http — Central server for RPC and the message database
http [-c config]
http(8gx) is a trivial HTTP server. It understands the special HTTP methods of the RPC-over-HTTP protocol used by Outlook, and it can serve files verbatim or forward requests to a FastCGI server such as php-fpm(8).
- -c config
Read configuration directives from the given file. If this option is not specified, /etc/gromox/http.cfg will be read if it exists.
Display option summary.
URI processing order
Requests are passed to the mod_rewrite(4gx) module (built-in) to have their URI potentially rewritten.
If a HTTP request is using the methods RPC_IN_DATA or RPC_OUT_DATA, the data stream is handed off to the exchange_emsmdb(4gx) plugin.
Otherwise, HTTP processing modules (HPM) are invoked. Processing ends when one module signals that the request was handled. The order depends on the HPM list (which is fixed): ews, mh_emsmdb, mh_nsp, oxdisco, oab.
Otherwise, the mod_fastcgi(4gx) module (built-in) is invoked. Processing ends if the module handled the request.
Otherwise, the mod_cache(4gx) module (built-in) is invoked. Processing ends if the module handled the request.
Otherwise, the request is rejected.
RPC-over-HTTP utilizes two special HTTP methods, RPC_IN_DATA and RPC_OUT_DATA. These requests can, similarly to HTTP CONNECT, be very long-lived. The RPC data stream is handled by the included exchange_emsmdb(4gx) plugin.
The usual config file location is /etc/gromox/http.cfg.
- The amount of time a user is blocked from connecting to the service after too many failed logins.
  Default: 1 minute
- Colon-separated list of directories which will be scanned when locating further configuration files, especially those used by plugin instances.
  Default: /etc/gromox/http:/etc/gromox
- Colon-separated list of directories which will be scanned when locating data files.
  Default: /usr/share/gromox/http
- Maximum execution time for CGI scripts.
  Default: 10 minutes
- The helper program to use for authenticating SPNEGO-GSS requests. The value is rudimentarily tokenized at whitespaces, so no special characters may be used. (If you need to, write a shell wrapper.) The special value "internal-gss" uses libgssapi directly. The use of Squid's negotiate_wrapper_auth is optional; Gromox can identify whether requests are SPNEGO-NTLMSSP or SPNEGO-Kerberos in the same fashion as negotiate_wrapper_auth does.
  Default: internal-gss
  Example: /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
  Example: /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
- A unique identifier for this system. It is used for the Server HTTP responses header, for service plugins like exmdb_provider(4gx), which makes use of it for SMTP HELO lines, for DSN report texts, for MIDB database/EML cache. The identifier should only use characters allowed for hostnames.
  Default: (system hostname)
- Enable HTTP Basic authentication.
  Default: yes
- Enable HTTP Negotiate authentication.
  Default: no
- The number of login tries a user is allowed before the account is blocked.
  Default: 10
- The password to unlock TLS certificates.
  Default: (unset)
- Filesystem path to a certificate file for use with encrypted connections. The complete certificate chain should be present (as there is no other config directive to pull CA certs in).
  Default: (unset)
- If a HTTP connection stalls for the given period, the connection is terminated.
  Default: 3 minutes
- If set to 1, prints all incoming and outgoing HTTP traffic to stderr.
  Default: 0
- Enforce authentication at all times. This is a debugging knob.
  Default: no
- Default: gromox@host_id
- AF_INET6 socket address to bind the HTTP service to.
  Default: ::
- The TCP port to expose the HTTP protocol service on.
  Default: 80
- The TCP port to expose implicit-TLS HTTP protocol service (HTTPS) on.
  Default: (unset)
- Target for log messages here. Special values: "-" (stderr/syslog depending on parent PID) or "syslog" are recognized.
  Default: - (auto)
- Maximum verbosity of logging. 1=crit, 2=error, 3=warn, 4=notice, 5=info, 6=debug.
  Default: 4 (notice)
- Filesystem path to the key file needed to unlock the TLS certificate.
  Default: (unset)
- If the HTTP request to a CGI endpoint has a HTTP body larger than the limit given here, the data is buffered in a file rather than kept in memory. If the request uses Chunked Transfer Encoding, a file is used unconditionally.
  Default: 512K
- If the Content-Length of a HTTP request to a CGI endpoint is larger than this value, the request is rejected.
  Default: 4M
- This flag controls whether (or not) the server offers TLS at all. The default is false because you need a certificate for this first.
  Default: false
- The maximum number of connections that each thread is allowed to process.
  Default: 20
- The minimum number of client processing threads to keep around.
  Default: 5
- Log every completed RPC call and the return code of the operation in a minimal fashion to stderr. Level 1 emits RPCs with a failure return code, level 2 emits all RPCs. Note the daemon log level needs to be "debug" (6), too.
  Default: 0
- Path to samba-winbind ntlm_auth or equivalent program that implements the Squid authentication helper text protocol ("YR, TT, KK, AF"). The value is rudimentarily tokenized at whitespaces, so no special characters may be used. (If you need to, write a shell wrapper.) The use of Squid's negotiate_wrapper_auth is optional; Gromox can identify whether requests are SPNEGO-NTLMSSP or SPNEGO-Kerberos in the same fashion as negotiate_wrapper_auth does.
  Default: /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  Example: /usr/lib/squid/negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
The maximum hint size for fragmented RPC PDU requests that will be allowed (C706 §18.104.22.168, MS-RPCE v33 §22.214.171.124).
- The lowest TLS version to offer. Possible values are: tls1.0, tls1.1, tls1.2, and, if supported by the system, tls1.3.
  Default: tls1.2
- An unprivileged user account to switch the process to after startup. To inhibit the switch, assign the empty value.
  Default: gromox
- Directory for runtime variadic data.
  Default: /var/lib/gromox
- Sets the TCP_MAXSEG socket option with the given MSS value for the listening socket(s), cf. tcp(7).
  Default: 0 (do not limit the MSS)
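The two helper-program directives above refer to the Squid authentication helper text protocol ("YR, TT, KK, AF") and to telling NTLMSSP from Kerberos the way negotiate_wrapper_auth does. The following is an added example, not Gromox code: it assumes the classification is a check for the 8-byte NTLMSSP signature at the start of the decoded token and uses the reply codes of the squid-2.5-ntlmssp helper protocol; the function names and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # every NTLMSSP message starts with these 8 bytes

def classify_negotiate_token(b64_token):
    """Classify the blob of an 'Authorization: Negotiate <blob>' header."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "invalid"  # not base64: reject before any helper sees it
    # Assumed check: signature plus at least one byte of message type.
    if len(raw) > len(NTLMSSP_SIG) and raw.startswith(NTLMSSP_SIG):
        return "ntlmssp"
    return "kerberos"  # everything else goes to the GSS/Kerberos path

def helper_request(b64_token, first_leg):
    """Line written to the helper's stdin: YR opens, KK continues."""
    return ("YR " if first_leg else "KK ") + b64_token + "\n"

def parse_helper_reply(line):
    """Map one helper stdout line to (verdict, payload)."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "TT":
        return ("challenge", rest)  # relay blob to the client with a 401
    if code == "AF":
        return ("accept", rest)     # rest is the authenticated user name
    if code in ("NA", "BH"):
        return ("reject", rest)     # NA: auth failed, BH: helper error
    return ("reject", "unrecognized helper reply")  # fail closed

def demo():
    # Constructed sample tokens, not captured traffic.
    ntlm_t1 = base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
    krb = base64.b64encode(b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
    return [
        classify_negotiate_token(ntlm_t1),
        classify_negotiate_token(krb),
        helper_request(ntlm_t1, first_leg=True).split(" ")[0],
        parse_helper_reply("TT TlRMTVNTUAACAAAA\n"),
        parse_helper_reply("AF EXAMPLE\\alice\n"),
        parse_helper_reply("OK\n"),
    ]

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Treating any unknown reply code as a rejection keeps a misconfigured or crashed helper from being read as a successful login.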
/usr/lib/gromox/libgxh_*.so: HTTP processing plugins
/usr/lib/gromox/libgxp_*.so: PDU processing plugins
/usr/lib/gromox/libgxs_*.so: service plugins
MS-RPCE: Remote Procedure Call Protocol Extensions
DCERPC / C706: Technical Standard DCE 1.1: Remote Procedure Call by The Open Group, 1997
gromox(7), mod_cache(4gx), mod_fastcgi(4gx), mod_rewrite(4gx)