<p><em>rise</em>(rise_count): After rise_count check success, the server is marked up.</p>
</li>
<li>
<p><em>timeout</em>: the check request's timeout.</p>
</li>
<li>
<p><em>type</em>: the check protocol type:</p>
<ol>
<li>
<p><em>tcp</em> is a simple tcp socket connect and peek one byte.</p>
</li>
<li>
<p><em>ssl_hello</em> sends a client ssl hello packet and receives the server ssl hello packet.</p>
</li>
<li>
<p><em>http</em> sends a http request packet, receives and parses the http response to diagnose if the upstream server is alive.</p>
</li>
<li>
<p><em>smtp</em> sends a smtp request packet, receives and parses the smtp response to diagnose if the upstream server is alive. The response begins with '2' should be an OK response.</p>
</li>
<li>
<p><em>mysql</em> connects to the mysql server, receives the greeting response to diagnose if the upstream server is alive.</p>
</li>
<li>
<p><em>pop3</em> receives and parses the pop3 response to diagnose if the upstream server is alive. The response begins with '+' should be an OK response.</p>
</li>
<li>
<p><em>imap</em> connects to the imap server, receives the greeting response to diagnose if the upstream server is alive.</p>
</li>
</ol>
</ul>
<p>
</p>
<h3><a name="check_http_send">check_http_send</a></h3>
<p><strong>syntax:</strong> <em>check_http_send http_packet</em></p>
<p><strong>default:</strong> <em>``GET / HTTP/1.0\r\n\r\n''</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> If you set the check type is http, then the check function will sends this http packet to check the upstream server.</p>
<p>
</p>
<h3><a name="check_http_expect_alive">check_http_expect_alive</a></h3>
<p><strong>syntax:</strong> <em>check_http_expect_alive [ http_2xx | http_3xx | http_4xx | http_5xx ]</em></p>
<p><strong>default:</strong> <em>http_2xx | http_3xx</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> These status codes indicate the upstream server's http response is OK, the backend is alive.</p>
<p>
</p>
<h3><a name="check_smtp_send">check_smtp_send</a></h3>
<p><strong>syntax:</strong> <em>check_smtp_send smtp_packet</em></p>
<p><strong>default:</strong> <em>``HELO smtp.localdomain\r\n''</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> If you set the check type is smtp, then the check function will sends this smtp packet to check the upstream server.</p>
<p>
</p>
<h3><a name="check_smtp_expect_alive">check_smtp_expect_alive</a></h3>
<p><strong>syntax:</strong> <em>check_smtp_expect_alive [smtp_2xx | smtp_3xx | smtp_4xx | smtp_5xx]</em></p>
<p><strong>default:</strong> <em>smtp_2xx</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> These status codes indicate the upstream server's smtp response is OK, the backend is alive.</p>
<p>
</p>
<h3><a name="check_shm_size">check_shm_size</a></h3>
<p><strong>syntax:</strong> <em>check_shm_size size</em></p>
<p><strong>default:</strong> <em>(number_of_checked_upstream_blocks + 1) * pagesize</em></p>
<p><strong>context:</strong> <em>tcp</em></p>
<p><strong>description:</strong> If you store hundreds of servers in one upstream block, the shared memory for health check may be not enough, you can enlarged it by this directive.</p>
<p>
</p>
<h3><a name="check_status">check_status</a></h3>
<p><strong>syntax:</strong> <em>check_status</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>location</em></p>
<p><strong>description:</strong> Display the health checking servers' status by HTTP. This directive is set in the http block.</p>
<p>The table field meanings are:</p>
<ul>
<li>
<p><em>Index</em>: The server index in the check table</p>
</li>
<li>
<p><em>Name</em> : The upstream server name</p>
</li>
<li>
<p><em>Status</em>: The marked status of the server.</p>
</li>
<li>
<p><em>Busyness</em>: The number of connections which are connecting to the server.</p>
</li>
<li>
<p><em>Rise counts</em>: Count the successful checking</p>
</li>
<li>
<p><em>Fall counts</em>: Count the unsuccessful checking</p>
</li>
<li>
<p><em>Access counts</em>: Count the times accessing to this server</p>
</li>
<li>
<p><em>Check type</em>: The type of the check packet</p>
</li>
</ul>
<p><strong>ngx_tcp_upstream_busyness_module</strong></p>
<p>
</p>
<h3><a name="busyness">busyness</a></h3>
<p><strong>syntax:</strong> <em>busyness</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> the upstream server will be dispatched by backend servers' busyness.</p>
<p><strong>ngx_tcp_upstream_ip_hash_module</strong></p>
<p>
</p>
<h3><a name="ip_hash">ip_hash</a></h3>
<p><strong>syntax:</strong> <em>ip_hash</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
<p><strong>description:</strong> the upstream server will be dispatched by ip_hash.</p>
<p>
</p>
<h2><a name="ngx_tcp_proxy_module">ngx_tcp_proxy_module</a></h2>
<p>
</p>
<h3><a name="proxy_pass">proxy_pass</a></h3>
<p><strong>syntax:</strong> <em>proxy_pass host:port</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>server</em></p>
<p><strong>description:</strong> proxy the request to the backend server. Default port is 80.</p>
<p>
</p>
<h3><a name="proxy_buffer">proxy_buffer</a></h3>
<p><strong>syntax:</strong> <em>proxy_buffer size</em></p>
<p><strong>default:</strong> <em>4k</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the size of proxy buffer.</p>
<p>
</p>
<h3><a name="proxy_bind">proxy_bind</a></h3>
<p><strong>syntax:</strong> <em>proxy_bind address</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> Force outgoing connections to a proxied server to originate from the specified local IP address.</p>
<p>
</p>
<h3><a name="proxy_connect_timeout">proxy_connect_timeout</a></h3>
<p><strong>syntax:</strong> <em>proxy_connect_timeout miliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the timeout value of connection to backends.</p>
<p>
</p>
<h3><a name="proxy_read_timeout">proxy_read_timeout</a></h3>
<p><strong>syntax:</strong> <em>proxy_read_timeout miliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the timeout value of reading from backends.</p>
<p>
</p>
<h3><a name="proxy_send_timeout">proxy_send_timeout</a></h3>
<p><strong>syntax:</strong> <em>proxy_send_timeout miliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the timeout value of sending to backends.</p>
<p>
</p>
<h2><a name="ngx_tcp_websocket_module">ngx_tcp_websocket_module</a></h2>
<p>
</p>
<h3><a name="websocket_pass">websocket_pass</a></h3>
<p><strong>syntax:</strong> <em>websocket_pass [path] host:port</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>server</em></p>
<p><strong>description:</strong> proxy the websocket request to the backend server. Default port is 80. You can specify several different paths in the same server block.</p>
<p>
</p>
<h3><a name="websocket_buffer">websocket_buffer</a></h3>
<p><strong>syntax:</strong> <em>websocket_buffer size</em></p>
<p><strong>default:</strong> <em>4k</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the size of proxy buffer.</p>
<p>
</p>
<h3><a name="websocket_connect_timeout">websocket_connect_timeout</a></h3>
<p><strong>syntax:</strong> <em>websocket_connect_timeout miliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the timeout value of connection to backends.</p>
<p>
</p>
<h3><a name="websocket_read_timeout">websocket_read_timeout</a></h3>
<p><strong>syntax:</strong> <em>websocket_read_timeout miliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the timeout value of reading from backends. Your timeout will be the minimum of this and the *timeout* parameter, so if you want a long timeout for your websockets, make sure to set both paramaters.</p>
<p>
</p>
<h3><a name="websocket_send_timeout">websocket_send_timeout</a></h3>
<p><strong>syntax:</strong> <em>websocket_send_timeout miliseconds</em></p>
<p><strong>default:</strong> <em>60000</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p><strong>description:</strong> set the timeout value of sending to backends.</p>
<p>
</p>
<h2><a name="ngx_tcp_ssl_module">ngx_tcp_ssl_module</a></h2>
<p>The default config file includes this ngx_tcp_ssl_module. If you want to just compile nginx without ngx_tcp_ssl_module, copy the ngx_tcp_proxy_module/config_without_ssl to ngx_tcp_proxy_module/config, reconfigrure and compile nginx.</p>
<p>
</p>
<h3><a name="ssl">ssl</a></h3>
<p><strong>syntax:</strong> <em>ssl [on|off] </em></p>
<p><strong>default:</strong> <em>ssl off</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>Enables SSL for a server.</p>
<p>
</p>
<h3><a name="ssl_certificate">ssl_certificate</a></h3>
<p><strong>syntax:</strong> <em>ssl_certificate file</em></p>
<p><strong>default:</strong> <em>ssl_certificate cert.pem</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive specifies the file containing the certificate, in PEM format. This file can contain also other certificates and the server private key.</p>
<p>
</p>
<h3><a name="ssl_certificate_key">ssl_certificate_key</a></h3>
<p><strong>syntax:</strong> <em>ssl_certificate_key file</em></p>
<p><strong>default:</strong> <em>ssl_certificate_key cert.pem</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive specifies the file containing the private key, in PEM format.</p>
<p>
</p>
<h3><a name="ssl_client_certificate">ssl_client_certificate</a></h3>
<p><strong>syntax:</strong> <em>ssl_client_certificate file</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive specifies the file containing the CA (root) certificate, in PEM format, that is used for validating client certificates.</p>
<p>
</p>
<h3><a name="ssl_dhparam">ssl_dhparam</a></h3>
<p><strong>syntax:</strong> <em>ssl_dhparam file</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM format, utilized for exchanging session keys between server and client.</p>
<p>
</p>
<h3><a name="ssl_ciphers">ssl_ciphers</a></h3>
<p><strong>syntax:</strong> <em>ssl_ciphers openssl_cipherlist_spec</em></p>
<p><strong>default:</strong> <em>ssl_ciphers HIGH:!aNULL:!MD5</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive describes the list of cipher suites the server supports for establishing a secure connection. Cipher suites are specified in the OpenSSL (<a href="http://openssl.org/docs/apps/ciphers.html">http://openssl.org/docs/apps/ciphers.html</a>) cipherlist format, for example:</p>
<p>ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;</p>
<p>The complete cipherlist supported by the currently installed version of OpenSSL in your platform can be obtained by issuing the command:
openssl ciphers</p>
<p>
</p>
<h3><a name="ssl_crl">ssl_crl</a></h3>
<p><strong>syntax:</strong> <em>ssl_crl file</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive specifies the filename of a Certificate Revocation List, in PEM format, which is used to check the revocation status of certificates.</p>
<p>
</p>
<h3><a name="ssl_prefer_server_ciphers">ssl_prefer_server_ciphers</a></h3>
<p><strong>syntax:</strong> <em>ssl_prefer_server_ciphers [on|off] </em></p>
<p><strong>default:</strong> <em>ssl_prefer_server_ciphers off</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>The server requires that the cipher suite list for protocols SSLv3 and TLSv1 are to be preferred over the client supported cipher suite list.</p>
<p>
</p>
<h3><a name="ssl_protocols">ssl_protocols</a></h3>
<p><strong>syntax:</strong> <em>ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]</em></p>
<p><strong>default:</strong> <em>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive enables the protocol versions specified.</p>
<p>
</p>
<h3><a name="ssl_verify_client">ssl_verify_client</a></h3>
<p><strong>syntax:</strong> <em>ssl_verify_client on|off|optional</em></p>
<p><strong>default:</strong> <em>ssl_verify_client off</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive enables the verification of the client identity. Parameter 'optional' checks the client identity using its certificate in case it was made available to the server.</p>
<p>
</p>
<h3><a name="ssl_verify_depth">ssl_verify_depth</a></h3>
<p><strong>syntax:</strong> <em>ssl_verify_depth number</em></p>
<p><strong>default:</strong> <em>ssl_verify_depth 1</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive sets how deep the server should go in the client provided certificate chain in order to verify the client identity.</p>
<p>
</p>
<h3><a name="ssl_session_cache">ssl_session_cache</a></h3>
<p><strong>syntax:</strong> <em>ssl_session_cache off|none|builtin:size and/or shared:name:size</em></p>
<p><strong>default:</strong> <em>ssl_session_cache off</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>The directive sets the types and sizes of caches to store the SSL sessions.</p>
<p>The cache types are:</p>
<ul>
<li>
<p>off -- Hard off: nginx says explicitly to a client that sessions can not reused.</p>
</li>
<li>
<p>none -- Soft off: nginx says to a client that session can be resued, but nginx actually never reuses them. This is workaround for some mail clients as ssl_session_cache may be used in mail proxy as well as in HTTP server.</p>
</li>
<li>
<p>builtin -- the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions. Note: there appears to be a memory fragmentation issue using this method, please take that into consideration when using this. See ``References'' below.</p>
</li>
<li>
<p>shared -- the cache is shared between all worker processes. The size of the cache is assigned in bytes: 1 MB cache can contain roughly 4000 sessions. Each shared cache must be given an arbitrary name. A shared cache with a given name can be used in several virtual hosts.</p>
</li>
</ul>
<p>It's possible to use both types of cache &mdash; builtin and shared &mdash; simultaneously, for example:</p>
<p>ssl_session_cache builtin:1000 shared:SSL:10m;</p>
<p>Bear in mind however, that using only shared cache, i.e., without builtin, should be more effective.</p>
<p>
</p>
<h3><a name="ssl_session_timeout">ssl_session_timeout</a></h3>
<p><strong>syntax:</strong> <em>ssl_session_timeout time</em></p>
<p><strong>default:</strong> <em>ssl_session_timeout 5m</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
<p>This directive defines the maximum time during which the client can re-use the previously negotiated cryptographic parameters of the secure session that is stored in the SSL cache.</p>
<p>
</p>
<hr />
<h1><a name="compatibility">Compatibility</a></h1>
<ul>
<li>
<p>My test bed is 0.7.65+</p>
</li>
</ul>
<p>
</p>
<hr />
<h1><a name="notes">Notes</a></h1>
<p>The http_response_parse.rl and smtp_response_parse.rl are ragel (<a href="http://www.complang.org/ragel/">http://www.complang.org/ragel/</a>) scripts , you can edit the script and compile it like this:</p>
<pre>
$ ragel -G2 http_response_parse.rl
$ ragel -G2 smtp_response_parse.rl</pre>
<p>
</p>
<hr />
<h1><a name="known_issues">Known Issues</a></h1>
<ul>
<li>
<p>This module can't use the same listening port with the HTTP module.</p>
</li>
</ul>
<p>
</p>
<hr />
<h1><a name="changelogs">Changelogs</a></h1>
<p>
</p>
<h2><a name="v0_2_0">v0.2.0</a></h2>
<ul>
<li>
<p>add ssl proxy module</p>
</li>
<li>
<p>add websocket proxy module</p>
</li>
<li>
<p>add upstream busyness module</p>
</li>
<li>
<p>add tcp access log module</p>
</li>
</ul>
<p>
</p>
<h2><a name="v0_19">v0.19</a></h2>
<ul>
<li>
<p>add many check methods</p>
</li>
</ul>
<p>
</p>
<h2><a name="v0_1">v0.1</a></h2>
<ul>
<li>
<p>first release</p>
</li>
</ul>
<p>
</p>
<hr />
<h1><a name="authors">Authors</a></h1>
<p>Weibin <code>Yao(姚伟斌)</code> <em>yaoweibin at gmail dot com</em></p>
<p>
</p>
<hr />
<h1><a name="copyright___license">Copyright & License</a></h1>
<p>This README template copy from agentzh (<a href="http://github.com/agentzh">http://github.com/agentzh</a>).</p>
<p>I borrowed a lot of code from upstream and mail module from the nginx 0.7.* core. This part of code is copyrighted by Igor Sysoev. And the health check part is borrowed the design of Jack Lindamood's healthcheck module healthcheck_nginx_upstreams (<a href="http://github.com/cep21/healthcheck_nginx_upstreams">http://github.com/cep21/healthcheck_nginx_upstreams</a>);</p>
<p>This module is licensed under the BSD license.</p>
<p>Copyright (C) 2012 by Weibin Yao <<a href="mailto:yaoweibin@gmail.com">yaoweibin@gmail.com</a>>.</p>
<p>All rights reserved.</p>
<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
<ul>
<li>
<p>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</p>
</li>
<li>
<p>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</p>
</li>
</ul>
<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
</body>
</html>