HTTP/2 and TLS¶
SWS provides HTTP/2 protocol and TLS support.
This feature is disabled by default and can be activated via the boolean -t, --http2 option as well as string arguments --http2-tls-cert (TLS certificate file path) and --http2-tls-key (private key file path).
Safe TLS defaults¶
SWS ships with safe TLS defaults for the underlying cryptography, inherited from Rustls:
- Cipher suites:
  - TLS 1.3: TLS13_AES_256_GCM_SHA384, TLS13_AES_128_GCM_SHA256, TLS13_CHACHA20_POLY1305_SHA256
  - TLS 1.2: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- Key exchange groups: X25519, SECP256R1 and SECP384R1
- Protocol versions: TLS 1.2 and 1.3
Every suite in the list is an AEAD suite (AES-GCM or ChaCha20-Poly1305) with ephemeral ECDH key exchange, so connections have forward secrecy and no CBC, RC4, static RSA or static DH suites are offered; TLS 1.0 and 1.1 are not offered at all, so clients limited to those versions cannot connect. These defaults are safe and useful for most use cases. See Rustls safe defaults for more details.
Private key file formats¶
Only the following private key file formats are supported. The file given to --http2-tls-key is read as PEM, and the PEM block must carry one of these encodings:
- RSA Private Key: a DER-encoded plaintext RSA private key as specified in PKCS#1/RFC 3447 (PEM label RSA PRIVATE KEY).
- PKCS8 Private Key: a DER-encoded plaintext private key as specified in PKCS#8/RFC 5958 (PEM label PRIVATE KEY).
- EC Private Key: a SEC 1-encoded plaintext private key as specified in RFC 5915 (PEM label EC PRIVATE KEY).
"Plaintext" means unencrypted: passphrase-protected keys (PEM label ENCRYPTED PRIVATE KEY, or a legacy OpenSSL block carrying a Proc-Type: 4,ENCRYPTED header) are not on this list and must be decrypted before the server can load them.
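The pre-flight check below is an added example and is not part of SWS or its documentation. It classifies the file you intend to pass as --http2-tls-key by its PEM label against the three supported formats, rejects the encrypted variants that the list excludes, and counts the CERTIFICATE blocks in the --http2-tls-cert file. The function names sws_key_format and sws_cert_count, and the sample files it constructs (placeholder base64 bodies, not real key material), are this example's own assumptions; it inspects labels only, so it runs offline without OpenSSL but cannot validate the key material itself.

```sh
#!/bin/sh
# Added example, not part of SWS: pre-flight checks for the files handed to
# --http2-tls-key and --http2-tls-cert. Only PEM labels are inspected, so this
# needs no OpenSSL and works offline; it does not validate the key material.

# sws_key_format FILE
# Prints the format SWS would load the key as: rsa-pkcs1, pkcs8 or ec-sec1.
# Returns 1 with a reason on stderr for anything the documented list excludes
# (encrypted keys, raw DER files, unknown PEM labels).
sws_key_format() {
    f=$1
    [ -r "$f" ] || { echo "sws_key_format: cannot read $f" >&2; return 1; }
    # Legacy OpenSSL encryption announces itself with a header inside the block.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "sws_key_format: $f is a passphrase-protected legacy PEM; decrypt it first" >&2
        return 1
    fi
    # First "-----BEGIN ... PRIVATE KEY-----" label; CRs stripped so CRLF files work
    # and CERTIFICATE blocks in the same file are skipped.
    label=$(tr -d '\r' < "$f" | sed -n 's/^-----BEGIN \(.*PRIVATE KEY\)-----$/\1/p' | head -n 1)
    case "$label" in
        "RSA PRIVATE KEY")       echo rsa-pkcs1 ;;   # PKCS#1 / RFC 3447
        "PRIVATE KEY")           echo pkcs8 ;;       # PKCS#8 / RFC 5958, unencrypted
        "EC PRIVATE KEY")        echo ec-sec1 ;;     # SEC 1 / RFC 5915
        "ENCRYPTED PRIVATE KEY")
            echo "sws_key_format: $f is an encrypted PKCS#8 key; SWS needs the plaintext form" >&2
            return 1 ;;
        "")
            echo "sws_key_format: no PEM private-key block in $f (raw DER or wrong file?)" >&2
            return 1 ;;
        *)
            echo "sws_key_format: unsupported PEM label '$label' in $f" >&2
            return 1 ;;
    esac
}

# sws_cert_count FILE
# Prints how many CERTIFICATE blocks the certificate file contains and fails
# if there are none. A leaf plus its intermediates is normally more than one.
sws_cert_count() {
    n=$(tr -d '\r' < "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || :)
    [ "$n" -gt 0 ] || { echo "sws_cert_count: no CERTIFICATE block in $1" >&2; return 1; }
    echo "$n"
}

# Demo on constructed files (the base64 bodies are placeholders, not real keys).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n' > "$demo_dir/ec.key"
printf -- '-----BEGIN PRIVATE KEY-----\r\nAAAA\r\n-----END PRIVATE KEY-----\r\n' > "$demo_dir/pkcs8-crlf.key"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n' > "$demo_dir/legacy-enc.key"
printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$demo_dir/fullchain.cert"
for k in "$demo_dir"/*.key; do
    if fmt=$(sws_key_format "$k"); then
        echo "accept  $k -> $fmt"
    else
        echo "reject  $k"
    fi
done
echo "certificates in fullchain.cert: $(sws_cert_count "$demo_dir/fullchain.cert")"
rm -rf "$demo_dir"
```

Run it against the real files before starting the server: a key rejected here will not load at startup either. If the key is passphrase-protected, the standard OpenSSL command `openssl pkcs8 -topk8 -nocrypt -in encrypted.key -out plain.key` (an OpenSSL feature, not something SWS provides) prompts for the passphrase and writes the plaintext PKCS#8 form that the list above accepts; restrict the permissions of the decrypted file, since it now protects every session the server terminates.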
Example¶
Tips
- --host, --port and --root have default values (they are optional), so they can be specified or omitted as required.
- Don't forget to adjust the --port value for the HTTP/2 & TLS feature: the port is not switched automatically when --http2 is enabled.
- When this feature is enabled (--http2=true) the security headers are also enabled automatically.
- The server provides Termination Signal handling with Graceful Shutdown ability by default.
```sh
static-web-server \
  --host 127.0.0.1 \
  --port 8787 \
  --root ./my-public-dir \
  --http2 true \
  --http2-tls-cert ./my-tls.cert \
  --http2-tls-key ./my-tls.key
```