2015-01-09 16:37:42 +01:00
|
|
|
FILES
|
|
|
|
-----
|
|
|
|
|
|
|
|
*/etc/nghttpx/nghttpx.conf*
|
|
|
|
The default configuration file path nghttpx searches at startup.
|
|
|
|
The configuration file path can be changed using :option:`--conf`
|
|
|
|
option.
|
|
|
|
|
2015-01-11 09:34:43 +01:00
|
|
|
Those lines which are staring ``#`` are treated as comment.
|
|
|
|
|
|
|
|
The option name in the configuration file is the long command-line
|
|
|
|
option name with leading ``--`` stripped (e.g., ``frontend``). Put
|
|
|
|
``=`` between option name and value. Don't put extra leading or
|
|
|
|
trailing spaces.
|
|
|
|
|
|
|
|
The options which do not take argument in the command-line *take*
|
|
|
|
argument in the configuration file. Specify ``yes`` as an argument
|
|
|
|
(e.g., ``http2-proxy=yes``). If other string is given, it is
|
|
|
|
ignored.
|
|
|
|
|
|
|
|
To specify private key and certificate file which are given as
|
2015-05-12 16:24:18 +02:00
|
|
|
positional arguments in command-line, use ``private-key-file`` and
|
2015-01-11 09:34:43 +01:00
|
|
|
``certificate-file``.
|
|
|
|
|
|
|
|
:option:`--conf` option cannot be used in the configuration file and
|
|
|
|
will be ignored if specified.
|
|
|
|
|
2015-01-09 16:37:42 +01:00
|
|
|
SIGNALS
|
|
|
|
-------
|
|
|
|
|
|
|
|
SIGQUIT
|
|
|
|
Shutdown gracefully. First accept pending connections and stop
|
|
|
|
accepting connection. After all connections are handled, nghttpx
|
|
|
|
exits.
|
|
|
|
|
|
|
|
SIGUSR1
|
|
|
|
Reopen log files.
|
|
|
|
|
|
|
|
SIGUSR2
|
|
|
|
Fork and execute nghttpx. It will execute the binary in the same
|
2015-01-10 09:12:24 +01:00
|
|
|
path with same command-line arguments and environment variables.
|
|
|
|
After new process comes up, sending SIGQUIT to the original process
|
|
|
|
to perform hot swapping.
|
2015-01-09 16:37:42 +01:00
|
|
|
|
2015-09-17 18:16:49 +02:00
|
|
|
.. note::
|
|
|
|
|
2015-09-26 13:59:56 +02:00
|
|
|
nghttpx consists of multiple processes: one process for processing
|
|
|
|
these signals, and another one for processing requests. The former
|
|
|
|
spawns the latter. The former is called master process, and the
|
|
|
|
latter is called worker process. If neverbleed is enabled, the
|
|
|
|
worker process spawns neverbleed daemon process which does RSA key
|
|
|
|
processing. The above signal must be sent to the master process.
|
|
|
|
If the other processes received one of them, it is ignored. This
|
|
|
|
behaviour of these processes may change in the future release. In
|
|
|
|
other words, in the future release, the processes other than master
|
|
|
|
process may terminate upon the reception of these signals.
|
|
|
|
Therefore these signals should not be sent to the processes other
|
|
|
|
than master process.
|
2015-09-17 18:16:49 +02:00
|
|
|
|
2015-02-08 09:13:36 +01:00
|
|
|
SERVER PUSH
|
|
|
|
-----------
|
|
|
|
|
|
|
|
nghttpx supports HTTP/2 server push in default mode. nghttpx looks
|
|
|
|
for Link header field (`RFC 5988
|
2015-02-12 15:04:21 +01:00
|
|
|
<http://tools.ietf.org/html/rfc5988>`_) in response headers from
|
2015-02-08 09:13:36 +01:00
|
|
|
backend server and extracts URI-reference with parameter
|
|
|
|
``rel=preload`` (see `preload
|
|
|
|
<http://w3c.github.io/preload/#interoperability-with-http-link-header>`_)
|
|
|
|
and pushes those URIs to the frontend client. Here is a sample Link
|
|
|
|
header field to initiate server push:
|
|
|
|
|
|
|
|
.. code-block:: http
|
|
|
|
|
|
|
|
Link: </fonts/font.woff>; rel=preload
|
|
|
|
Link: </css/theme.css>; rel=preload
|
|
|
|
|
2015-09-05 11:59:19 +02:00
|
|
|
Currently, the following restriction is applied for server push:
|
2015-02-08 09:13:36 +01:00
|
|
|
|
2015-09-05 11:59:19 +02:00
|
|
|
1. The associated stream must have method "GET" or "POST". The
|
2015-02-08 09:13:36 +01:00
|
|
|
associated stream's status code must be 200.
|
|
|
|
|
2015-09-05 11:59:19 +02:00
|
|
|
This limitation may be loosened in the future release.
|
2015-02-08 09:13:36 +01:00
|
|
|
|
2015-02-22 10:23:09 +01:00
|
|
|
UNIX DOMAIN SOCKET
|
|
|
|
------------------
|
|
|
|
|
|
|
|
nghttpx supports UNIX domain socket with a filename for both frontend
|
|
|
|
and backend connections.
|
|
|
|
|
|
|
|
Please note that current nghttpx implementation does not delete a
|
|
|
|
socket with a filename. And on start up, if nghttpx detects that the
|
|
|
|
specified socket already exists in the file system, nghttpx first
|
|
|
|
deletes it. However, if SIGUSR2 is used to execute new binary and
|
|
|
|
both old and new configurations use same filename, new binary does not
|
|
|
|
delete the socket and continues to use it.
|
|
|
|
|
2015-03-31 16:31:24 +02:00
|
|
|
OCSP STAPLING
|
|
|
|
-------------
|
|
|
|
|
2015-06-22 17:53:12 +02:00
|
|
|
OCSP query is done using external Python script
|
|
|
|
``fetch-ocsp-response``, which has been originally developed in Perl
|
|
|
|
as part of h2o project (https://github.com/h2o/h2o), and was
|
|
|
|
translated into Python.
|
2015-03-31 16:31:24 +02:00
|
|
|
|
|
|
|
The script file is usually installed under
|
|
|
|
``$(prefix)/share/nghttp2/`` directory. The actual path to script can
|
|
|
|
be customized using :option:`--fetch-ocsp-response-file` option.
|
|
|
|
|
2015-08-12 17:47:32 +02:00
|
|
|
If OCSP query is failed, previous OCSP response, if any, is continued
|
|
|
|
to be used.
|
|
|
|
|
2015-07-28 16:43:32 +02:00
|
|
|
TLS SESSION RESUMPTION
|
|
|
|
----------------------
|
|
|
|
|
|
|
|
nghttpx supports TLS session resumption through both session ID and
|
|
|
|
session ticket.
|
|
|
|
|
|
|
|
SESSION ID RESUMPTION
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
By default, session ID is shared by all worker threads.
|
|
|
|
|
|
|
|
If :option:`--tls-session-cache-memcached` is given, nghttpx will
|
2015-07-28 17:01:12 +02:00
|
|
|
insert serialized session data to memcached with
|
|
|
|
``nghttpx:tls-session-cache:`` + lowercased hex string of session ID
|
|
|
|
as a memcached entry key, with expiry time 12 hours. Session timeout
|
|
|
|
is set to 12 hours.
|
2015-07-28 16:43:32 +02:00
|
|
|
|
|
|
|
TLS SESSION TICKET RESUMPTION
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
By default, session ticket is shared by all worker threads. The
|
|
|
|
automatic key rotation is also enabled by default. Every an hour, new
|
|
|
|
encryption key is generated, and previous encryption key becomes
|
|
|
|
decryption only key. We set session timeout to 12 hours, and thus we
|
|
|
|
keep at most 12 keys.
|
|
|
|
|
2015-07-28 17:01:12 +02:00
|
|
|
If :option:`--tls-ticket-key-memcached` is given, encryption keys are
|
2015-07-28 16:43:32 +02:00
|
|
|
retrieved from memcached. nghttpx just reads keys from memcached; one
|
|
|
|
has to deploy key generator program to update keys frequently (e.g.,
|
2015-07-29 14:18:16 +02:00
|
|
|
every 1 hour). The example key generator tlsticketupdate.go is
|
|
|
|
available under contrib directory in nghttp2 archive. The memcached
|
|
|
|
entry key is ``nghttpx:tls-ticket-key``. The data format stored in
|
|
|
|
memcached is the binary format described below::
|
2015-07-28 16:43:32 +02:00
|
|
|
|
|
|
|
+--------------+-------+----------------+
|
|
|
|
| VERSION (4) |LEN (2)|KEY(48 or 80) ...
|
|
|
|
+--------------+-------+----------------+
|
|
|
|
^ |
|
|
|
|
| |
|
|
|
|
+------------------------+
|
|
|
|
(LEN, KEY) pair can be repeated
|
|
|
|
|
|
|
|
All numbers in the above figure is bytes. All integer fields are
|
|
|
|
network byte order.
|
|
|
|
|
|
|
|
First 4 bytes integer VERSION field, which must be 1. The 2 bytes
|
|
|
|
integer LEN field gives the length of following KEY field, which
|
2015-07-28 17:01:12 +02:00
|
|
|
contains key. If :option:`--tls-ticket-key-cipher`\=aes-128-cbc is
|
2015-07-28 16:43:32 +02:00
|
|
|
used, LEN must be 48. If
|
2015-07-28 17:01:12 +02:00
|
|
|
:option:`--tls-ticket-key-cipher`\=aes-256-cbc is used, LEN must be
|
2015-07-28 16:43:32 +02:00
|
|
|
80. LEN and KEY pair can be repeated multiple times to store multiple
|
|
|
|
keys. The key appeared first is used as encryption key. All the
|
|
|
|
remaining keys are used as decryption only.
|
|
|
|
|
2015-07-28 17:01:12 +02:00
|
|
|
If :option:`--tls-ticket-key-file` is given, encryption key is read
|
2015-07-28 16:43:32 +02:00
|
|
|
from the given file. In this case, nghttpx does not rotate key
|
|
|
|
automatically. To rotate key, one has to restart nghttpx (see
|
|
|
|
SIGNALS).
|
|
|
|
|
2015-09-05 14:23:27 +02:00
|
|
|
MRUBY SCRIPTING
|
|
|
|
---------------
|
|
|
|
|
2015-09-05 14:28:43 +02:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
The current mruby extension API is experimental and not frozen. The
|
|
|
|
API is subject to change in the future release.
|
|
|
|
|
2015-09-05 14:23:27 +02:00
|
|
|
nghttpx allows users to extend its capability using mruby scripts.
|
|
|
|
nghttpx has 2 hook points to execute mruby script: request phase and
|
|
|
|
response phase. The request phase hook is invoked after all request
|
|
|
|
header fields are received from client. The response phase hook is
|
|
|
|
invoked after all response header fields are received from backend
|
|
|
|
server. These hooks allows users to modify header fields, or common
|
|
|
|
HTTP variables, like authority or request path, and even return custom
|
|
|
|
response without forwarding request to backend servers.
|
|
|
|
|
|
|
|
To set request phase hook, use :option:`--request-phase-file` option.
|
|
|
|
To set response phase hook, use :option:`--response-phase-file`
|
|
|
|
option.
|
|
|
|
|
|
|
|
For request and response phase hook, user calls :rb:meth:`Nghttpx.run`
|
|
|
|
with block. The :rb:class:`Nghttpx::Env` is passed to the block.
|
|
|
|
User can can access :rb:class:`Nghttpx::Request` and
|
|
|
|
:rb:class:`Nghttpx::Response` objects via :rb:attr:`Nghttpx::Env#req`
|
|
|
|
and :rb:attr:`Nghttpx::Env#resp` respectively.
|
|
|
|
|
|
|
|
.. rb:module:: Nghttpx
|
|
|
|
|
|
|
|
.. rb:classmethod:: run(&block)
|
|
|
|
|
|
|
|
Run request or response phase hook with given *block*.
|
|
|
|
:rb:class:`Nghttpx::Env` object is passed to the given block.
|
|
|
|
|
|
|
|
.. rb:const:: REQUEST_PHASE
|
|
|
|
|
|
|
|
Constant to represent request phase.
|
|
|
|
|
|
|
|
.. rb:const:: RESPONSE_PHASE
|
|
|
|
|
|
|
|
Constant to represent response phase.
|
|
|
|
|
|
|
|
.. rb:class:: Env
|
|
|
|
|
|
|
|
Object to represent current request specific context.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: req
|
|
|
|
|
|
|
|
Return :rb:class:`Request` object.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: resp
|
|
|
|
|
|
|
|
Return :rb:class:`Response` object.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: ctx
|
|
|
|
|
|
|
|
Return Ruby hash object. It persists until request finishes.
|
|
|
|
So values set in request phase hoo can be retrieved in
|
|
|
|
response phase hook.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: phase
|
|
|
|
|
|
|
|
Return the current phase.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: remote_addr
|
|
|
|
|
|
|
|
Return IP address of a remote client.
|
|
|
|
|
|
|
|
.. rb:class:: Request
|
|
|
|
|
|
|
|
Object to represent request from client. The modification to
|
|
|
|
Request object is allowed only in request phase hook.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_major
|
|
|
|
|
|
|
|
Return HTTP major version.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_minor
|
|
|
|
|
|
|
|
Return HTTP minor version.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: method
|
|
|
|
|
|
|
|
HTTP method. On assignment, copy of given value is assigned.
|
|
|
|
We don't accept arbitrary method name. We will document them
|
|
|
|
later, but well known methods, like GET, PUT and POST, are all
|
|
|
|
supported.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: authority
|
|
|
|
|
|
|
|
Authority (i.e., example.org), including optional port
|
|
|
|
component . On assignment, copy of given value is assigned.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: scheme
|
|
|
|
|
|
|
|
Scheme (i.e., http, https). On assignment, copy of given
|
|
|
|
value is assigned.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: path
|
|
|
|
|
|
|
|
Request path, including query component (i.e., /index.html).
|
|
|
|
On assignment, copy of given value is assigned. The path does
|
|
|
|
not include authority component of URI.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: headers
|
|
|
|
|
|
|
|
Return Ruby hash containing copy of request header fields.
|
|
|
|
Changing values in returned hash does not change request
|
|
|
|
header fields actually used in request processing. Use
|
|
|
|
:rb:meth:`Nghttpx::Request#add_header` or
|
|
|
|
:rb:meth:`Nghttpx::Request#set_header` to change request
|
|
|
|
header fields.
|
|
|
|
|
|
|
|
.. rb:method:: add_header(key, value)
|
|
|
|
|
|
|
|
Add header entry associated with key. The value can be single
|
|
|
|
string or array of string. It does not replace any existing
|
|
|
|
values associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: set_header(key, value)
|
|
|
|
|
|
|
|
Set header entry associated with key. The value can be single
|
|
|
|
string or array of string. It replaces any existing values
|
|
|
|
associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: clear_headers
|
|
|
|
|
|
|
|
Clear all existing request header fields.
|
|
|
|
|
2015-09-05 16:37:32 +02:00
|
|
|
.. rb:method:: push uri
|
|
|
|
|
|
|
|
Initiate to push resource identified by *uri*. Only HTTP/2
|
|
|
|
protocol supports this feature. For the other protocols, this
|
|
|
|
method is noop. *uri* can be absolute URI, absolute path or
|
|
|
|
relative path to the current request. For absolute or
|
|
|
|
relative path, scheme and authority are inherited from the
|
2015-09-06 08:21:36 +02:00
|
|
|
current request. Currently, method is always GET. nghttpx
|
|
|
|
will issue request to backend servers to fulfill this request.
|
|
|
|
The request and response phase hooks will be called for pushed
|
|
|
|
resource as well.
|
2015-09-05 16:37:32 +02:00
|
|
|
|
2015-09-05 14:23:27 +02:00
|
|
|
.. rb:class:: Response
|
|
|
|
|
|
|
|
Object to represent response from backend server.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_major
|
|
|
|
|
|
|
|
Return HTTP major version.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_minor
|
|
|
|
|
|
|
|
Return HTTP minor version.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: status
|
|
|
|
|
|
|
|
HTTP status code. It must be in the range [200, 999],
|
|
|
|
inclusive. The non-final status code is not supported in
|
|
|
|
mruby scripting at the moment.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: headers
|
|
|
|
|
|
|
|
Return Ruby hash containing copy of response header fields.
|
|
|
|
Changing values in returned hash does not change response
|
|
|
|
header fields actually used in response processing. Use
|
|
|
|
:rb:meth:`Nghttpx::Response#add_header` or
|
|
|
|
:rb:meth:`Nghttpx::Response#set_header` to change response
|
|
|
|
header fields.
|
|
|
|
|
|
|
|
.. rb:method:: add_header(key, value)
|
|
|
|
|
|
|
|
Add header entry associated with key. The value can be single
|
|
|
|
string or array of string. It does not replace any existing
|
|
|
|
values associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: set_header(key, value)
|
|
|
|
|
|
|
|
Set header entry associated with key. The value can be single
|
|
|
|
string or array of string. It replaces any existing values
|
|
|
|
associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: clear_headers
|
|
|
|
|
|
|
|
Clear all existing response header fields.
|
|
|
|
|
|
|
|
.. rb:method:: return(body)
|
|
|
|
|
|
|
|
Return custom response *body* to a client. When this method
|
|
|
|
is called in request phase hook, the request is not forwarded
|
|
|
|
to the backend, and response phase hook for this request will
|
|
|
|
not be invoked. When this method is called in resonse phase
|
|
|
|
hook, response from backend server is canceled and discarded.
|
|
|
|
The status code and response header fields should be set
|
|
|
|
before using this method. To set status code, use :rb:meth To
|
|
|
|
set response header fields, use
|
|
|
|
:rb:attr:`Nghttpx::Response#status`. If status code is not
|
|
|
|
set, 200 is used. :rb:meth:`Nghttpx::Response#add_header` and
|
|
|
|
:rb:meth:`Nghttpx::Response#set_header`. When this method is
|
|
|
|
invoked in response phase hook, the response headers are
|
|
|
|
filled with the ones received from backend server. To send
|
|
|
|
completely custom header fields, first call
|
|
|
|
:rb:meth:`Nghttpx::Response#clear_headers` to erase all
|
|
|
|
existing header fields, and then add required header fields.
|
|
|
|
It is an error to call this method twice for a given request.
|
|
|
|
|
|
|
|
MRUBY EXAMPLES
|
|
|
|
~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
Modify requet path:
|
|
|
|
|
|
|
|
.. code-block:: ruby
|
|
|
|
|
|
|
|
Nghttpx.run do |env|
|
|
|
|
env.req.path = "/apps#{env.req.path}"
|
|
|
|
end
|
|
|
|
|
|
|
|
Note that the file containing the above script must be set with
|
|
|
|
:option:`--request-phase-file` option since we modify request path.
|
|
|
|
|
|
|
|
Restrict permission of viewing a content to a specific client
|
|
|
|
addresses:
|
|
|
|
|
|
|
|
.. code-block:: ruby
|
|
|
|
|
|
|
|
Nghttpx.run do |env|
|
|
|
|
allowed_clients = ["127.0.0.1", "::1"]
|
|
|
|
|
|
|
|
if env.req.path.start_with?("/log/") &&
|
|
|
|
!allowed_clients.include?(env.remote_addr) then
|
|
|
|
env.resp.status = 404
|
|
|
|
env.resp.return "permission denied"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-01-09 16:37:42 +01:00
|
|
|
SEE ALSO
|
|
|
|
--------
|
|
|
|
|
|
|
|
:manpage:`nghttp(1)`, :manpage:`nghttpd(1)`, :manpage:`h2load(1)`
|