# Configuration Parameters for HEAVY.AI Web Server Following are the parameters for runtime settings on HeavyAI Web Server. The parameter syntax provides both the implied value and the default value as appropriate. Optional arguments are in square brackets, while implied and default values are in parentheses. | Flag | Description | Default | | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `additional-file-upload-extensions ` | Denote additional file extensions for uploads. Has no effect if `--enable-upload-extension-check` is not set. | | | `allow-any-origin` |

Allows for a CORS exception to the same-origin policy. Required to be true if Immerse is hosted on a different domain or subdomain hosting heavy\_web\_server and heavydb.

Allowing any origin is a less secure mode than what heavy\_web\_server requires by default.

| `--allow-any-origin = false` | | `-b \| backend-url ` | URL to http-port on heavydb. Change to avoid collisions with other services. | `http://localhost:6278` | | `-B \| binary-backend-url ` | URL to http-binary-port on heavydb. | `http://localhost:6276` | | `cert string` | Certificate file for HTTPS. Change for testing and debugging. | `cert.pem` | | `-c \| config ` | Path to HeavyDB configuration file. Change for testing and debugging. | | | `-d \| data ` | Path to HeavyDB data directory. Change for testing and debugging. | `data` | | `data-catalog ` | Path to data catalog directory. | n/a | | `docs string` | Path to documentation directory. Change if you move your documentation files to another directory. | `docs` | | `enable-binary-thrift` | Use the binary thrift protocol. | TRUE\[1] | | `enable-browser-logs [=arg]` |

Enable access to current log files via web browser. Only super users (while logged in) can access log files.

Log files are available at http\[s]://host:port/logs/log\_name.

The web server log files:
ACCESS - http\[s]://host:port/logs/access
ALL - http\[s]://host:port/logs/all


HeavyDB log files:
INFO - http\[s]://host:port/logs/info
WARNING - http\[s]://host:port/logs/warning
ERROR - http\[s]://host:port/logs/

| FALSE\[0] | | `enable-cert-verification` | TLS certificate verification is a security measure that can be disabled for the cases of TLS certificates not issued by a trusted certificate authority. If using a locally or unofficially generated TLS certificate to secure the connection between heavydb and heavy\_web\_server, this parameter must be set to false. heavy\_web\_server expects a trusted certificate authority by default. | `--enable-cert-verification = true` | | `enable-cross-domain [=arg]` | Enable frontend cross-domain authentication. Cross-domain session cookies require the `SameSite = None; Secure` headers. Can only be used with HTTPS domains; requires `enable-https` to be true. | FALSE\[0] | | | | | | `enable-https` | Enable HTTPS support. Change to enable secure HTTP. | | | `enable-https-authentication` | Enable PKI authentication. | | | `enable-https-redirect [=arg]` |

Enable a new port that heavy\_web\_server listens on for incoming HTTP requests. When received, it returns a redirect response to the HTTPS port and protocol, so that browsers are immediately and transparently redirected. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol () on default HTTP port 80, and on the primary HTTPS protocol () on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy\_web\_server can attach to ports below 1024, the configuration would be:
enable-https-redirect = TRUE
http-to-https-redirect-port = 80

| FALSE\[0] | | `enable-non-kernel-time-query-interrupt` | Enable non-kernel-time query interrupt. | TRUE\[1] | | `enable-runtime-query-interrupt` | Enbale runtime query interrupt. | TRUE\[1] | | | | | | `enable-upload-extension-check` | Disables restrictive file extension upload check. | | | `encryption-key-file-path ` | Path to the file containing the credential payload cipher key. Key must be 256 bits in length. | | | `-f \| frontend string` | Path to frontend directory. Change if you move the location of your frontend UI files. | `frontend` | | `http-to-https-redirect-port = arg` |

Configures the http (incoming) port used by enable-https-redirect. The port option specifies the redirect port number. Use to provide an HEAVY.AI front end that can run on both the HTTP protocol () on default HTTP port 80, and on the primary HTTPS protocol () on default https port 443, and have requests to the HTTP protocol automatically redirected to HTTPS. Without this, requests to HTTP fail. Assuming heavy\_web\_server can attach to ports below 1024, the configuration would be: enable-https-redirect = TRUE
http-to-https-redirect-port = 80

| 6280 | | `idle-session-duration = arg` | Idle session default, in minutes. | 60 | | `jupyter-prefix-string ` | Jupyter Hub base\_url for Jupyter integration. | /jupyter | | `jupyter-url-string ` | URL for Jupyter integration. | | | -j \|`jwt-key-file` |

Path to a key file for client session encryption.

The file is expected to be a PEM-formatted ( .pem ) certificate file containing the unencrypted private key in PKCS #1, PCKS #8, or ASN.1 DER form.

Example PEM file creation using OpenSSL.

Required only if using a high-availability server configuration or another server configuration that requires an instance of Immerse to talk to multiple heavy\_web\_server instances.

Each heavy\_web\_server instance needs to use the same encryption key to encrypt and decrypt client session information which is used for session persistence ("sessionization") in Immerse.

| | | `key ` | Key file for HTTPS. Change for testing and debugging. | `key.pem` | | `max-tls-version` | Refers to the version of TLS encryption used to secure web protocol connections. Specifies a maximum TLS version. | | | `min-tls-version` | Refers to the version of TLS encryption used to secure web protocol connections. Specifies a minimum TLS version. | `--min-tls-version = VersionTLS12` | | `peer-cert ` | Peer CA certificate PKI authentication. | `peercert.pem` | | `-p \| port int` | Frontend server port. Change to avoid collisions with other services. | 6273 | | `-r \| read-only` | Enable read-only mode. Prevent changes to the data. | | | `secure-acao-uri` | If set, ensures that all `Access-Allow-Origin` headers are set to the value provided. | | | `servers-json ` | Path to servers.json. Change for testing and debugging. | | | `session-id-header ` | Session ID header. | `immersesid` | | `ssl-cert ` | SSL validated public certificate. | `sslcert.pem` | | `ssl-private-key ` | SSL private key file. | `sslprivate.key` | | `strip-x-headers ` | List of custom X http request headers to be removed from incoming requests. Use `--strip-x-headers=""`to allow all X headers through. | `[X-HeavyDB-Username]` | | `timeout duration` |

Maximum request duration in #h#m#s format. For example 0h30m0s represents a duration of 30 minutes. Controls the maximum duration of individual HTTP requests. Used to manage resource exhaustion caused by improperly closed connections.

This also limits the execution time of queries made over the Thrift HTTP transport. Increase the duration if queries are expected to take longer than the default duration of one hour; for example, if you COPY FROM a large file when using heavysql with the HTTP transport.

| `1h0m0s` | | `tls-cipher-suites ` |

Refers to the combination of algorithms used in TLS encryption to secure web protocol connections.

All available TLS cipher suites compatible with HTTP/2:

  • TLS\_RSA\_WITH\_RC4\_128\_SHA
  • TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA
  • TLS\_ECDHE\_RSA\_WITH\_AES\_128\_
    GCM\_SHA256
  • TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_
    GCM\_SHA256
  • TLS\_ECDHE\_RSA\_WITH\_AES\_256\_
    GCM\_SHA384
  • TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_
    GCM\_SHA384
  • TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_
    POLY1305
  • TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_
    POLY1305
  • TLS\_AES\_128\_GCM\_SHA256
  • TLS\_AES\_256\_GCM\_SHA384
  • TLS\_CHACHA20\_POLY1305\_SHA256

  • TLS\_FALLBACK\_SCSV

    \\

    Limit security vulnerabilities by specifying the allowed TLS ciphers in the encryption used to secure web protocol connections.

|

The following cipher suites are accepted by default:

  • TLS\_ECDHE\_RSA\_WITH\_AES\_128\_
    GCM\_SHA256
  • TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_
    GCM\_SHA256
  • TLS\_ECDHE\_RSA\_WITH\_AES\_256\_
    GCM\_SHA384
  • TLS\_RSA\_WITH\_AES\_256\_GCM\_
    SHA384
| | `tls-curves ` |

Refers to the types of Elliptic Curve Cryptography (ECC) used in TLS encryption to secure web protocol connections.

All available TLS elliptic Curve IDs:

  • secp256r1 (Curve ID P256)
  • CurveP256 (Curve ID P256)
  • secp384r1 (Curve ID P384)
  • CurveP384 (Curve ID P384)
  • secp521r1 (Curve ID P521)
  • CurveP521 (Curve ID P521)
  • x25519 (Curve ID X25519)

  • X25519 (Curve ID X25519)

    Limit security vulnerabilities by specifying the allowed TLS cipher suites in the encryption used to secure web protocol connections.

|

The following TLS curves are accepted by default:

  • CurveP521
  • CurveP384
  • CurveP256
| | `tmpdir string` | Path for temporary file storage. Used as a staging location for file uploads. Consider locating this directory on the same file system as the HEAVY.AI data directory. If not specified on the command line, `heavyai_web_server` recognizes the standard `TMPDIR` environment variable as well as a specific `HEAVYAI_TMPDIR` environment variable, the latter of which takes precedence. If you use neither the command-line argument nor one of the environment variables, the default, `/tmp/` is used. | `/tmp` | | `ultra-secure-mode` | Enables secure mode that sets `Access-Allow-Origin` headers to `--secure-acao-uri`and sets security headers like `X-Frame-Options`, `Content-Security-Policy`, and `Strict-Transport-Security`. | | | `-v \| verbose` | Enable verbose logging. Adds log messages for debugging purposes. | | | `version` | Return version. | |