Provided by: nghttp2-proxy_1.36.0-2_amd64 bug

NAME

       nghttpx - HTTP/2 proxy

SYNOPSIS

       nghttpx [OPTIONS]... [<PRIVATE_KEY> <CERT>]

DESCRIPTION

       A reverse proxy for HTTP/2, and HTTP/1.

       <PRIVATE_KEY>
              Set  path  to  server's private  key.   Required  unless "no-tls" parameter is used
              in --frontend option.

       <CERT> Set  path  to  server's  certificate.   Required   unless  "no-tls"   parameter  is
              used  in  --frontend option.   To make OCSP stapling work, this must be an absolute
              path.

OPTIONS

       The options are categorized into several groups.

   Connections
       -b, --backend=(<HOST>,<PORT>|unix:<PATH>)[;[<PATTERN>[:...]][[;<PARAM>]...]
              Set  backend  host  and   port.   The  multiple  backend addresses are  accepted by
              repeating  this   option.  UNIX domain socket  can be  specified by prefixing  path
              name with "unix:" (e.g., unix:/var/run/backend.sock).

              Optionally, if <PATTERN>s are  given,  the  backend  address  is   only   used   if
              request  matches   the   pattern.   The pattern  matching is  closely  designed  to
              ServeMux  in net/http package of  Go programming language.  <PATTERN>  consists  of
              path, host +  path or just host.   The path must start  with "/".  If  it ends with
              "/",  it matches all  request path  in  its subtree.   To  deal with   the  request
              to  the   directory  without   trailing  slash,  the path which ends  with "/" also
              matches  the request path which  only  lacks  trailing  '/'  (e.g.,  path   "/foo/"
              matches  request  path   "/foo").  If it does  not end with "/", it  performs exact
              match against  the request path.  If   host   is  given,   it   performs   a  match
              against  the request host.   For a  request received on  the frontend listener with
              "sni-fwd" parameter enabled, SNI  host is used instead of a request host.  If  host
              alone  is  given,  "/"  is   appended to it,  so that it matches  all request paths
              under the  host   (e.g.,  specifying   "nghttp2.org"  equals   to  "nghttp2.org/").
              CONNECT method  is treated specially.  It  does not have  path, and we  don't allow
              empty path.  To workaround  this, we assume that CONNECT method has "/" as path.

              Patterns with  host take  precedence over  patterns with just path.   Then,  longer
              patterns take  precedence over shorter ones.

              Host   can   include "*"  in  the  left most  position  to indicate  wildcard match
              (only suffix  match is  done).  The "*" must match at  least  one  character.   For
              example, host    pattern    "*.nghttp2.org"    matches    against "www.nghttp2.org"
              and  "git.ngttp2.org", but  does  not match  against   "nghttp2.org".    The  exact
              hosts  match takes precedence over the wildcard hosts match.

              If  path  part ends with  "*", it is treated  as wildcard path.  The  wildcard path
              behaves differently  from the normal path.  For normal path,  match is made  around
              the  boundary  of  path  component  separator,"/".  On the other hand, the wildcard
              path does not take  into account the path component  separator.   All  paths  which
              include  the  wildcard   path   without   last   "*" as  prefix,  and  are strictly
              longer than wildcard  path without last "*" are matched.  "*"  must match  at least
              one   character.   For  example,   the    pattern   "/foo*"  matches   "/foo/"  and
              "/foobar".  But it does not match "/foo", or "/fo".

              If <PATTERN> is omitted or  empty string, "/" is used as pattern,   which   matches
              all request  paths  (catch-all pattern).  The catch-all backend must be given.

              When  doing  a match, nghttpx made  some normalization to pattern, request host and
              path.   For  host  part,  they  are  converted  to  lower  case.   For  path  part,
              percent-encoded  unreserved  characters   defined in RFC 3986  are decoded, and any
              dot-segments (".."  and ".")   are resolved and removed.

              For   example,   -b'127.0.0.1,8080;nghttp2.org/httpbin/' matches the  request  host
              "nghttp2.org"  and  the request path "/httpbin/get", but does not match the request
              host "nghttp2.org" and the request path "/index.html".

              The   multiple  <PATTERN>s   can   be  specified,   delimiting  them             by
              ":".               Specifying  -b'127.0.0.1,8080;nghttp2.org:www.nghttp2.org'   has
              the    same     effect     to    specify     -b'127.0.0.1,8080;nghttp2.org'     and
              -b'127.0.0.1,8080;www.nghttp2.org'.

              The  backend  addresses  sharing  same <PATTERN> are grouped together forming  load
              balancing  group.

              Several parameters <PARAM> are  accepted  after  <PATTERN>.   The   parameters  are
              delimited   by   ";".   The   available parameters       are:      "proto=<PROTO>",
              "tls",       "sni=<SNI_HOST>",                "fall=<N>",               "rise=<N>",
              "affinity=<METHOD>",       "dns",       "redirect-if-not-tls",    "upgrade-scheme",
              "mruby=<PATH>",      "read-timeout=<DURATION>",                                 and
              "write-timeout=<DURATION>".    The  parameter   consists of keyword, and optionally
              followed  by "=" and value.  For example,  the   parameter    "proto=h2"   consists
              of   the keyword  "proto" and  value "h2".   The parameter  "tls" consists  of  the
              keyword "tls"  without  value.   Each parameter is described as follows.

              The  backend  application  protocol   can  be  specified  using  optional   "proto"
              parameter,  and   in  the   form  of "proto=<PROTO>".  <PROTO> should be one of the
              following list  without  quotes:  "h2", "http/1.1".   The  default value of <PROTO>
              is   "http/1.1".   Note  that usually "h2" refers to HTTP/2  over TLS.  But in this
              option, it may mean HTTP/2  over cleartext TCP unless  "tls" keyword is  used  (see
              below).

              TLS   can    be   enabled   by  specifying   optional  "tls" parameter.  TLS is not
              enabled by default.

              With "sni=<SNI_HOST>" parameter, it can override the TLS SNI   field   value   with
              given  <SNI_HOST>.   This  will default to the backend <HOST> name

              The   feature   to  detect   whether  backend  is online  or offline can be enabled
              using optional "fall" and "rise" parameters.   Using   "fall=<N>"   parameter,   if
              nghttpx  cannot connect  to a  this backend <N>  times in  a row, this  backend  is
              assumed  to be  offline,  and  it  is excluded from load balancing.  If <N>  is  0,
              this  backend  never   be  excluded   from  load  balancing whatever  times nghttpx
              cannot connect  to it, and  this   is  the  default.   There  is   also  "rise=<N>"
              parameter.   After   backend  was  excluded  from  load  balancing  group,  nghttpx
              periodically attempts to make a connection  to  the  failed  backend,  and  if  the
              connection is made  successfully <N> times  in a row, the backend is assumed to  be
              online, and it is now eligible  for load  balancing target.    If  <N>   is  0,   a
              backend   is  permanently   offline,  once  it goes  in that state, and this is the
              default behaviour.

              The      session      affinity     is      enabled      using   "affinity=<METHOD>"
              parameter.   If  "ip" is  given  in <METHOD>, client  IP based session affinity  is
              enabled.  If "cookie"  is given in <METHOD>,   cookie  based  session  affinity  is
              enabled.  If  "none" is given  in <METHOD>, session affinity  is disabled, and this
              is the default.  The session  affinity is  enabled per  <PATTERN>.    If  at  least
              one  backend  has  "affinity"  parameter, and  its <METHOD> is not "none",  session
              affinity is enabled for all backend  servers sharing the same   <PATTERN>.   It  is
              advised   to   set   "affinity"  parameter   to  all  backend explicitly if session
              affinity  is desired.  The  session  affinity   may    break   if    one   of   the
              backend   gets unreachable,  or   backend  settings  are   reloaded  or replaced by
              API.

              If     "affinity=cookie"      is     used,      the     additional    configuration
              is                required.  "affinity-cookie-name=<NAME>" must be  used to specify
              a     name         of         cookie          to         use.           Optionally,
              "affinity-cookie-path=<PATH>"  can   be  used  to   specify a path   which   cookie
              is   applied.    The   optional  "affinity-cookie-secure=<SECURE>"   controls   the
              Secure  attribute  of  a  cookie.   The  default  value  is  "auto", and the Secure
              attribute is  determined by a request scheme.  If a request scheme is "https", then
              Secure  attribute  is  set.  Otherwise, it  is not set.  If  <SECURE> is "yes", the
              Secure attribute  is  always set.   If <SECURE>  is "no", the Secure  attribute  is
              always omitted.

              By  default,  name  resolution  of  backend  host  name  is done at  start  up,  or
              reloading  configuration.   If  "dns" parameter    is   given,    name   resolution
              takes   place  dynamically.  This is useful  if backend address changes frequently.
              If  "dns"  is given,  name  resolution  of backend   host   name   at  start    up,
              or   reloading configuration is skipped.

              If  "redirect-if-not-tls"  parameter  is used, the matched backend  requires   that
              frontend  connection   is  TLS encrypted.  If it isn't,  nghttpx  responds  to  the
              request  with  308   status code, and  https URI the  client should use instead  is
              included in Location  header field.  The port number in  redirect  URI  is  443  by
              default, and can be  changed using  --redirect-https-port option.   If at least one
              backend has  "redirect-if-not-tls" parameter, this  feature  is  enabled   for  all
              backend  servers  sharing  the   same   <PATTERN>.    It    is   advised   to   set
              "redirect-if-no-tls"    parameter   to    all   backends explicitly if this feature
              is desired.

              If  "upgrade-scheme"  parameter is used along  with "tls" parameter, HTTP/2 :scheme
              pseudo header field is changed to "https" from "http" when forwarding a request  to
              this  particular  backend.   This  is   a  workaround  for  a backend server  which
              requires  "https" :scheme  pseudo  header field on TLS encrypted connection.

              "mruby=<PATH>"  parameter  specifies  a  path  to  mruby script   file   which   is
              invoked when  this  pattern  is matched.  All backends which share the same pattern
              must have the same mruby path.

              "read-timeout=<DURATION>" and "write-timeout=<DURATION>"  parameters   specify  the
              read and  write timeout  of the backend connection  when this  pattern is  matched.
              All backends which share the same pattern must have the same  timeouts.   If  these
              timeouts   are  entirely  omitted  for a pattern,            --backend-read-timeout
              and --backend-write-timeout are used.

              Since ";" and ":" are   used  as  delimiter,  <PATTERN>  must  not   contain  these
              characters.   Since   ";"  has   special meaning in shell, the option value must be
              quoted.

              Default: 127.0.0.1,80

       -f, --frontend=(<HOST>,<PORT>|unix:<PATH>)[[;<PARAM>]...]
              Set  frontend  host and  port.   If  <HOST> is  '*',   it  assumes   all  addresses
              including   both   IPv4  and   IPv6.   UNIX  domain   socket  can   be specified by
              prefixing path  name   with   "unix:"  (e.g.,   unix:/var/run/nghttpx.sock).   This
              option can  be used  multiple times  to listen  to multiple addresses.

              This  option   can take  0 or  more parameters,  which are described  below.   Note
              that  "api"  and  "healthmon" parameters are mutually exclusive.

              Optionally, TLS  can be disabled by  specifying "no-tls" parameter.  TLS is enabled
              by default.

              If  "sni-fwd"  parameter  is   used,  when  performing  a match to select a backend
              server,  SNI host name received from the client  is used  instead of   the  request
              host.  See --backend option about the pattern match.

              To   make  this   frontend  as  API endpoint,  specify "api" parameter.   This   is
              disabled  by  default.    It  is important  to  limit  the   access   to   the  API
              frontend.   Otherwise,  someone   may  change   the backend  server, and break your
              services,  or expose confidential information to the outside the world.

              To  make  this  frontend   as   health   monitor   endpoint,  specify   "healthmon"
              parameter.   This is  disabled  by default.  Any  requests which come through  this
              address are replied with 200 HTTP status, without no body.

              To  accept   PROXY  protocol    version   1    on   frontend  connection,   specify
              "proxyproto" parameter.   This  is disabled by default.

              Default: *,3000

       --backlog=<N>
              Set listen backlog size.

              Default: 65536

       --backend-address-family=(auto|IPv4|IPv6)
              Specify  address  family  of  backend  connections.   If "auto" is given, both IPv4
              and IPv6 are considered.  If "IPv4" is  given, only  IPv4 address  is   considered.
              If "IPv6" is given, only IPv6 address is considered.

              Default: auto

       --backend-http-proxy-uri=<URI>
              Specify            proxy             URI           in            the           form
              http://[<USER>:<PASS>@]<PROXY>:<PORT>.    If   a   proxy requires   authentication,
              specify   <USER>   and  <PASS>.  Note that  they must be properly  percent-encoded.
              This proxy  is used  when the  backend connection   is  HTTP/2.   First,   make   a
              CONNECT   request   to  the proxy  and  it connects  to the  backend  on behalf  of
              nghttpx.   This forms  tunnel.   After  that, nghttpx  performs  SSL/TLS  handshake
              with  the downstream through the  tunnel.  The timeouts when connecting and  making
              CONNECT  request  can  be      specified     by      --backend-read-timeout     and
              --backend-write-timeout options.

   Performance
       -n, --workers=<N>
              Set the number of worker threads.

              Default: 1

       --single-thread
              Run  everything  in  one   thread  inside  the worker process.  This   feature   is
              provided  for   better   debugging experience,  or  for  the platforms  which  lack
              thread support.   If  threading  is disabled,  this  option  is always enabled.

       --read-rate=<SIZE>
              Set  maximum  average read  rate on  frontend connection.  Setting 0 to this option
              means read rate is unlimited.

              Default: 0

       --read-burst=<SIZE>
              Set  maximum read  burst  size  on  frontend   connection.   Setting   0   to  this
              option  means  read burst  size  is unlimited.

              Default: 0

       --write-rate=<SIZE>
              Set  maximum  average write rate on  frontend connection.  Setting 0 to this option
              means write rate is unlimited.

              Default: 0

       --write-burst=<SIZE>
              Set  maximum write  burst size  on  frontend   connection.   Setting   0  to   this
              option means  write  burst size  is unlimited.

              Default: 0

       --worker-read-rate=<SIZE>
              Set  maximum  average  read  rate on frontend connection per worker.  Setting  0 to
              this option  means read  rate is unlimited.  Not implemented yet.

              Default: 0

       --worker-read-burst=<SIZE>
              Set maximum  read burst size on  frontend connection per worker.  Setting 0 to this
              option means read burst size is unlimited.  Not implemented yet.

              Default: 0

       --worker-write-rate=<SIZE>
              Set maximum  average write  rate on  frontend connection per worker.  Setting  0 to
              this option  means write rate is unlimited.  Not implemented yet.

              Default: 0

       --worker-write-burst=<SIZE>
              Set maximum write burst  size on frontend connection per worker.  Setting 0 to this
              option means write burst size is unlimited.  Not implemented yet.

              Default: 0

       --worker-frontend-connections=<N>
              Set  maximum number  of simultaneous connections frontend accepts.  Setting 0 means
              unlimited.

              Default: 0

       --backend-connections-per-host=<N>
              Set  maximum number  of  backend concurrent  connections (and/or  streams in   case
              of  HTTP/2)   per  origin   host.   This  option   is meaningful when --http2-proxy
              option is used.   The  origin  host   is   determined   by   authority  portion  of
              request URI (or :authority  header field for HTTP/2).   To  limit  the   number  of
              connections   per  frontend          for         default          mode,         use
              --backend-connections-per-frontend.

              Default: 8

       --backend-connections-per-frontend=<N>
              Set   maximum  number  of  backend concurrent  connections (and/or streams  in case
              of HTTP/2)  per frontend.  This option  is   only  used  for  default    mode.    0
              means   unlimited.    To   limit   the    number   of  connections  per  host  with
              --http2-proxy         option,          use --backend-connections-per-host.

              Default: 0

       --rlimit-nofile=<N>
              Set maximum number of open files (RLIMIT_NOFILE) to <N>.  If 0  is  given,  nghttpx
              does not set the limit.

              Default: 0

       --backend-request-buffer=<SIZE>
              Set buffer size used to store backend request.

              Default: 16K

       --backend-response-buffer=<SIZE>
              Set buffer size used to store backend response.

              Default: 128K

       --fastopen=<N>
              Enables  "TCP Fast  Open" for  the listening  socket and limits the  maximum length
              for the  queue of connections that have not yet completed the three-way  handshake.
              If value is 0 then fast open is disabled.

              Default: 0

       --no-kqueue
              Don't  use  kqueue.  This  option is only  applicable for the platforms  which have
              kqueue.  For  other platforms, this option will be simply ignored.

   Timeout
       --frontend-http2-read-timeout=<DURATION>
              Specify read timeout for HTTP/2 frontend connection.

              Default: 3m

       --frontend-read-timeout=<DURATION>
              Specify read timeout for HTTP/1.1 frontend connection.

              Default: 1m

       --frontend-write-timeout=<DURATION>
              Specify write timeout for all frontend connections.

              Default: 30s

       --frontend-keep-alive-timeout=<DURATION>
              Specify   keep-alive   timeout   for   frontend   HTTP/1 connection.

              Default: 1m

       --stream-read-timeout=<DURATION>
              Specify  read timeout  for HTTP/2  streams.  0  means no timeout.

              Default: 0

       --stream-write-timeout=<DURATION>
              Specify write  timeout for  HTTP/2 streams.  0  means no timeout.

              Default: 1m

       --backend-read-timeout=<DURATION>
              Specify read timeout for backend connection.

              Default: 1m

       --backend-write-timeout=<DURATION>
              Specify write timeout for backend connection.

              Default: 30s

       --backend-connect-timeout=<DURATION>
              Specify  timeout before  establishing TCP  connection to backend.

              Default: 30s

       --backend-keep-alive-timeout=<DURATION>
              Specify   keep-alive   timeout    for   backend   HTTP/1 connection.

              Default: 2s

       --listener-disable-timeout=<DURATION>
              After accepting  connection failed,  connection listener is disabled  for  a  given
              amount of time.   Specifying 0 disables this feature.

              Default: 30s

       --frontend-http2-setting-timeout=<DURATION>
              Specify  timeout before  SETTINGS ACK  is received  from client.

              Default: 10s

       --backend-http2-settings-timeout=<DURATION>
              Specify  timeout before  SETTINGS ACK  is received  from backend server.

              Default: 10s

       --backend-max-backoff=<DURATION>
              Specify   maximum  backoff   interval.   This   is  used   when doing health  check
              against offline backend  (see "fail" parameter   in  --backend   option).    It  is
              also  used   to  limit   the   maximum   interval  to  temporarily  disable backend
              when nghttpx  failed to  connect to  it.  These  intervals  are  calculated   using
              exponential  backoff,  and consecutive failed attempts increase the interval.  This
              option caps its maximum value.

              Default: 2m

   SSL/TLS
       --ciphers=<SUITE>
              Set allowed  cipher list  for frontend  connection.  The format of  the  string  is
              described  in  OpenSSL ciphers(1).  This option  sets cipher suites for  TLSv1.2 or
              earlier.  Use --tls13-ciphers for TLSv1.3.

              Default:
              ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

       --tls13-ciphers=<SUITE>
              Set allowed  cipher list  for frontend  connection.  The format of  the  string  is
              described  in  OpenSSL  ciphers(1).   This   option   sets   cipher    suites   for
              TLSv1.3.   Use --ciphers for TLSv1.2 or earlier.

              Default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

       --client-ciphers=<SUITE>
              Set  allowed cipher  list for  backend connection.   The format of  the  string  is
              described  in  OpenSSL ciphers(1).  This option  sets cipher suites for  TLSv1.2 or
              earlier.  Use --tls13-client-ciphers for TLSv1.3.

              Default:
              ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

       --tls13-client-ciphers=<SUITE>
              Set  allowed cipher  list for  backend connection.   The format of  the  string  is
              described  in  OpenSSL  ciphers(1).   This   option   sets   cipher    suites   for
              TLSv1.3.   Use --tls13-client-ciphers for TLSv1.2 or earlier.

              Default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

       --ecdh-curves=<LIST>
              Set  supported  curve  list   for   frontend   connections.   <LIST>  is  a   colon
              separated  list  of  curve   NID  or  names in the preference order.  The supported
              curves depend on the  linked  OpenSSL  library.  This  function   requires  OpenSSL
              >= 1.0.2.

              Default: X25519:P-256:P-384:P-521

       -k, --insecure
              Don't   verify  backend   server's   certificate   if  TLS   is enabled for backend
              connections.

       --cacert=<PATH>
              Set path to trusted CA  certificate file.  It is used in backend   TLS  connections
              to  verify   peer's certificate.  It is also used to  verify OCSP response from the
              script set by --fetch-ocsp-response-file.  The  file must be in  PEM  format.    It
              can contain multiple  certificates.  If the  linked OpenSSL  is configured  to load
              system wide certificates, they  are loaded at startup  regardless of this option.

       --private-key-passwd-file=<PATH>
              Path  to file  that contains  password for  the server's private key.   If none  is
              given and the private  key is password protected it'll be requested interactively.

       --subcert=<KEYPATH>:<CERTPATH>[[;<PARAM>]...]
              Specify   additional  certificate   and   private  key  file.  nghttpx will  choose
              certificates based on  the hostname indicated by client using  TLS  SNI  extension.
              If  nghttpx  is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic curves (e.g.,
              P-256) between  client and server are also taken into  consideration.  This  allows
              nghttpx   to  send  ECDSA  certificate  to modern clients, while  sending RSA based
              certificate to older  clients.  This option can  be  used   multiple   times.    To
              make  OCSP  stapling  work, <CERTPATH> must be absolute path.

              Additional  parameter   can  be  specified  in   <PARAM>.  The available <PARAM> is
              "sct-dir=<DIR>".

              "sct-dir=<DIR>"  specifies the  path  to   directory  which  contains         *.sct
              files         for         TLS  signed_certificate_timestamp  extension  (RFC 6962).
              This feature   requires   OpenSSL   >=   1.0.2.    See   also --tls-sct-dir option.

       --dh-param-file=<PATH>
              Path to file that contains  DH parameters in PEM format.  Without   this    option,
              DHE   cipher  suites   are  not available.

       --npn-list=<LIST>
              Comma  delimited  list  of   ALPN  protocol  identifier  sorted  in  the   order of
              preference.  That  means most desirable protocol comes  first.  This  is  used   in
              both   ALPN  and NPN.  The parameter must be  delimited by a single comma only  and
              any  white spaces  are  treated as  a part  of protocol string.

              Default: h2,h2-16,h2-14,http/1.1

       --verify-client
              Require and verify client certificate.

       --verify-client-cacert=<PATH>
              Path  to file  that contains  CA certificates  to verify client  certificate.   The
              file must be in PEM format.  It can contain multiple certificates.

       --verify-client-tolerate-expired
              Accept   expired   client   certificate.    Operator   should  handle   the expired
              client  certificate  by some   means  (e.g.,   mruby   script).    Otherwise,  this
              option  might cause a security risk.

       --client-private-key-file=<PATH>
              Path   to   file  that  contains   client  private  key   used  in  backend  client
              authentication.

       --client-cert-file=<PATH>
              Path  to   file  that   contains  client  certificate   used  in   backend   client
              authentication.

       --tls-min-proto-version=<VER>
              Specify  minimum SSL/TLS protocol.   The name matching is done in  case-insensitive
              manner.  The  versions between --tls-min-proto-version and  --tls-max-proto-version
              are  enabled.   If  the  protocol list advertised by client does not  overlap  this
              range,  you  will  receive the  error message "unknown protocol".   If  a  protocol
              version  lower than TLSv1.2 is specified, make sure that the compatible ciphers are
              included in --ciphers option.   The default cipher  list  only   includes   ciphers
              compatible   with  TLSv1.2 or above.  The available versions are: TLSv1.3, TLSv1.2,
              TLSv1.1, and TLSv1.0

              Default: TLSv1.2

       --tls-max-proto-version=<VER>
              Specify maximum SSL/TLS protocol.   The name matching is done in   case-insensitive
              manner.  The  versions between --tls-min-proto-version and  --tls-max-proto-version
              are enabled.  If the protocol list advertised by client  does  not   overlap   this
              range,   you   will   receive the  error message "unknown protocol".  The available
              versions are: TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0

              Default: TLSv1.3

       --tls-ticket-key-file=<PATH>
              Path  to  file  that  contains   random  data  to  construct  TLS  session   ticket
              parameters.   If  aes-128-cbc  is  given in --tls-ticket-key-cipher, the  file must
              contain  exactly  48     bytes.      If      aes-256-cbc      is      given      in
              --tls-ticket-key-cipher, the  file must  contain exactly 80  bytes.   This  options
              can be  used  repeatedly  to specify  multiple  ticket   parameters.   If   several
              files  are  given,   only the  first key is  used to  encrypt TLS session  tickets.
              Other  keys are  accepted but  server will  issue new  session  ticket with   first
              key.   This allows  session  key  rotation.  Please  note  that  key rotation  does
              not  occur automatically.    User   should  rearrange   files  or   change  options
              values and  restart nghttpx gracefully.   If opening  or reading  given file fails,
              all loaded  keys are discarded and  it is treated as if none   of  this  option  is
              given.  If  this option is not given or an error  occurred while opening or reading
              a file,  key is  generated every  1 hour  internally and they are   valid  for   12
              hours.    This  is  recommended if ticket  key sharing  between  nghttpx  instances
              is  not required.

       --tls-ticket-key-memcached=<HOST>,<PORT>[;tls]
              Specify address  of  memcached   server  to  get   TLS  ticket  keys  for   session
              resumption.    This  enables   shared  TLS  ticket  key  between   multiple nghttpx
              instances.  nghttpx does not set TLS ticket  key to memcached.  The external ticket
              key  generator  is  required.  nghttpx just gets TLS ticket  keys  from  memcached,
              and  use  them,  possibly replacing current set  of keys.  It is up  to extern  TLS
              ticket   key  generator   to  rotate   keys  frequently.   See "TLS SESSION  TICKET
              RESUMPTION" section in  manual page to know the data  format  in  memcached  entry.
              Optionally,  memcached   connection   can   be  encrypted  with  TLS  by specifying
              "tls" parameter.

       --tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6)
              Specify address  family of memcached connections   to  get  TLS  ticket  keys.   If
              "auto"  is  given,  both  IPv4 and IPv6 are considered.   If "IPv4" is given,  only
              IPv4 address is considered.  If "IPv6" is given, only IPv6 address is considered.

              Default: auto

       --tls-ticket-key-memcached-interval=<DURATION>
              Set interval to get TLS ticket keys from memcached.

              Default: 10m

       --tls-ticket-key-memcached-max-retry=<N>
              Set  maximum   number  of  consecutive   retries  before abandoning TLS ticket  key
              retrieval.   If  this number is reached,  the  attempt  is considered  as  failure,
              and "failure" count  is incremented by  1,   which  contributed  to             the
              value            controlled --tls-ticket-key-memcached-max-fail option.

              Default: 3

       --tls-ticket-key-memcached-max-fail=<N>
              Set  maximum   number  of  consecutive   failure  before disabling TLS ticket until
              next scheduled key retrieval.

              Default: 2

       --tls-ticket-key-cipher=<CIPHER>
              Specify cipher  to encrypt TLS session  ticket.  Specify either   aes-128-cbc    or
              aes-256-cbc.    By   default, aes-128-cbc is used.

       --tls-ticket-key-memcached-cert-file=<PATH>
              Path to client certificate  for memcached connections to get TLS ticket keys.

       --tls-ticket-key-memcached-private-key-file=<PATH>
              Path to client private  key for memcached connections to get TLS ticket keys.

       --fetch-ocsp-response-file=<PATH>
              Path to  fetch-ocsp-response script file.  It  should be absolute path.

              Default: /usr/local/share/nghttp2/fetch-ocsp-response

       --ocsp-update-interval=<DURATION>
              Set interval to update OCSP response cache.

              Default: 4h

       --ocsp-startup
              Start   accepting  connections   after  initial   attempts  to  get  OCSP responses
              finish.  It does not  matter some  of  the   attempts   fail.   This   feature   is
              useful   if    OCSP   responses    must     be    available     before    accepting
              connections.

       --no-verify-ocsp
              nghttpx does not verify OCSP response.

       --no-ocsp
              Disable OCSP stapling.

       --tls-session-cache-memcached=<HOST>,<PORT>[;tls]
              Specify  address of  memcached server  to store   session  cache.    This   enables
              shared   session   cache   between  multiple    nghttpx   instances.    Optionally,
              memcached connection can be encrypted with TLS by specifying "tls" parameter.

       --tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
              Specify address family of memcached connections to store session cache.  If  "auto"
              is  given,  both   IPv4  and  IPv6 are considered.   If "IPv4" is given,  only IPv4
              address is considered.  If "IPv6" is given, only IPv6 address is considered.

              Default: auto

       --tls-session-cache-memcached-cert-file=<PATH>
              Path to client certificate  for memcached connections to store session cache.

       --tls-session-cache-memcached-private-key-file=<PATH>
              Path to client private  key for memcached connections to store session cache.

       --tls-dyn-rec-warmup-threshold=<SIZE>
              Specify the  threshold size for TLS  dynamic record size behaviour.  During  a  TLS
              session,  after   the threshold number of bytes  have been written, the  TLS record
              size will be increased to the maximum allowed (16K).   The  max  record  size  will
              continue  to be used on  the active TLS session.  After  --tls-dyn-rec-idle-timeout
              has elapsed, the record size is reduced  to 1300 bytes.  Specify 0  to  always  use
              the  maximum  record  size,   regardless of idle period.   This  behaviour  applies
              to  all  TLS  based frontends, and TLS HTTP/2 backends.

              Default: 1M

       --tls-dyn-rec-idle-timeout=<DURATION>
              Specify    TLS     dynamic     record      size     behaviour     timeout.      See
              --tls-dyn-rec-warmup-threshold   for    more  information.  This behaviour  applies
              to all TLS  based frontends, and TLS HTTP/2 backends.

              Default: 1s

       --no-http2-cipher-black-list
              Allow   black    listed    cipher   suite    on    frontend    HTTP/2   connection.
              See https://tools.ietf.org/html/rfc7540#appendix-A  for  the complete HTTP/2 cipher
              suites black list.

       --client-no-http2-cipher-black-list
              Allow   black    listed    cipher    suite    on    backend    HTTP/2   connection.
              See https://tools.ietf.org/html/rfc7540#appendix-A  for  the complete HTTP/2 cipher
              suites black list.

       --tls-sct-dir=<DIR>
              Specifies the  directory where  *.sct files  exist.  All *.sct   files   in   <DIR>
              are    read,    and   sent   as extension_data of  TLS signed_certificate_timestamp
              (RFC  6962)   to   client.    These    *.sct   files   are   for   the  certificate
              specified    in   positional   command-line argument <CERT>, or  certificate option
              in configuration file.   For   additional  certificates,   use   --subcert  option.
              This option requires OpenSSL >= 1.0.2.

       --psk-secrets=<PATH>
              Read  list  of  PSK  identity  and  secrets from <PATH>.  This is used for frontend
              connection.    The   each   line    of    input    file     is     formatted     as
              <identity>:<hex-secret>,   where  <identity> is  PSK identity, and <hex-secret>  is
              secret in hex.  An  empty line, and line which  starts with '#' are  skipped.   The
              default  enabled cipher list might not contain any PSK cipher suite.  In that case,
              desired PSK cipher suites  must be  enabled using  --ciphers option.  The   desired
              PSK   cipher  suite   may  be   black  listed  by HTTP/2.   To  use  those   cipher
              suites  with  HTTP/2, consider  to  use  --no-http2-cipher-black-list  option.  But
              be aware its implications.

       --client-psk-secrets=<PATH>
              Read  PSK  identity  and secrets from <PATH>.  This is used for backend connection.
              The each  line of input  file  is  formatted   as  <identity>:<hex-secret>,   where
              <identity> is PSK identity, and <hex-secret>  is secret in hex.  An empty line, and
              line which  starts with '#' are skipped.   The  first  identity  and   secret  pair
              encountered  is used.  The default  enabled cipher  list might not  contain any PSK
              cipher suite.   In  that case,  desired PSK  cipher suites  must be  enabled  using
              --client-ciphers  option.  The  desired PSK  cipher suite  may be  black listed  by
              HTTP/2.   To  use   those    cipher   suites   with   HTTP/2,  consider    to   use
              --client-no-http2-cipher-black-list option.  But be aware its implications.

       --tls-no-postpone-early-data
              By  default,   nghttpx  postpones  forwarding   HTTP  requests  sent in early data,
              including those sent in partially in it, until  TLS  handshake  finishes.   If  all
              backend  server  recognizes  "Early-Data"  header   field,  using this option makes
              nghttpx  not postpone  forwarding request  and get full potential of 0-RTT data.

       --tls-max-early-data=<SIZE>
              Sets  the  maximum  amount  of 0-RTT  data  that  server accepts.

              Default: 16K

   HTTP/2
       -c, --frontend-http2-max-concurrent-streams=<N>
              Set the maximum number of  the concurrent streams in one frontend HTTP/2 session.

              Default: 100

       --backend-http2-max-concurrent-streams=<N>
              Set the maximum number of  the concurrent streams in one backend   HTTP/2  session.
              This sets  maximum number  of concurrent opened pushed streams.  The maximum number
              of concurrent requests are set by a remote server.

              Default: 100

       --frontend-http2-window-size=<SIZE>
              Sets  the  per-stream  initial  window  size  of  HTTP/2 frontend connection.

              Default: 65535

       --frontend-http2-connection-window-size=<SIZE>
              Sets the  per-connection window size of  HTTP/2 frontend connection.

              Default: 65535

       --backend-http2-window-size=<SIZE>
              Sets  the   initial  window   size  of   HTTP/2  backend connection.

              Default: 65535

       --backend-http2-connection-window-size=<SIZE>
              Sets the  per-connection window  size of  HTTP/2 backend connection.

              Default: 2147483647

       --http2-no-cookie-crumbling
              Don't crumble cookie header field.

       --padding=<N>
              Add  at most  <N> bytes  to  a HTTP/2  frame payload  as  padding.   Specify  0  to
              disable  padding.   This option is meant for debugging purpose  and not intended to
              enhance protocol security.

       --no-server-push
              Disable HTTP/2 server push.  Server push is supported by default  mode  and  HTTP/2
              frontend  via  Link  header  field.   It  is   also supported if  both frontend and
              backend are HTTP/2 in default mode.   In   this  case,  server  push  from  backend
              session  is  relayed   to  frontend,  and server push via Link header field is also
              supported.

       --frontend-http2-optimize-write-buffer-size
              (Experimental) Enable write   buffer  size  optimization  in  frontend  HTTP/2  TLS
              connection.  This optimization aims to reduce  write buffer  size so  that it  only
              contains bytes  which can  send immediately.   This makes  server  more  responsive
              to  prioritized  HTTP/2 stream because the buffering  of lower  priority stream  is
              reduced.   This option is only effective on recent Linux platform.

       --frontend-http2-optimize-window-size
              (Experimental)   Automatically  tune   connection  level window  size  of  frontend
              HTTP/2 TLS connection.  If this feature is  enabled, connection window size  starts
              with  the    default   window    size,    65535   bytes.     nghttpx  automatically
              adjusts  connection  window size  based on TCP receiving  window size.  The maximum
              window  size  is  capped       by        the       value        specified        by
              --frontend-http2-connection-window-size.      Since    the  stream  is  subject  to
              stream level window size, it should be adjusted using  --frontend-http2-window-size
              option as well.   This option  is only  effective on  recent Linux platform.

       --frontend-http2-encoder-dynamic-table-size=<SIZE>
              Specify  the  maximum  dynamic   table size of HPACK encoder in the frontend HTTP/2
              connection.  The decoder (client) specifies  the maximum  dynamic  table   size  it
              accepts.   Then  the  negotiated  dynamic  table size is the minimum of this option
              value and the value which client specified.

              Default: 4K

       --frontend-http2-decoder-dynamic-table-size=<SIZE>
              Specify the maximum dynamic  table size of HPACK decoder  in  the  frontend  HTTP/2
              connection.

              Default: 4K

       --backend-http2-encoder-dynamic-table-size=<SIZE>
              Specify  the  maximum  dynamic   table  size of HPACK encoder in the backend HTTP/2
              connection.  The decoder (backend) specifies  the maximum  dynamic table   size  it
              accepts.   Then  the  negotiated  dynamic  table size is the minimum of this option
              value and the value which backend specified.

              Default: 4K

       --backend-http2-decoder-dynamic-table-size=<SIZE>
              Specify the maximum dynamic  table size of HPACK  decoder  in  the  backend  HTTP/2
              connection.

              Default: 4K

   Mode
       (default mode)
              Accept   HTTP/2,   and   HTTP/1.1  over   SSL/TLS.   "no-tls" parameter is  used in
              --frontend option,  accept HTTP/2 and HTTP/1.1 over cleartext  TCP.   The  incoming
              HTTP/1.1 connection  can  be  upgraded  to  HTTP/2  through  HTTP Upgrade.

       -s, --http2-proxy
              Like default mode, but enable forward proxy.  This is so called HTTP/2 proxy mode.

   Logging
       -L, --log-level=<LEVEL>
              Set the severity  level of log output.   <LEVEL> must be one of INFO, NOTICE, WARN,
              ERROR and FATAL.

              Default: NOTICE

       --accesslog-file=<PATH>
              Set path to write access log.  To reopen file, send USR1 signal to nghttpx.

       --accesslog-syslog
              Send  access log  to syslog.   If this  option is  used, --accesslog-file option is
              ignored.

       --accesslog-format=<FORMAT>
              Specify  format  string  for access  log.   The  default format is combined format.
              The following variables are available:

              · $remote_addr: client IP address.

              · $time_local: local time in Common Log format.

              · $time_iso8601: local time in ISO 8601 format.

              · $request: HTTP request line.

              · $status: HTTP response status code.

              · $body_bytes_sent: the  number of bytes sent  to client as response body.

              · $http_<VAR>: value of HTTP  request header <VAR> where '_' in <VAR>  is  replaced
                with '-'.

              · $remote_port: client  port.

              · $server_port: server port.

              · $request_time: request processing time in seconds with milliseconds resolution.

              · $pid: PID of the running process.

              · $alpn:  ALPN  identifier  of  the  protocol  which  generates the response.   For
                HTTP/1,  ALPN is  always http/1.1, regardless of minor version.

              · $tls_cipher: cipher used for SSL/TLS connection.

              · $tls_client_fingerprint_sha256: SHA-256 fingerprint of client certificate.

              · $tls_client_fingerprint_sha1:  SHA-1   fingerprint  of client certificate.

              · $tls_client_subject_name:   subject  name   in  client certificate.

              · $tls_client_issuer_name:   issuer   name   in   client certificate.

              · $tls_client_serial:    serial    number   in    client certificate.

              · $tls_protocol: protocol for SSL/TLS connection.

              · $tls_session_id: session ID for SSL/TLS connection.

              · $tls_session_reused:  "r"   if  SSL/TLS   session  was reused.  Otherwise, "."

              · $tls_sni: SNI server name for SSL/TLS connection.

              · $backend_host:  backend  host   used  to  fulfill  the request.  "-"  if  backend
                host is not available.

              · $backend_port:   backend   port   used  to  fulfill  the request.  "-" if backend
                host is not available.

              The  variable  can  be  enclosed  by  "{"   and   "}"   for  disambiguation  (e.g.,
              ${remote_addr}).

              Default:   $remote_addr  -  -  [$time_local]  "$request"  $status  $body_bytes_sent
              "$http_referer" "$http_user_agent"

       --accesslog-write-early
              Write  access  log  when   response  header  fields  are received    from   backend
              rather   than  when   request transaction finishes.

       --errorlog-file=<PATH>
              Set  path  to  write  error   log.   To  reopen file, send USR1 signal  to nghttpx.
              stderr will  be redirected  to the error log file unless --errorlog-syslog is used.

              Default: /dev/stderr

       --errorlog-syslog
              Send  error log  to  syslog.  If  this  option is  used, --errorlog-file option  is
              ignored.

       --syslog-facility=<FACILITY>
              Set syslog facility to <FACILITY>.

              Default: daemon

   HTTP
       --add-x-forwarded-for
              Append  X-Forwarded-For header  field to  the downstream request.

       --strip-incoming-x-forwarded-for
              Strip X-Forwarded-For  header field from  inbound client requests.

       --no-add-x-forwarded-proto
              Don't   append   additional  X-Forwarded-Proto   header  field  to   the    backend
              request.        If       inbound        client        sets       X-Forwarded-Proto,
              and --no-strip-incoming-x-forwarded-proto  option  is  used, they are passed to the
              backend.

       --no-strip-incoming-x-forwarded-proto
              Don't strip X-Forwarded-Proto  header field from inbound client requests.

       --add-forwarded=<LIST>
              Append RFC  7239  Forwarded  header  field   with  parameters  specified  in  comma
              delimited  list  <LIST>.   The supported parameters  are "by",  "for", "host",  and
              "proto".   By default,  the value  of  "by" and  "for" parameters   are  obfuscated
              string.      See      --forwarded-by     and  --forwarded-for options respectively.
              Note that nghttpx does  not  translate non-standard  X-Forwarded-*   header  fields
              into Forwarded header field, and vice versa.

       --strip-incoming-forwarded
              Strip  Forwarded   header  field  from   inbound  client requests.

       --forwarded-by=(obfuscated|ip|<VALUE>)
              Specify  the  parameter  value  sent  out  with "by" parameter of Forwarded  header
              field.   If "obfuscated"  is given, the string is randomly  generated  at  startup.
              If  "ip" is given,   the  interface   address  of   the  connection, including port
              number, is  sent with "by" parameter.  In case of UNIX domain  socket,  "localhost"
              is used instead of address and  port.  User can also  specify the static obfuscated
              string.  The limitation is that it must start with   "_",   and    only    consists
              of  character   set [A-Za-z0-9._-], as described in RFC 7239.

              Default: obfuscated

       --forwarded-for=(obfuscated|ip)
              Specify   the    parameter   value   sent  out   with  "for" parameter of Forwarded
              header field.  If "obfuscated" is given, the string is  randomly generated for each
              client connection.  If "ip" is given, the remote client address of  the connection,
              without port  number, is  sent with "for"  parameter.   In  case   of  UNIX  domain
              socket, "localhost" is used instead of address.

              Default: obfuscated

       --no-via
              Don't  append  to   Via header field.  If  Via header field is received, it is left
              unaltered.

       --no-strip-incoming-early-data
              Don't strip Early-Data header  field from inbound client requests.

       --no-location-rewrite
              Don't  rewrite location  header field  in default  mode.   When  --http2-proxy   is
              used, location header  field will not be altered regardless of this option.

       --host-rewrite
              Rewrite  host and  :authority header  fields in  default mode.  When  --http2-proxy
              is  used, these  headers will not be altered regardless of this option.

       --altsvc=<PROTOID,PORT[,HOST,[ORIGIN]]>
              Specify   protocol  ID,   port,   host    and   origin    of  alternative  service.
              <HOST>  and <ORIGIN> are optional.  They  are advertised  in  alt-svc header  field
              only  in HTTP/1.1  frontend.  This   option  can   be  used   multiple  times    to
              specify  multiple   alternative   services.  Example: --altsvc=h2,443

       --add-request-header=<HEADER>
              Specify  additional  header  field to add to request header set.  This  option just
              appends header field  and won't replace anything  already set.  This option  can be
              used   several    times     to    specify   multiple    header   fields.   Example:
              --add-request-header="foo: bar"

       --add-response-header=<HEADER>
              Specify  additional  header  field to  add  to  response header set.   This  option
              just  appends   header  field and won't replace anything already  set.  This option
              can  be  used  several   times  to   specify  multiple   header  fields.   Example:
              --add-response-header="foo: bar"

       --request-header-field-buffer=<SIZE>
              Set  maximum  buffer size for incoming HTTP request header field list.  This is the
              sum of header name and value in bytes.   If  trailer   fields   exist,   they   are
              counted towards this number.

              Default: 64K

       --max-request-header-fields=<N>
              Set   maximum   number   of  incoming   HTTP  request  header fields.   If  trailer
              fields exist,  they  are  counted towards this number.

              Default: 100

       --response-header-field-buffer=<SIZE>
              Set  maximum  buffer  size for  incoming  HTTP  response header field list.    This
              is  the sum of  header name and value  in  bytes.  If  trailer  fields  exist, they
              are counted towards this number.

              Default: 64K

       --max-response-header-fields=<N>
              Set  maximum number  of  incoming  HTTP  response   header  fields.    If   trailer
              fields exist,  they  are  counted towards this number.

              Default: 500

       --error-page=(<CODE>|*)=<PATH>
              Set  file  path   to  custom  error page  served when nghttpx originally  generates
              HTTP  error status  code  <CODE>.  <CODE> must be greater than or equal to 400, and
              at  most  599.   If  "*"   is  used instead of <CODE>,  it matches all HTTP  status
              code.  If  error  status  code comes  from backend server, the custom  error  pages
              are not used.

       --server-name=<NAME>
              Change server response header field value to <NAME>.

              Default: nghttpx

       --no-server-rewrite
              Don't  rewrite  server  header  field in default mode.  When --http2-proxy is used,
              these headers will not be altered regardless of this option.

       --redirect-https-port=<PORT>
              Specify the port number which appears in Location header field  when  redirect   to
              HTTPS  URI  is  made  due  to "redirect-if-not-tls" parameter in --backend option.

              Default: 443

   API
       --api-max-request-body=<SIZE>
              Set the maximum size of request body for API request.

              Default: 32M

   DNS
       --dns-cache-timeout=<DURATION>
              Set  duration  that  cached DNS results remain valid.  Note that nghttpx caches the
              unsuccessful results as well.

              Default: 10s

       --dns-lookup-timeout=<DURATION>
              Set timeout that  DNS server is given to  respond to the initial  DNS  query.   For
              the  2nd  and later  queries, server is  given time based  on this timeout, and  it
              is scaled linearly.

              Default: 5s

       --dns-max-try=<N>
              Set the number of DNS query before nghttpx gives up name lookup.

              Default: 2

       --frontend-max-requests=<N>
              The number  of requests that single  frontend connection can process.  For  HTTP/2,
              this   is the number of streams in  one  HTTP/2 connection.   For  HTTP/1,  this is
              the number of keep alive requests.  This is hint to  nghttpx,  and  it   may  allow
              additional few  requests.  The default value is unlimited.

   Debug
       --frontend-http2-dump-request-header=<PATH>
              Dumps  request  headers received by HTTP/2 frontend to the file denoted  in <PATH>.
              The  output is done  in HTTP/1  header  field  format  and  each  header  block  is
              followed  by  an  empty line.  This option  is not thread safe and MUST NOT be used
              with option -n<N>, where <N> >= 2.

       --frontend-http2-dump-response-header=<PATH>
              Dumps response headers sent  from HTTP/2 frontend to the file denoted   in  <PATH>.
              The   output  is  done   in  HTTP/1  header  field  format and each header block is
              followed by an empty line.  This option  is not thread safe and MUST  NOT  be  used
              with option -n<N>, where <N> >= 2.

       -o, --frontend-frame-debug
              Print  HTTP/2  frames in  frontend to stderr.  This option is  not thread  safe and
              MUST NOT  be used  with option -n=N, where N >= 2.

   Process
       -D, --daemon
              Run in a background.  If -D is used, the current working directory  is  changed  to
              '/'.

       --pid-file=<PATH>
              Set path to save PID of this program.

       --user=<USER>
              Run  this  program  as  <USER>.    This  option is intended to be used to drop root
              privileges.

       --single-process
              Run this program in a  single process mode for  debugging  purpose.   Without  this
              option,   nghttpx  creates  at  least 2  processes:  master  and worker  processes.
              If  this option is  used, master  and worker  are unified  into a  single  process.
              nghttpx  still  spawns  additional  process  if neverbleed is used.  In  the single
              process mode, the signal handling feature is disabled.

   Scripting
       --mruby-file=<PATH>
              Set mruby script file

       --ignore-per-pattern-mruby-error
              Ignore mruby compile error  for per-pattern mruby script file.  If error  occurred,
              it is treated as  if no mruby file were specified for the pattern.

   Misc
       --conf=<PATH>
              Load   configuration   from   <PATH>.   Please  note  that nghttpx always  tries to
              read the  default configuration file if --conf is not given.

              Default: /etc/nghttpx/nghttpx.conf

       --include=<PATH>
              Load  additional  configurations  from  <PATH>.   File  <PATH>   is    read    when
              configuration   parser  encountered  this option.  This option can be used multiple
              times, or even recursively.

       -v, --version
              Print version and exit.

       -h, --help
              Print this help and exit.

       The <SIZE> argument is an integer and an optional unit (e.g., 10K is 10  *  1024).   Units
       are K, M and G (powers of 1024).

       The <DURATION> argument is an integer and an optional unit (e.g., 1s is 1 second and 500ms
       is 500 milliseconds).  Units are h, m, s or ms (hours, minutes, seconds and  milliseconds,
       respectively).  If a unit is omitted, a second is used as unit.

FILES

       /etc/nghttpx/nghttpx.conf
              The default configuration file path nghttpx searches at startup.  The configuration
              file path can be changed using --conf option.

              Those lines which are staring # are treated as comment.

              The option name in the configuration file is the long command-line option name with
              leading  -- stripped (e.g., frontend).  Put = between option name and value.  Don't
              put extra leading or trailing spaces.

              When specifying arguments including characters which  have  special  meaning  to  a
              shell,  we  usually use quotes so that shell does not interpret them.  When writing
              this configuration file, quotes for this purpose must not be  used.   For  example,
              specify additional request header field, do this:

                 add-request-header=foo: bar

              instead of:

                 add-request-header="foo: bar"

              The  options  which  do  not take argument in the command-line take argument in the
              configuration file.  Specify yes as an argument (e.g., http2-proxy=yes).  If  other
              string is given, it is ignored.

              To specify private key and certificate file which are given as positional arguments
              in command-line, use private-key-file and certificate-file.

              --conf option cannot be used in the configuration  file  and  will  be  ignored  if
              specified.

       Error log
              Error   log  is  written  to  stderr  by  default.   It  can  be  configured  using
              --errorlog-file.  The format of log message is as follows:

              <datetime> <master-pid> <current-pid> <thread-id> <level> (<filename>:<line>) <msg>

              <datetime>
                     It is a combination of date and time when the log is written.  It is in  ISO
                     8601 format.

              <master-pid>
                     It is a master process ID.

              <current-pid>
                     It is a process ID which writes this log.

              <thread-id>
                     It  is  a  thread  ID  which  writes  this  log.   It would be unique within
                     <current-pid>.

              <filename> and <line>
                     They are source file name, and line number which produce this log.

              <msg>  It is a log message body.

SIGNALS

       SIGQUIT
              Shutdown  gracefully.   First  accept  pending  connections  and   stop   accepting
              connection.  After all connections are handled, nghttpx exits.

       SIGHUP Reload configuration file given in --conf.

       SIGUSR1
              Reopen log files.

       SIGUSR2
          Fork  and  execute  nghttpx.   It  will  execute  the binary in the same path with same
          command-line arguments and environment variables.  As of nghttpx  version  1.20.0,  the
          new  master  process  sends  SIGQUIT to the original master process when it is ready to
          serve requests.  For the earlier versions of nghttpx, user has to send SIGQUIT  to  the
          original master process.

          The difference between SIGUSR2 (+ SIGQUIT) and SIGHUP is that former is usually used to
          execute new binary, and the master process is newly spawned.  On the  other  hand,  the
          latter just reloads configuration file, and the same master process continues to exist.

       NOTE:
          nghttpx  consists  of multiple processes: one process for processing these signals, and
          another one for processing requests.  The former spawns  the  latter.   The  former  is
          called  master  process,  and  the  latter  is called worker process.  If neverbleed is
          enabled, the worker process  spawns  neverbleed  daemon  process  which  does  RSA  key
          processing.   The  above  signal  must  be  sent  to  the master process.  If the other
          processes received one of them, it is ignored.  This behaviour of these  processes  may
          change  in  the  future  release.  In other words, in the future release, the processes
          other than master process may terminate upon the reception of these signals.  Therefore
          these signals should not be sent to the processes other than master process.

SERVER PUSH

       nghttpx supports HTTP/2 server push in default mode with Link header field.  nghttpx looks
       for Link header field (RFC 5988) in response headers  from  backend  server  and  extracts
       URI-reference  with  parameter  rel=preload  (see  preload)  and  pushes those URIs to the
       frontend client. Here is a sample Link header field to initiate server push:

          Link: </fonts/font.woff>; rel=preload
          Link: </css/theme.css>; rel=preload

       Currently, the following restriction is applied for server push:

       1. The associated stream must have method "GET" or "POST".  The associated stream's status
          code must be 200.

       This limitation may be loosened in the future release.

       nghttpx also supports server push if both frontend and backend are HTTP/2 in default mode.
       In this case, in addition to server push via Link header field, server push  from  backend
       is forwarded to frontend HTTP/2 session.

       HTTP/2 server push will be disabled if --http2-proxy is used.

UNIX DOMAIN SOCKET

       nghttpx  supports  UNIX  domain  socket  with  a  filename  for  both frontend and backend
       connections.

       Please note that current nghttpx implementation does not delete a socket with a  filename.
       And  on  start up, if nghttpx detects that the specified socket already exists in the file
       system, nghttpx first deletes it.  However, if SIGUSR2 is used to execute new  binary  and
       both  old  and new configurations use same filename, new binary does not delete the socket
       and continues to use it.

OCSP STAPLING

       OCSP query is done using  external  Python  script  fetch-ocsp-response,  which  has  been
       originally  developed in Perl as part of h2o project (https://github.com/h2o/h2o), and was
       translated into Python.

       The script file is usually installed under $(prefix)/share/nghttp2/ directory.  The actual
       path to script can be customized using --fetch-ocsp-response-file option.

       If OCSP query is failed, previous OCSP response, if any, is continued to be used.

       --fetch-ocsp-response-file  option  provides  wide  range  of  possibility  to manage OCSP
       response.  It can take an arbitrary script or executable.   The  requirement  is  that  it
       supports  the  command-line  interface of fetch-ocsp-response script, and it must return a
       valid DER encoded OCSP response on success.  It must return exit code 0 on success, and 75
       for  temporary  error, and the other error code for generic failure.  For large cluster of
       servers,  it  is  not  efficient  for  each   server   to   perform   OCSP   query   using
       fetch-ocsp-response.  Instead, you can retrieve OCSP response in some way, and store it in
       a disk or a shared database.  Then specify  a  program  in  --fetch-ocsp-response-file  to
       fetch  it  from those stores.  This could provide a way to share the OCSP response between
       fleet of servers, and also any OCSP query strategy can be applied which may be beyond  the
       ability of nghttpx itself or fetch-ocsp-response script.

TLS SESSION RESUMPTION

       nghttpx supports TLS session resumption through both session ID and session ticket.

   SESSION ID RESUMPTION
       By default, session ID is shared by all worker threads.

       If  --tls-session-cache-memcached is given, nghttpx will insert serialized session data to
       memcached with nghttpx:tls-session-cache: + lowercase  hex  string  of  session  ID  as  a
       memcached entry key, with expiry time 12 hours.  Session timeout is set to 12 hours.

       By  default, connections to memcached server are not encrypted.  To enable encryption, use
       tls keyword in --tls-session-cache-memcached option.

   TLS SESSION TICKET RESUMPTION
       By default, session ticket is shared by all worker threads.  The automatic key rotation is
       also  enabled  by  default.   Every an hour, new encryption key is generated, and previous
       encryption key becomes decryption only key.  We set session timeout to 12 hours, and  thus
       we keep at most 12 keys.

       If  --tls-ticket-key-memcached  is  given,  encryption  keys are retrieved from memcached.
       nghttpx just reads keys from memcached; one has to deploy key generator program to  update
       keys  frequently  (e.g.,  every  1 hour).  The example key generator tlsticketupdate.go is
       available under contrib  directory  in  nghttp2  archive.   The  memcached  entry  key  is
       nghttpx:tls-ticket-key.   The  data  format  stored  in  memcached  is  the  binary format
       described below:

          +--------------+-------+----------------+
          | VERSION (4)  |LEN (2)|KEY(48 or 80) ...
          +--------------+-------+----------------+
                         ^                        |
                         |                        |
                         +------------------------+
                         (LEN, KEY) pair can be repeated

       All numbers in the above figure is bytes.  All integer fields are network byte order.

       First 4 bytes integer VERSION field, which must be 1.  The 2 bytes integer LEN field gives
       the     length     of     following     KEY     field,    which    contains    key.     If
       --tls-ticket-key-cipher=aes-128-cbc    is    used,     LEN     must     be     48.      If
       --tls-ticket-key-cipher=aes-256-cbc  is  used,  LEN  must  be 80.  LEN and KEY pair can be
       repeated multiple times to store multiple  keys.   The  key  appeared  first  is  used  as
       encryption key.  All the remaining keys are used as decryption only.

       By  default, connections to memcached server are not encrypted.  To enable encryption, use
       tls keyword in --tls-ticket-key-memcached option.

       If --tls-ticket-key-file is given, encryption key is read from the given  file.   In  this
       case,  nghttpx  does  not  rotate  key  automatically.   To rotate key, one has to restart
       nghttpx (see SIGNALS).

CERTIFICATE TRANSPARENCY

       nghttpx supports TLS signed_certificate_timestamp  extension  (RFC  6962).   The  relevant
       options are --tls-sct-dir and sct-dir parameter in --subcert.  They takes a directory, and
       nghttpx reads all files whose extension is .sct under the directory.  The *.sct files  are
       encoded  as SignedCertificateTimestamp struct described in section 3.2 of RFC 69662.  This
       format is the same one used by nginx-ct and mod_ssl_ct.  ct-submit can be used  to  submit
       certificates to log servers, and obtain the SignedCertificateTimestamp struct which can be
       used with nghttpx.

MRUBY SCRIPTING

       WARNING:
          The current mruby extension API is experimental and not frozen.  The API is subject  to
          change in the future release.

       WARNING:
          Almost all string value returned from method, or attribute is a fresh new mruby string,
          which involves memory allocation, and copies.  Therefore, it is strongly recommended to
          store  a  return  value  in  a local variable, and use it, instead of calling method or
          accessing attribute repeatedly.

       nghttpx allows users to extend its capability using mruby scripts.   nghttpx  has  2  hook
       points  to execute mruby script: request phase and response phase.  The request phase hook
       is invoked after all request header fields are received from client.  The  response  phase
       hook  is invoked after all response header fields are received from backend server.  These
       hooks allows users to modify header fields, or common HTTP variables,  like  authority  or
       request  path,  and  even  return  custom  response  without forwarding request to backend
       servers.

       There are 2 levels of mruby script invocations: global and per-pattern.  The global  mruby
       script  is  set  by  --mruby-file  option and is called for all requests.  The per-pattern
       mruby script is set by "mruby" parameter in -b option.  It is invoked for a request  which
       matches  the  particular  pattern.   The order of hook invocation is: global request phase
       hook, per-pattern request phase hook, per-pattern response phase hook, and finally  global
       response  phase hook.  If a hook returns a response, any later hooks are not invoked.  The
       global request hook is invoked before the pattern matching is made  and  changing  request
       path may affect the pattern matching.

       Please  note  that  request  and  response  hooks of per-pattern mruby script for a single
       request might not come from the same script.  This might happen after a  request  hook  is
       executed,  backend  failed for some reason, and at the same time, backend configuration is
       replaced by API request, and then the  request  uses  new  configuration  on  retry.   The
       response hook from new configuration, if it is specified, will be invoked.

       The all mruby script will be evaluated once per thread on startup, and it must instantiate
       object and evaluate it as the return value (e.g., App.new).  This  object  is  called  app
       object.   If  app  object  defines on_req method, it is called with Nghttpx::Env object on
       request hook.  Similarly, if  app  object  defines  on_resp  method,  it  is  called  with
       Nghttpx::Env  object  on  response  hook.  For each method invocation, user can can access
       Nghttpx::Request and Nghttpx::Response objects via Nghttpx::Env#req and  Nghttpx::Env#resp
       respectively.

       Nghttpx::REQUEST_PHASE
              Constant to represent request phase.

       Nghttpx::RESPONSE_PHASE
              Constant to represent response phase.

       class Nghttpx::Env
              Object to represent current request specific context.

              attribute [R] req
                     Return Request object.

              attribute [R] resp
                     Return Response object.

              attribute [R] ctx
                     Return Ruby hash object.  It persists until request finishes.  So values set
                     in request phase hook can be retrieved in response phase hook.

              attribute [R] phase
                     Return the current phase.

              attribute [R] remote_addr
                     Return IP address of a remote client.  If connection is made via UNIX domain
                     socket, this returns the string "localhost".

              attribute [R] server_addr
                     Return  address  of  server  that accepted the connection.  This is a string
                     which specified in --frontend option,  excluding  port  number,  and  not  a
                     resolved  IP address.  For UNIX domain socket, this is a path to UNIX domain
                     socket.

              attribute [R] server_port
                     Return port number of the server frontend which accepted the connection from
                     client.

              attribute [R] tls_used
                     Return true if TLS is used on the connection.

              attribute [R] tls_sni
                     Return the TLS SNI value which client sent in this connection.

              attribute [R] tls_client_fingerprint_sha256
                     Return the SHA-256 fingerprint of a client certificate.

              attribute [R] tls_client_fingerprint_sha1
                     Return the SHA-1 fingerprint of a client certificate.

              attribute [R] tls_client_issuer_name
                     Return the issuer name of a client certificate.

              attribute [R] tls_client_subject_name
                     Return the subject name of a client certificate.

              attribute [R] tls_client_serial
                     Return the serial number of a client certificate.

              attribute [R] tls_client_not_before
                     Return the start date of a client certificate in seconds since the epoch.

              attribute [R] tls_client_not_after
                     Return the end date of a client certificate in seconds since the epoch.

              attribute [R] tls_cipher
                     Return a TLS cipher negotiated in this connection.

              attribute [R] tls_protocol
                     Return a TLS protocol version negotiated in this connection.

              attribute [R] tls_session_id
                     Return a session ID for this connection in hex string.

              attribute [R] tls_session_reused
                     Return true if, and only if a SSL/TLS session is reused.

              attribute [R] alpn
                     Return ALPN identifier negotiated in this connection.

              attribute [R] tls_handshake_finished
                     Return  true  if SSL/TLS handshake has finished.  If it returns false in the
                     request phase hook, the request is received in TLSv1.3  early  data  (0-RTT)
                     and  might be vulnerable to the replay attack.  nghttpx will send Early-Data
                     header field to backend servers to indicate this.

       class Nghttpx::Request
              Object to represent request from client.  The modification  to  Request  object  is
              allowed only in request phase hook.

              attribute [R] http_version_major
                     Return HTTP major version.

              attribute [R] http_version_minor
                     Return HTTP minor version.

              attribute [R/W] method
                     HTTP  method.   On  assignment,  copy  of given value is assigned.  We don't
                     accept arbitrary method name.  We will document them later, but  well  known
                     methods, like GET, PUT and POST, are all supported.

              attribute [R/W] authority
                     Authority  (i.e.,  example.org),  including  optional  port  component .  On
                     assignment, copy of given value is assigned.

              attribute [R/W] scheme
                     Scheme (i.e., http, https).  On assignment, copy of given value is assigned.

              attribute [R/W] path
                     Request path, including query component (i.e., /index.html).  On assignment,
                     copy  of  given  value  is  assigned.   The  path does not include authority
                     component of URI.  This may include query component.  nghttpx makes  certain
                     normalization   for   path.   It  decodes  percent-encoding  for  unreserved
                     characters   (see   https://tools.ietf.org/html/rfc3986#section-2.3),    and
                     resolves  ".."  and  ".".   But  it  may  leave  characters  which should be
                     percent-encoded as is. So be careful when  comparing  path  against  desired
                     string.

              attribute [R] headers
                     Return  Ruby hash containing copy of request header fields.  Changing values
                     in returned hash does not change request  header  fields  actually  used  in
                     request       processing.       Use      Nghttpx::Request#add_header      or
                     Nghttpx::Request#set_header to change request header fields.

              add_header(key, value)
                     Add header entry associated with key.  The value can  be  single  string  or
                     array  of  string.   It does not replace any existing values associated with
                     key.

              set_header(key, value)
                     Set header entry associated with key.  The value can  be  single  string  or
                     array of string.  It replaces any existing values associated with key.

              clear_headers()
                     Clear all existing request header fields.

              push(uri)
                     Initiate  to push resource identified by uri.  Only HTTP/2 protocol supports
                     this feature.  For the other protocols, this method is  noop.   uri  can  be
                     absolute  URI,  absolute  path or relative path to the current request.  For
                     absolute or relative path, scheme  and  authority  are  inherited  from  the
                     current  request.   Currently,  method  is  always  GET.  nghttpx will issue
                     request to backend  servers  to  fulfill  this  request.   The  request  and
                     response phase hooks will be called for pushed resource as well.

       class Nghttpx::Response
              Object to represent response from backend server.

              attribute [R] http_version_major
                     Return HTTP major version.

              attribute [R] http_version_minor
                     Return HTTP minor version.

              attribute [R/W] status
                     HTTP  status  code.   It  must  be  in the range [200, 999], inclusive.  The
                     non-final status code is not supported in mruby scripting at the moment.

              attribute [R] headers
                     Return Ruby hash containing copy of response header fields.  Changing values
                     in  returned  hash  does  not change response header fields actually used in
                     response     processing.       Use      Nghttpx::Response#add_header      or
                     Nghttpx::Response#set_header to change response header fields.

              add_header(key, value)
                     Add  header  entry  associated  with key.  The value can be single string or
                     array of string.  It does not replace any existing  values  associated  with
                     key.

              set_header(key, value)
                     Set  header  entry  associated  with key.  The value can be single string or
                     array of string.  It replaces any existing values associated with key.

              clear_headers()
                     Clear all existing response header fields.

              return(body)
                     Return custom response body to a client.  When  this  method  is  called  in
                     request  phase  hook,  the  request  is  not  forwarded  to the backend, and
                     response phase hook for this request will not be invoked.  When this  method
                     is  called  in response phase hook, response from backend server is canceled
                     and discarded.  The status code and response header  fields  should  be  set
                     before using this method.  To set status code, use Nghttpx::Response#status.
                     If status code is not set, 200 is used.   To  set  response  header  fields,
                     Nghttpx::Response#add_header  and  Nghttpx::Response#set_header.   When this
                     method is invoked in response phase hook, the response  headers  are  filled
                     with  the  ones  received  from  backend  server.  To send completely custom
                     header fields,  first  call  Nghttpx::Response#clear_headers  to  erase  all
                     existing header fields, and then add required header fields.  It is an error
                     to call this method twice for a given request.

              send_info(status, headers)
                     Send non-final (informational) response to a client.  status must be in  the
                     range  [100,  199], inclusive.  headers is a hash containing response header
                     fields.  Its key must be a string, and the associated value must  be  either
                     string  or  array  of  strings.  Since this is not a final response, even if
                     this method is invoked, request is  still  forwarded  to  a  backend  unless
                     Nghttpx::Response#return  is  called.   This  method  can be called multiple
                     times.  It cannot be called after Nghttpx::Response#return is called.

   MRUBY EXAMPLES
       Modify request path:

          class App
            def on_req(env)
              env.req.path = "/apps#{env.req.path}"
            end
          end

          App.new

       Don't forget to instantiate and evaluate object at the last line.

       Restrict permission of viewing a content to a specific client addresses:

          class App
            def on_req(env)
              allowed_clients = ["127.0.0.1", "::1"]

              if env.req.path.start_with?("/log/") &&
                 !allowed_clients.include?(env.remote_addr) then
                env.resp.status = 404
                env.resp.return "permission denied"
              end
            end
          end

          App.new

API ENDPOINTS

       nghttpx exposes API endpoints to manipulate it  via  HTTP  based  API.   By  default,  API
       endpoint  is  disabled.   To  enable it, add a dedicated frontend for API using --frontend
       option with "api" parameter.  All requests which come from this frontend address, will  be
       treated as API request.

       The response is normally JSON dictionary, and at least includes the following keys:

       status The status of the request processing.  The following values are defined:

              Success
                     The request was successful.

              Failure
                     The request was failed.  No change has been made.

       code   HTTP status code

       Additionally,  depending  on  the  API  endpoint,  data  key may be present, and its value
       contains the API endpoint specific data.

       We wrote "normally", since nghttpx may return ordinal HTML response in  some  cases  where
       the error has occurred before reaching API endpoint (e.g., header field is too large).

       The following section describes available API endpoints.

   POST /api/v1beta1/backendconfig
       This  API  replaces  the  current  backend  server  settings with the requested ones.  The
       request method should be POST, but PUT is also  acceptable.   The  request  body  must  be
       nghttpx configuration file format.  For configuration file format, see FILES section.  The
       line separator inside the request body must be single LF (0x0A).  Currently, only  backend
       option is parsed, the others are simply ignored.  The semantics of this API is replace the
       current backend with the backend options in request body.  Describe  the  desired  set  of
       backend  severs,  and  nghttpx makes it happen.  If there is no backend option is found in
       request body, the current set of backend is replaced with  the  backend  option's  default
       value, which is 127.0.0.1,80.

       The  replacement  is done instantly without breaking existing connections or requests.  It
       also avoids any process creation as is the case with hot swapping with signals.

       The one limitation is that only numeric IP address is allowed in backend in  request  body
       unless  "dns"  parameter  is used while non numeric hostname is allowed in command-line or
       configuration file is read using --conf.

   GET /api/v1beta1/configrevision
       This API returns  configuration  revision  of  the  current  nghttpx.   The  configuration
       revision  is opaque string, and it changes after each reloading by SIGHUP.  With this API,
       an  external  application  knows  that  whether  nghttpx  has   finished   reloading   its
       configuration by comparing the configuration revisions between before and after reloading.
       It is recommended to disable persistent (keep-alive) connection for this purpose in  order
       to avoid to send a request using the reused connection which may bound to an old process.

       This  API  returns response including data key.  Its value is JSON object, and it contains
       at least the following key:

       configRevision
              The configuration revision of the current nghttpx

SEE ALSO

       nghttp(1), nghttpd(1), h2load(1)

AUTHOR

       Tatsuhiro Tsujikawa

COPYRIGHT

       2012, 2015, 2016, Tatsuhiro Tsujikawa