BaToSay Shell

BATOSAY Shell
Server IP : 170.10.162.208 / Your IP : 216.73.216.181
Web Server : LiteSpeed
System : Linux altar19.supremepanel19.com 4.18.0-553.69.1.lve.el8.x86_64 #1 SMP Wed Aug 13 19:53:59 UTC 2025 x86_64
User : deltahospital ( 1806)
PHP Version : 7.4.33
Disable Function : NONE
MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON | Sudo : OFF | Pkexec : OFF
Directory : /home/deltahospital/test.delta-hospital.com/
Upload File :
[ HOME ]
Current File : /home/deltahospital/test.delta-hospital.com/man1.tar
xmllint.1000064400000033172150535761270006336 0ustar00'\" t
.\"     Title: xmllint
.\"    Author: John Fleck <jfleck@inkstain.net>
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 06/12/2024
.\"    Manual: xmllint Manual
.\"    Source: libxml2
.\"  Language: English
.\"
.TH "XMLLINT" "1" "06/12/2024" "libxml2" "xmllint Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
xmllint \- command line XML tool
.SH "SYNOPSIS"
.HP \w'\fBxmllint\fR\ 'u
\fBxmllint\fR [\fB\-\-version\fR | \fB\-\-debug\fR | \fB\-\-quiet\fR | \fB\-\-shell\fR | \fB\-\-xpath\ "\fR\fB\fIXPath_expression\fR\fR\fB"\fR | \fB\-\-debugent\fR | \fB\-\-copy\fR | \fB\-\-recover\fR | \fB\-\-nodict\fR | \fB\-\-noent\fR | \fB\-\-noout\fR | \fB\-\-nonet\fR | \fB\-\-path\ "\fR\fB\fIPATH(S)\fR\fR\fB"\fR | \fB\-\-load\-trace\fR | \fB\-\-htmlout\fR | \fB\-\-nowrap\fR | \fB\-\-valid\fR | \fB\-\-postvalid\fR | \fB\-\-dtdvalid\ \fR\fB\fIURL\fR\fR | \fB\-\-dtdvalidfpi\ \fR\fB\fIFPI\fR\fR | \fB\-\-timing\fR | \fB\-\-output\ \fR\fB\fIFILE\fR\fR | \fB\-\-repeat\fR | \fB\-\-insert\fR | \fB\-\-compress\fR | \fB\-\-html\fR | \fB\-\-xmlout\fR | \fB\-\-push\fR | \fB\-\-memory\fR | \fB\-\-max\-ampl\ \fR\fB\fIINTEGER\fR\fR | \fB\-\-maxmem\ \fR\fB\fINBBYTES\fR\fR | \fB\-\-nowarning\fR | \fB\-\-noblanks\fR | \fB\-\-nocdata\fR | \fB\-\-format\fR | \fB\-\-encode\ \fR\fB\fIENCODING\fR\fR | \fB\-\-dropdtd\fR | \fB\-\-nsclean\fR | \fB\-\-testIO\fR | \fB\-\-catalogs\fR | \fB\-\-nocatalogs\fR | \fB\-\-auto\fR | \fB\-\-xinclude\fR | \fB\-\-noxincludenode\fR | \fB\-\-loaddtd\fR | \fB\-\-dtdattr\fR | \fB\-\-stream\fR | \fB\-\-walker\fR | \fB\-\-pattern\ \fR\fB\fIPATTERNVALUE\fR\fR | \fB\-\-relaxng\ \fR\fB\fISCHEMA\fR\fR | \fB\-\-schema\ \fR\fB\fISCHEMA\fR\fR | \fB\-\-c14n\fR | \fB\-\-pedantic\fR] {\fIXML\-FILE(S)\fR... | \-}
.HP \w'\fBxmllint\fR\ 'u
\fBxmllint\fR \fB\-\-help\fR
.SH "DESCRIPTION"
.PP
The
\fBxmllint\fR
program parses one or more
XML
files, specified on the command line as
\fIXML\-FILE\fR
(or the standard input if the filename provided is
\fB\-\fR
)\&. It prints various types of output, depending upon the options selected\&. It is useful for detecting errors both in
XML
code and in the
XML
parser itself\&.
.PP
\fBxmllint\fR
is included in
\fBlibxml\fR(3)\&.
.SH "OPTIONS"
.PP
\fBxmllint\fR
accepts the following options (in alphabetical order):
.PP
\fB\-\-auto\fR
.RS 4
Generate a small document for testing purposes\&.
.RE
.PP
\fB\-\-catalogs\fR
.RS 4
Use the
SGML
catalog(s) from
\fBSGML_CATALOG_FILES\fR\&. Otherwise
XML
catalogs starting from
/etc/xml/catalog
or, more specifically,
${sysconfdir}/xml/catalog
are used by default\&.
.RE
.PP
\fB\-\-compress\fR
.RS 4
Turn on
\fBgzip\fR(1)
compression of output\&.
.RE
.PP
\fB\-\-copy\fR
.RS 4
Test the internal copy implementation\&.
.RE
.PP
\fB\-\-c14n\fR
.RS 4
Use the W3C
XML
Canonicalisation (C14N) to serialize the result of parsing to
stdout\&. It keeps comments in the result\&.
.RE
.PP
\fB\-\-dtdvalid \fR\fB\fIURL\fR\fR
.RS 4
Use the
DTD
specified by an
\fIURL\fR
for validation\&.
.RE
.PP
\fB\-\-dtdvalidfpi \fR\fB\fIFPI\fR\fR
.RS 4
Use the
DTD
specified by a Formal Public Identifier
\fIFPI\fR
for validation, note that this will require a catalog exporting that Formal Public Identifier to work\&.
.RE
.PP
\fB\-\-debug\fR
.RS 4
Parse a file and output an annotated tree of the in\-memory version of the document\&.
.RE
.PP
\fB\-\-debugent\fR
.RS 4
Debug the entities defined in the document\&.
.RE
.PP
\fB\-\-dropdtd\fR
.RS 4
Remove
DTD
from output\&.
.RE
.PP
\fB\-\-dtdattr\fR
.RS 4
Fetch external
DTD
and populate the tree with inherited attributes\&.
.RE
.PP
\fB\-\-encode \fR\fB\fIENCODING\fR\fR
.RS 4
Output in the given encoding\&. Note that this works for full document not fragments or result from XPath queries\&.
.RE
.PP
\fB\-\-format\fR
.RS 4
Reformat and reindent the output\&. The
\fBXMLLINT_INDENT\fR
environment variable controls the indentation\&. The default value is two spaces " ")\&.
.RE
.PP
\fB\-\-help\fR
.RS 4
Print out a short usage summary for
\fBxmllint\fR\&.
.RE
.PP
\fB\-\-html\fR
.RS 4
Use the
HTML
parser\&.
.RE
.PP
\fB\-\-htmlout\fR
.RS 4
Output results as an
HTML
file\&. This causes
\fBxmllint\fR
to output the necessary
HTML
tags surrounding the result tree output so the results can be displayed/viewed in a browser\&.
.RE
.PP
\fB\-\-insert\fR
.RS 4
Test for valid insertions\&.
.RE
.PP
\fB\-\-loaddtd\fR
.RS 4
Fetch an external
DTD\&.
.RE
.PP
\fB\-\-load\-trace\fR
.RS 4
Display all the documents loaded during the processing to
stderr\&.
.RE
.PP
\fB\-\-max\-ampl \fR\fB\fIINTEGER\fR\fR
.RS 4
Set the maximum amplification factor which protects against exponential entity expansion ("billion laughs")\&. The default value is 5\&. Documents making heavy use of entity expansion may require a higher value\&.
.RE
.PP
\fB\-\-maxmem \fR\fB\fINNBYTES\fR\fR
.RS 4
Test the parser memory support\&.
\fINNBYTES\fR
is the maximum number of bytes the library is allowed to allocate\&. This can also be used to make sure batch processing of
XML
files will not exhaust the virtual memory of the server running them\&.
.RE
.PP
\fB\-\-memory\fR
.RS 4
Parse from memory\&.
.RE
.PP
\fB\-\-noblanks\fR
.RS 4
Drop ignorable blank spaces\&.
.RE
.PP
\fB\-\-nocatalogs\fR
.RS 4
Do not use any catalogs\&.
.RE
.PP
\fB\-\-nocdata\fR
.RS 4
Substitute CDATA section by equivalent text nodes\&.
.RE
.PP
\fB\-\-nodict\fR
.RS 4
Don\*(Aqt use dictionaries (parser option XML_PARSE_NODICT)\&. Only for debugging\&.
.RE
.PP
\fB\-\-noent\fR
.RS 4
Substitute entity values for entity references\&. By default,
\fBxmllint\fR
leaves entity references in place\&.
.RE
.PP
\fB\-\-nonet\fR
.RS 4
Do not use the Internet to fetch
DTDs or entities\&.
.RE
.PP
\fB\-\-noout\fR
.RS 4
Suppress output\&. By default,
\fBxmllint\fR
outputs the result tree\&.
.RE
.PP
\fB\-\-nowarning\fR
.RS 4
Do not emit warnings from the parser and/or validator\&.
.RE
.PP
\fB\-\-nowrap\fR
.RS 4
Do not output
HTML
doc wrapper\&.
.RE
.PP
\fB\-\-noxincludenode\fR
.RS 4
Do XInclude processing but do not generate XInclude start and end nodes\&.
.RE
.PP
\fB\-\-nsclean\fR
.RS 4
Remove redundant namespace declarations\&.
.RE
.PP
\fB\-\-output \fR\fB\fIFILE\fR\fR
.RS 4
Define a file path where
\fBxmllint\fR
will save the result of parsing\&. Usually the programs build a tree and save it on
stdout, with this option the result
XML
instance will be saved onto a file\&.
.RE
.PP
\fB\-\-path "\fR\fB\fIPATH(S)\fR\fR\fB"\fR
.RS 4
Use the (space\- or colon\-separated) list of filesystem paths specified by
\fIPATHS\fR
to load
DTDs or entities\&. Enclose space\-separated lists by quotation marks\&.
.RE
.PP
\fB\-\-pattern \fR\fB\fIPATTERNVALUE\fR\fR
.RS 4
Used to exercise the pattern recognition engine, which can be used with the reader interface to the parser\&. It allows to select some nodes in the document based on an XPath (subset) expression\&. Used for debugging\&.
.RE
.PP
\fB\-\-pedantic\fR
.RS 4
Enable additional warnings\&.
.RE
.PP
\fB\-\-postvalid\fR
.RS 4
Validate after parsing has completed\&.
.RE
.PP
\fB\-\-push\fR
.RS 4
Use the push mode of the parser\&.
.RE
.PP
\fB\-\-quiet\fR
.RS 4
Don\*(Aqt print informational messages to stderr\&.
.RE
.PP
\fB\-\-recover\fR
.RS 4
Output any parsable portions of an invalid document\&.
.RE
.PP
\fB\-\-relaxng \fR\fB\fISCHEMA\fR\fR
.RS 4
Use RelaxNG file named
\fISCHEMA\fR
for validation\&.
.RE
.PP
\fB\-\-repeat\fR
.RS 4
Repeat 100 times, for timing or profiling\&.
.RE
.PP
\fB\-\-schema \fR\fB\fISCHEMA\fR\fR
.RS 4
Use a W3C
XML
Schema file named
\fISCHEMA\fR
for validation\&.
.RE
.PP
\fB\-\-shell\fR
.RS 4
Run a navigating shell\&. Details on available commands in shell mode are below (see
the section called \(lqSHELL COMMANDS\(rq)\&.
.RE
.PP
\fB\-\-xpath "\fR\fB\fIXPath_expression\fR\fR\fB"\fR
.RS 4
Run an XPath expression given as argument and print the result\&. In case of a nodeset result, each node in the node set is serialized in full in the output\&. In case of an empty node set the "XPath set is empty" result will be shown and exit code 11 will be returned\&.\&. This feature is EXPERIMENTAL\&. Implementation details can change without futher notice\&.
.RE
.PP
\fB\-\-stream\fR
.RS 4
Use streaming
API
\- useful when used in combination with
\fB\-\-relaxng\fR
or
\fB\-\-valid\fR
options for validation of files that are too large to be held in memory\&.
.RE
.PP
\fB\-\-testIO\fR
.RS 4
Test user input/output support\&.
.RE
.PP
\fB\-\-timing\fR
.RS 4
Output information about the time it takes
\fBxmllint\fR
to perform the various steps\&.
.RE
.PP
\fB\-\-valid\fR
.RS 4
Determine if the document is a valid instance of the included Document Type Definition (DTD)\&. A
DTD
to be validated against also can be specified at the command line using the
\fB\-\-dtdvalid\fR
option\&. By default,
\fBxmllint\fR
also checks to determine if the document is well\-formed\&.
.RE
.PP
\fB\-\-version\fR
.RS 4
Display the version of
\fBlibxml\fR(3)
used\&.
.RE
.PP
\fB\-\-walker\fR
.RS 4
Test the walker module, which is a reader interface but for a document tree, instead of using the reader
API
on an unparsed document it works on an existing in\-memory tree\&. Used for debugging\&.
.RE
.PP
\fB\-\-xinclude\fR
.RS 4
Do XInclude processing\&.
.RE
.PP
\fB\-\-xmlout\fR
.RS 4
Used in conjunction with
\fB\-\-html\fR\&. Usually when
HTML
is parsed the document is saved with the
HTML
serializer\&. But with this option the resulting document is saved with the
XML
serializer\&. This is primarily used to generate
XHTML
from
HTML
input\&.
.RE
.SH "SHELL COMMANDS"
.PP
\fBxmllint\fR
offers an interactive shell mode invoked with the
\fB\-\-shell\fR
command\&. Available commands in shell mode include (in alphabetical order):
.PP
\fBbase\fR
.RS 4
Display
XML
base of the node\&.
.RE
.PP
\fBbye\fR
.RS 4
Leave the shell\&.
.RE
.PP
\fBcat \fR\fB\fINODE\fR\fR
.RS 4
Display the given node or the current one\&.
.RE
.PP
\fBcd \fR\fB\fIPATH\fR\fR
.RS 4
Change the current node to the given path (if unique) or root if no argument is given\&.
.RE
.PP
\fBdir \fR\fB\fIPATH\fR\fR
.RS 4
Dumps information about the node (namespace, attributes, content)\&.
.RE
.PP
\fBdu \fR\fB\fIPATH\fR\fR
.RS 4
Show the structure of the subtree under the given path or the current node\&.
.RE
.PP
\fBexit\fR
.RS 4
Leave the shell\&.
.RE
.PP
\fBhelp\fR
.RS 4
Show this help\&.
.RE
.PP
\fBload \fR\fB\fIFILENAME\fR\fR
.RS 4
Load a new document with the given filename\&.
.RE
.PP
\fBls \fR\fB\fIPATH\fR\fR
.RS 4
List contents of the given path or the current directory\&.
.RE
.PP
\fBpwd\fR
.RS 4
Display the path to the current node\&.
.RE
.PP
\fBquit\fR
.RS 4
Leave the shell\&.
.RE
.PP
\fBsave \fR\fB\fIFILENAME\fR\fR
.RS 4
Save the current document to the given filename or to the original name\&.
.RE
.PP
\fBvalidate\fR
.RS 4
Check the document for errors\&.
.RE
.PP
\fBwrite \fR\fB\fIFILENAME\fR\fR
.RS 4
Write the current node to the given filename\&.
.RE
.SH "ENVIRONMENT"
.PP
\fBSGML_CATALOG_FILES\fR
.RS 4
SGML
catalog behavior can be changed by redirecting queries to the user\*(Aqs own set of catalogs\&. This can be done by setting the
\fBSGML_CATALOG_FILES\fR
environment variable to a list of catalogs\&. An empty one should deactivate loading the default catalog\&.
.RE
.PP
\fBXML_CATALOG_FILES\fR
.RS 4
XML
catalog behavior can be changed by redirecting queries to the user\*(Aqs own set of catalogs\&. This can be done by setting the
\fBXML_CATALOG_FILES\fR
environment variable to a space\-separated list of catalogs\&. Use percent\-encoding to escape spaces or other characters\&. An empty variable should deactivate loading the default catalog\&.
.RE
.PP
\fBXML_DEBUG_CATALOG\fR
.RS 4
Setting the environment variable
\fBXML_DEBUG_CATALOG\fR
to
\fInon\-zero\fR
using the
\fBexport\fR
command outputs debugging information related to catalog operations\&.
.RE
.PP
\fBXMLLINT_INDENT\fR
.RS 4
Setting the environment variable
\fBXMLLINT_INDENT\fR
controls the indentation\&. The default value is two spaces " "\&.
.RE
.SH "DIAGNOSTICS"
.PP
\fBxmllint\fR
return codes provide information that can be used when calling it from scripts\&.
.PP
\fB0\fR
.RS 4
No error
.RE
.PP
\fB1\fR
.RS 4
Unclassified
.RE
.PP
\fB2\fR
.RS 4
Error in
DTD
.RE
.PP
\fB3\fR
.RS 4
Validation error
.RE
.PP
\fB4\fR
.RS 4
Validation error
.RE
.PP
\fB5\fR
.RS 4
Error in schema compilation
.RE
.PP
\fB6\fR
.RS 4
Error writing output
.RE
.PP
\fB7\fR
.RS 4
Error in pattern (generated when
\fB\-\-pattern\fR
option is used)
.RE
.PP
\fB9\fR
.RS 4
Out of memory error
.RE
.PP
\fB10\fR
.RS 4
XPath evaluation error
.RE
.PP
\fB11\fR
.RS 4
XPath result is empty
.RE
.SH "SEE ALSO"
.PP
\fBlibxml\fR(3)
.PP
More information can be found at
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBlibxml\fR(3)
web page
\m[blue]\fB\%https://gitlab.gnome.org/GNOME/libxml2\fR\m[]
.RE
.sp
.SH "AUTHORS"
.PP
\fBJohn Fleck\fR <\&jfleck@inkstain\&.net\&>
.RS 4
Author.
.RE
.PP
\fBZiying Sherwin\fR <\&sherwin@nlm\&.nih\&.gov\&>
.RS 4
Author.
.RE
.PP
\fBHeiko Rupp\fR <\&hwr@pilhuhn\&.de\&>
.RS 4
Author.
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2004
.br
xml2-config.1000064400000002351150535761270006767 0ustar00.TH xml2-config 1 "3 April 2022" Version 1.2.0
.SH NAME
xml2-config - script to get information about the installed version of libxml2
.SH SYNOPSIS
.B xml2-config
[\-\-prefix\fI[=DIR]\fP] [\-\-libs] [\-\-cflags] [\-\-version] [\-\-help]
.SH DESCRIPTION
\fIxml2-config\fP is a tool that is used to determine the compile and
linker flags that should be used to compile and link programs that use
\fIlibxml2\fP.
.SH OPTIONS
\fIxml2-config\fP accepts the following options:
.TP 8
.B  \-\-version
Print the currently installed version of \fIlibxml2\fP on the standard output.
.TP 8
.B  \-\-libs
Print the linker flags that are necessary to link a \fIlibxml2\fP program.
Add \-\-dynamic after \-\-libs to print only shared library linking
information.
.TP 8
.B  \-\-cflags
Print the compiler flags that are necessary to compile a \fIlibxml2\fP program.
.TP 8
.B  \-\-prefix=PREFIX
If specified, use PREFIX instead of the installation prefix that
\fIlibxml2\fP was built with when computing the output for the
\-\-cflags and \-\-libs options. This option must be specified before
any \-\-libs or \-\-cflags options.
.SH AUTHOR
This manual page was written by Fredrik Hallenberg <hallon@lysator.liu.se>,
for the Debian GNU/linux system (but may be used by others).
xmlcatalog.1000064400000020734150535761270007002 0ustar00'\" t
.\"     Title: xmlcatalog
.\"    Author: John Fleck <jfleck@inkstain.net>
.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
.\"      Date: 06/12/2024
.\"    Manual: xmlcatalog Manual
.\"    Source: libxml2
.\"  Language: English
.\"
.TH "XMLCATALOG" "1" "06/12/2024" "libxml2" "xmlcatalog Manual"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
xmlcatalog \- Command line tool to parse and manipulate XML or SGML catalog files\&.
.SH "SYNOPSIS"
.HP \w'\fBxmlcatalog\fR\ 'u
\fBxmlcatalog\fR [\fB\-\-sgml\fR | \fB\-\-shell\fR | \fB\-\-convert\fR | \fB\-\-create\fR | \fB\-\-del\ \fR\fB\fIVALUE(S)\fR\fR | [\ \fB\-\-add\ \fR\fB\fITYPE\fR\fR\fB\ \fR\fB\fIORIG\fR\fR\fB\ \fR\fB\fIREPLACE\fR\fR\fB\ \fR\ |\ \fB\-\-add\ \fR\fB\fIFILENAME\fR\fR] | \fB\-\-noout\fR | \fB\-\-no\-super\-update\fR | [\fB\-v\fR\ |\ \fB\-\-verbose\fR]] {\fICATALOGFILE\fR} {\fIENTITIES\fR...}
.SH "DESCRIPTION"
.PP
\fBxmlcatalog\fR
is a command line application allowing users to monitor and manipulate
XML
and
SGML
catalogs\&. It is included in
\fBlibxml\fR(3)\&.
.PP
Its functions can be invoked from a single command from the command line, or it can perform multiple functions in interactive mode\&. It can operate on both
XML
and
SGML
files\&.
.SH "OPTIONS"
.PP
\fBxmlcatalog\fR
accepts the following options (in alphabetical order):
.PP
\fB\-\-add \fR\fB\fITYPE\fR\fR\fB \fR\fB\fIORIG\fR\fR\fB \fR\fB\fIREPLACE\fR\fR\fB \fR
.RS 4
Add an entry to
CATALOGFILE\&.
\fITYPE\fR
indicates the type of entry\&. Possible types are:
\fIpublic\fR, \fIsystem\fR, \fIuri\fR, \fIrewriteSystem\fR, \fIrewriteURI\fR, \fIdelegatePublic\fR, \fIdelegateSystem\fR, \fIdelegateURI\fR, \fInextCatalog\fR\&.
\fIORIG\fR
is the original reference to be replaced, and
\fIREPLACE\fR
is the
URI
of the replacement entity to be used\&. The
\fB\-\-add\fR
option will not overwrite
CATALOGFILE, outputting to
stdout, unless
\fB\-\-noout\fR
is used\&. The
\fB\-\-add\fR
will always take three parameters even if some of the
XML
catalog constructs will have only a single argument\&.
.RE
.PP
\fB\-\-add \fR\fB\fIFILENAME\fR\fR
.RS 4
If the
\fB\-\-add\fR
option is used following the
\fB\-\-sgml\fR
option, only a single argument, a
\fIFILENAME\fR, is used\&. This is used to add the name of a catalog file to an
SGML
supercatalog, a file that contains references to other included
SGML
catalog files\&.
.RE
.PP
\fB\-\-convert\fR
.RS 4
Convert SGML catalog to XML\&.
.RE
.PP
\fB\-\-create\fR
.RS 4
Create a new
XML
catalog\&. Outputs to
stdout, ignoring
\fIfilename\fR
unless
\fB\-\-noout\fR
is used, in which case it creates a new catalog file
\fIfilename\fR\&.
.RE
.PP
\fB\-\-del \fR\fB\fIVALUE(S)\fR\fR
.RS 4
Remove entries from
\fICATALOGFILE\fR
matching
\fIVALUE(S)\fR\&. The
\fB\-\-del\fR
option will not overwrite
\fICATALOGFILE\fR, outputting to
stdout, unless
\fB\-\-noout\fR
is used\&.
.RE
.PP
\fB\-\-noout\fR
.RS 4
Save output to the named file rather than outputting to
stdout\&.
.RE
.PP
\fB\-\-no\-super\-update\fR
.RS 4
Do not update the
SGML
super catalog\&.
.RE
.PP
\fB\-\-shell\fR
.RS 4
Run a shell allowing interactive queries on catalog file
\fICATALOGFILE\fR\&. For the set of available commands see
the section called \(lqSHELL COMMANDS\(rq\&.
.RE
.PP
\fB\-\-sgml\fR
.RS 4
Uses
SGML
super catalogs for
\fB\-\-add\fR
and
\fB\-\-del\fR
options\&.
.RE
.PP
\fB\-v\fR, \fB\-\-verbose\fR
.RS 4
Output debugging information\&.
.RE
.PP
Invoking
\fBxmlcatalog\fR
non\-interactively without a designated action (imposed with options like
\fB\-\-add\fR) will result in a lookup of the catalog entry for
\fIENTITIES\fR
in the catalog denoted with
\fICATALOGFILE\fR\&. The corresponding entries will be output to the command line\&. This mode of operation, together with
\fB\-\-shell\fR
mode and non\-modifying (i\&.e\&. without
\fB\-\-noout\fR) direct actions, allows for a special shortcut of the void
\fICATALOGFILE\fR
specification (possibly expressed as "" in the shell environment) appointing the default system catalog\&. That simplifies the handling when its exact location is irrelevant but the respective built\-in still needs to be consulted\&.
.SH "SHELL COMMANDS"
.PP
Invoking
\fBxmlcatalog\fR
with the
\fB\-\-shell \fR\fB\fICATALOGFILE\fR\fR
option opens a command line shell allowing interactive access to the catalog file identified by
\fICATALOGFILE\fR\&. Invoking the shell provides a command line prompt after which the following commands (described in alphabetical order) can be entered\&.
.PP
\fBadd \fR\fB\fITYPE\fR\fR\fB \fR\fB\fIORIG\fR\fR\fB \fR\fB\fIREPLACE\fR\fR\fB \fR
.RS 4
Add an entry to the catalog file\&.
\fITYPE\fR
indicates the type of entry\&. Possible types are:
\fIpublic\fR, \fIsystem\fR, \fIuri\fR, \fIrewriteSystem\fR, \fIrewriteURI\fR, \fIdelegatePublic\fR, \fIdelegateSystem\fR, \fIdelegateURI\fR, \fInextCatalog\fR\&.
\fIORIG\fR
is the original reference to be replaced, and
\fIREPLACE\fR
is the
URI
of the replacement entity to be used\&. The
\fB\-\-add\fR
option will not overwrite
CATALOGFILE, outputting to
stdout, unless
\fB\-\-noout\fR
is used\&. The
\fB\-\-add\fR
will always take three parameters even if some of the
XML
catalog constructs will have only a single argument\&.
.RE
.PP
\fBdebug\fR
.RS 4
Print debugging statements showing the steps
\fBxmlcatalog\fR
is executing\&.
.RE
.PP
\fBdel \fR\fB\fIVALUE(S)\fR\fR
.RS 4
Remove the catalog entry corresponding to
\fIVALUE(S)\fR\&.
.RE
.PP
\fBdump\fR
.RS 4
Print the current catalog\&.
.RE
.PP
\fBexit\fR
.RS 4
Quit the shell\&.
.RE
.PP
\fBpublic \fR\fB\fIPUBLIC\-ID\fR\fR
.RS 4
Execute a Formal Public Identifier lookup of the catalog entry for
\fIPUBLIC\-ID\fR\&. The corresponding entry will be output to the command line\&.
.RE
.PP
\fBquiet\fR
.RS 4
Stop printing debugging statements\&.
.RE
.PP
\fBsystem \fR\fB\fISYSTEM\-ID\fR\fR
.RS 4
Execute a Formal Public Identifier lookup of the catalog entry for
\fISYSTEM\-ID\fR\&. The corresponding entry will be output to the command line\&.
.RE
.SH "ENVIRONMENT"
.PP
\fBXML_CATALOG_FILES\fR
.RS 4
XML
catalog behavior can be changed by redirecting queries to the user\*(Aqs own set of catalogs\&. This can be done by setting the
\fBXML_CATALOG_FILES\fR
environment variable to a space\-separated list of catalogs\&. Use percent\-encoding to escape spaces or other characters\&. An empty variable should deactivate loading the default catalog from
/etc/xml/catalog
or, more specifically,
${sysconfdir}/xml/catalog\&.
.RE
.SH "DIAGNOSTICS"
.PP
\fBxmlcatalog\fR
return codes provide information that can be used when calling it from scripts\&.
.PP
\fB0\fR
.RS 4
No error
.RE
.PP
\fB1\fR
.RS 4
Failed to remove an entry from the catalog
.RE
.PP
\fB2\fR
.RS 4
Failed to save to the catalog, check file permissions
.RE
.PP
\fB3\fR
.RS 4
Failed to add an entry to the catalog
.RE
.PP
\fB4\fR
.RS 4
Failed to look up an entry in the catalog
.RE
.SH "SEE ALSO"
.PP
\fBlibxml\fR(3)
.PP
More information can be found at
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBlibxml\fR(3)
web page
\m[blue]\fB\%https://gitlab.gnome.org/GNOME/libxml2\fR\m[]
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
\fBlibxml\fR(3)
catalog support web page at
\m[blue]\fB\%https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Catalog-support\fR\m[]
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
James Clark\*(Aqs
SGML
catalog page
\m[blue]\fB\%http://www.jclark.com/sp/catalog.htm\fR\m[]
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
OASIS
XML
catalog specification
\m[blue]\fB\%http://www.oasis-open.org/committees/entity/spec.html\fR\m[]
.RE
.sp
.SH "AUTHOR"
.PP
\fBJohn Fleck\fR <\&jfleck@inkstain\&.net\&>
.RS 4
Author.
.RE
.SH "COPYRIGHT"
.br
Copyright \(co 2001, 2004
.br
nghttp.1000064400000015336150536145170006151 0ustar00.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "NGHTTP" "1" "Jun 17, 2025" "1.66.0" "nghttp2"
.SH NAME
nghttp \- HTTP/2 client
.SH SYNOPSIS
.sp
\fBnghttp\fP [OPTIONS]... <URI>...
.SH DESCRIPTION
.sp
HTTP/2 client
.INDENT 0.0
.TP
.B <URI>
Specify URI to access.
.UNINDENT
.SH OPTIONS
.INDENT 0.0
.TP
.B \-v, \-\-verbose
Print   debug   information   such  as   reception   and
transmission of frames and name/value pairs.  Specifying
this option multiple times increases verbosity.
.UNINDENT
.INDENT 0.0
.TP
.B \-n, \-\-null\-out
Discard downloaded data.
.UNINDENT
.INDENT 0.0
.TP
.B \-O, \-\-remote\-name
Save  download  data  in  the  current  directory.   The
filename is  derived from  URI.  If  URI ends  with \(aq\fI/\fP\(aq,
\(aqindex.html\(aq  is used  as a  filename.  Not  implemented
yet.
.UNINDENT
.INDENT 0.0
.TP
.B \-t, \-\-timeout=<DURATION>
Timeout each request after <DURATION>.  Set 0 to disable
timeout.
.UNINDENT
.INDENT 0.0
.TP
.B \-w, \-\-window\-bits=<N>
Sets the stream level initial window size to 2**<N>\-1.
.UNINDENT
.INDENT 0.0
.TP
.B \-W, \-\-connection\-window\-bits=<N>
Sets  the  connection  level   initial  window  size  to
2**<N>\-1.
.UNINDENT
.INDENT 0.0
.TP
.B \-a, \-\-get\-assets
Download assets  such as stylesheets, images  and script
files linked  from the downloaded resource.   Only links
whose  origins are  the same  with the  linking resource
will be downloaded.   nghttp prioritizes resources using
HTTP/2 dependency  based priority.  The  priority order,
from highest to lowest,  is html itself, css, javascript
and images.
.UNINDENT
.INDENT 0.0
.TP
.B \-s, \-\-stat
Print statistics.
.UNINDENT
.INDENT 0.0
.TP
.B \-H, \-\-header=<HEADER>
Add a header to the requests.  Example: \fI\%\-H\fP\(aq:method: PUT\(aq
.UNINDENT
.INDENT 0.0
.TP
.B \-\-trailer=<HEADER>
Add a trailer header to the requests.  <HEADER> must not
include pseudo header field  (header field name starting
with \(aq:\(aq).  To  send trailer, one must use  \fI\%\-d\fP option to
send request body.  Example: \fI\%\-\-trailer\fP \(aqfoo: bar\(aq.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-cert=<CERT>
Use  the specified  client certificate  file.  The  file
must be in PEM format.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-key=<KEY>
Use the  client private key  file.  The file must  be in
PEM format.
.UNINDENT
.INDENT 0.0
.TP
.B \-d, \-\-data=<PATH>
Post FILE to server. If \(aq\-\(aq  is given, data will be read
from stdin.
.UNINDENT
.INDENT 0.0
.TP
.B \-m, \-\-multiply=<N>
Request each URI <N> times.  By default, same URI is not
requested twice.  This option disables it too.
.UNINDENT
.INDENT 0.0
.TP
.B \-u, \-\-upgrade
Perform HTTP Upgrade for HTTP/2.  This option is ignored
if the request URI has https scheme.  If \fI\%\-d\fP is used, the
HTTP upgrade request is performed with OPTIONS method.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-extpri=<PRI>
Sets RFC 9218 priority of  given URI.  <PRI> must be the
wire format  of priority  header field  (e.g., \(dqu=3,i\(dq).
This  option  can  be  used  multiple  times,  and  N\-th
\fI\%\-\-extpri\fP option sets priority of N\-th URI in the command
line.  If  the number  of this option  is less  than the
number of  URI, the last  option value is  repeated.  If
there  is   no  \fI\%\-\-extpri\fP  option,  urgency   is  3,  and
incremental is false.
.UNINDENT
.INDENT 0.0
.TP
.B \-M, \-\-peer\-max\-concurrent\-streams=<N>
Use  <N>  as  SETTINGS_MAX_CONCURRENT_STREAMS  value  of
remote endpoint as if it  is received in SETTINGS frame.
.sp
Default: \fB100\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-c, \-\-header\-table\-size=<SIZE>
Specify decoder  header table  size.  If this  option is
used  multiple times,  and the  minimum value  among the
given values except  for last one is  strictly less than
the last  value, that minimum  value is set  in SETTINGS
frame  payload  before  the   last  value,  to  simulate
multiple header table size change.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-encoder\-header\-table\-size=<SIZE>
Specify encoder header table size.  The decoder (server)
specifies  the maximum  dynamic table  size it  accepts.
Then the negotiated dynamic table size is the minimum of
this option value and the value which server specified.
.UNINDENT
.INDENT 0.0
.TP
.B \-b, \-\-padding=<N>
Add at  most <N>  bytes to a  frame payload  as padding.
Specify 0 to disable padding.
.UNINDENT
.INDENT 0.0
.TP
.B \-r, \-\-har=<PATH>
Output HTTP  transactions <PATH> in HAR  format.  If \(aq\-\(aq
is given, data is written to stdout.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-color
Force colored log output.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-continuation
Send large header to test CONTINUATION.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-content\-length
Don\(aqt send content\-length header field.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-hexdump
Display the  incoming traffic in  hexadecimal (Canonical
hex+ASCII display).  If SSL/TLS  is used, decrypted data
are used.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-push
Disable server push.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-max\-concurrent\-streams=<N>
The  number of  concurrent  pushed  streams this  client
accepts.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-expect\-continue
Perform an Expect/Continue handshake:  wait to send DATA
(up to  a short  timeout)  until the server sends  a 100
Continue interim response. This option is ignored unless
combined with the \fI\%\-d\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-y, \-\-no\-verify\-peer
Suppress  warning  on  server  certificate  verification
failure.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ktls
Enable ktls.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-version
Display version information and exit.
.UNINDENT
.INDENT 0.0
.TP
.B \-h, \-\-help
Display this help and exit.
.UNINDENT
.sp
The <SIZE> argument is an integer and an optional unit (e.g., 10K is
10 * 1024).  Units are K, M and G (powers of 1024).
.sp
The <DURATION> argument is an integer and an optional unit (e.g., 1s
is 1 second and 500ms is 500 milliseconds).  Units are h, m, s or ms
(hours, minutes, seconds and milliseconds, respectively).  If a unit
is omitted, a second is used as unit.
.SH SEE ALSO
.sp
\fBnghttpd(1)\fP, \fBnghttpx(1)\fP, \fBh2load(1)\fP
.SH AUTHOR
Tatsuhiro Tsujikawa
.SH COPYRIGHT
2012, 2015, 2016, Tatsuhiro Tsujikawa
.\" Generated by docutils manpage writer.
.
h2load.1000064400000036640150536145240006015 0ustar00.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "H2LOAD" "1" "Jun 17, 2025" "1.66.0" "nghttp2"
.SH NAME
h2load \- HTTP/2 benchmarking tool
.SH SYNOPSIS
.sp
\fBh2load\fP [OPTIONS]... [URI]...
.SH DESCRIPTION
.sp
benchmarking tool for HTTP/2 server
.INDENT 0.0
.TP
.B <URI>
Specify URI to access.   Multiple URIs can be specified.
URIs are used  in this order for each  client.  All URIs
are used, then  first URI is used and then  2nd URI, and
so  on.  The  scheme, host  and port  in the  subsequent
URIs, if present,  are ignored.  Those in  the first URI
are used solely.  Definition of a base URI overrides all
scheme, host or port values.
.UNINDENT
.SH OPTIONS
.INDENT 0.0
.TP
.B \-n, \-\-requests=<N>
Number of  requests across all  clients.  If it  is used
with \fI\%\-\-timing\-script\-file\fP option,  this option specifies
the number of requests  each client performs rather than
the number of requests  across all clients.  This option
is ignored if timing\-based  benchmarking is enabled (see
\fI\%\-\-duration\fP option).
.sp
Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-c, \-\-clients=<N>
Number  of concurrent  clients.   With  \fI\%\-r\fP option,  this
specifies the maximum number of connections to be made.
.sp
Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-t, \-\-threads=<N>
Number of native threads.
.sp
Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-i, \-\-input\-file=<PATH>
Path of a file with multiple URIs are separated by EOLs.
This option will disable URIs getting from command\-line.
If \(aq\-\(aq is given as <PATH>, URIs will be read from stdin.
URIs are used  in this order for each  client.  All URIs
are used, then  first URI is used and then  2nd URI, and
so  on.  The  scheme, host  and port  in the  subsequent
URIs, if present,  are ignored.  Those in  the first URI
are used solely.  Definition of a base URI overrides all
scheme, host or port values.
.UNINDENT
.INDENT 0.0
.TP
.B \-m, \-\-max\-concurrent\-streams=<N>
Max  concurrent  streams  to issue  per  session.   When
http/1.1  is used,  this  specifies the  number of  HTTP
pipelining requests in\-flight.
.sp
Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-f, \-\-max\-frame\-size=<SIZE>
Maximum frame size that the local endpoint is willing to
receive.
.sp
Default: \fB16K\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-w, \-\-window\-bits=<N>
Sets the stream level initial window size to (2**<N>)\-1.
For QUIC, <N> is capped to 26 (roughly 64MiB).
.sp
Default: \fB30\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-W, \-\-connection\-window\-bits=<N>
Sets  the  connection  level   initial  window  size  to
(2**<N>)\-1.
.sp
Default: \fB30\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-H, \-\-header=<HEADER>
Add/Override a header to the requests.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ciphers=<SUITE>
Set  allowed cipher  list  for TLSv1.2  or earlier.   The
format of the string is described in OpenSSL ciphers(1).
.sp
Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls13\-ciphers=<SUITE>
Set allowed cipher list for  TLSv1.3.  The format of the
string is described in OpenSSL ciphers(1).
.sp
Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_SHA256\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-p, \-\-no\-tls\-proto=<PROTOID>
Specify ALPN identifier of the  protocol to be used when
accessing http URI without SSL/TLS.
Available protocols: h2c and http/1.1
.sp
Default: \fBh2c\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-d, \-\-data=<PATH>
Post FILE to  server.  The request method  is changed to
POST.   For  http/1.1 connection,  if  \fI\%\-d\fP  is used,  the
maximum number of in\-flight pipelined requests is set to
1.
.UNINDENT
.INDENT 0.0
.TP
.B \-r, \-\-rate=<N>
Specifies  the  fixed  rate  at  which  connections  are
created.   The   rate  must   be  a   positive  integer,
representing the  number of  connections to be  made per
rate period.   The maximum  number of connections  to be
made  is  given  in  \fI\%\-c\fP   option.   This  rate  will  be
distributed among  threads as  evenly as  possible.  For
example,  with   \fI\%\-t\fP2  and   \fI\%\-r\fP4,  each  thread   gets  2
connections per period.  When the rate is 0, the program
will run  as it  normally does, creating  connections at
whatever variable rate it  wants.  The default value for
this option is 0.  \fI\%\-r\fP and \fI\%\-D\fP are mutually exclusive.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-rate\-period=<DURATION>
Specifies the time  period between creating connections.
The period  must be a positive  number, representing the
length of the period in time.  This option is ignored if
the rate option is not used.  The default value for this
option is 1s.
.UNINDENT
.INDENT 0.0
.TP
.B \-D, \-\-duration=<DURATION>
Specifies the main duration for the measurements in case
of timing\-based  benchmarking.  \fI\%\-D\fP  and \fI\%\-r\fP  are mutually
exclusive.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-warm\-up\-time=<DURATION>
Specifies the  time  period  before  starting the actual
measurements, in  case  of  timing\-based benchmarking.
Needs to provided along with \fI\%\-D\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-T, \-\-connection\-active\-timeout=<DURATION>
Specifies  the maximum  time that  h2load is  willing to
keep a  connection open,  regardless of the  activity on
said connection.  <DURATION> must be a positive integer,
specifying the amount of time  to wait.  When no timeout
value is  set (either  active or inactive),  h2load will
keep  a  connection  open indefinitely,  waiting  for  a
response.
.UNINDENT
.INDENT 0.0
.TP
.B \-N, \-\-connection\-inactivity\-timeout=<DURATION>
Specifies the amount  of time that h2load  is willing to
wait to see activity  on a given connection.  <DURATION>
must  be a  positive integer,  specifying the  amount of
time  to wait.   When no  timeout value  is set  (either
active or inactive), h2load  will keep a connection open
indefinitely, waiting for a response.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-timing\-script\-file=<PATH>
Path of a file containing one or more lines separated by
EOLs.  Each script line is composed of two tab\-separated
fields.  The first field represents the time offset from
the start of execution, expressed as a positive value of
milliseconds  with microsecond  resolution.  The  second
field represents the URI.  This option will disable URIs
getting from  command\-line.  If \(aq\-\(aq is  given as <PATH>,
script lines will be read  from stdin.  Script lines are
used in order for each client.   If \fI\%\-n\fP is given, it must
be less  than or  equal to the  number of  script lines,
larger values are clamped to the number of script lines.
If \fI\%\-n\fP is not given,  the number of requests will default
to the  number of  script lines.   The scheme,  host and
port defined in  the first URI are  used solely.  Values
contained  in  other  URIs,  if  present,  are  ignored.
Definition of a  base URI overrides all  scheme, host or
port   values.   \fI\%\-\-timing\-script\-file\fP   and  \fI\%\-\-rps\fP   are
mutually exclusive.
.UNINDENT
.INDENT 0.0
.TP
.B \-B, \-\-base\-uri=(<URI>|unix:<PATH>)
Specify URI from which the scheme, host and port will be
used  for  all requests.   The  base  URI overrides  all
values  defined either  at  the command  line or  inside
input files.  If argument  starts with \(dqunix:\(dq, then the
rest  of the  argument will  be treated  as UNIX  domain
socket path.   The connection is made  through that path
instead of TCP.   In this case, scheme  is inferred from
the first  URI appeared  in the  command line  or inside
input files as usual.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-alpn\-list=<LIST>
Comma delimited list of  ALPN protocol identifier sorted
in the  order of preference.  That  means most desirable
protocol comes  first.  The parameter must  be delimited
by a single comma only  and any white spaces are treated
as a part of protocol string.
.sp
Default: \fBh2,http/1.1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-h1
Short        hand        for        \fI\%\-\-alpn\-list\fP=http/1.1
\fI\%\-\-no\-tls\-proto\fP=http/1.1,    which   effectively    force
http/1.1 for both http and https URI.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-header\-table\-size=<SIZE>
Specify decoder header table size.
.sp
Default: \fB4K\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-encoder\-header\-table\-size=<SIZE>
Specify encoder header table size.  The decoder (server)
specifies  the maximum  dynamic table  size it  accepts.
Then the negotiated dynamic table size is the minimum of
this option value and the value which server specified.
.sp
Default: \fB4K\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=<PATH>
Write per\-request information to a file as tab\-separated
columns: start  time as  microseconds since  epoch; HTTP
status code;  microseconds until end of  response.  More
columns may be added later.  Rows are ordered by end\-of\-
response  time when  using  one worker  thread, but  may
appear slightly  out of order with  multiple threads due
to buffering.  Status code is \-1 for failed streams.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-qlog\-file\-base=<PATH>
Enable qlog output and specify base file name for qlogs.
Qlog is emitted  for each connection.  For  a given base
name   \(dqbase\(dq,    each   output   file    name   becomes
\(dqbase.M.N.sqlog\(dq where M is worker ID and N is client ID
(e.g. \(dqbase.0.3.sqlog\(dq).  Only effective in QUIC runs.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-connect\-to=<HOST>[:<PORT>]
Host and port to connect  instead of using the authority
in <URI>.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-rps=<N>
Specify request  per second for each  client.  \fI\%\-\-rps\fP and
\fI\%\-\-timing\-script\-file\fP are mutually exclusive.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-groups=<GROUPS>
Specify the supported groups.
.sp
Default: \fBX25519:P\-256:P\-384:P\-521\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-udp\-gso
Disable UDP GSO.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-max\-udp\-payload\-size=<SIZE>
Specify the maximum outgoing UDP datagram payload size.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ktls
Enable ktls.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-sni=<DNSNAME>
Send  <DNSNAME> in  TLS  SNI, overriding  the host  name
specified in URI.
.UNINDENT
.INDENT 0.0
.TP
.B \-v, \-\-verbose
Output debug information.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-version
Display version information and exit.
.UNINDENT
.INDENT 0.0
.TP
.B \-h, \-\-help
Display this help and exit.
.UNINDENT
.sp
The <SIZE> argument is an integer and an optional unit (e.g., 10K is
10 * 1024).  Units are K, M and G (powers of 1024).
.sp
The <DURATION> argument is an integer and an optional unit (e.g., 1s
is 1 second and 500ms is 500 milliseconds).  Units are h, m, s or ms
(hours, minutes, seconds and milliseconds, respectively).  If a unit
is omitted, a second is used as unit.
.SH OUTPUT
.INDENT 0.0
.TP
.B requests
.INDENT 7.0
.TP
.B total
The number of requests h2load was instructed to make.
.TP
.B started
The number of requests h2load has started.
.TP
.B done
The number of requests completed.
.TP
.B succeeded
The number of requests completed successfully.  Only HTTP status
code 2xx or3xx are considered as success.
.TP
.B failed
The number of requests failed, including HTTP level failures
(non\-successful HTTP status code).
.TP
.B errored
The number of requests failed, except for HTTP level failures.
This is the subset of the number reported in \fBfailed\fP and most
likely the network level failures or stream was reset by
RST_STREAM.
.TP
.B timeout
The number of requests whose connection timed out before they were
completed.   This  is  the  subset   of  the  number  reported  in
\fBerrored\fP\&.
.UNINDENT
.TP
.B status codes
The number of status code h2load received.
.TP
.B traffic
.INDENT 7.0
.TP
.B total
The number of bytes received from the server \(dqon the wire\(dq.  If
requests were made via TLS, this value is the number of decrypted
bytes.
.TP
.B headers
The  number  of response  header  bytes  from the  server  without
decompression.  The  \fBspace savings\fP shows efficiency  of header
compression.  Let \fBdecompressed(headers)\fP to the number of bytes
used for header fields after decompression.  The \fBspace savings\fP
is calculated  by (1 \- \fBheaders\fP  / \fBdecompressed(headers)\fP) *
100.  For HTTP/1.1, this is usually  0.00%, since it does not have
header compression.  For HTTP/2, it shows some insightful numbers.
.TP
.B data
The number of response body bytes received from the server.
.UNINDENT
.TP
.B time for request
.INDENT 7.0
.TP
.B min
The minimum time taken for request and response.
.TP
.B max
The maximum time taken for request and response.
.TP
.B mean
The mean time taken for request and response.
.TP
.B sd
The standard deviation of the time taken for request and response.
.TP
.B +/\- sd
The fraction of the number of requests within standard deviation
range (mean +/\- sd) against total number of successful requests.
.UNINDENT
.TP
.B time for connect
.INDENT 7.0
.TP
.B min
The minimum time taken to connect to a server including TLS
handshake.
.TP
.B max
The maximum time taken to connect to a server including TLS
handshake.
.TP
.B mean
The mean time taken to connect to a server including TLS
handshake.
.TP
.B sd
The standard deviation of the time taken to connect to a server.
.TP
.B +/\- sd
The  fraction  of  the   number  of  connections  within  standard
deviation range (mean  +/\- sd) against total  number of successful
connections.
.UNINDENT
.TP
.B time for 1st byte (of (decrypted in case of TLS) application data)
.INDENT 7.0
.TP
.B min
The minimum time taken to get 1st byte from a server.
.TP
.B max
The maximum time taken to get 1st byte from a server.
.TP
.B mean
The mean time taken to get 1st byte from a server.
.TP
.B sd
The standard deviation of the time taken to get 1st byte from a
server.
.TP
.B +/\- sd
The fraction of the number of connections within standard
deviation range (mean +/\- sd) against total number of successful
connections.
.UNINDENT
.TP
.B req/s
.INDENT 7.0
.TP
.B min
The minimum request per second among all clients.
.TP
.B max
The maximum request per second among all clients.
.TP
.B mean
The mean request per second among all clients.
.TP
.B sd
The standard deviation of request per second among all clients.
server.
.TP
.B +/\- sd
The fraction of the number of connections within standard
deviation range (mean +/\- sd) against total number of successful
connections.
.UNINDENT
.UNINDENT
.SH FLOW CONTROL
.sp
h2load sets large flow control window by default, and effectively
disables flow control to avoid under utilization of server
performance.  To set smaller flow control window, use \fI\%\-w\fP and
\fI\%\-W\fP options.  For example, use \fB\-w16 \-W16\fP to set default
window size described in HTTP/2 protocol specification.
.SH SEE ALSO
.sp
\fBnghttp(1)\fP, \fBnghttpd(1)\fP, \fBnghttpx(1)\fP
.SH AUTHOR
Tatsuhiro Tsujikawa
.SH COPYRIGHT
2012, 2015, 2016, Tatsuhiro Tsujikawa
.\" Generated by docutils manpage writer.
.
nghttpd.1000064400000012511150536145370006307 0ustar00.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "NGHTTPD" "1" "Jun 17, 2025" "1.66.0" "nghttp2"
.SH NAME
nghttpd \- HTTP/2 server
.SH SYNOPSIS
.sp
\fBnghttpd\fP [OPTION]... <PORT> [<PRIVATE_KEY> <CERT>]
.SH DESCRIPTION
.sp
HTTP/2 server
.INDENT 0.0
.TP
.B <PORT>
Specify listening port number.
.UNINDENT
.INDENT 0.0
.TP
.B <PRIVATE_KEY>
Set  path  to  server\(aqs private  key.   Required  unless
\fI\%\-\-no\-tls\fP is specified.
.UNINDENT
.INDENT 0.0
.TP
.B <CERT>
Set  path  to  server\(aqs  certificate.   Required  unless
\fI\%\-\-no\-tls\fP is specified.
.UNINDENT
.SH OPTIONS
.INDENT 0.0
.TP
.B \-a, \-\-address=<ADDR>
The address to bind to.  If not specified the default IP
address determined by getaddrinfo is used.
.UNINDENT
.INDENT 0.0
.TP
.B \-D, \-\-daemon
Run in a background.  If \fI\%\-D\fP is used, the current working
directory is  changed to \(aq\fI/\fP\(aq.  Therefore  if this option
is used, \fI\%\-d\fP option must be specified.
.UNINDENT
.INDENT 0.0
.TP
.B \-V, \-\-verify\-client
The server  sends a client certificate  request.  If the
client did  not return  a certificate, the  handshake is
terminated.   Currently,  this  option just  requests  a
client certificate and does not verify it.
.UNINDENT
.INDENT 0.0
.TP
.B \-d, \-\-htdocs=<PATH>
Specify document root.  If this option is not specified,
the document root is the current working directory.
.UNINDENT
.INDENT 0.0
.TP
.B \-v, \-\-verbose
Print debug information  such as reception/ transmission
of frames and name/value pairs.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-tls
Disable SSL/TLS.
.UNINDENT
.INDENT 0.0
.TP
.B \-c, \-\-header\-table\-size=<SIZE>
Specify decoder header table size.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-encoder\-header\-table\-size=<SIZE>
Specify encoder header table size.  The decoder (client)
specifies  the maximum  dynamic table  size it  accepts.
Then the negotiated dynamic table size is the minimum of
this option value and the value which client specified.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-color
Force colored log output.
.UNINDENT
.INDENT 0.0
.TP
.B \-p, \-\-push=<PATH>=<PUSH_PATH,...>
Push  resources <PUSH_PATH>s  when <PATH>  is requested.
This option  can be used repeatedly  to specify multiple
push  configurations.    <PATH>  and   <PUSH_PATH>s  are
relative  to   document  root.   See   \fI\%\-\-htdocs\fP  option.
Example: \fI\%\-p\fP/=/foo.png \fI\%\-p\fP/doc=/bar.css
.UNINDENT
.INDENT 0.0
.TP
.B \-b, \-\-padding=<N>
Add at  most <N>  bytes to a  frame payload  as padding.
Specify 0 to disable padding.
.UNINDENT
.INDENT 0.0
.TP
.B \-m, \-\-max\-concurrent\-streams=<N>
Set the maximum number of  the concurrent streams in one
HTTP/2 session.
.sp
Default: \fB100\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-n, \-\-workers=<N>
Set the number of worker threads.
.sp
Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-e, \-\-error\-gzip
Make error response gzipped.
.UNINDENT
.INDENT 0.0
.TP
.B \-w, \-\-window\-bits=<N>
Sets the stream level initial window size to 2**<N>\-1.
.UNINDENT
.INDENT 0.0
.TP
.B \-W, \-\-connection\-window\-bits=<N>
Sets  the  connection  level   initial  window  size  to
2**<N>\-1.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-dh\-param\-file=<PATH>
Path to file that contains  DH parameters in PEM format.
Without  this   option,  DHE   cipher  suites   are  not
available.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-early\-response
Start sending response when request HEADERS is received,
rather than complete request is received.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-trailer=<HEADER>
Add a trailer  header to a response.   <HEADER> must not
include pseudo header field  (header field name starting
with \(aq:\(aq).  The  trailer is sent only if  a response has
body part.  Example: \fI\%\-\-trailer\fP \(aqfoo: bar\(aq.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-hexdump
Display the  incoming traffic in  hexadecimal (Canonical
hex+ASCII display).  If SSL/TLS  is used, decrypted data
are used.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-echo\-upload
Send back uploaded content if method is POST or PUT.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-mime\-types\-file=<PATH>
Path  to file  that contains  MIME media  types and  the
extensions that represent them.
.sp
Default: \fB/etc/mime.types\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-content\-length
Don\(aqt send content\-length header field.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ktls
Enable ktls.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-version
Display version information and exit.
.UNINDENT
.INDENT 0.0
.TP
.B \-h, \-\-help
Display this help and exit.
.UNINDENT
.sp
The <SIZE> argument is an integer and an optional unit (e.g., 10K is
10 * 1024).  Units are K, M and G (powers of 1024).
.SH SEE ALSO
.sp
\fBnghttp(1)\fP, \fBnghttpx(1)\fP, \fBh2load(1)\fP
.SH AUTHOR
Tatsuhiro Tsujikawa
.SH COPYRIGHT
2012, 2015, 2016, Tatsuhiro Tsujikawa
.\" Generated by docutils manpage writer.
.
nghttpx.1000064400000261721150536145440006342 0ustar00.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "NGHTTPX" "1" "Jun 17, 2025" "1.66.0" "nghttp2"
.SH NAME
nghttpx \- HTTP/2 proxy
.SH SYNOPSIS
.sp
\fBnghttpx\fP [OPTIONS]... [<PRIVATE_KEY> <CERT>]
.SH DESCRIPTION
.sp
A reverse proxy for HTTP/3, HTTP/2, and HTTP/1.
.INDENT 0.0
.TP
.B <PRIVATE_KEY>
Set  path  to  server\(aqs private  key.   Required  unless
\(dqno\-tls\(dq parameter is used in \fI\%\-\-frontend\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B <CERT>
Set  path  to  server\(aqs  certificate.   Required  unless
\(dqno\-tls\(dq  parameter is  used in  \fI\%\-\-frontend\fP option.
.UNINDENT
.SH OPTIONS
.sp
The options are categorized into several groups.
.SS Connections
.INDENT 0.0
.TP
.B \-b, \-\-backend=(<HOST>,<PORT>|unix:<PATH>)[;[<PATTERN>[:...]][[;<PARAM>]...]
Set  backend  host  and   port.   The  multiple  backend
addresses are  accepted by repeating this  option.  UNIX
domain socket  can be  specified by prefixing  path name
with \(dqunix:\(dq (e.g., unix:/var/run/backend.sock).
.sp
Optionally, if <PATTERN>s are given, the backend address
is  only  used  if  request matches  the  pattern.   The
pattern  matching is  closely  designed  to ServeMux  in
net/http package of  Go programming language.  <PATTERN>
consists of  path, host +  path or just host.   The path
must start  with \(dq\fI/\fP\(dq.  If  it ends with \(dq\fI/\fP\(dq,  it matches
all  request path  in  its subtree.   To  deal with  the
request  to the  directory without  trailing slash,  the
path which ends  with \(dq\fI/\fP\(dq also matches  the request path
which  only  lacks  trailing  \(aq\fI/\fP\(aq  (e.g.,  path  \(dq\fI/foo/\fP\(dq
matches request path  \(dq\fI/foo\fP\(dq).  If it does  not end with
\(dq\fI/\fP\(dq, it  performs exact match against  the request path.
If  host  is given,  it  performs  a match  against  the
request host.   For a  request received on  the frontend
listener with  \(dqsni\-fwd\(dq parameter enabled, SNI  host is
used instead of a request host.  If host alone is given,
\(dq\fI/\fP\(dq is  appended to it,  so that it matches  all request
paths  under the  host  (e.g., specifying  \(dqnghttp2.org\(dq
equals  to \(dqnghttp2.org/\(dq).   CONNECT method  is treated
specially.  It  does not have  path, and we  don\(aqt allow
empty path.  To workaround  this, we assume that CONNECT
method has \(dq\fI/\fP\(dq as path.
.sp
Patterns with  host take  precedence over  patterns with
just path.   Then, longer patterns take  precedence over
shorter ones.
.sp
Host  can  include \(dq*\(dq  in  the  left most  position  to
indicate  wildcard match  (only suffix  match is  done).
The \(dq*\(dq must match at least one character.  For example,
host    pattern    \(dq*.nghttp2.org\(dq    matches    against
\(dqwww.nghttp2.org\(dq  and  \(dqgit.ngttp2.org\(dq, but  does  not
match  against  \(dqnghttp2.org\(dq.   The exact  hosts  match
takes precedence over the wildcard hosts match.
.sp
If path  part ends with  \(dq*\(dq, it is treated  as wildcard
path.  The  wildcard path  behaves differently  from the
normal path.  For normal path,  match is made around the
boundary of path component  separator,\(dq\fI/\fP\(dq.  On the other
hand, the wildcard  path does not take  into account the
path component  separator.  All paths which  include the
wildcard  path  without  last  \(dq*\(dq as  prefix,  and  are
strictly longer than wildcard  path without last \(dq*\(dq are
matched.  \(dq*\(dq  must match  at least one  character.  For
example,  the   pattern  \(dq\fI/foo*\fP\(dq  matches   \(dq\fI/foo/\fP\(dq  and
\(dq\fI/foobar\fP\(dq.  But it does not match \(dq\fI/foo\fP\(dq, or \(dq\fI/fo\fP\(dq.
.sp
If <PATTERN> is omitted or  empty string, \(dq\fI/\fP\(dq is used as
pattern,  which  matches  all request  paths  (catch\-all
pattern).  The catch\-all backend must be given.
.sp
When doing  a match, nghttpx made  some normalization to
pattern, request host and path.  For host part, they are
converted to lower case.  For path part, percent\-encoded
unreserved characters  defined in RFC 3986  are decoded,
and any  dot\-segments (\(dq..\(dq  and \(dq.\(dq)   are resolved and
removed.
.sp
For   example,   \fI\%\-b\fP\(aq127.0.0.1,8080;nghttp2.org/httpbin/\(aq
matches the  request host \(dqnghttp2.org\(dq and  the request
path \(dq\fI/httpbin/get\fP\(dq, but does not match the request host
\(dqnghttp2.org\(dq and the request path \(dq\fI/index.html\fP\(dq.
.sp
The  multiple <PATTERN>s  can  be specified,  delimiting
them            by           \(dq:\(dq.             Specifying
\fI\%\-b\fP\(aq127.0.0.1,8080;nghttp2.org:www.nghttp2.org\(aq  has  the
same  effect  to specify  \fI\%\-b\fP\(aq127.0.0.1,8080;nghttp2.org\(aq
and \fI\%\-b\fP\(aq127.0.0.1,8080;www.nghttp2.org\(aq.
.sp
The backend addresses sharing same <PATTERN> are grouped
together forming  load balancing  group.
.sp
Several parameters <PARAM> are accepted after <PATTERN>.
The  parameters are  delimited  by  \(dq;\(dq.  The  available
parameters       are:      \(dqproto=<PROTO>\(dq,       \(dqtls\(dq,
\(dqsni=<SNI_HOST>\(dq,         \(dqfall=<N>\(dq,        \(dqrise=<N>\(dq,
\(dqaffinity=<METHOD>\(dq,    \(dqdns\(dq,    \(dqredirect\-if\-not\-tls\(dq,
\(dqupgrade\-scheme\(dq,                        \(dqmruby=<PATH>\(dq,
\(dqread\-timeout=<DURATION>\(dq,   \(dqwrite\-timeout=<DURATION>\(dq,
\(dqgroup=<GROUP>\(dq,  \(dqgroup\-weight=<N>\(dq, \(dqweight=<N>\(dq,  and
\(dqdnf\(dq.    The  parameter   consists   of  keyword,   and
optionally followed by \(dq=\(dq  and value.  For example, the
parameter \(dqproto=h2\(dq consists of the keyword \(dqproto\(dq and
value \(dqh2\(dq.  The parameter \(dqtls\(dq consists of the keyword
\(dqtls\(dq  without value.   Each parameter  is described  as
follows.
.sp
The backend application protocol  can be specified using
optional  \(dqproto\(dq   parameter,  and   in  the   form  of
\(dqproto=<PROTO>\(dq.  <PROTO> should be one of the following
list  without  quotes:  \(dqh2\(dq, \(dqhttp/1.1\(dq.   The  default
value of <PROTO> is  \(dqhttp/1.1\(dq.  Note that usually \(dqh2\(dq
refers to HTTP/2  over TLS.  But in this  option, it may
mean HTTP/2  over cleartext TCP unless  \(dqtls\(dq keyword is
used (see below).
.sp
TLS  can   be  enabled  by  specifying   optional  \(dqtls\(dq
parameter.  TLS is not enabled by default.
.sp
With \(dqsni=<SNI_HOST>\(dq parameter, it can override the TLS
SNI  field  value  with  given  <SNI_HOST>.   This  will
default to the backend <HOST> name
.sp
The  feature  to detect  whether  backend  is online  or
offline can be enabled  using optional \(dqfall\(dq and \(dqrise\(dq
parameters.   Using  \(dqfall=<N>\(dq  parameter,  if  nghttpx
cannot connect  to a  this backend <N>  times in  a row,
this  backend  is  assumed  to be  offline,  and  it  is
excluded from load balancing.  If <N> is 0, this backend
never  be excluded  from load  balancing whatever  times
nghttpx cannot connect  to it, and this  is the default.
There is  also \(dqrise=<N>\(dq parameter.  After  backend was
excluded from load balancing group, nghttpx periodically
attempts to make a connection to the failed backend, and
if the  connection is made  successfully <N> times  in a
row, the backend is assumed to  be online, and it is now
eligible  for load  balancing target.   If <N>  is 0,  a
backend  is permanently  offline, once  it goes  in that
state, and this is the default behaviour.
.sp
The     session     affinity    is     enabled     using
\(dqaffinity=<METHOD>\(dq  parameter.   If  \(dqip\(dq is  given  in
<METHOD>, client  IP based session affinity  is enabled.
If \(dqcookie\(dq  is given in <METHOD>,  cookie based session
affinity is  enabled.  If  \(dqnone\(dq is given  in <METHOD>,
session affinity  is disabled, and this  is the default.
The session  affinity is  enabled per <PATTERN>.   If at
least  one backend  has  \(dqaffinity\(dq  parameter, and  its
<METHOD> is not \(dqnone\(dq,  session affinity is enabled for
all backend  servers sharing the same  <PATTERN>.  It is
advised  to  set  \(dqaffinity\(dq parameter  to  all  backend
explicitly if session affinity  is desired.  The session
affinity  may   break  if   one  of  the   backend  gets
unreachable,  or   backend  settings  are   reloaded  or
replaced by API.
.sp
If   \(dqaffinity=cookie\(dq    is   used,    the   additional
configuration                is                required.
\(dqaffinity\-cookie\-name=<NAME>\(dq must be  used to specify a
name     of     cookie      to     use.      Optionally,
\(dqaffinity\-cookie\-path=<PATH>\(dq can  be used to  specify a
path   which   cookie    is   applied.    The   optional
\(dqaffinity\-cookie\-secure=<SECURE>\(dq  controls  the  Secure
attribute of a cookie.  The default value is \(dqauto\(dq, and
the Secure attribute is  determined by a request scheme.
If a request scheme is \(dqhttps\(dq, then Secure attribute is
set.  Otherwise, it  is not set.  If  <SECURE> is \(dqyes\(dq,
the  Secure attribute  is  always set.   If <SECURE>  is
\(dqno\(dq,   the   Secure   attribute  is   always   omitted.
\(dqaffinity\-cookie\-stickiness=<STICKINESS>\(dq       controls
stickiness  of   this  affinity.   If   <STICKINESS>  is
\(dqloose\(dq, removing or adding a backend server might break
the affinity  and the  request might  be forwarded  to a
different backend server.   If <STICKINESS> is \(dqstrict\(dq,
removing the designated  backend server breaks affinity,
but adding  new backend server does  not cause breakage.
If  the designated  backend server  becomes unavailable,
new backend server is chosen  as if the request does not
have  an  affinity  cookie.   <STICKINESS>  defaults  to
\(dqloose\(dq.
.sp
By default, name resolution of backend host name is done
at  start  up,  or reloading  configuration.   If  \(dqdns\(dq
parameter   is  given,   name  resolution   takes  place
dynamically.  This is useful  if backend address changes
frequently.   If  \(dqdns\(dq  is given,  name  resolution  of
backend   host   name   at  start   up,   or   reloading
configuration is skipped.
.sp
If \(dqredirect\-if\-not\-tls\(dq parameter  is used, the matched
backend  requires   that  frontend  connection   is  TLS
encrypted.  If it isn\(aqt, nghttpx responds to the request
with 308  status code, and  https URI the  client should
use instead  is included in Location  header field.  The
port number in  redirect URI is 443 by  default, and can
be  changed using  \fI\%\-\-redirect\-https\-port\fP option.   If at
least one  backend has  \(dqredirect\-if\-not\-tls\(dq parameter,
this feature is enabled  for all backend servers sharing
the   same   <PATTERN>.    It    is   advised   to   set
\(dqredirect\-if\-no\-tls\(dq    parameter   to    all   backends
explicitly if this feature is desired.
.sp
If \(dqupgrade\-scheme\(dq  parameter is used along  with \(dqtls\(dq
parameter, HTTP/2 :scheme pseudo header field is changed
to \(dqhttps\(dq from \(dqhttp\(dq when forwarding a request to this
particular backend.  This is  a workaround for a backend
server  which  requires  \(dqhttps\(dq :scheme  pseudo  header
field on TLS encrypted connection.
.sp
\(dqmruby=<PATH>\(dq  parameter  specifies  a  path  to  mruby
script  file  which  is  invoked when  this  pattern  is
matched.  All backends which share the same pattern must
have the same mruby path.
.sp
\(dqread\-timeout=<DURATION>\(dq and \(dqwrite\-timeout=<DURATION>\(dq
parameters  specify the  read and  write timeout  of the
backend connection  when this  pattern is  matched.  All
backends which share the same pattern must have the same
timeouts.  If these timeouts  are entirely omitted for a
pattern,            \fI\%\-\-backend\-read\-timeout\fP           and
\fI\%\-\-backend\-write\-timeout\fP are used.
.sp
\(dqgroup=<GROUP>\(dq  parameter specifies  the name  of group
this backend address belongs to.  By default, it belongs
to  the unnamed  default group.   The name  of group  is
unique   per   pattern.   \(dqgroup\-weight=<N>\(dq   parameter
specifies the  weight of  the group.  The  higher weight
gets  more frequently  selected  by  the load  balancing
algorithm.  <N> must be  [1, 256] inclusive.  The weight
8 has 4 times more weight  than 2.  <N> must be the same
for  all addresses  which  share the  same <GROUP>.   If
\(dqgroup\-weight\(dq is  omitted in an address,  but the other
address  which  belongs  to  the  same  group  specifies
\(dqgroup\-weight\(dq,   its    weight   is   used.     If   no
\(dqgroup\-weight\(dq  is  specified  for  all  addresses,  the
weight of a group becomes 1.  \(dqgroup\(dq and \(dqgroup\-weight\(dq
are ignored if session affinity is enabled.
.sp
\(dqweight=<N>\(dq  parameter  specifies  the  weight  of  the
backend  address  inside  a  group  which  this  address
belongs  to.  The  higher  weight  gets more  frequently
selected by  the load balancing algorithm.   <N> must be
[1,  256] inclusive.   The  weight 8  has  4 times  more
weight  than weight  2.  If  this parameter  is omitted,
weight  becomes  1.   \(dqweight\(dq  is  ignored  if  session
affinity is enabled.
.sp
If \(dqdnf\(dq parameter is  specified, an incoming request is
not forwarded to a backend  and just consumed along with
the  request body  (actually a  backend server  never be
contacted).  It  is expected  that the HTTP  response is
generated by mruby  script (see \(dqmruby=<PATH>\(dq parameter
above).  \(dqdnf\(dq is an abbreviation of \(dqdo not forward\(dq.
.sp
Since \(dq;\(dq and \(dq:\(dq are  used as delimiter, <PATTERN> must
not contain  these characters.  In order  to include \(dq:\(dq
in  <PATTERN>,  one  has  to  specify  \(dq%3A\(dq  (which  is
percent\-encoded  from of  \(dq:\(dq) instead.   Since \(dq;\(dq  has
special  meaning  in shell,  the  option  value must  be
quoted.
.sp
Default: \fB127.0.0.1,80\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-f, \-\-frontend=(<HOST>,<PORT>|unix:<PATH>)[[;<PARAM>]...]
Set  frontend  host and  port.   If  <HOST> is  \(aq*\(aq,  it
assumes  all addresses  including  both  IPv4 and  IPv6.
UNIX domain  socket can  be specified by  prefixing path
name  with  \(dqunix:\(dq (e.g.,  unix:/var/run/nghttpx.sock).
This  option can  be used  multiple times  to listen  to
multiple addresses.
.sp
This option  can take  0 or  more parameters,  which are
described  below.   Note   that  \(dqapi\(dq  and  \(dqhealthmon\(dq
parameters are mutually exclusive.
.sp
Optionally, TLS  can be disabled by  specifying \(dqno\-tls\(dq
parameter.  TLS is enabled by default.
.sp
If \(dqsni\-fwd\(dq parameter is  used, when performing a match
to select a backend server,  SNI host name received from
the client  is used  instead of  the request  host.  See
\fI\%\-\-backend\fP option about the pattern match.
.sp
To  make this  frontend as  API endpoint,  specify \(dqapi\(dq
parameter.   This   is  disabled  by  default.    It  is
important  to  limit the  access  to  the API  frontend.
Otherwise, someone  may change  the backend  server, and
break your services,  or expose confidential information
to the outside the world.
.sp
To  make  this  frontend  as  health  monitor  endpoint,
specify  \(dqhealthmon\(dq  parameter.   This is  disabled  by
default.  Any  requests which come through  this address
are replied with 200 HTTP status, without no body.
.sp
To accept  PROXY protocol  version 1  and 2  on frontend
connection,  specify  \(dqproxyproto\(dq parameter.   This  is
disabled by default.
.sp
To  receive   HTTP/3  (QUIC)  traffic,   specify  \(dqquic\(dq
parameter.  It  makes nghttpx listen on  UDP port rather
than  TCP   port.   UNIX   domain  socket,   \(dqapi\(dq,  and
\(dqhealthmon\(dq  parameters  cannot   be  used  with  \(dqquic\(dq
parameter.
.sp
Default: \fB*,3000\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backlog=<N>
Set listen backlog size.
.sp
Default: \fB65536\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-address\-family=(auto|IPv4|IPv6)
Specify  address  family  of  backend  connections.   If
\(dqauto\(dq is given, both IPv4  and IPv6 are considered.  If
\(dqIPv4\(dq is  given, only  IPv4 address is  considered.  If
\(dqIPv6\(dq is given, only IPv6 address is considered.
.sp
Default: \fBauto\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-http\-proxy\-uri=<URI>
Specify      proxy       URI      in       the      form
\X'tty: link http:/'\fI\%http:/\fP\X'tty: link'/[<USER>:<PASS>@]<PROXY>:<PORT>.    If   a   proxy
requires  authentication,  specify  <USER>  and  <PASS>.
Note that  they must be properly  percent\-encoded.  This
proxy  is used  when the  backend connection  is HTTP/2.
First,  make  a CONNECT  request  to  the proxy  and  it
connects  to the  backend  on behalf  of nghttpx.   This
forms  tunnel.   After  that, nghttpx  performs  SSL/TLS
handshake with  the downstream through the  tunnel.  The
timeouts when connecting and  making CONNECT request can
be     specified    by     \fI\%\-\-backend\-read\-timeout\fP    and
\fI\%\-\-backend\-write\-timeout\fP options.
.UNINDENT
.SS Performance
.INDENT 0.0
.TP
.B \-n, \-\-workers=<N>
Set the number of worker threads.
.sp
Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-single\-thread
Run everything in one  thread inside the worker process.
This   feature   is   provided  for   better   debugging
experience,  or  for  the platforms  which  lack  thread
support.   If  threading  is disabled,  this  option  is
always enabled.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-read\-rate=<SIZE>
Set maximum  average read  rate on  frontend connection.
Setting 0 to this option means read rate is unlimited.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-read\-burst=<SIZE>
Set  maximum read  burst  size  on frontend  connection.
Setting  0  to this  option  means  read burst  size  is
unlimited.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-write\-rate=<SIZE>
Set maximum  average write rate on  frontend connection.
Setting 0 to this option means write rate is unlimited.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-write\-burst=<SIZE>
Set  maximum write  burst size  on frontend  connection.
Setting  0 to  this  option means  write  burst size  is
unlimited.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-worker\-read\-rate=<SIZE>
Set maximum average read rate on frontend connection per
worker.  Setting  0 to  this option  means read  rate is
unlimited.  Not implemented yet.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-worker\-read\-burst=<SIZE>
Set maximum  read burst size on  frontend connection per
worker.  Setting 0 to this  option means read burst size
is unlimited.  Not implemented yet.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-worker\-write\-rate=<SIZE>
Set maximum  average write  rate on  frontend connection
per worker.  Setting  0 to this option  means write rate
is unlimited.  Not implemented yet.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-worker\-write\-burst=<SIZE>
Set maximum write burst  size on frontend connection per
worker.  Setting 0 to this option means write burst size
is unlimited.  Not implemented yet.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-worker\-frontend\-connections=<N>
Set maximum number  of simultaneous connections frontend
accepts.  Setting 0 means unlimited.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-connections\-per\-host=<N>
Set  maximum number  of  backend concurrent  connections
(and/or  streams in  case  of HTTP/2)  per origin  host.
This option  is meaningful when \fI\%\-\-http2\-proxy\fP  option is
used.   The  origin  host  is  determined  by  authority
portion of  request URI (or :authority  header field for
HTTP/2).   To  limit  the   number  of  connections  per
frontend        for       default        mode,       use
\fI\%\-\-backend\-connections\-per\-frontend\fP\&.
.sp
Default: \fB8\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-connections\-per\-frontend=<N>
Set  maximum number  of  backend concurrent  connections
(and/or streams  in case of HTTP/2)  per frontend.  This
option  is   only  used  for  default   mode.   0  means
unlimited.  To limit the  number of connections per host
with          \fI\%\-\-http2\-proxy\fP         option,          use
\fI\%\-\-backend\-connections\-per\-host\fP\&.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-rlimit\-nofile=<N>
Set maximum number of open files (RLIMIT_NOFILE) to <N>.
If 0 is given, nghttpx does not set the limit.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-rlimit\-memlock=<N>
Set maximum number of bytes of memory that may be locked
into  RAM.  If  0 is  given,  nghttpx does  not set  the
limit.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-request\-buffer=<SIZE>
Set buffer size used to store backend request.
.sp
Default: \fB16K\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-response\-buffer=<SIZE>
Set buffer size used to store backend response.
.sp
Default: \fB128K\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-fastopen=<N>
Enables  \(dqTCP Fast  Open\(dq for  the listening  socket and
limits the  maximum length for the  queue of connections
that have not yet completed the three\-way handshake.  If
value is 0 then fast open is disabled.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-kqueue
Don\(aqt use  kqueue.  This  option is only  applicable for
the platforms  which have kqueue.  For  other platforms,
this option will be simply ignored.
.UNINDENT
.SS Timeout
.INDENT 0.0
.TP
.B \-\-frontend\-http2\-idle\-timeout=<DURATION>
Specify idle timeout for HTTP/2 frontend connection.  If
no active streams exist for this duration, connection is
closed.
.sp
Default: \fB3m\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-http3\-idle\-timeout=<DURATION>
Specify idle timeout for HTTP/3 frontend connection.  If
no active streams exist for this duration, connection is
closed.
.sp
Default: \fB3m\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-write\-timeout=<DURATION>
Specify write timeout for all frontend connections.
.sp
Default: \fB30s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-keep\-alive\-timeout=<DURATION>
Specify   keep\-alive   timeout   for   frontend   HTTP/1
connection.
.sp
Default: \fB1m\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-header\-timeout=<DURATION>
Specify  duration  that the  server  waits  for an  HTTP
request  header fields  to be  received completely.   On
timeout, HTTP/1 and HTTP/2  connections are closed.  For
HTTP/3,  the  stream  is shutdown,  and  the  connection
itself is left intact.
.sp
Default: \fB1m\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-stream\-read\-timeout=<DURATION>
Specify  read timeout  for HTTP/2  streams.  0  means no
timeout.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-stream\-write\-timeout=<DURATION>
Specify write  timeout for  HTTP/2 streams.  0  means no
timeout.
.sp
Default: \fB1m\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-read\-timeout=<DURATION>
Specify read timeout for backend connection.
.sp
Default: \fB1m\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-write\-timeout=<DURATION>
Specify write timeout for backend connection.
.sp
Default: \fB30s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-connect\-timeout=<DURATION>
Specify  timeout before  establishing TCP  connection to
backend.
.sp
Default: \fB30s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-keep\-alive\-timeout=<DURATION>
Specify   keep\-alive   timeout    for   backend   HTTP/1
connection.
.sp
Default: \fB2s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-listener\-disable\-timeout=<DURATION>
After accepting  connection failed,  connection listener
is disabled  for a given  amount of time.   Specifying 0
disables this feature.
.sp
Default: \fB30s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-http2\-setting\-timeout=<DURATION>
Specify  timeout before  SETTINGS ACK  is received  from
client.
.sp
Default: \fB10s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-http2\-settings\-timeout=<DURATION>
Specify  timeout before  SETTINGS ACK  is received  from
backend server.
.sp
Default: \fB10s\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-backend\-max\-backoff=<DURATION>
Specify  maximum backoff  interval.  This  is used  when
doing health  check against offline backend  (see \(dqfail\(dq
parameter  in \fI\%\-\-backend\fP  option).   It is  also used  to
limit  the  maximum   interval  to  temporarily  disable
backend  when nghttpx  failed to  connect to  it.  These
intervals are calculated  using exponential backoff, and
consecutive failed attempts increase the interval.  This
option caps its maximum value.
.sp
Default: \fB2m\fP
.UNINDENT
.SS SSL/TLS
.INDENT 0.0
.TP
.B \-\-ciphers=<SUITE>
Set allowed  cipher list  for frontend  connection.  The
format of the string is described in OpenSSL ciphers(1).
This option  sets cipher suites for  TLSv1.2 or earlier.
Use \fI\%\-\-tls13\-ciphers\fP for TLSv1.3.
.sp
Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls13\-ciphers=<SUITE>
Set allowed  cipher list  for frontend  connection.  The
format of the string is described in OpenSSL ciphers(1).
This  option  sets  cipher   suites  for  TLSv1.3.   Use
\fI\%\-\-ciphers\fP for TLSv1.2 or earlier.
.sp
Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-client\-ciphers=<SUITE>
Set  allowed cipher  list for  backend connection.   The
format of the string is described in OpenSSL ciphers(1).
This option  sets cipher suites for  TLSv1.2 or earlier.
Use \fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.3.
.sp
Default: \fBECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls13\-client\-ciphers=<SUITE>
Set  allowed cipher  list for  backend connection.   The
format of the string is described in OpenSSL ciphers(1).
This  option  sets  cipher   suites  for  TLSv1.3.   Use
\fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.2 or earlier.
.sp
Default: \fBTLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ecdh\-curves=<LIST>
Set  supported  curve  list  for  frontend  connections.
<LIST> is a  colon separated list of curve  NID or names
in the preference order.  The supported curves depend on
the  linked  OpenSSL  library.  This  function  requires
OpenSSL >= 1.0.2.
.sp
Default: \fBX25519:P\-256:P\-384:P\-521\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-k, \-\-insecure
Don\(aqt  verify backend  server\(aqs  certificate  if TLS  is
enabled for backend connections.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-cacert=<PATH>
Set path to trusted CA  certificate file.  It is used in
backend  TLS connections  to verify  peer\(aqs certificate.
The file must be in PEM format.  It can contain multiple
certificates.  If  the linked  OpenSSL is  configured to
load  system  wide  certificates,  they  are  loaded  at
startup regardless of this option.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-private\-key\-passwd\-file=<PATH>
Path  to file  that contains  password for  the server\(aqs
private key.   If none is  given and the private  key is
password protected it\(aqll be requested interactively.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-subcert=<KEYPATH>:<CERTPATH>[[;<PARAM>]...]
Specify  additional certificate  and  private key  file.
nghttpx will  choose certificates based on  the hostname
indicated by client using TLS SNI extension.  If nghttpx
is  built with  OpenSSL  >= 1.0.2,  the shared  elliptic
curves (e.g., P\-256) between  client and server are also
taken into  consideration.  This allows nghttpx  to send
ECDSA certificate  to modern clients, while  sending RSA
based certificate to older  clients.  This option can be
used  multiple  times.
.sp
Additional parameter  can be specified in  <PARAM>.  The
available <PARAM> is \(dqsct\-dir=<DIR>\(dq.
.sp
\(dqsct\-dir=<DIR>\(dq  specifies the  path to  directory which
contains        *.sct        files        for        TLS
signed_certificate_timestamp extension (RFC 6962).  This
feature   requires   OpenSSL   >=   1.0.2.    See   also
\fI\%\-\-tls\-sct\-dir\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-dh\-param\-file=<PATH>
Path to file that contains  DH parameters in PEM format.
Without  this   option,  DHE   cipher  suites   are  not
available.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-alpn\-list=<LIST>
Comma delimited list of  ALPN protocol identifier sorted
in the  order of preference.  That  means most desirable
protocol comes  first.  The parameter must  be delimited
by a single comma only  and any white spaces are treated
as a part of protocol string.
.sp
Default: \fBh2,http/1.1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-verify\-client
Require and verify client certificate.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-verify\-client\-cacert=<PATH>
Path  to file  that contains  CA certificates  to verify
client certificate.  The file must be in PEM format.  It
can contain multiple certificates.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-verify\-client\-tolerate\-expired
Accept  expired  client  certificate.   Operator  should
handle  the expired  client  certificate  by some  means
(e.g.,  mruby  script).   Otherwise, this  option  might
cause a security risk.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-client\-private\-key\-file=<PATH>
Path to  file that contains  client private key  used in
backend client authentication.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-client\-cert\-file=<PATH>
Path to  file that  contains client certificate  used in
backend client authentication.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-min\-proto\-version=<VER>
Specify minimum SSL/TLS protocol.   The name matching is
done in  case\-insensitive manner.  The  versions between
\fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
enabled.  If the protocol list advertised by client does
not  overlap  this range,  you  will  receive the  error
message \(dqunknown protocol\(dq.  If a protocol version lower
than TLSv1.2 is specified, make sure that the compatible
ciphers are  included in \fI\%\-\-ciphers\fP option.   The default
cipher  list  only   includes  ciphers  compatible  with
TLSv1.2 or above.  The available versions are:
TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
.sp
Default: \fBTLSv1.2\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-max\-proto\-version=<VER>
Specify maximum SSL/TLS protocol.   The name matching is
done in  case\-insensitive manner.  The  versions between
\fI\%\-\-tls\-min\-proto\-version\fP and  \fI\%\-\-tls\-max\-proto\-version\fP are
enabled.  If the protocol list advertised by client does
not  overlap  this range,  you  will  receive the  error
message \(dqunknown protocol\(dq.  The available versions are:
TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
.sp
Default: \fBTLSv1.3\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-ticket\-key\-file=<PATH>
Path to file that contains  random data to construct TLS
session ticket  parameters.  If aes\-128\-cbc is  given in
\fI\%\-\-tls\-ticket\-key\-cipher\fP, the  file must  contain exactly
48    bytes.     If     aes\-256\-cbc    is    given    in
\fI\%\-\-tls\-ticket\-key\-cipher\fP, the  file must  contain exactly
80  bytes.   This  options  can be  used  repeatedly  to
specify  multiple ticket  parameters.  If  several files
are given,  only the  first key is  used to  encrypt TLS
session  tickets.  Other  keys are  accepted but  server
will  issue new  session  ticket with  first key.   This
allows  session  key  rotation.  Please  note  that  key
rotation  does  not  occur automatically.   User  should
rearrange  files or  change options  values and  restart
nghttpx gracefully.   If opening  or reading  given file
fails, all loaded  keys are discarded and  it is treated
as if none  of this option is given.  If  this option is
not given or an error  occurred while opening or reading
a file,  key is  generated every  1 hour  internally and
they are  valid for  12 hours.   This is  recommended if
ticket  key sharing  between  nghttpx  instances is  not
required.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-ticket\-key\-memcached=<HOST>,<PORT>[;tls]
Specify address  of memcached  server to get  TLS ticket
keys for  session resumption.   This enables  shared TLS
ticket key between  multiple nghttpx instances.  nghttpx
does not set TLS ticket  key to memcached.  The external
ticket key generator is required.  nghttpx just gets TLS
ticket  keys  from  memcached, and  use  them,  possibly
replacing current set  of keys.
Batosay - 2023
IDNSEO Team