-
Notifications
You must be signed in to change notification settings - Fork 104
/
config_virtual_servers_rule.txt
370 lines (279 loc) · 11.6 KB
/
config_virtual_servers_rule.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
== link:index.html[Index] -> link:config.html[Configuration] -> link:config_virtual_servers.html[Virtual servers]
////
Last checked: 2010/08/17 Cherokee 1.0.9b
////
Virtual Server: Rules
---------------------
Besides the connection handler set for the rule, there are other
parameters that can be set in order to customize the rule behavior.
This menu offers the following tabs:
. link:#rule[Rule]: this is the *rule type*.
. link:#handler[Handler]: Specifies which handler should manage the
requests that match the rule.
. link:#transforms[Transforms]: Transofmration of output stream on the
fly (encoding, and HTTP header alteration).
. link:#caching[Caching]: Specifies content expiration and caching policies.
. link:#security[Security]: in this section one can configure *Access Restrictions*
and *Authentication*.
. link:#restrictions[Restrictions]: Specify connection timeouts, and
also traffic shaping by setting an outbound traffic limit for this
rule, specified in bytes per second.
[[rule]]
Rule
~~~~
Several rule types are available to fit the needs of specific
tasks. Sometimes you will want to restrict the content delivery based
on a user's country of origin, sometimes you might want a behavior to
be applied to a web directory, or you might be interested in modeling
how the web server behaves if a request matches an existing file (or
not).
There is a complete list of the types in the
link:config_virtual_servers_rule_types.html[Rule Types] section.
The behavior can be specified further by combining several basic
rule-types into a complex rule. Complex rules can be defined by
combining several basic types with the boolean operators AND, OR and
NOT. For instance, we could define a rule that would apply to certain
directories only if the request was made from a specific country. It
would be as simple as defining a 'directory type' rule AND a 'GeoIP
type' rule.
[[handler]]
Handler
~~~~~~~
This allows to fine tune the behavior of any of the available
handlers. Since so many options are available, refer to the complete
list of link:modules_handlers.html[handlers] shipped with Cherokee.
Handlers are the modules that generate the information with which the
server responds to a client's request. By default Cherokee provides a
number of them:
**********************************************************************
- link:modules_handlers_common.html[common] - **List & Send**
+
Combines both `Static Content` and `Only listing` handlers
functionality to behave similarly to common web servers, it will
display directory listings when a directory is requested and serve the
requested files.
- link:modules_handlers_file.html[Static Content] - **Static Content**
+
This is the file handler and it serves files straight from the
file system.
- link:modules_handlers_dirlist.html[dirlist] - **Only listing**:
+
Displays a directory content list when a directory is requested,
but it does not allow to download any content.
- link:modules_handlers_redir.html[redir] - **Redirection**
+
Perform simple and/or complex redirections using regexes.
- link:modules_handlers_cgi.html[cgi] - **CGI Execution**
+
Executes CGI programs.
- link:modules_handlers_fcgi.html[fcgi] - **FastCGI Server Support**
+
Communicates with FastCGI servers.
- link:modules_handlers_scgi.html[scgi] - **SCGI Server Support**
+
Communicates with SCGI servers.
- link:modules_handlers_uwsgi.html[uwsgi] - **uWSGI Server Support**
+
Communicates with the uWSGI server.
- link:modules_handlers_proxy.html[proxy] - **HTTP Reverse Proxy**
+
Advanced proxy services.
- link:modules_handlers_streaming.html[streaming] - **Audio/Video streaming**
+
Media streaming directly within Cherokee.
- link:modules_handlers_ssi.html[ssi] - **Server Side Includes**
+
Enables Server Side Includes.
- link:modules_handlers_secdownload.html[secdownload] - **Hidden Downloads**
+
Creates one-time, secure, time-expiring downloads.
- link:modules_handlers_dbslayer.html[dbslayer] - **MySQL Bridge**
+
MySQL load-balancing database abstraction layer.
- link:modules_handlers_custom_error.html[custom_error] - **HTTP Error**
+
Generates customizable HTTP errors.
- link:modules_handlers_empty_gif.html[empty_gif] - **1x1 Transparent GIF**
+
Returns a 1 pixel transparent image.
- link:modules_handlers_server_info.html[Server Info] - **Server
Info**
+
Provide some configurable information about the server.
- link:modules_handlers_admin.html[Remote Administration] - **Remote
Administration**
+
Implements an administration interface to work with
link:other_bundle_cherokee-tweak.html[cherokee-tweak].
**********************************************************************
[[transforms]]
Transforms
~~~~~~~~
The content sent by Cherokee can be processed before being sent.
Basically, you can apply encoders (or not), and alter HTTP headers by
adding or removing the ones you choose.
Information Encoders
^^^^^^^^^^^^^^^^^^^^
This tab is used to configure, on a per-rule basis, what
link:modules_encoders.html[encoders], if any, are to be applied.
You can set up the encoding method to use, and it shall be applied to
whatever content is handled by the parent rule.
Whenever you set up a virtual server, creating a rule where
link:modules_encoders_gzip.html[gzip] is enabled by default for the
following file types: `html`, `htm`, `txt`, `css` and `js` is a good
idea. You are encouraged to use this. Hardware is cheap. Bandwidth is
not.
Header Operations
^^^^^^^^^^^^^^^^^
You can specify any given HTTP header and either assign a value or
delete the header completely.
[[caching]]
Caching
~~~~~~~
Cherokee allows to define per rule behaviors for content expiration
and caching.
Content Expiration
^^^^^^^^^^^^^^^^^^
This allows to manage the configuration of *HTTP Cache headers* used
to identify cacheable content.
HTTP/1.1 defines caching methods in HTTP. Cherokee-Admin can
automatically adjust the `Cache-Control` and `Expire` headers depending
on the values you have configured. The available options are:
. Not set: Does not write the caching headers.
. 1970: Corresponds to the Unix Epoch.
. 2038: Maximum date value representable in POSIX time.
. Custom Value: set a value by hand.
Additionaly, if a content expiration option is set, it is possible to
specify the way in which an intermediate cache should treat the
content, for situations such as when the content is requested to
Cherokee through an HTTP proxy. This is done through the `Management
by caches` setting, that can be specified to any of the following
values: `Not set`, `Private`, `Public`, `No Cache`.
If the setting is enabled, four additional parameters can be
individually turned on and off to fine tune the behavior:
. No Store: Prevents the retention of sensitive information. Caches must not store this content.
. No Transform: Forbid intermediate caches from transforming the content.
. Must Revalidate: The client must contact the server to revalidate the object.
. Proxies Revalidate: Proxy servers must contact the server to revalidate the object.
Cache
^^^^^
Cherokee has very sophisticated caching mechanisms, allowing to cache
anything (static files, dynamic content, or whatever) that passes
by. You can read more into the specifics of this feature in the
link:other_front_line_cache.html[Front-line Cache] documentation.
Three settings are available on a per-rule basis for the `Content
Caching` section: 'Leave unset', 'Allow' and 'Forbid'.
The 'Leave unset' option means that, whenever a rule is applied, it
will not change the status of the caching setting that has been
inherited from previously matched rules.
By default, contents that include cookies are not cached, but the
setting to allowing cache on a rule gives you the possibility to
disregard cookies using regular expressions (so that even that content
can be cached), while a 'Forbid' setting will guarantee that the
matched rule will not be cached no matter what.
[[security]]
Security
~~~~~~~~
This section will give access to access restriction settings and
authentication settings.
[[Logging]]
Logging
^^^^^^^
Here we can specify whether or not the requests that match this rule
should be logged. This can be useful in order to tidy up our log
files, since some rule matches might not provide any relevant logging
information
[[restrictions]]
Access Restrictions
^^^^^^^^^^^^^^^^^^^
* Only https::
This configuration entry determines that the directory will be
served by the secure server (*https*) only.
If you access directory /admin -or any sub-directory- through a
non-secure connection Cherokee will report a *426 Upgrade Required
error*.
* Allow From::
This parameter lets you set up which IP or IP ranges will be allowed
to access the directory contents . The remote client IP will be
checked with all the provided list and only if the IP matches with
some of the rules the access will be allowed.
This field accepts a comma separated list of *Host names*, *IP
addresses* or *IP ranges*. In the last two cases, both IPv4 and IPv6
addresses are valid entries.
[[examples]]
Examples
++++++++
- Allow access only from the IPv6 localhost address
+
----
Allow from ::1
----
- Allow access from the 127.0.0.0/8 network
+
----
Allow from 127.0.0.0/8
----
- or it could also we written like
+
----
Allow from 127.0.0.0/255.0.0.0
----
- It is also possible to use lists instead of a single IP or network
range. And there is even the possibility of mixing IPv4 and IPv6
addresses and networks if you want
+
----
Allow from 192.168.0.0/16, ::1, 10.0.0.1, 3ffe:3200::/24
----
[[authentication]]
Authentication
^^^^^^^^^^^^^^
This parameter allows to configure user/password protected entries. A
validator has to be used in each Auth entry in order to specify the
validation mechanism. The following `validators` are available:
- link:modules_validators_plain.html[plain] - **Plain text file**
+
Uses a plain flat file to perform HTTP authentication.
- link:modules_validators_htpasswd.html[htpasswd] - **Htpasswd file**
+
Uses an htpasswd file to perform HTTP authentication.
- link:modules_validators_htdigest.html[htdigest] - **Htdigest file**
+
Uses an htdigest-generated file to perform HTTP authentication.
- link:modules_validators_ldap.html[ldap] - **LDAP server**
+
Uses an LDAP directory to perform HTTP authentication.
- link:modules_validators_mysql.html[mysql] - **MySQL server**
+
Uses a MySQL database to perform HTTP authentication.
- link:modules_validators_pam.html[PAM] - **PAM Authentication**
+
Uses PAM to perform HTTP authentication.
- link:modules_validators_authlist.html[Fixed list] - ** Authentication lists**
+
Uses lists of users and passwords to perform HTTP authentication.
It is important to take into consideration that there are two different
authentication mechanisms:
* Basic
* Digest
Some link:modules_validators.html[validators] can only handle one of
those mechanisms because of technical limitations. In case the module supports
both of them, the interface allows to choose whether one or both are
to be used.
[[restrictions]]
Restriction
~~~~~~~~~~~
Both connection timeouts and bandwidth limits can be enforced through
this tab.
Connections Timeout
^^^^^^^^^^^^^^^^^^^
This allows to apply a custom timeout to any connection matching the
given rule.
Traffic Shaping
^^^^^^^^^^^^^^^
In order to limit the amount of traffic used for a specific rule you can set
up a traffic shaper. By default no traffic shaping will occur, all possible
network resources are used to facilitate the clients.
This parameter will not act globally, but per outgoing connection. Hence,
20 clients limited to 1kB/s will give 20kB/s as total outbound traffic.
To limit the amount of traffic a value in Bytes per second should be entered.