=encoding utf-8

=head1 NAME

ngx_stream_proxy_module - Module ngx_stream_proxy_module

The C<ngx_stream_proxy_module> module (1.9.0) allows proxying data streams over TCP, UDP (1.9.13), and UNIX-domain sockets.

=head1 Example Configuration

    server {
        listen 127.0.0.1:12345;
        proxy_pass 127.0.0.1:8080;
    }

    server {
        listen 12345;
        proxy_connect_timeout 1s;
        proxy_timeout 1m;
        proxy_pass example.com:12345;
    }

    server {
        listen 53 udp;
        proxy_responses 1;
        proxy_timeout 20s;
        proxy_pass dns.example.com:53;
    }

    server {
        listen [::1]:12345;
        proxy_pass unix:/tmp/stream.socket;
    }

=head1 Directives

=head2 proxy_bind

B proxy_bind I> [transparent] E C> B I B I

This directive appeared in version 1.9.2.

Makes outgoing connections to a proxied server originate from the specified local IP I>. Parameter value can contain variables (1.11.2). The special value C cancels the effect of the C<proxy_bind> directive inherited from the previous configuration level, which allows the system to auto-assign the local IP address.

The C<transparent> parameter (1.11.0) allows outgoing connections to a proxied server to originate from a non-local IP address, for example, from a real IP address of a client:

    proxy_bind $remote_addr transparent;

In order for this parameter to work, it is necessary to run nginx worker processes with the L privileges and configure the kernel routing table to intercept network traffic from the proxied server.

=head2 proxy_buffer_size

B proxy_buffer_size I>> B I<16k> B I B I

This directive appeared in version 1.9.4.

Sets the I> of the buffer used for reading data from the proxied server. Also sets the I> of the buffer used for reading data from the client.

=head2 proxy_connect_timeout

B proxy_connect_timeout I>> B I<60s> B I B I

Defines a timeout for establishing a connection with a proxied server.

=head2 proxy_download_rate

B proxy_download_rate I>> B I<0> B I B I

This directive appeared in version 1.9.3.

Limits the speed of reading the data from the proxied server. The I> is specified in bytes per second.
The zero value disables rate limiting. The limit is set per connection, so if nginx simultaneously opens two connections to the proxied server, the overall rate will be twice as much as the specified limit.

=head2 proxy_next_upstream

B proxy_next_upstream I E C> B I B I B I

When a connection to the proxied server cannot be established, determines whether a client connection will be passed to the next server.

Passing a connection to the next server can be limited by the number of tries and by time.

=head2 proxy_next_upstream_timeout

B proxy_next_upstream_timeout I>> B I<0> B I B I

Limits the time allowed to pass a connection to the next server. The C<0> value turns off this limitation.

=head2 proxy_next_upstream_tries

B proxy_next_upstream_tries I>> B I<0> B I B I

Limits the number of possible tries for passing a connection to the next server. The C<0> value turns off this limitation.

=head2 proxy_pass

B proxy_pass I>> B I

Sets the address of a proxied server. The address can be specified as a domain name or IP address, and a port:

    proxy_pass localhost:12345;

or as a UNIX-domain socket path:

    proxy_pass unix:/tmp/stream.socket;

If a domain name resolves to several addresses, all of them will be used in a round-robin fashion. In addition, an address can be specified as a L.

The address can also be specified using variables (1.11.3):

    proxy_pass $upstream;

In this case, the server name is searched among the described L, and, if not found, is determined using a L.

=head2 proxy_protocol

B proxy_protocol I E C> B I B I B I

This directive appeared in version 1.9.2.

Enables the L for connections to a proxied server.

=head2 proxy_responses

B proxy_responses I>> B I B I

This directive appeared in version 1.9.13.

Sets the number of datagrams expected from the proxied server in response to the client request if the L protocol is used. By default, the number of datagrams is not limited: the response datagrams will be sent until the L value expires.

=head2 proxy_ssl

B proxy_ssl I E C> B I B I B I

Enables the SSL/TLS protocol for connections to a proxied server.

=head2 proxy_ssl_certificate

B proxy_ssl_certificate I>> B I B I

Specifies a I> with the certificate in the PEM format used for authentication to a proxied server.

=head2 proxy_ssl_certificate_key

B proxy_ssl_certificate_key I>> B I B I

Specifies a I> with the secret key in the PEM format used for authentication to a proxied server.

=head2 proxy_ssl_ciphers

B proxy_ssl_ciphers I>> B I B I B I

Specifies the enabled ciphers for connections to a proxied server. The ciphers are specified in the format understood by the OpenSSL library.

The full list can be viewed using the “C” command.

=head2 proxy_ssl_crl

B proxy_ssl_crl I>> B I B I

Specifies a I> with revoked certificates (CRL) in the PEM format used to verify the certificate of the proxied server.

=head2 proxy_ssl_name

B proxy_ssl_name I>> B I B I B I

Allows overriding the server name used to verify the certificate of the proxied server and to be passed through SNI when establishing a connection with the proxied server. The server name can also be specified using variables (1.11.3).

By default, the host part of the L address is used.

=head2 proxy_ssl_password_file

B proxy_ssl_password_file I>> B I B I

Specifies a I> with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

=head2 proxy_ssl_server_name

B proxy_ssl_server_name I E C> B I B I B I

Enables or disables passing of the server name through L (SNI, RFC 6066) when establishing a connection with the proxied server.

=head2 proxy_ssl_session_reuse

B proxy_ssl_session_reuse I E C> B I B I B I

Determines whether SSL sessions can be reused when working with the proxied server. If the errors “C” appear in the logs, try disabling session reuse.

=head2 proxy_ssl_protocols

B proxy_ssl_protocols I< [C] [C] [C] [C] [C]> B I B I B I

Enables the specified protocols for connections to a proxied server.

=head2 proxy_ssl_trusted_certificate

B proxy_ssl_trusted_certificate I>> B I B I

Specifies a I> with trusted CA certificates in the PEM format used to verify the certificate of the proxied server.

=head2 proxy_ssl_verify

B proxy_ssl_verify I E C> B I B I B I

Enables or disables verification of the proxied server certificate.

=head2 proxy_ssl_verify_depth

B proxy_ssl_verify_depth I>> B I<1> B I B I

Sets the verification depth in the proxied server certificates chain.

=head2 proxy_timeout

B proxy_timeout I>> B I<10m> B I B I

Sets the I> between two successive read or write operations on client or proxied server connections. If no data is transmitted within this time, the connection is closed.

=head2 proxy_upload_rate

B proxy_upload_rate I>> B I<0> B I B I

This directive appeared in version 1.9.3.

Limits the speed of reading the data from the client. The I> is specified in bytes per second. The zero value disables rate limiting. The limit is set per connection, so if the client simultaneously opens two connections, the overall rate will be twice as much as the specified limit.
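
Added example, not part of the nginx documentation: two C<server> blocks contrasting C<proxy_ssl on> used alone, which encrypts the upstream connection without checking the upstream's certificate, with a configuration that also sets the C<proxy_ssl_verify>, C<proxy_ssl_trusted_certificate>, C<proxy_ssl_name> and client-certificate directives described above. The host name, ports and file paths are assumptions made for illustration.

```nginx
stream {
    # Weak: the connection to the upstream is encrypted, but the
    # upstream's certificate is never checked (proxy_ssl_verify is
    # off unless enabled), so any host answering on that address
    # is accepted as the backend.
    server {
        listen     127.0.0.1:12345;
        proxy_pass backend.example.com:12346;   # constructed host name
        proxy_ssl  on;
    }

    # Hardened: the upstream must present a certificate that chains
    # to a CA we trust and matches the expected name before any
    # client data is relayed.
    server {
        listen     127.0.0.1:12347;
        proxy_pass backend.example.com:12346;

        proxy_ssl                     on;
        proxy_ssl_protocols           TLSv1.2;

        # Verify the upstream certificate against our own CA bundle.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;  # assumed path
        proxy_ssl_verify_depth        2;   # default is 1; raised for a longer chain

        # Name checked against the certificate and sent through SNI.
        proxy_ssl_name                backend.example.com;
        proxy_ssl_server_name         on;

        # Client certificate and key, so the upstream can authenticate
        # this proxy in turn (mutual TLS). Paths are assumed.
        proxy_ssl_certificate         /etc/nginx/tls/proxy-client.pem;
        proxy_ssl_certificate_key     /etc/nginx/tls/proxy-client.key;

        # Fail fast if the upstream is unreachable.
        proxy_connect_timeout         5s;
    }
}
```

Run C<nginx -t> after editing: it reports unreadable certificate or key files before the configuration is loaded.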