H2O

the optimized HTTP/1.x, HTTP/2, HTTP/3 server

Powered by Oktavia

Configure > Base Directives

This document describes the configuration directives common to all the protocols and handlers.

Description:

Maps host:port to the mappings of per-host configs.

The directive specifies the mapping between the authorities (the host or host:port section of an URL) and their configurations. The directive is mandatory, and must at least contain one entry.

When port is omitted, the entry will match the requests targetting the default ports (i.e. port 80 for HTTP, port 443 for HTTPS) with given hostname. Otherwise, the entry will match the requests targetting the specified port.

Since version 1.7, a wildcard character * can be used as the first component of the hostname. If used, they are matched using the rule defined in RFC 2818 Section 3.1. For example, *.example.com will match HTTP requests for both foo.example.com and bar.example.com.

For each HTTP request to be processed, the matching host entry is determined by the steps below:

  1. Among the host elements that do not use wildcards, find the first element that matches the host and port being specified by the URI.
  2. If none is found in the previous step, find a matching element among the entries that use wildcards.
  3. If none is found in the previous steps, use the first host element without a strict-match flag.

When the hostname of the HTTP request is unknown (i.e., processing an HTTP/1.0 request without a host header field), only the last step is being used.

Example. A host redirecting all HTTP requests to HTTPS
hosts:
  "www.example.com:80":
    listen:
      port: 80
    paths:
      "/":
        redirect: https://www.example.com/
  "www.example.com:443":
    listen:
      port: 443
      ssl:
        key-file: /path/to/ssl-key-file
        certificate-file: /path/to/ssl-certificate-file
    paths:
      "/":
        file.dir: /path/to/doc-root
Level:
global
Description:

Mapping of paths and their configurations.

The mapping is searched using prefix-match. The entry with the longest path is chosen when more than one matching paths were found. An 404 Not Found error is returned if no matching paths were found.

Example. Configuration with two paths
hosts:
  "www.example.com":
    listen:
      port: 80
    paths:
      "/":
        file.dir: /path/to/doc-root
      "/assets":
        file.dir: /path/to/assets

In releases prior to version 2.0, all the path entries are considered as directories. When H2O receives a request that exactly matches to an entry in paths that does not end with a slash, the server always returns a 301 redirect that appends a slash.

Since 2.0, it depends on the handler of the path whether if a 301 redirect that appends a slash is returned. Server administrators can take advantage of this change to define per-path configurations (see the examples in file.file and the FastCGI handler). file.dir is an exception that continues to perform the redirection; in case of the example above, access to /assets is redirected to /assets/.

Level:
host
Description:

Specifies the port at which the server should listen to.

In addition to specifying the port number, it is also possible to designate the bind address or the SSL and HTTP/3 (QUIC) configuration.

Example. Various ways of using the Listen Directive
# accept HTTP on port 80 on default address (both IPv4 and IPv6)
listen: 80

# accept HTTP on 127.0.0.1:8080
listen:
  host: 127.0.0.1
  port: 8080

# accept HTTPS on port 443
listen:
  port: 443
  ssl:
    key-file: /path/to/key-file
    certificate-file: /path/to/certificate-file

# accept HTTPS on port 443 (using PROXY protocol)
listen:
  port: 443
  ssl:
    key-file: /path/to/key-file
    certificate-file: /path/to/certificate-file
  proxy-protocol: ON

To configure HTTP/3 (QUIC), see HTTP/3.

Configuration Levels

The directive can be used either at global-level or at host-level. At least one listen directive must exist at the global level, or every host-level configuration must have at least one listen directive.

Incoming connections accepted by global-level listeners will be dispatched to one of the host-level contexts with the corresponding host:port, or to the first host-level context if none of the contexts were given host:port corresponding to the request.

Host-level listeners specify bind addresses specific to the host-level context. However it is permitted to specify the same bind address for more than one host-level contexts, in which case hostname-based lookup will be performed between the host contexts that share the address. The feature is useful for setting up a HTTPS virtual host using Server-Name Indication (RFC 6066).

Example. Using host-level listeners for HTTPS virtual-hosting
hosts:
  "www.example.com:443":
    listen:
      port: 443
      ssl:
        key-file: /path/to/www_example_com.key
        certificate-file: /path/to/www_example_com.crt
    paths:
      "/":
        file.dir: /path/to/doc-root_of_www_example_com
  "www.example.jp:443":
    listen:
      port: 443
      ssl:
        key-file: /path/to/www_example_jp.key
        certificate-file: /path/to/www_example_jp.crt
    paths:
      "/":
        file.dir: /path/to/doc-root_of_www_example_jp

SSL Attribute

The ssl attribute must be defined as a mapping, and recognizes the following attributes.

certificate-file:
Path of the SSL certificate file (mandatory). This attribute can specify a PEM file containing either an X.509 certificate chain or a raw public key. When the latter form is being used, RFC 7250 handshake will be used.
key-file:
Path of the SSL private key file (mandatory).
identity:
List of certificate / key pairs. This attribute can be used in place of certificate-file and key-file to specify more than one pair of certificates and keys. When a TLS handshake is performed, h2o uses the first pair that contains a compatible certificate / key. The last pair acts as the fallback.
Example. Using RSA and ECDSA certificates
ssl:
  identity:
  - key-file: /path/to/rsa.key
    certificate-file: /path/to/rsa.crt
  - key-file: /path/to/ecdsa.key
    certificate-file: /path/to/ecdsa.crt
minimum-version:
minimum protocol version, should be one of: SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3. Default is TLSv1.
min-version:
synonym of minimum-version (introduced in version 2.2)
maximum-version:
maximum protocol version. Introduced in version 2.2. Default is the maximum protocol version supported by the server.
max-version:
synonym of maximum-version.
cipher-suite:
list of cipher suites to be passed to OpenSSL via SSL_CTX_set_cipher_list (optional)
cipher-suite-tls1.3:
list of TLS 1.3 cipher suites to use; the list must be a YAML sequence where each element specifies the cipher suite using the name as registered to the IANA TLS Cipher Suite Registry; e.g., TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256.
cipher-preference:
side of the list that should be used for selecting the cipher-suite; should be either of: client, server. Default is client.
dh-file:
path of a PEM file containing the Diffie-Hellman parameters to be used. Use of the file is recommended for servers using Diffie-Hellman key agreement. (optional)
ocsp-update-interval:
interval for updating the OCSP stapling data (in seconds), or set to zero to disable OCSP stapling. Default is 14400 (4 hours).
ocsp-max-failures:
number of consecutive OCSP query failures before stopping to send OCSP stapling data to the client. Default is 3.
ech:
This experimental attribute controls the use of TLS Encrypted Client Hello extension (draft-15). The attribute takes a sequence of mappings, each of them defining one ECH configuration.
Example. Encrypted Clint hello
ssl:
  key-file: /path/to/rsa.key
  certificate-file: /path/to/rsa.crt
  ech:
  - key-file: /path/to/ech.key
    config-id: 11
    public-name: public-name.example.net
    cipher-suite: [ HKDF-SHA256/AES-128-GCM ]

The example above defines one ECH configuration that uses /path/to/ech.key as the semi-static ECDH key with a config-id of 11, with the public-name being public-name.example.net, and the HPKE SymmetricCipherSuite being HKDF-SHA256/AES-128-GCM.

In addition to these four attributes, following attributes may be specified.

max-name-length specifies the maximum-name-length field of an ECH confguration (default: 64).

advertise takes either YES (default) or NO as the argument. This argument indicates if given ECH configuration should be advertised as part of retry_configs (draft-ietf-tls-esni-15; section 5).

When removing a stale ECH configuration, its advertise attribute should be set at first to NO so that the stale configuration would not be advertised. Then, after waiting for the expiry of caches containing the stale configuration, the stale ECH configuration can be removed. This may take long depending on the TTL of the HTTPS / SVC DNS resource record advertising the configuration.

The ech attribute must be set only in the first ssl attribute that binds to a particular address.
neverbleed:
unless set to OFF, H2O isolates SSL private key operations to a different process by using Neverbleed. Default is ON.

ssl-session-resumption directive is provided for tuning parameters related to session resumption and session tickets.

The CC Attribute

The CC attribute specifies the congestion controller to be used for incoming HTTP connections.

For TCP connections, the congestion controller is set using the TCP_CONGESTION socket option on platforms that have support for that socket option. To find out the default and the list of supported congestion controllers, please refer to man 7 tcp. If the platform does not have support for that socket option, the attribute has no effect.

For QUIC connections, the congestion controller is one of Reno, Cubic, Pico. The default is Reno.

The Initcwnd Attribute

The initcwnd attribute specifies the initial congestion window of each incoming HTTP connection in the unit of packets. At the moment, this option only applies to QUIC. It has no effect for TCP connections.

The Proxy-Protocol Attribute

The proxy-protocol attribute (i.e. the value of the attribute must be either ON or OFF) specifies if the server should recognize the information passed via "the PROXY protocol in the incoming connections. The protocol is used by L4 gateways such as AWS Elastic Load Balancing to send peer address to the servers behind the gateways.

When set to ON, H2O standalone server tries to parse the first octets of the incoming connections as defined in version 1 of the specification, and if successful, passes the addresses obtained from the protocol to the web applications and the logging handlers. If the first octets do not accord with the specification, it is considered as the start of the SSL handshake or as the beginning of an HTTP request depending on whether if the ssl attribute has been used.

Default is OFF.

The Sndbuf and Rcvbuf Attributes

The sndbuf and rcvbuf attributes specify the send and receive buffer size for each TCP or UNIX socket used for accepting incoming HTTP connections. If set, the values of these attributes are applied to the sockets using SO_SNDBUF and SO_RCVBUF socket options.

These attributes have no effect for QUIC connections.

Listening to a Unix Socket

If the type attribute is set to unix, then the port attribute is assumed to specify the path of the unix socket to which the standalone server should bound. Also following attributes are recognized.

owner
username of the owner of the socket file. If omitted, the socket file will be owned by the launching user.
group
name of the group of the socket file. If omitted, group ID associated to the socket file will be the group ID of the owner.
permission
an octal number specifying the permission of the socket file. Many operating systems require write permission for connecting to the socket file. If omitted, the permission of the socket file will reflect the umask of the calling process.
Example. Listening to a Unix Socket accessible only by www-data
listen:
  type:       unix
  port:       /tmp/h2o.sock
  owner:      www-data
  permission: 600
Level:
global, host
Description:

Set capabilities to be added to the process before dropping root privileges.

This directive can be used only on Linux. The argument is a YAML sequence of capabilites, where each capability is a name that is accepted by cap_from_name. See man 7 capabilities for details.

Level:
global
Description:

Path of the file to which error logs should be appended.

Default is stderr.

If the path starts with |, the rest of the path is considered as a command to which the logs should be piped.

Example. Log errors to file
error-log: /path/to/error-log-file
Example. Log errors through pipe
error-log: "| rotatelogs /path/to/error-log-file.%Y%m%d 86400"
Level:
global
See also:
error-log.emit-request-errors
Description:

Sets whether if request-level errors should be emitted to the error log.

By setting the value to OFF and by using the %{error}x specifier of the access-log directive, it is possible to log request-level errors only to the access log.
Level:
global, host, path, extension
Default:
error-log.emit-request-errors: ON
See also:
access-log error-log
Description:

Maximum time (in seconds) that can be spent by a connection before it becomes ready to accept an HTTP request.

Times spent for receiving the PROXY protocol and TLS handshake are counted.
Level:
global
Default:
handshake-timeout: 10

"limit-request-body"

Description:

Maximum size of request body in bytes (e.g. content of POST).

Default is 1073741824 (1GB).

Level:
global
Description:

Maximum number of incoming connections to handle at once.

This includes TCP and QUIC connections.
Level:
global
Default:
max-connections: 1024
See also:
max-quic-connections soft-connection-limit
experimental

"max-quic-connections"

Description:

Maximum number of incoming QUIC connections to handle at once.

By default, maximum number of incoming connections is governed by max-connections regardless of the transport protocol (i.e., TCP or QUIC) being used.

This directive introduces an additional cap for incoming QUIC connections. By setting max-quic-connections to a value smaller than max-connections, it would be possible to serve incoming requests that arrive on top of TCP (i.e., HTTP/1 and HTTP/2) even when there are issues with handling QUIC connections.

Level:
global
See also:
num-quic-threads
Description:

Limits the number of delegations (i.e. fetching the response body from an alternate source as specified by the X-Reproxy-URL header).

Level:
global
Default:
max-delegations: 5
Description:

Limits the number of internal redirects.

Level:
global
Default:
max-reprocesses: 5
experimental

"neverbleed-offload"

Description:

Sets an offload engine to be used with neverbleed.

When neverbleed is in use, RSA private key operations can be offload to accelerators using the Intel QuickAssist technology.

This directive takes one of the three values that changes how the accelerators are used:

  • OFF - the accelerator is not used
  • QAT - use of QAT is enforced; startup will fail if the acclerator is unavailable
  • QAT-AUTO - QAT is used if available

Level:
global
Default:
neverbleed-offload: OFF
Description:

Maximum number of threads to run for name resolution.

Level:
global
Default:
num-name-resolution-threads: 32
since v2.0

"num-ocsp-updaters"

Description:

Maximum number of OCSP updaters.

OSCP Stapling is an optimization that speeds up the time spent for establishing a TLS connection. In order to staple OCSP information, a HTTP server is required to periodically contact the certificate authority. This directive caps the number of the processes spawn for collecting the information.

The use and the update interval of OCSP can be configured using the SSL attributes of the listen configuration directive.

Level:
global
Default:
num-ocsp-updaters: 10
Description:

Number of worker threads.

By default, the number of worker threads spawned by h2o is the number of the CPU cores connected to the system as obtained by getconf NPROCESSORS_ONLN.

This directive is used to override the behavior.

If the argument is a YAML scalar, it specifies in integer the number of worker threads to spawn.

If the argument is a YAML sequence, it specifies a list of CPU IDs on each of which one worker thread will be spawned and pinned. This mode can be used oly on systems that have pthread_setaffinity_np.

Level:
global
experimental

"num-quic-threads"

Description:

Restricts the number of worker threads that handle incoming QUIC connections.

By default, all worker threads handle incoming QUIC connections as well as TCP connections.

If num-threads was given a YAML sequence specifying the CPU IDs on which each worker thread will run, the threads pinned to first num-quic-threads threads will handle incoming QUIC connections.

Level:
global
See also:
max-quic-connections
Description:

Name of the file to which the process id of the server should be written.

Default is none.

Level:
global
Description:

Size of the queue used for TCP Fast Open.

TCP Fast Open is an extension to the TCP/IP protocol that reduces the time spent for establishing a connection. On Linux that support the feature, the default value is 4,096. On other platforms the default value is 0 (disabled).

Level:
global
since v2.0

"send-server-name"

Description:

Sets whether if the server response header should be sent or forwarded from backend.

By setting the value to (ON or OFF) indicating whether if the server response header should be sent. And by setting the value to preserve, it forwards the value received from the backend when proxying.

Level:
global
Default:
send-server-name: ON
See also:
server-name
since v2.0

"server-name"

Description:

Lets the user override the value of the server response header.

The default value is h2o/VERSION-NUMBER.
Level:
global
See also:
send-server-name
since v2.0

"setenv"

Description:

Sets one or more environment variables.

Environment variables are a set of key-value pairs containing arbitrary strings, that can be read from applications invoked by the standalone server (e.g. fastcgi handler, mruby handler) and the access logger.

The directive is applied from outer-level to inner-level. At each level, the directive is applied after the unsetenv directive at the corresponding level is applied.

Environment variables are retained through internal redirections.

Example. Setting an environment variable named FOO
setenv:
  FOO: "value_of_FOO"
Level:
global, host, path, extension
See also:
unsetenv
since v2.0

"unsetenv"

Description:

Unsets one or more environment variables.

The directive can be used to have an exception for the paths that have an environment variable set, or can be used to reset variables after an internal redirection.

Example. Setting environment variable for example.com excluding /specific-path
hosts:
  example.com:
    setenv:
      FOO: "value_of_FOO"
    paths:
      /specific-path:
        unsetenv:
          - FOO
      ...
Level:
global, host, path, extension
See also:
setenv
Description:

Specifies the client protocols to which H2O can send 1xx informational responses.

This directive can be used to forward 1xx informational responses (e.g., 103 Early Hints) generated by upstream servers or headers directive to the clients.

If the value is all, H2O always sends informational responses to the client whenever possible (i.e. unless the procotol is HTTP/1.0).

If the value is none, H2O never sends informational responses to the client.

If the value is except-h1, H2O sends informational if the protocol is not HTTP/1.x.

Level:
global
Default:
except-h1
Description:

Number of connections above which idle connections are closed agressively.

H2O accepts up to max-connections TCP connections and max-quic-connections QUIC connections. Once the number of connections reach these maximums, new connection attempts are ignored until existing connections close.

To reduce the possibility of the number of connections reaching the maximum and new connection attempts getting ignored, soft-connection-limit can be used to introduce another threshold. When soft-connection-limit is set, connections that have been idle at least for soft-connection-limit.min-age seconds will start to get closed until the number of connections becomes no greater than soft-connection-limit.

As the intention of this directive is to close connections more agressively under high load than usual, soft-connection-limit.min-age should be set to a smaller value than the other idle timeouts; e.g., http1-request-timeout, http2-idle-timeout.

Level:
global
Description:

Minimum amount of idle time to be guaranteed for HTTP connections even when the connections are closed agressively due to the number of connections exceeding soft-connection-limit.

See soft-connection-limit.

Level:
global
Default:
soft-connection-limit.min-age: 30
Description:

Knob for changing how TLS encryption is handled.

This directive takes one of the following values:

  • OFF - TLS encryption is handled in userspace and the encrypted bytes are sent to the kernel using a write (2) system call.
  • kernel - TLS encryption is offloaded to the kernel. When the network interface card supports TLS offloading, actual encryption might get offloaded to the interface, depending on the kernel configuration.
  • zerocopy - TLS encryption is handled in userspace, but if the encryption logic is capable of writing directly to main memory without polluting the cache, the encrypted data is passed to the kernel without copying (i.e., sendmsg (2) with MSG_ZEROCOPY socket option is used). Otherwise, this option is identical to OFF. This option minimizes cache pollution next to hardware offload.

Kernel option can be used only on Linux. Zerocopy is only available on Linux running on CPUs that support the necessary features; see picotls PR#384 and H2O PR#3007.

Level:
global
Default:
ssl-offload: OFF
See also:
proxy.zerocopy
Description:

Configures cache-based and ticket-based session resumption.

To reduce the latency introduced by the TLS (SSL) handshake, two methods to resume a previous encrypted session are defined by the Internet Engineering Task Force. H2O supports both of the methods: cache-based session resumption (defined in RFC 5246) and ticket-based session resumption (defined in RFC 5077).

Example. Various session-resumption configurations
# use both methods (storing data on internal memory)
ssl-session-resumption:
    mode: all

# use both methods (storing data on memcached running at 192.168.0.4:11211)
ssl-session-resumption:
    mode: all
    cache-store: memcached
    ticket-store: memcached
    cache-memcached-num-threads: 8
    memcached:
        host: 192.168.0.4
        port: 11211

# use ticket-based resumption only (with secrets used for encrypting the tickets stored in a file)
ssl-session-resumption:
    mode: ticket
    ticket-store: file
    ticket-file: /path/to/ticket-encryption-key.yaml

Defining the Methods Used

The mode attribute defines which methods should be used for resuming the TLS sessions. The value can be either of: off, cache, ticket, all. Default is all.

If set to off, session resumption will be disabled, and all TLS connections will be established via full handshakes. If set to all, both session-based and ticket-based resumptions will be used, with the preference given to the ticket-based resumption for clients supporting both the methods.

For each method, additional attributes can be used to customize their behaviors. Attributes that modify the behavior of the disabled method are ignored.

Attributes for Cache-based Resumption

Following attributes are recognized if the cache-based session resumption is enabled. Note that memcached attribute must be defined as well in case the memcached cache-store is used.

cache-store:

defines where the cache should be stored, must be one of: internal, memcached. Default is internal.

Please note that if you compiled h2o with OpenSSL 1.1.0 ~ 1.1.0f, session resumption with external cache store would fail due to bug of OpenSSL.

cache-memcached-num-threads:
defines the maximum number of threads used for communicating with the memcached server. Default is 1.
cache-memcached-prefix:
for the memcached store specifies the key prefix used to store the secrets on memcached. Default is h2o:ssl-session-cache:.

Attributes for Ticket-based Resumption

Ticket-based session resumption uses ticket encryption key(s) to encrypt the keys used for encrypting the data transmitted over TLS connections. To achieve forward-secrecy (i.e. protect past communications from being decrypted in case the ticket encryption key gets obtained by a third party), it is essential to periodically roll over the encyrption key.

Among the three types of stores supported for ticket-based session resumption, the internal store and memcached store implement automatic roll-over of the secrets. A new ticket encryption key is created every 1/4 of the session lifetime (defined by the lifetime attribute), and they expire (and gets removed) after 5/4 of the session lifetime elapse.

For the file store, it is the responsibility of the web-site administrator to periodically update the secrets. H2O monitors the file and reloads the secrets when the file is altered.

Following attributes are recognized if the ticket-based resumption is enabled.

ticket-store:
defines where the secrets for ticket-based resumption should be / is stored, must be one of: internal, file, memcached. Default is internal.
ticket-cipher:
for stores that implement automatic roll-over, specifies the cipher used for encrypting the tickets. The value must be one recognizable by EVP_get_cipherbyname. Default is aes-256-cbc.
ticket-hash:
for stores that implement automatic roll-over, specifies the cipher used for digitally-signing the tickets. The value must be one recognizable by EVP_get_digestbyname. Default is sha-256.
ticket-file:
for the file store specifies the file in which the secrets are stored
ticket-memcached-key:
for the memcached store specifies the key used to store the secrets on memcached. Default is h2o:ssl-session-ticket.

Format of the Ticket Encryption Key

Either as a file (specified by ticket-file attribute) or as a memcached entry (ticket-memcached-key), the encryption keys for the session tickets are stored as a sequence of YAML mappings. Each mapping must have all of the following attributes set.

name
a string of 32 hexadecimal characters representing the name of the ticket encryption key. The value is only used for identifying the key; it can be generated by calling a PRNG.
cipher
name of the symmetric cipher used to protect the session tickets. The only supported values are: aes-128-cbc and aes-256-cbc (the default).
hash
the hash algorithm to be used for validating the session tickets. The only supported value is: sha256.
key
concatenation of the key for the symmetric cipher and the HMAC, encoded as hexadecimal characters. The length of the string should be the sum of the cipher key length plus the hash key length, mulitplied by two (due to hexadicimal encoding); i.e. 96 bytes for aes-128-cbc/sha256 or 128 bytes for aes-256-cbc/sha256.
not_before
the time from when the key can be used for encrypting the session tickets. The value is encoded as milliseconds since epoch (Jan 1 1970). When rotating the encryption keys manually on multiple servers, you should set the not_before attribute of the newly added key to some time in the future, so that the all the servers will start using the new key at the same moment.
not_after
until when the key can be used for encrypting the session tickets

The following example shows a YAML file containing two session ticket encryption keys. The first entry is used for encrypting new keys on Jan 5 2018. The second entry is used for encrypting new keys on Jan 6 2018.

Example. session ticket key file
- name:       c173437296d6c2307fd39b40c944c227
  cipher:     aes-256-cbc
  hash:       sha256
  key:        e54210a0f6a6319aa155a33b8babd772319bad9f27903746dfbe6df7a4058485a8cedb057cfc5b70080cda2354fc3e13
  not_before: 1515110400000 # 2018-01-05 00:00:00.000
  not_after:  1515196799999 # 2018-01-05 23:59:59.999
- name:       bb1a15d75dc498624890dc5a7e164675
  cipher:     aes-256-cbc
  hash:       sha256
  key:        b4120bc903d6521fefa357ac322561fc97aa9e5ae5e18eade64832439b9095ab80f8429d6b50ff9c4c5eca1f90717d30
  not_before: 1515196800000 # 2018-01-06 00:00:00.000
  not_after:  1515283199999 # 2018-01-06 23:59:59.999

Other Attributes

Following attributes are common to cache-based and ticket-based session resumption.

lifetime:
defines the lifetime of a TLS session; when it expires the session cache entry is purged, and establishing a new connection will require a full TLS handshake. Default value is 3600 (in seconds).
memcached:
specifies the location of memcached used by the memcached stores. The value must be a mapping with host attribute specifying the address of the memcached server, and optionally a port attribute specifying the port number (default is 11211). By default, the memcached client uses the BINARY protocol. Users can opt-in to using the legacy ASCII protocol by adding a protocol attribute set to ASCII.
Level:
global
Description:

A boolean flag designating if the current host element should not be considered as the fallback element.

See hosts.
Level:
host
Default:
strict-match: OFF
Description:

A boolean flag designating if TCP socket listeners should be opened with the SO_REUSEPORT option.

Level:
global
Default:
tcp-reuseport: OFF
since v2.0

"temp-buffer-path"

Description:

Directory in which temporary buffer files are created.

H2O uses an internal structure called h2o_buffer_t for buffering various kinds of data (e.g. POST content, response from upstream HTTP or FastCGI server). When amount of the data allocated in the buffer exceeds the default value of 32MB, it starts allocating storage from the directory pointed to by the directive. The threshold can be tuned or disabled using the temp-buffer-threshold directive.

By using the directive, users can set the directory to one within a memory-backed file system (e.g. tmpfs) for speed, or specify a disk-based file system to avoid memory pressure.

Note that the directory must be writable by the running user of the server.

Level:
global
Default:
temp-buffer-path: "/tmp"
See also:
user temp-buffer-threshold
Description:

Minimum size to offload a large memory allocation to a temporary buffer.

Users can use this directive to tune the threshold for when the server should use temporary buffers. The minimum value accepted is 1MB (1048576) to avoid overusing these buffers, which will lead to performance degradation. If omitted, the default of 32MB is used.

The user can disable temporary buffers altogether by setting this threshold to OFF.

Level:
global
Default:
temp-buffer-threshold: "33554432"
See also:
temp-buffer-path
Description:

Username under which the server should handle incoming requests.

If the directive is omitted and if the server is started under root privileges, the server will attempt to setuid to nobody.

Level:
global
since v2.1

"crash-handler"

Description:

Script to invoke if h2o receives a fatal signal.

Note: this feature is only available when linking to the GNU libc.

The script is invoked if one of the SIGABRT, SIGBUS, SIGFPE, SIGILL or SIGSEGV signals is received by h2o.

h2o writes the backtrace as provided by backtrace() and backtrace_symbols_fd to the standard input of the program.

If the path is not absolute, it is prefixed with ${H2O_ROOT}/.

Level:
global
Default:
crash-handler: "${H2O_ROOT}/share/h2o/annotate-backtrace-symbols"
Description:

Whether h2o should wait for the crash handler pipe to close before exiting.

When this setting is ON, h2o will wait for the pipe to the crash handler to be closed before exiting. This can be useful if you use a custom handler that inspects the dying process.

Level:
global
Default:
crash-handler.wait-pipe-close: OFF
since v2.3

"stash"

Description:

Directive being used to store reusable YAML variables.

This directive does nothing itself, but can be used to store YAML variables and reuse those using YAML Alias.

Example. Reusing stashed variables across multiple hosts
stash:
  ssl: &ssl
    port: 443
  paths: &paths
    /:
      file.dir: /path/to/root
hosts:
  "example.com":
    listen:
      <<: &ssl
      ssl:
        certificate-file: /path/to/example.com.crt
        key-file:         /path/to/example.com.key
    paths: *paths
  "example.org":
    listen:
      <<: &ssl
      ssl:
        certificate-file: /path/to/example.org.crt
        key-file:         /path/to/example.org.key
    paths: *paths
Level:
global, host, path, extension