Lines Matching +full:ipv4 +full:- +full:simple +full:- +full:service +full:- +full:config

6 lwsws is an implementation of a very lightweight, ws-capable generic web
15 Just enable -DLWS_WITH_LWSWS=1 at cmake-time.
19 NOTICE on Ubuntu, the default libuv package is called "libuv-0.10". This is ancient.
21 You should replace this with libuv1 and libuv1-dev before proceeding.
25 lwsws uses JSON config files, they're pure JSON except:
27 - '#' may be used to turn the rest of the line into a comment.
29 - There's also a single substitution, if a string contains "_lws_ddir_", then that is
32 having to change the config if your install path was different.
46 "count-threads": "1",
47 "server-string": "myserver v1", # returned in http headers
48 "ws-pingpong-secs": "200", # confirm idle established ws connections this often
49 "init-ssl": "yes"
53 and a config directory intended to take one file per vhost
62 "host-ssl-key": "/etc/pki/tls/private/warmcat.com.key", # if given enable ssl
63 "host-ssl-cert": "/etc/pki/tls/certs/warmcat.com.crt",
64 "host-ssl-ca": "/etc/pki/tls/certs/warmcat.com.cer",
73 To get started quickly, an example config reproducing the old test server
74 on port 7681, non-SSL is provided. To set it up
76 # mkdir -p /etc/lwsws/conf.d /var/log/lwsws
77 # cp ./lwsws/etc-lwsws-conf-EXAMPLE /etc/lwsws/conf
78 # cp ./lwsws/etc-lwsws-conf.d-localhost-EXAMPLE /etc/lwsws/conf.d/test-server
86 See ./READMEs/README.plugin-acme.md for examples of how to set it up on an lwsws vhost.
90 - `reject-service-keywords` allows you to return an HTTP error code and message of your choice
94 "reject-service-keywords": [{
99 - `timeout-secs` lets you set the global timeout for various network-related
105 the connection to a vhost and its vhost-specific SSL keys during SSL
114 "host-ssl-key": "/etc/pki/tls/private/libwebsockets.org.key",
115 "host-ssl-cert": "/etc/pki/tls/certs/libwebsockets.org.crt",
116 "host-ssl-ca": "/etc/pki/tls/certs/libwebsockets.org.cer",
123 "origin": "file:///usr/local/share/libwebsockets-test-server",
127 # vhost-specific config options for the protocol
129 "ws-protocols": [{
138 "host-ssl-key": "/etc/pki/tls/private/libwebsockets.org.key",
139 "host-ssl-cert": "/etc/pki/tls/certs/libwebsockets.org.crt",
140 "host-ssl-ca": "/etc/pki/tls/certs/libwebsockets.org.cer",
167 - Vhosts may have the same name and different ports, these will each create a
170 - Vhosts may also have the same port and different name: these will be treated as
181 Vhosts can select which plugins they want to offer and give them per-vhost settings using this synt…
183 "ws-protocols": [{
184 "warmcat-timezoom": {
190 The "x":"y" parameters like "status":"ok" are made available to the protocol during its per-vhost
197 "ws-protocols": [{
198 "warmcat-timezoom": {
208 "ws-protocols": [{
209 "warmcat-timezoom": {
216 See also "apply-listen-accept" below.
220 - If the three options `host-ssl-cert`, `host-ssl-ca` and `host-ssl-key` are given, then the vhost…
224 - `keeplive-timeout` (in secs) defaults to 60 for lwsws, it may be set as a vhost option
226 - `interface` lets you specify which network interface to listen on, if not given listens on all. …
228 - "`unix-socket`": "1" causes the unix socket specified in the interface option to be used instead…
230 - "`unix-socket-perms`": "user:group" allows you to control the unix permissions on the listening u…
232 - "`sts`": "1" causes lwsws to send a Strict Transport Security header with responses that informs…
234 - "`access-log`": "filepath" sets where apache-compatible access logs will be written
236 - `"enable-client-ssl"`: `"1"` enables the vhost's client SSL context, you will need this if you p…
238 - "`ciphers`": "<cipher list>" OPENSSL only: sets the allowed list of TLS <= 1.2 ciphers and key …
240 If you need to allow weaker ciphers, you can provide an alternative list here per-vhost.
242 - "`client-ssl-ciphers`": "<cipher list>" OPENSSL only: sets the allowed list of <= TLS1.2 cipher…
244 - "`tls13-ciphers`": "<cipher list>" OPENSSL 1.1.1+ only: sets allowed list of TLS1.3+ ciphers an…
246 - "`client-tls13-ciphers`": "<cipher list>" OPENSSL 1.1.1+ only: sets the allowed list of TLS1.3+…
248 - "`ecdh-curve`": "<curve name>" The default ecdh curve is "prime256v1", but you can override it…
250 - "`noipv6`": "on" Disable ipv6 completely for this vhost
252 - "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost
254 - "`ssl-option-set`": "<decimal>" Sets the SSL option flag value for the vhost.
265 "`ssl-option-set`": "268435456"
267 - "`ssl-option-clear`": "<decimal>" Clears the SSL option flag value for the vhost.
270 - "`ssl-client-option-set`" and "`ssl-client-option-clear`" work the same way for the vhost Client…
272 - "`headers`": [{ "header1": "h1value", "header2": "h2value" }]
280 "Content-Security-Policy": "script-src 'self'",
281 "X-Content-Type-Options": "nosniff",
282 "X-XSS-Protection": "1; mode=block",
283 "X-Frame-Options": "SAMEORIGIN"
288 - "`apply-listen-accept`": "on" This vhost only serves a non-http protocol, specified in "listen-
293 be auto-served if it matches the mountpoint.
297 - file:// serve the uri using the remainder of the url past the mountpoint based on the origin di…
309 - ^http:// or ^https:// these cause any url matching the mountpoint to issue a redirect to the or…
311 - cgi:// this causes any matching url to be given to the named cgi, eg
315 "origin": "cgi:///var/www/cgi-bin/cgit",
318 "mountpoint": "/cgit-data",
323 …would cause the url /git/myrepo to pass "myrepo" to the cgi /var/www/cgi-bin/cgit and send the res…
325 - http:// or https:// these perform reverse proxying, serving the remote origin content from the …
334 … lwsws configuration must include `"init-ssl": "1"` and the vhost with the proxy mount must have `…
343 1) Some protocols may want "per-mount options" in name:value format. You can
358 "origin": "cgi:///var/www/cgi-bin/cgit",
360 "cgi-env": [{
369 "cgi-timeout": "30"
376 "origin": "callback://protocol-post-demo"
380 callback registered to the protocol "protocol-post-demo".
382 This is useful for handling POST http body content or general non-cgi http
393 "cache-max-age": "60", # seconds
394 "cache-reuse": "1", # allow reuse at client at all
395 "cache-revalidate": "1", # check it with server each time
396 "cache-intermediaries": "1" # allow intermediary caches to hold
400 6) You can also define a list of additional mimetypes per-mount
402 "extra-mimetypes": {
418 Content-Type: header.
423 You can add a `basic-auth` entry on an http mount like this
427 "mountpoint": "/basic-auth",
428 "origin": "file://_lws_ddir_/libwebsockets-test-server/private",
429 "basic-auth": "/var/www/balogins-private"
435 in, lwsws checks the user:password string against the text file named in the `basic-auth`
455 "basic-auth": and filepath to the credentials file is passed as a pvo in the
456 "ws-protocols" section of the vhost definition.
464 "client-cert-required": "1"
473 configured entirely using the JSON per-vhost config language in the related
479 incoming connections on the vhost listen socket to the "raw-proxy" role and
483 "listen-accept-role": "raw-proxy",
484 "listen-accept-protocol": "myprotocol",
485 "apply-listen-accept": "1"
489 belonging to a secondary fallback role and protocol. This causes non-https
491 tls wrapper, and bind to role "raw-proxy" and protocol "myprotocol". For
493 as normal, but if you have configured the raw-proxy to portforward
498 "listen-accept-role": "raw-proxy",
499 "listen-accept-protocol": "myprotocol",
500 "fallback-listen-accept": "1",
501 "allow-non-tls": "1"
510 "allow-non-tls": "1",
511 "redirect-http": "1",
517 "allow-non-tls": "1",
518 "allow-http-on-https": "1",
529 (LWS_CALLBACK_PROTOCOL_DESTROY) callbacks per-vhost, and there are arrangements
530 they can make per-vhost allocations and get hold of the correct pointer from
533 This allows a protocol to choose to strictly segregate data on a per-vhost
539 - lws_vhost_get(wsi)
540 - lws_protocol_get(wsi)
541 - lws_callback_on_writable_all_protocol_vhost(vhost, protocol)
542 - lws_protocol_vh_priv_zalloc(vhost, protocol, size)
543 - lws_protocol_vh_priv_get(vhost, protocol)
551 preferred dir and ask lwsws to scan there by using a config fragment
556 "plugin-dir": "/usr/local/share/coherent-timeline/plugins"
561 @section lwswsssp lws-server-status plugin
565 Enable the protocol like this on a vhost's ws-protocols section
567 "lws-server-status": {
569 "update-ms": "5000"
572 `"update-ms"` is used to control how often updated JSON is sent on a ws link.
577 "mountpoint": "/server-status",
578 "origin": "file:///usr/local/share/libwebsockets-test-server/server-status",
579 "default": "server-status.html"
586 `"hide-vhosts": "{0 | 1}"` lets you control if information about your vhosts is included.
602 $ sudo killall -HUP lwsws
613 pick up the newly-available listen sockets, and use the current configuration
626 per-vhost "shared world" data with the deprecated process. That means no new
638 in child processes which use the privileges set in the lwsws config files.
642 lwsws needs a service file like this as `/usr/lib/systemd/system/lwsws.service`
648 [Service]
650 ExecReload=/usr/bin/killall -s SIGHUP lwsws ; sleep 1 ; /usr/local/bin/lwsws
654 WantedBy=multi-user.target
657 You can find this prepared in `./lwsws/usr-lib-systemd-system-lwsws.service`
672 You can find this prepared in `/lwsws/etc-logrotate.d-lwsws`
686 sudo gdb -ex "set follow-fork-mode child" -ex "run" --args /usr/local/bin/lwsws
696 source-level info because the dynamic library is gone.
698 There's a simple workaround, use LD_PRELOAD=<plugin.so> before running lwsws, this has the loader b…