ssl_ciphers

Syntax: ssl_ciphers ciphers;
Default: ssl_ciphers HIGH:!aNULL:!MD5;
Context: stream, server

Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example:

    ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.

ssl_trusted_certificate

Syntax: ssl_trusted_certificate file;
Default: —
Context: http, server

This directive appeared in version 1.3.7.

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled. In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.

proxy_ssl_certificate_key

Syntax: proxy_ssl_certificate_key file;
Default: —
Context: stream, server

Specifies a file with the secret key in the PEM format used for authentication to a proxied server.

uwsgi_store_access

Syntax: uwsgi_store_access users:permissions ...;
Default: uwsgi_store_access user:rw;
Context: http, server, location

Sets access permissions for newly created files and directories, e.g.:

    uwsgi_store_access user:rw group:rw all:r;

If any group or all access permissions are specified then user permissions may be omitted:

    uwsgi_store_access group:rw all:r;

ssl_password_file

Syntax: ssl_password_file file;
Default: —
Context: mail, server

This directive appeared in version 1.7.3.

Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.

Example:

    mail {
        ssl_password_file /etc/keys/global.pass;
        ...

        server {
            server_name mail1.example.com;
            ssl_certificate_key /etc/keys/first.key;
        }

        server {
            server_name mail2.

gzip_disable

Syntax: gzip_disable regex ...;
Default: —
Context: http, server, location

This directive appeared in version 0.6.23.

Disables gzipping of responses for requests with “User-Agent” header fields matching any of the specified regular expressions. The special mask “msie6” (0.7.12) corresponds to the regular expression “MSIE [4-6]\.”, but works faster. Starting from version 0.8.11, “MSIE 6.0; ... SV1” is excluded from this mask.

Configuring HTTPS servers

To configure an HTTPS server, the ssl parameter must be enabled on listening sockets in the server block, and the locations of the server certificate and private key files should be specified:

    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certific

open_file_cache_errors

Syntax: open_file_cache_errors on | off;
Default: open_file_cache_errors off;
Context: http, server, location

Enables or disables caching of file lookup errors by open_file_cache.

proxy_cache_methods

Syntax: proxy_cache_methods GET | HEAD | POST ...;
Default: proxy_cache_methods GET HEAD;
Context: http, server, location

This directive appeared in version 0.7.59.

If the client request method is listed in this directive then the response will be cached. “GET” and “HEAD” methods are always added to the list, though it is recommended to specify them explicitly. See also the proxy_no_cache directive.

proxy_ignore_client_abort

Syntax: proxy_ignore_client_abort on | off;
Default: proxy_ignore_client_abort off;
Context: http, server, location

Determines whether the connection with a proxied server should be closed when a client closes the connection without waiting for a response.