Merge branch 'main' into nginx-one-new-homepage

Author: ADubhlaoich

config/_default/config.toml

@@ -47,7 +47,8 @@ enableGitInfo = true
     "taxonomyTerm"
   ]
   taxonomiesExcludedFromSitemap = ["tags", "categories", "doctypes"]
-
+  unitversion= "1.34.1"
+  unitversionv= "v1.34.1"
   #logo = ""
 
   # Version lists; used by the versions shortcode

content/includes/unit/howto_change_ownership.md

@@ -0,0 +1,18 @@
+Run the following command (as root) so Unit can access the application
+directory (If the application uses several directories, run the command for
+each one):
+
+```console
+# chown -R unit:unit /path/to/app/  # User and group that Unit's router runs as by default
+```
+
+
+{{< note >}}
+The **unit:unit** user-group pair is available only with
+[official packages]({{< relref "/unit/installation.md#installation-precomp-pkgs" >}})
+, Docker [images]({{< relref "/unit/installation.md#installation-docker" >}}),
+and some [third-party repos]({{< relref "/unit/installation.md#installation-community-repos" >}}). Otherwise, account names may differ; run the `ps aux | grep unitd` command to be sure.
+{{< /note >}}
+
+For further details, including permissions, see the
+[security checklist]({{< relref "/unit/howto/security.md#secutiry-apps" >}}).

content/includes/unit/howto_install_app.md

@@ -0,0 +1,2 @@
+Install {{ app }}'s [app-link]. Here, we install it at **/path/to/app/**; use
+a real path in your configuration.

content/includes/unit/howto_install_prereq.md

@@ -0,0 +1 @@
+Install and configure {{ app }}'s [app-preq].

content/includes/unit/howto_install_unit.md

@@ -0,0 +1 @@
+Install [Unit]({{< relref "/unit/installation.md#installation-precomp-pkgs" >}}) with a {{ mod }} language module.

content/includes/unit/howto_upload_config.md

@@ -0,0 +1,14 @@
+Assuming the JSON above was added to
+`config.json`. Run the following command as root:
+
+```console
+# curl -X PUT --data-binary @config.json --unix-socket \
+   /path/to/control.unit.sock \  # Path to Unit's control socket in your installation
+   http://localhost/config/      # Path to the config section in Unit's control API
+```
+
+{{< note >}}
+The [control socket]({{< relref "/unit/installation.md#configuration-socket" >}}) path may vary; run
+`unitd -h` or see
+[Startup and shutdown]({{< relref "/unit/howto/source.md#source-startup" >}}) for details.
+{{< /note >}}

content/includes/unit/version.md

@@ -0,0 +1 @@
+1.34.1

content/nginx/admin-guide/basic-functionality/runtime-control.md

@@ -32,7 +32,7 @@ where `<SIGNAL>` can be one of the following:
 - `quit` – Shut down gracefully (the `SIGQUIT` signal)
 - `reload` – Reload the configuration file (the `SIGHUP` signal)
 - `reopen` – Reopen log files (the `SIGUSR1` signal)
-- `stop` – Shut down immediately (or fast shutdown, the `SIGTERM` singal)
+- `stop` – Shut down immediately (or fast shutdown, the `SIGTERM` signal)
 
 The `kill` utility can also be used to send a signal directly to the master process. The process ID of the master process is written, by default, to the **nginx.pid** file, which is located in the **/usr/local/nginx/logs** or **/var/run** directory.
 

content/nginx/admin-guide/installing-nginx/installing-nginx-open-source.md

@@ -24,29 +24,77 @@ This guide explains how to enable single sign-on (SSO) for applications being pr
 
 ## Configure Keycloak {#keycloak-setup}
 
-1. Log in to your Keycloak admin console, for example, `https://<keycloak-server>/auth/admin/`.
+{{<tabs name="configure-keycloak">}}
 
-2. In the left navigation, go to **Clients**.then 
+{{%tab name="Standard OIDC"%}}
 
-3. Select **Create** and provide the following details:
+1. Log in to your Keycloak admin console, for example, `https://<keycloak-server>/admin/master/console/`.
 
-   - Enter a **Client ID**, for example, `nginx-demo-app`. You will need it later when configuring NGINX Plus.
+2. In the left navigation, go to **Clients**, then
 
-   - Set **Client Protocol** to **openid-connect**.
+3. Select **Create client** and provide the following details:
 
-   - Select **Save**.
+    - Set **Client type** to **OpenID Connect**.
+
+    - Enter a **Client ID**, for example, `nginx-demo-app`. You will need it later when configuring NGINX Plus.
+
+    - Select **Next**.
 
-4. In the **Settings** tab of your new client:
+4. In the **Capability Config** section:
 
-   - Set **Access Type** to `confidential`.
+    - Set **Client Authentication** to **On**. This sets the client type to **confidential**.
+   
+    - Select **Next**.
 
-   - Add a **Redirect URI**, for example:
+5. In the **Login Settings** section:
+
+    - Add a **Redirect URI**, for example:
      ```
      https://demo.example.com/oidc_callback
      ```
    - Select **Save**.
 
-5. In the **Credentials** tab, make note of the **Client Secret**. You will need it later when configuring NGINX Plus.
+6. In the **Credentials** tab, make note of the **Client Secret**. You will need it later when configuring NGINX Plus.
+
+{{%/tab%}}
+
+{{%tab name="Using PKCE"%}}
+
+1. Log in to your Keycloak admin console, for example, `https://<keycloak-server>/auth/admin/`.
+
+2. In the left navigation, go to **Clients**, then
+
+3. Select **Create client** and provide the following details:
+
+    - Set **Client type** to **OpenID Connect**.
+
+    - Enter a **Client ID**, for example, `nginx-demo-app`. You will need it later when configuring NGINX Plus.
+
+    - Select **Next**.
+
+4. In the **Capability Config** section:
+
+    - Set **Client Authentication** to **Off**. This sets the client type to **public**.
+
+    - Unselect the **Direct access grants** in the **Authentication Flow** section.
+
+    - Select **Next**
+
+5. In the **Login Settings** section:
+
+    - Add a **Redirect URI**, for example:
+     ```
+     https://demo.example.com/oidc_callback
+     ```
+    - Select **Save**.
+
+6. In the **Advanced** tab, under the **Advanced Settings** section set the **Proof Key for Code Exchange Code Challenge Method** to **S256**.
+
+7. Note that as opposed to standard OIDC flow, PKCE does not use Client Secrets, so there is no Credentials tab. This is expected.
+
+{{%/tab%}}
+
+{{</tabs>}}
 
 ### Assign Users or Groups
 
@@ -63,7 +111,7 @@ This step is optional, and is necessary if you need to restrict or organize user
 
 ## Set up NGINX Plus {#nginx-plus-setup}
 
-With Keycloak configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as the Rely Party (RP) application &mdash; a client service that verifies user identity.
+With Keycloak configured, you can enable OIDC on NGINX Plus. NGINX Plus serves as the Relying Party (RP) application &mdash; a client service that verifies user identity.
 
 1.  Ensure that you are using the latest version of NGINX Plus by running the `nginx -v` command in a terminal:
 
@@ -76,7 +124,8 @@ With Keycloak configured, you can enable OIDC on NGINX Plus. NGINX Plus serves a
     nginx version: nginx/1.27.4 (nginx-plus-r34)
     ```
 
-2.  Ensure that you have the values of the **Client ID**, **Client Secret**, and **Issuer** obtained during [Keycloak Configuration](#keycloak-setup).
+2.  Ensure that you have the values of the **Client ID**, **Client Secret**, and **Issuer** obtained during 
+    [Keycloak Configuration](#keycloak-setup) if applicable. PKCE will not have a **Client Secret**.
 
 3.  In your preferred text editor, open the NGINX configuration file (`/etc/nginx/nginx.conf` for Linux or `/usr/local/etc/nginx/nginx.conf` for FreeBSD).
 
@@ -110,7 +159,8 @@ With Keycloak configured, you can enable OIDC on NGINX Plus. NGINX Plus serves a
 
     - your actual Keycloak **Client ID** obtained in [Keycloak Configuration](#keycloak-setup) with the [`client_id`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#client_id) directive
 
-    - your **Client Secret** obtained in [Keycloak Configuration](#keycloak-setup) with the [`client_secret`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#client_secret) directive
+    - (if not using PKCE) your **Client Secret** obtained in [Keycloak Configuration](#keycloak-setup) with the 
+      [`client_secret`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#client_secret) directive
 
     - the **Issuer** URL obtained in [Keycloak Configuration](#keycloak-setup) with the [`issuer`](https://nginx.org/en/docs/http/ngx_http_oidc_module.html#client_secret) directive