Configuration Parameters for HEAVY.AI Web Server

Flag

Description

Default

additional-file-upload-extensions <string>

Denote additional file extensions for uploads. Has no effect if --enable-upload-extension-check is not set.

allow-any-origin

Allows for a CORS exception to the same-origin policy. Required to be true if Immerse is hosted on a different domain or subdomain hosting heavy_web_server and heavydb.

Allowing any origin is a less secure mode than what heavy_web_server requires by default.

--allow-any-origin = false

-b | backend-url <string>

URL to http-port on heavydb. Change to avoid collisions with other services.

http://localhost:6278

-B | binary-backend-url <string>

URL to http-binary-port on heavydb.

http://localhost:6276

cert string

Certificate file for HTTPS. Change for testing and debugging.

cert.pem

-c | config <string>

Path to HeavyDB configuration file. Change for testing and debugging.

-d | data <string>

Path to HeavyDB data directory. Change for testing and debugging.

data

data-catalog <string>

Path to data catalog directory.

n/a

docs string

Path to documentation directory. Change if you move your documentation files to another directory.

docs

enable-binary-thrift

Use the binary thrift protocol.

TRUE[1]

enable-browser-logs [=arg]

Enable access to current log files via web browser. Only super users (while logged in) can access log files.

Log files are available at http[s]://host:port/logs/log_name.

The web server log files: ACCESS - http[s]://host:port/logs/access ALL - http[s]://host:port/logs/all

HeavyDB log files: INFO - http[s]://host:port/logs/info WARNING - http[s]://host:port/logs/warning ERROR - http[s]://host:port/logs/

FALSE[0]

enable-cert-verification

TLS certificate verification is a security measure that can be disabled for the cases of TLS certificates not issued by a trusted certificate authority. If using a locally or unofficially generated TLS certificate to secure the connection between heavydb and heavy_web_server, this parameter must be set to false. heavy_web_server expects a trusted certificate authority by default.

--enable-cert-verification = true

enable-cross-domain [=arg]

Enable frontend cross-domain authentication. Cross-domain session cookies require the SameSite = None; Secure headers. Can only be used with HTTPS domains; requires enable-https to be true.

FALSE[0]

enable-https

Enable HTTPS support. Change to enable secure HTTP.

enable-https-authentication

Enable PKI authentication.

enable-https-redirect [=arg]

Enable a new port that heavy_web_server listens on for incoming HTTP requests. When received, it returns a redirect response to the HTTPS port and protocol, so that browsers are immediately and transparently redirected. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE http-to-https-redirect-port = 80

FALSE[0]

enable-non-kernel-time-query-interrupt

Enable non-kernel-time query interrupt.

TRUE[1]

enable-runtime-query-interrupt

Enbale runtime query interrupt.

TRUE[1]

enable-upload-extension-check

Disables restrictive file extension upload check.

encryption-key-file-path <string>

Path to the file containing the credential payload cipher key. Key must be 256 bits in length.

-f | frontend string

Path to frontend directory. Change if you move the location of your frontend UI files.

frontend

http-to-https-redirect-port = arg

Configures the http (incoming) port used by enable-https-redirect. The port option specifies the redirect port number. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE http-to-https-redirect-port = 80

6280

idle-session-duration = arg

Idle session default, in minutes.

60

jupyter-prefix-string <string>

Jupyter Hub base_url for Jupyter integration.

/jupyter

jupyter-url-string <string>

URL for Jupyter integration.

-j |jwt-key-file

Path to a key file for client session encryption.

The file is expected to be a PEM-formatted ( .pem ) certificate file containing the unencrypted private key in PKCS #1, PCKS #8, or ASN.1 DER form.

Example PEM file creation using OpenSSL.

Required only if using a high-availability server configuration or another server configuration that requires an instance of Immerse to talk to multiple heavy_web_server instances.

Each heavy_web_server instance needs to use the same encryption key to encrypt and decrypt client session information which is used for session persistence ("sessionization") in Immerse.

key <string>

Key file for HTTPS. Change for testing and debugging.

key.pem

max-tls-version

Refers to the version of TLS encryption used to secure web protocol connections. Specifies a maximum TLS version.

min-tls-version

Refers to the version of TLS encryption used to secure web protocol connections. Specifies a minimum TLS version.

--min-tls-version = VersionTLS12

peer-cert <string>

Peer CA certificate PKI authentication.

peercert.pem

-p | port int

Frontend server port. Change to avoid collisions with other services.

6273

-r | read-only

Enable read-only mode. Prevent changes to the data.

secure-acao-uri

If set, ensures that all Access-Allow-Origin headers are set to the value provided.

servers-json <string>

Path to servers.json. Change for testing and debugging.

session-id-header <string>

Session ID header.

immersesid

ssl-cert <string>

SSL validated public certificate.

sslcert.pem

ssl-private-key <string>

SSL private key file.

sslprivate.key

strip-x-headers <strings>

List of custom X http request headers to be removed from incoming requests. Use --strip-x-headers=""to allow all X headers through.

[X-HeavyDB-Username]

timeout duration

Maximum request duration in #h#m#s format. For example 0h30m0s represents a duration of 30 minutes. Controls the maximum duration of individual HTTP requests. Used to manage resource exhaustion caused by improperly closed connections. This also limits the execution time of queries made over the Thrift HTTP transport. Increase the duration if queries are expected to take longer than the default duration of one hour; for example, if you COPY FROM a large file when using heavysql with the HTTP transport.

1h0m0s

tls-cipher-suites <strings>

Refers to the combination of algorithms used in TLS encryption to secure web protocol connections.

All available TLS cipher suites compatible with HTTP/2:

• TLS_RSA_WITH_RC4_128_SHA

• TLS_RSA_WITH_AES_128_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_128_ GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_128_ GCM_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384

• TLS_ECDHE_ECDSA_WITH_AES_256_ GCM_SHA384

• TLS_ECDHE_RSA_WITH_CHACHA20_ POLY1305

• TLS_ECDHE_ECDSA_WITH_CHACHA20_ POLY1305

• TLS_AES_128_GCM_SHA256

• TLS_AES_256_GCM_SHA384

• TLS_CHACHA20_POLY1305_SHA256

• TLS_FALLBACK_SCSV

  <code></code>

  Limit security vulnerabilities by specifying the allowed TLS ciphers in the encryption used to secure web protocol connections.

The following cipher suites are accepted by default:

• TLS_ECDHE_RSA_WITH_AES_128_ GCM_SHA256

• TLS_ECDHE_ECDSA_WITH_AES_128_ GCM_SHA256

• TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384

• TLS_RSA_WITH_AES_256_GCM_ SHA384

tls-curves <strings>

Refers to the types of Elliptic Curve Cryptography (ECC) used in TLS encryption to secure web protocol connections.

All available TLS elliptic Curve IDs:

• secp256r1 (Curve ID P256)

• CurveP256 (Curve ID P256)

• secp384r1 (Curve ID P384)

• CurveP384 (Curve ID P384)

• secp521r1 (Curve ID P521)

• CurveP521 (Curve ID P521)

• x25519 (Curve ID X25519)

• X25519 (Curve ID X25519)

  Limit security vulnerabilities by specifying the allowed TLS cipher suites in the encryption used to secure web protocol connections.

The following TLS curves are accepted by default:

• CurveP521

• CurveP384

• CurveP256

tmpdir string

Path for temporary file storage. Used as a staging location for file uploads. Consider locating this directory on the same file system as the HEAVY.AI data directory. If not specified on the command line, heavyai_web_server recognizes the standard TMPDIR environment variable as well as a specific HEAVYAI_TMPDIR environment variable, the latter of which takes precedence. If you use neither the command-line argument nor one of the environment variables, the default, /tmp/ is used.

/tmp

ultra-secure-mode

Enables secure mode that sets Access-Allow-Origin headers to --secure-acao-uriand sets security headers like X-Frame-Options, Content-Security-Policy, and Strict-Transport-Security.

-v | verbose

Enable verbose logging. Adds log messages for debugging purposes.

version

Return version.