|
<!--
|
|
Wt Configuration File.
|
|
|
|
The Wt configuration file manages, for every Wt application, settings
|
|
for session management, debugging, directory for runtime information
|
|
such as session sockets, and some security settings.
|
|
|
|
Settings may be specified globally, or for a single application path.
|
|
|
|
The path should be as configured in the Wt build process, where it
|
|
defaults to /etc/wt/wt_config.xml. It can be overridden in the environment
|
|
variable WT_CONFIG_XML, or with the -c startup option of wthttpd.
|
|
|
|
The values listed here are the default values, which are used when the
|
|
declaration is missing or no configuration file is used.
|
|
-->
|
|
|
|
<server>
|
|
|
|
<!-- Default application settings
|
|
|
|
The special location "*" always matches. See below for an example
|
|
of settings specific to a single application.
|
|
-->
|
|
<application-settings location="*">
|
|
|
|
<!-- Session management. -->
|
|
<session-management>
|
|
<!-- Every session runs within a dedicated process.
|
|
|
|
This mode guarantees kernel-level session privacy, but as every
|
|
session requires a seperate process, it is also an easy target
|
|
for DoS attacks if not shielded by access control.
|
|
|
|
It is also a convenient mode during development, as it is easy
|
|
to enable disable debugging using valgrind, and it always starts
|
|
the latest deployed executable for a new session.
|
|
|
|
Note: currently only supported using the FastCGI connector
|
|
-->
|
|
|
|
<!--
|
|
<dedicated-process>
|
|
<max-num-sessions>100</max-num-sessions>
|
|
</dedicated-process>
|
|
-->
|
|
|
|
<!-- Multiple sessions within one process.
|
|
|
|
This mode spawns a number of processes, and sessions are
|
|
allocated randomly to one of these processes (you should not
|
|
use this for dynamic FCGI servers, but only in conjunction
|
|
with a fixed number of static FCGI servers.
|
|
|
|
This requires careful programming, as memory corruption in one
|
|
session will kill all of the sessions in the same process. You
|
|
should debug extensively using valgrind. Also, it is your
|
|
responsibility to keep session state not interfering and
|
|
seperated.
|
|
|
|
On the other hand, sessions are inexpensive, and this mode
|
|
suffers far less from DoS attacks than dedicated-process mode.
|
|
Use it for non-critical and well-debugged web applications.
|
|
|
|
Note: wthttpd always uses exactly one process
|
|
-->
|
|
<shared-process>
|
|
<num-processes>1</num-processes>
|
|
</shared-process>
|
|
|
|
<!-- Session tracking strategy.
|
|
|
|
Possible values:
|
|
Auto: cookies is available, otherwise URL rewriting
|
|
URL: only URL rewriting
|
|
-->
|
|
<tracking>URL</tracking>
|
|
|
|
<!-- How reload should be handled.
|
|
|
|
When reload should (or rather, may) spawn a new session, then
|
|
even in the case cookies are not used for session management,
|
|
the URL will not be cluttered with a sessionid.
|
|
However, WApplication::refresh() will never be called.
|
|
-->
|
|
<reload-is-new-session>false</reload-is-new-session>
|
|
|
|
<!-- Session timeout (seconds).
|
|
|
|
When a session remains inactive for this amount of time, it is
|
|
cleaned up.
|
|
-->
|
|
<timeout>600</timeout>
|
|
|
|
<!-- Server push timeout (seconds).
|
|
|
|
When using server-initiated updates, the client uses
|
|
long-polling requests. Proxies (including reverse
|
|
proxies) are notorious for silently closing idle
|
|
requests; the client therefore cancels the request
|
|
periodically and issues a new one. This timeout sets
|
|
the frequency.
|
|
-->
|
|
<server-push-timeout>50</server-push-timeout>
|
|
</session-management>
|
|
|
|
<!-- Settings that apply only to the FastCGI connector.
|
|
|
|
To configure the wthttpd connector, use command line options, or
|
|
configure default options in /etc/wt/wthttpd
|
|
-->
|
|
<connector-fcgi>
|
|
<!-- Valgrind path
|
|
|
|
If debugging is enabled and this path is not empty, then valgrind
|
|
will be started for every shared process, or for every session
|
|
which has ?debug appended to the command line.
|
|
|
|
The variable is slighly misnamed. Not only a path can be set,
|
|
but also options, like for example:
|
|
|
|
/usr/bin/valgrind - -leak-check=full
|
|
-->
|
|
<valgrind-path></valgrind-path>
|
|
|
|
<!-- Run directory
|
|
|
|
Path used by Wt to do session management.
|
|
-->
|
|
<run-directory>${RUNDIR}</run-directory>
|
|
|
|
<!-- Number of threads per process
|
|
|
|
This configures the size of the thread pool. You may
|
|
want to change this value if you would like to support
|
|
reentrant event loops, where you block one event loop
|
|
using WDialog::exec() or related static
|
|
methods. Everytime you enter such an event loop, one
|
|
thread is blocked, and therefore the total number of
|
|
sessions that reliably can do this is limited to the
|
|
number of thread you have (minus one to unblock).
|
|
|
|
For the built-in http connector, there is a similar
|
|
config option that is specified in the whttpd config
|
|
file or on the command line (-t).
|
|
|
|
The default value is 1.
|
|
-->
|
|
<num-threads>1</num-threads>
|
|
|
|
</connector-fcgi>
|
|
|
|
<!-- Settings that apply only to the MS IIS ISAPI connector.
|
|
|
|
To configure the wthttpd connector, use command line options, or
|
|
configure default options in /etc/wt/wthttpd
|
|
-->
|
|
<connector-isapi>
|
|
<!-- Number of threads per process
|
|
|
|
This configures the number of threads that will be used
|
|
to handle Wt requests. The IIS internal threads are never
|
|
used to do any processing; all requests are forwarded to
|
|
be handled in this threadpool. Rather than to configure a
|
|
so-called 'web-garden' in IIS, increase this number. The
|
|
ISAPI connector will not work correctly when a web-garden
|
|
is configured.
|
|
|
|
You may want to change this value if you would like to
|
|
support more reentrant event loops, where you block one
|
|
event loop using WDialog::exec() or related static
|
|
methods. Everytime you enter such an event loop, one
|
|
thread is blocked, and therefore the total number of
|
|
sessions that reliably can do this is limited to the
|
|
number of thread you have (minus one to unblock).
|
|
|
|
You may also want to increase this number if your Wt
|
|
application is regularly waiting for IO (databases, network,
|
|
files, ...). If this number is too low, all threads could
|
|
be waiting for IO operations to complete while your CPU
|
|
is idle. Increasing the number of threads may help.
|
|
|
|
Computing intensive applications may also increase this number,
|
|
even though it is better to offload computations to a helper
|
|
thread and user server push or a WTimer to check for
|
|
completion of the task in order to keep your GUI responsive
|
|
during the computations.
|
|
|
|
The default value is 10.
|
|
-->
|
|
<num-threads>10</num-threads>
|
|
|
|
<!-- Maximum Request Size spooled in memory (Kb)
|
|
|
|
Normally, Wt keeps incoming requests (POST data) in memory.
|
|
However, malicious users could send a big POST and as such
|
|
use up all memory of your HTTP server. With this parameter,
|
|
you tune how big a request can be before Wt spools it in a
|
|
file before processing it. Legitimate big POST messages may
|
|
occur when users are expected to upload files.
|
|
|
|
See also max-request-size.
|
|
|
|
The default value is 128K, which is more than enough for
|
|
any interactive Wt event.
|
|
-->
|
|
<max-memory-request-size>128</max-memory-request-size>
|
|
</connector-isapi>
|
|
|
|
<!-- Javascript debug options
|
|
|
|
Values:
|
|
- true: JavaScript errors are not caught but the browser
|
|
built-in debug options are used
|
|
- stack: JavaScript errors are caught but also a stack trace
|
|
is printed, useful for diagnosing a problem in production
|
|
- false: JavaScript errors are caught and a simple error message
|
|
is printed to indicate that something is terribly wrong
|
|
-->
|
|
<debug>false</debug>
|
|
|
|
<!-- Log file
|
|
|
|
When the log file is empty, or omitted, logging is done to
|
|
stderr. This may end up in the web server error log file
|
|
(e.g. for apache + fastcgi module), or on stderr (e.g. for
|
|
the built-in httpd).
|
|
-->
|
|
<log-file></log-file>
|
|
|
|
<!-- Logger configuration
|
|
|
|
This configures the logger. With the default configuration,
|
|
everything except for debugging messages are logged.
|
|
|
|
The configuration is a string that defines rules for
|
|
enabling or disabling certain logging. It is a white-space
|
|
delimited list of rules, and each rule is of the form:
|
|
|
|
[-]level : enables (or disables) logging of messages of
|
|
the given level; '*' is a wild-card that matches all
|
|
levels
|
|
|
|
[-]level:scope : enables (or disables) logging of
|
|
messages of the given level and scope; '*' is a wild-card
|
|
that matches all levels or scopes. The default
|
|
configuration is "* -debug", i.e. by default everything
|
|
is logged, except for "debug" messages.
|
|
|
|
Some other examples:
|
|
|
|
"* -debug debug:wthttp": logs everything, including
|
|
debugging messages of scope "wthttp", but no other
|
|
debugging messages.
|
|
|
|
"* -info -debug": disables logging of info messages
|
|
in addition to debugging messages.
|
|
|
|
Note debugging messages are only emitted when debugging
|
|
has been enabled while building Wt.
|
|
-->
|
|
<log-config>* -debug</log-config>
|
|
|
|
<!-- Maximum HTTP request size (Kb)
|
|
|
|
Maximum size of an incoming POST request. This value must be
|
|
increased when the user is allowed to upload files.
|
|
-->
|
|
<max-request-size>128</max-request-size>
|
|
|
|
<!-- Session id length (number of characters) -->
|
|
<session-id-length>16</session-id-length>
|
|
|
|
<!-- DoS prevention: limit plain HTML sessions
|
|
|
|
This is a simple measure which avoids Denial-of-Service
|
|
attacks on plain HTML sessions, which are easy to mount in
|
|
particular in the case of progressive bootstrap mode.
|
|
|
|
This setting may be used to keep the ratio of plain HTML
|
|
versus Ajax sessions under a certain ratio. Typically, most
|
|
of your sessions will be Ajax sessions, and only a tiny
|
|
fraction (e.g. less than 5%) will be plain HTML
|
|
sessions. This ratio is only enforced when more than 20 sessions
|
|
have been created.
|
|
-->
|
|
<plain-ajax-sessions-ratio-limit>1</plain-ajax-sessions-ratio-limit>
|
|
|
|
<!-- DoS prevention: adds a puzzle to validate Ajax sessions
|
|
|
|
This is a simple measure which avoids Denial-of-Service
|
|
attacks on Ajax sessions.
|
|
|
|
When enabled, a puzzle needs to be solved in the first Ajax
|
|
request which eliminates agents that do not build a proper
|
|
DOM tree.
|
|
-->
|
|
<ajax-puzzle>false</ajax-puzzle>
|
|
|
|
<!-- Send the XHTML mime type when appropriate
|
|
|
|
Wt renders XHTML1 (XML variant of HTML) that is backward-compatible
|
|
with HTML. Using XHTML, Wt is capable of supporting XHTML-only
|
|
features such as embedded SVG or MathML.
|
|
|
|
When enabled, JWt sets an XHTML mime-type
|
|
(application/xhtml+xml) when the browser reports support
|
|
for it. Most notably, Internet Explorer does not support
|
|
it. Because XHTML and HTML are slightly different with
|
|
respect to default CSS rules, you may want to disable
|
|
sending the XHTML mime-type alltogether, at least if you
|
|
are not using SVG (used by the WPaintedWidget). -->
|
|
<send-xhtml-mime-type>false</send-xhtml-mime-type>
|
|
|
|
<!-- Do strict serialization of events.
|
|
|
|
By default events are queued at the client-side, and
|
|
transmitted to the server so that at any time only one
|
|
request/response is pending. This scheme has a quality that
|
|
resembles TCP: on a low-latency link you allow the
|
|
transmission of many smaller requests, while on a high
|
|
latency link, events will be propagated less often, but in
|
|
batches.
|
|
|
|
In any case, this scheme does not drop events, no matter
|
|
how quickly they are generated.
|
|
|
|
In rare cases, the scheme may result in unwanted behaviour,
|
|
because the client-side is allowed to be slighly out of
|
|
sync at the time an event is recorded with the server-side
|
|
(and more so on high-latency links). The drastic
|
|
alternative is to discard events while a response is
|
|
pending, and can be configured by setting this option to
|
|
true.
|
|
-->
|
|
<strict-event-serialization>false</strict-event-serialization>
|
|
|
|
<!-- Enables web socket.
|
|
|
|
By default Ajax and long polling are used to communicate
|
|
between server and browser.
|
|
|
|
By enabling web socket support, if the browser supports
|
|
WebSockets, then WebSocket is the protocol used for
|
|
communication between client and server. WebSockets are
|
|
currently only supported by the built-in httpd Connector,
|
|
which acts as both an HTTP and WebSocket server. The WebSocket
|
|
protocol is intentionally not compatible with HTTP, through
|
|
a special hand-shake mechanism, and requires
|
|
that all (reverse) proxy servers also have explicit support
|
|
for this protocol.
|
|
|
|
This feature is still experimental: the Web Sockets RFC is
|
|
still a draft. Wt implements up to version 17 of the draft
|
|
(latest as of November 2011).
|
|
-->
|
|
<web-sockets>false</web-sockets>
|
|
|
|
<!-- Redirect message shown for browsers without JavaScript support
|
|
|
|
By default, Wt will use an automatic redirect to start the
|
|
application when the browser does not support
|
|
JavaScript. However, browsers are not required to follow
|
|
the redirection, and in some situations (when using XHTML),
|
|
such automatic redirection is not supported.
|
|
|
|
This configures the text that is shown in the anchor which
|
|
the user may click to be redirected to a basic HTML version
|
|
of your application.
|
|
-->
|
|
<redirect-message>Load basic HTML</redirect-message>
|
|
|
|
<!-- Whether we are sitting behind a reverse proxy
|
|
|
|
When deployed behind a reverse proxy (such as Apache or Squid),
|
|
the server location is not read from the "Host" header,
|
|
but from the X-Forwarded-For header, if present.
|
|
-->
|
|
<behind-reverse-proxy>false</behind-reverse-proxy>
|
|
|
|
<!-- Whether inline CSS is allowed.
|
|
|
|
Some Wt widgets will insert CSS rules in the the inline
|
|
stylesheet when first used. This can be disabled using this
|
|
configuration option.
|
|
|
|
Note: some widgets, such as WTreeView and WTableView,
|
|
dynamically manipulate rules in this stylesheet, and will
|
|
no longer work properly when inline-css is disabled.
|
|
-->
|
|
<inline-css>true</inline-css>
|
|
|
|
<!-- The timeout before showing the loading indicator.
|
|
|
|
The value is specified in ms.
|
|
-->
|
|
<indicator-timeout>500</indicator-timeout>
|
|
|
|
<!-- Ajax user agent list
|
|
|
|
Wt considers three types of sessions:
|
|
- Ajax sessions: use Ajax and JavaScript
|
|
- plain HTML sessions: use plain old server GETs and POSTs
|
|
- bots: have clean internal paths and no persistent sessions
|
|
|
|
By default, Wt does a browser detection to distinguish between
|
|
the first two: if a browser supports JavaScript (and has it
|
|
enabled), and has an Ajax DOM API, then Ajax sessions are chosen,
|
|
otherwise plain HTML sessions.
|
|
|
|
Here, you may indicate which user agents should or should
|
|
not receive an Ajax session regardless of what they report as
|
|
capabilities.
|
|
|
|
Possible values for 'mode' or "white-list" or "black-list". A
|
|
white-list will only treat the listed agents as supporting Ajax,
|
|
all other agents will be served plain HTML sessions. A black-list
|
|
will always server plain HTML sessions to listed agents and
|
|
otherwise rely on browser capability detection.
|
|
|
|
Each <user-agent> is a regular expression.
|
|
-->
|
|
<user-agents type="ajax" mode="black-list">
|
|
<!-- <user-agent>.*Crappy browser.*</user-agent> -->
|
|
</user-agents>
|
|
|
|
<!-- Bot user agent list
|
|
|
|
Here, you can specify user agents that should be should be
|
|
treated as bots.
|
|
|
|
Each <user-agent> is a regular expression.
|
|
-->
|
|
<user-agents type="bot">
|
|
<user-agent>.*Googlebot.*</user-agent>
|
|
<user-agent>.*msnbot.*</user-agent>
|
|
<user-agent>.*Slurp.*</user-agent>
|
|
<user-agent>.*Crawler.*</user-agent>
|
|
<user-agent>.*Bot.*</user-agent>
|
|
<user-agent>.*ia_archiver.*</user-agent>
|
|
<user-agent>.*Twiceler.*</user-agent>
|
|
</user-agents>
|
|
|
|
<!-- Whether the progressive bootstrap is used.
|
|
|
|
The default bootstrap method first senses whether there is Ajax
|
|
support, and only then creates the application.
|
|
|
|
The progressive bootstrap method first renders a plain HTML
|
|
version and later upgrades to an Ajax version.
|
|
-->
|
|
<progressive-bootstrap>false</progressive-bootstrap>
|
|
|
|
<!-- Set session-ID cookie
|
|
|
|
In its default (and recommended) configuration, Wt does not
|
|
rely on cookies for session tracking.
|
|
|
|
Wt has several mechanisms in place to prevent session ID stealing:
|
|
- for an Ajax session, the session ID is not shown in the URL,
|
|
avoiding session ID stealing through a referer attack.
|
|
- in case the session ID is present in the URL (e.g. for a plain
|
|
HTML session), Wt will redirect links to images or external
|
|
anchors through an intermediate page that censors the session ID
|
|
|
|
In case of the loss of a session ID, the impact is minimized:
|
|
- a full page refresh is not supported if the client IP address
|
|
changes or the user-agent changes
|
|
- an Ajax update is protected by other state which is not exposed
|
|
in the URL
|
|
|
|
To still enable a full page refresh when the client IP address
|
|
changes, an additional cookie may be set which is used only
|
|
for this purpose, and can be enabled using this setting.
|
|
-->
|
|
<session-id-cookie>false</session-id-cookie>
|
|
|
|
<!-- Runtime Properties
|
|
|
|
These properties may be used to adapt applications to their
|
|
deployment environment. Typical use is for paths to resources
|
|
that may or may not be shared between several applications.
|
|
-->
|
|
<properties>
|
|
<!-- baseURL property
|
|
|
|
The absolute URL at which the application is deployed
|
|
(known to the user). This is needed only in two scenarios.
|
|
|
|
a) use of relative URLs in included XHTML
|
|
|
|
When you use relative URLs for images, etc... in
|
|
literal XHTML fragments (e.g. in WTemplate), which need
|
|
to resolve against the deployment path of the
|
|
application. This will not work as expected in the
|
|
presence of an internal application path. This URL is
|
|
set as base URL in the HTML, against which relative
|
|
URLs are resolved so that these work correctly
|
|
regardless of the internal path. It is also used
|
|
explicitly in any URL generated by the library.
|
|
|
|
b) widgetset mode deployments
|
|
|
|
Another situation in which you need to define the baseURL is
|
|
when deploying a widgetset mode application behind a reverse
|
|
proxy. A widgetset mode application uses only absolute URLs
|
|
because it may be hosted in a web page from an entirely
|
|
different domain.
|
|
|
|
By default, no baseURL is specified, in which case Wt will
|
|
avoid using absolute URLs. Relative URLs passed in API calls
|
|
will be "fixed" so that they resolve against the location of the
|
|
application deploy path, even in the presence of an
|
|
internal path.
|
|
-->
|
|
<!-- <property name="baseURL">"http://mysite.com/app</property> -->
|
|
|
|
<!-- resourcesURL property
|
|
|
|
The URL at which the resources/ folder is deployed that
|
|
comes distributed with Wt and contains auxiliary files
|
|
used to primarily for styles and themes.
|
|
|
|
The default value is 'resources/'
|
|
-->
|
|
<property name="resourcesURL">resources/</property>
|
|
|
|
<!-- extBaseURL property
|
|
|
|
Used in conjunction with Ext:: widgets, and points to the
|
|
URL of Ext JavaScript and resource files (css, images).
|
|
See the documentation for the Ext namespace for details.
|
|
|
|
The default value is 'ext/'
|
|
-->
|
|
<property name="extBaseURL">ext/</property>
|
|
|
|
<!-- favicon property
|
|
|
|
By default, a browser will try to fetch a /favicon.ico icon
|
|
from the root of your web server which is used as an icon
|
|
for your application. You can specify an alternative location
|
|
by setting this property, or for an individual application
|
|
entry point by passing a location to WServer::addEntryPoint().
|
|
-->
|
|
<!-- <property name="favicon">images/favicon.ico</property> -->
|
|
</properties>
|
|
|
|
</application-settings>
|
|
|
|
|
|
<!-- Override settings for specific applications.
|
|
|
|
Location refers to physical filesystem location of the
|
|
application. The application prints this location (which
|
|
corresponds to argv[0]) to the log file on startup, and this
|
|
should match exactly.
|
|
-->
|
|
<!--
|
|
<application-settings
|
|
location="/var/www/localhost/wt-examples/hello.wt">
|
|
</application-settings>
|
|
-->
|
|
</server>
|