Webserver Configuration
Configurations within the Satellite Configuration Group.
Element: config
Configure the `jetty` webserver and basic connection parameters.
Best practice is to have two configurations per Satellite Configuration Group: one with a connector for insecure *http* connections and one with a connector for secure *https*
connections. Combining both connectors in one configuration is also possible.
Attributes:
@version [ required | fixed: 1 ]
@name [ default: default ] ↦ string
Domain to be matched by request.
@truncate-remote-ip [ default: true ] ↦ boolean
Truncate last segment from remote IP for logging (GDPR/DSGVO).
@error-show-stacktrace [ default: false ] ↦ boolean
Show stack traces on error pages.
@error-show-servlet [ default: false ] ↦ boolean
Show servlet name on error pages.
Children:
- all of these elements:
- [1, 1] '→connectors'
» Configure network connectors.
- [1, 1] '→hostids'
» Define available hosts
- [0, 1] '→logs'
» Define
- [0, 1] '→rewriterules'
» redirect rules
- [0, 1] '→virtualhosts'
» Define domain names to be distinguished
- [0, 1] '→limits'
» Define limits (affecting security).
- [0, 1] '→compatibility'
» Configure backward compatibility
- [0, 1] '→headers'
» static headers for default host
Element: headers
Configure static headers.
Children:
- sequence of these elements:
- [1, n] '→header'
Element: header
Configure a header.
Attributes:
@name ↦ string
header name
@value ↦ string
header value
Element: connectors
Configure network connectors.
Children:
- sequence of these elements:
- [1, n] '→connector'
Element: connector
Configure a network connector.
Attributes:
@port [ required ] ↦ integer
Local port to listen on
@host ↦ string
IP to listen to (interface)
@secure ↦ boolean
provides ssl/tls
@forwarded ↦ boolean
Connector is behind a proxy; uses the x-forwarded- headers to set the internally used source address and scheme
@forwarded-levels ↦ positiveInteger
Defines how many levels in the forwarded-for headers should be taken into account (usually 1)
@idle-timeout ↦ long
idle timeout for connection in seconds
@http2 [ default: false ] ↦ boolean
@http10-hostname ↦ string
host name to use, if no Host header is transmitted
@http10-port ↦ positiveInteger
port to use, if no Host header is transmitted
@use-forwarded-header [ default: true ] ↦ boolean
use "Forwarded:" header
@use-x-forwarded-headers [ default: true ] ↦ boolean
use "X-Forwarded-*:" header
@use-x-forwarded-host [ default: false ] ↦ boolean
use "X-Forwarded-Host:" header
@use-x-forwarded-server [ default: false ] ↦ boolean
use "X-Forwarded-Server:" header
@use-x-forwarded-proto [ default: true ] ↦ boolean
use "X-Forwarded-Proto:" header
@use-x-forwarded-port [ default: false ] ↦ boolean
use "X-Forwarded-Port:" header
@sni-host-check [ default: false ] ↦ boolean
sni host check if true returns 400 if host not
@sni-required [ default: false ] ↦ boolean
returns 400 if sni required
Children:
- [1, n] choice of these elements:
- [0, n] '→pem'
» Provide certificates.
- [0, 1] '→ciphers'
- [0, 1] '→protocols'
- [0, 1] '→client-auth-by-cert'
» Configure client-certificate support
Element: client-auth-by-cert
Needed to support login provider certificate, see CommunitySessionManagerConfiguration.xsd (certificate element).
Attributes:
@optional [ default: false ] ↦ boolean
Can or must user provide a certificate?
@ocsp [ default: false ] ↦ boolean
Configure underlying jetty connector
@crldp [ default: false ] ↦ boolean
Configure underlying jetty connector
Children:
- [1, n] choice of these elements:
- [0, n] '→client-pem'
» Provide certificate data to validate client certificates.
Element: client-pem
content: string
Provide certificates/keys content to validate client certificates.
Element: pem
content: string
Provide certificates/keys content.
Attributes:
@password ↦ string
password for key decryption
Element: ciphers
Define cipher usage for SSL
Attributes:
@respect-order [ default: true ] ↦ boolean
Children:
- sequence of these elements:
- [0, n] '→cipher'
Element: cipher
content: string
Define the cipher to exclude or include: '<cipher exclude="true">TLS_ECDHE_RSA_WITH_RC4_128_SHA</cipher>'. Content contains a regex pattern selecting ciphers.
Attributes:
@exclude [ default: false ] ↦ boolean
Exclude selected ciphers?
Element: protocols
Configure protocols.
Children:
- sequence of these elements:
- [1, n] '→protocol'
Element: protocol
content: string
Which protocols are allowed? E.g. TLSv1, TLSv1.1, TLSv1.2
Element: hostids
Configure hostids.
Children:
- sequence of these elements:
- [1, n] '→hostid'
Element: hostid
Configure hostid provided by default.
Attributes:
@name [ required ] ↦ string
Unique name for host.
Element: logs
Configure log settings
Attributes:
@use-service [ default: false ] ↦ boolean
Children:
- sequence of these elements:
- [0, n] '→log'
Element: log
Configure a logfile
Attributes:
@filename [ required ] ↦ string
Element: rewriterules
Define rewriterules for requests
Children:
- [0, n] choice of these elements:
- [1, 1] '→patternrule'
» Define rewriterule using the jetty syntax pattern (discouraged)
- [1, 1] '→regexrule'
» Define rewriterule using regular expression
Element: patternrule
Define rewriterule using jetty syntax pattern (discouraged). Define actions on match.
Attributes:
@pattern [ required ] ↦ string
@{group '→rewriterule'}
Element: regexrule
Define rewriterule using regular expression. Define actions on match.
Attributes:
@regex [ required ] ↦ string
@{group '→rewriterule'}
Element: virtualhosts
Define special hosts for requested domains
Children:
- sequence of these elements:
- [0, n] '→virtualhost'
Element: virtualhost
Define special host for requested domains
Attributes:
@name [ required ] ↦ string
The domain to be matched by request.
Children:
- all of these elements:
- [0, 1] '→aliases'
» Define alias domains using this host
- [1, 1] '→hostids'
» Define available hosts for the requested domain
- [0, 1] '→logs'
» Configure log settings for this v-host
- [0, 1] '→rewriterules'
» Define rewriterules for requests to the matched domain
- [0, 1] '→headers'
» static headers for virtual host
Element: aliases
Define aliases
Children:
- sequence of these elements:
- [0, n] '→alias'
Element: alias
Attributes:
@name ↦ string
Element: limits
Attributes:
@threads ↦ positiveInteger
Size of the threadpool used for handling the http requests
@form-content-size ↦ positiveInteger
Restrict form content upload size (security) in bytes.
@form-keys ↦ positiveInteger
Maximum number of transmitted form keys
@connection-limit [ default: 1000 ] ↦ positiveInteger
Number of concurrent connections allowed
@connection-limit-idle-timeout-in-ms [ default: 1000 ] ↦ positiveInteger
Connection timeout for existing connections, if the connection limit is reached
@accept-rate-limit [ default: 1000 ] ↦ positiveInteger
Number of connections until new connections are allowed
@accept-rate-limit-period-in-ms [ default: 1000 ] ↦ positiveInteger
Period for accept-rate-limit
@request-header-max-size [ default: 8192 ] ↦ positiveInteger
maximum request header size in bytes
@response-header-max-size [ default: 8192 ] ↦ positiveInteger
maximum response header size in bytes
Element: compatibility
Configure backward compatibility
Attributes:
@cookie-compliance [ default: RFC2965 ] ↦ { RFC2965 | RFC6265 }
Define cookies to be compliant with
@http-compliance [ default: RFC7230 ] ↦ { LEGACY | RFC2616_LEGACY | RFC2616 | RFC7230 | RFC7230_LEGACY | RFC7230_NO_AMBIGUOUS_URIS }
HTTP parsing compliance, see also https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-http/src/main/java/org/eclipse/jetty/http/HttpCompliance.java
AttributeGroup: rewriterule
@replacement [ required ] ↦ string
@redirect ↦ boolean
@statuscode ↦ positiveInteger
@terminate ↦ boolean
@scheme ↦ { HTTP | HTTPS }
Define which scheme this rule should match, leave empty for any
The Webserver Configuration configures the underlying webserver and defines hosts for OnlineChannel instances.
Multiple Webserver Configurations may be present to define multiple connectors.
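The security-relevant attributes in this reference (error-page disclosure, IP truncation, TLS protocols, forwarded-header handling, form limits) can be checked mechanically before a configuration is deployed. The following Python check is an added example, not code from the product or its documentation; the sample XML, the host name, the omission of any namespace declaration and the decision of what counts as a finding are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names follow the reference above;
# any namespace/schema declaration the product expects is omitted (assumption).
SAMPLE = """
<config version="1" error-show-stacktrace="true">
  <connectors>
    <connector port="8443" secure="true" forwarded="true">
      <pem>PLACEHOLDER-PEM-CONTENT</pem>
      <protocols><protocol>TLSv1</protocol><protocol>TLSv1.2</protocol></protocols>
    </connector>
  </connectors>
  <hostids><hostid name="example-host"/></hostids>
</config>
"""

DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: deprecated by RFC 8996

def flag(elem, attr, default):
    """Read an xs:boolean attribute, falling back to the given default."""
    return elem.get(attr, default).strip().lower() in ("true", "1")

def audit(xml_text):
    """Return a list of findings; the policy behind each check is this example's own."""
    root = ET.fromstring(xml_text)
    findings = []
    for attr in ("error-show-stacktrace", "error-show-servlet"):
        if flag(root, attr, "false"):
            findings.append(f"config@{attr}=true exposes internals on error pages")
    if not flag(root, "truncate-remote-ip", "true"):
        findings.append("config@truncate-remote-ip=false logs full client IPs")
    for conn in root.iter("connector"):
        port = conn.get("port")
        # @secure has no documented default; absent is treated as false here.
        if flag(conn, "secure", "false"):
            listed = {(p.text or "").strip() for p in conn.iter("protocol")}
            weak = sorted(listed & DEPRECATED_TLS)
            if weak:
                findings.append(f"connector {port}: deprecated protocols {weak}")
        if flag(conn, "forwarded", "false") and conn.get("forwarded-levels") is None:
            findings.append(f"connector {port}: forwarded without forwarded-levels")
    limits = root.find("limits")
    for attr in ("form-content-size", "form-keys"):
        if limits is None or limits.get(attr) is None:
            findings.append(f"limits@{attr} not set")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

For the constructed sample the check reports the stack-trace setting, the TLSv1 entry, the missing forwarded-levels and the two unset form limits.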