NGINX Configuration Directive Reference
Almost all the configuration directives for Zimbra NGINX Proxy are controlled by LDAP attributes, and in some cases, by LocalConfig values. To simplify the Proxy Configuration, the NGINX Proxy Configuration Generator reads these LDAP/LocalConfig values, and generates the Proxy configuration files. To allow more flexibility to the process of config generation, the Config Generator reads in a set of template files, substitutes certain keywords with the actual values from LDAP/LocalConfig, and generates the configuration files for use with NGINX.
Both, the Proxy configuration files, and the Proxy configuration templates, are hierarchical in nature, which means that a main, top-level configuration file or template, includes other configuration files or templates respectively. Refer to the NGINX Configuration Structure for the Proxy Configuration Inclusion Hierarchy
Configuration Keywords
core.cprefix
NGINX Keyword: core.cprefix Description: Common config file prefix Controlling Attribute: (none) Default Value: nginx.conf Config Text: nginx.conf How to modify: N/A
core.includes
NGINX Keyword: core.includes Description: Include directory (relative to ${core.workdir}/conf) containing sub-configuration files Controlling Attribute: (none) Default Value: nginx/includes Config Text: nginx/includes How to modify: N/A
core.tprefix
NGINX Keyword: core.tprefix Description: Common template file prefix Controlling Attribute: (none) Default Value: nginx.conf Config Text: nginx.conf How to modify: N/A
core.workdir
NGINX Keyword: core.workdir Description: Working Directory for NGINX worker processes Controlling Attribute: (none) Default Value: /opt/zimbra Config Text: /opt/zimbra How to modify: N/A
mail.:auth_http
NGINX Keyword: mail.:auth_http Description: List of mail route lookup handlers (i.e. servers for which zimbraReverseProxyLookupTarget is true) Controlling Attribute: zimbraReverseProxyLookupTarget Default Value: [] Current Value: [<server>:7072] Config Text: auth_http <server>:7072/service/extension/nginx-lookup; How to modify: zmprov ms <server> zimbraReverseProxyLookupTarget TRUE ; to add a server to route-lookup list zmprov ms <server> zimbraReverseProxyLookupTarget FALSE ; to remove a server from route-lookup list
mail.authwait
NGINX Keyword: mail.authwait Description: Time delay (ms) after which an incorrect POP/IMAP login attempt will be rejected Controlling Attribute: zimbraReverseProxyAuthWaitInterval Default Value: 10000 Config Text: 10000ms How to modify: zmprov mcf zimbraReverseProxyAuthWaitInterval 15s ; s=seconds, m=minutes, h=hours, d=days
mail.defaultrealm
NGINX Keyword: mail.defaultrealm Description: Default SASL realm used in case Kerberos principal does not contain realm information Controlling Attribute: zimbraReverseProxyDefaultRealm Default Value: Config Text: How to modify: zmprov ms <server> zimbraReverseProxyDefaultRealm MYREALM.COM
mail.dpasswd
NGINX Keyword: mail.dpasswd Description: Password for master credentials used by NGINX to log in to upstream for GSSAPI authentication Controlling Attribute: ldap_nginx_password Default Value: zmnginx Config Text: zmnginx How to modify: N/A
mail.enabled
NGINX Keyword: mail.enabled Description: Indicates whether Mail Proxy is enabled Controlling Attribute: zimbraReverseProxyMailEnabled Default Value: true Config Text: How to modify: zmprov ms <server> zimbraReverseProxyMailEnabled FALSE
mail.imap.authgssapi.enabled
NGINX Keyword: mail.imap.authgssapi.enabled Description: Whether SASL GSSAPI is enabled for IMAP Controlling Attribute: zimbraReverseProxyImapSaslGssapiEnabled Default Value: false Config Text: How to modify: zmprov ms <server> zimbraReverseProxyImapSaslGssapiEnabled TRUE
mail.imap.authplain.enabled
NGINX Keyword: mail.imap.authplain.enabled Description: Whether SASL PLAIN is enabled for IMAP Controlling Attribute: zimbraReverseProxyImapSaslPlainEnabled Default Value: true Config Text: How to modify: zmprov ms <server> zimbraReverseProxyImapSaslPlainEnabled FALSE
mail.imap.greeting
NGINX Keyword: mail.imap.greeting Description: Proxy IMAP banner message (contains build version if zimbraReverseProxyImapExposeVersionOnBanner is true) Controlling Attribute: zimbraReverseProxyPop3ExposeVersionOnBanner Default Value: Config Text: How to modify: zmprov ms zimbraReverseProxyPop3ExposeVersionOnBanner TRUE
mail.imap.literalauth
NGINX Keyword: mail.imap.literalauth Description: Whether NGINX uses literal strings for user name/password when logging in to upstream IMAP server - if false, NGINX uses quoted strings Controlling Attribute: (none) Default Value: true Config Text: on How to modify: N/A
mail.imap.port
NGINX Keyword: mail.imap.port Description: Mail Proxy IMAP Port Controlling Attribute: zimbraImapProxyBindPort Default Value: 143 Config Text: 143 How to modify: N/A
mail.imap.tls
NGINX Keyword: mail.imap.tls Description: TLS support for IMAP - can be on|off|only - on indicates TLS support present, off indicates TLS support absent, only indicates TLS is enforced on unsecure channel Controlling Attribute: zimbraReverseProxyImapStartTlsMode Default Value: only Config Text: on How to modify: N/A
mail.imapcapa
NGINX Keyword: mail.imapcapa Description: IMAP Capability List Controlling Attribute: zimbraReverseProxyImapEnabledCapability Default Value: [] Current Value: [ACL, BINARY, CATENATE, CHILDREN, CONDSTORE, ENABLE, ESEARCH, ESORT, I18NLEVEL=1, ID, IDLE, IMAP4rev1, LIST-EXTENDED, LITERAL+, MULTIAPPEND, NAMESPACE, QRESYNC, QUOTA, RIGHTS=ektx, SASL-IR, SEARCHRES, SORT, THREAD=ORDEREDSUBJECT, UIDPLUS, UNSELECT, WITHIN] Config Text: "ACL" "BINARY" "CATENATE" "CHILDREN" "CONDSTORE" "ENABLE" "ESEARCH" "ESORT" "I18NLEVEL=1" "ID" "IDLE" "IMAP4rev1" "LIST-EXTENDED" "LITERAL+" "MULTIAPPEND" "NAMESPACE" "QRESYNC" "QUOTA" "RIGHTS=ektx" "SASL-IR" "SEARCHRES" "SORT" "THREAD=ORDEREDSUBJECT" "UIDPLUS" "UNSELECT" "WITHIN" How to modify: N/A
mail.imapid
NGINX Keyword: mail.imapid Description: NGINX response to IMAP ID command Controlling Attribute: (none) Default Value: "NAME" "Zimbra" "VERSION" "5.0" "RELEASE" "zimbra" Current Value: "NAME" "Zimbra" "VERSION" "5.0" "RELEASE" "zimbra" Config Text: "NAME" "Zimbra" "VERSION" "5.0" "RELEASE" "zimbra" How to modify: N/A
mail.imaps.port
NGINX Keyword: mail.imaps.port Description: Mail Proxy IMAPS Port Controlling Attribute: zimbraImapSSLProxyBindPort Default Value: 993 Config Text: 993 How to modify: N/A
mail.ipmax
NGINX Keyword: mail.ipmax Description: IP Login Limit (Throttle) - 0 means infinity Controlling Attribute: zimbraReverseProxyIPLoginLimit Default Value: 0 Config Text: 0 How to modify: N/A
mail.iprej
NGINX Keyword: mail.iprej Description: Rejection message for IP throttle Controlling Attribute: zimbraReverseProxyIpThrottleMsg Default Value: Login rejected from this IP Config Text: Login rejected from this IP How to modify: N/A
mail.ipttl
NGINX Keyword: mail.ipttl Description: Time interval (ms) after which IP Login Counter is reset Controlling Attribute: zimbraReverseProxyIPLoginLimitTime Default Value: 3600000 Config Text: 3600000ms How to modify: N/A
mail.passerrors
NGINX Keyword: mail.passerrors Description: Indicates whether mail proxy will pass any protocol specific errors from the upstream server back to the downstream client Controlling Attribute: zimbraReverseProxyPassErrors Default Value: true Config Text: on How to modify: N/A
mail.pop3.authgssapi.enabled
NGINX Keyword: mail.pop3.authgssapi.enabled Description: Whether SASL GSSAPI is enabled for POP3 Controlling Attribute: zimbraReverseProxyPop3SaslGssapiEnabled Default Value: false Config Text: How to modify: N/A
mail.pop3.authplain.enabled
NGINX Keyword: mail.pop3.authplain.enabled Description: Whether SASL PLAIN is enabled for POP3 Controlling Attribute: zimbraReverseProxyPop3SaslPlainEnabled Default Value: true Config Text: How to modify: N/A
mail.pop3.greeting
NGINX Keyword: mail.pop3.greeting Description: Proxy POP3 banner message (contains build version if zimbraReverseProxyPop3ExposeVersionOnBanner is true) Controlling Attribute: zimbraReverseProxyPop3ExposeVersionOnBanner Default Value: Config Text: How to modify: N/A
mail.pop3.port
NGINX Keyword: mail.pop3.port Description: Mail Proxy POP3 Port Controlling Attribute: zimbraPop3ProxyBindPort Default Value: 110 Config Text: 110 How to modify: N/A
mail.pop3.tls
NGINX Keyword: mail.pop3.tls Description: TLS support for POP3 - can be on|off|only - on indicates TLS support present, off indicates TLS support absent, only indicates TLS is enforced on unsecure channel Controlling Attribute: zimbraReverseProxyPop3StartTlsMode Default Value: only Config Text: on How to modify: N/A
mail.pop3capa
NGINX Keyword: mail.pop3capa Description: POP3 Capability List Controlling Attribute: zimbraReverseProxyPop3EnabledCapability Default Value: [] Current Value: [EXPIRE 31 USER, TOP, UIDL, USER, XOIP] Config Text: "EXPIRE 31 USER" "TOP" "UIDL" "USER" "XOIP" How to modify: N/A
mail.pop3s.port
NGINX Keyword: mail.pop3s.port Description: Mail Proxy POP3S Port Controlling Attribute: zimbraPop3SSLProxyBindPort Default Value: 995 Config Text: 995 How to modify: N/A
mail.sasl_host_from_ip
NGINX Keyword: mail.sasl_host_from_ip Description: Whether to use incoming interface IP address to determine service principal name (if true, IP address is reverse mapped to DNS name, else host name of proxy is used) Controlling Attribute: krb5_service_principal_from_interface_address Default Value: false Config Text: off How to modify: N/A
mail.saslapp
NGINX Keyword: mail.saslapp Description: Application name used by NGINX to initialize SASL authentication Controlling Attribute: (none) Default Value: nginx Config Text: nginx How to modify: N/A
mail.ssl.cert
NGINX Keyword: mail.ssl.cert Description: Mail Proxy SSL certificate file Controlling Attribute: (none) Default Value: /opt/zimbra/conf/nginx.crt Config Text: /opt/zimbra/conf/nginx.crt How to modify: N/A
mail.ssl.ciphers
NGINX Keyword: mail.ssl.ciphers Description: Permitted ciphers for mail proxy Controlling Attribute: zimbraReverseProxySSLCiphers Default Value: !SSLv2:!MD5:HIGH Config Text: !SSLv2:!MD5:HIGH How to modify: N/A
mail.ssl.key
NGINX Keyword: mail.ssl.key Description: Mail Proxy SSL certificate key Controlling Attribute: (none) Default Value: /opt/zimbra/conf/nginx.key Config Text: /opt/zimbra/conf/nginx.key How to modify: N/A
mail.ssl.preferserverciphers
NGINX Keyword: mail.ssl.preferserverciphers Description: Requires protocols SSLv3 and TLSv1 server ciphers be preferred over the client's ciphers Controlling Attribute: (none) Default Value: true Config Text: on How to modify: N/A
mail.timeout
NGINX Keyword: mail.timeout Description: Time interval (ms) after which, if a POP/IMAP connection is inactive, it will be automatically disconnected Controlling Attribute: zimbraReverseProxyInactivityTimeout Default Value: 3600000 Config Text: 3600000ms How to modify: N/A
mail.upstream.imapid
NGINX Keyword: mail.upstream.imapid Description: Whether NGINX issues the IMAP ID command to the upstream server prior to logging in (audit purpose) Controlling Attribute: zimbraReverseProxySendImapId Default Value: true Config Text: on How to modify: N/A
mail.upstream.pop3xoip
NGINX Keyword: mail.upstream.pop3xoip Description: Whether NGINX issues the POP3 XOIP command to the upstream server prior to logging in (audit purpose) Controlling Attribute: zimbraReverseProxySendPop3Xoip Default Value: true Config Text: on How to modify: N/A
mail.usermax
NGINX Keyword: mail.usermax Description: User Login Limit (Throttle) - 0 means infinity Controlling Attribute: zimbraReverseProxyUserLoginLimit Default Value: 0 Config Text: 0 How to modify: N/A
mail.userrej
NGINX Keyword: mail.userrej Description: Rejection message for User throttle Controlling Attribute: zimbraReverseProxyUserThrottleMsg Default Value: Login rejected for this user Config Text: Login rejected for this user How to modify: N/A
mail.userttl
NGINX Keyword: mail.userttl Description: Time interval (ms) after which User Login Counter is reset Controlling Attribute: zimbraReverseProxyUserLoginLimitTime Default Value: 3600000 Config Text: 3600000ms How to modify: N/A
main.connections
NGINX Keyword: main.connections Description: Maximum number of simultaneous connections per worker process Controlling Attribute: zimbraReverseProxyWorkerConnections Default Value: 10240 Config Text: 10240 How to modify: N/A
main.group
NGINX Keyword: main.group Description: The group as which the worker processes will run Controlling Attribute: (none) Default Value: zimbra Config Text: zimbra How to modify: N/A
main.krb5keytab
NGINX Keyword: main.krb5keytab Description: Path to kerberos keytab file used for GSSAPI authentication Controlling Attribute: krb5_keytab Default Value: /opt/zimbra/conf/krb5.keytab Config Text: /opt/zimbra/conf/krb5.keytab How to modify: N/A
main.logfile
NGINX Keyword: main.logfile Description: Log file path (relative to ${core.workdir}) Controlling Attribute: (none) Default Value: log/nginx.log Config Text: log/nginx.log How to modify: N/A
main.loglevel
NGINX Keyword: main.loglevel Description: Log level - can be debug|info|notice|warn|error|crit Controlling Attribute: zimbraReverseProxyLogLevel Default Value: info Config Text: info How to modify: N/A
main.pidfile
NGINX Keyword: main.pidfile Description: PID file path (relative to ${core.workdir}) Controlling Attribute: (none) Default Value: log/nginx.pid Config Text: log/nginx.pid How to modify: N/A
main.user
NGINX Keyword: main.user Description: The user as which the worker processes will run Controlling Attribute: (none) Default Value: zimbra Config Text: zimbra How to modify: N/A
main.workers
NGINX Keyword: main.workers Description: Number of worker processes Controlling Attribute: zimbraReverseProxyWorkerProcesses Default Value: 4 Config Text: 4 How to modify: N/A
memcache.:servers
NGINX Keyword: memcache.:servers Description: List of known memcache servers (i.e. servers having imapproxy service enabled) Controlling Attribute: (none) Default Value: [] Current Value: [<server>:11211] Config Text: servers <server>:11211; How to modify: N/A
memcache.reconnect
NGINX Keyword: memcache.reconnect Description: Time (ms) after which NGINX will attempt to re-establish a broken connection to a memcache server Controlling Attribute: zimbraReverseProxyCacheReconnectInterval Default Value: 60000 Config Text: 60000ms How to modify: N/A
memcache.timeout
NGINX Keyword: memcache.timeout Description: Time (ms) given to a cache-fetch operation to complete Controlling Attribute: zimbraReverseProxyCacheFetchTimeout Default Value: 3000 Config Text: 3000ms How to modify: N/A
memcache.ttl
NGINX Keyword: memcache.ttl Description: Time interval (ms) for which cached entries remain in memcache Controlling Attribute: zimbraReverseProxyCacheEntryTTL Default Value: 3600000 Config Text: 3600000ms How to modify: N/A
memcache.unqual
NGINX Keyword: memcache.unqual Description: Deprecated - always set to false Controlling Attribute: (none) Default Value: false Config Text: off How to modify: N/A
web.:routehandlers
NGINX Keyword: web.:routehandlers Description: List of web route lookup handlers (i.e. servers for which zimbraReverseProxyLookupTarget is true) Controlling Attribute: zimbraReverseProxyLookupTarget Default Value: [] Current Value: [<server>:7072] Config Text: zmroutehandlers <server>:7072/service/extension/nginx-lookup; How to modify: N/A
web.enabled
NGINX Keyword: web.enabled Description: Indicates whether HTTP proxying is enabled Controlling Attribute: zimbraReverseProxyHttpEnabled Default Value: false Config Text: How to modify: N/A
web.http.enabled
NGINX Keyword: web.http.enabled Description: Indicates whether HTTP Proxy will accept connections on HTTP (true unless zimbraReverseProxyMailMode is 'https') Controlling Attribute: (none) Default Value: true Config Text: How to modify: N/A
web.http.maxbody
NGINX Keyword: web.http.maxbody Description: Maximum accepted client request body size (indicated by Content-Length) - if content length exceeds this limit, then request fails with HTTP 413 Controlling Attribute: zimbraFileUploadMaxSize Default Value: 10485760 Config Text: 10485760 How to modify: N/A
web.http.port
NGINX Keyword: web.http.port Description: Web Proxy HTTP Port Controlling Attribute: zimbraMailProxyPort Default Value: 0 Config Text: 80 How to modify: N/A
web.http.uport
NGINX Keyword: web.http.uport Description: Web upstream server port Controlling Attribute: zimbraMailPort Default Value: 80 Config Text: 7070 How to modify: N/A
web.https.enabled
NGINX Keyword: web.https.enabled Description: Indicates whether HTTP Proxy will accept connections on HTTPS (true unless zimbraReverseProxyMailMode is 'http') Controlling Attribute: (none) Default Value: true Config Text: How to modify: N/A
web.https.maxbody
NGINX Keyword: web.https.maxbody Description: Maximum accepted client request body size (indicated by Content-Length) - if content length exceeds this limit, then request fails with HTTP 413 Controlling Attribute: zimbraFileUploadMaxSize Default Value: 10485760 Config Text: 10485760 How to modify: N/A
web.https.port
NGINX Keyword: web.https.port Description: Web Proxy HTTPS Port Controlling Attribute: zimbraMailSSLProxyPort Default Value: 0 Config Text: 443 How to modify: N/A
web.mailmode
NGINX Keyword: web.mailmode Description: Reverse Proxy Mail Mode - can be http|https|both|redirect|mixed Controlling Attribute: zimbraReverseProxyMailMode Default Value: both Config Text: mixed How to modify: N/A
web.routetimeout
NGINX Keyword: web.routetimeout Description: Time interval (ms) given to web route lookup handler to respond to route lookup request (after this time elapses, Proxy fails over to next handler, or fails the request if there are no more lookup handlers) Controlling Attribute: (none) Default Value: 15000 Config Text: 15000ms How to modify: N/A
web.ssl.cert
NGINX Keyword: web.ssl.cert Description: Web Proxy SSL certificate path Controlling Attribute: (none) Default Value: /opt/zimbra/conf/nginx.crt Config Text: /opt/zimbra/conf/nginx.crt
web.ssl.key
NGINX Keyword: web.ssl.key Description: Web Proxy SSL certificate key Controlling Attribute: (none) Default Value: /opt/zimbra/conf/nginx.key Config Text: /opt/zimbra/conf/nginx.key How to modify: N/A
web.uploadmax
NGINX Keyword: web.uploadmax Description: Maximum accepted client request body size (indicated by Content-Length) - if content length exceeds this limit, then request fails with HTTP 413 Controlling Attribute: zimbraFileUploadMaxSize Default Value: 10485760 Config Text: 10485760 How to modify: N/A
web.upstream.:servers
NGINX Keyword: web.upstream.:servers Description: List of upstream HTTP servers used by Web Proxy (i.e. servers for which zimbraReverseProxyLookupTarget is true, and whose mail mode is http|mixed|both) Controlling Attribute: zimbraReverseProxyLookupTarget Default Value: [] Current Value: [<server>:7070] Config Text: server <server>:7070; How to modify: N/A
web.upstream.name
NGINX Keyword: web.upstream.name Description: Symbolic name for HTTP upstream cluster Controlling Attribute: (none) Default Value: zimbra Config Text: zimbra How to modify: N/A