diff --git a/doc/h2load.1 b/doc/h2load.1 index 24842a12..78ad9443 100644 --- a/doc/h2load.1 +++ b/doc/h2load.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "H2LOAD" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2" +.TH "H2LOAD" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2" .SH NAME h2load \- HTTP/2 benchmarking tool . diff --git a/doc/h2load.1.rst b/doc/h2load.1.rst index c3cbe657..bf4703ed 100644 --- a/doc/h2load.1.rst +++ b/doc/h2load.1.rst @@ -74,14 +74,14 @@ OPTIONS .. option:: -w, --window-bits= Sets the stream level initial window size to (2\*\*)-1. - For SPDY, 2** is used instead. + For SPDY, 2\*\* is used instead. Default: ``30`` .. option:: -W, --connection-window-bits= Sets the connection level initial window size to - (2**)-1. For SPDY, if is strictly less than 16, + (2\*\*)-1. For SPDY, if is strictly less than 16, this option is ignored. Otherwise 2\*\* is used for SPDY. diff --git a/doc/nghttp.1 b/doc/nghttp.1 index 1aebe998..b8622d5e 100644 --- a/doc/nghttp.1 +++ b/doc/nghttp.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTP" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2" +.TH "NGHTTP" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2" .SH NAME nghttp \- HTTP/2 client . diff --git a/doc/nghttpd.1 b/doc/nghttpd.1 index 03382039..9ded4038 100644 --- a/doc/nghttpd.1 +++ b/doc/nghttpd.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPD" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2" +.TH "NGHTTPD" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2" .SH NAME nghttpd \- HTTP/2 server . diff --git a/doc/nghttpx.1 b/doc/nghttpx.1 index 18e50ca2..cc9dcd6d 100644 --- a/doc/nghttpx.1 +++ b/doc/nghttpx.1 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "NGHTTPX" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2" +.TH "NGHTTPX" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2" .SH NAME nghttpx \- HTTP/2 proxy . 
@@ -55,7 +55,7 @@ The options are categorized into several groups. .SS Connections .INDENT 0.0 .TP -.B \-b, \-\-backend=(,|unix:)[;[[:...]][[;PARAM]...] +.B \-b, \-\-backend=(,|unix:)[;[[:...]][[;]...] Set backend host and port. The multiple backend addresses are accepted by repeating this option. UNIX domain socket can be specified by prefixing path name @@ -183,7 +183,7 @@ Default: \fB127.0.0.1,80\fP .UNINDENT .INDENT 0.0 .TP -.B \-f, \-\-frontend=(,|unix:)[[;PARAM]...] +.B \-f, \-\-frontend=(,|unix:)[[;]...] Set frontend host and port. If is \(aq*\(aq, it assumes all addresses including both IPv4 and IPv6. UNIX domain socket can be specified by prefixing path @@ -542,12 +542,21 @@ password protected it\(aqll be requested interactively. .UNINDENT .INDENT 0.0 .TP -.B \-\-subcert=: +.B \-\-subcert=:[[;]...] Specify additional certificate and private key file. nghttpx will choose certificates based on the hostname indicated by client using TLS SNI extension. This option can be used multiple times. To make OCSP stapling work, must be absolute path. +.sp +Additional parameter can be specified in . The +available is "sct\-dir=". +.sp +"sct\-dir=" specifies the path to directory which +contains *.sct files for TLS +signed_certificate_timestamp extension (RFC 6962). This +feature requires OpenSSL >= 1.0.2. See also +\fI\%\-\-tls\-sct\-dir\fP option. .UNINDENT .INDENT 0.0 .TP 
@@ -790,6 +799,18 @@ Allow black listed cipher suite on HTTP/2 connection. See \fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP for the complete HTTP/2 cipher suites black list. .UNINDENT +.INDENT 0.0 +.TP +.B \-\-tls\-sct\-dir= +Specifies the directory where *.sct files exist. All +*.sct files in are read, and sent as +extension_data of TLS signed_certificate_timestamp (RFC +6962) to client. These *.sct files are for the +certificate specified in positional command\-line +argument , or certificate option in configuration +file. For additional certificates, use \fI\%\-\-subcert\fP +option. This option requires OpenSSL >= 1.0.2. +.UNINDENT .SS HTTP/2 and SPDY .INDENT 0.0 .TP @@ -1536,6 +1557,19 @@ If \fI\%\-\-tls\-ticket\-key\-file\fP is given, encryption key is read from the given file. In this case, nghttpx does not rotate key automatically. To rotate key, one has to restart nghttpx (see SIGNALS). +.SH CERTIFICATE TRANSPARENCY +.sp +nghttpx supports TLS \fBsigned_certificate_timestamp\fP extension (\fI\%RFC +6962\fP). The relevant options +are \fI\%\-\-tls\-sct\-dir\fP and \fBsct\-dir\fP parameter in +\fI\%\-\-subcert\fP\&. They takes a directory, and nghttpx reads all +files whose extension is \fB\&.sct\fP under the directory. The \fB*.sct\fP +files are encoded as \fBSignedCertificateTimestamp\fP struct described +in \fI\%section 3.2 of RFC 69662\fP\&. This format is +the same one used by \fI\%nginx\-ct\fP and \fI\%mod_ssl_ct\fP\&. +\fI\%ct\-submit\fP can be +used to submit certificates to log servers, and obtain the +\fBSignedCertificateTimestamp\fP struct which can be used with nghttpx. .SH MRUBY SCRIPTING .sp \fBWARNING:\fP diff --git a/doc/nghttpx.1.rst b/doc/nghttpx.1.rst index 7c6dab0c..aeffb0cb 100644 --- a/doc/nghttpx.1.rst +++ b/doc/nghttpx.1.rst 
@@ -37,7 +37,7 @@ The options are categorized into several groups. Connections ~~~~~~~~~~~ -.. option:: -b, --backend=(,|unix:)[;[[:...]][[;PARAM]...] +.. option:: -b, --backend=(,|unix:)[;[[:...]][[;]...] Set backend host and port. The multiple backend @@ -70,7 +70,7 @@ Connections Host can include "\*" in the left most position to indicate wildcard match (only suffix match is done). - The "*" must match at least one character. For example, + The "\*" must match at least one character. For example, host pattern "\*.nghttp2.org" matches against "www.nghttp2.org" and "git.ngttp2.org", but does not match against "nghttp2.org". The exact hosts match @@ -166,7 +166,7 @@ Connections Default: ``127.0.0.1,80`` -.. option:: -f, --frontend=(,|unix:)[[;PARAM]...] +.. option:: -f, --frontend=(,|unix:)[[;]...] Set frontend host and port. If is '\*', it assumes all addresses including both IPv4 and IPv6. @@ -496,7 +496,7 @@ SSL/TLS private key. If none is given and the private key is password protected it'll be requested interactively. -.. option:: --subcert=: +.. option:: --subcert=:[[;]...] Specify additional certificate and private key file. nghttpx will choose certificates based on the hostname @@ -504,6 +504,15 @@ SSL/TLS option can be used multiple times. To make OCSP stapling work, must be absolute path. + Additional parameter can be specified in . The + available is "sct-dir=". + + "sct-dir=" specifies the path to directory which + contains \*.sct files for TLS + signed_certificate_timestamp extension (RFC 6962). This + feature requires OpenSSL >= 1.0.2. See also + :option:`--tls-sct-dir` option. + .. option:: --dh-param-file= Path to file that contains DH parameters in PEM format. 
@@ -719,6 +728,17 @@ SSL/TLS See https://tools.ietf.org/html/rfc7540#appendix-A for the complete HTTP/2 cipher suites black list. +.. option:: --tls-sct-dir= + + Specifies the directory where \*.sct files exist. All + \*.sct files in are read, and sent as + extension_data of TLS signed_certificate_timestamp (RFC + 6962) to client. These \*.sct files are for the + certificate specified in positional command-line + argument , or certificate option in configuration + file. For additional certificates, use :option:`--subcert` + option. This option requires OpenSSL >= 1.0.2. + HTTP/2 and SPDY ~~~~~~~~~~~~~~~ @@ -1083,7 +1103,7 @@ HTTP Set file path to custom error page served when nghttpx originally generates HTTP error status code . must be greater than or equal to 400, and at most - 599. If "*" is used instead of , it matches all + 599. If "\*" is used instead of , it matches all HTTP status code. If error status code comes from backend server, the custom error pages are not used. @@ -1407,6 +1427,24 @@ from the given file. In this case, nghttpx does not rotate key automatically. To rotate key, one has to restart nghttpx (see SIGNALS). +CERTIFICATE TRANSPARENCY +------------------------ + +nghttpx supports TLS ``signed_certificate_timestamp`` extension (`RFC +6962 `_). The relevant options +are :option:`--tls-sct-dir` and ``sct-dir`` parameter in +:option:`--subcert`. They takes a directory, and nghttpx reads all +files whose extension is ``.sct`` under the directory. The ``*.sct`` +files are encoded as ``SignedCertificateTimestamp`` struct described +in `section 3.2 of RFC 69662 +`_. This format is +the same one used by `nginx-ct +`_ and `mod_ssl_ct +`_. +`ct-submit `_ can be +used to submit certificates to log servers, and obtain the +``SignedCertificateTimestamp`` struct which can be used with nghttpx. + MRUBY SCRIPTING ---------------
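Review bot: typo in the new CERTIFICATE TRANSPARENCY section (present in both doc/nghttpx.1.rst and the generated doc/nghttpx.1): "section 3.2 of RFC 69662" should read "RFC 6962", matching the reference two sentences earlier; in the same paragraph "They takes a directory" should be "They take a directory". Make the fix in the .rst source and regenerate the man page so the two stay in sync.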
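Review bot: the wording "sent as extension_data of TLS signed_certificate_timestamp" in the new --tls-sct-dir entry is imprecise: RFC 6962 section 3.3 defines the extension payload as a SignedCertificateTimestampList, a length-prefixed list of length-prefixed SerializedSCT values, while the CERTIFICATE TRANSPARENCY section says each file holds a bare SignedCertificateTimestamp struct. Suggest stating that nghttpx assembles the list from the individual files, so operators know not to store the list encoding themselves, and stating whether a malformed or oversized *.sct file aborts startup or is skipped, since the text says all files under the directory are read.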
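Review bot: both the --tls-sct-dir entry and the new sct-dir sub-parameter of --subcert say "This option requires OpenSSL >= 1.0.2" without saying what happens otherwise; document whether nghttpx rejects the option at startup or silently serves no SCTs when built against an older OpenSSL, as the latter is an easy-to-miss configuration failure. The --subcert entry already notes that the path "must be absolute path" for OCSP stapling; say whether the same requirement applies to sct-dir.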