Module ngx_http_core_module
Planning your ingress-nginx migration? Start here:
kubernetes.nginx.org
Module ngx_http_core_module
Directives
absolute_redirect
aio
aio_write
alias
auth_delay
chunked_transfer_encoding
client_body_buffer_size
client_body_in_file_only
client_body_in_single_buffer
client_body_temp_path
client_body_timeout
client_header_buffer_size
client_header_timeout
client_max_body_size
connection_pool_size
default_type
directio
directio_alignment
disable_symlinks
early_hints
error_page
etag
http
if_modified_since
ignore_invalid_headers
internal
keepalive_disable
keepalive_min_timeout
keepalive_requests
keepalive_time
keepalive_timeout
large_client_header_buffers
limit_except
limit_rate
limit_rate_after
lingering_close
lingering_time
lingering_timeout
listen
location
log_not_found
log_subrequest
max_headers
max_ranges
merge_slashes
msie_padding
msie_refresh
open_file_cache
open_file_cache_errors
open_file_cache_min_uses
open_file_cache_valid
output_buffers
port_in_redirect
postpone_output
read_ahead
recursive_error_pages
request_pool_size
reset_timedout_connection
resolver
resolver_timeout
root
satisfy
send_lowat
send_timeout
sendfile
sendfile_max_chunk
server
server_name
server_name_in_redirect
server_names_hash_bucket_size
server_names_hash_max_size
server_tokens
subrequest_output_buffer_size
tcp_nodelay
tcp_nopush
try_files
types
types_hash_bucket_size
types_hash_max_size
underscores_in_headers
variables_hash_bucket_size
variables_hash_max_size
Embedded Variables
Directives
Syntax:
absolute_redirect
on
off
Default:
absolute_redirect on;
Context:
http
server
location
This directive appeared in version 1.11.8.
If disabled, redirects issued by nginx will be relative.
See also
server_name_in_redirect
and
port_in_redirect
directives.
Syntax:
aio
on
off
threads
pool
];
Default:
aio off;
Context:
http
server
location
This directive appeared in version 0.8.11.
Enables or disables the use of asynchronous file I/O (AIO)
on FreeBSD and Linux:
location /video/ {
aio on;
output_buffers 1 64k;
On FreeBSD, AIO can be used starting from FreeBSD 4.3.
Prior to FreeBSD 11.0,
AIO can either be linked statically into a kernel:
options VFS_AIO
or loaded dynamically as a kernel loadable module:
kldload aio
On Linux, AIO can be used starting from kernel version 2.6.22.
Also, it is necessary to enable
directio
or otherwise reading will be blocking:
location /video/ {
aio on;
directio 512;
output_buffers 1 128k;
On Linux,
directio
can only be used for reading blocks that are aligned on 512-byte
boundaries (or 4K for XFS).
File’s unaligned end is read in blocking mode.
The same holds true for byte range requests and for FLV requests
not from the beginning of a file: reading of unaligned data at the
beginning and end of a file will be blocking.
When both AIO and
sendfile
are enabled on Linux,
AIO is used for files that are larger than or equal to
the size specified in the
directio
directive,
while
sendfile
is used for files of smaller sizes
or when
directio
is disabled.
location /video/ {
sendfile on;
aio on;
directio 8m;
Finally, files can be read and
sent
using multi-threading (1.7.11),
without blocking a worker process:
location /video/ {
sendfile on;
aio threads;
Read and send file operations are offloaded to threads of the specified
pool
If the pool name is omitted,
the pool with the name “
default
” is used.
The pool name can also be set with variables:
aio threads=pool$disk;
By default, multi-threading is disabled, it should be
enabled with the
--with-threads
configuration parameter.
Currently, multi-threading is compatible only with the
epoll
kqueue
and
eventport
methods.
Multi-threaded sending of files is only supported on Linux.
See also the
sendfile
directive.
Syntax:
aio_write
on
off
Default:
aio_write off;
Context:
http
server
location
This directive appeared in version 1.9.13.
If
aio
is enabled, specifies whether it is used for writing files.
Currently, this only works when using
aio threads
and is limited to writing temporary files
with data received from proxied servers.
Syntax:
alias
path
Default:
Context:
location
Defines a replacement for the specified location.
For example, with the following configuration
location /i/ {
alias /data/w3/images/;
on request of
/i/top.gif
”, the file
/data/w3/images/top.gif
will be sent.
The
path
value can contain variables,
except
$document_root
and
$realpath_root
If
alias
is used inside a location defined
with a regular expression then such regular expression should
contain captures and
alias
should refer to
these captures (0.7.40), for example:
location ~ ^/users/(.+\.(?:gif|jpe?g|png))$ {
alias /data/w3/images/$1;
When location matches the last part of the directive’s value:
location /images/ {
alias /data/w3/images/;
it is better to use the
root
directive instead:
location /images/ {
root /data/w3;
Syntax:
auth_delay
time
Default:
auth_delay 0s;
Context:
http
server
location
This directive appeared in version 1.17.10.
Delays processing of unauthorized requests with 401 response code
to prevent timing attacks when access is limited by
password
, by the
result of subrequest
or by
JWT
Syntax:
chunked_transfer_encoding
on
off
Default:
chunked_transfer_encoding on;
Context:
http
server
location
Allows disabling chunked transfer encoding in HTTP/1.1.
It may come in handy when using a software failing to support
chunked encoding despite the standard’s requirement.
Syntax:
client_body_buffer_size
size
Default:
client_body_buffer_size 8k|16k;
Context:
http
server
location
Sets buffer size for reading client request body.
In case the request body is larger than the buffer,
the whole body or only its part is written to a
temporary file
By default, buffer size is equal to two memory pages.
This is 8K on x86, other 32-bit platforms, and x86-64.
It is usually 16K on other 64-bit platforms.
Syntax:
client_body_in_file_only
on
clean
off
Default:
client_body_in_file_only off;
Context:
http
server
location
Determines whether nginx should save the entire client request body
into a file.
This directive can be used during debugging, or when using the
$request_body_file
variable, or the
$r->request_body_file
method of the module
ngx_http_perl_module
When set to the value
on
, temporary files are not
removed after request processing.
The value
clean
will cause the temporary files
left after request processing to be removed.
Syntax:
client_body_in_single_buffer
on
off
Default:
client_body_in_single_buffer off;
Context:
http
server
location
Determines whether nginx should save the entire client request body
in a single buffer.
The directive is recommended when using the
$request_body
variable, to save the number of copy operations involved.
Syntax:
client_body_temp_path
path
level1
level2
level3
]]];
Default:
client_body_temp_path client_body_temp;
Context:
http
server
location
Defines a directory for storing temporary files holding client request bodies.
Up to three-level subdirectory hierarchy can be used under the specified
directory.
For example, in the following configuration
client_body_temp_path /spool/nginx/client_temp 1 2;
a path to a temporary file might look like this:
/spool/nginx/client_temp/7/45/00000123457
Syntax:
client_body_timeout
time
Default:
client_body_timeout 60s;
Context:
http
server
location
Defines a timeout for reading client request body.
The timeout is set only for a period between two successive read operations,
not for the transmission of the whole request body.
If a client does not transmit anything within this time, the
request is terminated with the
408 (Request Time-out)
error.
Syntax:
client_header_buffer_size
size
Default:
client_header_buffer_size 1k;
Context:
http
server
Sets buffer size for reading client request header.
For most requests, a buffer of 1K bytes is enough.
However, if a request includes long cookies, or comes from a WAP client,
it may not fit into 1K.
If a request line or a request header field does not fit into
this buffer then larger buffers, configured by the
large_client_header_buffers
directive,
are allocated.
If the directive is specified on the
server
level,
the value from the default server can be used.
Details are provided in the
Virtual
server selection
” section.
Syntax:
client_header_timeout
time
Default:
client_header_timeout 60s;
Context:
http
server
Defines a timeout for reading client request header.
If a client does not transmit the entire header within this time, the
request is terminated with the
408 (Request Time-out)
error.
Syntax:
client_max_body_size
size
Default:
client_max_body_size 1m;
Context:
http
server
location
Sets the maximum allowed size of the client request body.
If the size in a request exceeds the configured value, the
413 (Request Entity Too Large)
error is returned to the client.
Please be aware that
browsers cannot correctly display
this error.
Setting
size
to 0 disables checking of client
request body size.
Syntax:
connection_pool_size
size
Default:
connection_pool_size 256|512;
Context:
http
server
Allows accurate tuning of per-connection memory allocations.
This directive has minimal impact on performance
and should not generally be used.
By default, the size is equal to
256 bytes on 32-bit platforms and 512 bytes on 64-bit platforms.
Prior to version 1.9.8, the default value was 256 on all platforms.
Syntax:
default_type
mime-type
Default:
default_type text/plain;
Context:
http
server
location
Defines the default MIME type of a response.
Mapping of file name extensions to MIME types can be set
with the
types
directive.
Syntax:
directio
size
off
Default:
directio off;
Context:
http
server
location
This directive appeared in version 0.7.7.
Enables the use of
the
O_DIRECT
flag (FreeBSD, Linux),
the
F_NOCACHE
flag (macOS),
or the
directio()
function (Solaris),
when reading files that are larger than or equal to
the specified
size
The directive automatically disables (0.7.15) the use of
sendfile
for a given request.
It can be useful for serving large files:
directio 4m;
or when using
aio
on Linux.
Syntax:
directio_alignment
size
Default:
directio_alignment 512;
Context:
http
server
location
This directive appeared in version 0.8.11.
Sets the alignment for
directio
In most cases, a 512-byte alignment is enough.
However, when using XFS under Linux, it needs to be increased to 4K.
Syntax:
disable_symlinks
off
disable_symlinks
on
if_not_owner
from
part
];
Default:
disable_symlinks off;
Context:
http
server
location
This directive appeared in version 1.1.15.
Determines how symbolic links should be treated when opening files:
off
Symbolic links in the pathname are allowed and not checked.
This is the default behavior.
on
If any component of the pathname is a symbolic link,
access to a file is denied.
if_not_owner
Access to a file is denied if any component of the pathname
is a symbolic link, and the link and object that the link
points to have different owners.
from
part
When checking symbolic links
(parameters
on
and
if_not_owner
),
all components of the pathname are normally checked.
Checking of symbolic links in the initial part of the pathname
may be avoided by specifying additionally the
from
part
parameter.
In this case, symbolic links are checked only from
the pathname component that follows the specified initial part.
If the value is not an initial part of the pathname checked, the whole
pathname is checked as if this parameter was not specified at all.
If the value matches the whole file name,
symbolic links are not checked.
The parameter value can contain variables.
Example:
disable_symlinks on from=$document_root;
This directive is only available on systems that have the
openat()
and
fstatat()
interfaces.
Such systems include modern versions of FreeBSD, Linux, and Solaris.
Parameters
on
and
if_not_owner
add a processing overhead.
On systems that do not support opening of directories only for search,
to use these parameters it is required that worker processes
have read permissions for all directories being checked.
The
ngx_http_autoindex_module
ngx_http_random_index_module
and
ngx_http_dav_module
modules currently ignore this directive.
Syntax:
early_hints
string
...;
Default:
Context:
http
server
location
This directive appeared in version 1.29.0.
Defines conditions under which
the 103 (Early Hints) response
will be passed to a client.
If at least one value of the string parameters is not empty and is not
equal to “0” then the response will be passed:
map $http_sec_fetch_mode $early_hints {
navigate $http2$http3;
server {
...
location / {
early_hints $early_hints;
proxy_pass http://example.com;
Syntax:
error_page
code
...
response
]]
uri
Default:
Context:
http
server
location
if in location
Defines the URI that will be shown for the specified errors.
uri
value can contain variables.
Example:
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
This causes an internal redirect to the specified
uri
with the client request method changed to “
GET
(for all methods other than
GET
” and “
HEAD
”).
Furthermore, it is possible to change the response code to another
using the “
response
” syntax, for example:
error_page 404 =200 /empty.gif;
If an error response is processed by a proxied server
or a FastCGI/uwsgi/SCGI/gRPC server,
and the server may return different response codes (e.g., 200, 302, 401
or 404), it is possible to respond with the code it returns:
error_page 404 = /404.php;
If there is no need to change URI and method during internal redirection
it is possible to pass error processing into a named location:
location / {
error_page 404 = @fallback;
location @fallback {
proxy_pass http://backend;
If
uri
processing leads to an error,
the status code of the last occurred error is returned to the client.
It is also possible to use URL redirects for error processing:
error_page 403 http://example.com/forbidden.html;
error_page 404 =301 http://example.com/notfound.html;
In this case, by default, the response code 302 is returned to the client.
It can only be changed to one of the redirect status
codes (301, 302, 303, 307, and 308).
The code 307 was not treated as a redirect until versions 1.1.16 and 1.0.13.
The code 308 was not treated as a redirect until version 1.13.0.
These directives are inherited from the previous configuration level
if and only if there are no
error_page
directives
defined on the current level.
Syntax:
etag
on
off
Default:
etag on;
Context:
http
server
location
This directive appeared in version 1.3.3.
Enables or disables automatic generation of the “ETag”
response header field for static resources.
Syntax:
http
{ ... }
Default:
Context:
main
Provides the configuration file context in which the HTTP server directives
are specified.
Syntax:
if_modified_since
off
exact
before
Default:
if_modified_since exact;
Context:
http
server
location
This directive appeared in version 0.7.24.
Specifies how to compare modification time of a response
with the time in the
“If-Modified-Since”
request header field:
off
the response is always considered modified (0.7.34);
exact
exact match;
before
modification time of the response is
less than or equal to the time in the “If-Modified-Since”
request header field.
Syntax:
ignore_invalid_headers
on
off
Default:
ignore_invalid_headers on;
Context:
http
server
Controls whether header fields with invalid names should be ignored.
Valid names are composed of English letters, digits, hyphens, and possibly
underscores (as controlled by the
underscores_in_headers
directive).
If the directive is specified on the
server
level,
the value from the default server can be used.
Details are provided in the
Virtual
server selection
” section.
Syntax:
internal
Default:
Context:
location
Specifies that a given location can only be used for internal requests.
For external requests, the client error
404 (Not Found)
is returned.
Internal requests are the following:
requests redirected by the
error_page
index
internal_redirect
random_index
, and
try_files
directives;
requests redirected by the “X-Accel-Redirect”
response header field from an upstream server;
subrequests formed by the
include virtual
command of the
ngx_http_ssi_module
module, by the
ngx_http_addition_module
module directives, and by
auth_request
and
mirror
directives;
requests changed by the
rewrite
directive.
Example:
error_page 404 /404.html;
location = /404.html {
internal;
There is a limit of 10 internal redirects per request to prevent
request processing cycles that can occur in incorrect configurations.
If this limit is reached, the error
500 (Internal Server Error) is returned.
In such cases, the “rewrite or internal redirection cycle” message
can be seen in the error log.
Syntax:
keepalive_disable
none
browser
...;
Default:
keepalive_disable msie6;
Context:
http
server
location
Disables keep-alive connections with misbehaving browsers.
The
browser
parameters specify which
browsers will be affected.
The value
msie6
disables keep-alive connections
with old versions of MSIE, once a POST request is received.
The value
safari
disables keep-alive connections
with Safari and Safari-like browsers on macOS and macOS-like
operating systems.
The value
none
enables keep-alive connections
with all browsers.
Prior to version 1.1.18, the value
safari
matched
all Safari and Safari-like browsers on all operating systems, and
keep-alive connections with them were disabled by default.
Syntax:
keepalive_min_timeout
timeout
Default:
keepalive_min_timeout 0;
Context:
http
server
location
This directive appeared in version 1.27.4.
Sets a timeout during which a keep-alive
client connection will not be closed on the server side
for connection reuse or on graceful shutdown of worker processes.
Syntax:
keepalive_requests
number
Default:
keepalive_requests 1000;
Context:
http
server
location
This directive appeared in version 0.8.0.
Sets the maximum number of requests that can be
served through one keep-alive connection.
After the maximum number of requests are made, the connection is closed.
Closing connections periodically is necessary to free
per-connection memory allocations.
Therefore, using too high maximum number of requests
could result in excessive memory usage and not recommended.
Prior to version 1.19.10, the default value was 100.
Syntax:
keepalive_time
time
Default:
keepalive_time 1h;
Context:
http
server
location
This directive appeared in version 1.19.10.
Limits the maximum time during which
requests can be processed through one keep-alive connection.
After this time is reached, the connection is closed
following the subsequent request processing.
Syntax:
keepalive_timeout
timeout
header_timeout
];
Default:
keepalive_timeout 75s;
Context:
http
server
location
The first parameter sets a timeout during which a keep-alive
client connection will stay open on the server side.
The zero value disables keep-alive client connections.
The optional second parameter sets a value in the
“Keep-Alive: timeout=
time
response header field.
Two parameters may differ.
The
“Keep-Alive: timeout=
time
header field is recognized by Mozilla and Konqueror.
MSIE closes keep-alive connections by itself in about 60 seconds.
Syntax:
large_client_header_buffers
number
size
Default:
large_client_header_buffers 4 8k;
Context:
http
server
Sets the maximum
number
and
size
of
buffers used for reading large client request header.
A request line cannot exceed the size of one buffer, or the
414 (Request-URI Too Large)
error is returned to the client.
A request header field cannot exceed the size of one buffer as well, or the
400 (Bad Request)
error is returned to the client.
Buffers are allocated only on demand.
By default, the buffer size is equal to 8K bytes.
If after the end of request processing a connection is transitioned
into the keep-alive state, these buffers are released.
If the directive is specified on the
server
level,
the value from the default server can be used.
Details are provided in the
Virtual
server selection
” section.
Syntax:
limit_except
method
... { ... }
Default:
Context:
location
Limits allowed HTTP methods inside a location.
The
method
parameter can be one of the following:
GET
HEAD
POST
PUT
DELETE
MKCOL
COPY
MOVE
OPTIONS
PROPFIND
PROPPATCH
LOCK
UNLOCK
or
PATCH
Allowing the
GET
method makes the
HEAD
method also allowed.
Access to other methods can be limited using the
ngx_http_access_module
ngx_http_auth_basic_module
and
ngx_http_auth_jwt_module
(1.13.10)
modules directives:
limit_except GET {
allow 192.168.1.0/32;
deny all;
Please note that this will limit access to all methods
except
GET and HEAD.
Syntax:
limit_rate
rate
Default:
limit_rate 0;
Context:
http
server
location
if in location
Limits the rate of response transmission to a client.
The
rate
is specified in bytes per second.
The zero value disables rate limiting.
The limit is set per a request, and so if a client simultaneously opens
two connections, the overall rate will be twice as much
as the specified limit.
Parameter value can contain variables (1.17.0).
It may be useful in cases where rate should be limited
depending on a certain condition:
map $slow $rate {
1 4k;
2 8k;
limit_rate $rate;
Rate limit can also be set in the
$limit_rate
variable,
however, since version 1.17.0, this method is not recommended:
server {
if ($slow) {
set $limit_rate 4k;
...
Rate limit can also be set in the
“X-Accel-Limit-Rate” header field of a proxied server response.
This capability can be disabled using the
proxy_ignore_headers
fastcgi_ignore_headers
uwsgi_ignore_headers
and
scgi_ignore_headers
directives.
Syntax:
limit_rate_after
size
Default:
limit_rate_after 0;
Context:
http
server
location
if in location
This directive appeared in version 0.8.0.
Sets the initial amount after which the further transmission
of a response to a client will be rate limited.
Parameter value can contain variables (1.17.0).
Example:
location /flv/ {
flv;
limit_rate_after 500k;
limit_rate 50k;
Syntax:
lingering_close
off
on
always
Default:
lingering_close on;
Context:
http
server
location
This directive appeared in versions 1.1.0 and 1.0.6.
Controls how nginx closes client connections.
The default value “
on
” instructs nginx to
wait for
and
process
additional data from a client
before fully closing a connection, but only
if heuristics suggests that a client may be sending more data.
The value “
always
” will cause nginx to unconditionally
wait for and process additional client data.
The value “
off
” tells nginx to never wait for
more data and close the connection immediately.
This behavior breaks the protocol and should not be used under normal
circumstances.
To control closing
HTTP/2
connections,
the directive must be specified on the
server
level (1.19.1).
Syntax:
lingering_time
time
Default:
lingering_time 30s;
Context:
http
server
location
When
lingering_close
is in effect,
this directive specifies the maximum time during which nginx
will process (read and ignore) additional data coming from a client.
After that, the connection will be closed, even if there will be
more data.
Syntax:
lingering_timeout
time
Default:
lingering_timeout 5s;
Context:
http
server
location
When
lingering_close
is in effect, this directive specifies
the maximum waiting time for more client data to arrive.
If data are not received during this time, the connection is closed.
Otherwise, the data are read and ignored, and nginx starts waiting
for more data again.
The “wait-read-ignore” cycle is repeated, but no longer than specified by the
lingering_time
directive.
Syntax:
listen
address
[:
port
default_server
ssl
http2
quic
proxy_protocol
setfib
number
fastopen
number
backlog
number
rcvbuf
size
sndbuf
size
accept_filter
filter
deferred
bind
ipv6only
on
off
reuseport
multipath
so_keepalive
on
off
|[
keepidle
]:[
keepintvl
]:[
keepcnt
]];
listen
port
default_server
ssl
http2
quic
proxy_protocol
setfib
number
fastopen
number
backlog
number
rcvbuf
size
sndbuf
size
accept_filter
filter
deferred
bind
ipv6only
on
off
reuseport
multipath
so_keepalive
on
off
|[
keepidle
]:[
keepintvl
]:[
keepcnt
]];
listen
unix:
path
default_server
ssl
http2
quic
proxy_protocol
backlog
number
rcvbuf
size
sndbuf
size
accept_filter
filter
deferred
bind
so_keepalive
on
off
|[
keepidle
]:[
keepintvl
]:[
keepcnt
]];
Default:
listen *:80 | *:8000;
Context:
server
Sets the
address
and
port
for IP,
or the
path
for a UNIX-domain socket on which
the server will accept requests.
Both
address
and
port
or only
address
or only
port
can be specified.
An
address
may also be a hostname, for example:
listen 127.0.0.1:8000;
listen 127.0.0.1;
listen 8000;
listen *:8000;
listen localhost:8000;
IPv6 addresses (0.7.36) are specified in square brackets:
listen [::]:8000;
listen [::1];
UNIX-domain sockets (0.8.21) are specified with the “
unix:
prefix:
listen unix:/var/run/nginx.sock;
If only
address
is given, the port 80 is used.
If the directive is not present then either
*:80
is used
if nginx runs with the superuser privileges, or
*:8000
otherwise.
The
default_server
parameter, if present,
will cause the server to become the default server for the specified
address
port
pair.
If none of the directives have the
default_server
parameter then the first server with the
address
port
pair will be
the default server for this pair.
In versions prior to 0.8.21 this parameter is named simply
default
The
ssl
parameter (0.7.14) allows specifying that all
connections accepted on this port should work in SSL mode.
This allows for a more compact
configuration
for the server that
handles both HTTP and HTTPS requests.
The
http2
parameter (1.9.5) configures the port to accept
HTTP/2
connections.
Normally, for this to work the
ssl
parameter should be
specified as well, but nginx can also be configured to accept HTTP/2
connections without SSL.
The parameter is deprecated,
the
http2
directive
should be used instead.
The
quic
parameter (1.25.0) configures the port to accept
QUIC
connections.
The
proxy_protocol
parameter (1.5.12)
allows specifying that all connections accepted on this port should use the
PROXY
protocol
The PROXY protocol version 2 is supported since version 1.13.11.
The
listen
directive
can have several additional parameters specific to socket-related system calls.
These parameters can be specified in any
listen
directive, but only once for a given
address
port
pair.
In versions prior to 0.8.21, they could only be
specified in the
listen
directive together with the
default
parameter.
setfib
number
this parameter (0.8.44) sets the associated routing table, FIB
(the
SO_SETFIB
option) for the listening socket.
This currently works only on FreeBSD.
fastopen
number
enables
TCP Fast Open
for the listening socket (1.5.8) and
limits
the maximum length for the queue of connections that have not yet completed
the three-way handshake.
Do not enable this feature unless the server can handle
receiving the
same SYN packet with data
more than once.
backlog
number
sets the
backlog
parameter in the
listen()
call that limits
the maximum length for the queue of pending connections.
By default,
backlog
is set to -1 on FreeBSD, DragonFly BSD, and macOS,
and to 511 on other platforms.
rcvbuf
size
sets the receive buffer size
(the
SO_RCVBUF
option) for the listening socket.
sndbuf
size
sets the send buffer size
(the
SO_SNDBUF
option) for the listening socket.
accept_filter
filter
sets the name of accept filter
(the
SO_ACCEPTFILTER
option) for the listening socket
that filters incoming connections before passing them to
accept()
This works only on FreeBSD and NetBSD 5.0+.
Possible values are
dataready
and
httpready
deferred
instructs to use a deferred
accept()
(the
TCP_DEFER_ACCEPT
socket option) on Linux.
bind
instructs to make a separate
bind()
call for a given
address
port
pair.
This is useful because if there are several
listen
directives with the same port but different addresses, and one of the
listen
directives listens on all addresses
for the given port (
*:
port
), nginx
will
bind()
only to
*:
port
It should be noted that the
getsockname()
system call will be
made in this case to determine the address that accepted the connection.
If the
setfib
fastopen
backlog
rcvbuf
sndbuf
accept_filter
deferred
ipv6only
reuseport
multipath
or
so_keepalive
parameters
are used then for a given
address
port
pair
a separate
bind()
call will always be made.
ipv6only
on
off
this parameter (0.7.42) determines
(via the
IPV6_V6ONLY
socket option)
whether an IPv6 socket listening on a wildcard address
[::]
will accept only IPv6 connections or both IPv6 and IPv4 connections.
This parameter is turned on by default.
It can only be set once on start.
Prior to version 1.3.4,
if this parameter was omitted then the operating system’s settings were
in effect for the socket.
reuseport
this parameter (1.9.1) instructs to create an individual listening socket
for each worker process
(using the
SO_REUSEPORT
socket option on Linux 3.9+ and DragonFly BSD,
or
SO_REUSEPORT_LB
on FreeBSD 12+), allowing a kernel
to distribute incoming connections between worker processes.
This currently works only on Linux 3.9+, DragonFly BSD,
and FreeBSD 12+ (1.15.1).
Inappropriate use of this option may have its security
implications
multipath
this parameter (1.29.7) configures the
Multipath TCP
protocol (
IPPROTO_MPTCP
) for the listening socket.
This currently works only on Linux 5.6+.
Adding or removing this parameter will also enable
the
SO_REUSEPORT
socket option, which may have its security
implications
so_keepalive
on
off
|[
keepidle
]:[
keepintvl
]:[
keepcnt
this parameter (1.1.11) configures the “TCP keepalive” behavior
for the listening socket.
If this parameter is omitted then the operating system’s settings will be
in effect for the socket.
If it is set to the value “
on
”, the
SO_KEEPALIVE
option is turned on for the socket.
If it is set to the value “
off
”, the
SO_KEEPALIVE
option is turned off for the socket.
Some operating systems support setting of TCP keepalive parameters on
a per-socket basis using the
TCP_KEEPIDLE
TCP_KEEPINTVL
, and
TCP_KEEPCNT
socket options.
On such systems
(currently, Linux, NetBSD, Dragonfly, FreeBSD, and macOS),
they can be configured
using the
keepidle
keepintvl
, and
keepcnt
parameters.
One or two parameters may be omitted, in which case the system default setting
for the corresponding socket option will be in effect.
For example,
so_keepalive=30m::10
will set the idle timeout (
TCP_KEEPIDLE
) to 30 minutes,
leave the probe interval (
TCP_KEEPINTVL
) at its system default,
and set the probes count (
TCP_KEEPCNT
) to 10 probes.
Example:
listen 127.0.0.1 default_server accept_filter=dataready backlog=1024;
Syntax:
location
~*
^~
uri
{ ... }
location
name
{ ... }
Default:
Context:
server
location
Sets configuration depending on a request URI.
The matching is performed against a normalized URI,
after decoding the text encoded in the “
%XX
” form,
resolving references to relative path components “
and “
..
”, and possible
compression
of two or more
adjacent slashes into a single slash.
A location can either be defined by a prefix string, or by a regular expression.
Regular expressions are specified with the preceding
~*
” modifier (for case-insensitive matching), or the
” modifier (for case-sensitive matching).
To find location matching a given request, nginx first checks
locations defined using the prefix strings (prefix locations).
Among them, the location with the longest matching
prefix is selected and remembered.
Then regular expressions are checked, in the order of their appearance
in the configuration file.
The search of regular expressions terminates on the first match,
and the corresponding configuration is used.
If no match with a regular expression is found then the
configuration of the prefix location remembered earlier is used.
location
blocks can be nested, with some exceptions
mentioned below.
For case-insensitive operating systems such as macOS and Cygwin,
matching with prefix strings ignores a case (0.7.7).
However, comparison is limited to one-byte locales.
Regular expressions can contain captures (0.7.40) that can later
be used in other directives.
If the longest matching prefix location has the “
^~
” modifier
then regular expressions are not checked.
Also, using the “
” modifier it is possible to define
an exact match of URI and location.
If an exact match is found, the search terminates.
For example, if a “
” request happens frequently,
defining “
location = /
” will speed up the processing
of these requests, as search terminates right after the first
comparison.
Such a location cannot obviously contain nested locations.
In versions from 0.7.1 to 0.8.41, if a request matched the prefix
location without the “
” and “
^~
modifiers, the search also terminated and regular expressions were
not checked.
Let’s illustrate the above by an example:
location = / {
[ configuration A ]
location / {
[ configuration B ]
location /documents/ {
[ configuration C ]
location ^~ /images/ {
[ configuration D ]
location ~* \.(gif|jpg|jpeg)$ {
[ configuration E ]
The “
” request will match configuration A,
the “
/index.html
” request will match configuration B,
the “
/documents/document.html
” request will match
configuration C,
the “
/images/1.gif
” request will match configuration D, and
the “
/documents/1.jpg
” request will match configuration E.
The “
” prefix defines a named location.
Such a location is not used for a regular request processing, but instead
used for request redirection.
They cannot be nested, and cannot contain nested locations.
If a location is defined by a prefix string that ends with the slash character,
and requests are processed by one of
proxy_pass
fastcgi_pass
uwsgi_pass
scgi_pass
memcached_pass
, or
grpc_pass
then the special processing is performed.
In response to a request with URI equal to this string,
but without the trailing slash,
a permanent redirect with the code 301 will be returned to the requested URI
with the slash appended.
If this is not desired, an exact match of the URI and location could be
defined like this:
location /user/ {
proxy_pass http://user.example.com;
location = /user {
proxy_pass http://login.example.com;
Syntax:
log_not_found
on
off
Default:
log_not_found on;
Context:
http
server
location
Enables or disables logging of errors about not found files into
error_log
Syntax:
log_subrequest
on
off
Default:
log_subrequest off;
Context:
http
server
location
Enables or disables logging of subrequests into
access_log
Syntax:
max_headers
number
Default:
max_headers 1000;
Context:
http
server
This directive appeared in version 1.29.8.
Sets the maximum allowed number of header lines in requests.
If this limit is reached, the error
400 (Bad Request)
is returned.
Syntax:
max_ranges
number
Default:
Context:
http
server
location
This directive appeared in version 1.1.2.
Limits the maximum allowed number of ranges in byte-range requests.
Requests that exceed the limit are processed as if there were no
byte ranges specified.
By default, the number of ranges is not limited.
The zero value disables the byte-range support completely.
Syntax:
merge_slashes
on
off
Default:
merge_slashes on;
Context:
http
server
Enables or disables compression of two or more adjacent slashes
in a URI into a single slash.
Note that compression is essential for the correct matching of prefix string
and regular expression locations.
Without it, the “
//scripts/one.php
” request would not match
location /scripts/ {
...
and might be processed as a static file.
So it gets converted to “
/scripts/one.php
”.
Turning the compression
off
can become necessary if a URI
contains base64-encoded names, since base64 uses the “
character internally.
However, for security considerations, it is better to avoid turning
the compression off.
If the directive is specified on the
server
level,
the value from the default server can be used.
Details are provided in the
Virtual
server selection
” section.
Syntax:
msie_padding
on
off
Default:
msie_padding on;
Context:
http
server
location
Enables or disables adding comments to responses for MSIE clients with status
greater than 400 to increase the response size to 512 bytes.
Syntax:
msie_refresh
on
off
Default:
msie_refresh off;
Context:
http
server
location
Enables or disables issuing refreshes instead of redirects for MSIE clients.
Syntax:
open_file_cache
off
open_file_cache
max
inactive
time
];
Default:
open_file_cache off;
Context:
http
server
location
Configures a cache that can store:
open file descriptors, their sizes and modification times;
information on existence of directories;
file lookup errors, such as “file not found”, “no read permission”,
and so on.
Caching of errors should be enabled separately by the
open_file_cache_errors
directive.
The directive has the following parameters:
max
sets the maximum number of elements in the cache;
on cache overflow the least recently used (LRU) elements are removed;
inactive
defines a time after which an element is removed from the cache
if it has not been accessed during this time;
by default, it is 60 seconds;
off
disables the cache.
Example:
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
Syntax:
open_file_cache_errors
on
off
Default:
open_file_cache_errors off;
Context:
http
server
location
Enables or disables caching of file lookup errors by
open_file_cache
Syntax:
open_file_cache_min_uses
number
Default:
open_file_cache_min_uses 1;
Context:
http
server
location
Sets the minimum
number
of file accesses during
the period configured by the
inactive
parameter
of the
open_file_cache
directive, required for a file
descriptor to remain open in the cache.
Syntax:
open_file_cache_valid
time
Default:
open_file_cache_valid 60s;
Context:
http
server
location
Sets a time after which
open_file_cache
elements should be validated.
Syntax:
output_buffers
number
size
Default:
output_buffers 2 32k;
Context:
http
server
location
Sets the
number
and
size
of the
buffers used for reading a response from a disk.
Prior to version 1.9.5, the default value was 1 32k.
Syntax:
port_in_redirect
on
off
Default:
port_in_redirect on;
Context:
http
server
location
Enables or disables specifying the port in
absolute
redirects issued by nginx.
The use of the primary server name in redirects is controlled by
the
server_name_in_redirect
directive.
Syntax:
postpone_output
size
Default:
postpone_output 1460;
Context:
http
server
location
If possible, the transmission of client data will be postponed until
nginx has at least
size
bytes of data to send.
The zero value disables postponing data transmission.
Syntax:
read_ahead
size
Default:
read_ahead 0;
Context:
http
server
location
Sets the amount of pre-reading for the kernel when working with file.
On Linux, the
posix_fadvise(0, 0, 0, POSIX_FADV_SEQUENTIAL)
system call is used, and so the
size
parameter is ignored.
On FreeBSD, the
fcntl(O_READAHEAD,
size
system call, supported since FreeBSD 9.0-CURRENT, is used.
FreeBSD 7 has to be
patched
Syntax:
recursive_error_pages
on
off
Default:
recursive_error_pages off;
Context:
http
server
location
Enables or disables doing several redirects using the
error_page
directive.
The number of such redirects is
limited
Syntax:
request_pool_size
size
Default:
request_pool_size 4k;
Context:
http
server
Allows accurate tuning of per-request memory allocations.
This directive has minimal impact on performance
and should not generally be used.
Syntax:
reset_timedout_connection
on
off
Default:
reset_timedout_connection off;
Context:
http
server
location
Enables or disables resetting timed out connections
and connections
closed
with the non-standard code 444 (1.15.2).
The reset is performed as follows.
Before closing a socket, the
SO_LINGER
option is set on it with a timeout value of 0.
When the socket is closed, TCP RST is sent to the client, and all memory
occupied by this socket is released.
This helps avoid keeping an already closed socket with filled buffers
in a FIN_WAIT1 state for a long time.
It should be noted that timed out keep-alive connections are
closed normally.
Syntax:
resolver
address
...
valid
time
ipv4
on
off
ipv6
on
off
status_zone
zone
];
Default:
Context:
http
server
location
Configures name servers used to resolve names of upstream servers
into addresses, for example:
resolver 127.0.0.1 [::1]:5353;
The address can be specified as a domain name or IP address,
with an optional port (1.3.1, 1.2.2).
If port is not specified, the port 53 is used.
Name servers are queried in a round-robin fashion.
Before version 1.1.7, only a single name server could be configured.
Specifying name servers using IPv6 addresses is supported
starting from versions 1.3.1 and 1.2.2.
By default, nginx will look up both IPv4 and IPv6 addresses while resolving.
If looking up of IPv4 or IPv6 addresses is not desired,
the
ipv4=off
(1.23.1) or
the
ipv6=off
parameter can be specified.
Resolving of names into IPv6 addresses is supported
starting from version 1.5.8.
By default, nginx caches answers using the TTL value of a response.
An optional
valid
parameter allows overriding it:
resolver 127.0.0.1 [::1]:5353 valid=30s;
Before version 1.1.9, tuning of caching time was not possible,
and nginx always cached answers for the duration of 5 minutes.
To prevent DNS spoofing, it is recommended
configuring DNS servers in a properly secured trusted local network.
The optional
status_zone
parameter (1.17.1)
enables
collection
of DNS server statistics of requests and responses
in the specified
zone
The parameter is available as part of our
commercial subscription
Syntax:
resolver_timeout
time
Default:
resolver_timeout 30s;
Context:
http
server
location
Sets a timeout for name resolution, for example:
resolver_timeout 5s;
Syntax:
root
path
Default:
root html;
Context:
http
server
location
if in location
Sets the root directory for requests.
For example, with the following configuration
location /i/ {
root /data/w3;
The
/data/w3/i/top.gif
file will be sent in response to
the “
/i/top.gif
” request.
The
path
value can contain variables,
except
$document_root
and
$realpath_root
A path to the file is constructed by merely adding a URI to the value
of the
root
directive.
If a URI has to be modified, the
alias
directive should be used.
Syntax:
satisfy
all
any
Default:
satisfy all;
Context:
http
server
location
Allows access if all (
all
) or at least one
any
) of the
ngx_http_access_module
ngx_http_auth_basic_module
ngx_http_auth_request_module
ngx_http_auth_jwt_module
(1.13.10),
or
ngx_http_auth_oidc_module
(1.27.4)
modules allow access.
Example:
location / {
satisfy any;
allow 192.168.1.0/32;
deny all;
auth_basic "closed site";
auth_basic_user_file conf/htpasswd;
Syntax:
send_lowat
size
Default:
send_lowat 0;
Context:
http
server
location
If the directive is set to a non-zero value, nginx will try to minimize
the number of send operations on client sockets by using either
NOTE_LOWAT
flag of the
kqueue
method
or the
SO_SNDLOWAT
socket option.
In both cases the specified
size
is used.
This directive is ignored on Linux, Solaris, and Windows.
Syntax:
send_timeout
time
Default:
send_timeout 60s;
Context:
http
server
location
Sets a timeout for transmitting a response to the client.
The timeout is set only between two successive write operations,
not for the transmission of the whole response.
If the client does not receive anything within this time,
the connection is closed.
Syntax:
sendfile
on
off
Default:
sendfile off;
Context:
http
server
location
if in location
Enables or disables the use of
sendfile()
Starting from nginx 0.8.12 and FreeBSD 5.2.1,
aio
can be used to pre-load data
for
sendfile()
location /video/ {
sendfile on;
tcp_nopush on;
aio on;
In this configuration,
sendfile()
is called with
the
SF_NODISKIO
flag which causes it not to block on disk I/O,
but, instead, report back that the data are not in memory.
nginx then initiates an asynchronous data load by reading one byte.
On the first read, the FreeBSD kernel loads the first 128K bytes
of a file into memory, although next reads will only load data in 16K chunks.
This can be changed using the
read_ahead
directive.
Before version 1.7.11, pre-loading could be enabled with
aio sendfile;
Syntax:
sendfile_max_chunk
size
Default:
sendfile_max_chunk 2m;
Context:
http
server
location
Limits the amount of data that can be
transferred in a single
sendfile()
call.
Without the limit, one fast connection may seize the worker process entirely.
Prior to version 1.21.4, by default there was no limit.
Syntax:
server
{ ... }
Default:
Context:
http
Sets configuration for a virtual server.
There is no clear separation between IP-based (based on the IP address)
and name-based (based on the “Host” request header field)
virtual servers.
Instead, the
listen
directives describe all
addresses and ports that should accept connections for the server, and the
server_name
directive lists all server names.
Example configurations are provided in the
How nginx processes a request
” document.
Syntax:
server_name
name
...;
Default:
server_name "";
Context:
server
Sets names of a virtual server, for example:
server {
server_name example.com www.example.com;
The first name becomes the primary server name.
Server names can include an asterisk (“
”)
replacing the first or last part of a name:
server {
server_name example.com *.example.com www.example.*;
Such names are called wildcard names.
The first two of the names mentioned above can be combined in one:
server {
server_name .example.com;
It is also possible to use regular expressions in server names,
preceding the name with a tilde (“
”):
server {
server_name www.example.com ~^www\d+\.example\.com$;
Regular expressions can contain captures (0.7.40) that can later
be used in other directives:
server {
server_name ~^(www\.)?(.+)$;
location / {
root /sites/$2;
server {
server_name _;
location / {
root /sites/default;
Named captures in regular expressions create variables (0.8.25)
that can later be used in other directives:
server {
server_name ~^(www\.)?(?
location / {
root /sites/$domain;
server {
server_name _;
location / {
root /sites/default;
If the directive’s parameter is set to “
$hostname
” (0.9.4), the
machine’s hostname is inserted.
It is also possible to specify an empty server name (0.7.11):
server {
server_name www.example.com "";
It allows this server to process requests without the “Host”
header field — instead of the default server — for the given address:port pair.
This is the default setting.
Before 0.8.48, the machine’s hostname was used by default.
The search is performed in the following order of priority
and terminates on the first matching variant:
the exact name
the longest wildcard name starting with an asterisk,
e.g. “
*.example.com
the longest wildcard name ending with an asterisk,
e.g. “
mail.*
the first matching regular expression
(in order of appearance in the configuration file)
Detailed description of server names is provided in a separate
Server names
document.
Syntax:
server_name_in_redirect
on
off
Default:
server_name_in_redirect off;
Context:
http
server
location
Enables or disables the use of the primary server name, specified by the
server_name
directive,
in
absolute
redirects issued by nginx.
When the use of the primary server name is disabled, the name from the
“Host” request header field is used.
If this field is not present, the IP address of the server is used.
The use of a port in redirects is controlled by
the
port_in_redirect
directive.
Syntax:
server_names_hash_bucket_size
size
Default:
server_names_hash_bucket_size 32|64|128;
Context:
http
Sets the bucket size for the server names hash tables.
The default value depends on the size of the processor’s cache line.
The details of setting up hash tables are provided in a separate
document
Syntax:
server_names_hash_max_size
size
Default:
server_names_hash_max_size 512;
Context:
http
Sets the maximum
size
of the server names hash tables.
The details of setting up hash tables are provided in a separate
document
Syntax:
server_tokens
on
off
build
string
Default:
server_tokens on;
Context:
http
server
location
Enables or disables emitting nginx version on error pages and in the
“Server” response header field.
The
build
parameter (1.11.10) enables emitting
build name
along with nginx version.
Additionally, as part of our
commercial subscription
starting from version 1.9.13
the signature on error pages and
the “Server” response header field value
can be set explicitly using the
string
with variables.
An empty string disables the emission of the “Server” field.
Syntax:
subrequest_output_buffer_size
size
Default:
subrequest_output_buffer_size 4k|8k;
Context:
http
server
location
This directive appeared in version 1.13.10.
Sets the
size
of the buffer used for
storing the response body of a subrequest.
By default, the buffer size is equal to one memory page.
This is either 4K or 8K, depending on a platform.
It can be made smaller, however.
The directive is applicable only for subrequests
with response bodies saved into memory.
For example, such subrequests are created by
SSI
Syntax:
tcp_nodelay
on
off
Default:
tcp_nodelay on;
Context:
http
server
location
Enables or disables the use of the
TCP_NODELAY
option.
The option is enabled when a connection is transitioned into the
keep-alive state.
Additionally, it is enabled on SSL connections,
for unbuffered proxying,
and for
WebSocket
proxying.
Syntax:
tcp_nopush
on
off
Default:
tcp_nopush off;
Context:
http
server
location
Enables or disables the use of
the
TCP_NOPUSH
socket option on FreeBSD
or the
TCP_CORK
socket option on Linux.
The options are enabled only when
sendfile
is used.
Enabling the option allows
sending the response header and the beginning of a file in one packet,
on Linux and FreeBSD 4.*;
sending a file in full packets.
Syntax:
try_files
file
...
uri
try_files
file
... =
code
Default:
Context:
server
location
Checks the existence of files in the specified order and uses
the first found file for request processing; the processing
is performed in the current context.
The path to a file is constructed from the
file
parameter
according to the
root
and
alias
directives.
It is possible to check directory’s existence by specifying
a slash at the end of a name, e.g. “
$uri/
”.
If none of the files were found, an internal redirect to the
uri
specified in the last parameter is made.
For example:
location /images/ {
try_files $uri /images/default.gif;
location = /images/default.gif {
expires 30s;
The last parameter can also point to a named location,
as shown in examples below.
Starting from version 0.7.51, the last parameter can also be a
code
location / {
try_files $uri $uri/index.html $uri.html =404;
Example in proxying Mongrel:
location / {
try_files /system/maintenance.html
$uri $uri/index.html $uri.html
@mongrel;
location @mongrel {
proxy_pass http://mongrel;
Example for Drupal/FastCGI:
location / {
try_files $uri $uri/ @drupal;
location ~ \.php$ {
try_files $uri @drupal;
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param QUERY_STRING $args;
... other fastcgi_param's
location @drupal {
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to/index.php;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param QUERY_STRING q=$uri&$args;
... other fastcgi_param's
In the following example,
location / {
try_files $uri $uri/ @drupal;
the
try_files
directive is equivalent to
location / {
error_page 404 = @drupal;
log_not_found off;
And here,
location ~ \.php$ {
try_files $uri @drupal;
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
...
try_files
checks the existence of the PHP file
before passing the request to the FastCGI server.
Example for Wordpress and Joomla:
location / {
try_files $uri $uri/ @wordpress;
location ~ \.php$ {
try_files $uri @wordpress;
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
... other fastcgi_param's
location @wordpress {
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to/index.php;
... other fastcgi_param's
Syntax:
types
{ ... }
Default:
types {
text/html html;
image/gif gif;
image/jpeg jpg;
Context:
http
server
location
Maps file name extensions to MIME types of responses.
Extensions are case-insensitive.
Several extensions can be mapped to one type, for example:
types {
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
A sufficiently full mapping table is distributed with nginx in the
conf/mime.types
file.
To make a particular location emit the
application/octet-stream
MIME type for all requests, the following configuration can be used:
location /download/ {
types { }
default_type application/octet-stream;
Syntax:
types_hash_bucket_size
size
Default:
types_hash_bucket_size 64;
Context:
http
server
location
Sets the bucket size for the types hash tables.
The details of setting up hash tables are provided in a separate
document
Prior to version 1.5.13,
the default value depended on the size of the processor’s cache line.
Syntax:
types_hash_max_size
size
Default:
types_hash_max_size 1024;
Context:
http
server
location
Sets the maximum
size
of the types hash tables.
The details of setting up hash tables are provided in a separate
document
Syntax:
underscores_in_headers
on
off
Default:
underscores_in_headers off;
Context:
http
server
Enables or disables the use of underscores in client request header fields.
When the use of underscores is disabled, request header fields whose names
contain underscores are
marked as invalid and become subject to the
ignore_invalid_headers
directive.
If the directive is specified on the
server
level,
the value from the default server can be used.
Details are provided in the
Virtual
server selection
” section.
Syntax:
variables_hash_bucket_size
size
Default:
variables_hash_bucket_size 64;
Context:
http
Sets the bucket size for the variables hash table.
The details of setting up hash tables are provided in a separate
document
Syntax:
variables_hash_max_size
size
Default:
variables_hash_max_size 1024;
Context:
http
Sets the maximum
size
of the variables hash table.
The details of setting up hash tables are provided in a separate
document
Prior to version 1.5.13, the default value was 512.
Embedded Variables
The
ngx_http_core_module
module supports embedded variables
with names matching the Apache Server variables.
First of all, these are variables representing client request header
fields, such as
$http_user_agent
$http_cookie
and so on.
Also there are other variables:
$arg_
name
argument
name
in the request line
$args
arguments in the request line
$binary_remote_addr
client address in a binary form, value’s length is always 4 bytes
for IPv4 addresses or 16 bytes for IPv6 addresses
$body_bytes_sent
number of bytes sent to a client, not counting the response header;
this variable is compatible with the “
%B
” parameter of the
mod_log_config
Apache module
$bytes_sent
number of bytes sent to a client (1.3.8, 1.2.5)
$connection
connection serial number (1.3.8, 1.2.5)
$connection_requests
current number of requests made through a connection (1.3.8, 1.2.5)
$connection_time
connection time in seconds with a milliseconds resolution (1.19.10)
$content_length
“Content-Length” request header field
$content_type
“Content-Type” request header field
$cookie_
name
the
name
$document_root
root
or
alias
directive’s value
for the current request
$document_uri
same as
$uri
$host
in this order of precedence:
host name from the request line, or
host name from the “Host” request header field, or
the server name matching a request
$hostname
host name
$http_
name
arbitrary request header field;
the last part of a variable name is the field name converted
to lower case with dashes replaced by underscores
$https
on
if connection operates in SSL mode,
or an empty string otherwise
$is_args
” if a request line has arguments,
or an empty string otherwise
$is_request_port
” if
$request_port
is non-empty,
or an empty string otherwise (1.29.3)
$limit_rate
setting this variable enables response rate limiting;
see
limit_rate
$msec
current time in seconds with the milliseconds resolution (1.3.9, 1.2.6)
$nginx_version
nginx version
$pid
PID of the worker process
$pipe
” if request was pipelined, “
otherwise (1.3.12, 1.2.7)
$proxy_protocol_addr
client address from the PROXY protocol header (1.5.12)
The PROXY protocol must be previously enabled by setting the
proxy_protocol
parameter
in the
listen
directive.
$proxy_protocol_port
client port from the PROXY protocol header (1.11.0)
The PROXY protocol must be previously enabled by setting the
proxy_protocol
parameter
in the
listen
directive.
$proxy_protocol_server_addr
server address from the PROXY protocol header (1.17.6)
The PROXY protocol must be previously enabled by setting the
proxy_protocol
parameter
in the
listen
directive.
$proxy_protocol_server_port
server port from the PROXY protocol header (1.17.6)
The PROXY protocol must be previously enabled by setting the
proxy_protocol
parameter
in the
listen
directive.
$proxy_protocol_tlv_
name
TLV from the PROXY Protocol header (1.23.2).
The
name
can be a TLV type name or its numeric value.
In the latter case, the value is hexadecimal
and should be prefixed with
0x
$proxy_protocol_tlv_alpn
$proxy_protocol_tlv_0x01
SSL TLVs can also be accessed by TLV type name
or its numeric value,
both prefixed by
ssl_
$proxy_protocol_tlv_ssl_version
$proxy_protocol_tlv_ssl_0x21
The following TLV type names are supported:
alpn
0x01
) -
upper layer protocol used over the connection
authority
0x02
) -
host name value passed by the client
unique_id
0x05
) -
unique connection id
netns
0x30
) -
name of the namespace
ssl
0x20
) -
binary SSL TLV structure
The following SSL TLV type names are supported:
ssl_version
0x21
) -
SSL version used in client connection
ssl_cn
0x22
) -
SSL certificate Common Name
ssl_cipher
0x23
) -
name of the used cipher
ssl_sig_alg
0x24
) -
algorithm used to sign the certificate
ssl_key_alg
0x25
) -
public-key algorithm
Also, the following special SSL TLV type name is supported:
ssl_verify
client SSL certificate verification result,
if the client presented a certificate
and it was successfully verified,
non-zero otherwise.
The PROXY protocol must be previously enabled by setting the
proxy_protocol
parameter
in the
listen
directive.
$query_string
same as
$args
$realpath_root
an absolute pathname corresponding to the
root
or
alias
directive’s value
for the current request,
with all symbolic links resolved to real paths
$remote_addr
client address
$remote_port
client port
$remote_user
user name supplied with the Basic authentication
$request
full original request line
$request_body
request body
The variable’s value is made available in locations
processed by the
proxy_pass
fastcgi_pass
uwsgi_pass
and
scgi_pass
directives when the request body was read to
memory buffer
$request_body_file
name of a temporary file with the request body
At the end of processing, the file needs to be removed.
To always write the request body to a file,
client_body_in_file_only
needs to be enabled.
When the name of a temporary file is passed in a proxied request
or in a request to a FastCGI/uwsgi/SCGI server,
passing the request body should be disabled by the
proxy_pass_request_body off
fastcgi_pass_request_body off
uwsgi_pass_request_body off
, or
scgi_pass_request_body off
directives, respectively.
$request_completion
OK
” if a request has completed,
or an empty string otherwise
$request_filename
file path for the current request, based on the
root
or
alias
directives, and the request URI
$request_id
unique request identifier
generated from 16 random bytes, in hexadecimal (1.11.0)
$request_length
request length (including request line, header, and request body)
(1.3.12, 1.2.7)
$request_method
request method, usually
GET
” or “
POST
$request_port
in this order of precedence:
port number from the
URI
authority component, or
port number from the “Host” request header field (1.29.3)
$request_time
request processing time in seconds with a milliseconds resolution
(1.3.9, 1.2.6);
time elapsed since the first bytes were read from the client
$request_uri
full original request URI (with arguments)
$scheme
request scheme, “
http
” or “
https
$sent_http_
name
arbitrary response header field;
the last part of a variable name is the field name converted
to lower case with dashes replaced by underscores
$sent_trailer_
name
arbitrary field sent at the end of the response (1.13.2);
the last part of a variable name is the field name converted
to lower case with dashes replaced by underscores
$server_addr
an address of the server which accepted a request
Computing a value of this variable usually requires one system call.
To avoid a system call, the
listen
directives
must specify addresses and use the
bind
parameter.
$server_name
name of the server which accepted a request
$server_port
port of the server which accepted a request
$server_protocol
request protocol, usually
HTTP/1.0
”,
HTTP/1.1
”,
HTTP/2.0
”,
or
HTTP/3.0
$status
response status (1.3.2, 1.2.2)
$tcpinfo_rtt
$tcpinfo_rttvar
$tcpinfo_snd_cwnd
$tcpinfo_rcv_space
information about the client TCP connection; available on systems
that support the
TCP_INFO
socket option
$time_iso8601
local time in the ISO 8601 standard format (1.3.12, 1.2.7)
$time_local
local time in the Common Log Format (1.3.12, 1.2.7)
$uri
current URI in request,
normalized
The value of
$uri
may change during request processing,
e.g. when doing internal redirects, or when using index files.