1*1c60b9acSAndroid Build Coastguard WorkerNotes about lwsws 2*1c60b9acSAndroid Build Coastguard Worker================= 3*1c60b9acSAndroid Build Coastguard Worker 4*1c60b9acSAndroid Build Coastguard Worker@section lwsws Libwebsockets Web Server 5*1c60b9acSAndroid Build Coastguard Worker 6*1c60b9acSAndroid Build Coastguard Workerlwsws is an implementation of a very lightweight, ws-capable generic web 7*1c60b9acSAndroid Build Coastguard Workerserver, which uses libwebsockets to implement everything underneath. 8*1c60b9acSAndroid Build Coastguard Worker 9*1c60b9acSAndroid Build Coastguard WorkerIf you are basically implementing a standalone server with lws, you can avoid 10*1c60b9acSAndroid Build Coastguard Workerreinventing the wheel and use a debugged server including lws. 11*1c60b9acSAndroid Build Coastguard Worker 12*1c60b9acSAndroid Build Coastguard Worker 13*1c60b9acSAndroid Build Coastguard Worker@section lwswsb Build 14*1c60b9acSAndroid Build Coastguard Worker 15*1c60b9acSAndroid Build Coastguard WorkerJust enable -DLWS_WITH_LWSWS=1 at cmake-time. 16*1c60b9acSAndroid Build Coastguard Worker 17*1c60b9acSAndroid Build Coastguard WorkerIt enables libuv and plugin support automatically. 18*1c60b9acSAndroid Build Coastguard Worker 19*1c60b9acSAndroid Build Coastguard WorkerNOTICE on Ubuntu, the default libuv package is called "libuv-0.10". This is ancient. 20*1c60b9acSAndroid Build Coastguard Worker 21*1c60b9acSAndroid Build Coastguard WorkerYou should replace this with libuv1 and libuv1-dev before proceeding. 22*1c60b9acSAndroid Build Coastguard Worker 23*1c60b9acSAndroid Build Coastguard Worker@section lwswsc Lwsws Configuration 24*1c60b9acSAndroid Build Coastguard Worker 25*1c60b9acSAndroid Build Coastguard Workerlwsws uses JSON config files, they're pure JSON except: 26*1c60b9acSAndroid Build Coastguard Worker 27*1c60b9acSAndroid Build Coastguard Worker - '#' may be used to turn the rest of the line into a comment. 28*1c60b9acSAndroid Build Coastguard Worker 29*1c60b9acSAndroid Build Coastguard Worker - There's also a single substitution, if a string contains "_lws_ddir_", then that is 30*1c60b9acSAndroid Build Coastguard Workerreplaced with the LWS install data directory path, eg, "/usr/share" or whatever was 31*1c60b9acSAndroid Build Coastguard Workerset when LWS was built + installed. That lets you refer to installed paths without 32*1c60b9acSAndroid Build Coastguard Workerhaving to change the config if your install path was different. 33*1c60b9acSAndroid Build Coastguard Worker 34*1c60b9acSAndroid Build Coastguard WorkerThere is a single file intended for global settings 35*1c60b9acSAndroid Build Coastguard Worker 36*1c60b9acSAndroid Build Coastguard Worker/etc/lwsws/conf 37*1c60b9acSAndroid Build Coastguard Worker``` 38*1c60b9acSAndroid Build Coastguard Worker # these are the server global settings 39*1c60b9acSAndroid Build Coastguard Worker # stuff related to vhosts should go in one 40*1c60b9acSAndroid Build Coastguard Worker # file per vhost in ../conf.d/ 41*1c60b9acSAndroid Build Coastguard Worker 42*1c60b9acSAndroid Build Coastguard Worker { 43*1c60b9acSAndroid Build Coastguard Worker "global": { 44*1c60b9acSAndroid Build Coastguard Worker "username": "apache", 45*1c60b9acSAndroid Build Coastguard Worker "groupname": "apache", 46*1c60b9acSAndroid Build Coastguard Worker "count-threads": "1", 47*1c60b9acSAndroid Build Coastguard Worker "server-string": "myserver v1", # returned in http headers 48*1c60b9acSAndroid Build Coastguard Worker "ws-pingpong-secs": "200", # confirm idle established ws connections this often 49*1c60b9acSAndroid Build Coastguard Worker "init-ssl": "yes" 50*1c60b9acSAndroid Build Coastguard Worker } 51*1c60b9acSAndroid Build Coastguard Worker } 52*1c60b9acSAndroid Build Coastguard Worker``` 53*1c60b9acSAndroid Build Coastguard Workerand a config directory intended to take one file per vhost 54*1c60b9acSAndroid Build Coastguard Worker 55*1c60b9acSAndroid Build Coastguard Worker/etc/lwsws/conf.d/warmcat.com 56*1c60b9acSAndroid Build Coastguard Worker``` 57*1c60b9acSAndroid Build Coastguard Worker { 58*1c60b9acSAndroid Build Coastguard Worker "vhosts": [{ 59*1c60b9acSAndroid Build Coastguard Worker "name": "warmcat.com", 60*1c60b9acSAndroid Build Coastguard Worker "port": "443", 61*1c60b9acSAndroid Build Coastguard Worker "interface": "eth0", # optional 62*1c60b9acSAndroid Build Coastguard Worker "host-ssl-key": "/etc/pki/tls/private/warmcat.com.key", # if given enable ssl 63*1c60b9acSAndroid Build Coastguard Worker "host-ssl-cert": "/etc/pki/tls/certs/warmcat.com.crt", 64*1c60b9acSAndroid Build Coastguard Worker "host-ssl-ca": "/etc/pki/tls/certs/warmcat.com.cer", 65*1c60b9acSAndroid Build Coastguard Worker "mounts": [{ # autoserve 66*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/", 67*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///var/www/warmcat.com", 68*1c60b9acSAndroid Build Coastguard Worker "default": "index.html" 69*1c60b9acSAndroid Build Coastguard Worker }] 70*1c60b9acSAndroid Build Coastguard Worker }] 71*1c60b9acSAndroid Build Coastguard Worker } 72*1c60b9acSAndroid Build Coastguard Worker``` 73*1c60b9acSAndroid Build Coastguard WorkerTo get started quickly, an example config reproducing the old test server 74*1c60b9acSAndroid Build Coastguard Workeron port 7681, non-SSL is provided. To set it up 75*1c60b9acSAndroid Build Coastguard Worker``` 76*1c60b9acSAndroid Build Coastguard Worker # mkdir -p /etc/lwsws/conf.d /var/log/lwsws 77*1c60b9acSAndroid Build Coastguard Worker # cp ./lwsws/etc-lwsws-conf-EXAMPLE /etc/lwsws/conf 78*1c60b9acSAndroid Build Coastguard Worker # cp ./lwsws/etc-lwsws-conf.d-localhost-EXAMPLE /etc/lwsws/conf.d/test-server 79*1c60b9acSAndroid Build Coastguard Worker # sudo lwsws 80*1c60b9acSAndroid Build Coastguard Worker``` 81*1c60b9acSAndroid Build Coastguard Worker 82*1c60b9acSAndroid Build Coastguard Worker@section lwswsacme Using Letsencrypt or other ACME providers 83*1c60b9acSAndroid Build Coastguard Worker 84*1c60b9acSAndroid Build Coastguard WorkerLws supports automatic provisioning and renewal of TLS certificates. 85*1c60b9acSAndroid Build Coastguard Worker 86*1c60b9acSAndroid Build Coastguard WorkerSee ./READMEs/README.plugin-acme.md for examples of how to set it up on an lwsws vhost. 87*1c60b9acSAndroid Build Coastguard Worker 88*1c60b9acSAndroid Build Coastguard Worker@section lwsogo Other Global Options 89*1c60b9acSAndroid Build Coastguard Worker 90*1c60b9acSAndroid Build Coastguard Worker - `reject-service-keywords` allows you to return an HTTP error code and message of your choice 91*1c60b9acSAndroid Build Coastguard Workerif a keyword is found in the user agent 92*1c60b9acSAndroid Build Coastguard Worker 93*1c60b9acSAndroid Build Coastguard Worker``` 94*1c60b9acSAndroid Build Coastguard Worker "reject-service-keywords": [{ 95*1c60b9acSAndroid Build Coastguard Worker "scumbot": "404 Not Found" 96*1c60b9acSAndroid Build Coastguard Worker }] 97*1c60b9acSAndroid Build Coastguard Worker``` 98*1c60b9acSAndroid Build Coastguard Worker 99*1c60b9acSAndroid Build Coastguard Worker - `timeout-secs` lets you set the global timeout for various network-related 100*1c60b9acSAndroid Build Coastguard Worker operations in lws, in seconds. It defaults to 5. 101*1c60b9acSAndroid Build Coastguard Worker 102*1c60b9acSAndroid Build Coastguard Worker@section lwswsv Lwsws Vhosts 103*1c60b9acSAndroid Build Coastguard Worker 104*1c60b9acSAndroid Build Coastguard WorkerOne server can run many vhosts, where SSL is in use SNI is used to match 105*1c60b9acSAndroid Build Coastguard Workerthe connection to a vhost and its vhost-specific SSL keys during SSL 106*1c60b9acSAndroid Build Coastguard Workernegotiation. 107*1c60b9acSAndroid Build Coastguard Worker 108*1c60b9acSAndroid Build Coastguard WorkerListing multiple vhosts looks something like this 109*1c60b9acSAndroid Build Coastguard Worker``` 110*1c60b9acSAndroid Build Coastguard Worker { 111*1c60b9acSAndroid Build Coastguard Worker "vhosts": [ { 112*1c60b9acSAndroid Build Coastguard Worker "name": "localhost", 113*1c60b9acSAndroid Build Coastguard Worker "port": "443", 114*1c60b9acSAndroid Build Coastguard Worker "host-ssl-key": "/etc/pki/tls/private/libwebsockets.org.key", 115*1c60b9acSAndroid Build Coastguard Worker "host-ssl-cert": "/etc/pki/tls/certs/libwebsockets.org.crt", 116*1c60b9acSAndroid Build Coastguard Worker "host-ssl-ca": "/etc/pki/tls/certs/libwebsockets.org.cer", 117*1c60b9acSAndroid Build Coastguard Worker "mounts": [{ 118*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/", 119*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///var/www/libwebsockets.org", 120*1c60b9acSAndroid Build Coastguard Worker "default": "index.html" 121*1c60b9acSAndroid Build Coastguard Worker }, { 122*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/testserver", 123*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///usr/local/share/libwebsockets-test-server", 124*1c60b9acSAndroid Build Coastguard Worker "default": "test.html" 125*1c60b9acSAndroid Build Coastguard Worker }], 126*1c60b9acSAndroid Build Coastguard Worker # which protocols are enabled for this vhost, and optional 127*1c60b9acSAndroid Build Coastguard Worker # vhost-specific config options for the protocol 128*1c60b9acSAndroid Build Coastguard Worker # 129*1c60b9acSAndroid Build Coastguard Worker "ws-protocols": [{ 130*1c60b9acSAndroid Build Coastguard Worker "warmcat,timezoom": { 131*1c60b9acSAndroid Build Coastguard Worker "status": "ok" 132*1c60b9acSAndroid Build Coastguard Worker } 133*1c60b9acSAndroid Build Coastguard Worker }] 134*1c60b9acSAndroid Build Coastguard Worker }, 135*1c60b9acSAndroid Build Coastguard Worker { 136*1c60b9acSAndroid Build Coastguard Worker "name": "localhost", 137*1c60b9acSAndroid Build Coastguard Worker "port": "7681", 138*1c60b9acSAndroid Build Coastguard Worker "host-ssl-key": "/etc/pki/tls/private/libwebsockets.org.key", 139*1c60b9acSAndroid Build Coastguard Worker "host-ssl-cert": "/etc/pki/tls/certs/libwebsockets.org.crt", 140*1c60b9acSAndroid Build Coastguard Worker "host-ssl-ca": "/etc/pki/tls/certs/libwebsockets.org.cer", 141*1c60b9acSAndroid Build Coastguard Worker "mounts": [{ 142*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/", 143*1c60b9acSAndroid Build Coastguard Worker "origin": ">https://localhost" 144*1c60b9acSAndroid Build Coastguard Worker }] 145*1c60b9acSAndroid Build Coastguard Worker }, 146*1c60b9acSAndroid Build Coastguard Worker { 147*1c60b9acSAndroid Build Coastguard Worker "name": "localhost", 148*1c60b9acSAndroid Build Coastguard Worker "port": "80", 149*1c60b9acSAndroid Build Coastguard Worker "mounts": [{ 150*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/", 151*1c60b9acSAndroid Build Coastguard Worker "origin": ">https://localhost" 152*1c60b9acSAndroid Build Coastguard Worker }] 153*1c60b9acSAndroid Build Coastguard Worker } 154*1c60b9acSAndroid Build Coastguard Worker 155*1c60b9acSAndroid Build Coastguard Worker ] 156*1c60b9acSAndroid Build Coastguard Worker } 157*1c60b9acSAndroid Build Coastguard Worker``` 158*1c60b9acSAndroid Build Coastguard Worker 159*1c60b9acSAndroid Build Coastguard WorkerThat sets up three vhosts all called "localhost" on ports 443 and 7681 with SSL, and port 80 without SSL but with a forced redirect to https://localhost 160*1c60b9acSAndroid Build Coastguard Worker 161*1c60b9acSAndroid Build Coastguard Worker 162*1c60b9acSAndroid Build Coastguard Worker@section lwswsvn Lwsws Vhost name and port sharing 163*1c60b9acSAndroid Build Coastguard Worker 164*1c60b9acSAndroid Build Coastguard WorkerThe vhost name field is used to match on incoming SNI or Host: header, so it 165*1c60b9acSAndroid Build Coastguard Workermust always be the host name used to reach the vhost externally. 166*1c60b9acSAndroid Build Coastguard Worker 167*1c60b9acSAndroid Build Coastguard Worker - Vhosts may have the same name and different ports, these will each create a 168*1c60b9acSAndroid Build Coastguard Workerlistening socket on the appropriate port. 169*1c60b9acSAndroid Build Coastguard Worker 170*1c60b9acSAndroid Build Coastguard Worker - Vhosts may also have the same port and different name: these will be treated as 171*1c60b9acSAndroid Build Coastguard Workertrue vhosts on one listening socket and the active vhost decided at SSL 172*1c60b9acSAndroid Build Coastguard Workernegotiation time (via SNI) or if no SSL, then after the Host: header from 173*1c60b9acSAndroid Build Coastguard Workerthe client has been parsed. 174*1c60b9acSAndroid Build Coastguard Worker 175*1c60b9acSAndroid Build Coastguard Worker 176*1c60b9acSAndroid Build Coastguard Worker@section lwswspr Lwsws Protocols 177*1c60b9acSAndroid Build Coastguard Worker 178*1c60b9acSAndroid Build Coastguard WorkerVhosts by default have available the union of any initial protocols from context creation time, and 179*1c60b9acSAndroid Build Coastguard Workerany protocols exposed by plugins. 180*1c60b9acSAndroid Build Coastguard Worker 181*1c60b9acSAndroid Build Coastguard WorkerVhosts can select which plugins they want to offer and give them per-vhost settings using this syntax 182*1c60b9acSAndroid Build Coastguard Worker``` 183*1c60b9acSAndroid Build Coastguard Worker "ws-protocols": [{ 184*1c60b9acSAndroid Build Coastguard Worker "warmcat-timezoom": { 185*1c60b9acSAndroid Build Coastguard Worker "status": "ok" 186*1c60b9acSAndroid Build Coastguard Worker } 187*1c60b9acSAndroid Build Coastguard Worker }] 188*1c60b9acSAndroid Build Coastguard Worker``` 189*1c60b9acSAndroid Build Coastguard Worker 190*1c60b9acSAndroid Build Coastguard WorkerThe "x":"y" parameters like "status":"ok" are made available to the protocol during its per-vhost 191*1c60b9acSAndroid Build Coastguard WorkerLWS_CALLBACK_PROTOCOL_INIT (in is a pointer to a linked list of struct lws_protocol_vhost_options 192*1c60b9acSAndroid Build Coastguard Workercontaining the name and value pointers). 193*1c60b9acSAndroid Build Coastguard Worker 194*1c60b9acSAndroid Build Coastguard WorkerTo indicate that a protocol should be used when no Protocol: header is sent 195*1c60b9acSAndroid Build Coastguard Workerby the client, you can use "default": "1" 196*1c60b9acSAndroid Build Coastguard Worker``` 197*1c60b9acSAndroid Build Coastguard Worker "ws-protocols": [{ 198*1c60b9acSAndroid Build Coastguard Worker "warmcat-timezoom": { 199*1c60b9acSAndroid Build Coastguard Worker "status": "ok", 200*1c60b9acSAndroid Build Coastguard Worker "default": "1" 201*1c60b9acSAndroid Build Coastguard Worker } 202*1c60b9acSAndroid Build Coastguard Worker }] 203*1c60b9acSAndroid Build Coastguard Worker``` 204*1c60b9acSAndroid Build Coastguard Worker 205*1c60b9acSAndroid Build Coastguard WorkerSimilarly, if your vhost is serving a raw protocol, you can mark the protocol 206*1c60b9acSAndroid Build Coastguard Workerto be selected using "raw": "1" 207*1c60b9acSAndroid Build Coastguard Worker``` 208*1c60b9acSAndroid Build Coastguard Worker "ws-protocols": [{ 209*1c60b9acSAndroid Build Coastguard Worker "warmcat-timezoom": { 210*1c60b9acSAndroid Build Coastguard Worker "status": "ok", 211*1c60b9acSAndroid Build Coastguard Worker "raw": "1" 212*1c60b9acSAndroid Build Coastguard Worker } 213*1c60b9acSAndroid Build Coastguard Worker }] 214*1c60b9acSAndroid Build Coastguard Worker``` 215*1c60b9acSAndroid Build Coastguard Worker 216*1c60b9acSAndroid Build Coastguard WorkerSee also "apply-listen-accept" below. 217*1c60b9acSAndroid Build Coastguard Worker 218*1c60b9acSAndroid Build Coastguard Worker@section lwswsovo Lwsws Other vhost options 219*1c60b9acSAndroid Build Coastguard Worker 220*1c60b9acSAndroid Build Coastguard Worker - If the three options `host-ssl-cert`, `host-ssl-ca` and `host-ssl-key` are given, then the vhost supports SSL. 221*1c60b9acSAndroid Build Coastguard Worker 222*1c60b9acSAndroid Build Coastguard Worker Each vhost may have its own certs, SNI is used during the initial connection negotiation to figure out which certs to use by the server name it's asking for from the request DNS name. 223*1c60b9acSAndroid Build Coastguard Worker 224*1c60b9acSAndroid Build Coastguard Worker - `keeplive-timeout` (in secs) defaults to 60 for lwsws, it may be set as a vhost option 225*1c60b9acSAndroid Build Coastguard Worker 226*1c60b9acSAndroid Build Coastguard Worker - `interface` lets you specify which network interface to listen on, if not given listens on all. If the network interface is not usable (eg, ethernet cable out) it will be logged at startup with such vhost not listening, and lws will poll for it and bind a listen socket to the interface if and when it becomes available. 227*1c60b9acSAndroid Build Coastguard Worker 228*1c60b9acSAndroid Build Coastguard Worker - "`unix-socket`": "1" causes the unix socket specified in the interface option to be used instead of an INET socket 229*1c60b9acSAndroid Build Coastguard Worker 230*1c60b9acSAndroid Build Coastguard Worker - "`unix-socket-perms`": "user:group" allows you to control the unix permissons on the listening unix socket. It's always get to `0600` mode, but you can control the user and group for the socket fd at creation time. This allows you to use unix user and groups to control who may open the other end of the unix socket on the local system. 231*1c60b9acSAndroid Build Coastguard Worker 232*1c60b9acSAndroid Build Coastguard Worker - "`sts`": "1" causes lwsws to send a Strict Transport Security header with responses that informs the client he should never accept to connect to this address using http. This is needed to get the A+ security rating from SSL Labs for your server. 233*1c60b9acSAndroid Build Coastguard Worker 234*1c60b9acSAndroid Build Coastguard Worker - "`access-log`": "filepath" sets where apache-compatible access logs will be written 235*1c60b9acSAndroid Build Coastguard Worker 236*1c60b9acSAndroid Build Coastguard Worker - `"enable-client-ssl"`: `"1"` enables the vhost's client SSL context, you will need this if you plan to create client conections on the vhost that will use SSL. You don't need it if you only want http / ws client connections. 237*1c60b9acSAndroid Build Coastguard Worker 238*1c60b9acSAndroid Build Coastguard Worker - "`ciphers`": "<cipher list>" OPENSSL only: sets the allowed list of TLS <= 1.2 ciphers and key exchange protocols for the serving SSL_CTX on the vhost. The default list is restricted to only those providing PFS (Perfect Forward Secrecy) on the author's Fedora system. 239*1c60b9acSAndroid Build Coastguard Worker 240*1c60b9acSAndroid Build Coastguard Worker If you need to allow weaker ciphers, you can provide an alternative list here per-vhost. 241*1c60b9acSAndroid Build Coastguard Worker 242*1c60b9acSAndroid Build Coastguard Worker - "`client-ssl-ciphers`": "<cipher list>" OPENSSL only: sets the allowed list of <= TLS1.2 ciphers and key exchange protocols for the client SSL_CTX on the vhost 243*1c60b9acSAndroid Build Coastguard Worker 244*1c60b9acSAndroid Build Coastguard Worker - "`tls13-ciphers`": "<cipher list>" OPENSSL 1.1.1+ only: sets allowed list of TLS1.3+ ciphers and key exchange protocols for the client SSL_CTX on the vhost. The default is to allow all. 245*1c60b9acSAndroid Build Coastguard Worker 246*1c60b9acSAndroid Build Coastguard Worker - "`client-tls13-ciphers`": "<cipher list>" OPENSSL 1.1.1+ only: sets the allowed list of TLS1.3+ ciphers and key exchange protocols for the client SSL_CTX on the vhost. The default is to allow all. 247*1c60b9acSAndroid Build Coastguard Worker 248*1c60b9acSAndroid Build Coastguard Worker - "`ecdh-curve`": "<curve name>" The default ecdh curve is "prime256v1", but you can override it here, per-vhost 249*1c60b9acSAndroid Build Coastguard Worker 250*1c60b9acSAndroid Build Coastguard Worker - "`noipv6`": "on" Disable ipv6 completely for this vhost 251*1c60b9acSAndroid Build Coastguard Worker 252*1c60b9acSAndroid Build Coastguard Worker - "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost 253*1c60b9acSAndroid Build Coastguard Worker 254*1c60b9acSAndroid Build Coastguard Worker - "`ssl-option-set`": "<decimal>" Sets the SSL option flag value for the vhost. 255*1c60b9acSAndroid Build Coastguard Worker It may be used multiple times and OR's the flags together. 256*1c60b9acSAndroid Build Coastguard Worker 257*1c60b9acSAndroid Build Coastguard Worker The values are derived from /usr/include/openssl/ssl.h 258*1c60b9acSAndroid Build Coastguard Worker``` 259*1c60b9acSAndroid Build Coastguard Worker # define SSL_OP_NO_TLSv1_1 0x10000000L 260*1c60b9acSAndroid Build Coastguard Worker``` 261*1c60b9acSAndroid Build Coastguard Worker 262*1c60b9acSAndroid Build Coastguard Worker would equate to 263*1c60b9acSAndroid Build Coastguard Worker 264*1c60b9acSAndroid Build Coastguard Worker``` 265*1c60b9acSAndroid Build Coastguard Worker "`ssl-option-set`": "268435456" 266*1c60b9acSAndroid Build Coastguard Worker ``` 267*1c60b9acSAndroid Build Coastguard Worker - "`ssl-option-clear'": "<decimal>" Clears the SSL option flag value for the vhost. 268*1c60b9acSAndroid Build Coastguard Worker It may be used multiple times and OR's the flags together. 269*1c60b9acSAndroid Build Coastguard Worker 270*1c60b9acSAndroid Build Coastguard Worker - "`ssl-client-option-set`" and "`ssl-client-option-clear`" work the same way for the vhost Client SSL context 271*1c60b9acSAndroid Build Coastguard Worker 272*1c60b9acSAndroid Build Coastguard Worker - "`headers':: [{ "header1": "h1value", "header2": "h2value" }] 273*1c60b9acSAndroid Build Coastguard Worker 274*1c60b9acSAndroid Build Coastguard Workerallows you to set arbitrary headers on every file served by the vhost 275*1c60b9acSAndroid Build Coastguard Worker 276*1c60b9acSAndroid Build Coastguard Workerrecommended vhost headers for good client security are 277*1c60b9acSAndroid Build Coastguard Worker 278*1c60b9acSAndroid Build Coastguard Worker``` 279*1c60b9acSAndroid Build Coastguard Worker "headers": [{ 280*1c60b9acSAndroid Build Coastguard Worker "Content-Security-Policy": "script-src 'self'", 281*1c60b9acSAndroid Build Coastguard Worker "X-Content-Type-Options": "nosniff", 282*1c60b9acSAndroid Build Coastguard Worker "X-XSS-Protection": "1; mode=block", 283*1c60b9acSAndroid Build Coastguard Worker "X-Frame-Options": "SAMEORIGIN" 284*1c60b9acSAndroid Build Coastguard Worker }] 285*1c60b9acSAndroid Build Coastguard Worker 286*1c60b9acSAndroid Build Coastguard Worker``` 287*1c60b9acSAndroid Build Coastguard Worker 288*1c60b9acSAndroid Build Coastguard Worker - "`apply-listen-accept`": "on" This vhost only serves a non-http protocol, specified in "listen-accept-role" and "listen-accept-protocol" 289*1c60b9acSAndroid Build Coastguard Worker 290*1c60b9acSAndroid Build Coastguard Worker@section lwswsm Lwsws Mounts 291*1c60b9acSAndroid Build Coastguard Worker 292*1c60b9acSAndroid Build Coastguard WorkerWhere mounts are given in the vhost definition, then directory contents may 293*1c60b9acSAndroid Build Coastguard Workerbe auto-served if it matches the mountpoint. 294*1c60b9acSAndroid Build Coastguard Worker 295*1c60b9acSAndroid Build Coastguard WorkerMount protocols are used to control what kind of translation happens 296*1c60b9acSAndroid Build Coastguard Worker 297*1c60b9acSAndroid Build Coastguard Worker - file:// serve the uri using the remainder of the url past the mountpoint based on the origin directory. 298*1c60b9acSAndroid Build Coastguard Worker 299*1c60b9acSAndroid Build Coastguard Worker Eg, with this mountpoint 300*1c60b9acSAndroid Build Coastguard Worker``` 301*1c60b9acSAndroid Build Coastguard Worker { 302*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/", 303*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///var/www/mysite.com", 304*1c60b9acSAndroid Build Coastguard Worker "default": "/" 305*1c60b9acSAndroid Build Coastguard Worker } 306*1c60b9acSAndroid Build Coastguard Worker``` 307*1c60b9acSAndroid Build Coastguard Worker The uri /file.jpg would serve /var/www/mysite.com/file.jpg, since / matched. 308*1c60b9acSAndroid Build Coastguard Worker 309*1c60b9acSAndroid Build Coastguard Worker - ^http:// or ^https:// these cause any url matching the mountpoint to issue a redirect to the origin url 310*1c60b9acSAndroid Build Coastguard Worker 311*1c60b9acSAndroid Build Coastguard Worker - cgi:// this causes any matching url to be given to the named cgi, eg 312*1c60b9acSAndroid Build Coastguard Worker``` 313*1c60b9acSAndroid Build Coastguard Worker { 314*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/git", 315*1c60b9acSAndroid Build Coastguard Worker "origin": "cgi:///var/www/cgi-bin/cgit", 316*1c60b9acSAndroid Build Coastguard Worker "default": "/" 317*1c60b9acSAndroid Build Coastguard Worker }, { 318*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/cgit-data", 319*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///usr/share/cgit", 320*1c60b9acSAndroid Build Coastguard Worker "default": "/" 321*1c60b9acSAndroid Build Coastguard Worker }, 322*1c60b9acSAndroid Build Coastguard Worker``` 323*1c60b9acSAndroid Build Coastguard Worker would cause the url /git/myrepo to pass "myrepo" to the cgi /var/www/cgi-bin/cgit and send the results to the client. 324*1c60b9acSAndroid Build Coastguard Worker 325*1c60b9acSAndroid Build Coastguard Worker - http:// or https:// these perform reverse proxying, serving the remote origin content from the mountpoint. Eg 326*1c60b9acSAndroid Build Coastguard Worker 327*1c60b9acSAndroid Build Coastguard Worker``` 328*1c60b9acSAndroid Build Coastguard Worker { 329*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/proxytest", 330*1c60b9acSAndroid Build Coastguard Worker "origin": "https://libwebsockets.org" 331*1c60b9acSAndroid Build Coastguard Worker } 332*1c60b9acSAndroid Build Coastguard Worker``` 333*1c60b9acSAndroid Build Coastguard Worker 334*1c60b9acSAndroid Build Coastguard WorkerThis will cause your local url `/proxytest` to serve content fetched from libwebsockets.org over ssl; whether it's served from your server using ssl is unrelated and depends how you configured your local server. Notice if you will use the proxying feature, `LWS_WITH_HTTP_PROXY` is required to be enabled at cmake, and for `https` proxy origins, your lwsws configuration must include `"init-ssl": "1"` and the vhost with the proxy mount must have `"enable-client-ssl": "1"`, even if you are not using ssl to serve. 335*1c60b9acSAndroid Build Coastguard Worker 336*1c60b9acSAndroid Build Coastguard Worker`/proxytest/abc`, or `/proxytest/abc?def=ghi` etc map to the origin + the part past `/proxytest`, so links and img src urls etc work as do all urls under the origin path. 337*1c60b9acSAndroid Build Coastguard Worker 338*1c60b9acSAndroid Build Coastguard WorkerIn addition link and src urls in the document are rewritten so / or the origin url part are rewritten to the mountpoint part. 339*1c60b9acSAndroid Build Coastguard Worker 340*1c60b9acSAndroid Build Coastguard Worker 341*1c60b9acSAndroid Build Coastguard Worker@section lwswsomo Lwsws Other mount options 342*1c60b9acSAndroid Build Coastguard Worker 343*1c60b9acSAndroid Build Coastguard Worker1) Some protocols may want "per-mount options" in name:value format. You can 344*1c60b9acSAndroid Build Coastguard Workerprovide them using "pmo" 345*1c60b9acSAndroid Build Coastguard Worker 346*1c60b9acSAndroid Build Coastguard Worker { 347*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/stuff", 348*1c60b9acSAndroid Build Coastguard Worker "origin": "callback://myprotocol", 349*1c60b9acSAndroid Build Coastguard Worker "pmo": [{ 350*1c60b9acSAndroid Build Coastguard Worker "myname": "myvalue" 351*1c60b9acSAndroid Build Coastguard Worker }] 352*1c60b9acSAndroid Build Coastguard Worker } 353*1c60b9acSAndroid Build Coastguard Worker 354*1c60b9acSAndroid Build Coastguard Worker2) When using a cgi:// protocol origin at a mountpoint, you may also give cgi environment variables specific to the mountpoint like this 355*1c60b9acSAndroid Build Coastguard Worker``` 356*1c60b9acSAndroid Build Coastguard Worker { 357*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/git", 358*1c60b9acSAndroid Build Coastguard Worker "origin": "cgi:///var/www/cgi-bin/cgit", 359*1c60b9acSAndroid Build Coastguard Worker "default": "/", 360*1c60b9acSAndroid Build Coastguard Worker "cgi-env": [{ 361*1c60b9acSAndroid Build Coastguard Worker "CGIT_CONFIG": "/etc/cgitrc/libwebsockets.org" 362*1c60b9acSAndroid Build Coastguard Worker }] 363*1c60b9acSAndroid Build Coastguard Worker } 364*1c60b9acSAndroid Build Coastguard Worker``` 365*1c60b9acSAndroid Build Coastguard Worker This allows you to customize one cgi depending on the mountpoint (and / or vhost). 366*1c60b9acSAndroid Build Coastguard Worker 367*1c60b9acSAndroid Build Coastguard Worker3) It's also possible to set the cgi timeout (in secs) per cgi:// mount, like this 368*1c60b9acSAndroid Build Coastguard Worker``` 369*1c60b9acSAndroid Build Coastguard Worker "cgi-timeout": "30" 370*1c60b9acSAndroid Build Coastguard Worker``` 371*1c60b9acSAndroid Build Coastguard Worker4) `callback://` protocol may be used when defining a mount to associate a 372*1c60b9acSAndroid Build Coastguard Workernamed protocol callback with the URL namespace area. For example 373*1c60b9acSAndroid Build Coastguard Worker``` 374*1c60b9acSAndroid Build Coastguard Worker { 375*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/formtest", 376*1c60b9acSAndroid Build Coastguard Worker "origin": "callback://protocol-post-demo" 377*1c60b9acSAndroid Build Coastguard Worker } 378*1c60b9acSAndroid Build Coastguard Worker``` 379*1c60b9acSAndroid Build Coastguard WorkerAll handling of client access to /formtest[anything] will be passed to the 380*1c60b9acSAndroid Build Coastguard Workercallback registered to the protocol "protocol-post-demo". 381*1c60b9acSAndroid Build Coastguard Worker 382*1c60b9acSAndroid Build Coastguard WorkerThis is useful for handling POST http body content or general non-cgi http 383*1c60b9acSAndroid Build Coastguard Workerpayload generation inside a plugin. 384*1c60b9acSAndroid Build Coastguard Worker 385*1c60b9acSAndroid Build Coastguard WorkerSee the related notes in README.coding.md 386*1c60b9acSAndroid Build Coastguard Worker 387*1c60b9acSAndroid Build Coastguard Worker5) Cache policy of the files in the mount can also be set. If no 388*1c60b9acSAndroid Build Coastguard Workeroptions are given, the content is marked uncacheable. 389*1c60b9acSAndroid Build Coastguard Worker``` 390*1c60b9acSAndroid Build Coastguard Worker { 391*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/", 392*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///var/www/mysite.com", 393*1c60b9acSAndroid Build Coastguard Worker "cache-max-age": "60", # seconds 394*1c60b9acSAndroid Build Coastguard Worker "cache-reuse": "1", # allow reuse at client at all 395*1c60b9acSAndroid Build Coastguard Worker "cache-revalidate": "1", # check it with server each time 396*1c60b9acSAndroid Build Coastguard Worker "cache-intermediaries": "1" # allow intermediary caches to hold 397*1c60b9acSAndroid Build Coastguard Worker } 398*1c60b9acSAndroid Build Coastguard Worker``` 399*1c60b9acSAndroid Build Coastguard Worker 400*1c60b9acSAndroid Build Coastguard Worker6) You can also define a list of additional mimetypes per-mount 401*1c60b9acSAndroid Build Coastguard Worker``` 402*1c60b9acSAndroid Build Coastguard Worker "extra-mimetypes": { 403*1c60b9acSAndroid Build Coastguard Worker ".zip": "application/zip", 404*1c60b9acSAndroid Build Coastguard Worker ".doc": "text/evil" 405*1c60b9acSAndroid Build Coastguard Worker } 406*1c60b9acSAndroid Build Coastguard Worker``` 407*1c60b9acSAndroid Build Coastguard Worker 408*1c60b9acSAndroid Build Coastguard WorkerNormally a file suffix MUST match one of the canned mimetypes or one of the extra 409*1c60b9acSAndroid Build Coastguard Workermimetypes, or the file is not served. This adds a little bit of security because 410*1c60b9acSAndroid Build Coastguard Workereven if there is a bug somewhere and the mount dirs are circumvented, lws will not 411*1c60b9acSAndroid Build Coastguard Workerserve, eg, /etc/passwd. 412*1c60b9acSAndroid Build Coastguard Worker 413*1c60b9acSAndroid Build Coastguard WorkerIf you provide an extra mimetype entry 414*1c60b9acSAndroid Build Coastguard Worker 415*1c60b9acSAndroid Build Coastguard Worker "*": "" 416*1c60b9acSAndroid Build Coastguard Worker 417*1c60b9acSAndroid Build Coastguard WorkerThen any file is served, if the mimetype was not known then it is served without a 418*1c60b9acSAndroid Build Coastguard WorkerContent-Type: header. 419*1c60b9acSAndroid Build Coastguard Worker 420*1c60b9acSAndroid Build Coastguard Worker7) A mount can be protected by HTTP Basic Auth. This only makes sense when using 421*1c60b9acSAndroid Build Coastguard Workerhttps, since otherwise the password can be sniffed. 422*1c60b9acSAndroid Build Coastguard Worker 423*1c60b9acSAndroid Build Coastguard WorkerYou can add a `basic-auth` entry on an http mount like this 424*1c60b9acSAndroid Build Coastguard Worker 425*1c60b9acSAndroid Build Coastguard Worker``` 426*1c60b9acSAndroid Build Coastguard Worker{ 427*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/basic-auth", 428*1c60b9acSAndroid Build Coastguard Worker "origin": "file://_lws_ddir_/libwebsockets-test-server/private", 429*1c60b9acSAndroid Build Coastguard Worker "basic-auth": "/var/www/balogins-private" 430*1c60b9acSAndroid Build Coastguard Worker} 431*1c60b9acSAndroid Build Coastguard Worker``` 432*1c60b9acSAndroid Build Coastguard Worker 433*1c60b9acSAndroid Build Coastguard WorkerBefore serving anything, lws will signal to the browser that a username / password 434*1c60b9acSAndroid Build Coastguard Workercombination is required, and it will pop up a dialog. When the user has filled it 435*1c60b9acSAndroid Build Coastguard Workerin, lwsws checks the user:password string against the text file named in the `basic-auth` 436*1c60b9acSAndroid Build Coastguard Workerentry. 437*1c60b9acSAndroid Build Coastguard Worker 438*1c60b9acSAndroid Build Coastguard WorkerThe file should contain user:pass one per line 439*1c60b9acSAndroid Build Coastguard Worker 440*1c60b9acSAndroid Build Coastguard Worker``` 441*1c60b9acSAndroid Build Coastguard Workertestuser:testpass 442*1c60b9acSAndroid Build Coastguard Workermyuser:hispass 443*1c60b9acSAndroid Build Coastguard Worker``` 444*1c60b9acSAndroid Build Coastguard Worker 445*1c60b9acSAndroid Build Coastguard WorkerThe file should be readable by lwsws, and for a little bit of extra security not 446*1c60b9acSAndroid Build Coastguard Workerhave a file suffix, so lws would reject to serve it even if it could find it on 447*1c60b9acSAndroid Build Coastguard Workera mount. 448*1c60b9acSAndroid Build Coastguard Worker 449*1c60b9acSAndroid Build Coastguard WorkerAfter successful authentication, `WSI_TOKEN_HTTP_AUTHORIZATION` contains the 450*1c60b9acSAndroid Build Coastguard Workerauthenticated username. 451*1c60b9acSAndroid Build Coastguard Worker 452*1c60b9acSAndroid Build Coastguard WorkerIn the case you want to also protect being able to connect to a ws protocol on 453*1c60b9acSAndroid Build Coastguard Workera particular vhost by requiring the http part can authenticate using Basic 454*1c60b9acSAndroid Build Coastguard WorkerAuth before the ws upgrade, this is also possible. In this case, the 455*1c60b9acSAndroid Build Coastguard Worker"basic-auth": and filepath to the credentials file is passed as a pvo in the 456*1c60b9acSAndroid Build Coastguard Worker"ws-protocols" section of the vhost definition. 457*1c60b9acSAndroid Build Coastguard Worker 458*1c60b9acSAndroid Build Coastguard Worker@section lwswscc Requiring a Client Cert on a vhost 459*1c60b9acSAndroid Build Coastguard Worker 460*1c60b9acSAndroid Build Coastguard WorkerYou can make a vhost insist to get a client certificate from the peer before 461*1c60b9acSAndroid Build Coastguard Workerallowing the connection with 462*1c60b9acSAndroid Build Coastguard Worker 463*1c60b9acSAndroid Build Coastguard Worker``` 464*1c60b9acSAndroid Build Coastguard Worker "client-cert-required": "1" 465*1c60b9acSAndroid Build Coastguard Worker``` 466*1c60b9acSAndroid Build Coastguard Worker 467*1c60b9acSAndroid Build Coastguard Workerthe connection will only proceed if the client certificate was signed by the 468*1c60b9acSAndroid Build Coastguard Workersame CA as the server has been told to trust. 469*1c60b9acSAndroid Build Coastguard Worker 470*1c60b9acSAndroid Build Coastguard Worker@section rawconf Configuring Fallback and Raw vhosts 471*1c60b9acSAndroid Build Coastguard Worker 472*1c60b9acSAndroid Build Coastguard WorkerLws supports some unusual modes for vhost listen sockets, which may be 473*1c60b9acSAndroid Build Coastguard Workerconfigured entirely using the JSON per-vhost config language in the related 474*1c60b9acSAndroid Build Coastguard Workervhost configuration section. 475*1c60b9acSAndroid Build Coastguard Worker 476*1c60b9acSAndroid Build Coastguard WorkerThere are three main uses for them 477*1c60b9acSAndroid Build Coastguard Worker 478*1c60b9acSAndroid Build Coastguard Worker1) A vhost bound to a specific role and protocol, not http. This binds all 479*1c60b9acSAndroid Build Coastguard Workerincoming connections on the vhost listen socket to the "raw-proxy" role and 480*1c60b9acSAndroid Build Coastguard Workerprotocol "myprotocol". 481*1c60b9acSAndroid Build Coastguard Worker 482*1c60b9acSAndroid Build Coastguard Worker``` 483*1c60b9acSAndroid Build Coastguard Worker "listen-accept-role": "raw-proxy", 484*1c60b9acSAndroid Build Coastguard Worker "listen-accept-protocol": "myprotocol", 485*1c60b9acSAndroid Build Coastguard Worker "apply-listen-accept": "1" 486*1c60b9acSAndroid Build Coastguard Worker``` 487*1c60b9acSAndroid Build Coastguard Worker 488*1c60b9acSAndroid Build Coastguard Worker2) A vhost that wants to treat noncompliant connections for http or https as 489*1c60b9acSAndroid Build Coastguard Worker belonging to a secondary fallback role and protocol. This causes non-https 490*1c60b9acSAndroid Build Coastguard Worker connections to an https listener to stop being treated as https, to lose the 491*1c60b9acSAndroid Build Coastguard Worker tls wrapper, and bind to role "raw-proxy" and protocol "myprotocol". For 492*1c60b9acSAndroid Build Coastguard Worker example, connect a browser on your external IP :443 as usual and it serves 493*1c60b9acSAndroid Build Coastguard Worker as normal, but if you have configured the raw-proxy to portforward 494*1c60b9acSAndroid Build Coastguard Worker 127.0.0.1:22, then connecting your ssh client to your external port 443 will 495*1c60b9acSAndroid Build Coastguard Worker instead proxy your sshd over :443 with no http or tls getting in the way. 496*1c60b9acSAndroid Build Coastguard Worker 497*1c60b9acSAndroid Build Coastguard Worker``` 498*1c60b9acSAndroid Build Coastguard Worker "listen-accept-role": "raw-proxy", 499*1c60b9acSAndroid Build Coastguard Worker "listen-accept-protocol": "myprotocol", 500*1c60b9acSAndroid Build Coastguard Worker "fallback-listen-accept": "1", 501*1c60b9acSAndroid Build Coastguard Worker "allow-non-tls": "1" 502*1c60b9acSAndroid Build Coastguard Worker``` 503*1c60b9acSAndroid Build Coastguard Worker 504*1c60b9acSAndroid Build Coastguard Worker3) A vhost wants to either redirect stray http traffic back to https, or to 505*1c60b9acSAndroid Build Coastguard Worker actually serve http on an https listen socket (this is not recommended 506*1c60b9acSAndroid Build Coastguard Worker since it allows anyone to drop the security assurances of https by 507*1c60b9acSAndroid Build Coastguard Worker accident or design). 508*1c60b9acSAndroid Build Coastguard Worker 509*1c60b9acSAndroid Build Coastguard Worker``` 510*1c60b9acSAndroid Build Coastguard Worker "allow-non-tls": "1", 511*1c60b9acSAndroid Build Coastguard Worker "redirect-http": "1", 512*1c60b9acSAndroid Build Coastguard Worker``` 513*1c60b9acSAndroid Build Coastguard Worker 514*1c60b9acSAndroid Build Coastguard Worker...or, 515*1c60b9acSAndroid Build Coastguard Worker 516*1c60b9acSAndroid Build Coastguard Worker``` 517*1c60b9acSAndroid Build Coastguard Worker "allow-non-tls": "1", 518*1c60b9acSAndroid Build Coastguard Worker "allow-http-on-https": "1", 519*1c60b9acSAndroid Build Coastguard Worker``` 520*1c60b9acSAndroid Build Coastguard Worker 521*1c60b9acSAndroid Build Coastguard Worker@section lwswspl Lwsws Plugins 522*1c60b9acSAndroid Build Coastguard Worker 523*1c60b9acSAndroid Build Coastguard WorkerProtcols and extensions may also be provided from "plugins", these are 524*1c60b9acSAndroid Build Coastguard Workerlightweight dynamic libraries. They are scanned for at init time, and 525*1c60b9acSAndroid Build Coastguard Workerany protocols and extensions found are added to the list given at context 526*1c60b9acSAndroid Build Coastguard Workercreation time. 527*1c60b9acSAndroid Build Coastguard Worker 528*1c60b9acSAndroid Build Coastguard WorkerProtocols receive init (LWS_CALLBACK_PROTOCOL_INIT) and destruction 529*1c60b9acSAndroid Build Coastguard Worker(LWS_CALLBACK_PROTOCOL_DESTROY) callbacks per-vhost, and there are arrangements 530*1c60b9acSAndroid Build Coastguard Workerthey can make per-vhost allocations and get hold of the correct pointer from 531*1c60b9acSAndroid Build Coastguard Workerthe wsi at the callback. 532*1c60b9acSAndroid Build Coastguard Worker 533*1c60b9acSAndroid Build Coastguard WorkerThis allows a protocol to choose to strictly segregate data on a per-vhost 534*1c60b9acSAndroid Build Coastguard Workerbasis, and also allows the plugin to handle its own initialization and 535*1c60b9acSAndroid Build Coastguard Workercontext storage. 536*1c60b9acSAndroid Build Coastguard Worker 537*1c60b9acSAndroid Build Coastguard WorkerTo help that happen conveniently, there are some new apis 538*1c60b9acSAndroid Build Coastguard Worker 539*1c60b9acSAndroid Build Coastguard Worker - lws_vhost_get(wsi) 540*1c60b9acSAndroid Build Coastguard Worker - lws_protocol_get(wsi) 541*1c60b9acSAndroid Build Coastguard Worker - lws_callback_on_writable_all_protocol_vhost(vhost, protocol) 542*1c60b9acSAndroid Build Coastguard Worker - lws_protocol_vh_priv_zalloc(vhost, protocol, size) 543*1c60b9acSAndroid Build Coastguard Worker - lws_protocol_vh_priv_get(vhost, protocol) 544*1c60b9acSAndroid Build Coastguard Worker 545*1c60b9acSAndroid Build Coastguard Workerdumb increment, mirror and status protocol plugins are provided as examples. 546*1c60b9acSAndroid Build Coastguard Worker 547*1c60b9acSAndroid Build Coastguard Worker 548*1c60b9acSAndroid Build Coastguard Worker@section lwswsplaplp Additional plugin search paths 549*1c60b9acSAndroid Build Coastguard Worker 550*1c60b9acSAndroid Build Coastguard WorkerPackages that have their own lws plugins can install them in their own 551*1c60b9acSAndroid Build Coastguard Workerpreferred dir and ask lwsws to scan there by using a config fragment 552*1c60b9acSAndroid Build Coastguard Workerlike this, in its own conf.d/ file managed by the other package 553*1c60b9acSAndroid Build Coastguard Worker``` 554*1c60b9acSAndroid Build Coastguard Worker { 555*1c60b9acSAndroid Build Coastguard Worker "global": { 556*1c60b9acSAndroid Build Coastguard Worker "plugin-dir": "/usr/local/share/coherent-timeline/plugins" 557*1c60b9acSAndroid Build Coastguard Worker } 558*1c60b9acSAndroid Build Coastguard Worker } 559*1c60b9acSAndroid Build Coastguard Worker``` 560*1c60b9acSAndroid Build Coastguard Worker 561*1c60b9acSAndroid Build Coastguard Worker@section lwswsssp lws-server-status plugin 562*1c60b9acSAndroid Build Coastguard Worker 563*1c60b9acSAndroid Build Coastguard WorkerOne provided protocol can be used to monitor the server status. 564*1c60b9acSAndroid Build Coastguard Worker 565*1c60b9acSAndroid Build Coastguard WorkerEnable the protocol like this on a vhost's ws-protocols section 566*1c60b9acSAndroid Build Coastguard Worker``` 567*1c60b9acSAndroid Build Coastguard Worker "lws-server-status": { 568*1c60b9acSAndroid Build Coastguard Worker "status": "ok", 569*1c60b9acSAndroid Build Coastguard Worker "update-ms": "5000" 570*1c60b9acSAndroid Build Coastguard Worker } 571*1c60b9acSAndroid Build Coastguard Worker``` 572*1c60b9acSAndroid Build Coastguard Worker`"update-ms"` is used to control how often updated JSON is sent on a ws link. 573*1c60b9acSAndroid Build Coastguard Worker 574*1c60b9acSAndroid Build Coastguard WorkerAnd map the provided HTML into the vhost in the mounts section 575*1c60b9acSAndroid Build Coastguard Worker``` 576*1c60b9acSAndroid Build Coastguard Worker { 577*1c60b9acSAndroid Build Coastguard Worker "mountpoint": "/server-status", 578*1c60b9acSAndroid Build Coastguard Worker "origin": "file:///usr/local/share/libwebsockets-test-server/server-status", 579*1c60b9acSAndroid Build Coastguard Worker "default": "server-status.html" 580*1c60b9acSAndroid Build Coastguard Worker } 581*1c60b9acSAndroid Build Coastguard Worker``` 582*1c60b9acSAndroid Build Coastguard WorkerYou might choose to put it on its own vhost which has "interface": "lo", so it's not 583*1c60b9acSAndroid Build Coastguard Workerexternally visible, or use the Basic Auth support to require authentication to 584*1c60b9acSAndroid Build Coastguard Workeraccess it. 585*1c60b9acSAndroid Build Coastguard Worker 586*1c60b9acSAndroid Build Coastguard Worker`"hide-vhosts": "{0 | 1}"` lets you control if information about your vhosts is included. 587*1c60b9acSAndroid Build Coastguard WorkerSince this includes mounts, you might not want to leak that information, mount names, 588*1c60b9acSAndroid Build Coastguard Workeretc. 589*1c60b9acSAndroid Build Coastguard Worker 590*1c60b9acSAndroid Build Coastguard Worker`"filespath":"{path}"` lets you give a server filepath which is read and sent to the browser 591*1c60b9acSAndroid Build Coastguard Workeron each refresh. For example, you can provide server temperature information on most 592*1c60b9acSAndroid Build Coastguard WorkerLinux systems by giving an appropriate path down /sys. 593*1c60b9acSAndroid Build Coastguard Worker 594*1c60b9acSAndroid Build Coastguard WorkerThis may be given multiple times. 595*1c60b9acSAndroid Build Coastguard Worker 596*1c60b9acSAndroid Build Coastguard Worker 597*1c60b9acSAndroid Build Coastguard Worker@section lwswsreload Lwsws Configuration Reload 598*1c60b9acSAndroid Build Coastguard Worker 599*1c60b9acSAndroid Build Coastguard WorkerYou may send lwsws a `HUP` signal, by, eg 600*1c60b9acSAndroid Build Coastguard Worker 601*1c60b9acSAndroid Build Coastguard Worker``` 602*1c60b9acSAndroid Build Coastguard Worker$ sudo killall -HUP lwsws 603*1c60b9acSAndroid Build Coastguard Worker``` 604*1c60b9acSAndroid Build Coastguard Worker 605*1c60b9acSAndroid Build Coastguard WorkerThis causes lwsws to "deprecate" the existing lwsws process, and remove and close all of 606*1c60b9acSAndroid Build Coastguard Workerits listen sockets, but otherwise allowing it to continue to run, until all 607*1c60b9acSAndroid Build Coastguard Workerof its open connections close. 608*1c60b9acSAndroid Build Coastguard Worker 609*1c60b9acSAndroid Build Coastguard WorkerWhen a deprecated lwsws process has no open connections left, it is destroyed 610*1c60b9acSAndroid Build Coastguard Workerautomatically. 611*1c60b9acSAndroid Build Coastguard Worker 612*1c60b9acSAndroid Build Coastguard WorkerAfter sending the SIGHUP to the main lwsws process, a new lwsws process, which can 613*1c60b9acSAndroid Build Coastguard Workerpick up the newly-available listen sockets, and use the current configuration 614*1c60b9acSAndroid Build Coastguard Workerfiles, is automatically started. 615*1c60b9acSAndroid Build Coastguard Worker 616*1c60b9acSAndroid Build Coastguard WorkerThe new configuration may differ from the original one in arbitrary ways, the new 617*1c60b9acSAndroid Build Coastguard Workercontext is created from scratch each time without reference to the original one. 618*1c60b9acSAndroid Build Coastguard Worker 619*1c60b9acSAndroid Build Coastguard WorkerNotes 620*1c60b9acSAndroid Build Coastguard Worker 621*1c60b9acSAndroid Build Coastguard Worker1) Protocols that provide a "shared world" like mirror will have as many "worlds" 622*1c60b9acSAndroid Build Coastguard Workeras there are lwsws processes still active. People connected to a deprecated lwsws 623*1c60b9acSAndroid Build Coastguard Workerprocess remain connected to the existing peers. 624*1c60b9acSAndroid Build Coastguard Worker 625*1c60b9acSAndroid Build Coastguard WorkerBut any new connections will apply to the new lwsws process, which does not share 626*1c60b9acSAndroid Build Coastguard Workerper-vhost "shared world" data with the deprecated process. That means no new 627*1c60b9acSAndroid Build Coastguard Workerconnections on the deprecated context, ie a "shrinking world" for those guys, and a 628*1c60b9acSAndroid Build Coastguard Worker"growing world" for people who connect after the SIGHUP. 629*1c60b9acSAndroid Build Coastguard Worker 630*1c60b9acSAndroid Build Coastguard Worker2) The new lwsws process owes nothing to the previous one. It starts with fresh 631*1c60b9acSAndroid Build Coastguard Workerplugins, fresh configuration, fresh root privileges if that how you start it. 632*1c60b9acSAndroid Build Coastguard Worker 633*1c60b9acSAndroid Build Coastguard WorkerThe plugins may have been updated in arbitrary ways including struct size changes 634*1c60b9acSAndroid Build Coastguard Workeretc, and lwsws or lws may also have been updated arbitrarily. 635*1c60b9acSAndroid Build Coastguard Worker 636*1c60b9acSAndroid Build Coastguard Worker3) A root parent process is left up that is not able to do anything except 637*1c60b9acSAndroid Build Coastguard Workerrespond to SIGHUP or SIGTERM. Actual serving and network listening etc happens 638*1c60b9acSAndroid Build Coastguard Workerin child processes which use the privileges set in the lwsws config files. 639*1c60b9acSAndroid Build Coastguard Worker 640*1c60b9acSAndroid Build Coastguard Worker@section lwswssysd Lwsws Integration with Systemd 641*1c60b9acSAndroid Build Coastguard Worker 642*1c60b9acSAndroid Build Coastguard Workerlwsws needs a service file like this as `/usr/lib/systemd/system/lwsws.service` 643*1c60b9acSAndroid Build Coastguard Worker``` 644*1c60b9acSAndroid Build Coastguard Worker[Unit] 645*1c60b9acSAndroid Build Coastguard WorkerDescription=Libwebsockets Web Server 646*1c60b9acSAndroid Build Coastguard WorkerAfter=syslog.target 647*1c60b9acSAndroid Build Coastguard Worker 648*1c60b9acSAndroid Build Coastguard Worker[Service] 649*1c60b9acSAndroid Build Coastguard WorkerExecStart=/usr/local/bin/lwsws 650*1c60b9acSAndroid Build Coastguard WorkerExecReload=/usr/bin/killall -s SIGHUP lwsws ; sleep 1 ; /usr/local/bin/lwsws 651*1c60b9acSAndroid Build Coastguard WorkerStandardError=null 652*1c60b9acSAndroid Build Coastguard Worker 653*1c60b9acSAndroid Build Coastguard Worker[Install] 654*1c60b9acSAndroid Build Coastguard WorkerWantedBy=multi-user.target 655*1c60b9acSAndroid Build Coastguard Worker``` 656*1c60b9acSAndroid Build Coastguard Worker 657*1c60b9acSAndroid Build Coastguard WorkerYou can find this prepared in `./lwsws/usr-lib-systemd-system-lwsws.service` 658*1c60b9acSAndroid Build Coastguard Worker 659*1c60b9acSAndroid Build Coastguard Worker 660*1c60b9acSAndroid Build Coastguard Worker@section lwswslr Lwsws Integration with logrotate 661*1c60b9acSAndroid Build Coastguard Worker 662*1c60b9acSAndroid Build Coastguard WorkerFor correct operation with logrotate, `/etc/logrotate.d/lwsws` (if that's 663*1c60b9acSAndroid Build Coastguard Workerwhere we're putting the logs) should contain 664*1c60b9acSAndroid Build Coastguard Worker``` 665*1c60b9acSAndroid Build Coastguard Worker /var/log/lwsws/*log { 666*1c60b9acSAndroid Build Coastguard Worker copytruncate 667*1c60b9acSAndroid Build Coastguard Worker missingok 668*1c60b9acSAndroid Build Coastguard Worker notifempty 669*1c60b9acSAndroid Build Coastguard Worker delaycompress 670*1c60b9acSAndroid Build Coastguard Worker } 671*1c60b9acSAndroid Build Coastguard Worker``` 672*1c60b9acSAndroid Build Coastguard WorkerYou can find this prepared in `/lwsws/etc-logrotate.d-lwsws` 673*1c60b9acSAndroid Build Coastguard Worker 674*1c60b9acSAndroid Build Coastguard WorkerPrepare the log directory like this 675*1c60b9acSAndroid Build Coastguard Worker 676*1c60b9acSAndroid Build Coastguard Worker``` 677*1c60b9acSAndroid Build Coastguard Worker sudo mkdir /var/log/lwsws 678*1c60b9acSAndroid Build Coastguard Worker sudo chmod 700 /var/log/lwsws 679*1c60b9acSAndroid Build Coastguard Worker``` 680*1c60b9acSAndroid Build Coastguard Worker 681*1c60b9acSAndroid Build Coastguard Worker@section lwswsgdb Debugging lwsws with gdb 682*1c60b9acSAndroid Build Coastguard Worker 683*1c60b9acSAndroid Build Coastguard WorkerHopefully you won't need to debug lwsws itself, but you may want to debug your plugins. start lwsws like this to have everything running under gdb 684*1c60b9acSAndroid Build Coastguard Worker 685*1c60b9acSAndroid Build Coastguard Worker``` 686*1c60b9acSAndroid Build Coastguard Workersudo gdb -ex "set follow-fork-mode child" -ex "run" --args /usr/local/bin/lwsws 687*1c60b9acSAndroid Build Coastguard Worker 688*1c60b9acSAndroid Build Coastguard Worker``` 689*1c60b9acSAndroid Build Coastguard Worker 690*1c60b9acSAndroid Build Coastguard Workerthis will give nice backtraces in lwsws itself and in plugins, if they were built with symbols. 691*1c60b9acSAndroid Build Coastguard Worker 692*1c60b9acSAndroid Build Coastguard Worker@section lwswsvgd Running lwsws under valgrind 693*1c60b9acSAndroid Build Coastguard Worker 694*1c60b9acSAndroid Build Coastguard WorkerYou can just run lwsws under valgrind as usual and get valid results. However the results / analysis part of valgrind runs 695*1c60b9acSAndroid Build Coastguard Workerafter the plugins have removed themselves, this means valgrind backtraces into plugin code is opaque, without 696*1c60b9acSAndroid Build Coastguard Workersource-level info because the dynamic library is gone. 697*1c60b9acSAndroid Build Coastguard Worker 698*1c60b9acSAndroid Build Coastguard WorkerThere's a simple workaround, use LD_PRELOAD=<plugin.so> before running lwsws, this has the loader bring the plugin 699*1c60b9acSAndroid Build Coastguard Workerin before executing lwsws as if it was a direct dependency. That means it's still mapped until the whole process 700*1c60b9acSAndroid Build Coastguard Workerexits after valgtind has done its thing. 701*1c60b9acSAndroid Build Coastguard Worker 702*1c60b9acSAndroid Build Coastguard Worker 703
