-
-
Notifications
You must be signed in to change notification settings - Fork 10
/
server.1.man
366 lines (350 loc) · 12.7 KB
/
server.1.man
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "KAWIPIKO-SERVER" "1" "2023-03-05" "volution.ro" "kawipiko"
.SH NAME
kawipiko -- blazingly fast static HTTP server \- kawipiko-server
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
>> kawipiko\-server \-\-help
>> kawipiko\-server \-\-man
.ft P
.fi
.UNINDENT
.UNINDENT
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
\-\-archive <path>
\-\-archive\-inmem (memory\-loaded archive file)
\-\-archive\-mmap (memory\-mapped archive file)
\-\-archive\-preload (preload archive in OS cache)
\-\-bind <ip>:<port> (HTTP, only HTTP/1.1, FastHTTP)
\-\-bind\-2 <ip>:<port> (HTTP, only HTTP/1.1, Go net/http)
\-\-bind\-tls <ip>:<port> (HTTPS, only HTTP/1.1, FastHTTP)
\-\-bind\-tls\-2 <ip>:<port> (HTTPS, with HTTP/2, Go net/http)
\-\-bind\-quic <ip>:<port> (HTTPS, with HTTP/3)
\-\-http1\-disable
\-\-http2\-disable
\-\-http3\-alt\-svc <ip>:<port>
\-\-tls\-bundle <path> (TLS certificate bundle)
\-\-tls\-public <path> (TLS certificate public)
\-\-tls\-private <path> (TLS certificate private)
\-\-tls\-self\-rsa (use self\-signed RSA)
\-\-tls\-self\-ed25519 (use self\-signed Ed25519)
\-\-processes <count> (of slave processes)
\-\-threads <count> (of threads per process)
\-\-index\-all
\-\-index\-paths
\-\-index\-data\-meta
\-\-index\-data\-content
\-\-hosts\-disable (ignore \(gaHost\(ga header)
\-\-special\-pages\-disable
\-\-security\-headers\-disable
\-\-security\-headers\-tls
\-\-seccomp\-enable
\-\-limit\-descriptors <count>
\-\-limit\-memory <MiB>
\-\-timeout\-disable
\-\-report \-\-quiet \-\-debug
\-\-dummy
\-\-dummy\-empty
\-\-dummy\-delay <duration>
\-\-profile\-cpu <path>
\-\-profile\-mem <path>
\-\-version
\-\-help (show this short help)
\-\-man (show the full manual)
\-\-sources\-md5 (dump an \(gamd5sum\(ga of the sources)
\-\-sources\-cpio (dump a \(gacpio.gz\(ga of the sources)
\-\-sbom \-\-sbom\-text \-\-sbom\-json
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
.ce
----
.ce 0
.sp
.SH FLAGS
.sp
\fB\-\-bind <ip:port>\fP, \fB\-\-bind\-tls <ip:port>\fP, \fB\-\-bind\-2 <ip:port>\fP, \fB\-\-bind\-tls\-2 <ip:port>\fP, and \fB\-\-bind\-quic <ip:port>\fP
.INDENT 0.0
.INDENT 3.5
The IP and port to listen for requests with:
.INDENT 0.0
.IP \(bu 2
(insecure) HTTP/1.1 for \fB\-\-bind\fP, leveraging \fBfasthttp\fP library;
.IP \(bu 2
(secure) HTTP/1.1 over TLS for \fB\-\-bind\-tls\fP, leveraging \fBfasthttp\fP library;
.IP \(bu 2
(insecure) HTTP/1.1 for \fB\-\-bind\-2\fP, leveraging Go\(aqs \fBnet/http\fP library; (not as performant as the \fBfasthttp\fP powered endpoint;)
.IP \(bu 2
(secure) H2 or HTTP/1.1 over TLS for \fB\-\-bind\-tls\-2\fP, leveraging Go\(aqs \fBnet/http\fP; (not as performant as the \fBfasthttp\fP powered endpoint;)
.IP \(bu 2
(secure) H3 over QUIC for \fB\-\-bind\-quic\fP, leveraging \fBgithub.com/lucas\-clemente/quic\-go\fP library; (given that H3 is still a new protocol, this must be used with caution; also one should use the \fB\-\-http3\-alt\-svc <ip:port>\fP;)
.IP \(bu 2
if one uses just \fB\-\-bind\-tls\fP (without \fB\-\-bind\-tls\-2\fP, and without \fB\-\-http2\-disabled\fP), then the TLS endpoint is split between \fBfasthttp\fP for HTTP/1.1 and Go\(aqs \fBnet/http\fP for H2;
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fB\-\-tls\-bundle <path>\fP, \fB\-\-tls\-public <path>\fP, and \fB\-\-tls\-private <path>\fP (optional)
.INDENT 0.0
.INDENT 3.5
If TLS is enabled, these options allows one to specify the certificate to use, either as a single file (a bundle) or separate files (the actual public certificate and the private key).
.sp
If one doesn\(aqt specify any of these options, an embedded self\-signed certificate will be used. In such case, one can choose between RSA (the \fB\-\-tls\-self\-rsa\fP flag) or Ed25519 (the \fB\-\-tls\-self\-ed25519\fP flag);
.UNINDENT
.UNINDENT
.sp
\fB\-\-http1\-disable\fP, \fB\-\-http2\-disable\fP
.INDENT 0.0
.INDENT 3.5
Disables that particular protocol.
(It can be used only with \fB\-\-bind\-tls\-2\fP, given that \fBfasthttp\fP only supports HTTP/1.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-processes <count>\fP and \fB\-\-threads <count>\fP
.INDENT 0.0
.INDENT 3.5
The number of processes and threads per each process to start. (Given Go\(aqs concurrency model, the threads count is somewhat a soft limit, hinting to the runtime the desired parallelism level.)
.sp
It is highly recommended to use one process and as many threads as there are cores.
.sp
Depending on the use\-case, one can use multiple processes each with a single thread; this would reduce goroutine contention if it causes problems.
(However note that if using \fB\-\-archive\-inmem\fP, then each process will allocate its own copy of the database in RAM; in such cases it is highly recommended to use \fB\-\-archive\-mmap\fP\&.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-archive <path>\fP
.INDENT 0.0
.INDENT 3.5
The path of the CDB file that contains the archived static content.
(It can be created with the \fBkawipiko\-archiver\fP tool.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-archive\-inmem\fP
.INDENT 0.0
.INDENT 3.5
Reads the CDB file in RAM, and thus all requests are served from RAM without touching the file\-system.
(The memory impact is equal to the size of the CDB archive. This can be used if enough RAM is available to avoid swapping.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-archive\-mmap\fP
.INDENT 0.0
.INDENT 3.5
(\fBrecommended\fP) The CDB file is \fI\%memory mapped\fP, thus reading its data uses the kernel\(aqs file\-system cache, as opposed to issuing \fBread\fP syscalls.
.UNINDENT
.UNINDENT
.sp
\fB\-\-archive\-preload\fP
.INDENT 0.0
.INDENT 3.5
Before starting to serve requests, read the CDB file so that its data is buffered in the kernel\(aqs file\-system cache. (This option can be used with or without \fB\-\-archive\-mmap\fP\&.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-index\-all\fP, \fB\-\-index\-paths\fP, \fB\-\-index\-data\-meta\fP, and \fB\-\-index\-data\-content\fP
.INDENT 0.0
.INDENT 3.5
In order to serve a request \fBkawipiko\fP does the following:
.INDENT 0.0
.IP \(bu 2
given the request\(aqs path, it is used to locate the corresponding resource\(aqs metadata (i.e. response headers) and data (i.e. response body) references;
by using \fB\-\-index\-paths\fP a RAM\-based lookup table is created to eliminate a CDB read operation for this purpose; (the memory impact is proportional to the size of all resource paths combined; given that the number of resources is acceptable, say up to a couple hundred thousand, one could safely use this option;)
.IP \(bu 2
based on the resource\(aqs metadata reference, the actual metadata (i.e. the response headers) is located;
by using \fB\-\-index\-data\-meta\fP a RAM\-based lookup table is created to eliminate a CDB read operation for this purpose; (the memory impact is proportional to the size of all resource metadata blocks combined; given that the metadata blocks are deduplicated, one could safely use this option; if one also uses \fB\-\-archive\-mmap\fP or \fB\-\-archive\-inmem\fP, then the memory impact is only proportional to the number of resource metadata blocks;)
.IP \(bu 2
based on the resource\(aqs data reference, the actual data (i.e. the response body) is located;
by using \fB\-\-index\-data\-content\fP a RAM\-based lookup table is created to eliminate a CDB operation operation for this purpose; (the memory impact is proportional to the size of all resource data blocks combined; one can use this option to obtain the best performance; if one also uses \fB\-\-archive\-mmap\fP or \fB\-\-archive\-inmem\fP, then the memory impact is only proportional to the number of resource data blocks;)
.IP \(bu 2
\fB\-\-index\-all\fP enables all the options above;
.IP \(bu 2
(depending on the use\-case) it is recommended to use \fB\-\-index\-paths\fP; if \fB\-\-exclude\-etag\fP was used during archival, one can also use \fB\-\-index\-data\-meta\fP;
.IP \(bu 2
it is recommended to use either \fB\-\-archive\-mmap\fP or \fB\-\-archive\-inmem\fP, else (especially if data is indexed) the resulting effect is that of loading everything in RAM;
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fB\-\-hosts\-disable\fP
.INDENT 0.0
.INDENT 3.5
Disables the virtual\-hosts feature by ignoring the \fIHost\fP header.
.UNINDENT
.UNINDENT
.sp
\fB\-\-special\-pages\-disable\fP
.INDENT 0.0
.INDENT 3.5
Disables serving a few special pages internal to the server like:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
/__/heartbeat
/__/kawipiko/about
/__/kawipiko/version
/__/kawipiko/manual.txt
/__/kawipiko/manual.html
/__/kawipiko/sbom.txt
/__/kawipiko/sbom.json
/__/kawipiko/sources.md5
/__/kawipiko/sources.cpio
/__/kawipiko/banners/errors/403
/__/kawipiko/banners/errors/...
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fB\-\-security\-headers\-disable\fP
.INDENT 0.0
.INDENT 3.5
Disables adding a few security related headers:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Referrer\-Policy: strict\-origin\-when\-cross\-origin
X\-Content\-Type\-Options: nosniff
X\-XSS\-Protection: 1; mode=block
X\-Frame\-Options: sameorigin
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
\fB\-\-security\-headers\-tls\fP
.INDENT 0.0
.INDENT 3.5
Enables adding the following TLS related headers to the response:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
Strict\-Transport\-Security: max\-age=31536000
Content\-Security\-Policy: upgrade\-insecure\-requests
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
These instruct the browser to always use HTTPS for the served domain.
(Useful even without HTTPS, when used behind a TLS terminator, load\-balancer or proxy that do support HTTPS.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-seccomp\-enable\fP
.INDENT 0.0
.INDENT 3.5
On Linux, and if supported, enable a strict \fBseccomp\fP filter to reduce the potential attack surface in case of a security issue.
.sp
The current filter is the minimal set of \fBsyscall\fP\(aqs required to have the server working (thus quite safe).
At each stage (opening the archive, indexing the archive, serving the archive) the non\-required \fBsyscall\fP\(aqs are filtered.
.sp
(At the moment the filter is quite strict and determined by experimentation. If you enable \fBseccomp\fP and the server is \fBkill\fP\-ed, check \fBauditd\fP logs for the problematic \fBsyscall\fP and open an issue report.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-limit\-descriptors\fP, and \fB\-\-limit\-memory\fP
.INDENT 0.0
.INDENT 3.5
Constrains resource usage by configuring via \fBsetrlimit\fP either \fBRLIMIT_NOFILE\fP (in case of descriptors) or both \fBRLIMIT_DATA\fP and \fBRLIMIT_AS\fP (in case of memory).
.UNINDENT
.UNINDENT
.sp
\fB\-\-report\fP
.INDENT 0.0
.INDENT 3.5
Enables periodic reporting of various metrics.
Also enables reporting a selection of metrics if certain thresholds are matched (which most likely is a sign of high\-load).
.UNINDENT
.UNINDENT
.sp
\fB\-\-quiet\fP
.INDENT 0.0
.INDENT 3.5
Disables most logging messages.
.UNINDENT
.UNINDENT
.sp
\fB\-\-debug\fP
.INDENT 0.0
.INDENT 3.5
Enables all logging messages.
.UNINDENT
.UNINDENT
.sp
\fB\-\-dummy\fP, \fB\-\-dummy\-empty\fP
.INDENT 0.0
.INDENT 3.5
It starts the server in a \(dqdummy\(dq mode, ignoring all archive related arguments and always responding with \fBhello world!\en\fP (unless \fB\-\-dummy\-empty\fP was used) and without additional headers except the HTTP status line and \fBContent\-Length\fP\&.
.sp
This argument can be used to benchmark the raw performance of the underlying \fBfasthttp\fP, Go\(aqs \fBnet/http\fP, or QUIC performance; this is the upper limit of the achievable performance given the underlying technologies.
(From my own benchmarks \fBkawipiko\fP\(aqs adds only about ~15% overhead when actually serving the \fBhello\-world.cdb\fP archive.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-dummy\-delay <duration>\fP
.INDENT 0.0
.INDENT 3.5
Enables delaying each response with a certain amount (for example \fB1s\fP, \fB1ms\fP, etc.)
.sp
It can be used to simulate the real\-world network latencies, perhaps to see how a site with many resources loads in various conditions.
(For example, see \fI\%an experiment\fP I made with an image made out of 1425 tiles.)
.UNINDENT
.UNINDENT
.sp
\fB\-\-profile\-cpu <path>\fP, and \fB\-\-profile\-mem <path>\fP
.INDENT 0.0
.INDENT 3.5
Enables CPU and memory profiling using Go\(aqs profiling infrastructure.
.UNINDENT
.UNINDENT
.\" Generated by docutils manpage writer.
.