After a year of development
The most notable improvements added during development of the 1.15.x mainline branch:
- Added the ability to use variables in the "ssl_certificate" and "ssl_certificate_key" directives, which can be used to load certificates dynamically;
- Added the ability to load SSL certificates and private keys from variables without using intermediate files;
- In the "upstream" block, a new "random" directive has been implemented, which can be used to organize load balancing by randomly selecting the server a connection is forwarded to;
- In the ngx_stream_ssl_preread module, the $ssl_preread_protocol variable has been implemented, which specifies the highest version of the SSL/TLS protocol supported by the client. The variable makes it possible to configure access using different protocols, with and without SSL, through a single network port when proxying traffic with the http and stream modules. For example, to organize access over SSH and HTTPS through one port, port 443 can be forwarded to SSH by default, but forwarded to HTTPS if an SSL version is defined;
- A new variable "$upstream_bytes_sent" has been added to the upstream module, showing the number of bytes transferred to a group server;
- For the stream module, the ability to process multiple incoming UDP datagrams from a client within a single session has been added;
- The "proxy_requests" directive has been added, which specifies the number of datagrams received from the client upon reaching which the binding between the client and the existing UDP session is removed. After the specified number of datagrams has been received, the next datagram received from the same client starts a new session;
- The "listen" directive can now specify port ranges;
- Added the "ssl_early_data" directive to enable 0-RTT mode when using TLSv1.3, which makes it possible to save previously negotiated TLS connection parameters and reduce the number of RTTs to 2 when resuming a previously established connection;
- New directives have been added to configure keepalive for outgoing connections (enabling or disabling the SO_KEEPALIVE option for sockets):
  - "proxy_socket_keepalive" - configures "TCP keepalive" behavior for outgoing connections to a proxied server;
  - "fastcgi_socket_keepalive" - configures "TCP keepalive" behavior for outgoing connections to a FastCGI server;
  - "grpc_socket_keepalive" - configures "TCP keepalive" behavior for outgoing connections to a gRPC server;
  - "memcached_socket_keepalive" - configures "TCP keepalive" behavior for outgoing connections to a memcached server;
  - "scgi_socket_keepalive" - configures "TCP keepalive" behavior for outgoing connections to an SCGI server;
  - "uwsgi_socket_keepalive" - configures "TCP keepalive" behavior for outgoing connections to a uwsgi server.
- A new "delay" parameter has been added to the "limit_req" directive, which sets a limit after which excessive requests are delayed;
- New "keepalive_timeout" and "keepalive_requests" directives have been added to the "upstream" block to set limits for keepalive;
- The "ssl" directive has been deprecated and is replaced by the "ssl" parameter of the "listen" directive. Missing SSL certificates are now detected at the configuration testing stage when the "listen" directive with the "ssl" parameter is used in the configuration;
- When the "reset_timedout_connection" directive is used, connections are now closed with code 444 when the timeout expires;
- The SSL errors "http request", "https proxy request", "unsupported protocol" and "version too low" are now written to the log at the "info" level instead of "crit";
- Added support for the poll method on Windows systems when using Windows Vista and later;
- The ability to use TLSv1.3 when building with the BoringSSL library, not only OpenSSL.
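
The SSH/HTTPS split on port 443 described in the $ssl_preread_protocol item above, as an added configuration example that is not part of the original news item. The backend addresses (documentation range 192.0.2.0/24), the upstream and log format names and the log path are placeholders.

```nginx
# Added example: SSH and HTTPS multiplexed on one port in the stream module.
stream {
    # Placeholder backends (assumed names and addresses).
    upstream ssh_backend   { server 192.0.2.10:22; }
    upstream https_backend { server 192.0.2.20:443; }

    # $ssl_preread_protocol is empty when the first bytes are not a TLS
    # ClientHello, so an empty value goes to SSH and anything else to HTTPS.
    map $ssl_preread_protocol $backend {
        ""      ssh_backend;
        default https_backend;
    }

    # Record the routing decision here: the backends only see the proxy's
    # address as the connection source, so this log is where the real
    # client address and the detected protocol version are available.
    log_format mux '$remote_addr [$time_iso8601] tls="$ssl_preread_protocol" '
                   'upstream=$upstream_addr sent=$upstream_bytes_sent '
                   'status=$status';
    access_log /var/log/nginx/stream_mux.log mux;

    server {
        listen 443;
        ssl_preread on;        # inspect the ClientHello without terminating TLS
        proxy_pass $backend;   # upstream group chosen by the map above
    }
}
```

TLS is passed through to the HTTPS backend unmodified, so certificates and protocol policy stay on that backend. Address-based controls on the SSH host (rate limiting, ban lists) need to be fed from the stream log, since the SSH daemon no longer sees client addresses directly.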
Source: opennet.ru