README.md: 2 additions & 2 deletions
@@ -261,7 +261,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
261
261
| <aname="log-format"></a>deis-router | deployment |[router.deis.io/nginx.logFormat](#log-format)|`"[$time_iso8601] - $app_name - $remote_addr - $remote_user - $status - "$request" - $bytes_sent - "$http_referer" - "$http_user_agent" - "$server_name" - $upstream_addr - $http_host - $upstream_response_time - $request_time"`| Nginx access log format. **Warning:** if you change this to a non-default value, log parsing in monitoring subsystem will be broken. Use this parameter if you completely understand what you're doing. |
262
262
| <aname="ssl-enforce"></a>deis-router | deployment |[router.deis.io/nginx.ssl.enforce](#ssl-enforce)|`"false"`| Whether to respond with a 301 for all HTTP requests with a permanent redirect to the HTTPS equivalent address. |
| <a name="ssl-ciphers"></a>deis-router | deployment | [router.deis.io/nginx.ssl.ciphers](#ssl-ciphers) | `"[TLS_AES_128_GCM_SHA256|TLS_CHACHA20_POLY1305_SHA256]:TLS_AES_256_GCM_SHA384:[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-CHACHA20-POLY1305-OLD]:[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305-OLD]:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"` | nginx `ssl_ciphers`. The default ciphers are taken from the intermediate compatibility section in the [Mozilla Wiki on Security/Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS). If the value is set to the empty string, OpenSSL's default ciphers are used. In _all_ cases, server side cipher preferences (order matters) are used, but equal preference groups can be used to relax that. |
264
+
| <a name="ssl-ciphers"></a>deis-router | deployment | [router.deis.io/nginx.ssl.ciphers](#ssl-ciphers) | `"[TLS_AES_128_GCM_SHA256\|TLS_CHACHA20_POLY1305_SHA256]:TLS_AES_256_GCM_SHA384:[ECDHE-ECDSA-AES128-GCM-SHA256\|ECDHE-ECDSA-CHACHA20-POLY1305\|ECDHE-ECDSA-CHACHA20-POLY1305-OLD]:[ECDHE-RSA-AES128-GCM-SHA256\|ECDHE-RSA-CHACHA20-POLY1305\|ECDHE-RSA-CHACHA20-POLY1305-OLD]:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"` | nginx `ssl_ciphers`. The default ciphers are taken from the intermediate compatibility section in the [Mozilla Wiki on Security/Server Side TLS](https://wiki.mozilla.org/Security/Server_Side_TLS). If the value is set to the empty string, OpenSSL's default ciphers are used. In _all_ cases, server side cipher preferences (order matters) are used, but equal preference groups can be used to relax that. |
| <aname="ssl-session-timeout"></a>deis-router | deployment |[router.deis.io/nginx.ssl.sessionTimeout](#ssl-session-timeout)|`"10m"`| nginx `ssl_session_timeout` expressed in units `ms`, `s`, `m`, `h`, `d`, `w`, `M`, or `y`. |
267
267
| <aname="ssl-use-session-tickets"></a>deis-router | deployment |[router.deis.io/nginx.ssl.useSessionTickets](#ssl-use-session-tickets)|`"true"`| Whether to use [TLS session tickets](http://tools.ietf.org/html/rfc5077) for session resumption without server-side state. |
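Review bot: In the new ssl-ciphers row the default value now reads `[TLS_AES_128_GCM_SHA256\|TLS_CHACHA20_POLY1305_SHA256]:...` inside the code span, so anyone copying it from the raw README, or from a renderer that does not unescape pipes in table cells, will paste the backslashes into the `router.deis.io/nginx.ssl.ciphers` annotation. Please add a sentence to the description cell stating that the backslashes are Markdown table escaping and are not part of the value, and that equal preference groups are written with a bare `|`. Since this row is being rewritten anyway, it is also worth checking whether the description still holds: the default string ends with several `DES-CBC3-SHA` suites while the text attributes it to the Mozilla intermediate profile.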
@@ -270,7 +270,7 @@ _Note that Kubernetes annotation maps are all of Go type `map[string]string`. A
270
270
| <aname="ssl-hsts-max-age"></a>deis-router | deployment |[router.deis.io/nginx.ssl.hsts.maxAge](#ssl-hsts-max-age)|`"10886400"`| Maximum number of seconds user agents should observe HSTS rewrites. |
271
271
| <aname="ssl-hsts-include-sub-domains"></a>deis-router | deployment |[router.deis.io/nginx.ssl.hsts.includeSubDomains](#ssl-hsts-include-sub-domains)|`"false"`| Whether to enforce HSTS for subsequent requests to all subdomains of the original request. |
272
272
| <aname="ssl-hsts-preload"></a>deis-router | deployment |[router.deis.io/nginx.ssl.hsts.preload](#ssl-hsts-preload)|`"false"`| Whether to allow the domain to be included in the HSTS preload list. |
273
-
| <aname="ssl-early-data-methods"></a>deis-router | deployment |[router.deis.io/nginx.ssl.earlyDataMethods](#ssl-early-data-methods)| `"GET|HEAD|OPTIONS"` | enables nginx `ssl_early_data` (TLS 1.3 0-RTT) for the listes HTTP methods (set to `""` to disable, valid methods: `"GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS"`). Unsafe or non-idempotent methods should be avoided, to prevent replay attacks. The header `Early-Data: 1` is forwarded to apps, when Early Data is used and they can reply with HTTP status 425 to block it, causing the client to retry without Early-Data. Requires "TLSv1.3" in `"protocols"` to work.|
273
+
| <aname="ssl-early-data-methods"></a>deis-router | deployment |[router.deis.io/nginx.ssl.earlyDataMethods](#ssl-early-data-methods)|`"GET\|HEAD\|OPTIONS"`| enables nginx `ssl_early_data` (TLS 1.3 0-RTT) for the listes HTTP methods (set to `""` to disable, valid methods: `"GET\|HEAD\|POST\|PUT\|DELETE\|PATCH\|OPTIONS"`). Unsafe or non-idempotent methods should be avoided, to prevent replay attacks. The header `Early-Data: 1` is forwarded to apps, when Early Data is used and they can reply with HTTP status 425 to block it, causing the client to retry without Early-Data. Requires "TLSv1.3" in `"protocols"` to work.|
274
274
| <aname="proxy-buffers-enabled"></a>deis-router | deployment |[router.deis.io/nginx.proxyBuffers.enabled](#proxy-buffers-enabled)|`"false"`| Whether to enabled proxy buffering for all applications (this can be overridden on an application basis). |
275
275
| <aname="proxy-buffers-number"></a>deis-router | deployment |[router.deis.io/nginx.proxyBuffers.number](#proxy-buffers-number)|`"8"`|`number` argument to the nginx `proxy_buffers` directive for all applications (this can be overridden on an application basis). |
276
276
| <aname="proxy-buffers-size"></a>deis-router | deployment |[router.deis.io/nginx.proxyBuffers.size](#proxy-buffers-size)|`"4k"`|`size` argument to the nginx `proxy_buffers` directive expressed in bytes (no suffix), kilobytes (suffixes `k` and `K`), or megabytes (suffixes `m` and `M`). This setting applies to all applications, but can be overridden on an application basis. |
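Review bot: The rewritten ssl-early-data-methods row still carries the typo "for the listes HTTP methods"; since the line is being replaced, change it to "listed". The same cell lists `POST`, `PUT`, `DELETE` and `PATCH` as valid methods and then says unsafe or non-idempotent methods should be avoided to prevent replay attacks, so it would help to state outright that the default `GET|HEAD|OPTIONS` is the recommended set and that apps receiving `Early-Data: 1` need to answer 425 for any request they cannot safely process twice. As with the ciphers row, note that the `\|` inside the backticks is table escaping and not part of the annotation value, and spell out which annotation `"protocols"` refers to.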