1Overview 2===== 3 4CivetWeb is a small and easy to use web server. 5It may be embedded into C/C++ host applications or used as a stand-alone 6server. See `Embedding.md` for information on embedding CivetWeb into 7host applications. 8 9The stand-alone server is self-contained, and does not require any external 10software to run. Some Windows users may need to install the 11[Visual C++ Redistributable](http://www.microsoft.com/en-us/download/details.aspx?id=30679). 12 13 14Installation 15---- 16 17On Windows, UNIX and Mac, the CivetWeb stand-alone executable may be started 18from the command line. 19Running `CivetWeb` in a terminal, optionally followed by configuration parameters 20(`CivetWeb [OPTIONS]`) or a configuration file name (`CivetWeb [config_file_name]`), 21starts the web server. 22 23For UNIX and Mac, CivetWeb does not detach from the terminal. 24Pressing `Ctrl-C` keys will stop the server. 25 26On Windows, CivetWeb iconifies itself to the system tray icon when started. 27Right-clicking on the icon pops up a menu, where it is possible to stop 28CivetWeb, configure it, or install it as Windows service. 29 30When started without options, the server exposes the local directory at 31[http](http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) port 8080. 32Thus, the easiest way to share a folder on Windows is to copy `CivetWeb.exe` 33to this folder, double-click the exe, and launch a browser at 34[http://localhost:8080](http://localhost:8080). Note that 'localhost' should 35be changed to a machine's name if a folder is accessed from another computer. 36 37When started, CivetWeb first searches for the configuration file. 38If a configuration file is specified explicitly in the command line, i.e. 39`CivetWeb path_to_config_file`, then the specified configuration file is used. 40Otherwise, CivetWeb will search for the file `CivetWeb.conf` in the same directory that 41the executable is located, and use it. This configuration file is optional. 42 43The configuration file is a sequence of lines, each line containing one 44command line argument name and the corresponding value. 45Empty lines, and lines beginning with `#`, are ignored. 46Here is the example of a `CivetWeb.conf` file: 47 48 document_root c:\www 49 listening_ports 80,443s 50 ssl_certificate c:\CivetWeb\ssl_cert.pem 51 52When a configuration file is used, additional command line arguments may 53override the configuration file settings. 54All command line arguments must start with `-`. 55 56For example: The above `CivetWeb.conf` file is used, and CivetWeb started as 57`CivetWeb -document_root D:\web`. Then the `D:\web` directory will be served 58as document root, because command line options take priority over the 59configuration file. The configuration options section below provides a good 60overview of CivetWeb features. 61 62Note that configuration options on the command line must start with `-`, 63but their names are the same as in the config file. All option names are 64listed in the next section. Thus, the following two setups are equivalent: 65 66 # Using command line arguments 67 $ CivetWeb -listening_ports 1234 -document_root /var/www 68 69 # Using config file 70 $ cat CivetWeb.conf 71 listening_ports 1234 72 document_root /var/www 73 $ CivetWeb 74 75CivetWeb can also be used to modify `.htpasswd` passwords files: 76 77 CivetWeb -A <htpasswd_file> <realm> <user> <passwd> 78 79 80Configuration Options 81---- 82 83Below is a list of configuration options understood by CivetWeb. 84Every option is followed by it's default value. If a default value is not 85present, then the default is empty. 86 87## Pattern matching in configuration options 88 89CivetWeb uses shell-like glob patterns for several configuration options, 90e.g., CGI, SSI and Lua script files are recognized by the file name pattern. 91Pattern match starts at the beginning of the string, so essentially 92patterns are prefix patterns. Syntax is as follows: 93 94 ** Matches everything 95 * Matches everything but slash character, '/' 96 ? Matches any character 97 $ Matches the end of the string 98 | Matches if pattern on the left side or the right side matches. 99 100All other characters in the pattern match themselves. Examples: 101 102 **.cgi$ Any string that ends with .cgi 103 /foo Any string that begins with /foo 104 **a$|**b$ Any string that ends with a or b 105 106 107## Options from `civetweb.c` 108 109The following options are supported in `civetweb.c`. They can be used for 110the stand-alone executable as well as for applications embedding CivetWeb. 111The stand-alone executable supports some additional options: see *Options from `main.c`*. 112The options are explained in alphabetic order - for a quick start, check 113*document\_root*, *listening\_ports*, *error\_log\_file* and (for HTTPS) *ssl\_certificate*. 114 115### access\_control\_allow\_headers `*` 116Access-Control-Allow-Headers header field, used for cross-origin resource 117sharing (CORS) pre-flight requests. 118See the [Wikipedia page on CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). 119 120If set to an empty string, pre-flights will not allow additional headers. 121If set to "*", the pre-flight will allow whatever headers have been requested. 122If set to a comma separated list of valid HTTP headers, the pre-flight will return 123exactly this list as allowed headers. 124If set in any other way, the result is unspecified. 125 126### access\_control\_allow\_methods `*` 127Access-Control-Allow-Methods header field, used for cross-origin resource 128sharing (CORS) pre-flight requests. 129See the [Wikipedia page on CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). 130 131If set to an empty string, pre-flights will not be supported directly by the server, 132but scripts may still support pre-flights by handling the OPTIONS method properly. 133If set to "*", the pre-flight will allow whatever method has been requested. 134If set to a comma separated list of valid HTTP methods, the pre-flight will return 135exactly this list as allowed method. 136If set in any other way, the result is unspecified. 137 138### access\_control\_allow\_origin `*` 139Access-Control-Allow-Origin header field, used for cross-origin resource 140sharing (CORS). 141See the [Wikipedia page on CORS](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). 142 143### access\_control\_list 144An Access Control List (ACL) allows restrictions to be put on the list of IP 145addresses which have access to the web server. In the case of the CivetWeb 146web server, the ACL is a comma separated list of IP subnets, where each 147subnet is pre-pended by either a `-` or a `+` sign. A plus sign means allow, 148where a minus sign means deny. If a subnet mask is omitted, such as `-1.2.3.4`, 149this means to deny only that single IP address. 150 151If this value is not set, all accesses are allowed. Otherwise, the default 152setting is to deny all accesses. On each request the full list is traversed, and 153the last match wins. Examples: 154 155 +192.168.0.0/16,+fe80::/64 deny all accesses, allow 192.168.0.0/16 and fe80::/64 subnet 156 (The second one is valid only if IPv6 support is enabled) 157 158To learn more about subnet masks, see the 159[Wikipedia page on Subnetwork](http://en.wikipedia.org/wiki/Subnetwork). 160 161### access\_log\_file 162Path to a file for access logs. Either full path, or relative to the current 163working directory. If absent (default), then accesses are not logged. 164 165### additional\_header 166Send additional HTTP response header line for every request. 167The full header line including key and value must be specified, excluding the carriage return line feed. 168 169Example (used as command line option): 170`-additional_header "X-Frame-Options: SAMEORIGIN"` 171 172This option can be specified multiple times. All specified header lines will be sent. 173 174### allow\_index\_script\_resource `no` 175Index scripts (like `index.cgi` or `index.lua`) may have script handled resources. 176 177It this feature is activated, that /some/path/file.ext might be handled by: 178 1. /some/path/file.ext (with PATH\_INFO='/', if ext = cgi) 179 2. /some/path/index.lua with mg.request\_info.path\_info='/file.ext' 180 3. /some/path/index.cgi with PATH\_INFO='/file.ext' 181 4. /some/path/index.php with PATH\_INFO='/file.ext' 182 5. /some/index.lua with mg.request\_info.path\_info=='/path/file.ext' 183 6. /some/index.cgi with PATH\_INFO='/path/file.ext' 184 7. /some/index.php with PATH\_INFO='/path/file.ext' 185 8. /index.lua with mg.request\_info.path\_info=='/some/path/file.ext' 186 9. /index.cgi with PATH\_INFO='/some/path/file.ext' 187 10. /index.php with PATH\_INFO='/some/path/file.ext' 188 189Note: This example is valid, if the default configuration values for 190`index_files`, `cgi_pattern` and `lua_script_pattern` are used, 191and the server is built with CGI and Lua support enabled. 192 193If this feature is not activated, only the first file (/some/path/file.cgi) will be accepted. 194 195Note: This parameter affects only index scripts. A path like /here/script.cgi/handle/this.ext 196will call /here/script.cgi with PATH\_INFO='/handle/this.ext', no matter if this option is set to `yes` or `no`. 197 198This feature can be used to completely hide the script extension from the URL. 199 200### allow\_sendfile\_call `yes` 201This option can be used to enable or disable the use of the Linux `sendfile` system call. 202It is only available for Linux systems and only affecting HTTP (not HTTPS) connections 203if `throttle` is not enabled. 204While using the `sendfile` call will lead to a performance boost for HTTP connections, 205this call may be broken for some file systems and some operating system versions. 206 207### authentication\_domain `mydomain.com` 208Authorization realm used for HTTP digest authentication. This domain is 209used in the encoding of the `.htpasswd` authorization files as well. 210Changing the domain retroactively will render the existing passwords useless. 211 212### case\_sensitive `no` 213This option can be uset to enable case URLs for Windows servers. 214It is only available for Windows systems. Windows file systems are not case sensitive, 215but they still store the file name including case. 216If this option is set to `yes`, the comparison for URIs and Windows file names will be case sensitive. 217 218### cgi\_environment 219Extra environment variables to be passed to the CGI script in 220addition to standard ones. The list must be comma-separated list 221of name=value pairs, like this: `VARIABLE1=VALUE1,VARIABLE2=VALUE2`. 222 223### cgi\_interpreter 224Path to an executable to use as CGI interpreter for __all__ CGI scripts 225regardless of the script file extension. If this option is not set (which is 226the default), CivetWeb looks at first line of a CGI script, 227[shebang line](http://en.wikipedia.org/wiki/Shebang_(Unix\)), for an 228interpreter (not only on Linux and Mac but also for Windows). 229 230For example, if both PHP and Perl CGIs are used, then 231`#!/path/to/php-cgi.exe` and `#!/path/to/perl.exe` must be first lines of the 232respective CGI scripts. Note that paths should be either full file paths, 233or file paths relative to the current working directory of the CivetWeb 234server. If CivetWeb is started by mouse double-click on Windows, the current 235working directory is the directory where the CivetWeb executable is located. 236 237If all CGIs use the same interpreter, for example they are all PHP, it is 238more efficient to set `cgi_interpreter` to the path to `php-cgi.exe`. 239The shebang line in the CGI scripts can be omitted in this case. 240Note that PHP scripts must use `php-cgi.exe` as executable, not `php.exe`. 241 242### cgi\_interpreter\_args 243Optional additional arguments passed to a Windows CGI interpreter program. 244 245### cgi\_pattern `**.cgi$|**.pl$|**.php$` 246All files that match `cgi_pattern` are treated as CGI files. The default pattern 247allows CGI files be anywhere. To restrict CGIs to a certain directory, 248use `/path/to/cgi-bin/**.cgi` as the pattern. Note that the full file path is 249matched against the pattern, not the URI. 250 251Depending on the build configuration, additional patterns `cgi2_pattern`, 252`cgi3_pattern` and `cgi4_pattern` may be available. 253This allows to use different cgi interpreter programs (`cgi2_interpreter`, 254...), environments (`cgi2_environment` ...) and interpreter arguments 255(`cgi2_interpreter_argument`, ...). The default for all additional CGI file 256patterns is empty - they are not used unless they are configured explicitly. 257 258### cgi\_timeout\_ms 259Maximum allowed runtime for CGI scripts. CGI processes are terminated by 260the server after this time. The default is "no timeout", so scripts may 261run or block for undefined time. 262 263### decode\_query\_string `no` 264URL decode all query strings in the server. 265If you set this option to `yes`, all callbacks and scripts will only see the already 266decoded query string. If this option is set to `no`, all callbacks and scripts have to decode 267the query strings on their own, if they need to. Note that setting this option to `yes` is not 268compatible with submitting form data using "GET" requests (but it is compatible with submitting 269form data using the "POST" method; using "POST" is recommended for most use cases). 270 271### decode\_url `yes` 272The server should decode the URL, according to the HTTP standard. 273This means, `http://mydomain.com/this%20file.txt` will be decoded to `this file.txt` 274(%20 corresponds to the URL encoding of the space character). 275Set this option to `no` only if you are using callbacks exclusively and need access to the encoded URLs. 276 277### document\_root `.` 278A directory to serve. By default, the current working directory is served. 279The current directory is commonly referenced as dot (`.`). 280It is recommended to use an absolute path for document\_root, in order to 281avoid accidentally serving the wrong directory. 282 283### enable\_auth\_domain\_check `yes` 284When using absolute URLs, verify the host is identical to the authentication\_domain. 285If enabled, requests to absolute URLs will only be processed 286if they are directed to the domain. If disabled, absolute URLs to any host 287will be accepted. 288 289### enable\_directory\_listing `yes` 290Enable directory listing, either `yes` or `no`. 291 292### enable\_http2 `no` 293Enable HTTP2 protocol. Note: This option is only available, if the server has been 294compiled with the `USE_HTTP2` define. The CivetWeb server supports only a subset of 295all HTTP2 features. 296 297### enable\_keep\_alive `no` 298Enable connection keep alive, either `yes` or `no`. 299 300Allows clients to reuse TCP connection for subsequent HTTP requests, 301which improves performance. 302For this to work when using request handlers it is important to add the 303correct Content-Length HTTP header for each request. If this is forgotten the 304client will time out. 305 306Note: If you set keep\_alive to `yes`, you should set keep\_alive\_timeout\_ms 307to some value > 0 (e.g. 500). If you set keep\_alive to `no`, you should set 308keep\_alive\_timeout\_ms to 0. Currently, this is done as a default value, 309but this configuration is redundant. In a future version, the keep\_alive 310configuration option might be removed and automatically set to `yes` if 311a timeout > 0 is set. 312 313### enable\_websocket\_ping\_pong `no` 314If this configuration value is set to `yes`, the server will send a 315websocket PING message to a websocket client, once the timeout set by 316websocket\_timeout\_ms expires. Clients (Web browsers) supporting this 317feature will reply with a PONG message. 318 319If this configuration value is set to `no`, the websocket server will 320close the connection, once the timeout expires. 321 322Note: This configuration value only exists, if the server has been built 323with websocket support enabled. 324 325### error\_log\_file 326Path to a file for error logs. Either full path, or relative to the current 327working directory. If absent (default), then errors are not logged. 328 329### error\_pages 330This option may be used to specify a directory for user defined error pages. 331To specify a directory, make sure the name ends with a backslash (Windows) 332or slash (Linux, MacOS, ...). 333The error pages may be specified for an individual http status code (e.g., 334404 - page requested by the client not found), a group of http status codes 335(e.g., 4xx - all client errors) or all errors. The corresponding error pages 336must be called error404.ext, error4xx.ext or error.ext, whereas the file 337extension may be one of the extensions specified for the index_files option. 338See the [Wikipedia page on HTTP status codes](http://en.wikipedia.org/wiki/HTTP_status_code). 339 340### extra\_mime\_types 341Extra mime types, in the form `extension1=type1,exten-sion2=type2,...`. 342See the [Wikipedia page on Internet media types](http://en.wikipedia.org/wiki/Internet_media_type). 343Extension must include a leading dot. Example: 344`.cpp=plain/text,.java=plain/text` 345 346### global\_auth\_file 347Path to a global passwords file, either full path or relative to the current 348working directory. If set, per-directory `.htpasswd` files are ignored, 349and all requests are authorized against that file. 350 351The file has to include the realm set through `authentication_domain` and the 352password in digest format: 353 354 user:realm:digest 355 test:test.com:ce0220efc2dd2fad6185e1f1af5a4327 356 357Password files may be generated using `CivetWeb -A` as explained above, or 358online tools e.g. [this generator](http://www.askapache.com/online-tools/htpasswd-generator). 359 360### hide\_files\_patterns 361A pattern for the files to hide. Files that match the pattern will not 362show up in directory listing and return `404 Not Found` if requested. Pattern 363must be for a file name only, not including directory names. Example: 364 365 CivetWeb -hide_files_patterns secret.txt|**.hide 366 367Note: hide\_file\_patterns uses the pattern described above. If you want to 368hide all files with a certain extension, make sure to use **.extension 369(not just *.extension). 370 371### index\_files `index.xhtml,index.html,index.htm,index.cgi,index.shtml,index.php` 372Comma-separated list of files to be treated as directory index files. 373If more than one matching file is present in a directory, the one listed to the left 374is used as a directory index. 375 376In case built-in Lua support has been enabled, `index.lp,index.lsp,index.lua` 377are additional default index files, ordered before `index.cgi`. 378 379### keep\_alive\_timeout\_ms `500` or `0` 380Idle timeout between two requests in one keep-alive connection. 381If keep alive is enabled, multiple requests using the same connection 382are possible. This reduces the overhead for opening and closing connections 383when loading several resources from one server, but it also blocks one port 384and one thread at the server during the lifetime of this connection. 385Unfortunately, browsers do not close the keep-alive connection after loading 386all resources required to show a website. 387The server closes a keep-alive connection, if there is no additional request 388from the client during this timeout. 389 390Note: if enable\_keep\_alive is set to `no` the value of 391keep\_alive\_timeout\_ms should be set to `0`, if enable\_keep\_alive is set 392to `yes`, the value of keep\_alive\_timeout\_ms must be >0. 393Currently keep\_alive\_timeout\_ms is ignored if enable\_keep\_alive is no, 394but future versions may drop the enable\_keep\_alive configuration value and 395automatically use keep-alive if keep\_alive\_timeout\_ms is not 0. 396 397### linger\_timeout\_ms 398Set TCP socket linger timeout before closing sockets (SO\_LINGER option). 399The configured value is a timeout in milliseconds. Setting the value to 0 400will yield in abortive close (if the socket is closed from the server side). 401Setting the value to -1 will turn off linger. 402If the value is not set (or set to -2), CivetWeb will not set the linger 403option at all. 404 405Note: For consistency with other timeout configurations, the value is 406configured in milliseconds. However, the TCP socket layer usually only 407offers a timeout in seconds, so the value should be an integer multiple 408of 1000. 409 410### listening\_ports `8080` 411Comma-separated list of ports to listen on. If the port is SSL, a 412letter `s` must be appended, for example, `80,443s` will open 413port 80 and port 443, and connections on port 443 will be SSL-ed. 414For non-SSL ports, it is allowed to append letter `r`, meaning 'redirect'. 415Redirect ports will redirect all their traffic to the first configured 416SSL port. For example, if `listening_ports` is `80r,443s`, then all 417HTTP traffic coming at port 80 will be redirected to HTTPS port 443. 418 419It is possible to specify an IP address to bind to. In this case, 420an IP address and a colon must be pre-pended to the port number. 421For example, to bind to a loopback interface on port 80 and to 422all interfaces on HTTPS port 443, use `127.0.0.1:80,443s`. 423 424If the server is built with IPv6 support, `[::]:8080` can be used to 425listen to IPv6 connections to port 8080. IPv6 addresses of network 426interfaces can be specified as well, 427e.g. `[::1]:8080` for the IPv6 loopback interface. 428 429[::]:80 will bind to port 80 IPv6 only. In order to use port 80 for 430all interfaces, both IPv4 and IPv6, use either the configuration 431`80,[::]:80` (create one socket for IPv4 and one for IPv6 only), 432or `+80` (create one socket for both, IPv4 and IPv6). 433The `+` notation to use IPv4 and IPv6 will only work if no network 434interface is specified. Depending on your operating system version 435and IPv6 network environment, some configurations might not work 436as expected, so you have to test to find the configuration most 437suitable for your needs. In case `+80` does not work for your 438environment, you need to use `80,[::]:80`. 439 440It is possible to use network interface addresses (e.g., `192.0.2.3:80`, 441`[2001:0db8::1234]:80`). To get a list of available network interface 442addresses, use `ipconfig` (in a `cmd` window in Windows) or `ifconfig` 443(in a Linux shell). 444Alternatively, you could use the hostname for an interface. Check the 445hosts file of your operating system for a proper hostname 446(for Windows, usually found in C:\Windows\System32\drivers\etc\, 447for most Linux distributions: /etc/hosts). E.g., to bind the IPv6 448local host, you could use `ip6-localhost:80`. This translates to 449`[::1]:80`. Beside the hosts file, there are several other name 450resolution services. Using your hostname might bind you to the 451localhost or an external interface. You could also try `hostname.local`, 452if the proper network services are installed (Zeroconf, mDNS, Bonjour, 453Avahi). When using a hostname, you need to test in your particular network 454environment - in some cases, you might need to resort to a fixed IP address. 455 456If you want to use an ephemeral port (i.e. let the operating system choose 457a port number), use `0` for the port number. This will make it necessary to 458communicate the port number to clients via other means, for example mDNS 459(Zeroconf, Bonjour, Avahi). 460 461In case the server has been built with the `USE_X_DOM_SOCKET` option set, 462it can listen to unix domain sockets as well. They are specified by a 463lower case `x` followed by the domain socket path, e.g. `x/tmp/sockname`. 464Domain sockets do not require a port number, always use HTTP (not HTTPS) 465and never redirect. Thus `:` is not allowed, while `r` or `s` at the end 466of the configuration is interpreted as part of the domain socket path. 467The domain sochet path must be a valid path to a non-existing file on a 468Unix/Linux system. The CivetWeb process needs write/create access rights 469to create the domain socket in the Unix/Linux file system. 470Use only alphanumerical characters, underscore and `/` in a domain socket 471path (in particular, `,;:` must be avoided). 472 473All socket/protocol types may be combined, separated by `,`. 474E.g.: `127.0.0.1:80,[::1]:80,x/tmp/sockname` will listen to localhost 475http connections using IPv4, IPv6 and the domain socket `/tmp/sockname`. 476 477### lua\_background\_script 478Run a Lua script in the background, independent from any connection. 479The script is started before network access to the server is available. 480It can be used to prepare the document root (e.g., update files, compress 481files, ...), check for external resources, remove old log files, etc. 482 483The script can define callbacks to be notified when the server starts 484or stops. Furthermore, it can be used for log filtering or formatting. 485The Lua state remains open until the server is stopped. 486 487For a detailed descriotion of available Lua callbacks see section 488"Lua background script" below. 489 490### lua\_background\_script\_params 491Can add dynamic parameters to background script. 492Parameters mapped into 'mg.params' as table. 493Example: `paramName1=paramValue1,paramName2=2` 494 495### lua\_preload\_file 496This configuration option can be used to specify a Lua script file, which 497is executed before the actual web page script (Lua script, Lua server page 498or Lua websocket). It can be used to modify the Lua environment of all web 499page scripts, e.g., by loading additional libraries or defining functions 500required by all scripts. 501It may be used to achieve backward compatibility by defining obsolete 502functions as well. 503 504### lua\_script\_pattern `"**.lua$` 505A pattern for files that are interpreted as Lua scripts by the server. 506In contrast to Lua server pages, Lua scripts use plain Lua syntax. 507An example can be found in the test directory. 508 509### lua\_server\_page\_pattern `**.lp$|**.lsp$` 510Files matching this pattern are treated as Lua server pages. 511In contrast to Lua scripts, the content of a Lua server pages is delivered 512directly to the client. Lua script parts are delimited from the standard 513content by including them between <? and ?> tags. 514An example can be found in the test directory. 515 516### lua\_websocket\_pattern `"**.lua$` 517A pattern for websocket script files that are interpreted as Lua scripts by the server. 518 519### max\_request\_size `16384` 520Size limit for HTTP request headers and header data returned from CGI scripts, in Bytes. 521A buffer of the configured size is pre allocated for every worker thread. 522max\_request\_size limits the HTTP header, including query string and cookies, 523but it does not affect the HTTP body length. 524The server has to read the entire header from a client or from a CGI script, 525before it is able to process it. In case the header is longer than max\_request\_size, 526the request is considered as invalid or as DoS attack. 527The configuration value is approximate, the real limit might be a few bytes off. 528The minimum is 1024 (1 kB). 529 530### num\_threads `50` 531Number of worker threads. CivetWeb handles each incoming connection in a 532separate thread. Therefore, the value of this option is effectively the number 533of concurrent HTTP connections CivetWeb can handle. 534 535If there are more simultaneous requests (connection attempts), they are queued. 536Every connection attempt first needs to be accepted (up to a limit of 537`listen_backlog` waiting connections). Then it is accepted and queued for the next 538available worker thread (up to a limit of `connection_queue`). Finally a worker 539thread handles all requests received in a connection (up to `num_threads`). 540 541In case the clients are web browsers, it is recommended to use `num_threads` of 542at least 5, since browsers often establish multiple connections to load a single 543web page, including all linked documents (CSS, JavaScript, images, ...). 544 545### listen\_backlog `200` 546Maximum number of connections waiting to be accepted by the server operating system. 547Internally, this parameter is passed to the "listen" socket/system call. 548 549### connection\_queue `20` 550Maximum number of accepted connections waiting to be dispatched by a worker thread. 551 552### protect\_uri 553Comma separated list of URI=PATH pairs, specifying that given 554URIs must be protected with password files specified by PATH. 555All Paths must be full file paths. 556 557### put\_delete\_auth\_file 558Passwords file for PUT and DELETE requests. Without a password file, it will not 559be possible to PUT new files to the server or DELETE existing ones. PUT and 560DELETE requests might still be handled by Lua scripts and CGI paged. 561 562### request\_timeout\_ms `30000` 563Timeout for network read and network write operations, in milliseconds. 564If a client intends to keep long-running connection, either increase this 565value or (better) use keep-alive messages. 566 567### run\_as\_user 568Switch to given user credentials after startup. Usually, this option is 569required when CivetWeb needs to bind on privileged ports on UNIX. To do 570that, CivetWeb needs to be started as root. From a security point of view, 571running as root is not advisable, therefore this option can be used to drop 572privileges. Example: 573 574 civetweb -listening_ports 80 -run_as_user webserver 575 576### ssi\_pattern `**.shtml$|**.shtm$` 577All files that match `ssi_pattern` are treated as Server Side Includes (SSI). 578 579SSI is a simple interpreted server-side scripting language which is most 580commonly used to include the contents of another file in a web page. 581It can be useful when it is desirable to include a common piece 582of code throughout a website, for example, headers and footers. 583 584In order for a webpage to recognize an SSI-enabled HTML file, the filename 585should end with a special extension, by default the extension should be 586either `.shtml` or `.shtm`. These extensions may be changed using the 587`ssi_pattern` option. 588 589Unknown SSI directives are silently ignored by CivetWeb. Currently, two SSI 590directives are supported, `<!--#include ...>` and 591`<!--#exec "command">`. Note that the `<!--#include ...>` directive supports 592three path specifications: 593 594 <!--#include virtual="path"> Path is relative to web server root 595 <!--#include abspath="path"> Path is absolute or relative to 596 web server working dir 597 <!--#include file="path">, Path is relative to current document 598 <!--#include "path"> 599 600The `include` directive may be used to include the contents of a file or the 601result of running a CGI script. The `exec` directive is used to execute a 602command on a server, and show the output that would have been printed to 603stdout (the terminal window) otherwise. Example: 604 605 <!--#exec "ls -l" --> 606 607For more information on Server Side Includes, take a look at the Wikipedia: 608[Server Side Includes](http://en.wikipedia.org/wiki/Server_Side_Includes) 609 610### ssl\_ca\_file 611Path to a .pem file containing trusted certificates. The file may contain 612more than one certificate. 613 614### ssl\_ca\_path 615Name of a directory containing trusted CA certificates. Each file in the 616directory must contain only a single CA certificate. The files must be named 617by the subject name’s hash and an extension of “.0”. If there is more than one 618certificate with the same subject name they should have extensions ".0", ".1", 619".2" and so on respectively. 620 621### ssl\_cache\_timeout `-1` 622Allow caching of SSL/TLS sessions, so HTTPS connection from the same client 623to the same server can be established faster. A configuration value >0 activates 624session caching. The configuration value is the maximum lifetime of a cached 625session in seconds. 626The default is to deactivated session caching. 627 628### ssl\_certificate 629Path to the SSL certificate file. This option is only required when at least 630one of the `listening\_ports` is SSL. The file must be in PEM format, 631and it must have both, private key and certificate, see for example 632[ssl_cert.pem](https://github.com/civetweb/civetweb/blob/master/resources/ssl_cert.pem) 633A description how to create a certificate can be found in doc/OpenSSL.md 634 635### ssl\_certificate\_chain 636Path to an SSL certificate chain file. As a default, the ssl\_certificate file is used. 637 638### ssl\_cipher\_list 639List of ciphers to present to the client. Entries should be separated by 640colons, commas or spaces. 641 642 ALL All available ciphers 643 ALL:!eNULL All ciphers excluding NULL ciphers 644 AES128:!MD5 AES 128 with digests other than MD5 645 646See [this entry](https://www.openssl.org/docs/manmaster/apps/ciphers.html) in 647OpenSSL documentation for full list of options and additional examples. 648The OpenSSL cipher string uses different cipher names than IANA 649(see [this mapping](https://testssl.sh/openssl-iana.mapping.html)). 650 651In case CivetWeb is built with a TLS library other than OpenSSL 652(e.g., [mbedTLS](https://tls.mbed.org/supported-ssl-ciphersuites)), 653the cipher names may be different. 654 655### ssl\_default\_verify\_paths `yes` 656Loads default trusted certificates locations set at openssl compile time. 657 658### ssl\_protocol\_version `4` 659Sets the minimal accepted version of SSL/TLS protocol according to the table: 660 661Protocols | Value 662------------ | ------------- 663SSL2+SSL3+TLS1.0+TLS1.1+TLS1.2+TLS1.3 | 0 664SSL3+TLS1.0+TLS1.1+TLS1.2+TLS1.3 | 1 665TLS1.0+TLS1.1+TLS1.2+TLS1.3 | 2 666TLS1.1+TLS1.2+TLS1.3 | 3 667TLS1.2+TLS1.3 | 4 668TLS1.3 | 5 669 670TLS version 1.3 is only available if you are using an up-to-date TLS libary. 671The default setting has been changed from 0 to 4 in CivetWeb 1.14. 672 673### ssl\_short\_trust `no` 674Enables the use of short lived certificates. This will allow for the certificates 675and keys specified in `ssl_certificate`, `ssl_ca_file` and `ssl_ca_path` to be 676exchanged and reloaded while the server is running. 677 678In an automated environment it is advised to first write the new pem file to 679a different filename and then to rename it to the configured pem file name to 680increase performance while swapping the certificate. 681 682Disk IO performance can be improved when keeping the certificates and keys stored 683on a tmpfs (linux) on a system with very high throughput. 684 685### ssl\_verify\_depth `9` 686Sets maximum depth of certificate chain. If client's certificate chain is longer 687than the depth set here connection is refused. 688 689### ssl\_verify\_peer `no` 690Enable client's certificate verification by the server. 691 692### static\_file\_cache\_control 693Set the `Cache-Control` header of static files responses. 694The string value will be used directly. 695 696E.g. this config: 697 698`static_file_cache_control no-cache, max-age=31536000` 699 700Will result in this header being added: 701 702`Cache-Control: no-cache, max-age=31536000` 703 704This will take precedence over the static\_file\_max\_age option. 705 706### static\_file\_max\_age `3600` 707Set the maximum time (in seconds) a cache may store a static files. 708 709This option will set the `Cache-Control: max-age` value for static files. 710Dynamically generated content, i.e., content created by a script or callback, 711must send cache control headers by themselves. 712 713A value >0 corresponds to a maximum allowed caching time in seconds. 714This value should not exceed one year (RFC 2616, Section 14.21). 715A value of 0 will send "do not cache at all" headers for all static files. 716For values <0 and values >31622400 (366 days), the behaviour is undefined. 717 718### strict\_transport\_security\_max\_age 719 720Set the `Strict-Transport-Security` header, and set the `max-age` value. 721This instructs web browsers to interact with the server only using HTTPS, 722never by HTTP. If set, it will be sent for every request handled directly 723by the server, except scripts (CGI, Lua, ..) and callbacks. They must 724send HTTP headers on their own. 725 726The time is specified in seconds. If this configuration is not set, 727or set to -1, no `Strict-Transport-Security` header will be sent. 728For values <-1 and values >31622400, the behaviour is undefined. 729 730### tcp\_nodelay `0` 731Enable TCP_NODELAY socket option on client connections. 732 733If set the socket option will disable Nagle's algorithm on the connection 734which means that packets will be sent as soon as possible instead of waiting 735for a full buffer or timeout to occur. 736 737 0 Keep the default: Nagel's algorithm enabled 738 1 Disable Nagel's algorithm for all sockets 739 740### throttle 741Limit download speed for clients. `throttle` is a comma-separated 742list of key=value pairs, where key could be: 743 744 * limit speed for all connections 745 x.x.x.x/mask limit speed for specified subnet 746 [IPv6-addr]/mask limit speed for specified IPv6 subnet (needs square brackets) 747 uri_prefix_pattern limit speed for given URIs 748 749The value is a floating-point number of bytes per second, optionally 750followed by a `k` or `m` character, meaning kilobytes and 751megabytes respectively. A limit of 0 means unlimited rate. The 752last matching rule wins. Examples: 753 754 *=1k,10.0.0.0/8=0 limit all accesses to 1 kilobyte per second, 755 but give connections the from 10.0.0.0/8 subnet 756 unlimited speed 757 758 /downloads/=5k limit accesses to all URIs in `/downloads/` to 759 5 kilobytes per second. All other accesses are unlimited 760 761### url\_rewrite\_patterns 762Comma-separated list of URL rewrites in the form of 763`uri_pattern=file_or_directory_path`. When CivetWeb receives any request, 764it constructs the file name to show by combining `document_root` and the URI. 765However, if the rewrite option is used and `uri_pattern` matches the 766requested URI, then `document_root` is ignored. Instead, 767`file_or_directory_path` is used, which should be a full path name or 768a path relative to the web server's current working directory. Note that 769`uri_pattern`, as all CivetWeb patterns, is a prefix pattern. 770 771This makes it possible to serve many directories outside from `document_root`, 772redirect all requests to scripts, and do other tricky things. For example, 773to redirect all accesses to `.doc` files to a special script, do: 774 775 CivetWeb -url_rewrite_patterns **.doc$=/path/to/cgi-bin/handle_doc.cgi 776 777Or, to imitate support for user home directories, do: 778 779 CivetWeb -url_rewrite_patterns /~joe/=/home/joe/,/~bill=/home/bill/ 780 781### websocket\_root 782In case CivetWeb is built with Lua and websocket support, Lua scripts may 783be used for websockets as well. Since websockets use a different URL scheme 784(ws, wss) than other http pages (http, https), the Lua scripts used for 785websockets may also be served from a different directory. By default, 786the document\_root is used as websocket\_root as well. 787 788### websocket\_timeout\_ms 789Timeout for network read and network write operations for websockets, WS(S), 790in milliseconds. If this value is not set, the value of request\_timeout\_ms 791is used for HTTP(S) as well as for WS(S). In case websocket\_timeout\_ms is 792set, HTTP(S) and WS(S) can use different timeouts. 793 794Note: This configuration value only exists, if the server has been built 795with websocket support enabled. 796 797 798## Options from `main.c` 799 800The following options are supported in `main.c`, the additional source file for 801the stand-alone executable. These options are not supported by other applications 802embedding `civetweb.c`, unless they are added to the embedding application. 803 804### title 805Use the configured string as a server name. For Windows, this will be shown as 806the window title. 807 808### icon 809For Windows, show this icon file in the systray, replacing the CivetWeb standard 810icon. This option has no effect for Linux. 811 812### website 813For Windows, use this website as a link in the systray, replacing the default 814link for CivetWeb. 815 816### hide\_tray `no` 817For Windows: Do not show a tray icon. May be `yes` (hide) or `no` (show, default). 818 819### daemonize `no` 820This option is only available for Linux, if the server has been build with the 821`DAEMONIZE` compile options. Call (deprecated) `daemon()` BSD function to 822detach the server process from the controlling terminal and run it in the 823background as a system daemon. 824 825### add\_domain 826Option to load an additional configuration file, specifying an additional domain 827to host. To add multiple additional domains, use the add\_domain option 828multiple times with one configuration file for each domain. 829This option is available for Windows and Linux operating systems. 830 831Internally, the options are passed to the `mg_start_domain` API function. 832If you are not using `main.c`, you need to call this API function to activate 833and additional domain. 834 835Every domain configuration file may contain a subset of the options available for 836the main server configuration files, with some exceptions. Some configurations 837are per server while others are available for each domain. 838 839All port, socket, process and thread specific parameters are per server: 840`allow_sendfile_call`, `case_sensitive`, `connection_queue`, `decode_url`, 841`enable_http2`, `enable_keep_alive`, `enable_websocket_ping_pong`, 842`keep_alive_timeout_ms`, `linger_timeout_ms`, `listen_backlog`, 843`listening_ports`, `lua_background_script`, `lua_background_script_params`, 844`max_request_size`, `num_threads`, `request_timeout_ms`, `run_as_user`, 845`tcp_nodelay`, `throttle`, `websocket_timeout_ms` + all options from `main.c`. 846 847All other options can be set per domain. In particular 848`authentication_domain`, `document_root` and (for HTTPS) `ssl_certificate` 849must be set for each additional domain. 850 851While some options like `error_log_file` are per domain, the setting of the 852initial (main) domain may be used if the server could not determine the 853correct domain for a specific request. 854 855 856Scripting 857---- 858 859# Lua Scripts and Lua Server Pages 860Pre-built Windows and Mac CivetWeb binaries have built-in Lua scripting 861support as well as support for Lua Server Pages. 862 863Lua scripts (default extension: *.lua) use plain Lua syntax. 864The body of the script file is not sent directly to the client, 865the Lua script must send header and content of the web page by calling 866the function mg.write(text). 867 868Lua Server Pages (default extensions: *.lsp, *.lp) are html pages containing 869script elements similar to PHP, using the Lua programming language instead of 870PHP. Lua script elements must be enclosed in `<? ?>` blocks, and can appear 871anywhere on the page. Furthermore, Lua Server Pages offer the opportunity to 872insert the content of a variable by enclosing the Lua variable name in 873`<?= ?>` blocks, similar to PHP. 874For example, to print the current weekday name and the URI of the current 875page, one can write: 876 877 <p> 878 <span>Today is:</span> 879 <? mg.write(os.date("%A")) ?> 880 </p> 881 <p> 882 URI is <?=mg.request_info.uri?> 883 </p> 884 885From version 1.11, CivetWeb supports "Kepler Syntax" in addition to the 886traditional Lua pages syntax of CivetWeb. Kepler Syntax uses `<?lua ?>` 887or `<% %>` blocks for script elements (corresponding to `<? ?>` above) 888and `<?lua= ?>` or `<%= %>` for variable content (corresponding to `<?= ?>`). 889 890 <ul> 891 <% for key, value in pairs(mg.request_info) do %> 892 <li> <%= key %>: <%= value %> </li> 893 <% end %> 894 </ul> 895 896Currently the extended "Kepler Syntax" is available only for HTML (see 897note on HTTP headers below). 898 899Lua is known for it's speed and small size. The default Lua version for 900CivetWeb is Lua 5.2.4. The documentation for it can be found in the 901[Lua 5.2 reference manual](http://www.lua.org/manual/5.2/). However, 902CivetWeb can be built with Lua 5.1, 5.2, 5.3, 5.4 (currently pre-release) 903and LuaJIT. 904 905Note that this example uses function `mg.write()`, which sends data to the 906web client. Using `mg.write()` is the way to generate web content from inside 907Lua code. In addition to `mg.write()`, all standard Lua library functions 908are accessible from the Lua code (please check the reference manual for 909details). Lua functions working on files (e.g., `io.open`) use a path 910relative to the working path of the CivetWeb process. The web server content 911is located in the path `mg.document_root`. 912Information on the request is available in the `mg.request_info` 913object, like the request method, all HTTP headers, etcetera. 914 915[page2.lua](https://github.com/civetweb/civetweb/blob/master/test/page2.lua) 916is an example for a plain Lua script. 917 918[page2.lp](https://github.com/civetweb/civetweb/blob/master/test/page2.lp) 919is an example for a Lua Server Page. 920 921[page4kepler.lp](https://github.com/civetweb/civetweb/blob/master/test/page4kepler.lp) 922is a Lua Server Page showing "Kepler Syntax" in addition to traditional CivetWeb 923Lua Server Pages syntax. 924 925These examples show the content of the `mg.request_info` object as the page 926content. Please refer to `struct mg_request_info` definition in 927[CivetWeb.h](https://github.com/civetweb/civetweb/blob/master/include/civetweb.h) 928to see additional information on the elements of the `mg.request_info` object. 929 930CivetWeb also provides access to the [SQlite3 database](http://www.sqlite.org/) 931through the [LuaSQLite3 interface](http://lua.sqlite.org/index.cgi/doc/tip/doc/lsqlite3.wiki) 932in Lua. Examples are given in 933[page.lua](https://github.com/civetweb/civetweb/blob/master/test/page.lua) and 934[page.lp](https://github.com/civetweb/civetweb/blob/master/test/page.lp). 935 936 937CivetWeb exports the following functions to Lua: 938 939mg (table): 940 941 mg.read() -- reads a chunk from POST data, returns it as a string 942 mg.write(str) -- writes string to the client 943 mg.cry(str) -- logs error string to stderr 944 mg.include(filename, [pathtype]) -- include another Lua Page file (Lua Pages only) 945 -- pathtype can be "abs", "rel"/"file" or "virt[ual]" 946 -- like defined for SSI #include 947 mg.redirect(uri) -- redirect to internal URI 948 mg.onerror(msg) -- error handler, can be overridden 949 mg.auth_domain -- a string that holds the HTTP authentication domain 950 mg.document_root -- a string that holds the document root directory 951 mg.lua_type -- a string that holds the lua script type 952 mg.system -- a string that holds the operating system name 953 mg.version -- a string that holds CivetWeb version 954 mg.get_cookie(str, cookie) -- extract cookie from a string 955 mg.get_info(infotype) -- get server status information 956 mg.get_mime_type(filename) -- get MIME type of a file 957 mg.get_option(name) -- get configuration option value from name 958 mg.get_response_code_text(n)-- get response code text for n, nil otherwise 959 mg.get_var(str, varname, [occurance]) -- extract the first occurance of variable from (query) string 960 -- otherwise the nth occurance if supplied, nil if not found 961 mg.send_file(filename) -- send a file, including all required HTTP headers 962 mg.send_file_body(filename) -- send a file, excluding HTTP headers 963 mg.send_http_error(n,str) -- send http error code n with string body 964 mg.send_http_ok(mime,body) -- send http 200 OK with content-type mime and string body 965 mg.send_http_ok(mime,length)-- send http 200 OK with content-type mime and integer content-length length 966 mg.send_http_redirect(url,n)-- redirect to url with status code n 967 mg.split_form_data(form) -- returns a table of the split form data 968 mg.url_encode(str) -- URL encode a string 969 mg.url_decode(str, [form]) -- URL decode a string. If form=true, replace + by space. 970 mg.base64_encode(str) -- BASE64 encode a string 971 mg.base64_decode(str) -- BASE64 decode a string 972 mg.md5(str) -- return the MD5 hash of a string 973 mg.keep_alive(bool) -- allow/forbid to use http keep-alive for this request 974 mg.time([bool]) -- get the current unix timestamp with milliseconds 975 -- if bool is true then it is the time since startup 976 mg.trace(n,message,...) -- trace level n messages into tracefile 977 mg.uuid() -- generate a uuid 978 mg.random() -- get a random floating point number 979 mg.request_info -- a table with the following request information 980 .content_length -- Request content-length as a float 981 .content_type -- Request content-type, nil otherwise 982 .request_link -- Requested link 983 .request_uri -- Request URI 984 .uri -- Local request URI 985 .path_info -- Request URI, nil otherwise 986 .status -- Request status code, nil otherwise 987 .remote_addr -- IP address of the client as string 988 .remote_port -- remote port number 989 .server_port -- server port number 990 .request_method -- HTTP method (e.g.: GET, POST) 991 .http_version -- HTTP protocol version (e.g.: 1.1) 992 .http_headers -- Table of HTTP headers 993 .num_headers -- Number of headers 994 .query_string -- query string if present, nil otherwise 995 .script_name -- name of the Lua script, nil otherwise 996 .https -- true if accessed by https://, false otherwise 997 .remote_user -- user name if authenticated, nil otherwise 998 .auth_type -- Digest 999 .client_cert -- Table with ssl certificate infomation 1000 .subject -- Certificate subject 1001 .issuer -- Certificate issuer 1002 .serial -- Certificate serial number 1003 .finger -- Certificate finger 1004 1005If websocket and timers support is enabled then the following is also available: 1006 1007 mg.set_timeout(fn,delay,[interval]) -- call function after delay at an interval 1008 mg.set_interval(fn,delay,[interval]) -- call function after delay at an interval 1009 mg.websocket_root -- a string that holds the websocket root 1010 1011connect (function): 1012 1013 -- Connect to the remote TCP server. This function is an implementation 1014 -- of simple socket interface. It returns a socket object with three 1015 -- methods: send, recv, close, which are synchronous (blocking). 1016 -- connect() throws an exception on connection error. 1017 -- use_ssl is not implemented. 1018 connect(host, port, use_ssl) 1019 1020 -- Example of using connect() interface: 1021 local host = 'www.example.com' -- IP address or domain name 1022 local ok, sock = pcall(connect, host, 80, 0) 1023 if ok then 1024 sock:send('GET / HTTP/1.0\r\n' .. 1025 'Host: ' .. host .. '\r\n\r\n') 1026 local reply = sock:recv() 1027 sock:close() 1028 -- reply now contains the web page http://www.example.com/ 1029 end 1030 1031 1032All filename arguments are either absolute or relative to the CivetWeb working 1033directory (not the document root or the Lua script/page file). 1034 1035To serve a Lua Page, CivetWeb creates a Lua context. That context is used for 1036all Lua blocks within the page. That means, all Lua blocks on the same page 1037share the same context. If one block defines a variable, for example, that 1038variable is visible in all blocks that follow. 1039 1040 1041**Important note on HTTP headers:** 1042 1043Lua scripts MUST send HTTP headers themselves, e.g.: 1044 1045 mg.write('HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n') 1046 1047Lua Server Pages CAN send HTTP reply headers, like this: 1048 1049 HTTP/1.0 200 OK 1050 Content-Type: text/html 1051 1052 <html><body> 1053 ... the rest of the web page ... 1054 1055or using Lua code: 1056 1057 <? mg.write('HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n') ?> 1058 <html><body> 1059 ... the rest of the web page ... 1060 1061or Lua Server Pages generating HTML content MAY skip the HTTP header lines. 1062In this case, CivetWeb automatically creates a "200 OK"/"Content-Type: text/html" 1063reply header. In this case, the document must start with "<!DOCTYPE html>" 1064or "<html". 1065 1066Currently the extended "Kepler Syntax" is available only for text/html pages 1067not sending their own HTTP headers. Thus, "Kepler Syntax" can only be used for 1068HTML pages, while traditional CivetWeb syntax can be used to send a content-type 1069header and generate any kind of file. 1070 1071 1072## Websockets for Lua 1073CivetWeb offers support for websockets in Lua as well. In contrast to plain 1074Lua scripts and Lua server pages, Lua websocket scripts are shared by all clients. 1075 1076Lua websocket scripts must define the following functions: 1077 `ready(arg)` -- called after a connection has been established 1078 `data(arg)` -- called when the server receives data from the client 1079 `close(arg)` -- called when a websocket connection is closed 1080All function are called with one argument of type table with at least one field 1081"client" to identify the client. When "open" is called, the argument table additionally 1082contains the "request_info" table as defined above. For the "data" handler, an 1083additional field "data" is available. The functions "open", "ready" and "data" 1084must return true in order to keep the connection open. 1085 1086Lua websocket pages do support single shot (timeout) and interval timers. 1087 1088An example is shown in 1089[websocket.lua](https://github.com/civetweb/civetweb/blob/master/test/websocket.lua). 1090 1091## Lua background script 1092The Lua background script is loaded when the server is starting, 1093before any client is able to connect. It can be used for preparation and 1094maintenance tasks, e.g., for preparing the web contents, cleaning log files, 1095etc. 1096 1097The Name of the script file including path is configured as `lua_background_script`. 1098Additional parameters can be supplied using `lua_background_script_params`. 1099 1100The background script is loaded before the server is ready to start. 1101It may return a boolean value. If "false" in returned, the server will 1102not be started. Since the server is not fully initialized when the script is loaded, 1103some features of the "mg" library are not available yet. Use the "start()" callbacks 1104function instead. 1105 1106A Lua background script may define the following functions: 1107 `start()` -- called wnen the server is started 1108 `stop()` -- called when the server is stopped 1109 `log(req, res)` -- called when an access log entry is created 1110 1111The return values of `start` and `stop` are ignored. The `start` callback can be used 1112to create timers. 1113 1114The optional function `log` may be used to filter or format access log file entries. 1115The `request_info` table is supplied as first argument (content of this table: see above). 1116The second argument is the request processing result. It contains the number of bytes 1117`read` and `written` (incl. header information), the `processing_time` in seconds, 1118the `protocol` ("http", "https", "ws" or "wss"). For internally generated response and 1119response generated using the `mg_response_*()` API, it will contain the http `status` 1120code and a the response `http_headers` table (CGI response will not have all headers). 1121 1122The function can return a boolean value: true if the entry should be logged or false if not. 1123Alternatively it can return a string: this will be used as log message 1124(empty strings will not be logged). 1125 1126See example Lua script : 1127[background.lua](https://github.com/civetweb/civetweb/blob/master/test/lua_backbround_script_timer.lua). 1128 1129# Using CGI 1130 1131Unlike some other web servers, CivetWeb does not require CGI scripts to be located 1132in a special directory. CGI scripts files are recognized by the file name pattern 1133and can be anywhere. 1134 1135When using CGI, make sure your CGI file names match the `cgi\_pattern` parameter 1136configured for the server. 1137Furthermore, you must either configure a `cgi\_interpreter` to be used for all 1138CGI scripts, or all scripts must start with `#!` followed by the CGI 1139interpreter executable, e.g.: `#!/path/to/perl.exe` or `#!/bin/sh`. 1140 1141See `cgi\_pattern` and `cgi\_interpreter` for more details. 1142 1143It is possible to disable CGI completely by building the server with 1144the `NO\_CGI` define. Setting this define is required for operating 1145systems not supporting `fork/exec` or `CreateProcess` (since CGI is 1146based on creating child processes, it will not be available on such 1147operating systems for principle reasons). 1148 1149Every CGI request will spawn a new child process. Data sent from the 1150HTTP client to the server is passed to stdin of the child process, 1151while data written to stdout by the child process is sent back to the 1152HTTP client. 1153 1154In case a CGI script cannot handle a particular request, it might 1155write a short error message to stderr instead of writing to stdout. 1156This error message is added to the server error log. 1157 1158A script should not write to stderr after writing a reply header 1159to stdout. In case CGI libraries are writing to stderr (e.g., for 1160logging/debugging), the CGI script should redirect stderr to a 1161user defined log file at the beginning of the script. 1162 1163 1164FAQ 1165---- 1166 1167# Common Problems 1168- PHP doesn't work - getting empty page, or 'File not found' error. The 1169 reason for that is wrong paths to the interpreter. Remember that with PHP, 1170 the correct interpreter is `php-cgi.exe` (`php-cgi` on UNIX). 1171 Solution: specify the full path to the PHP interpreter, e.g.: 1172 `CivetWeb -cgi_interpreter /full/path/to/php-cgi` 1173 1174- `php-cgi` is unavailable, for example on Mac OS X. As long as the `php` binary is installed, you can run CGI programs in command line mode (see the example below). Note that in this mode, `$_GET` and friends will be unavailable, and you'll have to parse the query string manually using [parse_str](http://php.net/manual/en/function.parse-str.php) and the `QUERY_STRING` environmental variable. 1175 1176 #!/usr/bin/php 1177 <?php 1178 echo "Content-Type: text/html\r\n\r\n"; 1179 echo "Hello World!\n"; 1180 ?> 1181 1182- CivetWeb fails to start. If CivetWeb exits immediately when started, this 1183 usually indicates a syntax error in the configuration file 1184 (named `civetweb.conf` by default) or the command-line arguments. 1185 Syntax checking is omitted from CivetWeb to keep its size low. However, 1186 the Manual should be of help. Note: the syntax changes from time to time, 1187 so updating the config file might be necessary after executable update. 1188 Try to use the *error\_log\_file* option for details. 1189 1190- Embedding with OpenSSL on Windows might fail because of calling convention. 1191 To force CivetWeb to use `__stdcall` convention, add `/Gz` compilation 1192 flag in Visual Studio compiler. 1193