Configuration Parameters for HEAVY.AI Web Server
Following are the parameters for runtime settings on HeavyAI Web Server. The parameter syntax provides both the implied value and the default value as appropriate. Optional arguments are in square brackets, while implied and default values are in parentheses.
Flag
Description
Default
additional-file-upload-extensions <string>
Denote additional file extensions for uploads. Has no effect if --enable-upload-extension-check
is not set.
allow-any-origin
Allows for a CORS exception to the same-origin policy. Required to be true if Immerse is hosted on a different domain or subdomain hosting heavy_web_server and heavydb.
Allowing any origin is a less secure mode than what heavy_web_server requires by default.
--allow-any-origin = false
-b | backend-url <string>
URL to http-port on heavydb. Change to avoid collisions with other services.
http://localhost:6278
-B | binary-backend-url <string>
URL to http-binary-port on heavydb.
http://localhost:6276
cert string
Certificate file for HTTPS. Change for testing and debugging.
cert.pem
-c | config <string>
Path to HeavyDB configuration file. Change for testing and debugging.
-d | data <string>
Path to HeavyDB data directory. Change for testing and debugging.
data
data-catalog <string>
Path to data catalog directory.
n/a
docs string
Path to documentation directory. Change if you move your documentation files to another directory.
docs
enable-binary-thrift
Use the binary thrift protocol.
TRUE[1]
enable-browser-logs [=arg]
Enable access to current log files via web browser. Only super users (while logged in) can access log files.
Log files are available at http[s]://host:port/logs/log_name.
The web server log files: ACCESS - http[s]://host:port/logs/access ALL - http[s]://host:port/logs/all
HeavyDB log files: INFO - http[s]://host:port/logs/info WARNING - http[s]://host:port/logs/warning ERROR - http[s]://host:port/logs/
FALSE[0]
enable-cert-verification
TLS certificate verification is a security measure that can be disabled for the cases of TLS certificates not issued by a trusted certificate authority. If using a locally or unofficially generated TLS certificate to secure the connection between heavydb and heavy_web_server, this parameter must be set to false. heavy_web_server expects a trusted certificate authority by default.
--enable-cert-verification = true
enable-cross-domain [=arg]
Enable frontend cross-domain authentication. Cross-domain session cookies require the SameSite = None; Secure
headers. Can only be used with HTTPS domains; requires enable-https
to be true.
FALSE[0]
enable-https
Enable HTTPS support. Change to enable secure HTTP.
enable-https-authentication
Enable PKI authentication.
enable-https-redirect [=arg]
Enable a new port that heavy_web_server listens on for incoming HTTP requests. When received, it returns a redirect response to the HTTPS port and protocol, so that browsers are immediately and transparently redirected. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE http-to-https-redirect-port = 80
FALSE[0]
enable-non-kernel-time-query-interrupt
Enable non-kernel-time query interrupt.
TRUE[1]
enable-runtime-query-interrupt
Enbale runtime query interrupt.
TRUE[1]
enable-upload-extension-check
Disables restrictive file extension upload check.
encryption-key-file-path <string>
Path to the file containing the credential payload cipher key. Key must be 256 bits in length.
-f | frontend string
Path to frontend directory. Change if you move the location of your frontend UI files.
frontend
http-to-https-redirect-port = arg
Configures the http (incoming) port used by enable-https-redirect. The port option specifies the redirect port number. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol (http://my-heavyai-frontend.com) on default HTTP port 80, and on the primary HTTPS protocol (https://my-heavyai-frontend.com) on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy_web_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE http-to-https-redirect-port = 80
6280
idle-session-duration = arg
Idle session default, in minutes.
60
jupyter-prefix-string <string>
Jupyter Hub base_url for Jupyter integration.
/jupyter
jupyter-url-string <string>
URL for Jupyter integration.
-j |jwt-key-file
Path to a key file for client session encryption.
The file is expected to be a PEM-formatted ( .pem ) certificate file containing the unencrypted private key in PKCS #1, PCKS #8, or ASN.1 DER form.
Example PEM file creation using OpenSSL.
Required only if using a high-availability server configuration or another server configuration that requires an instance of Immerse to talk to multiple heavy_web_server instances.
Each heavy_web_server instance needs to use the same encryption key to encrypt and decrypt client session information which is used for session persistence ("sessionization") in Immerse.
key <string>
Key file for HTTPS. Change for testing and debugging.
key.pem
max-tls-version
Refers to the version of TLS encryption used to secure web protocol connections. Specifies a maximum TLS version.
min-tls-version
Refers to the version of TLS encryption used to secure web protocol connections. Specifies a minimum TLS version.
--min-tls-version = VersionTLS12
peer-cert <string>
Peer CA certificate PKI authentication.
peercert.pem
-p | port int
Frontend server port. Change to avoid collisions with other services.
6273
-r | read-only
Enable read-only mode. Prevent changes to the data.
secure-acao-uri
If set, ensures that all Access-Allow-Origin
headers are set to the value provided.
servers-json <string>
Path to servers.json. Change for testing and debugging.
session-id-header <string>
Session ID header.
immersesid
ssl-cert <string>
SSL validated public certificate.
sslcert.pem
ssl-private-key <string>
SSL private key file.
sslprivate.key
strip-x-headers <strings>
List of custom X http request headers to be removed from incoming requests. Use --strip-x-headers=""
to allow all X headers through.
[X-HeavyDB-Username]
timeout duration
Maximum request duration in #h#m#s
format. For example 0h30m0s
represents a duration of 30 minutes. Controls the maximum duration of individual HTTP requests. Used to manage resource exhaustion caused by improperly closed connections.
This also limits the execution time of queries made over the Thrift HTTP transport. Increase the duration if queries are expected to take longer than the default duration of one hour; for example, if you COPY FROM a large file when using heavysql with the HTTP transport.
1h0m0s
tls-cipher-suites <strings>
Refers to the combination of algorithms used in TLS encryption to secure web protocol connections.
All available TLS cipher suites compatible with HTTP/2:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_ GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_ GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_ GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_ POLY1305
TLS_ECDHE_ECDSA_WITH_CHACHA20_ POLY1305
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_FALLBACK_SCSV
<code></code>
Limit security vulnerabilities by specifying the allowed TLS ciphers in the encryption used to secure web protocol connections.
The following cipher suites are accepted by default:
TLS_ECDHE_RSA_WITH_AES_128_ GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_ GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_ GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_ SHA384
tls-curves <strings>
Refers to the types of Elliptic Curve Cryptography (ECC) used in TLS encryption to secure web protocol connections.
All available TLS elliptic Curve IDs:
secp256r1
(Curve ID P256)CurveP256
(Curve ID P256)secp384r1
(Curve ID P384)CurveP384
(Curve ID P384)secp521r1
(Curve ID P521)CurveP521
(Curve ID P521)x25519
(Curve ID X25519)X25519
(Curve ID X25519)Limit security vulnerabilities by specifying the allowed TLS cipher suites in the encryption used to secure web protocol connections.
The following TLS curves are accepted by default:
CurveP521
CurveP384
CurveP256
tmpdir string
Path for temporary file storage. Used as a staging location for file uploads. Consider locating this directory on the same file system as the HEAVY.AI data directory. If not specified on the command line, heavyai_web_server
recognizes the standard TMPDIR
environment variable as well as a specific HEAVYAI_TMPDIR
environment variable, the latter of which takes precedence. If you use neither the command-line argument nor one of the environment variables, the default, /tmp/
is used.
/tmp
ultra-secure-mode
Enables secure mode that sets Access-Allow-Origin
headers to --secure-acao-uri
and sets security headers like X-Frame-Options
, Content-Security-Policy
, and Strict-Transport-Security
.
-v | verbose
Enable verbose logging. Adds log messages for debugging purposes.
version
Return version.
Last updated