http — Central server for RPC and the message database
http [−c config]
http(8gx) is a trivial HTTP server. It understands the special HTTP methods used by the RPC-over-HTTP protocol (as spoken by Outlook), it can serve files verbatim, or it can forward requests to a FastCGI server such as php-fpm(8).
−c config
Read configuration directives from the given file. If this option is not specified, /etc/gromox/http.cfg will be read if it exists.
−?
Display option summary.
Requests are processed in the following order:
• Requests are passed to the mod_rewrite(4gx) module (built-in) to have their URI potentially rewritten.
• If an HTTP request uses the RPC_IN_DATA or RPC_OUT_DATA method, the data stream is handed off to the exchange_emsmdb(4gx) plugin.
• Otherwise, HTTP processing modules (HPM) are invoked. Processing ends when one module signals that the request was handled. The order is fixed by the HPM list: ews, mh_emsmdb, mh_nsp, oxdisco, oab.
• Otherwise, the mod_fastcgi(4gx) module (built-in) is invoked. Processing ends if the module handled the request.
• Otherwise, the mod_cache(4gx) module (built-in) is invoked. Processing ends if the module handled the request.
• Otherwise, the request is rejected.
RPC-over-HTTP utilizes two special HTTP methods, RPC_IN_DATA and RPC_OUT_DATA. These requests can, similarly to HTTP CONNECT, be very long-lived. The RPC data stream is handled by the included exchange_emsmdb(4gx) plugin.
All time-based command-line options and configuration file directives are subject to the syntax described in gromox(7), section "Duration specifications".
The following directives are recognized when reading from /etc/gromox/gromox.cfg, or when the −c option is used to specify a custom file:
daemons_fd_limit
In gromox-http, this is treated as an alias for http_fd_limit.
http_basic_auth_cred_caching
Duration for which a verified HTTP Basic credential is
cached, so that repeated requests carrying the same
credentials need not be re-checked against the
authentication backend. A password change therefore takes
effect for an already-cached credential only after this
period has elapsed.
Default: 1 minute
http_fd_limit
Request that the file
descriptor table be at least this large. The magic value 0
indicates that the system default hard limit (rlim_max, cf.
setrlimit(2)) should be used.
Default: 0
http_remote_host_hdr
The name of the HTTP request header which contains the
actual client IPv6/IPv4 address. When a (reverse) proxy is
placed in front of gromox-http, the address gromox-http
normally sees is the proxy address (e.g. ::1). If the proxy
sets a custom header (for instance X-Real-IP) to convey the
actual client address, Gromox can pick this up for its own
reporting, which in turn is useful for e.g. fail2ban setups.
Only set this when all client traffic arrives through the
proxy: a client that can reach gromox-http directly could
supply the header itself and thereby choose the address that
is reported and acted upon (e.g. by fail2ban).
Default: (empty)
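The trust check implied by the previous paragraph, as an added example (not Gromox code): the header named by http_remote_host_hdr is only believed when the TCP peer is one of the operator's own proxies, and X-Forwarded-For style lists are walked from the right so that a client cannot prepend a fake entry. The trusted proxy list, the header names and the sample requests are assumptions constructed for this example; the IPv4-mapped handling reflects that an AF_INET6 listener such as http_listen_addr=:: presents IPv4 peers as ::ffff:a.b.c.d.

```python
"""Resolve the client address to report when a reverse proxy sits in front
of gromox-http.

Added example, not Gromox code. The trusted proxy list, the header names and
the sample requests below are assumptions constructed for this example.
"""
import ipaddress

# Assumed: the only hosts allowed to assert a client address on our behalf.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("::1/128", "127.0.0.1/32", "10.0.0.0/8")]


def _normalize(addr: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), which is
    how IPv4 peers appear on an AF_INET6 listener such as http_listen_addr=::."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(peer: str, headers: dict, header_name: str = "X-Real-IP") -> str:
    """Return the address that should be reported (e.g. to fail2ban).

    peer        -- TCP peer address as seen on the accepted socket
    headers     -- request headers; lookup is case-insensitive
    header_name -- the value configured as http_remote_host_hdr
    """
    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if value is None or not _is_trusted(_normalize(peer)):
        # Direct connection, or a peer that is not one of our proxies:
        # a client-supplied header must never be believed here.
        return peer
    # X-Forwarded-For style lists are walked from the right, skipping our own
    # proxies, so a client cannot prepend a fake entry in front of the real one.
    for hop in reversed(value.split(",")):
        try:
            ip = _normalize(hop)
        except ValueError:
            return peer  # malformed header: fall back to the socket peer
        if not _is_trusted(ip):
            return str(ip)
    return peer  # every hop was one of our proxies


def demo() -> dict:
    """Constructed requests exercising the trusted and untrusted cases."""
    return {
        "via_proxy": client_address("::1", {"X-Real-IP": "203.0.113.7"}),
        "direct_spoof": client_address("198.51.100.9", {"X-Real-IP": "203.0.113.7"}),
        "xff_chain": client_address("::ffff:10.0.0.5",
                                    {"X-Forwarded-For": "1.2.3.4, 203.0.113.7, 10.0.0.5"},
                                    "X-Forwarded-For"),
        "garbage": client_address("::1", {"X-Real-IP": "not-an-address"}),
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:>13}: {addr}")
```

The "direct_spoof" case is the one that matters operationally: if gromox-http is reachable on its listening port from anywhere other than the proxy, the header value is attacker-controlled and the only safe answer is the socket peer. Firewalling the port to the proxy addresses, or binding http_listen_addr to a loopback or private address, is what makes the header trustworthy.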
The following directives are recognized when reading from /etc/gromox/http.cfg, or when the −c option is used to specify a custom file:
block_interval_auths
The amount of time a user is
blocked from connecting to the service after too many failed
logins.
Default: 1 minute
config_file_path
Colon-separated list of
directories which will be scanned when locating further
configuration files, especially those used by plugin
instances.
Default: /etc/gromox/http:/etc/gromox
context_average_mem
Default: 256K
context_num
Default: 400
data_file_path
Colon-separated list of
directories which will be scanned when locating data files.
Default: /usr/share/gromox/http
fastcgi_exec_timeout
Maximum execution time for CGI
scripts.
Default: 10 minutes
gss_program
The helper program to use for
authenticating SPNEGO-GSS requests. The value is
rudimentarily tokenized at whitespaces, so no special
characters may be used. (If you need to, write a shell
wrapper.) The special value "internal-gss" uses
libgssapi directly. The use of Squid’s
negotiate_wrapper_auth is optional; Gromox can identify
whether requests are SPNEGO-NTLMSSP or SPNEGO-Kerberos in
the same fashion as negotiate_wrapper_auth does.
Default: internal−gss
Example: /usr/lib/squid/negotiate_kerberos_auth −s
GSS_C_NO_NAME
Example: /usr/lib/squid/negotiate_wrapper_auth
−−ntlm /usr/bin/ntlm_auth
−−helper−protocol=squid−2.5−ntlmssp
−−kerberos
/usr/lib/squid/negotiate_kerberos_auth −s
GSS_C_NO_NAME
host_id
A unique identifier for this system. It is used for the
Server HTTP response header, for service plugins like
exmdb_provider(4gx), which makes use of it for SMTP HELO
lines, for DSN report texts, and for the MIDB database/EML
cache. The identifier should only use characters allowed
for hostnames.
Default: (system hostname)
http_auth_basic
Enable HTTP Basic
authentication.
Default: yes
http_auth_spnego
Enable HTTP Negotiate
authentication.
Default: no
http_auth_times
The number of login tries a
user is allowed before the account is blocked.
Default: 10
http_certificate_passwd
The password used to unlock the TLS certificate/private key
files if they are stored encrypted.
Default: (unset)
http_certificate_path
A colon-separated list of TLS
certificate files. The complete certificate chain should be
present (as there is no other config directive to pull CA
certs in, and implicit loading from system directories is
not guaranteed by Gromox).
Default: (unset)
http_conn_timeout
If an HTTP connection is inactive for the given period, the
connection is terminated.
Default: 3 minutes
http_debug
If set to 1, prints all incoming and outgoing HTTP traffic to
stderr (not http_log_file!). Since this includes request
headers such as Authorization, credentials end up in the
stderr stream; use it only for short troubleshooting sessions
and never leave it enabled in production.
Default: 0
http_enforce_auth
Enforce authentication at all
times. This is a debugging knob.
Default: no
http_krb_service_principal
Default: gromox@host_id
http_listen_addr
AF_INET6 socket address to bind
the HTTP service to.
Default: ::
http_listen_port
The TCP port to expose the HTTP
protocol service on.
Default: 80
http_listen_tls_port
The TCP port to expose
implicit-TLS HTTP protocol service (HTTPS) on.
Default: (unset)
http_log_file
Target for log messages. The special values "-" (stderr or
syslog, depending on the parent PID) and "syslog" are
recognized.
Default: - (auto)
http_log_level
Maximum verbosity of logging.
1=crit, 2=error, 3=warn, 4=notice, 5=info, 6=debug.
Default: 4 (notice)
http_private_key_path
A colon-separated list of TLS
certificate private key files.
Default: (unset)
http_rqbody_flush_size
If an HTTP request to a CGI endpoint has a body larger than
the limit given here, the data is buffered in a file rather
than kept in memory. If the request uses Chunked Transfer
Encoding, a file is used unconditionally.
Default: 512K
http_rqbody_max_size
If the Content-Length of an HTTP request to a CGI endpoint
is larger than this value, the request is rejected.
Default: 50M
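The two directives above combine into a three-way decision per request body; the following is an added example (not Gromox code) that spells that decision out, including the chunked case, where no Content-Length exists to compare up front. The K/M/G suffix parser assumes binary (1024-based) multiples, and the chunked decoder with a running size cap is this example's own illustration of the check a Content-Length comparison cannot provide for chunked bodies; neither is taken from the Gromox sources.

```python
"""Body handling for CGI requests, following the http_rqbody_max_size and
http_rqbody_flush_size rules.

Added example, not Gromox code. Size suffixes are assumed to be binary
(1024-based) multiples; the chunked decoder is this example's own.
"""
import re

_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(text: str) -> int:
    """'512K' -> 524288, '50M' -> 52428800, '4096' -> 4096 (assumed binary units)."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMG]?)\s*", text.upper())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]


def body_policy(headers: dict, max_size: str = "50M", flush_size: str = "512K") -> str:
    """Return 'reject', 'file' or 'memory' for the body of one CGI request.

    Chunked bodies always go to a file: there is no length to compare before
    reading. A declared Content-Length above max_size is rejected outright;
    between flush_size and max_size the body is spooled to a file.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "chunked" in h.get("transfer-encoding", "").lower():
        return "file"
    try:
        length = int(h.get("content-length", "0"))
    except ValueError:
        return "reject"  # unparsable length: do not guess
    if length < 0 or length > parse_size(max_size):
        return "reject"
    if length > parse_size(flush_size):
        return "file"
    return "memory"


def read_chunked(stream: bytes, max_size: int) -> bytes:
    """Decode a chunked body, raising ValueError as soon as it exceeds max_size.

    The total is unknown until the terminating 0-size chunk arrives, so the cap
    has to be enforced while reading. Chunk extensions are stripped and trailer
    fields after the last chunk are ignored.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(stream[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        if len(out) + size > max_size:
            raise ValueError("chunked body exceeds limit")
        chunk = stream[pos:pos + size]
        if len(chunk) != size or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or badly terminated chunk")
        out += chunk
        pos += size + 2


def chunked_within_limit(stream: bytes, max_size: int) -> bool:
    """True if the chunked body decodes completely within max_size bytes."""
    try:
        read_chunked(stream, max_size)
        return True
    except ValueError:
        return False


# Constructed sample: a 9-byte body sent as two chunks, one with an extension.
SAMPLE_CHUNKED = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(body_policy({"Content-Length": "100"}), body_policy({"Transfer-Encoding": "chunked"}))
    print(read_chunked(SAMPLE_CHUNKED, 100), chunked_within_limit(SAMPLE_CHUNKED, 6))
```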
http_support_tls
This flag controls whether (or
not) the server offers TLS at all. The default is false
because you need a certificate for this first.
Default: false
http_thread_charge_num
Connection load factor
(oversubscription ratio) for a processing thread.
Default: 20
http_thread_init_num
The initial and also minimum number of client processing
threads to keep around. This is similar to php-fpm's
start_servers/min_spare_servers. (The maximum number of
threads, i.e. what would be max_spare_servers, is determined
by: context_num divided by http_thread_charge_num, which is
20 with the defaults above.)
Default: 5
msrpc_debug
Log every completed RPC call
and the return code of the operation in a minimal fashion to
stderr. Level 1 emits RPCs with a failure return code, level
2 emits all RPCs. Note the daemon log level needs to be
"debug" (6), too.
Default: 0
ntlmssp_program
Path to samba-winbind ntlm_auth
or equivalent program that implements the Squid
authentication helper text protocol ("YR, TT, KK,
AF"). The value is rudimentarily tokenized at
whitespaces, so no special characters may be used. (If you
need to, write a shell wrapper.) The use of Squid’s
negotiate_wrapper_auth is optional; Gromox can identify
whether requests are SPNEGO-NTLMSSP or SPNEGO-Kerberos in
the same fashion as negotiate_wrapper_auth does.
Default: /usr/bin/ntlm_auth
−−helper−protocol=squid−2.5−ntlmssp
Example: /usr/lib/squid/negotiate_wrapper_auth
−−ntlm /usr/bin/ntlm_auth
−−helper−protocol=squid−2.5−ntlmssp
−−kerberos
/usr/lib/squid/negotiate_kerberos_auth −s
GSS_C_NO_NAME
request_max_mem
The maximum hint size for
fragmented RPC PDU requests that will be allowed (C706
§12.6.3.7, MS-RPCE v33 §2.2.2.6).
Default: 4M
running_identity
An unprivileged user account to switch the process to after
startup. To inhibit the switch, assign the empty value.
Default: gromox
tcp_mss_size
Sets the TCP_MAXSEG socket option with the given MSS value
for the listening socket(s), cf. tcp(7).
Default: 0 (do not limit the MSS)
tls_min_proto
The lowest TLS version to offer. Possible values are:
tls1.0, tls1.1, tls1.2, and, if supported by the system,
tls1.3. tls1.0 and tls1.1 are deprecated (RFC 8996) and
should only be re-enabled to accommodate a legacy client
that cannot be upgraded.
Default: tls1.2
user_default_lang
Default: en
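Several of the directives above are safe by default but easy to weaken (TLS off, a pre-1.2 tls_min_proto, http_debug left at 1, an empty running_identity, a huge http_auth_times). The following is an added example, not part of Gromox, that parses an http.cfg and flags those settings, with a constructed weak configuration beside a hardened one. The directive names and defaults are the documented ones; the parsing rules (key=value, "#" comments, last occurrence wins) and the severity judgements are this example's own assumptions.

```python
"""Audit a gromox-http http.cfg for weak settings.

Added example, not part of Gromox. Directive names and defaults follow the
documentation; the parser rules and what counts as a finding are assumptions
of this example. Both configurations below are constructed.
"""

WEAK_CFG = """\
# constructed example of a weak deployment
http_listen_port=80
http_support_tls=false
http_auth_basic=yes
http_debug=1
tls_min_proto=tls1.0
running_identity=
http_auth_times=1000
"""

HARDENED_CFG = """\
# constructed example of a hardened deployment
http_listen_port=80
http_listen_tls_port=443
http_support_tls=true
http_certificate_path=/etc/gromox/tls/chain.pem
http_private_key_path=/etc/gromox/tls/key.pem
tls_min_proto=tls1.2
http_auth_basic=yes
http_debug=0
running_identity=gromox
http_auth_times=10
block_interval_auths=5min
"""

# Documented defaults for the directives this audit looks at.
DEFAULTS = {
    "http_support_tls": "false",
    "http_auth_basic": "yes",
    "http_debug": "0",
    "tls_min_proto": "tls1.2",
    "running_identity": "gromox",
    "http_auth_times": "10",
    "http_certificate_path": "",
    "http_private_key_path": "",
}

_TRUE = {"1", "yes", "true", "on"}


def parse_cfg(text: str) -> dict:
    """key=value lines; '#' comments and blank lines ignored; last key wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def audit(text: str) -> list:
    """Return (directive, finding) tuples; an empty list means nothing flagged."""
    cfg = {**DEFAULTS, **parse_cfg(text)}
    findings = []
    tls = cfg["http_support_tls"].lower() in _TRUE
    if not tls:
        findings.append(("http_support_tls", "TLS disabled: all traffic, credentials included, is in clear"))
        if cfg["http_auth_basic"].lower() in _TRUE:
            findings.append(("http_auth_basic", "Basic auth without TLS exposes passwords on the wire"))
    else:
        for key in ("http_certificate_path", "http_private_key_path"):
            if not cfg[key]:
                findings.append((key, "TLS enabled but no file configured"))
    if cfg["tls_min_proto"].lower() in ("tls1.0", "tls1.1"):
        findings.append(("tls_min_proto", "deprecated protocol version offered (RFC 8996)"))
    if cfg["http_debug"] == "1":
        findings.append(("http_debug", "full traffic dump to stderr, Authorization headers included"))
    if cfg["running_identity"] == "":
        findings.append(("running_identity", "no privilege drop after startup"))
    try:
        if int(cfg["http_auth_times"]) > 50:
            findings.append(("http_auth_times", "lockout threshold permits extensive password guessing"))
    except ValueError:
        findings.append(("http_auth_times", "not an integer"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"{label}: {len(audit(text))} finding(s)")
        for directive, msg in audit(text):
            print(f"  {directive}: {msg}")
```

The "Basic auth without TLS" finding assumes gromox-http terminates TLS itself; when a reverse proxy in front of it does so and the hop to gromox-http stays on a trusted network, that finding is a known exception rather than a defect, which is exactly the kind of context a script cannot see and an operator must supply.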
Files:
• /usr/lib/gromox/libgxh_*.so: HTTP processing plugins
• /usr/lib/gromox/libgxp_*.so: PDU processing plugins
• /usr/lib/gromox/libgxs_*.so: service plugins
Normative references:
• MS-RPCE: Remote Procedure Call Protocol Extensions
• DCERPC / C706: Technical Standard DCE 1.1: Remote Procedure Call by The Open Group, 1997
See also: gromox(7), mod_cache(4gx), mod_fastcgi(4gx), mod_rewrite(4gx)