diff --git a/doc/h2load.1 b/doc/h2load.1 index 6778e46b..1a2e5ef7 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "March 20, 2016" "1.9.0-DEV" "nghttp2" +.TH "H2LOAD" "1" "March 25, 2016" "1.9.0-DEV" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/nghttp.1 b/doc/nghttp.1 index f7bfdf52..5a058d37 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "March 20, 2016" "1.9.0-DEV" "nghttp2" +.TH "NGHTTP" "1" "March 25, 2016" "1.9.0-DEV" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index f376225b..84c2159c 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "March 20, 2016" "1.9.0-DEV" "nghttp2" +.TH "NGHTTPD" "1" "March 25, 2016" "1.9.0-DEV" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index 6a2d676f..2bdad877 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "March 20, 2016" "1.9.0-DEV" "nghttp2" +.TH "NGHTTPX" "1" "March 25, 2016" "1.9.0-DEV" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . @@ -40,14 +40,14 @@ A reverse proxy for HTTP/2, HTTP/1 and SPDY. .TP .B Set path to server\(aqs private key. Required unless -\fI\%\-\-frontend\-no\-tls\fP are given. +"no\-tls" keyword is used in \fI\%\-\-frontend\fP option. .UNINDENT .INDENT 0.0 .TP .B Set path to server\(aqs certificate. Required unless -\fI\%\-\-frontend\-no\-tls\fP are given. To make OCSP stapling -work, this must be an absolute path. +"no\-tls" keyword is used in \fI\%\-\-frontend\fP option. To make +OCSP stapling work, this must be an absolute path. .UNINDENT .SH OPTIONS .sp 
@@ -55,7 +55,7 @@ The options are categorized into several groups. .SS Connections .INDENT 0.0 .TP -.B \-b, \-\-backend=(,|unix:)[;[[:...]][;proto=]] +.B \-b, \-\-backend=(,|unix:)[;[[:...]][;proto=][;tls]] Set backend host and port. The multiple backend addresses are accepted by repeating this option. UNIX domain socket can be specified by prefixing path name @@ -86,10 +86,11 @@ shorter ones. .sp Host can include "*" in the left most position to indicate wildcard match (only suffix match is done). -For example, host pattern "*www.nghttp2.org" matches -against "www.nghttp2.org" and "1www.ngttp2.org", but -does not match against "nghttp2.org". The exact hosts -match takes precedence over the wildcard hosts match. +The "*" must match at least one character. For example, +host pattern "*.nghttp2.org" matches against +"www.nghttp2.org" and "git.ngttp2.org", but does not +match against "nghttp2.org". The exact hosts match +takes precedence over the wildcard hosts match. .sp If is omitted or empty string, "\fI/\fP" is used as pattern, which matches all request paths (catch\-all @@ -123,7 +124,10 @@ must have the same value if it is given. quotes: "h2", "http/1.1". The default value of is "http/1.1". Note that usually "h2" refers to HTTP/2 over TLS. But in this option, it may mean HTTP/2 over -cleartext TCP unless \fI\%\-\-backend\-tls\fP is used. +cleartext TCP unless "tls" keyword is used (see below). +.sp +Optionally, TLS can be enabled by specifying "tls" +keyword. TLS is not enabled by default. .sp Since ";" and ":" are used as delimiter, must not contain these characters. Since ";" has special @@ -133,7 +137,7 @@ Default: \fB127.0.0.1,80\fP .UNINDENT .INDENT 0.0 .TP -.B \-f, \-\-frontend=(,|unix:) +.B \-f, \-\-frontend=(,|unix:)[;no\-tls] Set frontend host and port. If is \(aq*\(aq, it assumes all addresses including both IPv4 and IPv6. UNIX domain socket can be specified by prefixing path 
@@ -141,6 +145,9 @@ name with "unix:" (e.g., unix:/var/run/nghttpx.sock). This option can be used multiple times to listen to multiple addresses. .sp +Optionally, TLS can be disabled by specifying "no\-tls" +keyword. TLS is enabled by default. +.sp Default: \fB*,3000\fP .UNINDENT .INDENT 0.0 @@ -181,11 +188,6 @@ be specified by \fI\%\-\-backend\-read\-timeout\fP and .B \-\-accept\-proxy\-protocol Accept PROXY protocol version 1 on frontend connection. .UNINDENT -.INDENT 0.0 -.TP -.B \-\-backend\-tls -Enable SSL/TLS on backend connections. -.UNINDENT .SS Performance .INDENT 0.0 .TP @@ -528,7 +530,7 @@ required. .UNINDENT .INDENT 0.0 .TP -.B \-\-tls\-ticket\-key\-memcached=, +.B \-\-tls\-ticket\-key\-memcached=,[;tls] Specify address of memcached server to get TLS ticket keys for session resumption. This enables shared TLS ticket key between multiple nghttpx instances. nghttpx @@ -538,7 +540,9 @@ ticket keys from memcached, and use them, possibly replacing current set of keys. It is up to extern TLS ticket key generator to rotate keys frequently. See "TLS SESSION TICKET RESUMPTION" section in manual page -to know the data format in memcached entry. +to know the data format in memcached entry. Optionally, +memcached connection can be encrypted with TLS by +specifying "tls" keyword. .UNINDENT .INDENT 0.0 .TP @@ -587,12 +591,6 @@ aes\-128\-cbc is used. .UNINDENT .INDENT 0.0 .TP -.B \-\-tls\-ticket\-key\-memcached\-tls -Enable SSL/TLS on memcached connections to get TLS -ticket keys. -.UNINDENT -.INDENT 0.0 -.TP .B \-\-tls\-ticket\-key\-memcached\-cert\-file= Path to client certificate for memcached connections to get TLS ticket keys. 
@@ -625,10 +623,12 @@ Disable OCSP stapling. .UNINDENT .INDENT 0.0 .TP -.B \-\-tls\-session\-cache\-memcached=, +.B \-\-tls\-session\-cache\-memcached=,[;tls] Specify address of memcached server to store session cache. This enables shared session cache between -multiple nghttpx instances. +multiple nghttpx instances. Optionally, memcached +connection can be encrypted with TLS by specifying "tls" +keyword. .UNINDENT .INDENT 0.0 .TP @@ -643,12 +643,6 @@ Default: \fBauto\fP .UNINDENT .INDENT 0.0 .TP -.B \-\-tls\-session\-cache\-memcached\-tls -Enable SSL/TLS on memcached connections to store session -cache. -.UNINDENT -.INDENT 0.0 -.TP .B \-\-tls\-session\-cache\-memcached\-cert\-file= Path to client certificate for memcached connections to store session cache. @@ -731,11 +725,6 @@ Default: \fB16\fP .UNINDENT .INDENT 0.0 .TP -.B \-\-frontend\-no\-tls -Disable SSL/TLS on frontend connections. -.UNINDENT -.INDENT 0.0 -.TP .B \-\-backend\-http2\-window\-bits= Sets the initial window size of HTTP/2 backend connection to 2**\-1. @@ -778,10 +767,11 @@ does not support server push. .INDENT 0.0 .TP .B (default mode) -Accept HTTP/2, SPDY and HTTP/1.1 over SSL/TLS. If -\fI\%\-\-frontend\-no\-tls\fP is used, accept HTTP/2 and HTTP/1.1. -The incoming HTTP/1.1 connection can be upgraded to -HTTP/2 through HTTP Upgrade. +Accept HTTP/2, SPDY and HTTP/1.1 over SSL/TLS. "no\-tls" +keyword is used in \fI\%\-\-frontend\fP option, accept HTTP/2 and +HTTP/1.1 over cleartext TCP. The incoming HTTP/1.1 +connection can be upgraded to HTTP/2 through HTTP +Upgrade. .UNINDENT .INDENT 0.0 .TP 
@@ -1289,8 +1279,8 @@ as a memcached entry key, with expiry time 12 hours. Session timeout is set to 12 hours. .sp By default, connections to memcached server are not encrypted. To -enable encryption, use \fI\%\-\-tls\-session\-cache\-memcached\-tls\fP -option. +enable encryption, use \fBtls\fP keyword in +\fI\%\-\-tls\-session\-cache\-memcached\fP option. .SS TLS SESSION TICKET RESUMPTION .sp By default, session ticket is shared by all worker threads. The @@ -1336,8 +1326,8 @@ keys. The key appeared first is used as encryption key. All the remaining keys are used as decryption only. .sp By default, connections to memcached server are not encrypted. To -enable encryption, use \fI\%\-\-tls\-ticket\-key\-memcached\-tls\fP -option. +enable encryption, use \fBtls\fP keyword in +\fI\%\-\-tls\-ticket\-key\-memcached\fP option. .sp If \fI\%\-\-tls\-ticket\-key\-file\fP is given, encryption key is read from the given file. In this case, nghttpx does not rotate key diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst index ebf26493..0c8b4795 100644 --- a/doc/nghttpx.1.rst +++ b/doc/nghttpx.1.rst @@ -20,13 +20,13 @@ A reverse proxy for HTTP/2, HTTP/1 and SPDY. Set path to server's private key. Required unless - :option:`--frontend-no-tls` are given. + "no-tls" keyword is used in :option:`--frontend` option. .. describe:: Set path to server's certificate. Required unless - :option:`--frontend-no-tls` are given. To make OCSP stapling - work, this must be an absolute path. + "no-tls" keyword is used in :option:`--frontend` option. To make + OCSP stapling work, this must be an absolute path. OPTIONS @@ -37,7 +37,7 @@ The options are categorized into several groups. Connections ~~~~~~~~~~~ -.. option:: -b, --backend=(,|unix:)[;[[:...]][;proto=]] +.. option:: -b, --backend=(,|unix:)[;[[:...]][;proto=][;tls]] Set backend host and port. The multiple backend addresses are accepted by repeating this option. UNIX 
@@ -69,10 +69,11 @@ Connections Host can include "\*" in the left most position to indicate wildcard match (only suffix match is done). - For example, host pattern "\*www.nghttp2.org" matches - against "www.nghttp2.org" and "1www.ngttp2.org", but - does not match against "nghttp2.org". The exact hosts - match takes precedence over the wildcard hosts match. + The "*" must match at least one character. For example, + host pattern "\*.nghttp2.org" matches against + "www.nghttp2.org" and "git.ngttp2.org", but does not + match against "nghttp2.org". The exact hosts match + takes precedence over the wildcard hosts match. If is omitted or empty string, "*/*" is used as pattern, which matches all request paths (catch-all @@ -106,7 +107,10 @@ Connections quotes: "h2", "http/1.1". The default value of is "http/1.1". Note that usually "h2" refers to HTTP/2 over TLS. But in this option, it may mean HTTP/2 over - cleartext TCP unless :option:`--backend-tls` is used. + cleartext TCP unless "tls" keyword is used (see below). + + Optionally, TLS can be enabled by specifying "tls" + keyword. TLS is not enabled by default. Since ";" and ":" are used as delimiter, must not contain these characters. Since ";" has special @@ -115,7 +119,7 @@ Connections Default: ``127.0.0.1,80`` -.. option:: -f, --frontend=(,|unix:) +.. option:: -f, --frontend=(,|unix:)[;no-tls] Set frontend host and port. If is '\*', it assumes all addresses including both IPv4 and IPv6. @@ -124,6 +128,10 @@ Connections This option can be used multiple times to listen to multiple addresses. + Optionally, TLS can be disabled by specifying "no-tls" + keyword. TLS is enabled by default. + + Default: ``*,3000`` .. option:: --backlog= @@ -160,10 +168,6 @@ Connections Accept PROXY protocol version 1 on frontend connection. -.. option:: --backend-tls - - Enable SSL/TLS on backend connections. - Performance ~~~~~~~~~~~ 
@@ -473,7 +477,7 @@ SSL/TLS ticket key sharing between nghttpx instances is not required. -.. option:: --tls-ticket-key-memcached=, +.. option:: --tls-ticket-key-memcached=,[;tls] Specify address of memcached server to get TLS ticket keys for session resumption. This enables shared TLS @@ -484,7 +488,9 @@ SSL/TLS replacing current set of keys. It is up to extern TLS ticket key generator to rotate keys frequently. See "TLS SESSION TICKET RESUMPTION" section in manual page - to know the data format in memcached entry. + to know the data format in memcached entry. Optionally, + memcached connection can be encrypted with TLS by + specifying "tls" keyword. .. option:: --tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6) @@ -526,11 +532,6 @@ SSL/TLS either aes-128-cbc or aes-256-cbc. By default, aes-128-cbc is used. -.. option:: --tls-ticket-key-memcached-tls - - Enable SSL/TLS on memcached connections to get TLS - ticket keys. - .. option:: --tls-ticket-key-memcached-cert-file= Path to client certificate for memcached connections to @@ -558,11 +559,13 @@ SSL/TLS Disable OCSP stapling. -.. option:: --tls-session-cache-memcached=, +.. option:: --tls-session-cache-memcached=,[;tls] Specify address of memcached server to store session cache. This enables shared session cache between - multiple nghttpx instances. + multiple nghttpx instances. Optionally, memcached + connection can be encrypted with TLS by specifying "tls" + keyword. .. option:: --tls-session-cache-memcached-address-family=(auto|IPv4|IPv6) @@ -574,11 +577,6 @@ SSL/TLS Default: ``auto`` -.. option:: --tls-session-cache-memcached-tls - - Enable SSL/TLS on memcached connections to store session - cache. - .. option:: --tls-session-cache-memcached-cert-file= Path to client certificate for memcached connections to 
@@ -655,10 +653,6 @@ HTTP/2 and SPDY Default: ``16`` -.. option:: --frontend-no-tls - - Disable SSL/TLS on frontend connections. - .. option:: --backend-http2-window-bits= Sets the initial window size of HTTP/2 backend @@ -701,10 +695,11 @@ Mode .. describe:: (default mode) - Accept HTTP/2, SPDY and HTTP/1.1 over SSL/TLS. If - :option:`--frontend-no-tls` is used, accept HTTP/2 and HTTP/1.1. - The incoming HTTP/1.1 connection can be upgraded to - HTTP/2 through HTTP Upgrade. + Accept HTTP/2, SPDY and HTTP/1.1 over SSL/TLS. "no-tls" + keyword is used in :option:`--frontend` option, accept HTTP/2 and + HTTP/1.1 over cleartext TCP. The incoming HTTP/1.1 + connection can be upgraded to HTTP/2 through HTTP + Upgrade. .. option:: -s, --http2-proxy @@ -1168,8 +1163,8 @@ as a memcached entry key, with expiry time 12 hours. Session timeout is set to 12 hours. By default, connections to memcached server are not encrypted. To -enable encryption, use :option:`--tls-session-cache-memcached-tls` -option. +enable encryption, use ``tls`` keyword in +:option:`--tls-session-cache-memcached` option. TLS SESSION TICKET RESUMPTION ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -1211,8 +1206,8 @@ keys. The key appeared first is used as encryption key. All the remaining keys are used as decryption only. By default, connections to memcached server are not encrypted. To -enable encryption, use :option:`--tls-ticket-key-memcached-tls` -option. +enable encryption, use ``tls`` keyword in +:option:`--tls-ticket-key-memcached` option. If :option:`--tls-ticket-key-file` is given, encryption key is read from the given file. In this case, nghttpx does not rotate key
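Review bot: The rewritten "(default mode)" text in both the nghttpx.1 hunk (@@ -778) and the nghttpx.1.rst hunk (@@ -701) drops the conditional, so the second sentence now reads `"no-tls" keyword is used in --frontend option, accept HTTP/2 and HTTP/1.1 over cleartext TCP.` It should start with "If", e.g. `If "no-tls" keyword is used in :option:`--frontend` option, accept HTTP/2 and HTTP/1.1 over cleartext TCP.`; since the .1 files carry the "Man page generated from reStructuredText" header, fix the .rst and regenerate rather than patching the roff by hand.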
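Review bot: The wildcard host example in the nghttpx.1 hunk (@@ -86) and the matching nghttpx.1.rst hunk (@@ -69) keeps the typo "git.ngttp2.org" (the old text had the same slip in "1www.ngttp2.org"); since the hunk rewrites the whole sentence, make it "git.nghttp2.org". Two further points on the same lines: the new sentence `The "*" must match at least one character.` contradicts the old example, where "*www.nghttp2.org" matched "www.nghttp2.org" with zero characters consumed, so this is a behaviour change in host routing and deserves a changelog entry, not only a doc edit; and in the .rst the new line writes a bare `"*"` while the neighbouring lines escape it as `"\*"` and `"\*.nghttp2.org"`, so use the escaped form for consistency.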
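Review bot: The "Required unless "no-tls" keyword is used in --frontend option" wording for the private key and certificate arguments (nghttpx.1 @@ -40, nghttpx.1.rst @@ -20) is ambiguous now that --frontend can be repeated with per-address `no-tls`: it does not say whether the key and certificate stay required when only some of the listed frontends use `no-tls`. Suggest stating it explicitly, e.g. `Required unless every --frontend address uses the "no-tls" keyword.` (or whatever the implementation actually does), so that a mixed TLS/cleartext configuration without a key is a documented startup error rather than a surprise.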
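Review bot: The hunks that delete the `--backend-tls`, `--tls-ticket-key-memcached-tls`, `--tls-session-cache-memcached-tls` and `--frontend-no-tls` entries (nghttpx.1 @@ -181, @@ -587, @@ -643, @@ -731 and the corresponding nghttpx.1.rst hunks) remove the old options from the documentation without saying what happens to an existing configuration that still passes them. Please add a sentence (in the option text or the changelog) on whether they are rejected at startup or still accepted as aliases for the new `tls` / `no-tls` keywords; the defender-relevant case is `--backend-tls`, because if it were silently ignored after an upgrade the backend connections would fall back to cleartext TCP without any error, so rejecting the removed flags is the outcome worth documenting.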
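Review bot: Style nit in the nghttpx.1.rst hunk @@ -124: the added lines end with two blank lines before `Default: ``*,3000```, whereas every other option entry in this file separates its paragraphs with a single blank line; drop one of the `+` blank lines. Separately, the h2load.1, nghttp.1 and nghttpd.1 hunks change nothing but the `.TH` date from "March 20, 2016" to "March 25, 2016"; if the generated man pages are committed, consider leaving date-only regeneration out of a doc change that does not touch those pages, to keep the diff focused.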