# Intro into HTTP HTTP plugin is used to pass `HTTP`/`HTTPS`/`fCGI`/`HTTP2(h2c)`/`HTTP3` requests to the PHP worker. ## Configuration reference {% code title=".rr.yaml" %} ```yaml version: "3" # HTTP plugin settings. http: # Host and port to listen on (e.g.: `127.0.0.1:8080`). # # This option is required. address: 127.0.0.1:8080 # Override HTTP error code for internal RR errors # # Default: 500 internal_error_code: 505 # HTTP access logs # # Default: false access_logs: false # Maximum incoming request size in megabytes. Zero means no limit. # # Default: 0 max_request_size: 256 # Send raw body (unescaped) to the PHP worker for the application/x-www-form-urlencoded content type # # Optional, default: false raw_body: false # Middleware for the HTTP plugin; order is important. Allowed values are: "headers", "gzip", "static", "sendfile", [SINCE 2.6] -> "new_relic", [SINCE 2.6] -> "http_metrics", [SINCE 2.7] -> "cache" # # Default value: [] middleware: [ "headers", "gzip" ] # Allow incoming requests only from the following subnets (https://en.wikipedia.org/wiki/Reserved_IP_addresses). # # Default: ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10"] trusted_subnets: [ "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10", ] # File uploading settings. uploads: # Directory for file uploads. Empty value means to use $TEMP based on your OS. # # Default: "" dir: "/tmp" # Deny files with the following extensions to upload. # # Default: [".php", ".exe", ".bat"] forbid: [ ".php", ".exe", ".bat", ".sh" ] # [SINCE 2.6] Allow files with the following extensions to upload # # Default: empty allow: [ ".html", ".aaa" ] # Settings for "headers" middleware. headers: # Allows to control CORS headers. Additional headers "Vary: Origin", "Vary: Access-Control-Request-Method", # "Vary: Access-Control-Request-Headers" will be added to the server responses. Drop this section for this # feature disabling. cors: # Controls "Access-Control-Allow-Origin" header value (docs: https://mzl.la/2OgD4Qf). # # Default: "" allowed_origin: "*" # Controls "Access-Control-Allow-Headers" header value (docs: https://mzl.la/2OzDVvk). # # Default: "" allowed_headers: "*" # Controls "Access-Control-Allow-Methods" header value (docs: https://mzl.la/3lbwyXf). # # Default: "" allowed_methods: "GET,POST,PUT,DELETE" # Controls "Access-Control-Allow-Credentials" header value (docs: https://mzl.la/3ekJGaY). # # Default: false allow_credentials: true # Controls "Access-Control-Expose-Headers" header value (docs: https://mzl.la/3qAqgkF). # # Default: "" exposed_headers: "Cache-Control,Content-Language,Content-Type,Expires,Last-Modified,Pragma" # Controls "Access-Control-Max-Age" header value in seconds (docs: https://mzl.la/2PCSdvt). # # Default: 0 max_age: 600 # Automatically add headers to every request passed to PHP. # # Default: request: input: "custom-header" # Automatically add headers to every response. # # Default: response: X-Powered-By: "RoadRunner" # Settings for "static" middleware. static: # Path to the directory to serve # # Default: "." (current) dir: "." # File patterns to forbid # # Default: empty forbid: [ "" ] # ETag calculation (based on the body CRC32) # # Default: false calculate_etag: false # Weak ETag calculation (based only on the content-length CRC32) # # Default: false weak: false # Patterns to allow # # Default: empty allow: [ ".txt", ".php" ] # Request headers # # Default: empty request: input: "custom-header" # Response headers # # Default: empty response: output: "output-header" # Workers pool settings. pool: # Debug mode for the pool. In this mode, the pool will not pre-allocate the worker. A worker (only 1; num_workers ignored) will be allocated right after a request arrives. # # Default: false debug: false # Override server's command # # Default: empty command: "php my-super-app.php" # How many worker processes will be started. Zero (or nothing) means the number of logical CPUs. # # Default: 0 num_workers: 0 # Maximal count of worker executions. Zero (or nothing) means no limit. # # Default: 0 max_jobs: 0 # [2023.3.10] # Maximum size of the internal requests queue. After reaching the limit, all additional requests would be rejected with error. # # Default: 0 (no limit) max_queue_size: 0 # Timeout for worker allocation. Zero means 60s. # # Default: 60s allocate_timeout: 60s # Timeout for the reset operation. Zero means 60s. # # Default: 60s reset_timeout: 60s # Timeout for worker destroying before process killing. Zero means 60s. # # Default: 60s destroy_timeout: 60s # Timeout for streaming responses. Zero means 60s. # # Default: 60s stream_timeout: 60s # Supervisor is used to control HTTP workers (previous name was "limit", video: https://www.youtube.com/watch?v=NdrlZhyFqyQ). # "Soft" limits will not interrupt current request processing. "Hard" # limit on the contrary - interrupts the execution of the request. supervisor: # How often to check the state of the workers. # # Default: 5s watch_tick: 5s # Maximum time worker is allowed to live (soft limit). Zero means no limit. # # Default: 0s ttl: 0s # How long worker can spend in IDLE mode after first using (soft limit). Zero means no limit. # # Default: 0s idle_ttl: 10s # Maximal worker memory usage in megabytes (soft limit). Zero means no limit. # # Default: 0 max_worker_memory: 128 # Maximal job lifetime (hard limit). Zero means no limit. # # Default: 0s exec_ttl: 60s # SSL/TLS settings. ssl: # Host and port to listen on (e.g.: `127.0.0.1:443`). # # Default: ":443" address: "127.0.0.1:443" # Use ACME certificates provider (Let's encrypt) acme: # Directory to use as a certificate/pk, account info storage # # Optional. Default: rr_cache cache_dir: rr_le_certs # User email # # Used to create LE account. Mandatory. Error on empty. email: you-email-here@email # Alternate port for the HTTP challenge. Challenge traffic should be redirected to this port if overridden. # # Optional. Default: 80 alt_http_port: 80 # Alternate port for the tls-alpn-01 challenge. Challenge traffic should be redirected to this port if overridden. # # Optional. Default: 443. alt_tlsalpn_port: 443 # Challenge types # # Optional. Default: http-01. Possible values: http-01, tlsalpn-01 challenge_type: http-01 # Use production or staging endpoint. NOTE: try to use the staging endpoint to make sure that everything works correctly. # # Optional, but for production should be set to true. Default: false use_production_endpoint: true # List of your domains to obtain certificates # # Mandatory. Error on empty. domains: [ "your-cool-domain.here", "your-second-domain.here" ] # Automatic redirect from http:// to https:// schema. # # Default: false redirect: true # Path to the cert file. This option is required for SSL working. # # This option is required. cert: /ssl/server.crt # Path to the cert key file. # # This option is required. key: /ssl/server.key # Path to the root certificate authority file. # # This option is optional (required for the mTLS). root_ca: /ssl/root.crt # Client auth type (mTLS) # # This option is optional. Default value: no_client_certs. Possible values: request_client_cert, require_any_client_cert, verify_client_cert_if_given, require_and_verify_client_cert, no_client_certs client_auth_type: no_client_certs # FastCGI frontend support. fcgi: # FastCGI connection DSN. Supported TCP and Unix sockets. An empty value disables this. # # Default: "" address: tcp://0.0.0.0:7921 # HTTP/2 settings. http2: # HTTP/2 over non-encrypted TCP connection using H2C. # # Default: false h2c: false # Maximal concurrent streams count. # # Default: 128 max_concurrent_streams: 128 ``` {% endcode %} ## HTTPS You can enable HTTPS support by adding the `ssl` section to the `http` config. {% code title=".rr.yaml" %} ```yaml version: "3" http: address: 127.0.0.1:8080 ssl: # host and port separated by semicolon (default :443) address: :8892 redirect: false cert: fixtures/server.crt key: fixtures/server.key root_ca: root.crt ``` {% endcode %} ### Let's Encrypt RR can automatically obtain TLS certificates for your domain. The folder with your certs might be moved between servers, RR will check the `cache_dir` and obtain a new certificate if the old one is about to expire. RR will track your certificate's expiration date and refresh it automatically. {% code title=".rr.yaml" %} ```yaml version: "3" http: # other HTTP sections are omitted # ....... ssl: address: '0.0.0.0:443' # ACME section # # TLS provider acme: # directory to store your certificate and key from the LE # # Default: rr_cache_dir cache_dir: rr_le_certs # Your email # # Mandatory. Error on empty. email: you-email-here@email # Alternate port for the HTTP challenge (make sure, that you redirected traffic to the specified port from 80) # # Default: 80 alt_http_port: 80 # Alternate port for the TLS-ALPN challenge (make sure, that you redirected traffic to the specified port from 443) # # Default: 443 alt_tlsalpn_port: 443 # Challenge type to use # # Default: http-01 challenge_type: http-01 # Use staging or production endpoint # # Would be a good practice to test your setup, before obtaining a real certificate use_production_endpoint: false # List of your domains # # Mandatory. Error on empty domains: - your-cool-domains.here # other HTTP sections are omitted # ........ ``` {% endcode %} ### mTLS To enable [mTLS](https://www.cloudflare.com/en-gb/learning/access-management/what-is-mutual-tls/) use the following configuration: {% code title=".rr.yaml" %} ```yaml http: pool: num_workers: 1 max_jobs: 0 allocate_timeout: 60s destroy_timeout: 60s ssl: address: :8895 key: "server-key.pem" cert: "server-cert.pem" root_ca: "rootCA.pem" client_auth_type: require_and_verify_client_cert ``` {% endcode %} **Options for the `client_auth_type` are:** * `request_client_cert` * `require_any_client_cert` * `verify_client_cert_if_given` * `require_and_verify_client_cert` * `no_client_certs` ### Redirecting HTTP to HTTPS To enable an automatic redirect from `http://` to `https://` set `redirect` option to `true` (disabled by default). ### Root certificate authority support Root CA supported by the option in `.rr.yaml` {% code title=".rr.yaml" %} ```yaml version: "3" http: ssl: root_ca: root.crt ``` {% endcode %} ## HTTP/2 You can enable HTTP/2 support by adding the `http2` section to the `http` config. {% code title=".rr.yaml" %} ```yaml version: "3" http: address: 127.0.0.1:8080 http2: h2c: false max_concurrent_streams: 128 ``` {% endcode %} ### Upgrade connection from `HTTP/1.1` to `H2C` \[`v2.10.2`] Connection might be upgraded from the `http/1.1` to `h2c`: [rfc7540](https://datatracker.ietf.org/doc/html/rfc7540#section-3.4) **Headers, which should be sent to upgrade connection:** 1. `Upgrade`: `h2c` 2. `Connection`: `HTTP2-Settings` 3. `Connection`: `Upgrade` 4. `HTTP2-Settings`: `AAMAAABkAARAAAAAAAIAAAAA` [RFC](https://datatracker.ietf.org/doc/html/rfc7540#section-3.2.1) ### HTTP/2 Push Resources RoadRunner supports [HTTP/2 push](https://en.wikipedia.org/wiki/HTTP/2_Server_Push) via virtual headers provided by the PHP response. {% code title="script.php" %} ```php return $response->withAddedHeader('http2-push', '/test.js'); ``` {% endcode %} Note that the path of the resource must be related to the public application directory and must include `/` at the beginning. {% hint style="info" %} HTTP/2 push only works under HTTPS with the `static` service enabled. {% endhint %} ### H2C You can enable HTTP/2 support over non-encrypted TCP connection using H2C: {% code title=".rr.yaml" %} ```yaml version: "3" http: http2.h2c: true ``` {% endcode %} ## FastCGI FastCGI frontend support is available inside the HTTP module; you can enable it (disabled by default): {% code title=".rr.yaml" %} ```yaml version: "3" http: fcgi: # FastCGI connection DSN. Supported TCP and Unix sockets. address: tcp://0.0.0.0:6920 ``` {% endcode %} ## HTTP/3 HTTP/3 support is experimental and might change in the future. Docs are available in the [experimental](https://docs.roadrunner.dev/docs/experimental-features/experimental) section. ## Overriding HTTP default error code {% code title=".rr.yaml" %} ```yaml version: "3" http: # Override HTTP error code for internal RR errors (default: 500) internal_error_code: 505 ``` {% endcode %} The `http.internal_error_code` is used for `SoftJob`, allocation, TTL, network, and similar errors. For example, a load balancer might require a different code, so you may override the default. ## Middleware order Since all middleware components are independent, they can remove or update headers set by the [previous one](https://github.com/roadrunner-server/roadrunner/issues/1501). **Note that the request (imagine) comes from the right:** {% code title=".rr.yaml" %} ```yaml http: middleware: # RESPONSE FROM HERE --> [ "static", "gzip", "sendfile" ] # <-- REQUEST COMES FROM HERE ``` {% endcode %} So in this case, the request gets into the `sendfile` middleware, then `gzip`, and `static`. And vice versa from the response. ## Request queues RR has an internal queue for requests. The `allocate_timeout` is used to assign a worker to a request. If your worker runs for 1 minute but `allocate_timeout` is 30 seconds, after this timeout RR will start rejecting the first request in the queue, then another 30 seconds for the second, and so on. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.roadrunner.dev/docs/http/http.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.