Syntax: proxy_ssl_session_reuse on | off; Default: proxy_ssl_session_reuse on; Context: http, server, location Determines whether SSL sessions can be reused when working with the proxied server. If the errors “SSL3_GET_FINISHED:digest check failed” appear in the logs, try disabling session reuse.

Syntax: proxy_ssl_server_name on | off; Default: proxy_ssl_server_name off; Context: stream, server Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied server.

Syntax: proxy_ssl_server_name on | off; Default: proxy_ssl_server_name off; Context: http, server, location This directive appeared in version 1.7.0. Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.

Syntax: proxy_ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; Default: proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Context: stream, server Enables the specified protocols for connections to a proxied server.

Syntax: proxy_ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; Default: proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Context: http, server, location This directive appeared in version 1.5.6. Enables the specified protocols for requests to a proxied HTTPS server.

Syntax: proxy_ssl_password_file file; Default: — Context: stream, server Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

Syntax: proxy_ssl_password_file file; Default: — Context: http, server, location This directive appeared in version 1.7.8. Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

Syntax: proxy_ssl_name name; Default: proxy_ssl_name host from proxy_pass; Context: stream, server Allows overriding the server name used to verify the certificate of the proxied server and to be passed through SNI when establishing a connection with the proxied server. The server name can also be specified using variables (1.11.3). By default, the host part of the proxy_pass address is used.

Syntax: proxy_ssl_name name; Default: proxy_ssl_name $proxy_host; Context: http, server, location This directive appeared in version 1.7.0. Allows overriding the server name used to verify the certificate of the proxied HTTPS server and to be passed through SNI when establishing a connection with the proxied HTTPS server. By default, the host part of the proxy_pass URL is used.

Syntax: proxy_ssl_crl file; Default: — Context: stream, server Specifies a file with revoked certificates (CRL) in the PEM format used to verify the certificate of the proxied server.