Configure > Base Directives
This document describes the configuration directives common to all the protocols and handlers.
"hosts"
- Description:
-
Maps
host:port
to the mappings of per-host configs.The directive specifies the mapping between the authorities (the host or
host:port
section of an URL) and their configurations. The directive is mandatory, and must at least contain one entry.When
port
is omitted, the entry will match the requests targetting the default ports (i.e. port 80 for HTTP, port 443 for HTTPS) with given hostname. Otherwise, the entry will match the requests targetting the specified port.Example. A host redirecting all HTTP requests to HTTPShosts: "www.example.com:80": listen: port: 80 paths: "/": redirect: https://www.example.com/ "www.example.com:443": listen: port: 443 ssl: key-file: /path/to/ssl-key-file certificate-file: /path/to/ssl-certificate-file paths: "/": file.dir: /path/to/doc-root
- Level:
- global
"paths"
- Description:
-
Mapping of paths and their configurations.
The mapping is searched using prefix-match. The entry with the longest path is chosen when more than one matching paths were found. An
404 Not Found
error is returned if no matching paths were found.Example. Configuration with two pathshosts: "www.example.com": listen: port: 80 paths: "/": file.dir: /path/to/doc-root "/assets": file.dir: /path/to/assets
- Level:
- host
"listen"
- Description:
-
Specifies the port at which the server should listen to.
In addition to specifying the port number, it is also possible to designate the bind address or the SSL configuration.
Example. Various ways of using the Listen Directive# accept HTTP on port 80 on default address (both IPv4 and IPv6) listen: 80 # accept HTTP on 127.0.0.1:8080 listen: host: 127.0.0.1 port: 8080 # accept HTTPS on port 443 listen: port: 443 ssl: key-file: /path/to/key-file certificate-file: /path/to/certificate-file # accept HTTPS on port 443 (using PROXY protocol) listen: port: 443 ssl: key-file: /path/to/key-file certificate-file: /path/to/certificate-file proxy-protocol: ON
Configuration Levels
The directive can be used either at global-level or at host-level. At least one
listen
directive must exist at the global level, or every host-level configuration must have at least onelisten
directive.Incoming connections accepted by global-level listeners will be dispatched to one of the host-level contexts with the corresponding
host:port
, or to the first host-level context if none of the contexts were givenhost:port
corresponding to the request.Host-level listeners specify bind addresses specific to the host-level context. However it is permitted to specify the same bind address for more than one host-level contexts, in which case hostname-based lookup will be performed between the host contexts that share the address. The feature is useful for setting up a HTTPS virtual host using Server-Name Indication (RFC 6066).
Example. Using host-level listeners for HTTPS virtual-hostinghosts: "www.example.com:443": listen: port: 443 ssl: key-file: /path/to/www_example_com.key certificate-file: /path/to/www_example_com.crt paths: "/": file.dir: /path/to/doc-root_of_www_example_com "www.example.jp:443": listen: port: 443 ssl: key-file: /path/to/www_example_jp.key certificate-file: /path/to/www_example_jp.crt paths: "/": file.dir: /path/to/doc-root_of_www_example_jp
SSL Attribute
The
ssl
attribute must be defined as a mapping, and recognizes the following attributes.- certificate-file:
- path of the SSL certificate file (mandatory)
- key-file:
- path of the SSL private key file (mandatory)
- minimum-version:
-
minimum protocol version, should be one of:
SSLv2
,SSLv3
,TLSv1
,TLSv1.1
,TLSv1.2
. Default isTLSv1
- cipher-suite:
- list of cipher suites to be passed to OpenSSL via SSL_CTX_set_cipher_list (optional)
- cipher-preference:
-
side of the list that should be used for selecting the cipher-suite; should be either of:
client
,server
. Default isclient
. - dh-file:
- path of a PEM file containing the Diffie-Hellman paratemers to be used. Use of the file is recommended for servers using Diffie-Hellman key agreement. (optional)
- ocsp-update-interval:
-
interval for updating the OCSP stapling data (in seconds), or set to zero to disable OCSP stapling.
Default is
14400
(4 hours). - ocsp-max-failures:
- number of consecutive OCSP queriy failures before stopping to send OCSP stapling data to the client. Default is 3.
- neverbleed:
-
when set to
ON
, this experimental property isolates RSA private key operations to an islotated process by using Neverbleed. Default is OFF.
ssl-session-resumption
directive is provided for tuning parameters related to session resumption and session tickets.The Proxy-Protocol Attribute
The
proxy-protocol
attribute (i.e. the value of the attribute must be eitherON
orOFF
) specifies if the server should recognize the information passed via "the PROXY protocol in the incoming connections. The protocol is used by L4 gateways such as AWS Elastic Load Balancing to send peer address to the servers behind the gateways.When set to
ON
, H2O standalone server tries to parse the first octets of the incoming connections as defined in version 1 of the specification, and if successful, passes the addresses obtained from the protocol to the web applications and the logging handlers. If the first octets do not accord with the specification, it is considered as the start of the SSL handshake or as the beginning of an HTTP request depending on whether if thessl
attribute has been used.Default is
OFF
. - Level:
- global, host
"error-log"
- Description:
-
Path of the file to which error logs should be appended.
Default is stderr.
If the path starts with
|
, the rest of the path is considered as a command to which the logs should be piped.Example. Log errors to fileerror-log: /path/to/error-log-file
Example. Log errors through pipeerror-log: "| rotatelogs /path/to/error-log-file.%Y%m%d 86400"
- Level:
- global
"limit-request-body"
- Description:
-
Maximum size of request body in bytes (e.g. content of POST).
Default is unlimited.
- Level:
- global
"max-connections"
- Description:
-
Number of connections to handle at once at maximum.
- Level:
- global
- Default:
max-connections: 1024
"max-delegations"
- Description:
-
Limits the number of delegations (i.e. internal redirects using the
X-Reproxy-URL
header). - Level:
- global
- Default:
max-delegations: 5
"num-name-resolution-threads"
- Description:
-
Number of threads to run for name resolution.
- Level:
- global
- Default:
num-name-resolution-threads: 32
"num-threads"
- Description:
-
Number of worker threads.
Default is the number of the processors connected to the system as obtained by
getconf NPROCESSORS_ONLN
. - Level:
- global
"pid-file"
- Description:
-
Name of the file to which the process id of the server should be written.
Default is none.
- Level:
- global
"tcp-fastopen"
- Description:
-
Size of the queue used for TCP Fast Open.
TCP Fast Open is an extension to the TCP/IP protocol that reduces the time spent for establishing a connection. On Linux that support the feature, the default value is
4,096
. On other platforms the default value is0
(disabled). - Level:
- global
"ssl-session-resumption"
- Description:
-
Configures cache-based and ticket-based session resumption.
To reduce the latency introduced by the TLS (SSL) handshake, two methods to resume a previous encrypted session are defined by the Internet Engineering Task Force. H2O supports both of the methods: cache-based session resumption (defined in RFC 5246) and ticket-based session resumption (defined in RFC 5077).
Example. Various session-resumption configurations# use both methods (storing data on internal memory) ssl-session-resumption: mode: all # use both methods (storing data on memcached running at 192.168.0.4:11211) ssl-session-resumption: mode: all cache-store: memcached ticket-store: memcached cache-memcached-num-threads: 8 memcached: host: 192.168.0.4 port: 11211 # use ticket-based resumption only (with secrets used for encrypting the tickets stored in a file) ssl-session-resumption: mode: ticket ticket-store: file ticket-file: /path/to/ticket-secrets.yaml
Defining the Methods Used
The
mode
attribute defines which methods should be used for resuming the TLS sessions. The value can be either of:off
,cache
,ticket
,all
.If set to
off
, session resumption will be disabled, and all TLS connections will be established via full handshakes. If set toall
, both session-based and ticket-based resumptions will be used, with the preference given to the ticket-based resumption for clients supporting both the methods.For each method, additional attributes can be used to customize their behaviors. Attributes that modify the behavior of the disabled method are ignored.
Attributes for Cache-based Resumption
Following attributes are recognized if the cache-based session resumption is enabled. Note that
memcached
attribute must be defined as well in case thememcached
cache-store is used.- cache-store:
-
defines where the cache should be stored, must be one of:
internal
,memcached
. Default isinternal
. - cache-memcached-num-threads:
- defines the maximum number of threads used for communicating with the memcached server.
Default is
1
. - cache-memcached-prefix:
-
for the
memcached
store specifies the key prefix used to store the secrets on memcached. Default ish2o:ssl-session-cache:
.
Attributes for Ticket-based Resumption
Ticket-based session resumption uses master secret(s) to encrypt the keys used for encrypting the data transmitted over TLS connections. To achieve forward-secrecy (i.e. protect past communications from being decrypted in case a master secret gets obtained by a third party), it is essential to periodically change the secret and remove the old ones.
Among the three types of stores supported for ticket-based session remusption, the
internal
store andmemcached
store implement automatic roll-over of the secrets. A new master secret is created every 1/4 of the session lifetime (defined by thelifetime
attribute), and they expire (and gets removed) after 5/4 of the session lifetime elapse.For the
file
store, it is the responsibility of the web-site administrator to periodically update the secrets. H2O monitors the file and reloads the secrets when the file is altered.Following attributes are recognized if the ticket-based resumption is enabled.
- ticket-store:
- defines where the secrets for ticket-based resumption should be / is stored, must be one of:
internal
,file
,memcached
. Default isinternal
. - ticket-cipher:
-
for stores that implement automatic roll-over, specifies the cipher used for encrypting the tickets.
The value must be one recognizable by
EVP_get_cipherbyname
. Default isaes-256-cbc
. - ticket-hash:
-
for stores that implement automatic roll-over, specifies the cipher used for digitally-signing the tickets.
The value must be one recognizable by
EVP_get_digestbyname
. Default issha-256
. - ticket-file:
- for the
file
store specifies the file in which the secrets are stored - ticket-memcached-key:
-
for the
memcached
store specifies the key used to store the secrets on memcached. Default ish2o:ssl-session-ticket
.
Other Attributes
Following attributes are common to cache-based and ticket-based session resumption.
- lifetime:
-
defines the lifetime of a TLS session; when it expires the session cache entry is purged, and establishing a new connection will require a full TLS handshake.
Default value is
3600
(in seconds). - memcached:
-
specifies the location of memcached used by the
memcached
stores. The value must be a mapping withhost
attribute specifying the address of the memcached server, and optionally aport
attribute specifying the port number (default is11211
).
- Level:
- global
"user"
- Description:
-
Username under which the server should handle incoming requests.
If the directive is omitted and if the server is started under root privileges, the server will attempt to
setuid
tonobody
. - Level:
- global