HTTP Module
The core HTTP module implements the basic functionality of an HTTP server: this includes defining server blocks, configuring locations for request routing, serving static files and controlling access, configuring redirects, supporting keep-alive connections, and managing request and response headers.

The other modules in this section extend this functionality, allowing you to flexibly configure and optimize the HTTP server for various scenarios and requirements.

If disabled, redirects issued by Angie will be relative. See also server_name_in_redirect and port_in_redirect directives.

Enables or disables the use of asynchronous file I/O (AIO) on FreeBSD and Linux:

On FreeBSD, AIO can be used starting from FreeBSD 4.3. Prior to FreeBSD 11.0, AIO can either be linked statically into a kernel: or loaded dynamically as a kernel loadable module:

On Linux, AIO can be used starting from kernel version 2.6.22. Also, it is necessary to enable directio, or otherwise reading will be blocking:

On Linux, directio can only be used for reading blocks that are aligned on 512-byte boundaries (or 4K for XFS). A file's unaligned end is read in blocking mode. The same holds true for byte range requests and for FLV requests not from the beginning of a file: reading of unaligned data at the beginning and end of a file will be blocking.

When both AIO and sendfile are enabled on Linux, AIO is used for files that are larger than or equal to the size specified in the directio directive, while sendfile is used for files of smaller sizes or when directio is disabled:

Finally, files can be read and sent using multi-threading, without blocking a worker process:

Read and send file operations are offloaded to threads of the specified pool. If the pool name is omitted, the pool with the name "default" is used. The pool name can also be set with variables:

By default, multi-threading is disabled; it should be enabled with the --with-threads configuration parameter. Currently, multi-threading is compatible only with the epoll, kqueue and eventport methods. Multi-threaded sending of files is only supported on Linux.

See also the sendfile directive.

If aio is enabled, specifies whether it is used for writing files. Currently, this only works when using aio threads and is limited to writing temporary files with data received from proxied servers.

Defines a replacement for the specified location. For example, with the following configuration: on request of

The path value can contain variables, except $document_root and $realpath_root.

If alias is used inside a location defined with a regular expression then such regular expression should contain captures and alias should refer to these captures, for example:

When location matches the last part of the directive's value: it is better to use the root directive instead:

Delays processing of unauthorized requests with 401 response code to prevent timing attacks when access is limited by password or by the result of subrequest.

The directive controls the redirection behavior when a prefix location ends with a slash: Here, a request for The value

Default http, server, location
Allows disabling chunked transfer encoding in HTTP/1.1. It may come in handy when using software that fails to support chunked encoding despite the standard's requirement.

Default http, server, location
Sets buffer size for reading client request body. In case the request body is larger than the buffer, the whole body or only its part is written to a temporary file. By default, buffer size is equal to two memory pages. This is 8K on x86, other 32-bit platforms, and x86-64. It is usually 16K on other 64-bit platforms.

Default http, server, location
Determines whether Angie should save the entire client request body into a file. This directive can be used during debugging, or when using the $request_body_file variable, or the $r->request_body_file method of the Perl module. When set to the value on, temporary files are not removed after request processing.
temporary files are not removed after request processing
will cause the temporary files left after request processing to be removed

Default http, server, location
Determines whether Angie should save the entire client request body in a single buffer. The directive is recommended when using the $request_body variable, to save the number of copy operations involved.

Default http, server, location
Defines a directory for storing temporary files holding client request bodies. Up to a three-level subdirectory hierarchy can be used under the specified directory. For example, in the following configuration a path to a temporary file might look like this:

Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the request is terminated with the 408 (Request Time-out) error.

Sets buffer size for reading client request header.
For most requests, a buffer of 1K bytes is enough. However, if a request includes long cookies, or comes from a WAP client, it may not fit into 1K. If a request line or a request header field does not fit into this buffer then larger buffers, configured by the large_client_header_buffers directive, are allocated. If the directive is specified on the server level, the value from the default server can be used. Details are provided in the Virtual server selection section.

Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the request is terminated with the 408 (Request Time-out) error.

Sets the maximum allowed size of the client request body. If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Please be aware that browsers cannot correctly display this error.
disables checking of client request body size

Allows accurate tuning of per-connection memory allocations. This directive has minimal impact on performance and should not generally be used. By default: 32-bit platforms 64-bit platforms

Defines the default MIME type of a response. Mapping of file name extensions to MIME types can be set with the types directive.

Enables the use of the O_DIRECT flag (FreeBSD, Linux), the F_NOCACHE flag (macOS), or the directio() function (Solaris), when reading files that are larger than or equal to the specified size. The directive automatically disables the use of sendfile for a given request. It can be useful for serving large files: or when using aio on Linux.

Sets the alignment for directio. In most cases, a 512-byte alignment is enough. However, when using XFS under Linux, it needs to be increased to 4K.

Default http, server, location
Determines how symbolic links should be treated when opening files:
Symbolic links in the pathname are allowed and not checked. This is the default behavior.
If any component of the pathname is a symbolic link, access to a file is denied.
Access to a file is denied if any component of the pathname is a symbolic link, and the link and object that the link points to have different owners.
When checking symbolic links (parameters
Example:
This directive is only available on systems that have the
Warning: Parameters
On systems that do not support opening of directories only for search, to use these parameters it is required that worker processes have read permissions for all directories being checked.
Note: The AutoIndex, Random Index and DAV modules currently ignore this directive.

Defines the URI that will be shown for the specified errors. A uri value can contain variables. Example:

This causes an internal redirect to the specified uri with the client request method changed to "GET" (for all methods other than "GET" and "HEAD"). Furthermore, it is possible to change the response code to another using the =response syntax, for example:

If an error response is processed by a proxied server or a FastCGI/uwsgi/SCGI/gRPC server, and the server may return different response codes (e.g., 200, 302, 401 or 404), it is possible to respond with the code it returns:

If there is no need to change URI and method during internal redirection it is possible to pass error processing into a named location:

Note: If uri processing leads to an error, the status code of the last occurred error is returned to the client.

It is also possible to use URL redirects for error processing: In this case, by default, the response code 302 is returned to the client. It can only be changed to one of the redirect status codes (301, 302, 303, 307, and 308).

Enables or disables automatic generation of the "ETag" response header field for static resources.

Provides the configuration file context in which the HTTP server directives are specified.

Default http, server, location
Specifies how to compare modification time of a response with the time in the If-Modified-Since request header field:
the response is always considered modified
exact match
modification time of the response is less than or equal to the time in the If-Modified-Since request header field.

Controls whether header fields with invalid names should be ignored. Valid names are composed of English letters, digits, hyphens, and possibly underscores (as controlled by the underscores_in_headers directive). If the directive is specified on the server level, the value from the default server can be used.

Specifies that a given location can only be used for internal requests. For external requests, the client error 404 (Not Found) is returned. Internal requests are the following: requests redirected by the error_page, index, random_index and try_files directives; requests redirected by the X-Accel-Redirect response header field from an upstream server; subrequests formed by the include virtual command of the http_ssi module, by the http_addition module directives, and by auth_request and mirror directives; requests changed by the rewrite directive. Example:

Note: There is a limit of 10 internal redirects per request to prevent request processing cycles that can occur in incorrect configurations. If this limit is reached, the error 500 (Internal Server Error) is returned. In such cases, the rewrite or internal redirection cycle message can be seen in the error log.

Default http, server, location
Disables keep-alive connections with misbehaving browsers. The browser parameters specify which browsers will be affected.
enables keep-alive connections with all browsers
disables keep-alive connections with old versions of MSIE, once a POST request is received
disables keep-alive connections with Safari and Safari-like browsers on macOS and macOS-like operating systems

Sets the maximum number of requests that can be served through one keep-alive connection. After the maximum number of requests are made, the connection is closed. Closing connections periodically is necessary to free per-connection memory allocations. Therefore, using too high a maximum number of requests could result in excessive memory usage and is not recommended.

Limits the maximum time during which requests can be processed through one keep-alive connection. After this time is reached, the connection is closed following the subsequent request processing.

Default http, server, location
sets a timeout during which a keep-alive client connection will stay open on the server side
disables keep-alive client connections
The optional second parameter sets a value in the "Keep-Alive: timeout=time" response header field. Two parameters may differ. The "Keep-Alive: timeout=time" header field is recognized by Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about 60 seconds.

Default http, server
Sets the maximum number and size of buffers used for reading large client request header.
A request line cannot exceed the size of one buffer, or the 414 (Request-URI Too Large) error is returned to the client. A request header field cannot exceed the size of one buffer as well, or the 400 (Bad Request) error is returned to the client. Buffers are allocated only on demand. By default, the buffer size is equal to 8K bytes. If after the end of request processing a connection is transitioned into the keep-alive state, these buffers are released. If the directive is specified on the server level, the value from the default server can be used.

Limits allowed HTTP methods inside a location. The method can be one of the following:
Note: This example will limit access to all methods, except

Limits the rate of response transmission to a client. The rate is specified in bytes per second. The zero value disables rate limiting. The limit is set per request, and so if a client simultaneously opens two connections, the overall rate will be twice as much as the specified limit.

Parameter value can contain variables. It may be useful in cases where rate should be limited depending on a certain condition:

Rate limit can also be set in the $limit_rate variable; however, this method is not recommended:

Rate limit can also be set in the "X-Accel-Limit-Rate" header field of a proxied server response. This capability can be disabled using the proxy_ignore_headers, fastcgi_ignore_headers, uwsgi_ignore_headers and scgi_ignore_headers directives.

Sets the initial amount after which the further transmission of a response to a client will be rate limited. Parameter value can contain variables. Example:

Controls how Angie closes client connections.
instructs Angie to wait for and process additional data from a client before fully closing a connection, but only if heuristics suggests that a client may be sending more data.
will cause Angie to unconditionally wait for and process additional client data.
tells Angie to never wait for more data and close the connection immediately. This behavior breaks the protocol and should not be used under normal circumstances.
To control closing HTTP/2 connections, the directive must be specified on the server level.

When lingering_close is in effect, this directive specifies the maximum time during which Angie will process (read and ignore) additional data coming from a client. After that, the connection will be closed, even if there will be more data.

When lingering_close is in effect, the directive specifies the maximum waiting time for more client data to arrive. If data are not received during this time, the connection is closed. Otherwise, the data are read and ignored, and Angie starts waiting for more data again. This "wait-read-ignore" cycle is repeated no longer than specified by the lingering_time directive.

During a graceful shutdown, keepalive connections from clients are closed only
if they remain inactive for at least the duration of

Default server
Sets the address and port for listen socket, or the path for a UNIX domain socket on which the server will accept requests. Both address and port, or only address or only port can be specified. An address may also be a hostname, for example:
IPv6 addresses are specified in square brackets:
UNIX domain sockets are specified with the
If only address is given, the port 80 is used. If the directive is not present then either *:80 is used if Angie runs with the superuser privileges, or *:8000 otherwise.

The server with this parameter specified will be the default server for the given address:port pair (together they form a listening socket). If there are no directives with the

allows specifying that all connections accepted on this port should work in SSL mode. This allows for a more compact configuration for the server that handles both HTTP and HTTPS requests.

configures the port to accept HTTP/2 connections. Normally, for this to work the ssl parameter should be specified as well, but Angie can also be configured to accept HTTP/2 connections without SSL. Deprecated since version 1.2.0. Use the http2 directive instead.

configures the port to accept QUIC connections. To use this option, Angie must have the HTTP3 module enabled and configured. With

allows specifying that all connections accepted on this port should use the PROXY protocol.

The listen directive can have several additional parameters specific to socket-related system calls. These parameters can be specified in any listen directive, but only once for a given address:port pair.

this parameter sets the associated routing table, FIB (the SO_SETFIB option) for the listening socket. This currently works only on FreeBSD.

enables "TCP Fast Open" for the listening socket and limits the maximum length for the queue of connections that have not yet completed the three-way handshake.
Caution: Do not enable this feature unless the server can handle receiving the same SYN packet with data more than once.

sets the
sets the receive buffer size (the
sets the send buffer size (the
sets the name of accept filter (the
instructs to use a deferred
instructs to make a separate
this parameter determines (via the
this parameter instructs to create an individual listening socket for each worker process (using the
Caution: Inappropriate use of this option may have its security implications.

Configures the "TCP keepalive" behavior for the listening socket.
if this parameter is omitted then the operating system's settings will be in effect for the socket
the
the
Some operating systems support setting of TCP keepalive parameters on a per-socket basis using the will set the idle timeout (TCP_KEEPIDLE) to 30 minutes, leave the probe interval (TCP_KEEPINTVL) at its system default, and set the probes count (TCP_KEEPCNT) to 10 probes.

Example:

Sets the configuration depending on whether the request URI matches
any of the matching expressions.

The matching is performed against a normalized URI, after decoding the text encoded in the "%XX" form, resolving references to relative path components "." and "..", and possible compression of two or more adjacent slashes into a single slash.

A location can either be defined by a prefix string, or by a regular expression. Regular expressions are specified with the preceding modifier:
Case-insensitive matching
Case-sensitive matching

To find a location that matches a request, Angie first checks the locations defined with prefix strings (known as prefix locations). Among them, the location with the longest matching prefix is selected and tentatively stored.

Note: For case-insensitive operating systems such as macOS, prefix string matching is case insensitive. However, matching is limited to single-byte locales.

Then, regex-based locations are evaluated in order of their appearance in the configuration file. Their evaluation stops at the first match, and the corresponding configuration is used. If no matching regex location is found, Angie uses the configuration of the tentatively stored prefix location.

With some exceptions mentioned below, location blocks can be nested.

Regex locations may define capture groups that can later be used with other directives.

If the matching prefix location uses the ^~ modifier, regex locations aren't checked.

Also, the = modifier enables exact URI matching mode for a location; if an exact match is found, the lookup stops.
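
The lookup order described above, modelled in Python as an added example (it is not Angie's code and not part of the original page). It shows that a regex location wins over a longer prefix location unless ^~ is used, so restrictions placed only in the prefix block do not apply to such requests. The Location class and the sample location set are constructed, Python's re stands in for the server's regex engine, and rejecting paths that climb above the root is a choice made by this model.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Location:
    modifier: str  # "" (prefix), "=", "^~", "~" (case-sensitive) or "~*"
    pattern: str
    name: str      # label for the configuration block (constructed)


def normalize_uri(raw_path, merge_slashes=True):
    """Decode %XX, resolve "." and "..", optionally merge adjacent slashes."""
    path = unquote(raw_path)
    if not path.startswith("/"):
        raise ValueError("request path must start with '/'")
    segments = path.split("/")[1:]
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "..":
            if not out:
                # Choice made by this model: refuse to climb above the root.
                raise ValueError("path climbs above the root")
            out.pop()
            if last:
                out.append("")  # "/a/b/.." normalizes to "/a/"
        elif seg == ".":
            if last:
                out.append("")
        elif seg == "" and merge_slashes and not last:
            continue            # drop the empty segment between two slashes
        else:
            out.append(seg)
    return "/" + "/".join(out)


def select_location(locations, uri):
    """Return the location chosen for an already normalized URI."""
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc  # exact match: the lookup stops
    best = None
    for loc in locations:
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best is None or len(loc.pattern) > len(best.pattern):
                best = loc  # longest matching prefix, tentatively stored
    if best is not None and best.modifier == "^~":
        return best  # regex locations aren't checked
    for loc in locations:  # regex locations, in order of appearance
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            if re.search(loc.pattern, uri, flags):
                return loc  # first regex match wins
    return best


def route(locations, raw_path, merge_slashes=True):
    loc = select_location(locations, normalize_uri(raw_path, merge_slashes))
    return loc.name if loc else None


# Constructed location set, in configuration-file order.
SAMPLE = [
    Location("=", "/", "exact-root"),
    Location("", "/", "catch-all"),
    Location("", "/admin/", "admin"),
    Location("^~", "/images/", "images"),
    Location("~", r"\.php$", "php"),
    Location("~*", r"\.(gif|jpe?g)$", "pictures"),
]

if __name__ == "__main__":
    for path in ("/", "/admin/users", "/admin/tool.php", "/images/logo.GIF",
                 "/static/logo.GIF", "/%61dmin/users", "//admin/users"):
        print(path, "->", route(SAMPLE, path))
    # With slash merging off, the same request no longer matches /admin/.
    print("//admin/users (no merge) ->", route(SAMPLE, "//admin/users", False))
```

When auditing a configuration, the cases to look for are the ones where the selected block is not the one carrying the access restrictions, such as /admin/tool.php above.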
For example, if / requests are frequent, defining

Example: A an a an and a

Note: If a prefix With an exact URI-matching location, redirection isn't applied:

The @ prefix defines a named location. Such locations aren't used for regular request processing, but instead can be used for request redirection. They cannot be nested and cannot contain nested locations.

Several location contexts that define identical configuration blocks can be compacted by listing all their matching expressions in a single location with a single configuration block. That's called a combined location.

Suppose that configurations A, D, and E from the previous example define identical configurations; you can combine them into one location:
A named location can also be a part of the combination:

Caution: A combined location can't have a space between the matching expression and its modifier. Proper form:
Note: Currently, a combined

Enables or disables logging of errors about not found files into error_log.

Enables or disables logging of subrequests into access_log.

Sets the maximum number of client request header fields allowed. If this limit is exceeded, a When this directive is set at the server level, the value from the default server may be applied. For more information, refer to the Virtual server selection section.

Limits the maximum allowed number of ranges in byte-range requests. Requests that exceed the limit are processed as if there were no byte ranges specified. By default, the number of ranges is not limited.
disables the byte-range support completely

Enables or disables compression of two or more adjacent slashes in a URI into a single slash. Note that compression is essential for the correct matching of prefix string and regular expression locations. Without it, the and might be processed as a static file. So it gets converted to

Turning the compression off can become necessary if a URI contains base64-encoded names, since base64 uses the "/" character internally. However, for security considerations, it is better to avoid turning the compression off. If the directive is specified on the server level, the value from the default server can be used.

Enables or disables adding comments to responses for MSIE clients with status greater than 400 to increase the response size to 512 bytes.

Enables or disables issuing refreshes instead of redirects for MSIE clients.

Default http, server, location
Configures a cache that can store: open file descriptors, their sizes and modification times; information on existence of directories; file lookup errors, such as "file not found", "no read permission", and so on. Caching of errors should be enabled separately by the open_file_cache_errors directive.
sets the maximum number of elements in the cache; on cache overflow the least recently used (LRU) elements are removed;
defines a time after which an element is removed from the cache if it has not been accessed during this time; By default, it is set to 60 seconds.
disables the cache.
Example:

Default http, server, location
Enables or disables caching of file lookup errors by open_file_cache.
Default http, server, location
Sets the minimum number of file accesses during the period configured by the inactive parameter of the open_file_cache directive, required for a file descriptor to remain open in the cache.

Sets a time after which open_file_cache elements should be validated.

Sets the number and size of the buffers used for reading a response from a disk.

Enables or disables specifying the port in absolute redirects issued by Angie. The use of the primary server name in redirects is controlled by the server_name_in_redirect directive.

If possible, the transmission of client data will be postponed until Angie has at least size bytes of data to send.
disables postponing data transmission

Sets the amount of pre-reading for the kernel when working with a file. On Linux, the posix_fadvise(0, 0, 0, POSIX_FADV_SEQUENTIAL) system call is used, and so the size parameter is ignored.

Enables or disables doing several redirects using the error_page directive. The number of such redirects is limited.

Allows accurate tuning of per-request memory allocations. This directive has minimal impact on performance and should not generally be used.

Default http, server, location
Enables or disables resetting timed out connections and connections closed with the non-standard code 444. The reset is performed as follows. Before closing a socket, the SO_LINGER option is set on it with a timeout value of 0. When the socket is closed, TCP RST is sent to the client, and all memory occupied by this socket is released. This helps avoid keeping an already closed socket with filled buffers in a FIN_WAIT1 state for a long time.
Note: Timed out keep-alive connections are closed normally.

Default — http, server, location, upstream
Configures name servers used to resolve names of upstream servers into addresses, for example:
The address can be specified as a domain name or IP address, with an optional port. If port is not specified, the port 53 is used. Name servers are queried in a round-robin fashion.

By default, Angie caches answers using the TTL value of a response.
optional parameter allows overriding cached entry validity

By default, Angie will look up both IPv4 and IPv6 addresses while resolving.
disables looking up of IPv4 addresses
disables looking up of IPv6 addresses
optional parameter; enables the collection of DNS server request and response metrics (/status/resolvers/<zone>) in the specified zone.

Tip: To prevent DNS spoofing, it is recommended to configure DNS servers in a properly secured trusted local network.

Tip: When running in Docker, use its internal DNS server address such as

Sets a timeout for name resolution, for example:

Sets the root directory for requests. For example, with the following configuration The

The path value can contain variables, except $document_root and $realpath_root.

A path to the file is constructed by merely adding a URI to the value of the root directive. If a URI has to be modified, the alias directive should be used.

Allows access if all (all) or at least one (any) of these modules allow
access: Access, Auth Basic, or Auth Request.

If the directive is set to a non-zero value, Angie will try to minimize the number of send operations on client sockets by using either NOTE_LOWAT flag of the kqueue method or the SO_SNDLOWAT socket option. In both cases the specified size is used.

Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed.

Enables or disables the use of sendfile().

aio can be used to pre-load data for sendfile():
In this configuration, sendfile() is called with the SF_NODISKIO flag which causes it not to block on disk I/O, but, instead, report back that the data are not in memory. Angie then initiates an asynchronous data load by reading one byte. On the first read, the FreeBSD kernel loads the first 128K bytes of a file into memory, although next reads will only load data in 16K chunks. This can be changed using the read_ahead directive.

Limits the amount of data that can be transferred in a single sendfile() call. Without the limit, one fast connection may seize the worker process entirely.

Sets configuration for a virtual server. There is no clear separation between IP-based (based on the IP address) and name-based (based on the "Host" request header field) virtual servers. Instead, the listen directives describe all addresses and ports that should accept connections for the server, and the server_name directive lists all server names. Example configurations are provided in the How Angie processes a request document.

Sets names of a virtual server, for example:
The first name becomes the primary server name.

Server names can include an asterisk ("*") replacing the first or last part of a name:
Such names are called wildcard names. The first two of the names mentioned above can be combined in one:

It is also possible to use regular expressions in server names, preceding the name with a tilde ("~"):

Regular expressions can contain captures that can later be used in other directives:

Named captures in regular expressions create variables that can later be used in other directives:

Note: If the directive is set to $hostname, the hostname of the web server is used.

You can also specify an empty server name (

When searching for a virtual server by a name that is matched by multiple options (for example, both a wildcard and a regular expression), the first matching option will be selected in the following priority order:
exact name;
longest name with a wildcard at the beginning, such as
longest name with a wildcard at the end, such as
the first matching regular expression (in the order of appearance), including an empty name.

Attention: To make

Default http, server, location
Enables or disables the use of the primary server name, specified by the server_name directive, in absolute redirects issued by Angie.
the primary server name, specified by the server_name directive
the name from the "Host" request header field is used. If this field is not present, the IP address of the server is used.
The use of a port in redirects is controlled by the port_in_redirect directive.

Default http
Sets the bucket size for the server names hash tables. The default value depends on the size of the processor's cache line. The details of setting up hash tables are provided in a separate document.

Sets the maximum size of the server names hash tables. The details of setting up hash tables are provided in a separate document.

Enables or disables emitting Angie version
on error pages and in the

Added in version 1.1.0: PRO
In Angie PRO, if the directive sets a string, which may also contain variables, the error pages and the

Default — server, location, if in location
Allocates a shared memory zone to collect metrics for /status/http/location_zones/<zone> and /status/http/server_zones/<zone>. Multiple

The single-value zone syntax aggregates all metrics for its context in the same shared memory zone:

The alternative syntax uses the following parameters:
key: A string with variables, whose value determines the grouping of requests in the zone. All requests producing identical values after substitution are grouped together. If substitution yields an empty value, metrics aren't updated.
zone: The name of the shared memory zone.
count (optional): The maximum number of separate groups for collecting metrics. If new key values would exceed this limit, they are grouped under zone instead. The default value is 1.

In the following example, all requests sharing the same The resulting metrics are thus split between individual hosts in the API output.

Default http, server, location
Sets the size of the buffer used for storing the response body of a subrequest. By default, the buffer size is equal to one memory page. This is either
Note: The directive is applicable only for subrequests with response bodies saved into memory. For example, such subrequests are created by SSI.

Enables or disables the use of the TCP_NODELAY option. The option is enabled when a connection is transitioned into the keep-alive state. Additionally, it is enabled on SSL connections, for unbuffered proxying, and for WebSocket proxying.

Enables or disables the use of the TCP_NOPUSH socket option on FreeBSD or the TCP_CORK socket option on Linux. The options are enabled only when sendfile is used. Enabling the option allows sending the response header and the beginning of a file in one packet, on Linux and FreeBSD 4.*; sending a file in full packets.

Checks the existence of files in the specified order and uses the first found file for request processing; the processing is performed in the current context. The path to a file is constructed from the file parameter according to the root and alias directives. It is possible to check directory's existence by specifying a slash at the end of a name, e.g. $uri/. If none of the files were found, an internal redirect to the uri specified in the last parameter is made. For example:

The last parameter can also point to a named location, as shown in examples below. The last parameter can also be a code:

In the following example, the try_files directive is equivalent to

And here, try_files checks the existence of the PHP file before passing the request to the FastCGI server.

Default http, server, location
Maps file name extensions to MIME types of responses. Extensions are case-insensitive. Several extensions can be mapped to one type, for example:
A sufficiently full mapping table is distributed with Angie in the
To make a particular location emit the "application/octet-stream" MIME type for all requests, the following configuration can be used:

Sets the bucket size for the types hash tables. The details of setting up hash tables are provided in a separate document.
Sets the maximum size of the types hash tables. The details of setting up hash tables are provided in a separate document.
Enables or disables the use of underscores in client request header fields. When the use of underscores is disabled, request header fields whose names contain underscores are marked as invalid and become subject to the ignore_invalid_headers directive. If the directive is specified on the server level, the value from the default server can be used.
Sets the bucket size for the variables hash table. The details of setting up hash tables are provided in a separate document.
Sets the maximum size of the variables hash table. The details of setting up hash tables are provided in a separate document.
The Angie version
argument with the specified name in the request line
arguments in the request line
client address in a binary form, value's length is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses
number of bytes sent to a client, not counting the response header; this variable is compatible with the "%B" parameter of the mod_log_config Apache module
number of bytes sent to a client
connection serial number
current number of requests made through a connection
connection time in seconds with a milliseconds resolution
"Content-Length" request header field
"Content-Type" request header field
same as $uri
in this order of precedence: host name from the request line, or host name from the "Host" request header field, or the server name matching a request
host name
arbitrary request header field; the name is the field name converted to lower case with dashes replaced by underscores
"on" if connection operates in SSL mode, or an empty string otherwise
"?" if a request line has arguments, or an empty string otherwise
setting this variable enables response rate limiting; see limit_rate
current time in seconds with the milliseconds resolution
PID of the worker process
"p" if request was pipelined, "." otherwise
Client address from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the proxy_protocol parameter in the listen directive.
Client port from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the proxy_protocol parameter in the listen directive.
Server address from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the proxy_protocol parameter in the listen directive.
Server port from the PROXY protocol header. The PROXY protocol must be previously enabled by setting the proxy_protocol parameter in the listen directive.
TLV from the PROXY Protocol header. The name can be a TLV type or its numeric value. In the latter case, the value is hexadecimal and should be prefixed with 0x:
SSL TLVs can also be accessed by TLV type name or its numeric value, both prefixed by
The following TLV type names are supported:
alpn (0x01) - upper layer protocol used over the connection
authority (0x02) - host name value passed by the client
unique_id (0x05) - unique connection id
netns (0x30) - name of the namespace
ssl (0x20) - binary SSL TLV structure
The following SSL TLV type names are supported:
ssl_version (0x21) - SSL version used in client connection
ssl_cn (0x22) - SSL certificate Common Name
ssl_cipher (0x23) - name of the used cipher
ssl_sig_alg (0x24) - algorithm used to sign the certificate
ssl_key_alg (0x25) - public-key algorithm
Also, the following special SSL TLV type name is supported:
ssl_verify - client SSL certificate verification result, 0 if the client presented a certificate and it was successfully verified, non-zero otherwise.
The PROXY protocol must be previously enabled by setting the proxy_protocol parameter in the listen directive.
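Added example, not taken from the Angie documentation or source: a Python sketch of how the TLV type names listed above map onto $proxy_protocol_tlv_* variable names, run over a constructed PROXY protocol v2 header. The function names, the sample header and the restriction to the PROXY command over TCP/IPv4 are assumptions of this example; the length checks are there because every TLV value is supplied by whatever peer sent the header.

```python
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature

# TLV type names from the list above; any other type is addressed as 0xNN.
TLV_NAMES = {0x01: "alpn", 0x02: "authority", 0x05: "unique_id",
             0x20: "ssl", 0x30: "netns"}
SSL_TLV_NAMES = {0x21: "ssl_version", 0x22: "ssl_cn", 0x23: "ssl_cipher",
                 0x24: "ssl_sig_alg", 0x25: "ssl_key_alg"}


def iter_tlvs(buf):
    """Yield (type, value) pairs, rejecting lengths that overrun the buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 3:
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if length > len(buf) - pos:
            raise ValueError("TLV length exceeds remaining data")
        yield tlv_type, buf[pos:pos + length]
        pos += length


def tlv_variables(header):
    """Map a v2 header (PROXY command, TCP over IPv4) to variable names."""
    if len(header) < 16 or header[:12] != SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, family, length = struct.unpack_from("!BBH", header, 12)
    if ver_cmd != 0x21 or family != 0x11:
        raise ValueError("this example handles only PROXY over TCP/IPv4")
    body = header[16:16 + length]
    if len(body) != length or length < 12:
        raise ValueError("truncated header")
    variables = {}
    for tlv_type, value in iter_tlvs(body[12:]):  # skip addresses and ports
        name = TLV_NAMES.get(tlv_type, "0x%02x" % tlv_type)
        variables["proxy_protocol_tlv_" + name] = value
        if tlv_type == 0x20:
            # SSL TLV layout: client flags (1 byte), verify (4 bytes), sub-TLVs
            if len(value) < 5:
                raise ValueError("truncated SSL TLV")
            _client, verify = struct.unpack_from("!BI", value, 0)
            variables["proxy_protocol_tlv_ssl_verify"] = verify
            for sub_type, sub_value in iter_tlvs(value[5:]):
                sub = SSL_TLV_NAMES.get(sub_type, "ssl_0x%02x" % sub_type)
                variables["proxy_protocol_tlv_" + sub] = sub_value
    return variables


def tlv(tlv_type, value):
    """Encode one TLV: type (1 byte), big-endian length (2 bytes), value."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def build_sample():
    """Constructed sample header (documentation addresses), not a capture."""
    ssl = (struct.pack("!BI", 0x03, 0)  # SSL with client certificate, verify=0
           + tlv(0x21, b"TLSv1.3") + tlv(0x22, b"client.example"))
    tlvs = tlv(0x01, b"h2") + tlv(0x02, b"www.example.com") + tlv(0x20, ssl)
    addrs = bytes([192, 0, 2, 10, 192, 0, 2, 1]) + struct.pack("!HH", 51000, 443)
    body = addrs + tlvs
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


if __name__ == "__main__":
    for name, value in sorted(tlv_variables(build_sample()).items()):
        print("$%s = %r" % (name, value))
```

A header cut short, or a TLV whose declared length runs past the end of the header, raises ValueError instead of yielding partial values.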
same as $args
an absolute pathname corresponding to the root or alias directive's value for the current request, with all symbolic links resolved to real paths
client address
client port
user name supplied with the Basic authentication
full original request line
Request body. The variable's value is made available in locations processed by the proxy_pass, fastcgi_pass, uwsgi_pass and scgi_pass directives when the request body was read to a memory buffer.
Name of a temporary file with the request body. At the end of processing, the file needs to be removed. To always write the request body to a file, client_body_in_file_only needs to be enabled. When the name of a temporary file is passed in a proxied request or in a request to a FastCGI/uwsgi/SCGI server, passing the request body should be disabled by the proxy_pass_request_body off, fastcgi_pass_request_body off, uwsgi_pass_request_body off or scgi_pass_request_body off directives, respectively.
"OK" if a request has completed, or an empty string otherwise
file path for the current request, based on the root or alias directives, and the request URI
unique request identifier generated from 16 random bytes, in hexadecimal
request length (including request line, header, and request body)
request method, usually
request processing time in seconds with a milliseconds resolution; time elapsed since the first bytes were read from the client
full original request URI (with arguments)
request scheme, "http" or "https"
arbitrary response header field; the name is the field name converted to lower case with dashes replaced by underscores
arbitrary field sent at the end of the response; the name is the field name converted to lower case with dashes replaced by underscores
The address of the server which accepted a request. Computing the variable's value usually requires one system call. To avoid it, the listen directives must specify addresses and use the
name of the server which accepted a request
port of the server which accepted a request
request protocol, usually "HTTP/1.0", "HTTP/1.1", or "HTTP/2.0"
response status
local time in the ISO 8601 standard format
local time in the Common Log Format
information about the client TCP connection; available on systems that support the
Current URI in the request, normalized. The value of
Directives#
absolute_redirect#
aio#
location /video/ {
aio on;
output_buffers 1 64k;
}
options VFS_AIO
kldload aio
location /video/ {
aio on;
directio 512;
output_buffers 1 128k;
}
location /video/ {
sendfile on;
aio on;
directio 8m;
}
location /video/ {
sendfile on;
aio threads;
}
aio threads=pool$disk;
aio_write#
alias#
location /i/ {
alias /data/w3/images/;
}
/i/top.gif, the file /data/w3/images/top.gif will be sent.
location ~ ^/users/(.+\.(?:gif|jpe?g|png))$ {
alias /data/w3/images/$1;
}
location /images/ {
alias /data/w3/images/;
}
location /images/ {
root /data/w3;
}
auth_delay#
auto_redirect#
location /prefix/ {
auto_redirect on;
}
/prefix causes a redirect to /prefix/.
on explicitly enables redirection, while off disables it. When set to default, redirection is enabled only if the location processes requests with api, proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass, memcached_pass, or grpc_pass.
chunked_transfer_encoding#
chunked_transfer_encoding on | off;
chunked_transfer_encoding on;
client_body_buffer_size#
client_body_buffer_size size;
client_body_buffer_size 8k|16k;
client_body_in_file_only#
client_body_in_file_only on | clean | off;
client_body_in_file_only off;
on
clean
client_body_in_single_buffer#
client_body_in_single_buffer on | off;
client_body_in_single_buffer off;
client_body_temp_path#
client_body_temp_path path [level1 [level2 [level3]]];
client_body_temp_path client_body_temp; (the path depends on the --http-proxy-temp-path build option)
client_body_temp_path /spool/angie/client_temp 1 2;
/spool/angie/client_temp/7/45/00000123457
client_body_timeout#
client_header_buffer_size#
client_header_timeout#
client_max_body_size#
0
connection_pool_size#
256 (bytes)
512 (bytes)
default_type#
directio#
directio 4m;
directio_alignment#
disable_symlinks#
disable_symlinks off;
disable_symlinks on | if_not_owner [from=part];
disable_symlinks off;
off
on
if_not_owner
from=part
on and if_not_owner), all components of the pathname are normally checked. Checking of symbolic links in the initial part of the pathname may be avoided by specifying additionally the from=part parameter. In this case, symbolic links are checked only from the pathname component that follows the specified initial part. If the value is not an initial part of the pathname checked, the whole pathname is checked as if this parameter was not specified at all. If the value matches the whole file name, symbolic links are not checked. The parameter value can contain variables.
disable_symlinks on from=$document_root;
openat() and fstatat() interfaces. Such systems include modern versions of FreeBSD, Linux, and Solaris.
on and if_not_owner add a processing overhead.
error_page#
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
error_page 404 =200 /empty.gif;
error_page 404 = /404.php;
location / {
error_page 404 = @fallback;
}
location @fallback {
proxy_pass http://backend;
}
error_page 403 http://example.com/forbidden.html;
error_page 404 =301 http://example.com/notfound.html;
etag#
http#
if_modified_since#
if_modified_since off | exact | before;
if_modified_since exact;
off
exact
before
ignore_invalid_headers#
internal#
error_page 404 /404.html;
location = /404.html {
internal;
}
keepalive_disable#
keepalive_disable none | browser ...;
keepalive_disable msie6;
none
msie6
safari
keepalive_requests#
keepalive_time#
keepalive_timeout#
keepalive_timeout timeout [header_timeout];
keepalive_timeout 75s;
timeout
0
large_client_header_buffers#
large_client_header_buffers number size;
large_client_header_buffers 4 8k;
limit_except#
GET, HEAD, POST, PUT, DELETE, MKCOL, COPY, MOVE, OPTIONS, PROPFIND, PROPPATCH, LOCK, UNLOCK or PATCH. Allowing the GET method also enables the HEAD method. Access to other methods can be limited using the directives from Access and Auth Basic modules:
limit_except GET {
allow 192.168.1.0/32;
deny all;
}
GET and HEAD.
limit_rate#
map $slow $rate {
1 4k;
2 8k;
}
limit_rate $rate;
server {
if ($slow) {
set $limit_rate 4k;
}
}
limit_rate_after#
location /flv/ {
flv;
limit_rate_after 500k;
limit_rate 50k;
}
lingering_close#
on
always
off
lingering_time#
lingering_timeout#
lingering_timeout.
listen#
listen address[:port] [default_server] [ssl] [http2 | quic] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on | off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen port [default_server] [ssl] [http2 | quic] [proxy_protocol] [setfib=number] [fastopen=number] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [ipv6only=on | off] [reuseport] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen unix:path [default_server] [ssl] [http2 | quic] [proxy_protocol] [backlog=number] [rcvbuf=size] [sndbuf=size] [accept_filter=filter] [deferred] [bind] [so_keepalive=on|off|[keepidle]:[keepintvl]:[keepcnt]];
listen *:80 | *:8000;
listen 127.0.0.1:8000;
listen 127.0.0.1;
listen 8000;
listen *:8000;
listen localhost:8000;
listen [::]:8000;
listen [::1];
unix: prefix:
listen unix:/var/run/angie.sock;
default_server
default_server parameter, the default server for the listening socket will be the first server in the configuration that serves this socket.
ssl
http2
quic
quic set, you can also specify reuseport so multiple worker processes can be used.
proxy_protocol
setfib=number
fastopen=number
backlog=number
backlog parameter in the listen() call that limits the maximum length for the queue of pending connections. By default, backlog is set to -1 on FreeBSD, DragonFly BSD, and macOS, and to 511 on other platforms.
rcvbuf=size
SO_RCVBUF option) for the listening socket.
sndbuf=size
SO_SNDBUF option) for the listening socket.
accept_filter=filter
SO_ACCEPTFILTER option) for the listening socket that filters incoming connections before passing them to accept(). This works only on FreeBSD and NetBSD 5.0+. Possible values are dataready and httpready.
deferred
accept() (the TCP_DEFER_ACCEPT socket option) on Linux.
bind
bind() call for a given address:port pair. This is useful because if there are several listen directives with the same port but different addresses, and one of the listen directives listens on all addresses for the given port (*:port), Angie will bind() only to *:port. It should be noted that the getsockname() system call will be made in this case to determine the address that accepted the connection. If the setfib, fastopen, backlog, rcvbuf, sndbuf, accept_filter, deferred, ipv6only, reuseport or so_keepalive parameters are used then for a given address:port pair a separate bind() call will always be made.
ipv6only=on | off
IPV6_V6ONLY socket option) whether an IPv6 socket listening on a wildcard address [::] will accept only IPv6 connections or both IPv6 and IPv4 connections. This parameter is turned on by default. It can only be set once on start.
reuseport
SO_REUSEPORT socket option on Linux 3.9+ and DragonFly BSD, or SO_REUSEPORT_LB on FreeBSD 12+), allowing a kernel to distribute incoming connections between worker processes. This currently works only on Linux 3.9+, DragonFly BSD, and FreeBSD 12+.
so_keepalive=on | off | [keepidle]:[keepintvl]:[keepcnt]
''
on
SO_KEEPALIVE option is turned on for the socket
off
SO_KEEPALIVE option is turned off for the socket
TCP_KEEPIDLE, TCP_KEEPINTVL, and TCP_KEEPCNT socket options. On such systems (currently, Linux 2.4+, NetBSD 5+, and FreeBSD 9.0-STABLE), they can be configured using the keepidle, keepintvl, and keepcnt parameters. One or two parameters may be omitted, in which case the system default setting for the corresponding socket option will be in effect. For example,
so_keepalive=30m::10
listen 127.0.0.1 default_server accept_filter=dataready backlog=1024;
location#
~*
~
location =/ speeds up their processing because the lookup stops at the exact match. Obviously, such locations can't contain nested locations.
location =/ {
#configuration A
}
location / {
#configuration B
}
location /documents/ {
#configuration C
}
location ^~/images/ {
#configuration D
}
location ~*\.(gif|jpg|jpeg)$ {
#configuration E
}
/ request matches configuration A,
/index.html request matches configuration B,
/documents/document.html request matches configuration C,
/images/1.gif request matches configuration D,
/documents/1.jpg request matches configuration E.
location ends with a slash character and auto_redirect is enabled, the following occurs: When a request arrives with the URI that has no trailing slash but otherwise matches the prefix exactly, a permanent 301 code redirect is returned, pointing to the requested URI with the slash appended.
location /user/ {
proxy_pass http://user.example.com;
}
location =/user {
proxy_pass http://login.example.com;
}
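Added example, not part of the Angie documentation: a Python model of the lookup order that produces the A to E results listed above (exact match, longest prefix, ^~, then regular expressions in configuration order). It assumes case-sensitive prefix comparison, uses Python's re in place of PCRE, and does not model combined or nested locations; the function names are hypothetical.

```python
import re

# The five locations from the example above as (modifier, pattern, label).
LOCATIONS = [
    ("=",  "/",                  "A"),
    ("",   "/",                  "B"),
    ("",   "/documents/",        "C"),
    ("^~", "/images/",           "D"),
    ("~*", r"\.(gif|jpg|jpeg)$", "E"),
]


def longest_prefix(uri, locations):
    """Return the longest matching prefix location, or None."""
    best = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    return best


def first_regex(uri, locations):
    """Return the first regex location, in configuration order, that matches."""
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            if re.search(pat, uri, re.IGNORECASE if mod == "~*" else 0):
                return (mod, pat, label)
    return None


def select_location(uri, locations=LOCATIONS):
    """Label of the location that handles a normalized URI (no query string)."""
    for mod, pat, label in locations:
        if mod == "=" and uri == pat:
            return label                  # exact match stops the lookup
    prefix = longest_prefix(uri, locations)
    if prefix and prefix[0] == "^~":
        return prefix[2]                  # ^~ suppresses the regex pass
    regex = first_regex(uri, locations)
    if regex:
        return regex[2]                   # a regex overrides a plain prefix
    return prefix[2] if prefix else None


def overridden_prefix(uri, locations=LOCATIONS):
    """If a regex takes the request away from its longest prefix location,
    return (prefix_label, regex_label); otherwise None. Worth checking when
    the prefix block carries allow/deny or auth settings."""
    if any(mod == "=" and uri == pat for mod, pat, _ in locations):
        return None
    prefix = longest_prefix(uri, locations)
    regex = first_regex(uri, locations)
    if prefix and regex and prefix[0] != "^~":
        return (prefix[2], regex[2])
    return None
```

overridden_prefix("/documents/1.jpg") returns ("C", "E"): access rules placed only in configuration C would not apply to that request.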
Combined locations#
location =/
^~/images/
~*\.(gif|jpg|jpeg)$ {
# general configuration
}
location =/
@named_combined {
#...
}
location ~*/match(ing|es|er)$ ... .
location cannot immediately contain either proxy_pass and similar directives with URI set, or api or alias. However, these directives can be used by locations nested inside a combined location.
log_not_found#
log_subrequest#
max_headers#
400 (Bad Request) error is returned.
max_ranges#
0
merge_slashes#
//scripts/one.php request would not match
location /scripts/ { }
/scripts/one.php.
msie_padding#
msie_refresh#
open_file_cache#
open_file_cache off;
open_file_cache max=N [inactive=time];
open_file_cache off;
max
inactive
off
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
open_file_cache_errors#
open_file_cache_errors on | off;
open_file_cache_errors off;
open_file_cache_min_uses#
open_file_cache_min_uses number;
open_file_cache_min_uses 1;
open_file_cache_valid#
output_buffers#
port_in_redirect#
postpone_output#
0
read_ahead#
recursive_error_pages#
request_pool_size#
reset_timedout_connection#
reset_timedout_connection on | off;
reset_timedout_connection off;
resolver#
resolver address ... [valid=time] [ipv4=on | off] [ipv6=on | off] [status_zone=zone];
resolver 127.0.0.53 [::1]:5353;
valid
resolver 127.0.0.53 [::1]:5353 valid=30s;
ipv4=off
ipv6=off
status_zone
127.0.0.11.
resolver_timeout#
resolver_timeout 5s;
root#
location /i/ {
root /data/w3;
}
/data/w3/i/top.gif file will be sent in response to the /i/top.gif request.
satisfy#
location / {
satisfy any;
allow 192.168.1.0/32;
deny all;
auth_basic "closed site";
auth_basic_user_file conf/htpasswd;
}
send_lowat#
send_timeout#
sendfile#
location /video/ {
sendfile on;
tcp_nopush on;
aio on;
}
sendfile_max_chunk#
server#
server_name#
server {
server_name example.com www.example.com;
}
server {
server_name example.com *.example.com www.example.*;
}
server {
server_name .example.com;
}
server {
server_name ~^www\d+\.example\.com$ www.example.com;
}
server {
server_name ~^(www\.)?(.+)$;
location / {
root /sites/$2;
}
}
server {
server_name _;
location / {
root /sites/default;
}
}
server {
server_name ~^(www\.)?(?<domain>.+)$;
location / {
root /sites/$domain;
}
}
server {
server_name _;
location / {
root /sites/default;
}
}
""):
server {
server_name www.example.com "";
}
*.example.com;
mail.*;
server_name work with TLS, you need to terminate the TLS connection. The directive matches the Host in an HTTP request, so the handshake must be completed and the connection decrypted.
server_name_in_redirect#
server_name_in_redirect on | off;
server_name_in_redirect off;
on
off
server_names_hash_bucket_size#
server_names_hash_bucket_size size;
server_names_hash_bucket_size 32 | 64 | 128;
server_names_hash_max_size#
server_tokens#
Server response header field. The build parameter enables emitting the build name, set by the respective configure parameter, along with the version.
Server response header field will use the string's variable-interpolated value instead of server name, version, and build name. An empty string disables emitting the Server field.
status_zone#
status_zone off | zone | key zone=zone[:count];
server contexts can share the same zone for data collection; the special value off disables data collection in nested location blocks.
server {
listen 80;
server_name *.example.com;
status_zone single;
# ...
}
$host value are grouped into the host_zone. Metrics are tracked separately for each unique $host until there are 10 metric groups. Once this limit is reached, any additional $host values are included under the host_zone:
server {
listen 80;
server_name *.example.com;
status_zone $host zone=host_zone:10;
location / {
proxy_pass http://example.com;
}
}
subrequest_output_buffer_size#
subrequest_output_buffer_size size;
subrequest_output_buffer_size 4k | 8k;
4K or 8K, depending on a platform. It can be made smaller, however.
tcp_nodelay#
tcp_nopush#
try_files#
location /images/ {
try_files $uri /images/default.gif;
}
location = /images/default.gif {
expires 30s;
}
location / {
try_files $uri $uri/index.html $uri.html =404;
}
location / {
try_files $uri $uri/ @drupal;
}
location / {
error_page 404 = @drupal;
log_not_found off;
}
location ~ \.php$ {
try_files $uri @drupal;
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
# ...
}
Example in proxying Mongrel:
location / {
try_files /system/maintenance.html
$uri $uri/index.html $uri.html
@mongrel;
}
location @mongrel {
proxy_pass http://mongrel;
}
Example for Drupal/FastCGI:
location / {
try_files $uri $uri/ @drupal;
}
location ~ \.php$ {
try_files $uri @drupal;
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param QUERY_STRING $args;
# ... other fastcgi_param
}
location @drupal {
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to/index.php;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_param QUERY_STRING q=$uri&$args;
# ... other fastcgi_param
}
Example for Wordpress and Joomla:
location / {
try_files $uri $uri/ @wordpress;
}
location ~ \.php$ {
try_files $uri @wordpress;
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to$fastcgi_script_name;
# ... other fastcgi_param
}
location @wordpress {
fastcgi_pass ...;
fastcgi_param SCRIPT_FILENAME /path/to/index.php;
# ... other fastcgi_param
}
types#
types { ... }
types text/html html; image/gif gif; image/jpeg jpg;
types {
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
}
conf/mime.types file.
location /download/ {
types { }
default_type application/octet-stream;
}
types_hash_bucket_size#
types_hash_max_size#
underscores_in_headers#
variables_hash_bucket_size#
variables_hash_max_size#
Built-in Variables#
http_core module supports built-in variables with names matching the Apache Server variables. First of all, these are variables representing client request header fields, such as $http_user_agent, $http_cookie, and so on. Also, there are other variables:
$angie_version#
$arg_<name>#
$args#
$binary_remote_addr#
$body_bytes_sent#
$bytes_sent#
$connection#
$connection_requests#
$connection_time#
$content_length#
$content_type#
$document_root#
$document_uri#
$host#
$hostname#
$http_<name>#
$https#
$is_args#
$limit_rate#
$msec#
$pid#
$pipe#
$proxy_protocol_addr#
$proxy_protocol_port#
$proxy_protocol_server_addr#
$proxy_protocol_server_port#
$proxy_protocol_tlv_<name>#
$proxy_protocol_tlv_alpn
$proxy_protocol_tlv_0x01
ssl_:
$proxy_protocol_tlv_ssl_version
$proxy_protocol_tlv_ssl_0x21
$query_string#
$realpath_root#
$remote_addr#
$remote_port#
$remote_user#
$request#
$request_body#
$request_body_file#
$request_completion#
$request_filename#
$request_id#
$request_length#
$request_method#
GET or POST
$request_time#
$request_uri#
$scheme#
$sent_http_<name>#
$sent_trailer_<name>#
$server_addr#
bind parameter.
$server_name#
$server_port#
$server_protocol#
$status#
$time_iso8601#
$time_local#
$tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd, $tcpinfo_rcv_space#
TCP_INFO socket option
$uri#
$uri may change during request processing, e.g. when doing internal redirects, or when using index files