2015-01-09 15:37:42 +00:00
|
|
|
FILES
|
|
|
|
-----
|
|
|
|
|
|
|
|
*/etc/nghttpx/nghttpx.conf*
|
|
|
|
The default configuration file path nghttpx searches at startup.
|
|
|
|
The configuration file path can be changed using :option:`--conf`
|
|
|
|
option.
|
|
|
|
|
2015-01-11 08:34:43 +00:00
|
|
|
Those lines which are staring ``#`` are treated as comment.
|
|
|
|
|
|
|
|
The option name in the configuration file is the long command-line
|
|
|
|
option name with leading ``--`` stripped (e.g., ``frontend``). Put
|
|
|
|
``=`` between option name and value. Don't put extra leading or
|
|
|
|
trailing spaces.
|
|
|
|
|
2016-01-16 07:11:41 +00:00
|
|
|
When specifying arguments including characters which have special
|
|
|
|
meaning to a shell, we usually use quotes so that shell does not
|
|
|
|
interpret them. When writing this configuration file, quotes for
|
|
|
|
this purpose must not be used. For example, specify additional
|
|
|
|
request header field, do this:
|
|
|
|
|
|
|
|
.. code-block:: text
|
|
|
|
|
|
|
|
add-request-header=foo: bar
|
|
|
|
|
|
|
|
instead of:
|
|
|
|
|
|
|
|
.. code-block:: text
|
|
|
|
|
|
|
|
add-request-header="foo: bar"
|
|
|
|
|
2015-01-11 08:34:43 +00:00
|
|
|
The options which do not take argument in the command-line *take*
|
|
|
|
argument in the configuration file. Specify ``yes`` as an argument
|
|
|
|
(e.g., ``http2-proxy=yes``). If other string is given, it is
|
|
|
|
ignored.
|
|
|
|
|
|
|
|
To specify private key and certificate file which are given as
|
2015-05-12 14:24:18 +00:00
|
|
|
positional arguments in command-line, use ``private-key-file`` and
|
2015-01-11 08:34:43 +00:00
|
|
|
``certificate-file``.
|
|
|
|
|
|
|
|
:option:`--conf` option cannot be used in the configuration file and
|
|
|
|
will be ignored if specified.
|
|
|
|
|
2016-12-18 13:56:24 +00:00
|
|
|
Error log
|
|
|
|
Error log is written to stderr by default. It can be configured
|
|
|
|
using :option:`--errorlog-file`. The format of log message is as
|
|
|
|
follows:
|
|
|
|
|
2021-07-18 05:02:52 +00:00
|
|
|
<datetime> <main-pid> <current-pid> <thread-id> <level> (<filename>:<line>) <msg>
|
2016-12-18 13:56:24 +00:00
|
|
|
|
|
|
|
<datetime>
|
2017-10-29 07:54:21 +00:00
|
|
|
It is a combination of date and time when the log is written. It
|
2016-12-18 13:56:24 +00:00
|
|
|
is in ISO 8601 format.
|
|
|
|
|
2021-07-18 05:02:52 +00:00
|
|
|
<main-pid>
|
|
|
|
It is a main process ID.
|
2016-12-18 13:56:24 +00:00
|
|
|
|
|
|
|
<current-pid>
|
|
|
|
It is a process ID which writes this log.
|
|
|
|
|
|
|
|
<thread-id>
|
|
|
|
It is a thread ID which writes this log. It would be unique
|
|
|
|
within <current-pid>.
|
|
|
|
|
|
|
|
<filename> and <line>
|
|
|
|
They are source file name, and line number which produce this log.
|
|
|
|
|
|
|
|
<msg>
|
|
|
|
It is a log message body.
|
|
|
|
|
2015-01-09 15:37:42 +00:00
|
|
|
SIGNALS
|
|
|
|
-------
|
|
|
|
|
|
|
|
SIGQUIT
|
|
|
|
Shutdown gracefully. First accept pending connections and stop
|
|
|
|
accepting connection. After all connections are handled, nghttpx
|
|
|
|
exits.
|
|
|
|
|
2016-07-31 11:59:06 +00:00
|
|
|
SIGHUP
|
|
|
|
Reload configuration file given in :option:`--conf`.
|
|
|
|
|
2015-01-09 15:37:42 +00:00
|
|
|
SIGUSR1
|
|
|
|
Reopen log files.
|
|
|
|
|
|
|
|
SIGUSR2
|
2017-02-09 13:51:17 +00:00
|
|
|
|
2015-01-09 15:37:42 +00:00
|
|
|
Fork and execute nghttpx. It will execute the binary in the same
|
2017-02-09 13:51:17 +00:00
|
|
|
path with same command-line arguments and environment variables. As
|
2021-07-18 05:02:52 +00:00
|
|
|
of nghttpx version 1.20.0, the new main process sends SIGQUIT to the
|
|
|
|
original main process when it is ready to serve requests. For the
|
|
|
|
earlier versions of nghttpx, user has to send SIGQUIT to the
|
|
|
|
original main process.
|
2017-02-09 13:51:17 +00:00
|
|
|
|
|
|
|
The difference between SIGUSR2 (+ SIGQUIT) and SIGHUP is that former
|
2021-07-18 05:02:52 +00:00
|
|
|
is usually used to execute new binary, and the main process is newly
|
|
|
|
spawned. On the other hand, the latter just reloads configuration
|
|
|
|
file, and the same main process continues to exist.
|
2015-01-09 15:37:42 +00:00
|
|
|
|
2015-09-17 16:16:49 +00:00
|
|
|
.. note::
|
|
|
|
|
2015-09-26 11:59:56 +00:00
|
|
|
nghttpx consists of multiple processes: one process for processing
|
|
|
|
these signals, and another one for processing requests. The former
|
2021-07-18 05:02:52 +00:00
|
|
|
spawns the latter. The former is called main process, and the
|
2015-09-26 11:59:56 +00:00
|
|
|
latter is called worker process. If neverbleed is enabled, the
|
|
|
|
worker process spawns neverbleed daemon process which does RSA key
|
2021-07-18 05:02:52 +00:00
|
|
|
processing. The above signal must be sent to the main process. If
|
|
|
|
the other processes received one of them, it is ignored. This
|
2015-09-26 11:59:56 +00:00
|
|
|
behaviour of these processes may change in the future release. In
|
2021-07-18 05:02:52 +00:00
|
|
|
other words, in the future release, the processes other than main
|
2015-09-26 11:59:56 +00:00
|
|
|
process may terminate upon the reception of these signals.
|
|
|
|
Therefore these signals should not be sent to the processes other
|
2021-07-18 05:02:52 +00:00
|
|
|
than main process.
|
2015-09-17 16:16:49 +00:00
|
|
|
|
2015-02-08 08:13:36 +00:00
|
|
|
SERVER PUSH
|
|
|
|
-----------
|
|
|
|
|
2015-11-15 15:12:54 +00:00
|
|
|
nghttpx supports HTTP/2 server push in default mode with Link header
|
|
|
|
field. nghttpx looks for Link header field (`RFC 5988
|
2015-02-12 14:04:21 +00:00
|
|
|
<http://tools.ietf.org/html/rfc5988>`_) in response headers from
|
2015-02-08 08:13:36 +00:00
|
|
|
backend server and extracts URI-reference with parameter
|
|
|
|
``rel=preload`` (see `preload
|
|
|
|
<http://w3c.github.io/preload/#interoperability-with-http-link-header>`_)
|
|
|
|
and pushes those URIs to the frontend client. Here is a sample Link
|
|
|
|
header field to initiate server push:
|
|
|
|
|
2016-07-16 10:07:31 +00:00
|
|
|
.. code-block:: text
|
2015-02-08 08:13:36 +00:00
|
|
|
|
|
|
|
Link: </fonts/font.woff>; rel=preload
|
|
|
|
Link: </css/theme.css>; rel=preload
|
|
|
|
|
2015-09-05 09:59:19 +00:00
|
|
|
Currently, the following restriction is applied for server push:
|
2015-02-08 08:13:36 +00:00
|
|
|
|
2015-09-05 09:59:19 +00:00
|
|
|
1. The associated stream must have method "GET" or "POST". The
|
2015-02-08 08:13:36 +00:00
|
|
|
associated stream's status code must be 200.
|
|
|
|
|
2015-09-05 09:59:19 +00:00
|
|
|
This limitation may be loosened in the future release.
|
2015-02-08 08:13:36 +00:00
|
|
|
|
2015-11-15 15:12:54 +00:00
|
|
|
nghttpx also supports server push if both frontend and backend are
|
2016-02-28 14:12:57 +00:00
|
|
|
HTTP/2 in default mode. In this case, in addition to server push via
|
|
|
|
Link header field, server push from backend is forwarded to frontend
|
|
|
|
HTTP/2 session.
|
2015-11-15 15:12:54 +00:00
|
|
|
|
2016-02-28 14:12:57 +00:00
|
|
|
HTTP/2 server push will be disabled if :option:`--http2-proxy` is
|
|
|
|
used.
|
2015-11-15 15:12:54 +00:00
|
|
|
|
2015-02-22 09:23:09 +00:00
|
|
|
UNIX DOMAIN SOCKET
|
|
|
|
------------------
|
|
|
|
|
|
|
|
nghttpx supports UNIX domain socket with a filename for both frontend
|
|
|
|
and backend connections.
|
|
|
|
|
|
|
|
Please note that current nghttpx implementation does not delete a
|
|
|
|
socket with a filename. And on start up, if nghttpx detects that the
|
|
|
|
specified socket already exists in the file system, nghttpx first
|
|
|
|
deletes it. However, if SIGUSR2 is used to execute new binary and
|
|
|
|
both old and new configurations use same filename, new binary does not
|
|
|
|
delete the socket and continues to use it.
|
|
|
|
|
2015-03-31 14:31:24 +00:00
|
|
|
OCSP STAPLING
|
|
|
|
-------------
|
|
|
|
|
2015-06-22 15:53:12 +00:00
|
|
|
OCSP query is done using external Python script
|
|
|
|
``fetch-ocsp-response``, which has been originally developed in Perl
|
|
|
|
as part of h2o project (https://github.com/h2o/h2o), and was
|
|
|
|
translated into Python.
|
2015-03-31 14:31:24 +00:00
|
|
|
|
|
|
|
The script file is usually installed under
|
|
|
|
``$(prefix)/share/nghttp2/`` directory. The actual path to script can
|
|
|
|
be customized using :option:`--fetch-ocsp-response-file` option.
|
|
|
|
|
2015-08-12 15:47:32 +00:00
|
|
|
If OCSP query is failed, previous OCSP response, if any, is continued
|
|
|
|
to be used.
|
|
|
|
|
2017-05-22 13:53:49 +00:00
|
|
|
:option:`--fetch-ocsp-response-file` option provides wide range of
|
|
|
|
possibility to manage OCSP response. It can take an arbitrary script
|
|
|
|
or executable. The requirement is that it supports the command-line
|
|
|
|
interface of ``fetch-ocsp-response`` script, and it must return a
|
|
|
|
valid DER encoded OCSP response on success. It must return exit code
|
|
|
|
0 on success, and 75 for temporary error, and the other error code for
|
|
|
|
generic failure. For large cluster of servers, it is not efficient
|
|
|
|
for each server to perform OCSP query using ``fetch-ocsp-response``.
|
|
|
|
Instead, you can retrieve OCSP response in some way, and store it in a
|
|
|
|
disk or a shared database. Then specify a program in
|
|
|
|
:option:`--fetch-ocsp-response-file` to fetch it from those stores.
|
|
|
|
This could provide a way to share the OCSP response between fleet of
|
|
|
|
servers, and also any OCSP query strategy can be applied which may be
|
|
|
|
beyond the ability of nghttpx itself or ``fetch-ocsp-response``
|
|
|
|
script.
|
|
|
|
|
2015-07-28 14:43:32 +00:00
|
|
|
TLS SESSION RESUMPTION
|
|
|
|
----------------------
|
|
|
|
|
|
|
|
nghttpx supports TLS session resumption through both session ID and
|
|
|
|
session ticket.
|
|
|
|
|
|
|
|
SESSION ID RESUMPTION
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
By default, session ID is shared by all worker threads.
|
|
|
|
|
|
|
|
If :option:`--tls-session-cache-memcached` is given, nghttpx will
|
2015-07-28 15:01:12 +00:00
|
|
|
insert serialized session data to memcached with
|
2017-10-29 07:54:21 +00:00
|
|
|
``nghttpx:tls-session-cache:`` + lowercase hex string of session ID
|
2015-07-28 15:01:12 +00:00
|
|
|
as a memcached entry key, with expiry time 12 hours. Session timeout
|
|
|
|
is set to 12 hours.
|
2015-07-28 14:43:32 +00:00
|
|
|
|
2016-02-13 09:50:15 +00:00
|
|
|
By default, connections to memcached server are not encrypted. To
|
2016-03-24 17:15:02 +00:00
|
|
|
enable encryption, use ``tls`` keyword in
|
|
|
|
:option:`--tls-session-cache-memcached` option.
|
2016-02-13 09:50:15 +00:00
|
|
|
|
2015-07-28 14:43:32 +00:00
|
|
|
TLS SESSION TICKET RESUMPTION
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
By default, session ticket is shared by all worker threads. The
|
|
|
|
automatic key rotation is also enabled by default. Every an hour, new
|
|
|
|
encryption key is generated, and previous encryption key becomes
|
|
|
|
decryption only key. We set session timeout to 12 hours, and thus we
|
|
|
|
keep at most 12 keys.
|
|
|
|
|
2015-07-28 15:01:12 +00:00
|
|
|
If :option:`--tls-ticket-key-memcached` is given, encryption keys are
|
2015-07-28 14:43:32 +00:00
|
|
|
retrieved from memcached. nghttpx just reads keys from memcached; one
|
|
|
|
has to deploy key generator program to update keys frequently (e.g.,
|
2015-07-29 12:18:16 +00:00
|
|
|
every 1 hour). The example key generator tlsticketupdate.go is
|
|
|
|
available under contrib directory in nghttp2 archive. The memcached
|
|
|
|
entry key is ``nghttpx:tls-ticket-key``. The data format stored in
|
2015-11-29 10:08:17 +00:00
|
|
|
memcached is the binary format described below:
|
|
|
|
|
|
|
|
.. code-block:: text
|
2015-07-28 14:43:32 +00:00
|
|
|
|
|
|
|
+--------------+-------+----------------+
|
|
|
|
| VERSION (4) |LEN (2)|KEY(48 or 80) ...
|
|
|
|
+--------------+-------+----------------+
|
|
|
|
^ |
|
|
|
|
| |
|
|
|
|
+------------------------+
|
|
|
|
(LEN, KEY) pair can be repeated
|
|
|
|
|
|
|
|
All numbers in the above figure is bytes. All integer fields are
|
|
|
|
network byte order.
|
|
|
|
|
|
|
|
First 4 bytes integer VERSION field, which must be 1. The 2 bytes
|
|
|
|
integer LEN field gives the length of following KEY field, which
|
2015-07-28 15:01:12 +00:00
|
|
|
contains key. If :option:`--tls-ticket-key-cipher`\=aes-128-cbc is
|
2015-07-28 14:43:32 +00:00
|
|
|
used, LEN must be 48. If
|
2015-07-28 15:01:12 +00:00
|
|
|
:option:`--tls-ticket-key-cipher`\=aes-256-cbc is used, LEN must be
|
2015-07-28 14:43:32 +00:00
|
|
|
80. LEN and KEY pair can be repeated multiple times to store multiple
|
|
|
|
keys. The key appeared first is used as encryption key. All the
|
|
|
|
remaining keys are used as decryption only.
|
|
|
|
|
2016-02-13 09:50:15 +00:00
|
|
|
By default, connections to memcached server are not encrypted. To
|
2016-03-24 17:15:02 +00:00
|
|
|
enable encryption, use ``tls`` keyword in
|
|
|
|
:option:`--tls-ticket-key-memcached` option.
|
2016-02-13 09:50:15 +00:00
|
|
|
|
2015-07-28 15:01:12 +00:00
|
|
|
If :option:`--tls-ticket-key-file` is given, encryption key is read
|
2015-07-28 14:43:32 +00:00
|
|
|
from the given file. In this case, nghttpx does not rotate key
|
|
|
|
automatically. To rotate key, one has to restart nghttpx (see
|
|
|
|
SIGNALS).
|
|
|
|
|
2016-10-08 10:03:21 +00:00
|
|
|
CERTIFICATE TRANSPARENCY
|
|
|
|
------------------------
|
|
|
|
|
|
|
|
nghttpx supports TLS ``signed_certificate_timestamp`` extension (`RFC
|
|
|
|
6962 <https://tools.ietf.org/html/rfc6962>`_). The relevant options
|
|
|
|
are :option:`--tls-sct-dir` and ``sct-dir`` parameter in
|
|
|
|
:option:`--subcert`. They takes a directory, and nghttpx reads all
|
|
|
|
files whose extension is ``.sct`` under the directory. The ``*.sct``
|
|
|
|
files are encoded as ``SignedCertificateTimestamp`` struct described
|
|
|
|
in `section 3.2 of RFC 69662
|
|
|
|
<https://tools.ietf.org/html/rfc6962#section-3.2>`_. This format is
|
|
|
|
the same one used by `nginx-ct
|
|
|
|
<https://github.com/grahamedgecombe/nginx-ct>`_ and `mod_ssl_ct
|
|
|
|
<https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html>`_.
|
|
|
|
`ct-submit <https://github.com/grahamedgecombe/ct-submit>`_ can be
|
|
|
|
used to submit certificates to log servers, and obtain the
|
|
|
|
``SignedCertificateTimestamp`` struct which can be used with nghttpx.
|
|
|
|
|
2015-09-05 12:23:27 +00:00
|
|
|
MRUBY SCRIPTING
|
|
|
|
---------------
|
|
|
|
|
2015-09-05 12:28:43 +00:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
The current mruby extension API is experimental and not frozen. The
|
|
|
|
API is subject to change in the future release.
|
|
|
|
|
2017-10-29 07:18:20 +00:00
|
|
|
.. warning::
|
|
|
|
|
|
|
|
Almost all string value returned from method, or attribute is a
|
|
|
|
fresh new mruby string, which involves memory allocation, and
|
|
|
|
copies. Therefore, it is strongly recommended to store a return
|
|
|
|
value in a local variable, and use it, instead of calling method or
|
|
|
|
accessing attribute repeatedly.
|
|
|
|
|
2015-09-05 12:23:27 +00:00
|
|
|
nghttpx allows users to extend its capability using mruby scripts.
|
|
|
|
nghttpx has 2 hook points to execute mruby script: request phase and
|
|
|
|
response phase. The request phase hook is invoked after all request
|
|
|
|
header fields are received from client. The response phase hook is
|
|
|
|
invoked after all response header fields are received from backend
|
|
|
|
server. These hooks allows users to modify header fields, or common
|
|
|
|
HTTP variables, like authority or request path, and even return custom
|
|
|
|
response without forwarding request to backend servers.
|
|
|
|
|
2018-08-21 12:11:07 +00:00
|
|
|
There are 2 levels of mruby script invocations: global and
|
2018-08-28 08:50:01 +00:00
|
|
|
per-pattern. The global mruby script is set by :option:`--mruby-file`
|
|
|
|
option and is called for all requests. The per-pattern mruby script
|
2018-08-21 12:11:07 +00:00
|
|
|
is set by "mruby" parameter in :option:`-b` option. It is invoked for
|
2018-08-28 08:50:01 +00:00
|
|
|
a request which matches the particular pattern. The order of hook
|
|
|
|
invocation is: global request phase hook, per-pattern request phase
|
|
|
|
hook, per-pattern response phase hook, and finally global response
|
|
|
|
phase hook. If a hook returns a response, any later hooks are not
|
|
|
|
invoked. The global request hook is invoked before the pattern
|
|
|
|
matching is made and changing request path may affect the pattern
|
|
|
|
matching.
|
2018-08-21 12:11:07 +00:00
|
|
|
|
2018-08-28 08:58:18 +00:00
|
|
|
Please note that request and response hooks of per-pattern mruby
|
|
|
|
script for a single request might not come from the same script. This
|
|
|
|
might happen after a request hook is executed, backend failed for some
|
|
|
|
reason, and at the same time, backend configuration is replaced by API
|
|
|
|
request, and then the request uses new configuration on retry. The
|
|
|
|
response hook from new configuration, if it is specified, will be
|
|
|
|
invoked.
|
|
|
|
|
2018-08-21 12:11:07 +00:00
|
|
|
The all mruby script will be evaluated once per thread on startup, and
|
|
|
|
it must instantiate object and evaluate it as the return value (e.g.,
|
2015-10-05 15:26:45 +00:00
|
|
|
``App.new``). This object is called app object. If app object
|
|
|
|
defines ``on_req`` method, it is called with :rb:class:`Nghttpx::Env`
|
|
|
|
object on request hook. Similarly, if app object defines ``on_resp``
|
|
|
|
method, it is called with :rb:class:`Nghttpx::Env` object on response
|
|
|
|
hook. For each method invocation, user can can access
|
|
|
|
:rb:class:`Nghttpx::Request` and :rb:class:`Nghttpx::Response` objects
|
|
|
|
via :rb:attr:`Nghttpx::Env#req` and :rb:attr:`Nghttpx::Env#resp`
|
|
|
|
respectively.
|
2015-09-05 12:23:27 +00:00
|
|
|
|
|
|
|
.. rb:module:: Nghttpx
|
|
|
|
|
|
|
|
.. rb:const:: REQUEST_PHASE
|
|
|
|
|
|
|
|
Constant to represent request phase.
|
|
|
|
|
|
|
|
.. rb:const:: RESPONSE_PHASE
|
|
|
|
|
|
|
|
Constant to represent response phase.
|
|
|
|
|
|
|
|
.. rb:class:: Env
|
|
|
|
|
|
|
|
Object to represent current request specific context.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: req
|
|
|
|
|
|
|
|
Return :rb:class:`Request` object.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: resp
|
|
|
|
|
|
|
|
Return :rb:class:`Response` object.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: ctx
|
|
|
|
|
|
|
|
Return Ruby hash object. It persists until request finishes.
|
2017-10-29 07:14:30 +00:00
|
|
|
So values set in request phase hook can be retrieved in
|
2015-09-05 12:23:27 +00:00
|
|
|
response phase hook.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: phase
|
|
|
|
|
|
|
|
Return the current phase.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: remote_addr
|
|
|
|
|
2016-04-29 03:17:25 +00:00
|
|
|
Return IP address of a remote client. If connection is made
|
|
|
|
via UNIX domain socket, this returns the string "localhost".
|
|
|
|
|
|
|
|
.. rb:attr_reader:: server_addr
|
|
|
|
|
|
|
|
Return address of server that accepted the connection. This
|
|
|
|
is a string which specified in :option:`--frontend` option,
|
|
|
|
excluding port number, and not a resolved IP address. For
|
|
|
|
UNIX domain socket, this is a path to UNIX domain socket.
|
2015-09-05 12:23:27 +00:00
|
|
|
|
2016-04-27 15:19:30 +00:00
|
|
|
.. rb:attr_reader:: server_port
|
|
|
|
|
|
|
|
Return port number of the server frontend which accepted the
|
|
|
|
connection from client.
|
|
|
|
|
2016-04-29 03:17:25 +00:00
|
|
|
.. rb:attr_reader:: tls_used
|
|
|
|
|
|
|
|
Return true if TLS is used on the connection.
|
|
|
|
|
2016-09-10 13:02:46 +00:00
|
|
|
.. rb:attr_reader:: tls_sni
|
|
|
|
|
|
|
|
Return the TLS SNI value which client sent in this connection.
|
|
|
|
|
2017-10-31 12:41:40 +00:00
|
|
|
.. rb:attr_reader:: tls_client_fingerprint_sha256
|
2017-10-28 15:25:20 +00:00
|
|
|
|
|
|
|
Return the SHA-256 fingerprint of a client certificate.
|
|
|
|
|
2017-10-31 12:41:40 +00:00
|
|
|
.. rb:attr_reader:: tls_client_fingerprint_sha1
|
|
|
|
|
|
|
|
Return the SHA-1 fingerprint of a client certificate.
|
|
|
|
|
2017-11-15 14:41:47 +00:00
|
|
|
.. rb:attr_reader:: tls_client_issuer_name
|
|
|
|
|
|
|
|
Return the issuer name of a client certificate.
|
|
|
|
|
2017-10-28 15:25:20 +00:00
|
|
|
.. rb:attr_reader:: tls_client_subject_name
|
|
|
|
|
|
|
|
Return the subject name of a client certificate.
|
|
|
|
|
2017-11-16 12:13:56 +00:00
|
|
|
.. rb:attr_reader:: tls_client_serial
|
|
|
|
|
2017-11-16 15:02:33 +00:00
|
|
|
Return the serial number of a client certificate.
|
2017-11-16 12:13:56 +00:00
|
|
|
|
2018-02-03 08:58:49 +00:00
|
|
|
.. rb:attr_reader:: tls_client_not_before
|
|
|
|
|
|
|
|
Return the start date of a client certificate in seconds since
|
|
|
|
the epoch.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: tls_client_not_after
|
|
|
|
|
|
|
|
Return the end date of a client certificate in seconds since
|
|
|
|
the epoch.
|
|
|
|
|
2017-10-29 13:42:30 +00:00
|
|
|
.. rb:attr_reader:: tls_cipher
|
|
|
|
|
|
|
|
Return a TLS cipher negotiated in this connection.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: tls_protocol
|
|
|
|
|
|
|
|
Return a TLS protocol version negotiated in this connection.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: tls_session_id
|
|
|
|
|
|
|
|
Return a session ID for this connection in hex string.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: tls_session_reused
|
|
|
|
|
|
|
|
Return true if, and only if a SSL/TLS session is reused.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: alpn
|
|
|
|
|
|
|
|
Return ALPN identifier negotiated in this connection.
|
|
|
|
|
2018-09-09 13:59:35 +00:00
|
|
|
.. rb:attr_reader:: tls_handshake_finished
|
|
|
|
|
|
|
|
Return true if SSL/TLS handshake has finished. If it returns
|
|
|
|
false in the request phase hook, the request is received in
|
|
|
|
TLSv1.3 early data (0-RTT) and might be vulnerable to the
|
|
|
|
replay attack. nghttpx will send Early-Data header field to
|
|
|
|
backend servers to indicate this.
|
|
|
|
|
2015-09-05 12:23:27 +00:00
|
|
|
.. rb:class:: Request
|
|
|
|
|
|
|
|
Object to represent request from client. The modification to
|
|
|
|
Request object is allowed only in request phase hook.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_major
|
|
|
|
|
|
|
|
Return HTTP major version.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_minor
|
|
|
|
|
|
|
|
Return HTTP minor version.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: method
|
|
|
|
|
|
|
|
HTTP method. On assignment, copy of given value is assigned.
|
|
|
|
We don't accept arbitrary method name. We will document them
|
|
|
|
later, but well known methods, like GET, PUT and POST, are all
|
|
|
|
supported.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: authority
|
|
|
|
|
|
|
|
Authority (i.e., example.org), including optional port
|
|
|
|
component . On assignment, copy of given value is assigned.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: scheme
|
|
|
|
|
|
|
|
Scheme (i.e., http, https). On assignment, copy of given
|
|
|
|
value is assigned.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: path
|
|
|
|
|
|
|
|
Request path, including query component (i.e., /index.html).
|
|
|
|
On assignment, copy of given value is assigned. The path does
|
2016-04-29 13:45:47 +00:00
|
|
|
not include authority component of URI. This may include
|
|
|
|
query component. nghttpx makes certain normalization for
|
|
|
|
path. It decodes percent-encoding for unreserved characters
|
|
|
|
(see https://tools.ietf.org/html/rfc3986#section-2.3), and
|
|
|
|
resolves ".." and ".". But it may leave characters which
|
|
|
|
should be percent-encoded as is. So be careful when comparing
|
|
|
|
path against desired string.
|
2015-09-05 12:23:27 +00:00
|
|
|
|
|
|
|
.. rb:attr_reader:: headers
|
|
|
|
|
|
|
|
Return Ruby hash containing copy of request header fields.
|
|
|
|
Changing values in returned hash does not change request
|
|
|
|
header fields actually used in request processing. Use
|
|
|
|
:rb:meth:`Nghttpx::Request#add_header` or
|
|
|
|
:rb:meth:`Nghttpx::Request#set_header` to change request
|
|
|
|
header fields.
|
|
|
|
|
|
|
|
.. rb:method:: add_header(key, value)
|
|
|
|
|
|
|
|
Add header entry associated with key. The value can be single
|
|
|
|
string or array of string. It does not replace any existing
|
|
|
|
values associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: set_header(key, value)
|
|
|
|
|
|
|
|
Set header entry associated with key. The value can be single
|
|
|
|
string or array of string. It replaces any existing values
|
|
|
|
associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: clear_headers
|
|
|
|
|
|
|
|
Clear all existing request header fields.
|
|
|
|
|
2016-04-16 09:52:32 +00:00
|
|
|
.. rb:method:: push(uri)
|
2015-09-05 14:37:32 +00:00
|
|
|
|
|
|
|
Initiate to push resource identified by *uri*. Only HTTP/2
|
|
|
|
protocol supports this feature. For the other protocols, this
|
|
|
|
method is noop. *uri* can be absolute URI, absolute path or
|
|
|
|
relative path to the current request. For absolute or
|
|
|
|
relative path, scheme and authority are inherited from the
|
2015-09-06 06:21:36 +00:00
|
|
|
current request. Currently, method is always GET. nghttpx
|
|
|
|
will issue request to backend servers to fulfill this request.
|
|
|
|
The request and response phase hooks will be called for pushed
|
|
|
|
resource as well.
|
2015-09-05 14:37:32 +00:00
|
|
|
|
2015-09-05 12:23:27 +00:00
|
|
|
.. rb:class:: Response
|
|
|
|
|
|
|
|
Object to represent response from backend server.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_major
|
|
|
|
|
|
|
|
Return HTTP major version.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: http_version_minor
|
|
|
|
|
|
|
|
Return HTTP minor version.
|
|
|
|
|
|
|
|
.. rb:attr_accessor:: status
|
|
|
|
|
|
|
|
HTTP status code. It must be in the range [200, 999],
|
|
|
|
inclusive. The non-final status code is not supported in
|
|
|
|
mruby scripting at the moment.
|
|
|
|
|
|
|
|
.. rb:attr_reader:: headers
|
|
|
|
|
|
|
|
Return Ruby hash containing copy of response header fields.
|
|
|
|
Changing values in returned hash does not change response
|
|
|
|
header fields actually used in response processing. Use
|
|
|
|
:rb:meth:`Nghttpx::Response#add_header` or
|
|
|
|
:rb:meth:`Nghttpx::Response#set_header` to change response
|
|
|
|
header fields.
|
|
|
|
|
|
|
|
.. rb:method:: add_header(key, value)
|
|
|
|
|
|
|
|
Add header entry associated with key. The value can be single
|
|
|
|
string or array of string. It does not replace any existing
|
|
|
|
values associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: set_header(key, value)
|
|
|
|
|
|
|
|
Set header entry associated with key. The value can be single
|
|
|
|
string or array of string. It replaces any existing values
|
|
|
|
associated with key.
|
|
|
|
|
|
|
|
.. rb:method:: clear_headers
|
|
|
|
|
|
|
|
Clear all existing response header fields.
|
|
|
|
|
|
|
|
.. rb:method:: return(body)
|
|
|
|
|
|
|
|
Return custom response *body* to a client. When this method
|
|
|
|
is called in request phase hook, the request is not forwarded
|
|
|
|
to the backend, and response phase hook for this request will
|
2015-11-09 02:40:35 +00:00
|
|
|
not be invoked. When this method is called in response phase
|
2015-09-05 12:23:27 +00:00
|
|
|
hook, response from backend server is canceled and discarded.
|
|
|
|
The status code and response header fields should be set
|
2018-08-23 02:01:12 +00:00
|
|
|
before using this method. To set status code, use
|
2015-09-05 12:23:27 +00:00
|
|
|
:rb:attr:`Nghttpx::Response#status`. If status code is not
|
2018-08-23 02:01:12 +00:00
|
|
|
set, 200 is used. To set response header fields,
|
|
|
|
:rb:meth:`Nghttpx::Response#add_header` and
|
2015-09-05 12:23:27 +00:00
|
|
|
:rb:meth:`Nghttpx::Response#set_header`. When this method is
|
|
|
|
invoked in response phase hook, the response headers are
|
|
|
|
filled with the ones received from backend server. To send
|
|
|
|
completely custom header fields, first call
|
|
|
|
:rb:meth:`Nghttpx::Response#clear_headers` to erase all
|
|
|
|
existing header fields, and then add required header fields.
|
|
|
|
It is an error to call this method twice for a given request.
|
|
|
|
|
2016-11-03 12:29:07 +00:00
|
|
|
.. rb:method:: send_info(status, headers)
|
|
|
|
|
|
|
|
Send non-final (informational) response to a client. *status*
|
|
|
|
must be in the range [100, 199], inclusive. *headers* is a
|
|
|
|
hash containing response header fields. Its key must be a
|
|
|
|
string, and the associated value must be either string or
|
|
|
|
array of strings. Since this is not a final response, even if
|
|
|
|
this method is invoked, request is still forwarded to a
|
|
|
|
backend unless :rb:meth:`Nghttpx::Response#return` is called.
|
|
|
|
This method can be called multiple times. It cannot be called
|
|
|
|
after :rb:meth:`Nghttpx::Response#return` is called.
|
|
|
|
|
2015-09-05 12:23:27 +00:00
|
|
|
MRUBY EXAMPLES
|
|
|
|
~~~~~~~~~~~~~~
|
|
|
|
|
2015-11-09 02:40:35 +00:00
|
|
|
Modify request path:
|
2015-09-05 12:23:27 +00:00
|
|
|
|
|
|
|
.. code-block:: ruby
|
|
|
|
|
2015-10-05 15:26:45 +00:00
|
|
|
class App
|
|
|
|
def on_req(env)
|
|
|
|
env.req.path = "/apps#{env.req.path}"
|
|
|
|
end
|
2015-09-05 12:23:27 +00:00
|
|
|
end
|
|
|
|
|
2015-10-05 15:26:45 +00:00
|
|
|
App.new
|
|
|
|
|
|
|
|
Don't forget to instantiate and evaluate object at the last line.
|
2015-09-05 12:23:27 +00:00
|
|
|
|
|
|
|
Restrict permission of viewing a content to a specific client
|
|
|
|
addresses:
|
|
|
|
|
|
|
|
.. code-block:: ruby
|
|
|
|
|
2015-10-05 15:26:45 +00:00
|
|
|
class App
|
|
|
|
def on_req(env)
|
|
|
|
allowed_clients = ["127.0.0.1", "::1"]
|
2015-09-05 12:23:27 +00:00
|
|
|
|
2015-10-05 15:26:45 +00:00
|
|
|
if env.req.path.start_with?("/log/") &&
|
|
|
|
!allowed_clients.include?(env.remote_addr) then
|
|
|
|
env.resp.status = 404
|
|
|
|
env.resp.return "permission denied"
|
|
|
|
end
|
2015-09-05 12:23:27 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-10-05 15:26:45 +00:00
|
|
|
App.new
|
|
|
|
|
2016-06-04 09:42:30 +00:00
|
|
|
API ENDPOINTS
|
|
|
|
-------------
|
|
|
|
|
|
|
|
nghttpx exposes API endpoints to manipulate it via HTTP based API. By
|
|
|
|
default, API endpoint is disabled. To enable it, add a dedicated
|
|
|
|
frontend for API using :option:`--frontend` option with "api"
|
|
|
|
parameter. All requests which come from this frontend address, will
|
|
|
|
be treated as API request.
|
|
|
|
|
2016-06-05 04:17:48 +00:00
|
|
|
The response is normally JSON dictionary, and at least includes the
|
|
|
|
following keys:
|
|
|
|
|
|
|
|
status
|
|
|
|
The status of the request processing. The following values are
|
|
|
|
defined:
|
|
|
|
|
|
|
|
Success
|
|
|
|
The request was successful.
|
|
|
|
|
|
|
|
Failure
|
2016-06-13 12:19:01 +00:00
|
|
|
The request was failed. No change has been made.
|
2016-06-05 04:17:48 +00:00
|
|
|
|
|
|
|
code
|
|
|
|
HTTP status code
|
|
|
|
|
2017-02-19 14:27:40 +00:00
|
|
|
Additionally, depending on the API endpoint, ``data`` key may be
|
|
|
|
present, and its value contains the API endpoint specific data.
|
|
|
|
|
2016-06-05 04:17:48 +00:00
|
|
|
We wrote "normally", since nghttpx may return ordinal HTML response in
|
|
|
|
some cases where the error has occurred before reaching API endpoint
|
|
|
|
(e.g., header field is too large).
|
|
|
|
|
2016-06-04 09:42:30 +00:00
|
|
|
The following section describes available API endpoints.
|
|
|
|
|
2017-01-28 08:54:00 +00:00
|
|
|
POST /api/v1beta1/backendconfig
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
2016-06-13 12:17:53 +00:00
|
|
|
|
|
|
|
This API replaces the current backend server settings with the
|
2017-01-28 08:54:00 +00:00
|
|
|
requested ones. The request method should be POST, but PUT is also
|
2016-06-13 12:17:53 +00:00
|
|
|
acceptable. The request body must be nghttpx configuration file
|
|
|
|
format. For configuration file format, see `FILES`_ section. The
|
|
|
|
line separator inside the request body must be single LF (0x0A).
|
2016-06-04 09:42:30 +00:00
|
|
|
Currently, only :option:`backend <--backend>` option is parsed, the
|
|
|
|
others are simply ignored. The semantics of this API is replace the
|
|
|
|
current backend with the backend options in request body. Describe
|
|
|
|
the desired set of backend severs, and nghttpx makes it happen. If
|
|
|
|
there is no :option:`backend <--backend>` option is found in request
|
|
|
|
body, the current set of backend is replaced with the :option:`backend
|
|
|
|
<--backend>` option's default value, which is ``127.0.0.1,80``.
|
|
|
|
|
|
|
|
The replacement is done instantly without breaking existing
|
|
|
|
connections or requests. It also avoids any process creation as is
|
|
|
|
the case with hot swapping with signals.
|
|
|
|
|
2017-10-29 07:54:21 +00:00
|
|
|
The one limitation is that only numeric IP address is allowed in
|
2016-12-11 08:00:33 +00:00
|
|
|
:option:`backend <--backend>` in request body unless "dns" parameter
|
|
|
|
is used while non numeric hostname is allowed in command-line or
|
|
|
|
configuration file is read using :option:`--conf`.
|
2016-06-04 09:42:30 +00:00
|
|
|
|
2017-02-19 14:27:40 +00:00
|
|
|
GET /api/v1beta1/configrevision
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
This API returns configuration revision of the current nghttpx. The
|
|
|
|
configuration revision is opaque string, and it changes after each
|
|
|
|
reloading by SIGHUP. With this API, an external application knows
|
|
|
|
that whether nghttpx has finished reloading its configuration by
|
|
|
|
comparing the configuration revisions between before and after
|
2017-02-22 12:06:45 +00:00
|
|
|
reloading. It is recommended to disable persistent (keep-alive)
|
|
|
|
connection for this purpose in order to avoid to send a request using
|
|
|
|
the reused connection which may bound to an old process.
|
2017-02-19 14:27:40 +00:00
|
|
|
|
|
|
|
This API returns response including ``data`` key. Its value is JSON
|
|
|
|
object, and it contains at least the following key:
|
|
|
|
|
|
|
|
configRevision
|
|
|
|
The configuration revision of the current nghttpx
|
|
|
|
|
|
|
|
|
2015-01-09 15:37:42 +00:00
|
|
|
SEE ALSO
|
|
|
|
--------
|
|
|
|
|
|
|
|
:manpage:`nghttp(1)`, :manpage:`nghttpd(1)`, :manpage:`h2load(1)`
|