Configuration Parameters for HEAVY.AI Web Server

Following are the parameters for runtime settings on HeavyAI Web Server. The parameter syntax provides both the implied value and the default value as appropriate. Optional arguments are in square brackets, while implied and default values are in parentheses.
Flag
Description
Default
additional-file-upload-extensions <string>
Denote additional file extensions for uploads. Has no effect if --enable-upload-extension-check is not set.
​
allow-any-origin
Allows for a CORS exception to the same-origin policy. Required to be true if Immerse is hosted on a different domain or subdomain hosting heavy_web_server and heavydb.
Allowing any origin is a less secure mode than what heavy_web_server requires by default.
--allow-any-origin = false
-b | backend-url <string>
URL to http-port on heavydb. Change to avoid collisions with other services.
http://localhost:6278
-B | binary-backend-url <string>
URL to http-binary-port on heavydb. 
http://localhost:6276
cert string
Certificate file for HTTPS. Change for testing and debugging.
cert.pem
-c | config <string>
Path to HeavyDB configuration file. Change for testing and debugging.
​
-d | data <string>
Path to HeavyDB data directory. Change for testing and debugging.
data
data-catalog <string>
Path to data catalog directory.
n/a
docs string
Path to documentation directory. Change if you move your documentation files to another directory.
docs
enable-binary-thrift
Use the binary thrift protocol.
 TRUE[1]
enable-browser-logs [=arg]
Enable access to current log files via web browser. Only super users (while logged in) can access log files.
Log files are available at http[s]://host:port/logs/log_name.

The web server log files:
ACCESS - http[s]://host:port/logs/access
ALL - http[s]://host:port/logs/all

HeavyDB log files:
INFO - http[s]://host:port/logs/info
WARNING - http[s]://host:port/logs/warning
ERROR - http[s]://host:port/logs/
FALSE[0]
enable-cert-verification
TLS certificate verification is a security measure that can be disabled for the cases of TLS certificates not issued by a trusted certificate authority. If using a locally or unofficially generated TLS certificate to secure the connection between heavydb and heavy_web_server, this parameter must be set to false. heavy_web_server expects a trusted certificate authority by default.
--enable-cert-verification = true
enable-cross-domain [=arg]
Enable frontend cross-domain authentication. Cross-domain session cookies require the SameSite = None; Secure headers. Can only be used with HTTPS domains; requires enable-https to be true.
FALSE[0]
​
 
​
enable-https
Enable HTTPS support. Change to enable secure HTTP.
​
enable-https-authentication
Enable PKI authentication.
​
enable-https-redirect [=arg]
Enable a new port that heavy_web_server listens on for incoming HTTP requests. When received, it returns a redirect response to the HTTPS port and protocol, so that browsers are immediately and transparently redirected. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be:
enable-https-redirect = TRUE
http-to-https-redirect-port = 80
FALSE[0]
enable-non-kernel-time-query-interrupt
Enable non-kernel-time query interrupt.
 TRUE[1]
enable-runtime-query-interrupt
Enbale runtime query interrupt. 
TRUE[1]
​
​
​
enable-upload-extension-check
Disables restrictive file extension upload check.
​
encryption-key-file-path <string>
Path to the file containing the credential payload cipher key. Key must be 256 bits in length.
​
-f | frontend string
Path to frontend directory. Change if you move the location of your frontend UI files.
frontend
http-to-https-redirect-port = arg
Configures the http (incoming) port used by enable-https-redirect. The port option specifies the redirect port number. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE
http-to-https-redirect-port = 80
6280
idle-session-duration = arg
Idle session default, in minutes.
60
jupyter-prefix-string <string>
Jupyter Hub base_url for Jupyter integration.
/jupyter
jupyter-url-string <string>
URL for Jupyter integration.
​
-j |jwt-key-file
Path to a key file for client session encryption.
The file is expected to be a PEM-formatted ( .pem ) certificate file containing the unencrypted private key in PKCS #1, PCKS #8, or ASN.1 DER form.
Example PEM file creation using OpenSSL.
Required only if using a high-availability server configuration or another server configuration that requires an instance of Immerse to talk to multiple heavy_web_server instances.
Each heavy_web_server instance needs to use the same encryption key to encrypt and decrypt client session information which is used for session persistence ("sessionization") in Immerse.
​
key <string>
Key file for HTTPS. Change for testing and debugging.
key.pem
max-tls-version
Refers to the version of TLS encryption used to secure web protocol connections. Specifies a maximum TLS version.
​
min-tls-version
Refers to the version of TLS encryption used to secure web protocol connections. Specifies a minimum TLS version.
--min-tls-version = VersionTLS12
peer-cert <string>
Peer CA certificate PKI authentication.
peercert.pem
-p | port int
Frontend server port. Change to avoid collisions with other services.
6273
-r | read-only
Enable read-only mode. Prevent changes to the data.
​
secure-acao-uri
If set, ensures that all Access-Allow-Origin headers are set to the value provided.
​
servers-json <string>
Path to servers.json. Change for testing and debugging.
​
session-id-header <string>
Session ID header.
immersesid
ssl-cert <string>
SSL validated public certificate.
sslcert.pem
ssl-private-key <string>
SSL private key file.
sslprivate.key
strip-x-headers <strings>
List of custom X http request headers to be removed from incoming requests. Use --strip-x-headers=""to allow all X headers through.
[X-HeavyDB-Username]
timeout duration
Maximum request duration in #h#m#s format. For example 0h30m0s represents a duration of 30 minutes. Controls the maximum duration of individual HTTP requests. Used to manage resource exhaustion caused by improperly closed connections.

This also limits the execution time of queries made over the Thrift HTTP transport. Increase the duration if queries are expected to take longer than the default duration of one hour; for example, if you COPY FROM a large file when using heavysql with the HTTP transport.
1h0m0s
tls-cipher-suites <strings>
Refers to the combination of algorithms used in TLS encryption to secure web protocol connections.
All available TLS cipher suites compatible with HTTP/2:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_
GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_
GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_
GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_
GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_
POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_
POLY1305
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_FALLBACK_SCSV
<code></code>
Limit security vulnerabilities by specifying the allowed TLS ciphers in the encryption used to secure web protocol connections.
The following cipher suites are accepted by default:
TLS_ECDHE_RSA_WITH_AES_128_
GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_
GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_
GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_
SHA384
tls-curves <strings>
Refers to the types of Elliptic Curve Cryptography (ECC) used in TLS encryption to secure web protocol connections.
All available TLS elliptic Curve IDs:
secp256r1 (Curve ID P256)
CurveP256 (Curve ID P256)
secp384r1 (Curve ID P384)
CurveP384 (Curve ID P384)
secp521r1 (Curve ID P521)
CurveP521 (Curve ID P521)
x25519 (Curve ID X25519)
X25519 (Curve ID X25519)
Limit security vulnerabilities by specifying the allowed TLS cipher suites in the encryption used to secure web protocol connections.
The following TLS curves are accepted by default:
CurveP521
CurveP384
CurveP256
tmpdir string
Path for temporary file storage. Used as a staging location for file uploads. Consider locating this directory on the same file system as the HEAVY.AI data directory. If not specified on the command line, heavyai_web_server recognizes the standard TMPDIR environment variable as well as a specific HEAVYAI_TMPDIR environment variable, the latter of which takes precedence. If you use neither the command-line argument nor one of the environment variables, the default, /tmp/ is used.
/tmp
ultra-secure-mode
Enables secure mode that sets Access-Allow-Origin headers to --secure-acao-uriand sets security headers like X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security.
​
-v | verbose
Enable verbose logging. Adds log messages for debugging purposes.
​
version
Return version.
​

Last modified 3mo ago

Flag	Description	Default
`additional-file-upload-extensions <string>`	Denote additional file extensions for uploads. Has no effect if `--enable-upload-extension-check` is not set.
`allow-any-origin`	Allows for a CORS exception to the same-origin policy. Required to be true if Immerse is hosted on a different domain or subdomain hosting heavy_web_server and heavydb. Allowing any origin is a less secure mode than what heavy_web_server requires by default.	`--allow-any-origin = false`
`-b \| backend-url <string>`	URL to http-port on heavydb. Change to avoid collisions with other services.	`http://localhost:6278`
`-B \| binary-backend-url <string>`	URL to http-binary-port on heavydb.	`http://localhost:6276`
`cert string`	Certificate file for HTTPS. Change for testing and debugging.	`cert.pem`
`-c \| config <string>`	Path to HeavyDB configuration file. Change for testing and debugging.
`-d \| data <string>`	Path to HeavyDB data directory. Change for testing and debugging.	`data`
`data-catalog <string>`	Path to data catalog directory.	n/a
`docs string`	Path to documentation directory. Change if you move your documentation files to another directory.	`docs`
`enable-binary-thrift`	Use the binary thrift protocol.	TRUE[1]
`enable-browser-logs [=arg]`	Enable access to current log files via web browser. Only super users (while logged in) can access log files. Log files are available at http[s]://host:port/logs/log_name. The web server log files: ACCESS - http[s]://host:port/logs/access ALL - http[s]://host:port/logs/all HeavyDB log files: INFO - http[s]://host:port/logs/info WARNING - http[s]://host:port/logs/warning ERROR - http[s]://host:port/logs/	FALSE[0]
`enable-cert-verification`	TLS certificate verification is a security measure that can be disabled for the cases of TLS certificates not issued by a trusted certificate authority. If using a locally or unofficially generated TLS certificate to secure the connection between heavydb and heavy_web_server, this parameter must be set to false. heavy_web_server expects a trusted certificate authority by default.	`--enable-cert-verification = true`
`enable-cross-domain [=arg]`	Enable frontend cross-domain authentication. Cross-domain session cookies require the `SameSite = None; Secure` headers. Can only be used with HTTPS domains; requires `enable-https` to be true.	FALSE[0]

`enable-https`	Enable HTTPS support. Change to enable secure HTTP.
`enable-https-authentication`	Enable PKI authentication.
`enable-https-redirect [=arg]`	Enable a new port that heavy_web_server listens on for incoming HTTP requests. When received, it returns a redirect response to the HTTPS port and protocol, so that browsers are immediately and transparently redirected. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE http-to-https-redirect-port = 80	FALSE[0]
`enable-non-kernel-time-query-interrupt`	Enable non-kernel-time query interrupt.	TRUE[1]
`enable-runtime-query-interrupt`	Enbale runtime query interrupt.	TRUE[1]

`enable-upload-extension-check`	Disables restrictive file extension upload check.
`encryption-key-file-path <string>`	Path to the file containing the credential payload cipher key. Key must be 256 bits in length.
`-f \| frontend string`	Path to frontend directory. Change if you move the location of your frontend UI files.	`frontend`
`http-to-https-redirect-port = arg`	Configures the http (incoming) port used by enable-https-redirect. The port option specifies the redirect port number. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE http-to-https-redirect-port = 80	6280
`idle-session-duration = arg`	Idle session default, in minutes.	60
`jupyter-prefix-string <string>`	Jupyter Hub base_url for Jupyter integration.	/jupyter
`jupyter-url-string <string>`	URL for Jupyter integration.
-j \|`jwt-key-file`	Path to a key file for client session encryption. The file is expected to be a PEM-formatted ( .pem ) certificate file containing the unencrypted private key in PKCS #1, PCKS #8, or ASN.1 DER form. Example PEM file creation using OpenSSL. Required only if using a high-availability server configuration or another server configuration that requires an instance of Immerse to talk to multiple heavy_web_server instances. Each heavy_web_server instance needs to use the same encryption key to encrypt and decrypt client session information which is used for session persistence ("sessionization") in Immerse.
`key <string>`	Key file for HTTPS. Change for testing and debugging.	`key.pem`
`max-tls-version`	Refers to the version of TLS encryption used to secure web protocol connections. Specifies a maximum TLS version.
`min-tls-version`	Refers to the version of TLS encryption used to secure web protocol connections. Specifies a minimum TLS version.	`--min-tls-version = VersionTLS12`
`peer-cert <string>`	Peer CA certificate PKI authentication.	`peercert.pem`
`-p \| port int`	Frontend server port. Change to avoid collisions with other services.	6273
`-r \| read-only`	Enable read-only mode. Prevent changes to the data.
`secure-acao-uri`	If set, ensures that all `Access-Allow-Origin` headers are set to the value provided.
`servers-json <string>`	Path to servers.json. Change for testing and debugging.
`session-id-header <string>`	Session ID header.	`immersesid`
`ssl-cert <string>`	SSL validated public certificate.	`sslcert.pem`
`ssl-private-key <string>`	SSL private key file.	`sslprivate.key`
`strip-x-headers <strings>`	List of custom X http request headers to be removed from incoming requests. Use `--strip-x-headers=""`to allow all X headers through.	`[X-HeavyDB-Username]`
`timeout duration`	Maximum request duration in `#h#m#s` format. For example `0h30m0s` represents a duration of 30 minutes. Controls the maximum duration of individual HTTP requests. Used to manage resource exhaustion caused by improperly closed connections. This also limits the execution time of queries made over the Thrift HTTP transport. Increase the duration if queries are expected to take longer than the default duration of one hour; for example, if you COPY FROM a large file when using heavysql with the HTTP transport.	`1h0m0s`
`tls-cipher-suites <strings>`	Refers to the combination of algorithms used in TLS encryption to secure web protocol connections. All available TLS cipher suites compatible with HTTP/2: `TLS_RSA_WITH_RC4_128_SHA` `TLS_RSA_WITH_AES_128_CBC_SHA` `TLS_ECDHE_RSA_WITH_AES_128_ GCM_SHA256` `TLS_ECDHE_ECDSA_WITH_AES_128_ GCM_SHA256` `TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384` `TLS_ECDHE_ECDSA_WITH_AES_256_ GCM_SHA384` `TLS_ECDHE_RSA_WITH_CHACHA20_ POLY1305` `TLS_ECDHE_ECDSA_WITH_CHACHA20_ POLY1305` `TLS_AES_128_GCM_SHA256` `TLS_AES_256_GCM_SHA384` `TLS_CHACHA20_POLY1305_SHA256` `TLS_FALLBACK_SCSV` <code></code> Limit security vulnerabilities by specifying the allowed TLS ciphers in the encryption used to secure web protocol connections.	The following cipher suites are accepted by default: `TLS_ECDHE_RSA_WITH_AES_128_ GCM_SHA256` `TLS_ECDHE_ECDSA_WITH_AES_128_ GCM_SHA256` `TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384` `TLS_RSA_WITH_AES_256_GCM_ SHA384`
`tls-curves <strings>`	Refers to the types of Elliptic Curve Cryptography (ECC) used in TLS encryption to secure web protocol connections. All available TLS elliptic Curve IDs: `secp256r1` (Curve ID P256) `CurveP256` (Curve ID P256) `secp384r1` (Curve ID P384) `CurveP384` (Curve ID P384) `secp521r1` (Curve ID P521) `CurveP521` (Curve ID P521) `x25519` (Curve ID X25519) `X25519` (Curve ID X25519) Limit security vulnerabilities by specifying the allowed TLS cipher suites in the encryption used to secure web protocol connections.	The following TLS curves are accepted by default: `CurveP521` `CurveP384` `CurveP256`
`tmpdir string`	Path for temporary file storage. Used as a staging location for file uploads. Consider locating this directory on the same file system as the HEAVY.AI data directory. If not specified on the command line, `heavyai_web_server` recognizes the standard `TMPDIR` environment variable as well as a specific `HEAVYAI_TMPDIR` environment variable, the latter of which takes precedence. If you use neither the command-line argument nor one of the environment variables, the default, `/tmp/` is used.	`/tmp`
`ultra-secure-mode`	Enables secure mode that sets `Access-Allow-Origin` headers to `--secure-acao-uri`and sets security headers like `X-Frame-Options`, `Content-Security-Policy`, and `Strict-Transport-Security`.
`-v \| verbose`	Enable verbose logging. Adds log messages for debugging purposes.
`version`	Return version.