Server configuration
nevisProxy server properties are configured via the four tags Service, Core, Timer, and Server. The Qos tag defines some frequently used attributes of Apache's quality of the service module mod_qos. By setting the Qos tag parameters, you enable a basic protection against denial of service (DoS) attacks. The Qos tag is optional.
Service
The attributes in the following table are only relevant for integration purposes and are mainly documented here as a reference. If nevisProxy is installed using the delivered package, none of these parameters need to be changed. The Service section does not contain any operation-relevant parameters (e.g., scaling).
Name | Type, Usage constraints, Defaults | Description |
---|---|---|
commandLine | string optional, advanced, supports variable replacement | The attribute 'commandLine' configures the command line arguments that will be used for starting the server. Example: commandLine="-X" starts the Apache server in debug mode. With the commandline argument NAVAJOgroup=<group-name> the group of the initial process can be configured. If configured, a 'setgid(..) call will be made. If an error occurs, an error message will be traced on 'stderr' but without terminating the process. |
hostTemplate | string required, advanced, supports variable replacement, default:/opt/nevisproxy/etc/host2.template | The attribute 'hostTemplate' specifies the path to the template file used for creating the host part of the generated Apache configuration file (httpd.conf). It is not recommended to change this setting. |
name | string optional, advanced, supports variable replacement default: isi3web | The attribute 'name' is a logical name. It is reserved for future use (e.g., running several services in one carrier server). This value should not be changed. |
spoolDir | string required, advanced, supports variable replacement default: <spool_dir> | The path of the spooldir, i.e., the directory that contains the directory 'logs' for log files and 'run' for runtime data. This value should not be changed (must not be an NFS-mounted directory). |
serverTemplate | string required, advanced, supports variable replacement default: /opt/nevisproxy/etc/server2.template | The attribute 'serverTemplate' specifies the path to the template file used to create the server part of the generated Apache 2 configuration file. Should not be changed. (Changing that file is a way of including additional Apache1/2 modules. However, that should not be necessary. Contact Nevis if you think you need additional modules.) |
verbose | boolean: true, false optional, troubleshooting default: false | The attribute 'verbose' specifies server verbosity. If set to 'true', the message of all caught exceptions is sent to the client. Should be set to 'false' in production. |
crashRecoveryStrategy | enum: recover, block, kill; default: recover | Specifies what should happen after a worker crash. By default, the child process is recovered by the parent process. This is the recommended strategy for classic deployments. If block is configured, after a worker crash every request will be blocked by 503 Service Unavailable status code. If kill is configured, the whole nevisproxy process (including the parent process) will be killed. This works only if the owner of the child process has the rights to kill the parent process (for example in some Kubernetes setups). If the parent cannot be killed, then the behaviour will be the same as block . The strategies block and kill are mainly designed for Kubernetes setups with an automated liveness monitoring, so the given pod can be terminated normally in case of a crash. If you set block or kill for a classic deployment, make sure to setup an automated procedure to restart nevisProxy after a crash. Note for testing: with the strategy block and kill , the blocking takes place only if at least one request is in processing when the crash occurs. |
Core
The attributes in the following table are only relevant for integration purposes and are mainly documented here for reference. If nevisProxy is installed using the delivered package, none of these parameters needs to be changed. The Core section does not contain any operation-relevant parameters.
workDir
Type: String
Usage Constraints: required
Default: <spool_dir>/run
The attribute workDir configures the directory for the internal files. Should not be changed (may not be an NFS-mounted directory).
Timer
Timers are used to trigger asynchronous functions like the periodic check of the session cache for expired sessions.
periodicity
Type: Integer
Unit: seconds
Default: 60
Configures the periodicity of the internal timer. A session with an absolute timeout of 2 hours would therefore have a real maximum lifetime of 2 hours and 60 seconds, in this case. Setting the value to a lower number, in turn, leads to more load.
OpenTelemetry
The OpenTelemetry integration is experimental, and prone to changes. Check regularly the release notes for updates.
The OpenTelemetry configuration tag integrates the OpenTelemetry standard to export observability data to a variety of open source and commercial backends.
This tag contains the tags Trace and Metrics.
Trace
The Trace configuration tag contains the values that are used to send tracing information to the OpenTelemetry service.
ExporterType
Type: Enum
Possible values: http
Default: http
Configures the protocol used for communicating with the traces endpoint.
ExporterAddress
Type: String
Usage Constraints: required if ExporterType is set to http
Syntax: <hostname>:<port>
Target URL to which the exporter sends spans. The /v1/traces
path is automatically attached to it.
PropagateContextExtract
Type: Boolean
Usage Constraints: optional
Default: true
If present, extracts the trace context from the HTTP request header and sets it as parent for the current span.
PropagateContextInject
Type: Boolean
Usage Constraints: optional
Default: true
Injects the current context (span ID, trace ID, etc) as a HTTP header to the request.
ResourceServiceName
Type: String
Usage Constraints: optional
Default: nevisproxy
Allows the configuration of the service.name
key-value pair resource attribute.
CaptureRequestHeaders
Type: String
Usage Constraints: optional
Default: Content-Type, Content-Length, User-Agent, Referer, Host, X-Forwarded-For
A comma-separated list of HTTP header names. HTTP client instrumentation will capture HTTP request header values for all configured header names.
CaptureResponseHeaders
Type: String
Usage Constraints: optional
Default: Content-Type, Content-Length, Content-Encoding, Location, Server, Connection, Keep-Alive, X-Forwarded-For
A comma-separated list of HTTP header names. HTTP client instrumentation will capture HTTP response header values for all configured header names.
Metrics
The Metrics configuration tag contains the values that are used to send metrics information to the OpenTelemetry service.
ExporterType
Type: Enum
Usage Constraints: optional
Possible values: http
Default: http
Configures the protocol used for communicating with the metrics endpoint.
ExporterAddress
Type: String
Usage Constraints: required if ExporterType is set to http
Syntax: <hostname>:<port>
Target URL to which the exporter sends metrics like number of session or used memory etc. The /v1/metrics
path is automatically attached to it.
Timeout
Type: Integer
Unit: milliseconds
Usage Constraints: optional
Default: 30000
Length of time the export can run before it is cancelled.
Interval
Type: Integer
Unit: seconds
Usage Constraints: optional
Default: 60
Number of seconds for the telemetric's metric reader to initiate metric collection.
ResourceServiceName
Type: String
Usage Constraints: optional
Default: nevisproxy
Allows the configuration of the service.name
key-value pair resource attribute.
Trace example
A request trace contains the following extra attributes:
url.full
: Request URLurl.scheme
: HTTP request schemeclient.address
: Client IP of the requestsession.id
: session ID of the requesthttp.request.method
: HTTP request methodhttp.header.request.<header_name>
: list of request headershttp.header.response.<header_name>
: list of response headershttp.response.status_code
: Status code of the response
A sample request trace:
2024-03-22T12:58:33.662Z info TracesExporter {"kind": "exporter", "data_type": "traces", "name": "logging", "resource spans": 1, "spans": 1}
2024-03-22T12:58:33.666Z info ResourceSpans #0
Resource SchemaURL:
Resource attributes:
-> telemetry.sdk.version: Str(1.12.0)
-> telemetry.sdk.name: Str(opentelemetry)
-> telemetry.sdk.language: Str(cpp)
-> service.version: Str(8.2405.0)
-> host.name: Str(localhost.localdomain)
-> service.name: Str(nevisproxy)
ScopeSpans #0
ScopeSpans SchemaURL:
InstrumentationScope nevisproxy
Span #0
Trace ID : afa1f2963d9321f770d70e745ccecda1
Parent ID :
ID : d1ddd32027068451
Name : /test/
Kind : Server
Start time : 2024-03-22 12:58:33.614221449 +0000 UTC
End time : 2024-03-22 12:58:33.616207439 +0000 UTC
Status code : Unset
Status message :
Attributes:
-> url.full: Str(https://localhost/test/)
-> url.scheme: Str(https)
-> http.request.method: Str(GET)
-> client.address: Str(10.0.2.15)
-> http.header.request.User-Agent: Str(Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0)
-> http.header.request.Cookie: Str(NPSession=9442007f0100QQwl9qElSUjnTlGkr9ROmDfW3vXtQQLzcr1JEFu1BuAFVI)
-> http.header.request.Host: Str(localhost)
-> session.id: Str(<NULL>)
-> http.response.status_code: Int(200)
-> http.header.response.Content-Type: Str(text/html)
{"kind": "exporter", "data_type": "traces", "name": "logging"}
Metrics example
The list of servlets providing metrics:
- LocalSessionStoreServlet
- MySQLSessionStoreServlet
- PostgreSQLSessionStoreServlet
- Http(s)ConnectorServlet
- Esauth4ConnectorServlet
- WebSocketServlet
While the session store servlets provide metrics about session usage:
nevisproxy.db.<db_type>.used
: number of active usersnevisproxy.db.<db_type>.timed_out
: number of timed out usersnevisproxy.db.<db_type>.deleted
: number of removed users (mysql and postgres)nevisproxy.db.<db_type>.zombies
: number of zombie entries (mysql and postgres)nevisproxy.db.local.memory.used
: used memory (only for local)nevisproxy.db.local.memory.available
: available memory (only for local)
The connectors provide metrics about their all of their configured resources availability and load:
nevisproxy.connector.http.<resource_name>.<resource_port>.reqPerSec
: Request per seconds on the given resourcenevisproxy.connector.http.<resource_name>.<resource_port>.valid
: Availability of the resourcenevisproxy.connector.http.<resource_name>.<resource_port>.load
: Load on the resource
Session store servlet metrics example
An example metrics provided by the LocalSessionStoreServlet:
2024-03-22T13:23:46.629Z info MetricsExporter {"kind": "exporter", "data_type": "metrics", "name": "logging", "resource metrics": 1, "metrics": 7, "data points": 14}
2024-03-22T13:23:46.630Z info ResourceMetrics #0
Resource SchemaURL:
Resource attributes:
-> telemetry.sdk.version: Str(1.12.0)
-> telemetry.sdk.name: Str(opentelemetry)
-> telemetry.sdk.language: Str(cpp)
-> service.version: Str(8.2405.0)
-> host.name: Str(localhost.localdomain)
-> service.name: Str(defaultInstance)
ScopeMetrics #1
ScopeMetrics SchemaURL:
InstrumentationScope LocalSessionStoreServlet
Metric #0
Descriptor:
-> Name: nevisproxy.db.local.memory.available
-> Description:
-> Unit: Bytes
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 1073653984
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 1
Metric #1
Descriptor:
-> Name: nevisproxy.db.local.memory.used
-> Description:
-> Unit: Bytes
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 81304
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 1
Metric #2
Descriptor:
-> Name: nevisproxy.db.local.timed_out
-> Description:
-> Unit:
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 0
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 1
Metric #3
Descriptor:
-> Name: nevisproxy.db.local.used
-> Description:
-> Unit:
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 0
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623341289 +0000 UTC
Value: 1
{"kind": "exporter", "data_type": "metrics", "name": "logging"}
Connector servlet metrics example
An example metrics provided by the HttpConnectorServlet:
2024-03-22T13:23:46.629Z info MetricsExporter {"kind": "exporter", "data_type": "metrics", "name": "logging", "resource metrics": 1, "metrics": 7, "data points": 14}
2024-03-22T13:23:46.630Z info ResourceMetrics #0
Resource SchemaURL:
Resource attributes:
-> telemetry.sdk.version: Str(1.12.0)
-> telemetry.sdk.name: Str(opentelemetry)
-> telemetry.sdk.language: Str(cpp)
-> service.version: Str(8.2405.0)
-> host.name: Str(localhost.localdomain)
-> service.name: Str(defaultInstance)
ScopeMetrics #0
ScopeMetrics SchemaURL:
InstrumentationScope HttpConnectorServlet
Metric #0
Descriptor:
-> Name: nevisproxy.connector.http.localhost.8080.reqPerSec
-> Description:
-> Unit:
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623301228 +0000 UTC
Value: 0.000000
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623301228 +0000 UTC
Value: 1.000000
Metric #1
Descriptor:
-> Name: nevisproxy.connector.http.localhost.8080.load
-> Description:
-> Unit:
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623301228 +0000 UTC
Value: 0
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623301228 +0000 UTC
Value: 1
Metric #2
Descriptor:
-> Name: nevisproxy.connector.http.localhost.8080.valid
-> Description:
-> Unit:
-> DataType: Sum
-> IsMonotonic: false
-> AggregationTemporality: Cumulative
NumberDataPoints #0
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623301228 +0000 UTC
Value: 1
NumberDataPoints #1
Data point attributes:
-> type: Str(nevis-product-analytics)
StartTimestamp: 2024-03-22 13:22:06.61830423 +0000 UTC
Timestamp: 2024-03-22 13:23:46.623301228 +0000 UTC
Value: 1
Server
The Server configuration tag contains the values that are used for the server part of the generated Apache configuration. The next table describes the relevant attributes. Note that all these attributes support variable replacement.
All listed parameters are directives of the Apache carrier server. They are documented in the corresponding Apache documentation: official Apache documentation.
Name | Type, Usage constraints, Default | Description |
---|---|---|
User | string required, advanced default: @PROXY_RT_USER@ | The attribute User configures the owner of the running nevisProxy process. Should not be changed, as changes may lead to permission problems. If you set this attribute yourself, make sure that the ownership of the configuration, log files, and access to the binaries are set accordingly. |
Group | string required, advanced default: @PROXY_RT_GROUP@ | The attribute Group configures the process group of the current nevisProxy process. Should not be changed, as changes may lead to permission problems. If you set this attribute yourself, make sure that the ownership of the configuration, log files, and access to the binaries are set accordingly. |
KeepAlive | enum: on, off optional, advanced default: on | The attribute KeepAlive configures the HTTP keepalive behavior of the frontend connectors of nevisProxy. If set to "on", it enables HTTP persistent connections. The thread or process remains bound to the client and cannot be used by others during the time period defined by the attribute KeepAliveTimeout. |
KeepAliveTimeout | integer [seconds] optional scaling, advanced default: 5 | Defines the number of seconds Apache HTTPD will wait for a subsequent request before closing the connection. By adding the postfix ms the timeout can be also set in milliseconds. |
MaxKeepAliveRequests | integer optional, scaling default: 100 | The attribute MaxKeepAliveRequests limits the number of requests allowed per connection when the attribute KeepAlive is "on". If it is set to "0", an unlimited number of requests is allowed. It is recommended setting a high value for maximum server performance. |
MaxClients | integer optional, scaling default: 600 | MaxClients is the old name for the attribute MaxRequestWorkers. The attribute limits the number of simultaneous requests that will be served. |
MaxRequestsPerChild | integer optional, advanced default: 0 (unlimited) | MaxRequestsPerChild is the old name for the MaxConnectionsPerChild attribute. It limits the number of connections that an individual child server process will handle. After MaxRequestsPerChild connections, the child process will die. If the value of the attribute is "0", the process will never expire. Should not be changed. |
Timeout | integer [sec] optional, scaling default: 30 | Amount of time the server will wait for certain events before failing a request. |
LimitRequestLine | integer [byte] optional, security default: 5120 | Limits the size of the HTTP request line that will be accepted from the client. |
LimitRequestBody | integer [byte] optional, scaling default: 512000 | The attribute specifies the number of bytes that are allowed in a request body. It restricts the total size of the HTTP request body sent from the client. Allowed are integers from "0" (meaning unlimited) to "2147483647" (2GB). |
LimitRequestFields | integer [byte] optional, security default: 50 | Limits the number of HTTP request header fields that will be accepted from the client. Allowed are integers from "0" (meaning unlimited) to "32767". |
LimitRequestFieldsize | integer [byte] optional, security default: 5120 | Limits the size of the HTTP request header allowed from the client. |
LimitRequestParameters | integer optional, security default: 10’000 | The maximum number of parameters allowed in a request. |
Loglevel | enum optional, troubleshooting, default: notice | The Loglevel attribute adjusts the verbosity of the messages recorded in the error logs (see the ErrorLog attribute). The directive Loglevel can be used to configure per-module log levels. Specifying a level without a module name will reset the level for all modules to that level. Specifying a level with a module name will set the level for that module only. An example configuration to configure the removed SSLLogLevel directive might look like this: Loglevel="info ssl:debug". For the available options, see the official Apache documentation. |
ErrorLog | string required, advanced default: ""\|@PKG_HOME@/bin/bclogmgr size=1000000 archives=10 @PKG_VAR@/@PKG_INSTANCE@/logs/apache.log"" | Location where the server will log errors ("apache.log" by default). In the pkg default configuration, the file rotation of the error log is enabled using the bclogmgr . Note: The character ” must be escaped in XML using " . Notes about configuring a custom location: The directory containing the logs must exist when starting the instance. The nevisProxy user must be able to read and write in this directory. See its username and group in the <Server> element of the navajo.xml file. |
TransferLog | string optional, basic feature, default: ""\|@PKG_HOME@/bin/bclogmgr size=10000000 archives=10 @PKG_VAR@/@PKG_INSTANCE@/logs/access.log"" | Specifies the location of the access log file. In the pkg default configuration, the file rotation of the error log is enabled using the bclogmgr . Note: The character ” must be escaped in XML using " . Notes about configuring a custom location: The directory containing the logs must exist when starting the instance. The nevisProxy user must be able to read and write in this directory. See its username and group in the <Server> element of the navajo.xml file. See also Enabling the Apache transfer log. |
CustomLog | string optional, advanced feature, default: ""\|@PKG_HOME@/bin/qslog -f ISBDUkEa -x -u @PROXY_RT_USER@ -o @PKG_VAR@/@PKG_INSTANCE@/logs/stat.log" "%h %>s %b %D %{clID}e %k %{Event}e %{dTr1B}e"" | Configures an additional log facility. Note: The character ” must be escaped in XML using " . Notes about configuring a custom location: The directory containing the logs must exist when starting the instance. The nevisProxy user must be able to read and write in this directory. See its username and group in the <Server> element of the navajo.xml file. See also Using the Apache CustomLog. |
LogFormat | string optional, advanced default: ""%h %l %u %t \"%r\" %>s %b %{content-length}i %T \"%{Referer}i\" \"%{User-Agent}i\" trID=%{UNIQUE_ID}e"" | This attribute specifies the format of the access log file. Note: The character ” must be escaped in XML using " |
ServerName | string required, basic connectivity default: DNS name of the machine | The attribute ServerName sets the request scheme, hostname and port that the server uses to identify itself. Syntax: `[scheme://]domain-name |
ServerRoot | string required, advanced default: @PKG_VAR@/@PKG_INSTANCE@ | The attribute ServerRoot configures the root directory of the Apache web server. Should not be changed. |
ServerSignature | enum: On, Off, EMail optional default: Off | Configures the Apache directive "ServerSignature". Usually this should not be changed. |
ServerTokens | enum: Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full optional, advanced default: Prod | This attribute controls whether the Server response header field, which is sent back to clients, includes a description of the generic OS-type of the server as well as information about compiled-in modules. Possible values:
|
Include | string optional, advanced default: not set | Use this attribute to include any additional Apache configuration fragment. |
CoreDumpDirectory | string optional, troubleshooting default: not set | The attribute CoreDumpDirectory configures the directory to which the Apache web server writes core files. |
UseCanonicalName | enum: On, Off, DNS optional, troubleshooting default: On | Configures how the server determines its own name and port. For more information, see the official Apache documentation. |
ThreadStackSize | integer optional, scaling default: 1048576 | Defines the size in bytes of the stack used by threads handling client connection. See also Appendix G - Sizing Parameters in the Nevis Proxy. |
HttpProtocolOptions | string optional, advanced default: not set | Modifies restrictions on HTTP Request Messages.Syntax: `[Strict |
SSLPassPhraseDialog | string optional, advanced default: ‘builtin’ | The attribute SSLPassPhraseDialog configures the passphrase retriever used by mod_ssl. Only the "builtin" option is supported. For information on how the passwords for password protected keys are fetched, see the description of the bc-properties bc.security.PassPhrasePolicy and bc.security.PassPhraseDialog in the chapter Low-level properties. |
SSLSessionCacheTimeout | integer optional default: 300 | Defines the number of seconds before an SSL session expires in the Session Cache. This directive sets the timeout in seconds for the information stored in the global/inter-process SSL Session Cache, the OpenSSL internal memory cache and for sessions resumed by TLS session resumption (RFC 5077). It can be set as low as 15 for testing, but should be set to higher values like 300 in real life. If you use an own SSLCache or RemoteSSLCache, the system ignores the SSLSessionCacheTimeout parameter. |
SSLSessionCache | string , optional , default: shmcb:@PKG_VAR@/@PKG_INSTANCE@/run/apache_shmcb" | This attribute defines the TLS session cache. The following value options are available: "None" This setting disables the global/inter-process TLS session cache. It will incur a noticeable speed penalty and may cause problems if using certain browsers, particularly if client certificates are enabled. We do not recommend this setting. "Nonenotnull" This setting disables any global/inter-process TLS session cache. However, the setting does force OpenSSL to send a non-null session ID, to accommodate buggy clients that require one. "shmcb:/path/to/datafile[(size) This setting makes use of a high-performance cyclic buffer (approx. (size) bytes in size) inside a shared memory segment in RAM (established via/path/to/datafile*), to synchronize the local OpenSSL memory caches of the server processes. The default parameter of SSLSessionCache refers to the generated xml’s content. Removing the parameter sets the SSLSessionCache to none. |