nghttp2/nghttpx-howto.html

510 lines
29 KiB
HTML

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>nghttpx - HTTP/2 proxy - HOW-TO &mdash; nghttp2 0.6.0-DEV documentation</title>
<link href='https://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700|Inconsolata:400,700' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="top" title="nghttp2 0.6.0-DEV documentation" href="index.html"/>
<link rel="next" title="h2load - HTTP/2 benchmarking tool - HOW-TO" href="h2load-howto.html"/>
<link rel="prev" title="h2load(1)" href="h2load.1.html"/>
<script src="https://cdnjs.cloudflare.com/ajax/libs/modernizr/2.6.2/modernizr.min.js"></script>
</head>
<body class="wy-body-for-nav" role="document">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-nav-search">
<a href="index.html" class="fa fa-home"> nghttp2</a>
<div role="search">
<form id ="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="package_README.html">nghttp2 - HTTP/2 C Library</a><ul>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#development-status">Development Status</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#public-test-server">Public Test Server</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#requirements">Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#build-from-git">Build from git</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#building-documentation">Building documentation</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#client-server-and-proxy-programs">Client, Server and Proxy programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#benchmarking-tool">Benchmarking tool</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#hpack-tools">HPACK tools</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#python-bindings">Python bindings</a></li>
<li class="toctree-l2"><a class="reference internal" href="package_README.html#contribution">Contribution</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="building-android-binary.html">Building Android binary</a></li>
<li class="toctree-l1"><a class="reference internal" href="tutorial-client.html">Tutorial: HTTP/2 client</a><ul>
<li class="toctree-l2"><a class="reference internal" href="tutorial-client.html#libevent-client-c">libevent-client.c</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="tutorial-server.html">Tutorial: HTTP/2 server</a><ul>
<li class="toctree-l2"><a class="reference internal" href="tutorial-server.html#libevent-server-c">libevent-server.c</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="tutorial-hpack.html">Tutorial: HPACK API</a><ul>
<li class="toctree-l2"><a class="reference internal" href="tutorial-hpack.html#deflating-encoding-headers">Deflating (encoding) headers</a></li>
<li class="toctree-l2"><a class="reference internal" href="tutorial-hpack.html#inflating-decoding-headers">Inflating (decoding) headers</a></li>
<li class="toctree-l2"><a class="reference internal" href="tutorial-hpack.html#deflate-c">deflate.c</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="nghttp.1.html">nghttp(1)</a><ul>
<li class="toctree-l2"><a class="reference internal" href="nghttp.1.html#name">NAME</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttp.1.html#synopsis">SYNOPSIS</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttp.1.html#description">DESCRIPTION</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttp.1.html#options">OPTIONS</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttp.1.html#see-also">SEE ALSO</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="nghttpd.1.html">nghttpd(1)</a><ul>
<li class="toctree-l2"><a class="reference internal" href="nghttpd.1.html#name">NAME</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpd.1.html#synopsis">SYNOPSIS</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpd.1.html#description">DESCRIPTION</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpd.1.html#options">OPTIONS</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpd.1.html#see-also">SEE ALSO</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="nghttpx.1.html">nghttpx(1)</a><ul>
<li class="toctree-l2"><a class="reference internal" href="nghttpx.1.html#name">NAME</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpx.1.html#synopsis">SYNOPSIS</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpx.1.html#description">DESCRIPTION</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpx.1.html#options">OPTIONS</a></li>
<li class="toctree-l2"><a class="reference internal" href="nghttpx.1.html#see-also">SEE ALSO</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="h2load.1.html">h2load(1)</a><ul>
<li class="toctree-l2"><a class="reference internal" href="h2load.1.html#name">NAME</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load.1.html#synopsis">SYNOPSIS</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load.1.html#description">DESCRIPTION</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load.1.html#options">OPTIONS</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load.1.html#see-also">SEE ALSO</a></li>
</ul>
</li>
<li class="toctree-l1 current"><a class="current reference internal" href="">nghttpx - HTTP/2 proxy - HOW-TO</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#default-mode">Default mode</a></li>
<li class="toctree-l2"><a class="reference internal" href="#http-2-proxy-mode">HTTP/2 proxy mode</a></li>
<li class="toctree-l2"><a class="reference internal" href="#client-mode">Client mode</a></li>
<li class="toctree-l2"><a class="reference internal" href="#client-proxy-mode">Client proxy mode</a></li>
<li class="toctree-l2"><a class="reference internal" href="#http-2-bridge-mode">HTTP/2 bridge mode</a></li>
<li class="toctree-l2"><a class="reference internal" href="#disable-ssl-tls">Disable SSL/TLS</a></li>
<li class="toctree-l2"><a class="reference internal" href="#specifying-additional-ca-certificate">Specifying additional CA certificate</a></li>
<li class="toctree-l2"><a class="reference internal" href="#read-write-rate-limit">Read/write rate limit</a></li>
<li class="toctree-l2"><a class="reference internal" href="#rewriting-location-header-field">Rewriting location header field</a></li>
<li class="toctree-l2"><a class="reference internal" href="#hot-deploy">Hot deploy</a></li>
<li class="toctree-l2"><a class="reference internal" href="#re-opening-log-files">Re-opening log files</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="h2load-howto.html">h2load - HTTP/2 benchmarking tool - HOW-TO</a><ul>
<li class="toctree-l2"><a class="reference internal" href="h2load-howto.html#basic-usage">Basic Usage</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load-howto.html#flow-control">Flow Control</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load-howto.html#multi-threading">Multi-Threading</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load-howto.html#selecting-protocol-for-clear-text">Selecting protocol for clear text</a></li>
<li class="toctree-l2"><a class="reference internal" href="h2load-howto.html#multiple-uris">Multiple URIs</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="apiref.html">API Reference</a><ul>
<li class="toctree-l2"><a class="reference internal" href="apiref.html#includes">Includes</a></li>
<li class="toctree-l2"><a class="reference internal" href="apiref.html#remarks">Remarks</a></li>
<li class="toctree-l2"><a class="reference internal" href="apiref.html#macros">Macros</a></li>
<li class="toctree-l2"><a class="reference internal" href="apiref.html#enums">Enums</a></li>
<li class="toctree-l2"><a class="reference internal" href="apiref.html#types-structs-unions-and-typedefs">Types (structs, unions and typedefs)</a></li>
<li class="toctree-l2"><a class="reference internal" href="apiref.html#functions">Functions</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="python-apiref.html">Python API Reference</a><ul>
<li class="toctree-l2"><a class="reference internal" href="python-apiref.html#hpack-api">HPACK API</a></li>
<li class="toctree-l2"><a class="reference internal" href="python-apiref.html#http-2-servers">HTTP/2 servers</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="nghttp2.h.html">nghttp2.h</a></li>
<li class="toctree-l1"><a class="reference internal" href="nghttp2ver.h.html">nghttp2ver.h</a></li>
<li class="toctree-l1"><a class="reference external" href="https://github.com/tatsuhiro-t/nghttp2">Source</a></li>
<li class="toctree-l1"><a class="reference external" href="https://github.com/tatsuhiro-t/nghttp2/issues">Issues</a></li>
</ul>
</div>
&nbsp;
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" role="navigation" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">nghttp2</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html">Docs</a> &raquo;</li>
<li>nghttpx - HTTP/2 proxy - HOW-TO</li>
<li class="wy-breadcrumbs-aside">
</li>
</ul>
<hr/>
</div>
<div role="main">
<div class="section" id="nghttpx-http-2-proxy-how-to">
<h1>nghttpx - HTTP/2 proxy - HOW-TO<a class="headerlink" href="#nghttpx-http-2-proxy-how-to" title="Permalink to this headline"></a></h1>
<p>nghttpx is a proxy translating protocols between HTTP/2 and other
protocols (e.g., HTTP/1, SPDY). It operates in several modes and each
mode may require additional programs to work with. This article
describes each operation mode and explains the intended use-cases. It
also covers some useful options later.</p>
<div class="section" id="default-mode">
<h2>Default mode<a class="headerlink" href="#default-mode" title="Permalink to this headline"></a></h2>
<p>If nghttpx is invoked without any <tt class="docutils literal"><span class="pre">-s</span></tt>, <tt class="docutils literal"><span class="pre">-p</span></tt> and <tt class="docutils literal"><span class="pre">--client</span></tt>, it
operates in default mode. In this mode, nghttpx frontend listens for
HTTP/2 requests and translates them to HTTP/1 requests. Thus it works
as reverse proxy (gateway) for HTTP/2 clients to HTTP/1 web server.
HTTP/1 requests are also supported in frontend as a fallback. If
nghttpx is linked with spdylay library and frontend connection is
SSL/TLS, the frontend also supports SPDY protocol.</p>
<p>By default, this mode&#8217;s frontend connection is encrypted using
SSL/TLS. So server&#8217;s private key and certificate must be supplied to
the command line (or through configuration file). In this case, the
fontend protocol selection will is done via ALPN or NPN.</p>
<p>With <tt class="docutils literal"><span class="pre">--frontend-no-tls</span></tt> option, user can turn off SSL/TLS in
frontend connection. In this case, SPDY protocol is not available
even if spdylay library is liked to nghttpx. HTTP/2 and HTTP/1 are
available on the frontend and a HTTP/1 connection can be upgraded to
HTTP/2 using HTTP Upgrade. Starting HTTP/2 connection by sending
HTTP/2 connection preface is also supported.</p>
<p>The backend is supposed to be HTTP/1 Web server. For example, to make
nghttpx listen to encrypted HTTP/2 requests at port 8443, and a
backend HTTP/1 web server is configured to listen to HTTP/1 request at
port 8080 in the same host, run nghttpx command-line like this:</p>
<div class="highlight-c"><div class="highlight"><pre>$ nghttpx -f0.0.0.0,8443 -b127.0.0.1,8080 /path/to/server.key /path/to/server.crt
</pre></div>
</div>
<p>Then HTTP/2 enabled client can access to the nghttpx in HTTP/2. For
example, you can send GET request to the server using nghttp:</p>
<div class="highlight-c"><div class="highlight"><pre>$ nghttp -nv https://localhost:8443/
</pre></div>
</div>
</div>
<div class="section" id="http-2-proxy-mode">
<h2>HTTP/2 proxy mode<a class="headerlink" href="#http-2-proxy-mode" title="Permalink to this headline"></a></h2>
<p>If nghttpx is invoked with <tt class="docutils literal"><span class="pre">-s</span></tt> option, it operates in HTTP/2 proxy
mode. The supported protocols in frontend and backend connections are
the same in <a class="reference internal" href="#default-mode">default mode</a>. The difference is that this mode acts
like forward proxy and assumes the backend is HTTP/1 proxy server
(e.g., squid, traffic server). So HTTP/1 request must include
absolute URI in request line.</p>
<p>By default, frontend connection is encrypted, this mode is also called
secure proxy. If nghttpx is linked with spdylay, it supports SPDY
protocols and it works as so called SPDY proxy.</p>
<p>With <tt class="docutils literal"><span class="pre">--frontend-no-tls</span></tt> option, SSL/TLS is turned off in frontend
connection, so the connection gets insecure.</p>
<p>The backend must be HTTP/1 proxy server. nghttpx only supports 1
backend server address. It translates incoming requests to HTTP/1
request to backend server. The backend server performs real proxy
work for each request, for example, dispatching requests to the origin
server and caching contents.</p>
<p>For example, to make nghttpx listen to encrypted HTTP/2 requests at
port 8443, and a backend HTTP/1 proxy server is configured to listen
to HTTP/1 request at port 8080 in the same host, run nghttpx
command-line like this:</p>
<div class="highlight-c"><div class="highlight"><pre>$ nghttpx -s -f&#39;*,8443&#39; -b127.0.0.1,8080 /path/to/server.key /path/to/server.crt
</pre></div>
</div>
<p>At the time of this writing, Firefox nightly supports HTTP/2 proxy.
Chromium can use nghttpx as secure (SPDY) proxy and will support
HTTP/2 proxy in the near future.</p>
<p>To make Firefox nightly or Chromium use nghttpx as HTTP/2 or SPDY
proxy, user has to create proxy.pac script file like this:</p>
<div class="highlight-javascript"><div class="highlight"><pre><span class="kd">function</span> <span class="nx">FindProxyForURL</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">host</span><span class="p">)</span> <span class="p">{</span>
<span class="k">return</span> <span class="s2">&quot;HTTPS SERVERADDR:PORT&quot;</span><span class="p">;</span>
<span class="p">}</span>
</pre></div>
</div>
<p><tt class="docutils literal"><span class="pre">SERVERADDR</span></tt> and <tt class="docutils literal"><span class="pre">PORT</span></tt> is the hostname/address and port of the
machine nghttpx is running. Please note that both Firefox nightly and
Chromium requires valid certificate for secure proxy.</p>
<p>For Firefox nightly, open Preference window and select Advanced then
click Network tab. Clicking Connection Settings button will show the
dialog. Select &#8220;Automatic proxy configuration URL&#8221; and enter the path
to proxy.pac file, something like this:</p>
<div class="highlight-c"><div class="highlight"><pre><span class="nl">file:</span><span class="c1">///path/to/proxy.pac</span>
</pre></div>
</div>
<p>For Chromium, use following command-line:</p>
<div class="highlight-c"><div class="highlight"><pre>$ google-chrome --proxy-pac-url=file:///path/to/proxy.pac --use-npn
</pre></div>
</div>
<p>Squid may work as out-of-box. Traffic server requires to be
configured as forward proxy. Here is the minimum configuration items
to edit:</p>
<div class="highlight-c"><div class="highlight"><pre><span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">reverse_proxy</span><span class="p">.</span><span class="n">enabled</span> <span class="n">INT</span> <span class="mi">0</span>
<span class="n">CONFIG</span> <span class="n">proxy</span><span class="p">.</span><span class="n">config</span><span class="p">.</span><span class="n">url_remap</span><span class="p">.</span><span class="n">remap_required</span> <span class="n">INT</span> <span class="mi">0</span>
</pre></div>
</div>
<p>Consult Traffic server <a class="reference external" href="https://docs.trafficserver.apache.org/en/latest/admin/forward-proxy.en.html">documentation</a>
to know how to configure traffic server as forward proxy and its
security implications.</p>
</div>
<div class="section" id="client-mode">
<h2>Client mode<a class="headerlink" href="#client-mode" title="Permalink to this headline"></a></h2>
<p>If nghttpx is invoked with <tt class="docutils literal"><span class="pre">--client</span></tt> option, it operates in client
mode. In this mode, nghttpx listens for plain, unencrypted HTTP/2 and
HTTP/1 requests and translates them to encrypted HTTP/2 requests to
the backend. User cannot enable SSL/TLS in frontend connection.</p>
<p>HTTP/1 frontend connection can be upgraded to HTTP/2 using HTTP
Upgrade. To disable SSL/TLS in backend connection, use
<tt class="docutils literal"><span class="pre">--backend-no-tls</span></tt> option.</p>
<p>The backend connection is created one per worker (thread).</p>
<p>The backend server is supporsed to be a HTTP/2 web server (e.g.,
nghttpd). The one use-case of this mode is utilize existing HTTP/1
clients to test HTTP/2 deployment. Suppose that HTTP/2 web server
listens to port 80 without encryption. Then run nghttpx as client
mode to access to that web server:</p>
<div class="highlight-c"><div class="highlight"><pre>$ nghttpx --client -f127.0.0.1,8080 -b127.0.0.1,80 --backend-no-tls
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">You may need <tt class="docutils literal"><span class="pre">-k</span></tt> option if HTTP/2 server enables SSL/TLS and
its certificate is self-signed. But please note that it is
insecure.</p>
</div>
<p>Then you can use curl to access HTTP/2 server via nghttpx:</p>
<div class="highlight-c"><div class="highlight"><pre>$ curl http://localhost:8080/
</pre></div>
</div>
</div>
<div class="section" id="client-proxy-mode">
<h2>Client proxy mode<a class="headerlink" href="#client-proxy-mode" title="Permalink to this headline"></a></h2>
<p>If nghttpx is invoked with <tt class="docutils literal"><span class="pre">-p</span></tt> option, it operates in client proxy
mode. This mode behaves like <a class="reference internal" href="#client-mode">client mode</a>, but it works like
forward proxy. So HTTP/1 request must include absolute URI in request
line.</p>
<p>HTTP/1 frontend connection can be upgraded to HTTP/2 using HTTP
Upgrade. To disable SSL/TLS in backend connection, use
<tt class="docutils literal"><span class="pre">--backend-no-tls</span></tt> option.</p>
<p>The backend connection is created one per worker (thread).</p>
<p>The backend server must be a HTTP/2 proxy. You can use nghttpx in
<a class="reference internal" href="#http-2-proxy-mode">HTTP/2 proxy mode</a> as backend server. The one use-case of this mode
is utilize existing HTTP/1 clients to test HTTP/2 connections between
2 proxies. The another use-case is use this mode to aggregate local
HTTP/1 connections to one HTTP/2 backend encrypted connection. This
makes HTTP/1 clients which does not support secure proxy can use
secure HTTP/2 proxy via nghttpx client mode.</p>
<p>Suppose that HTTP/2 proxy listens to port 8443, just like we saw in
<a class="reference internal" href="#http-2-proxy-mode">HTTP/2 proxy mode</a>. To run nghttpx in client proxy mode to access
that server, invoke nghttpx like this:</p>
<div class="highlight-c"><div class="highlight"><pre>$ nghttpx -p -f127.0.0.1,8080 -b127.0.0.1,8443
</pre></div>
</div>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">You may need <tt class="docutils literal"><span class="pre">-k</span></tt> option if HTTP/2 server&#8217;s certificate is
self-signed. But please note that it is insecure.</p>
</div>
<p>Then you can use curl to issue HTTP request via HTTP/2 proxy:</p>
<div class="highlight-c"><div class="highlight"><pre>$ curl --http-proxy=http://localhost:8080 http://www.google.com/
</pre></div>
</div>
<p>You can configure web browser to use localhost:8080 as forward
proxy.</p>
</div>
<div class="section" id="http-2-bridge-mode">
<h2>HTTP/2 bridge mode<a class="headerlink" href="#http-2-bridge-mode" title="Permalink to this headline"></a></h2>
<p>If nghttpx is invoked with <tt class="docutils literal"><span class="pre">--http2-bridge</span></tt> option, it operates in
HTTP/2 bridge mode. The supported protocols in frontend connections
are the same in <a class="reference internal" href="#default-mode">default mode</a>. The protocol in backend is HTTP/2
only.</p>
<p>With <tt class="docutils literal"><span class="pre">--frontend-no-tls</span></tt> option, SSL/TLS is turned off in frontend
connection, so the connection gets insecure. To disable SSL/TLS in
backend connection, use <tt class="docutils literal"><span class="pre">--backend-no-tls</span></tt> option.</p>
<p>The backend server is supporsed to be a HTTP/2 web server or HTTP/2
proxy. If backend server is HTTP/2 proxy, use
<tt class="docutils literal"><span class="pre">--no-location-rewrite</span></tt> option to disable rewriting location header
field.</p>
<p>The use-case of this mode is aggregate the incoming connections to one
HTTP/2 connection. One backend HTTP/2 connection is created per
worker (thread).</p>
</div>
<div class="section" id="disable-ssl-tls">
<h2>Disable SSL/TLS<a class="headerlink" href="#disable-ssl-tls" title="Permalink to this headline"></a></h2>
<p>In <a class="reference internal" href="#default-mode">default mode</a>, <a class="reference internal" href="#http-2-proxy-mode">HTTP/2 proxy mode</a> and <a class="reference internal" href="#http-2-bridge-mode">HTTP/2 bridge mode</a>,
frontend connections are encrypted with SSL/TLS by default. To turn
off SSL/TLS, use <tt class="docutils literal"><span class="pre">--frontend-no-tls</span></tt> option. If this option is
used, the private key and certificate are not required to run nghttpx.</p>
<p>In <a class="reference internal" href="#client-mode">client mode</a>, <a class="reference internal" href="#client-proxy-mode">client proxy mode</a> and <a class="reference internal" href="#http-2-bridge-mode">HTTP/2 bridge mode</a>,
backend connections are encrypted with SSL/TLS by default. To turn
off SSL/TLS, use <tt class="docutils literal"><span class="pre">--backend-no-tls</span></tt> option.</p>
</div>
<div class="section" id="specifying-additional-ca-certificate">
<h2>Specifying additional CA certificate<a class="headerlink" href="#specifying-additional-ca-certificate" title="Permalink to this headline"></a></h2>
<p>By default, nghttpx tries to read CA certificate from system. But
depending on the system you use, this may fail or is not supported.
To specify CA certificate manually, use <tt class="docutils literal"><span class="pre">--cacert</span></tt> option. The
specified file must be PEM format and can contain multiple
certificates.</p>
<p>By default, nghttpx validates server&#8217;s certificate. If you want to
turn off this validation, knowing this is really insecure and what you
are doing, you can use <tt class="docutils literal"><span class="pre">-k</span></tt> option to disable certificate
validation.</p>
</div>
<div class="section" id="read-write-rate-limit">
<h2>Read/write rate limit<a class="headerlink" href="#read-write-rate-limit" title="Permalink to this headline"></a></h2>
<p>nghttpx supports transfer rate limiting on frontend connections. You
can do rate limit per worker (thread) for reading and writeing
individually.</p>
<p>To rate limit per worker (thread), use <tt class="docutils literal"><span class="pre">--worker-read-rate</span></tt> and
<tt class="docutils literal"><span class="pre">--worker-read-burst</span></tt> options. For writing, use
<tt class="docutils literal"><span class="pre">--worker-write-rate</span></tt> and <tt class="docutils literal"><span class="pre">--worker-write-burst</span></tt>.</p>
<p>Please note that rate limit is performed on top of TCP and nothing to
do with HTTP/2 flow control.</p>
</div>
<div class="section" id="rewriting-location-header-field">
<h2>Rewriting location header field<a class="headerlink" href="#rewriting-location-header-field" title="Permalink to this headline"></a></h2>
<p>nghttpx automatically rewrites location response header field if the
following all conditions satisfy:</p>
<ul class="simple">
<li>URI in location header field is not absolute URI or is not https URI.</li>
<li>URI in location header field includes non empty host component.</li>
<li>host (without port) in URI in location header field must match the
host appearing in :authority or host header field.</li>
</ul>
<p>When rewrite happens, URI scheme and port are replaced with the ones
used in frontend, and host is replaced with which appears in
:authority or host request header field. :authority header field has
precedence. If the above conditions are not met with the host value
in :authority header field, rewrite is retried with the value in host
header field.</p>
</div>
<div class="section" id="hot-deploy">
<h2>Hot deploy<a class="headerlink" href="#hot-deploy" title="Permalink to this headline"></a></h2>
<p>nghttpx supports hot deploy feature using signals. The hot deploy in
nghttpx is multi step process. First send USR2 signal to nghttpx
process. It will do fork and execute new executable, using same
command-line arguments and environment variables. At this point, both
current and new processes can accept requests. To gracefully shutdown
current process, send QUIT signal to current nghttpx process. When
all existing frontend connections are done, the current process will
exit. At this point, only new nghttpx process exists and serves
incoming requests.</p>
</div>
<div class="section" id="re-opening-log-files">
<h2>Re-opening log files<a class="headerlink" href="#re-opening-log-files" title="Permalink to this headline"></a></h2>
<p>When rotating log files, it is desirable to re-open log files after
log rotation daemon renamed existing log files. To tell nghttpx to
re-open log files, send USR1 signal to nghttpx process. It will
re-open files specified by <tt class="docutils literal"><span class="pre">--accesslog-file</span></tt> and
<tt class="docutils literal"><span class="pre">--errorlog-file</span></tt> options.</p>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="h2load-howto.html" class="btn btn-neutral float-right" title="h2load - HTTP/2 benchmarking tool - HOW-TO">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="h2load.1.html" class="btn btn-neutral" title="h2load(1)"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright 2012, 2014, Tatsuhiro Tsujikawa.
</p>
</div>
<a href="https://github.com/snide/sphinx_rtd_theme">Sphinx theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT:'./',
VERSION:'0.6.0-DEV',
COLLAPSE_INDEX:false,
FILE_SUFFIX:'.html',
HAS_SOURCE: false
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.StickyNav.enable();
});
</script>
</body>
</html>