diff options
Diffstat (limited to '')
| -rw-r--r-- | web/server/h2o/libh2o/doc/configure/base_directives.html | 975 |
1 files changed, 975 insertions, 0 deletions
diff --git a/web/server/h2o/libh2o/doc/configure/base_directives.html b/web/server/h2o/libh2o/doc/configure/base_directives.html new file mode 100644 index 00000000..38f8ea02 --- /dev/null +++ b/web/server/h2o/libh2o/doc/configure/base_directives.html @@ -0,0 +1,975 @@ +<!DOCTYPE html> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> +<meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no" /> +<base href="../" /> + +<!-- oktavia --> +<link rel="stylesheet" href="assets/searchstyle.css" type="text/css" /> +<script src="search/jquery-1.9.1.min.js"></script> +<script src="search/oktavia-jquery-ui.js"></script> +<script src="search/oktavia-english-search.js"></script> +<!-- /oktavia --> + +<link rel="stylesheet" href="assets/style.css" type="text/css" /> + +<title>Base Directives - Configure - H2O - the optimized HTTP/2 server</title> +</head> +<body> +<div id="body"> +<div id="top"> + +<h1> +<a href="index.html">H2O</a> +</h1> +<p class="description">the optimized HTTP/1.x, HTTP/2 server</p> + +<!-- oktavia --> +<form id="searchform"> +<input class="search" type="search" name="search" id="search" results="5" value="" placeholder="Search" /> +<div id="searchresult_box"> +<div id="close_search_box">×</div> +<div id="searchresult_summary"></div> +<div id="searchresult"></div> +<div id="searchresult_nav"></div> +<span class="pr">Powered by <a href="https://github.com/shibukawa/oktavia">Oktavia</a></span> +</div> +</form> +<!-- /oktavia --> + +</div> + +<table id="menu"> +<tr> +<td><a href="index.html">Top</a></td> +<td><a href="install.html">Install</a></td> +<td class="selected">Configure</td> +<td><a href="faq.html">FAQ</a></td> +<td><a href="http://blog.kazuhooku.com/search/label/H2O" target="_blank">Blog</a></td> +<td><a href="http://github.com/h2o/h2o/" target="_blank">Source</a></td> +</tr> +</table> + +<div id="main"> + +<h2> +<a href="configure.html">Configure</a> > +Base Directives +</h2> + + +<p> +This document describes the configuration directives common to all the protocols and handlers. +</p> + +<div id="hosts" class="directive-head"> +<h3><a href="configure/base_directives.html#hosts"><code>"hosts"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Maps <code>host:port</code> to the mappings of per-host configs. +</p> + +<p> +The directive specifies the mapping between the authorities (the host or <code>host:port</code> section of an URL) and their configurations. +The directive is mandatory, and must at least contain one entry. +</p> +<p> +When <code>port</code> is omitted, the entry will match the requests targetting the default ports (i.e. port 80 for HTTP, port 443 for HTTPS) with given hostname. +Otherwise, the entry will match the requests targetting the specified port. +</p> +<p> +Since version 1.7, a wildcard character <code>*</code> can be used as the first component of the hostname. +If used, they are matched using the rule defined in <a href="https://tools.ietf.org/html/rfc2818#section-3.1" target="_blank">RFC 2818 Section 3.1</a>. +For example, <code>*.example.com</code> will match HTTP requests for both <code>foo.example.com</code> and <code>bar.example.com</code>. +Note that an exact match is preferred over host definitions using wildcard characters. +</p> + + +<div class="example"> +<div class="caption">Example. A host redirecting all HTTP requests to HTTPS</div> +<pre><code>hosts: + "www.example.com:80": + listen: + port: 80 + paths: + "/": + redirect: https://www.example.com/ + "www.example.com:443": + listen: + port: 443 + ssl: + key-file: /path/to/ssl-key-file + certificate-file: /path/to/ssl-certificate-file + paths: + "/": + file.dir: /path/to/doc-root +</code></pre> +</div> + + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="paths" class="directive-head"> +<h3><a href="configure/base_directives.html#paths"><code>"paths"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Mapping of paths and their configurations. +</p> + +</p> +<p> +The mapping is searched using prefix-match. +The entry with the longest path is chosen when more than one matching paths were found. +An <code>404 Not Found</code> error is returned if no matching paths were found. +</p> +<div class="example"> +<div class="caption">Example. Configuration with two paths</div> +<pre><code>hosts: + "www.example.com": + listen: + port: 80 + paths: + "/": + file.dir: /path/to/doc-root + "/assets": + file.dir: /path/to/assets +</code></pre> +</div> + +<p> +In releases prior to version 2.0, all the path entries are considered as directories. +When H2O receives a request that exactly matches to an entry in paths that does not end with a slash, the server always returns a 301 redirect that appends a slash. +</p> +<p> +Since 2.0, it depends on the handler of the path whether if a 301 redirect that appends a slash is returned. +Server administrators can take advantage of this change to define per-path configurations (see the examples in <a href="configure/file_directives.html#file.file"><code>file.file</code></a> and the <a href="configure/fastcgi_directives.html">FastCGI handler</a>). +<a href="configure/file_directives.html#file.dir"><code>file.dir</code></a> is an exception that continues to perform the redirection; in case of the example above, access to <code>/assets</code> is redirected to <code>/assets/</code>. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>host</dd> +</dl> + +<div id="listen" class="directive-head"> +<h3><a href="configure/base_directives.html#listen"><code>"listen"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Specifies the port at which the server should listen to. +</p> + +</p> +<p> +In addition to specifying the port number, it is also possible to designate the bind address or the SSL configuration. +</p> +<div class="example"> +<div class="caption">Example. Various ways of using the Listen Directive</div> +<pre><code># accept HTTP on port 80 on default address (both IPv4 and IPv6) +listen: 80 + +# accept HTTP on 127.0.0.1:8080 +listen: + host: 127.0.0.1 + port: 8080 + +# accept HTTPS on port 443 +listen: + port: 443 + ssl: + key-file: /path/to/key-file + certificate-file: /path/to/certificate-file + +# accept HTTPS on port 443 (using PROXY protocol) +listen: + port: 443 + ssl: + key-file: /path/to/key-file + certificate-file: /path/to/certificate-file + proxy-protocol: ON +</code></pre> +</div> + +<h4 id="listen-configuration-levels">Configuration Levels</h4> +<p> +The directive can be used either at global-level or at host-level. +At least one <code>listen</code> directive must exist at the global level, or every <i>host</i>-level configuration must have at least one <code>listen</code> directive. +</p> +<p> +Incoming connections accepted by global-level listeners will be dispatched to one of the host-level contexts with the corresponding <code>host:port</code>, or to the first host-level context if none of the contexts were given <code>host:port</code> corresponding to the request. +</p> +<p> +Host-level listeners specify bind addresses specific to the host-level context. +However it is permitted to specify the same bind address for more than one host-level contexts, in which case hostname-based lookup will be performed between the host contexts that share the address. +The feature is useful for setting up a HTTPS virtual host using <a href="https://tools.ietf.org/html/rfc6066">Server-Name Indication (RFC 6066)</a>. +</p> +<div class="example"> +<div class="caption">Example. Using host-level listeners for HTTPS virtual-hosting</div> +<pre><code>hosts: + "www.example.com:443": + listen: + port: 443 + ssl: + key-file: /path/to/www_example_com.key + certificate-file: /path/to/www_example_com.crt + paths: + "/": + file.dir: /path/to/doc-root_of_www_example_com + "www.example.jp:443": + listen: + port: 443 + ssl: + key-file: /path/to/www_example_jp.key + certificate-file: /path/to/www_example_jp.crt + paths: + "/": + file.dir: /path/to/doc-root_of_www_example_jp +</code></pre> +</div> + +<h4 id="listen-ssl">SSL Attribute</h4> +<p> +The <code style="font-weight: bold;">ssl</code> attribute must be defined as a mapping, and recognizes the following attributes. +</p> +<dl> +<dt id="certificate-file">certificate-file:</dt> +<dd>path of the SSL certificate file (mandatory)</dd> +<dt id="key-file">key-file:</dt> +<dd>path of the SSL private key file (mandatory)</dd> +<dt id="minimum-version">minimum-version:</dt> +<dd> +minimum protocol version, should be one of: <code>SSLv2</code>, <code>SSLv3</code>, <code>TLSv1</code>, <code>TLSv1.1</code>, <code>TLSv1.2</code>. +Default is <code>TLSv1</code> +</dd> +<dt id="min-version">min-verison:</dt> +<dd> +synonym of <code>minimum-version</code> (introduced in version 2.2) +</dd> +<dt id="maximum-version">maximum-version:</dt> +<dd> +maximum protocol version. +Introduced in version 2.2. +Default is the maximum protocol version supported by the server. +</dd> +<dt id="maximum-version">max-version:</dt> +<dd> +synonym of <code>maximum-version</code>. +</dd> +<dt id="cipher-suite">cipher-suite:</dt> +<dd>list of cipher suites to be passed to OpenSSL via SSL_CTX_set_cipher_list (optional)</dd> +<dt id="cipher-preferences">cipher-preference:</dt> +<dd> +side of the list that should be used for selecting the cipher-suite; should be either of: <code>client</code>, <code>server</code>. +Default is <code>client</code>. +</dd> +<dt id="dh-file">dh-file:</dt> +<dd> +path of a PEM file containing the Diffie-Hellman parameters to be used. +Use of the file is recommended for servers using Diffie-Hellman key agreement. +(optional) +</dd> +<dt id="ocsp-update-interval">ocsp-update-interval:</dt> +<dd> +interval for updating the OCSP stapling data (in seconds), or set to zero to disable OCSP stapling. +Default is <code>14400</code> (4 hours). +</dd> +<dt id="ocsp-max-failures">ocsp-max-failures:</dt> +<dd> +number of consecutive OCSP query failures before stopping to send OCSP stapling data to the client. +Default is 3. +</dd> +<dt id="neverbleed">neverbleed:</dt> +<dd> +unless set to <code>OFF</code>, H2O isolates RSA private key operations to an isolated process by using <a href="https://github.com/h2o/neverbleed">Neverbleed</a>. +Default is <code>ON</code>. +</dl> +<p> +<a href="configure/base_directives.html#ssl-session-resumption"><code>ssl-session-resumption</code></a> directive is provided for tuning parameters related to session resumption and session tickets. +</p> +<h4 id="listen-proxy-protocol">The Proxy-Protocol Attribute</h4> +<p> +The <code>proxy-protocol</code> attribute (i.e. the value of the attribute must be either <code>ON</code> or <code>OFF</code>) specifies if the server should recognize the information passed via <a href="http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt">"the PROXY protocol</a> in the incoming connections. +The protocol is used by L4 gateways such as <a href="http://aws.amazon.com/jp/elasticloadbalancing/">AWS Elastic Load Balancing</a> to send peer address to the servers behind the gateways. +</p> +<p> +When set to <code>ON</code>, H2O standalone server tries to parse the first octets of the incoming connections as defined in version 1 of the specification, and if successful, passes the addresses obtained from the protocol to the web applications and the logging handlers. +If the first octets do not accord with the specification, it is considered as the start of the SSL handshake or as the beginning of an HTTP request depending on whether if the <code>ssl</code> attribute has been used. +</p> +<p> +Default is <code>OFF</code>. +</p> +<h4 id="listen-unix-socket">Listening to a Unix Socket</h4> +<p> +If the <code>type</code> attribute is set to <code>unix</code>, then the <code>port</code> attribute is assumed to specify the path of the unix socket to which the standalone server should bound. +Also following attributes are recognized. +</p> +<dl> +<dt>owner</dt> +<dd> +username of the owner of the socket file. +If omitted, the socket file will be owned by the launching user. +</dd> +<dt>permission</dt> +<dd> +an octal number specifying the permission of the socket file. +Many operating systems require write permission for connecting to the socket file. +If omitted, the permission of the socket file will reflect the umask of the calling process. +</dd> +</dl> +<div class="example"> +<div class="caption">Example. Listening to a Unix Socket accessible only by www-data</div> +<pre><code>listen: + type: unix + port: /tmp/h2o.sock + owner: www-data + permission: 600 +</code></pre> +</div> + + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global, host</dd> +</dl> + +<div id="error-log" class="directive-head"> +<h3><a href="configure/base_directives.html#error-log"><code>"error-log"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Path of the file to which error logs should be appended. +</p> + +<p> +Default is stderr. +</p> +<p> +If the path starts with <code>|</code>, the rest of the path is considered as a command to which the logs should be piped. +</p> +<div class="example"> +<div class="caption">Example. Log errors to file</div> +<pre><code>error-log: /path/to/error-log-file +</code></pre> +</div> + +<div class="example"> +<div class="caption">Example. Log errors through pipe</div> +<pre><code>error-log: "| rotatelogs /path/to/error-log-file.%Y%m%d 86400" +</code></pre> +</div> + + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>See also:</dt> +<dd><a href="configure/base_directives.html#error-log.emit-request-errors"><code>error-log.emit-request-errors</code></a> +</dd> +</dl> + +<div id="error-log.emit-request-errors" class="directive-head"> +<div class="directive-since">since v2.1</div> +<h3><a href="configure/base_directives.html#error-log.emit-request-errors"><code>"error-log.emit-request-errors"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Sets whether if request-level errors should be emitted to the error log. +</p> + +By setting the value to <code>OFF</code> and by using the <code>%{error}x</code> specifier of the <a href="configure/access_log_directives.html">access-log</a> directive, it is possible to log request-level errors only to the access log. + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global, host, path, extension</dd> +<dt>Default:</dt> +<dd><code><pre>error-log.emit-request-errors: ON</pre></code> +<dt>See also:</dt> +<dd><a href="configure/access_log_directives.html#access-log"><code>access-log</code></a> +<a href="configure/base_directives.html#error-log"><code>error-log</code></a> +</dd> +</dl> + +<div id="handshake-timeout" class="directive-head"> +<h3><a href="configure/base_directives.html#handshake-timeout"><code>"handshake-timeout"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Maximum time (in seconds) that can be spent by a connection before it becomes ready to accept an HTTP request. +</p> + +Times spent for receiving <a href="configure/base_directives.html#listen-proxy-protocol">the PROXY protocol</a> and TLS handshake are counted. + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>handshake-timeout: 10</pre></code> +</dl> + +<div id="limit-request-body" class="directive-head"> +<h3><a href="configure/base_directives.html#limit-request-body"><code>"limit-request-body"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Maximum size of request body in bytes (e.g. content of POST). +</p> + +<p> +Default is 1073741824 (1GB). +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="max-connections" class="directive-head"> +<h3><a href="configure/base_directives.html#max-connections"><code>"max-connections"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Number of connections to handle at once at maximum. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>max-connections: 1024</pre></code> +</dl> +<div id="max-delegations" class="directive-head"> +<h3><a href="configure/base_directives.html#max-delegations"><code>"max-delegations"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Limits the number of delegations (i.e. internal redirects using the <code>X-Reproxy-URL</code> header). +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>max-delegations: 5</pre></code> +</dl> +<div id="num-name-resolution-threads" class="directive-head"> +<h3><a href="configure/base_directives.html#num-name-resolution-threads"><code>"num-name-resolution-threads"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Maximum number of threads to run for name resolution. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>num-name-resolution-threads: 32</pre></code> +</dl> + + +<div id="num-ocsp-updaters" class="directive-head"> +<div class="directive-since">since v2.0</div> +<h3><a href="configure/base_directives.html#num-ocsp-updaters"><code>"num-ocsp-updaters"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Maximum number of OCSP updaters. +</p> + +<p> +<a href="https://en.wikipedia.org/wiki/OCSP_stapling">OSCP Stapling</a> is an optimization that speeds up the time spent for establishing a TLS connection. +In order to <i>staple</i> OCSP information, a HTTP server is required to periodically contact the certificate authority. +This directive caps the number of the processes spawn for collecting the information. +</p> +<p> +The use and the update interval of OCSP can be configured using the <a href="configure/base_directives.html#listen-ssl">SSL attributes</a> of the <a href="configure/base_directives.html#listen"><code>listen</code></a> configuration directive. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>num-ocsp-updaters: 10</pre></code> +</dl> + +<div id="num-threads" class="directive-head"> +<h3><a href="configure/base_directives.html#num-threads"><code>"num-threads"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Number of worker threads. +</p> + +<p> +Default is the number of the processors connected to the system as obtained by <code>getconf NPROCESSORS_ONLN</code>. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="pid-file" class="directive-head"> +<h3><a href="configure/base_directives.html#pid-file"><code>"pid-file"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Name of the file to which the process id of the server should be written. +</p> + +<p> +Default is none. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="tcp-fastopen" class="directive-head"> +<h3><a href="configure/base_directives.html#tcp-fastopen"><code>"tcp-fastopen"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Size of the queue used for TCP Fast Open. +</p> + +<p> +<a href="https://en.wikipedia.org/wiki/TCP_Fast_Open">TCP Fast Open</a> is an extension to the TCP/IP protocol that reduces the time spent for establishing a connection. +On Linux that support the feature, the default value is <code>4,096</code>. +On other platforms the default value is <code>0</code> (disabled). +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="send-server-name" class="directive-head"> +<div class="directive-since">since v2.0</div> +<h3><a href="configure/base_directives.html#send-server-name"><code>"send-server-name"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +A boolean flag (<code>ON</code> or <code>OFF</code>) indicating whether if the <code>server</code> response header should be sent. +</p> + + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>send-server-name: ON</pre></code> +<dt>See also:</dt> +<dd><a href="configure/base_directives.html#server-name"><code>server-name</code></a> +</dd> +</dl> + +<div id="server-name" class="directive-head"> +<div class="directive-since">since v2.0</div> +<h3><a href="configure/base_directives.html#server-name"><code>"server-name"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Lets the user override the value of the <code>server</code> response header. +</p> + +The default value is <code>h2o/VERSION-NUMBER</code>. + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>See also:</dt> +<dd><a href="configure/base_directives.html#send-server-name"><code>send-server-name</code></a> +</dd> +</dl> + +<div id="setenv" class="directive-head"> +<div class="directive-since">since v2.0</div> +<h3><a href="configure/base_directives.html#setenv"><code>"setenv"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Sets one or more environment variables. +</p> + +<p> +Environment variables are a set of key-value pairs containing arbitrary strings, that can be read from applications invoked by the standalone server (e.g. <a href="configure/fastcgi_directives.html">fastcgi handler</a>, <a href="configure/mruby_directives.html">mruby handler</a>) and the access logger. +</p> +<p> +The directive is applied from outer-level to inner-level. +At each level, the directive is applied after the <a href="configure/base_directives.html#unsetenv"><code>unsetenv</code></a> directive at the corresponding level is applied. +</p> +<p> +Environment variables are retained through internal redirections. +</p> +<div class="example"> +<div class="caption">Example. Setting an environment variable named <code>FOO</code></div> +<pre><code>setenv: + FOO: "value_of_FOO" +</code></pre> +</div> + + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global, host, path, extension</dd> +<dt>See also:</dt> +<dd><a href="configure/base_directives.html#unsetenv"><code>unsetenv</code></a> +</dd> +</dl> + +<div id="unsetenv" class="directive-head"> +<div class="directive-since">since v2.0</div> +<h3><a href="configure/base_directives.html#unsetenv"><code>"unsetenv"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Unsets one or more environment variables. +</p> + +<p> +The directive can be used to have an exception for the paths that have an environment variable set, or can be used to reset variables after an internal redirection. +</p> +<div class="example"> +<div class="caption">Example. Setting environment variable for <code>example.com</code> excluding <code>/specific-path</code></div> +<pre><code>hosts: + example.com: + setenv: + FOO: "value_of_FOO" + paths: + /specific-path: + unsetenv: + - FOO + ... +</code></pre> +</div> + + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global, host, path, extension</dd> +<dt>See also:</dt> +<dd><a href="configure/base_directives.html#setenv"><code>setenv</code></a> +</dd> +</dl> + +<div id="ssl-session-resumption" class="directive-head"> +<h3><a href="configure/base_directives.html#ssl-session-resumption"><code>"ssl-session-resumption"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Configures cache-based and ticket-based session resumption. +</p> + +<p> +To reduce the latency introduced by the TLS (SSL) handshake, two methods to resume a previous encrypted session are defined by the Internet Engineering Task Force. +H2O supports both of the methods: cache-based session resumption (defined in <a href="https://tools.ietf.org/html/rfc5246">RFC 5246</a>) and ticket-based session resumption (defined in <a href="https://tools.ietf.org/html/rfc5077">RFC 5077</a>). +</p> +<div class="example"> +<div class="caption">Example. Various session-resumption configurations</div> +<pre><code># use both methods (storing data on internal memory) +ssl-session-resumption: + mode: all + +# use both methods (storing data on memcached running at 192.168.0.4:11211) +ssl-session-resumption: + mode: all + cache-store: memcached + ticket-store: memcached + cache-memcached-num-threads: 8 + memcached: + host: 192.168.0.4 + port: 11211 + +# use ticket-based resumption only (with secrets used for encrypting the tickets stored in a file) +ssl-session-resumption: + mode: ticket + ticket-store: file + ticket-file: /path/to/ticket-secrets.yaml +</code></pre> +</div> + +<h4 id="ssl-session-resumption-methods">Defining the Methods Used</h4> +<p> +The <code>mode</code> attribute defines which methods should be used for resuming the TLS sessions. +The value can be either of: <code>off</code>, <code>cache</code>, <code>ticket</code>, <code>all</code>. +Default is <code>all</code>. +</p> +<p> +If set to <code>off</code>, session resumption will be disabled, and all TLS connections will be established via full handshakes. +If set to <code>all</code>, both session-based and ticket-based resumptions will be used, with the preference given to the ticket-based resumption for clients supporting both the methods. +</p> +<p> +For each method, additional attributes can be used to customize their behaviors. +Attributes that modify the behavior of the disabled method are ignored. +</p> +<h4 id="ssl-session-resumption-cache-based">Attributes for Cache-based Resumption</h4> +<p> +Following attributes are recognized if the cache-based session resumption is enabled. +Note that <code>memcached</code> attribute must be defined as well in case the <code>memcached</code> cache-store is used. +</p> +<dl> +<dt>cache-store:</dt> +<dd> +<p> +defines where the cache should be stored, must be one of: <code>internal</code>, <code>memcached</code>. +Default is <code>internal</code>. +</p> +<p> +Please note that if you compiled h2o with OpenSSL 1.1.0 ~ 1.1.0f, session resumption with external cache store would fail due to bug of OpenSSL. +</p> +</dd> +<dt>cache-memcached-num-threads:</dt> +<dd>defines the maximum number of threads used for communicating with the memcached server. +Default is <code>1</code>. +</dd> +<dt>cache-memcached-prefix:</dt> +<dd> +for the <code>memcached</code> store specifies the key prefix used to store the secrets on memcached. +Default is <code>h2o:ssl-session-cache:</code>. +</dd> +</dl> +<h4 id="ssl-session-resumption-ticket-based">Attributes for Ticket-based Resumption</h4> +<p> +Ticket-based session resumption uses master secret(s) to encrypt the keys used for encrypting the data transmitted over TLS connections. +To achieve <a href="https://en.wikipedia.org/wiki/Forward_secrecy" target="_blank">forward-secrecy</a> (i.e. protect past communications from being decrypted in case a master secret gets obtained by a third party), it is essential to periodically change the secret and remove the old ones. +</p> +<p> +Among the three types of stores supported for ticket-based session resumption, the <code>internal</code> store and <code>memcached</code> store implement automatic roll-over of the secrets. +A new master secret is created every 1/4 of the session lifetime (defined by the <code>lifetime</code> attribute), and they expire (and gets removed) after 5/4 of the session lifetime elapse. +</p> +<p> +For the <code>file</code> store, it is the responsibility of the web-site administrator to periodically update the secrets. H2O monitors the file and reloads the secrets when the file is altered. +</p> +<p> +Following attributes are recognized if the ticket-based resumption is enabled. +</p> +<dl> +<dt>ticket-store:</dt> +<dd>defines where the secrets for ticket-based resumption should be / is stored, must be one of: <code>internal</code>, <code>file</code>, <code>memcached</code>. +Default is <code>internal</code>. +<dt>ticket-cipher:</dt> +<dd> +for stores that implement automatic roll-over, specifies the cipher used for encrypting the tickets. +The value must be one recognizable by <code>EVP_get_cipherbyname</code>. +Default is <code>aes-256-cbc</code>. +<dt>ticket-hash:</dt> +<dd> +for stores that implement automatic roll-over, specifies the cipher used for digitally-signing the tickets. +The value must be one recognizable by <code>EVP_get_digestbyname</code>. +Default is <code>sha-256</code>. +</dd> +<dt>ticket-file:</dt> +<dd>for the <code>file</code> store specifies the file in which the secrets are stored</dd> +<dt>ticket-memcached-key:</dt> +<dd> +for the <code>memcached</code> store specifies the key used to store the secrets on memcached. +Default is <code>h2o:ssl-session-ticket</code>. +</dd> +</dl> +<h4 id="ssl-session-resumption-other">Other Attributes</h4> +<p> +Following attributes are common to cache-based and ticket-based session resumption. +</p> +<dl> +<dt>lifetime:</dt> +<dd> +defines the lifetime of a TLS session; when it expires the session cache entry is purged, and establishing a new connection will require a full TLS handshake. +Default value is <code>3600</code> (in seconds). +</dd> +<dt>memcached:</dt> +<dd> +specifies the location of memcached used by the <code>memcached</code> stores. +The value must be a mapping with <code>host</code> attribute specifying the address of the memcached server, and optionally a <code>port</code> attribute specifying the port number (default is <code>11211</code>). +By default, the memcached client uses the <a href="https://github.com/memcached/memcached/blob/master/doc/protocol-binary.xml">BINARY protocol</a>. +Users can opt-in to using the legacy <a href="https://github.com/memcached/memcached/blob/master/doc/protocol.txt">ASCII protocol</a> by adding a <code>protocol</code> attribute set to <code>ASCII</code>. +</dd> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="temp-buffer-path" class="directive-head"> +<div class="directive-since">since v2.0</div> +<h3><a href="configure/base_directives.html#temp-buffer-path"><code>"temp-buffer-path"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Directory in which temporary buffer files are created. +</p> + +<p> +H2O uses an internal structure called <code>h2o_buffer_t</code> for buffering various kinds of data (e.g. POST content, response from upstream HTTP or FastCGI server). +When amount of the data allocated in the buffer exceeds 32MB, it starts allocating storage from the directory pointed to by the directive. +</p> +<p> +By using the directive, users can set the directory to one within a memory-backed file system (e.g. <a href="https://en.wikipedia.org/wiki/Tmpfs">tmpfs</a>) for speed, or specify a disk-based file system to avoid memory pressure. +</p> +<p> +Note that the directory must be writable by the running user of the server. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>temp-buffer-path: "/tmp"</pre></code> +<dt>See also:</dt> +<dd><a href="configure/base_directives.html#user"><code>user</code></a> +</dd> +</dl> + +<div id="user" class="directive-head"> +<h3><a href="configure/base_directives.html#user"><code>"user"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Username under which the server should handle incoming requests. +</p> + +<p> +If the directive is omitted and if the server is started under root privileges, the server will attempt to <code>setuid</code> to <code>nobody</code>. +</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +</dl> + +<div id="crash-handler" class="directive-head"> +<div class="directive-since">since v2.1</div> +<h3><a href="configure/base_directives.html#crash-handler"><code>"crash-handler"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Script to invoke if <code>h2o</code> receives a fatal signal. +</p> + +<p>Note: this feature is only available when linking to the GNU libc.</p> + +<p>The script is invoked if one of the <code>SIGABRT</code>, +<code>SIGBUS</code>, <code>SIGFPE</code>, <code>SIGILL</code> or +<code>SIGSEGV</code> signals is received by <code>h2o</code>.</p> + +<p><code>h2o</code> writes the backtrace as provided by +<code>backtrace()</code> and <code>backtrace_symbols_fd</code> to the +standard input of the program.</p> + +<p>If the path is not absolute, it is prefixed with <code>${H2O_ROOT}/</code>.</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>crash-handler: "${H2O_ROOT}/share/h2o/annotate-backtrace-symbols"</pre></code> +</dl> + +<div id="crash-handler.wait-pipe-close" class="directive-head"> +<div class="directive-since">since v2.1</div> +<h3><a href="configure/base_directives.html#crash-handler.wait-pipe-close"><code>"crash-handler.wait-pipe-close"</code></a></h3> +</div> + +<dl class="directive-desc"> +<dt>Description:</dt> +<dd> +<p> +Whether <code>h2o</code> should wait for the crash handler pipe to close before exiting. +</p> + +<p>When this setting is <code>ON</code>, <code>h2o</code> will wait +for the pipe to the crash handler to be closed before exiting. +This can be useful if you use a custom handler that inspects the dying +process.</p> + +</dd> +<dt><a href="configure/syntax_and_structure.html#config_levels">Level</a>:</dt> +<dd>global</dd> +<dt>Default:</dt> +<dd><code><pre>crash-handler.wait-pipe-close: OFF</pre></code> +</dl> + + + + +</div> +<div id="footer"> +<p> +Copyright © 2015 <a href="http://dena.com/intl/">DeNA Co., Ltd.</a> et al. +</p> +</div> +</body> +</html> |