From c8b6a79225eb98676e84148aa47008580d4fc352 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 7 Feb 2016 21:24:11 +0900 Subject: [PATCH] Update man pages --- doc/h2load.1 | 2 +- doc/nghttp.1 | 2 +- doc/nghttpd.1 | 13 +++++- doc/nghttpd.1.rst | 9 ++++ doc/nghttpx.1 | 102 ++++++++++++++++++++++++++++++++++------------ doc/nghttpx.1.rst | 93 ++++++++++++++++++++++++++++++------------ 6 files changed, 166 insertions(+), 55 deletions(-) diff --git a/doc/h2load.1 b/doc/h2load.1 index 18b49f3d..f9dab89e 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "January 25, 2016" "1.7.0" "nghttp2" +.TH "H2LOAD" "1" "February 07, 2016" "1.8.0-DEV" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/nghttp.1 b/doc/nghttp.1 index cc302ba7..ad205088 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "January 25, 2016" "1.7.0" "nghttp2" +.TH "NGHTTP" "1" "February 07, 2016" "1.8.0-DEV" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index dceb0a0a..e93ccc8a 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "January 25, 2016" "1.7.0" "nghttp2" +.TH "NGHTTPD" "1" "February 07, 2016" "1.8.0-DEV" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . @@ -139,6 +139,17 @@ Make error response gzipped. .UNINDENT .INDENT 0.0 .TP +.B \-w, \-\-window\-bits= +Sets the stream level initial window size to 2**\-1. +.UNINDENT +.INDENT 0.0 +.TP +.B \-W, \-\-connection\-window\-bits= +Sets the connection level initial window size to +2**\-1. +.UNINDENT +.INDENT 0.0 +.TP .B \-\-dh\-param\-file= Path to file that contains DH parameters in PEM format. Without this option, DHE cipher suites are not diff --git a/doc/nghttpd.1.rst b/doc/nghttpd.1.rst index cdb80c31..a059bdea 100644 --- a/doc/nghttpd.1.rst +++ b/doc/nghttpd.1.rst @@ -104,6 +104,15 @@ OPTIONS Make error response gzipped. +.. option:: -w, --window-bits= + + Sets the stream level initial window size to 2\*\*-1. + +.. option:: -W, --connection-window-bits= + + Sets the connection level initial window size to + 2\*\*-1. + .. option:: --dh-param-file= Path to file that contains DH parameters in PEM format. diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index 9c26395c..90ee5a1f 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "January 25, 2016" "1.7.0" "nghttp2" +.TH "NGHTTPX" "1" "February 07, 2016" "1.8.0-DEV" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . @@ -121,7 +121,9 @@ Default: \fB127.0.0.1,80\fP Set frontend host and port. If is \(aq*\(aq, it assumes all addresses including both IPv4 and IPv6. UNIX domain socket can be specified by prefixing path -name with "unix:" (e.g., unix:/var/run/nghttpx.sock) +name with "unix:" (e.g., unix:/var/run/nghttpx.sock). +This option can be used multiple times to listen to +multiple addresses. .sp Default: \fB*,3000\fP .UNINDENT @@ -163,6 +165,22 @@ be specified by \fI\%\-\-backend\-read\-timeout\fP and .B \-\-accept\-proxy\-protocol Accept PROXY protocol version 1 on frontend connection. .UNINDENT +.INDENT 0.0 +.TP +.B \-\-backend\-no\-tls +Disable SSL/TLS on backend connections. For HTTP/2 +backend connections, TLS is enabled by default. For +HTTP/1 backend connections, TLS is disabled by default, +and can be enabled by \fI\%\-\-backend\-http1\-tls\fP option. If +both \fI\%\-\-backend\-no\-tls\fP and \fI\%\-\-backend\-http1\-tls\fP options +are used, \fI\%\-\-backend\-no\-tls\fP has the precedence. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-backend\-http1\-tls +Enable SSL/TLS on backend HTTP/1 connections. See also +\fI\%\-\-backend\-no\-tls\fP option. +.UNINDENT .SS Performance .INDENT 0.0 .TP @@ -396,19 +414,17 @@ described in OpenSSL ciphers(1). .INDENT 0.0 .TP .B \-k, \-\-insecure -Don\(aqt verify backend server\(aqs certificate if \fI\%\-p\fP, -\fI\%\-\-client\fP or \fI\%\-\-http2\-bridge\fP are given and -\fI\%\-\-backend\-no\-tls\fP is not given. +Don\(aqt verify backend server\(aqs certificate if TLS is +enabled for backend connections. .UNINDENT .INDENT 0.0 .TP .B \-\-cacert= -Set path to trusted CA certificate file if \fI\%\-p\fP, \fI\%\-\-client\fP -or \fI\%\-\-http2\-bridge\fP are given and \fI\%\-\-backend\-no\-tls\fP is not -given. The file must be in PEM format. It can contain -multiple certificates. If the linked OpenSSL is -configured to load system wide certificates, they are -loaded at startup regardless of this option. +Set path to trusted CA certificate file used in backend +TLS connections. The file must be in PEM format. It +can contain multiple certificates. If the linked +OpenSSL is configured to load system wide certificates, +they are loaded at startup regardless of this option. .UNINDENT .INDENT 0.0 .TP @@ -616,6 +632,21 @@ TLS HTTP/2 backends. .sp Default: \fB1s\fP .UNINDENT +.INDENT 0.0 +.TP +.B \-\-no\-http2\-cipher\-black\-list +Allow black listed cipher suite on HTTP/2 connection. +See \fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP for +the complete HTTP/2 cipher suites black list. +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-backend\-tls\-session\-cache\-per\-worker= +Set the maximum number of backend TLS session cache +stored per worker. +.sp +Default: \fB10000\fP +.UNINDENT .SS HTTP/2 and SPDY .INDENT 0.0 .TP @@ -666,11 +697,6 @@ Default: \fB16\fP .UNINDENT .INDENT 0.0 .TP -.B \-\-backend\-no\-tls -Disable SSL/TLS on backend connections. -.UNINDENT -.INDENT 0.0 -.TP .B \-\-http2\-no\-cookie\-crumbling Don\(aqt crumble cookie header field. .UNINDENT @@ -868,11 +894,12 @@ Specify the parameter value sent out with "by" parameter of Forwarded header field. If "obfuscated" is given, the string is randomly generated at startup. If "ip" is given, the interface address of the connection, -including port number, is sent with "by" parameter. -User can also specify the static obfuscated string. The -limitation is that it must start with "_", and only -consists of character set [A\-Za\-z0\-9._\-], as described -in RFC 7239. +including port number, is sent with "by" parameter. In +case of UNIX domain socket, "localhost" is used instead +of address and port. User can also specify the static +obfuscated string. The limitation is that it must start +with "_", and only consists of character set +[A\-Za\-z0\-9._\-], as described in RFC 7239. .sp Default: \fBobfuscated\fP .UNINDENT @@ -884,7 +911,8 @@ parameter of Forwarded header field. If "obfuscated" is given, the string is randomly generated for each client connection. If "ip" is given, the remote client address of the connection, without port number, is sent with -"for" parameter. +"for" parameter. In case of UNIX domain socket, +"localhost" is used instead of address. .sp Default: \fBobfuscated\fP .UNINDENT @@ -940,22 +968,42 @@ Example: \fI\%\-\-add\-response\-header\fP="foo: bar" .UNINDENT .INDENT 0.0 .TP -.B \-\-header\-field\-buffer= +.B \-\-request\-header\-field\-buffer= Set maximum buffer size for incoming HTTP request header field list. This is the sum of header name and value in -bytes. +bytes. If trailer fields exist, they are counted +towards this number. .sp Default: \fB64K\fP .UNINDENT .INDENT 0.0 .TP -.B \-\-max\-header\-fields= +.B \-\-max\-request\-header\-fields= Set maximum number of incoming HTTP request header -fields, which appear in one request or response header -field list. +fields. If trailer fields exist, they are counted +towards this number. .sp Default: \fB100\fP .UNINDENT +.INDENT 0.0 +.TP +.B \-\-response\-header\-field\-buffer= +Set maximum buffer size for incoming HTTP response +header field list. This is the sum of header name and +value in bytes. If trailer fields exist, they are +counted towards this number. +.sp +Default: \fB64K\fP +.UNINDENT +.INDENT 0.0 +.TP +.B \-\-max\-response\-header\-fields= +Set maximum number of incoming HTTP response header +fields. If trailer fields exist, they are counted +towards this number. +.sp +Default: \fB500\fP +.UNINDENT .SS Debug .INDENT 0.0 .TP diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst index ba5ac4ed..ffafa2bf 100644 --- a/doc/nghttpx.1.rst +++ b/doc/nghttpx.1.rst @@ -104,7 +104,9 @@ Connections Set frontend host and port. If is '\*', it assumes all addresses including both IPv4 and IPv6. UNIX domain socket can be specified by prefixing path - name with "unix:" (e.g., unix:/var/run/nghttpx.sock) + name with "unix:" (e.g., unix:/var/run/nghttpx.sock). + This option can be used multiple times to listen to + multiple addresses. Default: ``*,3000`` @@ -141,6 +143,20 @@ Connections Accept PROXY protocol version 1 on frontend connection. +.. option:: --backend-no-tls + + Disable SSL/TLS on backend connections. For HTTP/2 + backend connections, TLS is enabled by default. For + HTTP/1 backend connections, TLS is disabled by default, + and can be enabled by :option:`--backend-http1-tls` option. If + both :option:`--backend-no-tls` and :option:`\--backend-http1-tls` options + are used, :option:`--backend-no-tls` has the precedence. + +.. option:: --backend-http1-tls + + Enable SSL/TLS on backend HTTP/1 connections. See also + :option:`--backend-no-tls` option. + Performance ~~~~~~~~~~~ @@ -354,18 +370,16 @@ SSL/TLS .. option:: -k, --insecure - Don't verify backend server's certificate if :option:`-p`\, - :option:`--client` or :option:`\--http2-bridge` are given and - :option:`--backend-no-tls` is not given. + Don't verify backend server's certificate if TLS is + enabled for backend connections. .. option:: --cacert= - Set path to trusted CA certificate file if :option:`-p`\, :option:`--client` - or :option:`--http2-bridge` are given and :option:`\--backend-no-tls` is not - given. The file must be in PEM format. It can contain - multiple certificates. If the linked OpenSSL is - configured to load system wide certificates, they are - loaded at startup regardless of this option. + Set path to trusted CA certificate file used in backend + TLS connections. The file must be in PEM format. It + can contain multiple certificates. If the linked + OpenSSL is configured to load system wide certificates, + they are loaded at startup regardless of this option. .. option:: --private-key-passwd-file= @@ -551,6 +565,19 @@ SSL/TLS Default: ``1s`` +.. option:: --no-http2-cipher-black-list + + Allow black listed cipher suite on HTTP/2 connection. + See https://tools.ietf.org/html/rfc7540#appendix-A for + the complete HTTP/2 cipher suites black list. + +.. option:: --backend-tls-session-cache-per-worker= + + Set the maximum number of backend TLS session cache + stored per worker. + + Default: ``10000`` + HTTP/2 and SPDY ~~~~~~~~~~~~~~~ @@ -596,10 +623,6 @@ HTTP/2 and SPDY Default: ``16`` -.. option:: --backend-no-tls - - Disable SSL/TLS on backend connections. - .. option:: --http2-no-cookie-crumbling Don't crumble cookie header field. @@ -773,11 +796,12 @@ HTTP of Forwarded header field. If "obfuscated" is given, the string is randomly generated at startup. If "ip" is given, the interface address of the connection, - including port number, is sent with "by" parameter. - User can also specify the static obfuscated string. The - limitation is that it must start with "_", and only - consists of character set [A-Za-z0-9._-], as described - in RFC 7239. + including port number, is sent with "by" parameter. In + case of UNIX domain socket, "localhost" is used instead + of address and port. User can also specify the static + obfuscated string. The limitation is that it must start + with "_", and only consists of character set + [A-Za-z0-9._-], as described in RFC 7239. Default: ``obfuscated`` @@ -788,7 +812,8 @@ HTTP given, the string is randomly generated for each client connection. If "ip" is given, the remote client address of the connection, without port number, is sent with - "for" parameter. + "for" parameter. In case of UNIX domain socket, + "localhost" is used instead of address. Default: ``obfuscated`` @@ -836,22 +861,40 @@ HTTP used several times to specify multiple header fields. Example: :option:`--add-response-header`\="foo: bar" -.. option:: --header-field-buffer= +.. option:: --request-header-field-buffer= Set maximum buffer size for incoming HTTP request header field list. This is the sum of header name and value in - bytes. + bytes. If trailer fields exist, they are counted + towards this number. Default: ``64K`` -.. option:: --max-header-fields= +.. option:: --max-request-header-fields= Set maximum number of incoming HTTP request header - fields, which appear in one request or response header - field list. + fields. If trailer fields exist, they are counted + towards this number. Default: ``100`` +.. option:: --response-header-field-buffer= + + Set maximum buffer size for incoming HTTP response + header field list. This is the sum of header name and + value in bytes. If trailer fields exist, they are + counted towards this number. + + Default: ``64K`` + +.. option:: --max-response-header-fields= + + Set maximum number of incoming HTTP response header + fields. If trailer fields exist, they are counted + towards this number. + + Default: ``500`` + Debug ~~~~~