-
-
Notifications
You must be signed in to change notification settings - Fork 10
/
server.txt
283 lines (212 loc) · 11.7 KB
/
server.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
KAWIPIKO-SERVER(1) kawipiko KAWIPIKO-SERVER(1)
NAME
kawipiko -- blazingly fast static HTTP server - kawipiko-server
>> kawipiko-server --help
>> kawipiko-server --man
--archive <path>
--archive-inmem (memory-loaded archive file)
--archive-mmap (memory-mapped archive file)
--archive-preload (preload archive in OS cache)
--bind <ip>:<port> (HTTP, only HTTP/1.1, FastHTTP)
--bind-2 <ip>:<port> (HTTP, only HTTP/1.1, Go net/http)
--bind-tls <ip>:<port> (HTTPS, only HTTP/1.1, FastHTTP)
--bind-tls-2 <ip>:<port> (HTTPS, with HTTP/2, Go net/http)
--bind-quic <ip>:<port> (HTTPS, with HTTP/3)
--http1-disable
--http2-disable
--http3-alt-svc <ip>:<port>
--tls-bundle <path> (TLS certificate bundle)
--tls-public <path> (TLS certificate public)
--tls-private <path> (TLS certificate private)
--tls-self-rsa (use self-signed RSA)
--tls-self-ed25519 (use self-signed Ed25519)
--processes <count> (of slave processes)
--threads <count> (of threads per process)
--index-all
--index-paths
--index-data-meta
--index-data-content
--hosts-disable (ignore `Host` header)
--special-pages-disable
--security-headers-disable
--security-headers-tls
--seccomp-enable
--limit-descriptors <count>
--limit-memory <MiB>
--timeout-disable
--report --quiet --debug
--dummy
--dummy-empty
--dummy-delay <duration>
--profile-cpu <path>
--profile-mem <path>
--version
--help (show this short help)
--man (show the full manual)
--sources-md5 (dump an `md5sum` of the sources)
--sources-cpio (dump a `cpio.gz` of the sources)
--sbom --sbom-text --sbom-json
----
FLAGS
--bind <ip:port>, --bind-tls <ip:port>, --bind-2 <ip:port>,
--bind-tls-2 <ip:port>, and --bind-quic <ip:port>
The IP and port to listen for requests with:
• (insecure) HTTP/1.1 for --bind, leveraging fasthttp library;
• (secure) HTTP/1.1 over TLS for --bind-tls, leveraging fasthttp
library;
• (insecure) HTTP/1.1 for --bind-2, leveraging Go's net/http
library; (not as performant as the fasthttp powered endpoint;)
• (secure) H2 or HTTP/1.1 over TLS for --bind-tls-2, leveraging Go's
net/http; (not as performant as the fasthttp powered endpoint;)
• (secure) H3 over QUIC for --bind-quic, leveraging
github.com/lucas-clemente/quic-go library; (given that H3 is
still a new protocol, this must be used with caution; also one
should use the --http3-alt-svc <ip:port>;)
• if one uses just --bind-tls (without --bind-tls-2, and without
--http2-disabled), then the TLS endpoint is split between fasthttp
for HTTP/1.1 and Go's net/http for H2;
--tls-bundle <path>, --tls-public <path>, and --tls-private <path>
(optional)
If TLS is enabled, these options allows one to specify the
certificate to use, either as a single file (a bundle) or separate
files (the actual public certificate and the private key).
If one doesn't specify any of these options, an embedded self-signed
certificate will be used. In such case, one can choose between RSA
(the --tls-self-rsa flag) or Ed25519 (the --tls-self-ed25519 flag);
--http1-disable, --http2-disable
Disables that particular protocol. (It can be used only with
--bind-tls-2, given that fasthttp only supports HTTP/1.)
--processes <count> and --threads <count>
The number of processes and threads per each process to start.
(Given Go's concurrency model, the threads count is somewhat a soft
limit, hinting to the runtime the desired parallelism level.)
It is highly recommended to use one process and as many threads as
there are cores.
Depending on the use-case, one can use multiple processes each with
a single thread; this would reduce goroutine contention if it
causes problems. (However note that if using --archive-inmem, then
each process will allocate its own copy of the database in RAM; in
such cases it is highly recommended to use --archive-mmap.)
--archive <path>
The path of the CDB file that contains the archived static content.
(It can be created with the kawipiko-archiver tool.)
--archive-inmem
Reads the CDB file in RAM, and thus all requests are served from RAM
without touching the file-system. (The memory impact is equal to
the size of the CDB archive. This can be used if enough RAM is
available to avoid swapping.)
--archive-mmap
(recommended) The CDB file is memory mapped, thus reading its data
uses the kernel's file-system cache, as opposed to issuing read
syscalls.
--archive-preload
Before starting to serve requests, read the CDB file so that its
data is buffered in the kernel's file-system cache. (This option
can be used with or without --archive-mmap.)
--index-all, --index-paths, --index-data-meta, and
--index-data-content
In order to serve a request kawipiko does the following:
• given the request's path, it is used to locate the corresponding
resource's metadata (i.e. response headers) and data (i.e.
response body) references; by using --index-paths a RAM-based
lookup table is created to eliminate a CDB read operation for this
purpose; (the memory impact is proportional to the size of all
resource paths combined; given that the number of resources is
acceptable, say up to a couple hundred thousand, one could safely
use this option;)
• based on the resource's metadata reference, the actual metadata
(i.e. the response headers) is located; by using --index-data-meta
a RAM-based lookup table is created to eliminate a CDB read
operation for this purpose; (the memory impact is proportional to
the size of all resource metadata blocks combined; given that the
metadata blocks are deduplicated, one could safely use this
option; if one also uses --archive-mmap or --archive-inmem, then
the memory impact is only proportional to the number of resource
metadata blocks;)
• based on the resource's data reference, the actual data (i.e. the
response body) is located; by using --index-data-content a
RAM-based lookup table is created to eliminate a CDB operation
operation for this purpose; (the memory impact is proportional to
the size of all resource data blocks combined; one can use this
option to obtain the best performance; if one also uses
--archive-mmap or --archive-inmem, then the memory impact is only
proportional to the number of resource data blocks;)
• --index-all enables all the options above;
• (depending on the use-case) it is recommended to use
--index-paths; if --exclude-etag was used during archival, one
can also use --index-data-meta;
• it is recommended to use either --archive-mmap or
--archive-inmem, else (especially if data is indexed) the
resulting effect is that of loading everything in RAM;
--hosts-disable
Disables the virtual-hosts feature by ignoring the Host header.
--special-pages-disable
Disables serving a few special pages internal to the server like:
/__/heartbeat
/__/kawipiko/about
/__/kawipiko/version
/__/kawipiko/manual.txt
/__/kawipiko/manual.html
/__/kawipiko/sbom.txt
/__/kawipiko/sbom.json
/__/kawipiko/sources.md5
/__/kawipiko/sources.cpio
/__/kawipiko/banners/errors/403
/__/kawipiko/banners/errors/...
--security-headers-disable
Disables adding a few security related headers:
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: sameorigin
--security-headers-tls
Enables adding the following TLS related headers to the response:
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: upgrade-insecure-requests
These instruct the browser to always use HTTPS for the served
domain. (Useful even without HTTPS, when used behind a TLS
terminator, load-balancer or proxy that do support HTTPS.)
--seccomp-enable
On Linux, and if supported, enable a strict seccomp filter to reduce
the potential attack surface in case of a security issue.
The current filter is the minimal set of syscall's required to have
the server working (thus quite safe). At each stage (opening the
archive, indexing the archive, serving the archive) the non-required
syscall's are filtered.
(At the moment the filter is quite strict and determined by
experimentation. If you enable seccomp and the server is kill-ed,
check auditd logs for the problematic syscall and open an issue
report.)
--limit-descriptors, and --limit-memory
Constrains resource usage by configuring via setrlimit either
RLIMIT_NOFILE (in case of descriptors) or both RLIMIT_DATA and
RLIMIT_AS (in case of memory).
--report
Enables periodic reporting of various metrics. Also enables
reporting a selection of metrics if certain thresholds are matched
(which most likely is a sign of high-load).
--quiet
Disables most logging messages.
--debug
Enables all logging messages.
--dummy, --dummy-empty
It starts the server in a "dummy" mode, ignoring all archive related
arguments and always responding with hello world!\n (unless
--dummy-empty was used) and without additional headers except the
HTTP status line and Content-Length.
This argument can be used to benchmark the raw performance of the
underlying fasthttp, Go's net/http, or QUIC performance; this is
the upper limit of the achievable performance given the underlying
technologies. (From my own benchmarks kawipiko's adds only about
~15% overhead when actually serving the hello-world.cdb archive.)
--dummy-delay <duration>
Enables delaying each response with a certain amount (for example
1s, 1ms, etc.)
It can be used to simulate the real-world network latencies, perhaps
to see how a site with many resources loads in various conditions.
(For example, see an experiment I made with an image made out of
1425 tiles.)
--profile-cpu <path>, and --profile-mem <path>
Enables CPU and memory profiling using Go's profiling
infrastructure.
volution.ro 2023-03-05 KAWIPIKO-SERVER(1)