• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1FILES
2-----
3
4*/etc/nghttpx/nghttpx.conf*
5  The default configuration file path nghttpx searches at startup.
6  The configuration file path can be changed using :option:`--conf`
7  option.
8
9  Those lines which are staring ``#`` are treated as comment.
10
11  The option name in the configuration file is the long command-line
12  option name with leading ``--`` stripped (e.g., ``frontend``).  Put
13  ``=`` between option name and value.  Don't put extra leading or
14  trailing spaces.
15
16  When specifying arguments including characters which have special
17  meaning to a shell, we usually use quotes so that shell does not
18  interpret them.  When writing this configuration file, quotes for
19  this purpose must not be used.  For example, specify additional
20  request header field, do this:
21
22  .. code-block:: text
23
24    add-request-header=foo: bar
25
26  instead of:
27
28  .. code-block:: text
29
30    add-request-header="foo: bar"
31
32  The options which do not take argument in the command-line *take*
33  argument in the configuration file.  Specify ``yes`` as an argument
34  (e.g., ``http2-proxy=yes``).  If other string is given, it is
35  ignored.
36
37  To specify private key and certificate file which are given as
38  positional arguments in command-line, use ``private-key-file`` and
39  ``certificate-file``.
40
41  :option:`--conf` option cannot be used in the configuration file and
42  will be ignored if specified.
43
44Error log
45  Error log is written to stderr by default.  It can be configured
46  using :option:`--errorlog-file`.  The format of log message is as
47  follows:
48
49  <datetime> <main-pid> <current-pid> <thread-id> <level> (<filename>:<line>) <msg>
50
51  <datetime>
52    It is a combination of date and time when the log is written.  It
53    is in ISO 8601 format.
54
55  <main-pid>
56    It is a main process ID.
57
58  <current-pid>
59    It is a process ID which writes this log.
60
61  <thread-id>
62    It is a thread ID which writes this log.  It would be unique
63    within <current-pid>.
64
65  <filename> and <line>
66    They are source file name, and line number which produce this log.
67
68  <msg>
69    It is a log message body.
70
71SIGNALS
72-------
73
74SIGQUIT
75  Shutdown gracefully.  First accept pending connections and stop
76  accepting connection.  After all connections are handled, nghttpx
77  exits.
78
79SIGHUP
80  Reload configuration file given in :option:`--conf`.
81
82SIGUSR1
83  Reopen log files.
84
85SIGUSR2
86
87  Fork and execute nghttpx.  It will execute the binary in the same
88  path with same command-line arguments and environment variables.  As
89  of nghttpx version 1.20.0, the new main process sends SIGQUIT to the
90  original main process when it is ready to serve requests.  For the
91  earlier versions of nghttpx, user has to send SIGQUIT to the
92  original main process.
93
94  The difference between SIGUSR2 (+ SIGQUIT) and SIGHUP is that former
95  is usually used to execute new binary, and the main process is newly
96  spawned.  On the other hand, the latter just reloads configuration
97  file, and the same main process continues to exist.
98
99.. note::
100
101  nghttpx consists of multiple processes: one process for processing
102  these signals, and another one for processing requests.  The former
103  spawns the latter.  The former is called main process, and the
104  latter is called worker process.  If neverbleed is enabled, the
105  worker process spawns neverbleed daemon process which does RSA key
106  processing.  The above signal must be sent to the main process.  If
107  the other processes received one of them, it is ignored.  This
108  behaviour of these processes may change in the future release.  In
109  other words, in the future release, the processes other than main
110  process may terminate upon the reception of these signals.
111  Therefore these signals should not be sent to the processes other
112  than main process.
113
114SERVER PUSH
115-----------
116
117nghttpx supports HTTP/2 server push in default mode with Link header
118field.  nghttpx looks for Link header field (`RFC 5988
119<http://tools.ietf.org/html/rfc5988>`_) in response headers from
120backend server and extracts URI-reference with parameter
121``rel=preload`` (see `preload
122<http://w3c.github.io/preload/#interoperability-with-http-link-header>`_)
123and pushes those URIs to the frontend client. Here is a sample Link
124header field to initiate server push:
125
126.. code-block:: text
127
128  Link: </fonts/font.woff>; rel=preload
129  Link: </css/theme.css>; rel=preload
130
131Currently, the following restriction is applied for server push:
132
1331. The associated stream must have method "GET" or "POST".  The
134   associated stream's status code must be 200.
135
136This limitation may be loosened in the future release.
137
138nghttpx also supports server push if both frontend and backend are
139HTTP/2 in default mode.  In this case, in addition to server push via
140Link header field, server push from backend is forwarded to frontend
141HTTP/2 session.
142
143HTTP/2 server push will be disabled if :option:`--http2-proxy` is
144used.
145
146UNIX DOMAIN SOCKET
147------------------
148
149nghttpx supports UNIX domain socket with a filename for both frontend
150and backend connections.
151
152Please note that current nghttpx implementation does not delete a
153socket with a filename.  And on start up, if nghttpx detects that the
154specified socket already exists in the file system, nghttpx first
155deletes it.  However, if SIGUSR2 is used to execute new binary and
156both old and new configurations use same filename, new binary does not
157delete the socket and continues to use it.
158
159OCSP STAPLING
160-------------
161
162OCSP query is done using external Python script
163``fetch-ocsp-response``, which has been originally developed in Perl
164as part of h2o project (https://github.com/h2o/h2o), and was
165translated into Python.
166
167The script file is usually installed under
168``$(prefix)/share/nghttp2/`` directory.  The actual path to script can
169be customized using :option:`--fetch-ocsp-response-file` option.
170
171If OCSP query is failed, previous OCSP response, if any, is continued
172to be used.
173
174:option:`--fetch-ocsp-response-file` option provides wide range of
175possibility to manage OCSP response.  It can take an arbitrary script
176or executable.  The requirement is that it supports the command-line
177interface of ``fetch-ocsp-response`` script, and it must return a
178valid DER encoded OCSP response on success.  It must return exit code
1790 on success, and 75 for temporary error, and the other error code for
180generic failure.  For large cluster of servers, it is not efficient
181for each server to perform OCSP query using ``fetch-ocsp-response``.
182Instead, you can retrieve OCSP response in some way, and store it in a
183disk or a shared database.  Then specify a program in
184:option:`--fetch-ocsp-response-file` to fetch it from those stores.
185This could provide a way to share the OCSP response between fleet of
186servers, and also any OCSP query strategy can be applied which may be
187beyond the ability of nghttpx itself or ``fetch-ocsp-response``
188script.
189
190TLS SESSION RESUMPTION
191----------------------
192
193nghttpx supports TLS session resumption through both session ID and
194session ticket.
195
196SESSION ID RESUMPTION
197~~~~~~~~~~~~~~~~~~~~~
198
199By default, session ID is shared by all worker threads.
200
201If :option:`--tls-session-cache-memcached` is given, nghttpx will
202insert serialized session data to memcached with
203``nghttpx:tls-session-cache:`` + lowercase hex string of session ID
204as a memcached entry key, with expiry time 12 hours.  Session timeout
205is set to 12 hours.
206
207By default, connections to memcached server are not encrypted.  To
208enable encryption, use ``tls`` keyword in
209:option:`--tls-session-cache-memcached` option.
210
211TLS SESSION TICKET RESUMPTION
212~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
213
214By default, session ticket is shared by all worker threads.  The
215automatic key rotation is also enabled by default.  Every an hour, new
216encryption key is generated, and previous encryption key becomes
217decryption only key.  We set session timeout to 12 hours, and thus we
218keep at most 12 keys.
219
220If :option:`--tls-ticket-key-memcached` is given, encryption keys are
221retrieved from memcached.  nghttpx just reads keys from memcached; one
222has to deploy key generator program to update keys frequently (e.g.,
223every 1 hour).  The example key generator tlsticketupdate.go is
224available under contrib directory in nghttp2 archive.  The memcached
225entry key is ``nghttpx:tls-ticket-key``.  The data format stored in
226memcached is the binary format described below:
227
228.. code-block:: text
229
230    +--------------+-------+----------------+
231    | VERSION (4)  |LEN (2)|KEY(48 or 80) ...
232    +--------------+-------+----------------+
233                   ^                        |
234		   |                        |
235		   +------------------------+
236                   (LEN, KEY) pair can be repeated
237
238All numbers in the above figure is bytes.  All integer fields are
239network byte order.
240
241First 4 bytes integer VERSION field, which must be 1.  The 2 bytes
242integer LEN field gives the length of following KEY field, which
243contains key.  If :option:`--tls-ticket-key-cipher`\=aes-128-cbc is
244used, LEN must be 48.  If
245:option:`--tls-ticket-key-cipher`\=aes-256-cbc is used, LEN must be
24680.  LEN and KEY pair can be repeated multiple times to store multiple
247keys.  The key appeared first is used as encryption key.  All the
248remaining keys are used as decryption only.
249
250By default, connections to memcached server are not encrypted.  To
251enable encryption, use ``tls`` keyword in
252:option:`--tls-ticket-key-memcached` option.
253
254If :option:`--tls-ticket-key-file` is given, encryption key is read
255from the given file.  In this case, nghttpx does not rotate key
256automatically.  To rotate key, one has to restart nghttpx (see
257SIGNALS).
258
259CERTIFICATE TRANSPARENCY
260------------------------
261
262nghttpx supports TLS ``signed_certificate_timestamp`` extension (`RFC
2636962 <https://tools.ietf.org/html/rfc6962>`_).  The relevant options
264are :option:`--tls-sct-dir` and ``sct-dir`` parameter in
265:option:`--subcert`.  They takes a directory, and nghttpx reads all
266files whose extension is ``.sct`` under the directory.  The ``*.sct``
267files are encoded as ``SignedCertificateTimestamp`` struct described
268in `section 3.2 of RFC 69662
269<https://tools.ietf.org/html/rfc6962#section-3.2>`_.  This format is
270the same one used by `nginx-ct
271<https://github.com/grahamedgecombe/nginx-ct>`_ and `mod_ssl_ct
272<https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html>`_.
273`ct-submit <https://github.com/grahamedgecombe/ct-submit>`_ can be
274used to submit certificates to log servers, and obtain the
275``SignedCertificateTimestamp`` struct which can be used with nghttpx.
276
277MRUBY SCRIPTING
278---------------
279
280.. warning::
281
282  The current mruby extension API is experimental and not frozen.  The
283  API is subject to change in the future release.
284
285.. warning::
286
287  Almost all string value returned from method, or attribute is a
288  fresh new mruby string, which involves memory allocation, and
289  copies.  Therefore, it is strongly recommended to store a return
290  value in a local variable, and use it, instead of calling method or
291  accessing attribute repeatedly.
292
293nghttpx allows users to extend its capability using mruby scripts.
294nghttpx has 2 hook points to execute mruby script: request phase and
295response phase.  The request phase hook is invoked after all request
296header fields are received from client.  The response phase hook is
297invoked after all response header fields are received from backend
298server.  These hooks allows users to modify header fields, or common
299HTTP variables, like authority or request path, and even return custom
300response without forwarding request to backend servers.
301
302There are 2 levels of mruby script invocations: global and
303per-pattern.  The global mruby script is set by :option:`--mruby-file`
304option and is called for all requests.  The per-pattern mruby script
305is set by "mruby" parameter in :option:`-b` option.  It is invoked for
306a request which matches the particular pattern.  The order of hook
307invocation is: global request phase hook, per-pattern request phase
308hook, per-pattern response phase hook, and finally global response
309phase hook.  If a hook returns a response, any later hooks are not
310invoked.  The global request hook is invoked before the pattern
311matching is made and changing request path may affect the pattern
312matching.
313
314Please note that request and response hooks of per-pattern mruby
315script for a single request might not come from the same script.  This
316might happen after a request hook is executed, backend failed for some
317reason, and at the same time, backend configuration is replaced by API
318request, and then the request uses new configuration on retry.  The
319response hook from new configuration, if it is specified, will be
320invoked.
321
322The all mruby script will be evaluated once per thread on startup, and
323it must instantiate object and evaluate it as the return value (e.g.,
324``App.new``).  This object is called app object.  If app object
325defines ``on_req`` method, it is called with :rb:class:`Nghttpx::Env`
326object on request hook.  Similarly, if app object defines ``on_resp``
327method, it is called with :rb:class:`Nghttpx::Env` object on response
328hook.  For each method invocation, user can can access
329:rb:class:`Nghttpx::Request` and :rb:class:`Nghttpx::Response` objects
330via :rb:attr:`Nghttpx::Env#req` and :rb:attr:`Nghttpx::Env#resp`
331respectively.
332
333.. rb:module:: Nghttpx
334
335.. rb:const:: REQUEST_PHASE
336
337    Constant to represent request phase.
338
339.. rb:const:: RESPONSE_PHASE
340
341    Constant to represent response phase.
342
343.. rb:class:: Env
344
345    Object to represent current request specific context.
346
347    .. rb:attr_reader:: req
348
349        Return :rb:class:`Request` object.
350
351    .. rb:attr_reader:: resp
352
353        Return :rb:class:`Response` object.
354
355    .. rb:attr_reader:: ctx
356
357        Return Ruby hash object.  It persists until request finishes.
358        So values set in request phase hook can be retrieved in
359        response phase hook.
360
361    .. rb:attr_reader:: phase
362
363        Return the current phase.
364
365    .. rb:attr_reader:: remote_addr
366
367        Return IP address of a remote client.  If connection is made
368        via UNIX domain socket, this returns the string "localhost".
369
370    .. rb:attr_reader:: server_addr
371
372        Return address of server that accepted the connection.  This
373	is a string which specified in :option:`--frontend` option,
374	excluding port number, and not a resolved IP address.  For
375	UNIX domain socket, this is a path to UNIX domain socket.
376
377    .. rb:attr_reader:: server_port
378
379        Return port number of the server frontend which accepted the
380        connection from client.
381
382    .. rb:attr_reader:: tls_used
383
384        Return true if TLS is used on the connection.
385
386    .. rb:attr_reader:: tls_sni
387
388        Return the TLS SNI value which client sent in this connection.
389
390    .. rb:attr_reader:: tls_client_fingerprint_sha256
391
392        Return the SHA-256 fingerprint of a client certificate.
393
394    .. rb:attr_reader:: tls_client_fingerprint_sha1
395
396        Return the SHA-1 fingerprint of a client certificate.
397
398    .. rb:attr_reader:: tls_client_issuer_name
399
400        Return the issuer name of a client certificate.
401
402    .. rb:attr_reader:: tls_client_subject_name
403
404        Return the subject name of a client certificate.
405
406    .. rb:attr_reader:: tls_client_serial
407
408        Return the serial number of a client certificate.
409
410    .. rb:attr_reader:: tls_client_not_before
411
412        Return the start date of a client certificate in seconds since
413        the epoch.
414
415    .. rb:attr_reader:: tls_client_not_after
416
417        Return the end date of a client certificate in seconds since
418        the epoch.
419
420    .. rb:attr_reader:: tls_cipher
421
422        Return a TLS cipher negotiated in this connection.
423
424    .. rb:attr_reader:: tls_protocol
425
426        Return a TLS protocol version negotiated in this connection.
427
428    .. rb:attr_reader:: tls_session_id
429
430        Return a session ID for this connection in hex string.
431
432    .. rb:attr_reader:: tls_session_reused
433
434        Return true if, and only if a SSL/TLS session is reused.
435
436    .. rb:attr_reader:: alpn
437
438        Return ALPN identifier negotiated in this connection.
439
440    .. rb:attr_reader:: tls_handshake_finished
441
442        Return true if SSL/TLS handshake has finished.  If it returns
443        false in the request phase hook, the request is received in
444        TLSv1.3 early data (0-RTT) and might be vulnerable to the
445        replay attack.  nghttpx will send Early-Data header field to
446        backend servers to indicate this.
447
448.. rb:class:: Request
449
450    Object to represent request from client.  The modification to
451    Request object is allowed only in request phase hook.
452
453    .. rb:attr_reader:: http_version_major
454
455        Return HTTP major version.
456
457    .. rb:attr_reader:: http_version_minor
458
459        Return HTTP minor version.
460
461    .. rb:attr_accessor:: method
462
463        HTTP method.  On assignment, copy of given value is assigned.
464        We don't accept arbitrary method name.  We will document them
465        later, but well known methods, like GET, PUT and POST, are all
466        supported.
467
468    .. rb:attr_accessor:: authority
469
470        Authority (i.e., example.org), including optional port
471        component .  On assignment, copy of given value is assigned.
472
473    .. rb:attr_accessor:: scheme
474
475        Scheme (i.e., http, https).  On assignment, copy of given
476        value is assigned.
477
478    .. rb:attr_accessor:: path
479
480        Request path, including query component (i.e., /index.html).
481        On assignment, copy of given value is assigned.  The path does
482        not include authority component of URI.  This may include
483        query component.  nghttpx makes certain normalization for
484        path.  It decodes percent-encoding for unreserved characters
485        (see https://tools.ietf.org/html/rfc3986#section-2.3), and
486        resolves ".." and ".".  But it may leave characters which
487        should be percent-encoded as is. So be careful when comparing
488        path against desired string.
489
490    .. rb:attr_reader:: headers
491
492        Return Ruby hash containing copy of request header fields.
493        Changing values in returned hash does not change request
494        header fields actually used in request processing.  Use
495        :rb:meth:`Nghttpx::Request#add_header` or
496        :rb:meth:`Nghttpx::Request#set_header` to change request
497        header fields.
498
499    .. rb:method:: add_header(key, value)
500
501        Add header entry associated with key.  The value can be single
502        string or array of string.  It does not replace any existing
503        values associated with key.
504
505    .. rb:method:: set_header(key, value)
506
507        Set header entry associated with key.  The value can be single
508        string or array of string.  It replaces any existing values
509        associated with key.
510
511    .. rb:method:: clear_headers
512
513        Clear all existing request header fields.
514
515    .. rb:method:: push(uri)
516
517        Initiate to push resource identified by *uri*.  Only HTTP/2
518        protocol supports this feature.  For the other protocols, this
519        method is noop.  *uri* can be absolute URI, absolute path or
520        relative path to the current request.  For absolute or
521        relative path, scheme and authority are inherited from the
522        current request.  Currently, method is always GET.  nghttpx
523        will issue request to backend servers to fulfill this request.
524        The request and response phase hooks will be called for pushed
525        resource as well.
526
527.. rb:class:: Response
528
529    Object to represent response from backend server.
530
531    .. rb:attr_reader:: http_version_major
532
533        Return HTTP major version.
534
535    .. rb:attr_reader:: http_version_minor
536
537        Return HTTP minor version.
538
539    .. rb:attr_accessor:: status
540
541        HTTP status code.  It must be in the range [200, 999],
542        inclusive.  The non-final status code is not supported in
543        mruby scripting at the moment.
544
545    .. rb:attr_reader:: headers
546
547        Return Ruby hash containing copy of response header fields.
548        Changing values in returned hash does not change response
549        header fields actually used in response processing.  Use
550        :rb:meth:`Nghttpx::Response#add_header` or
551        :rb:meth:`Nghttpx::Response#set_header` to change response
552        header fields.
553
554    .. rb:method:: add_header(key, value)
555
556        Add header entry associated with key.  The value can be single
557        string or array of string.  It does not replace any existing
558        values associated with key.
559
560    .. rb:method:: set_header(key, value)
561
562        Set header entry associated with key.  The value can be single
563        string or array of string.  It replaces any existing values
564        associated with key.
565
566    .. rb:method:: clear_headers
567
568        Clear all existing response header fields.
569
570    .. rb:method:: return(body)
571
572        Return custom response *body* to a client.  When this method
573        is called in request phase hook, the request is not forwarded
574        to the backend, and response phase hook for this request will
575        not be invoked.  When this method is called in response phase
576        hook, response from backend server is canceled and discarded.
577        The status code and response header fields should be set
578        before using this method.  To set status code, use
579        :rb:attr:`Nghttpx::Response#status`.  If status code is not
580        set, 200 is used.  To set response header fields,
581        :rb:meth:`Nghttpx::Response#add_header` and
582        :rb:meth:`Nghttpx::Response#set_header`.  When this method is
583        invoked in response phase hook, the response headers are
584        filled with the ones received from backend server.  To send
585        completely custom header fields, first call
586        :rb:meth:`Nghttpx::Response#clear_headers` to erase all
587        existing header fields, and then add required header fields.
588        It is an error to call this method twice for a given request.
589
590    .. rb:method:: send_info(status, headers)
591
592        Send non-final (informational) response to a client.  *status*
593        must be in the range [100, 199], inclusive.  *headers* is a
594        hash containing response header fields.  Its key must be a
595        string, and the associated value must be either string or
596        array of strings.  Since this is not a final response, even if
597        this method is invoked, request is still forwarded to a
598        backend unless :rb:meth:`Nghttpx::Response#return` is called.
599        This method can be called multiple times.  It cannot be called
600        after :rb:meth:`Nghttpx::Response#return` is called.
601
602MRUBY EXAMPLES
603~~~~~~~~~~~~~~
604
605Modify request path:
606
607.. code-block:: ruby
608
609    class App
610      def on_req(env)
611        env.req.path = "/apps#{env.req.path}"
612      end
613    end
614
615    App.new
616
617Don't forget to instantiate and evaluate object at the last line.
618
619Restrict permission of viewing a content to a specific client
620addresses:
621
622.. code-block:: ruby
623
624    class App
625      def on_req(env)
626        allowed_clients = ["127.0.0.1", "::1"]
627
628        if env.req.path.start_with?("/log/") &&
629           !allowed_clients.include?(env.remote_addr) then
630          env.resp.status = 404
631          env.resp.return "permission denied"
632        end
633      end
634    end
635
636    App.new
637
638API ENDPOINTS
639-------------
640
641nghttpx exposes API endpoints to manipulate it via HTTP based API.  By
642default, API endpoint is disabled.  To enable it, add a dedicated
643frontend for API using :option:`--frontend` option with "api"
644parameter.  All requests which come from this frontend address, will
645be treated as API request.
646
647The response is normally JSON dictionary, and at least includes the
648following keys:
649
650status
651  The status of the request processing.  The following values are
652  defined:
653
654  Success
655    The request was successful.
656
657  Failure
658    The request was failed.  No change has been made.
659
660code
661  HTTP status code
662
663Additionally, depending on the API endpoint, ``data`` key may be
664present, and its value contains the API endpoint specific data.
665
666We wrote "normally", since nghttpx may return ordinal HTML response in
667some cases where the error has occurred before reaching API endpoint
668(e.g., header field is too large).
669
670The following section describes available API endpoints.
671
672POST /api/v1beta1/backendconfig
673~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
674
675This API replaces the current backend server settings with the
676requested ones.  The request method should be POST, but PUT is also
677acceptable.  The request body must be nghttpx configuration file
678format.  For configuration file format, see `FILES`_ section.  The
679line separator inside the request body must be single LF (0x0A).
680Currently, only :option:`backend <--backend>` option is parsed, the
681others are simply ignored.  The semantics of this API is replace the
682current backend with the backend options in request body.  Describe
683the desired set of backend severs, and nghttpx makes it happen.  If
684there is no :option:`backend <--backend>` option is found in request
685body, the current set of backend is replaced with the :option:`backend
686<--backend>` option's default value, which is ``127.0.0.1,80``.
687
688The replacement is done instantly without breaking existing
689connections or requests.  It also avoids any process creation as is
690the case with hot swapping with signals.
691
692The one limitation is that only numeric IP address is allowed in
693:option:`backend <--backend>` in request body unless "dns" parameter
694is used while non numeric hostname is allowed in command-line or
695configuration file is read using :option:`--conf`.
696
697GET /api/v1beta1/configrevision
698~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
699
700This API returns configuration revision of the current nghttpx.  The
701configuration revision is opaque string, and it changes after each
702reloading by SIGHUP.  With this API, an external application knows
703that whether nghttpx has finished reloading its configuration by
704comparing the configuration revisions between before and after
705reloading.  It is recommended to disable persistent (keep-alive)
706connection for this purpose in order to avoid to send a request using
707the reused connection which may bound to an old process.
708
709This API returns response including ``data`` key.  Its value is JSON
710object, and it contains at least the following key:
711
712configRevision
713  The configuration revision of the current nghttpx
714
715
716SEE ALSO
717--------
718
719:manpage:`nghttp(1)`, :manpage:`nghttpd(1)`, :manpage:`h2load(1)`
720