Update man pages

e6ae681f · Tatsuhiro Tsujikawa · 7e681dc9 · e6ae681f · e6ae681f · e6ae681f
Commit e6ae681f authored Oct 09, 2016 by Tatsuhiro Tsujikawa
6 changed files
--- a/doc/h2load.1
+++ b/doc/h2load.1
 .\" Man page generated from reStructuredText.
 .
-.TH "H2LOAD" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2"
+.TH "H2LOAD" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2"
 .SH NAME
 h2load \- HTTP/2 benchmarking tool
 .

--- a/doc/h2load.1.rst
+++ b/doc/h2load.1.rst
@@ -74,14 +74,14 @@ OPTIONS
 .. option:: -w, --window-bits=<N>

    Sets the stream level initial window size to (2\*\*<N>)-1.
-    For SPDY, 2**<N> is used instead.
+    For SPDY, 2\*\*<N> is used instead.

    Default: ``30``

 .. option:: -W, --connection-window-bits=<N>

    Sets  the  connection  level   initial  window  size  to
-    (2**<N>)-1.  For SPDY, if <N>  is strictly less than 16,
+    (2\*\*<N>)-1.  For SPDY, if <N>  is strictly less than 16,
    this option  is ignored.   Otherwise 2\*\*<N> is  used for
    SPDY.


--- a/doc/nghttp.1
+++ b/doc/nghttp.1
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTP" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2"
+.TH "NGHTTP" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2"
 .SH NAME
 nghttp \- HTTP/2 client
 .

--- a/doc/nghttpd.1
+++ b/doc/nghttpd.1
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPD" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2"
+.TH "NGHTTPD" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2"
 .SH NAME
 nghttpd \- HTTP/2 server
 .

--- a/doc/nghttpx.1
+++ b/doc/nghttpx.1
 .\" Man page generated from reStructuredText.
 .
-.TH "NGHTTPX" "1" "Oct 08, 2016" "1.16.0-DEV" "nghttp2"
+.TH "NGHTTPX" "1" "Oct 09, 2016" "1.16.0-DEV" "nghttp2"
 .SH NAME
 nghttpx \- HTTP/2 proxy
 .
@@ -55,7 +55,7 @@ The options are categorized into several groups.
 .SS Connections
 .INDENT 0.0
 .TP
-.B \-b, \-\-backend=(<HOST>,<PORT>|unix:<PATH>)[;[<PATTERN>[:...]][[;PARAM]...]
+.B \-b, \-\-backend=(<HOST>,<PORT>|unix:<PATH>)[;[<PATTERN>[:...]][[;<PARAM>]...]
 Set  backend  host  and   port.   The  multiple  backend
 addresses are  accepted by repeating this  option.  UNIX
 domain socket  can be  specified by prefixing  path name
@@ -183,7 +183,7 @@ Default: \fB127.0.0.1,80\fP
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-f, \-\-frontend=(<HOST>,<PORT>|unix:<PATH>)[[;PARAM]...]
+.B \-f, \-\-frontend=(<HOST>,<PORT>|unix:<PATH>)[[;<PARAM>]...]
 Set  frontend  host and  port.   If  <HOST> is  \(aq*\(aq,  it
 assumes  all addresses  including  both  IPv4 and  IPv6.
 UNIX domain  socket can  be specified by  prefixing path
@@ -542,12 +542,21 @@ password protected it\(aqll be requested interactively.
 .UNINDENT
 .INDENT 0.0
 .TP
-.B \-\-subcert=<KEYPATH>:<CERTPATH>
+.B \-\-subcert=<KEYPATH>:<CERTPATH>[[;<PARAM>]...]
 Specify  additional certificate  and  private key  file.
 nghttpx will  choose certificates based on  the hostname
 indicated  by  client  using TLS  SNI  extension.   This
 option  can  be  used  multiple  times.   To  make  OCSP
 stapling work, <CERTPATH> must be absolute path.
+.sp
+Additional parameter  can be specified in  <PARAM>.  The
+available <PARAM> is "sct\-dir=<DIR>".
+.sp
+"sct\-dir=<DIR>"  specifies the  path to  directory which
+contains        *.sct        files        for        TLS
+signed_certificate_timestamp extension (RFC 6962).  This
+feature   requires   OpenSSL   >=   1.0.2.    See   also
+\fI\%\-\-tls\-sct\-dir\fP option.
 .UNINDENT
 .INDENT 0.0
 .TP
@@ -790,6 +799,18 @@ Allow black  listed cipher  suite on  HTTP/2 connection.
 See  \fI\%https://tools.ietf.org/html/rfc7540#appendix\-A\fP  for
 the complete HTTP/2 cipher suites black list.
 .UNINDENT
+.INDENT 0.0
+.TP
+.B \-\-tls\-sct\-dir=<DIR>
+Specifies the  directory where  *.sct files  exist.  All
+*.sct   files   in  <DIR>   are   read,   and  sent   as
+extension_data of  TLS signed_certificate_timestamp (RFC
+6962)  to  client.   These   *.sct  files  are  for  the
+certificate   specified   in   positional   command\-line
+argument <CERT>, or  certificate option in configuration
+file.   For   additional  certificates,   use  \fI\%\-\-subcert\fP
+option.  This option requires OpenSSL >= 1.0.2.
+.UNINDENT
 .SS HTTP/2 and SPDY
 .INDENT 0.0
 .TP
@@ -1536,6 +1557,19 @@ If \fI\%\-\-tls\-ticket\-key\-file\fP is given, encryption key is read
 from the given file.  In this case, nghttpx does not rotate key
 automatically.  To rotate key, one has to restart nghttpx (see
 SIGNALS).
+.SH CERTIFICATE TRANSPARENCY
+.sp
+nghttpx supports TLS \fBsigned_certificate_timestamp\fP extension (\fI\%RFC
+6962\fP).  The relevant options
+are \fI\%\-\-tls\-sct\-dir\fP and \fBsct\-dir\fP parameter in
+\fI\%\-\-subcert\fP\&.  They takes a directory, and nghttpx reads all
+files whose extension is \fB\&.sct\fP under the directory.  The \fB*.sct\fP
+files are encoded as \fBSignedCertificateTimestamp\fP struct described
+in \fI\%section 3.2 of RFC 69662\fP\&.  This format is
+the same one used by \fI\%nginx\-ct\fP and \fI\%mod_ssl_ct\fP\&.
+\fI\%ct\-submit\fP can be
+used to submit certificates to log servers, and obtain the
+\fBSignedCertificateTimestamp\fP struct which can be used with nghttpx.
 .SH MRUBY SCRIPTING
 .sp
 \fBWARNING:\fP

--- a/doc/nghttpx.1.rst
+++ b/doc/nghttpx.1.rst
@@ -37,7 +37,7 @@ The options are categorized into several groups.
 Connections
 ~~~~~~~~~~~

-.. option:: -b, --backend=(<HOST>,<PORT>|unix:<PATH>)[;[<PATTERN>[:...]][[;PARAM]...]
+.. option:: -b, --backend=(<HOST>,<PORT>|unix:<PATH>)[;[<PATTERN>[:...]][[;<PARAM>]...]


    Set  backend  host  and   port.   The  multiple  backend
@@ -70,7 +70,7 @@ Connections

    Host  can  include "\*"  in  the  left most  position  to
    indicate  wildcard match  (only suffix  match is  done).
-    The "*" must match at least one character.  For example,
+    The "\*" must match at least one character.  For example,
    host    pattern    "\*.nghttp2.org"    matches    against
    "www.nghttp2.org"  and  "git.ngttp2.org", but  does  not
    match  against  "nghttp2.org".   The exact  hosts  match
@@ -166,7 +166,7 @@ Connections

    Default: ``127.0.0.1,80``

-.. option:: -f, --frontend=(<HOST>,<PORT>|unix:<PATH>)[[;PARAM]...]
+.. option:: -f, --frontend=(<HOST>,<PORT>|unix:<PATH>)[[;<PARAM>]...]

    Set  frontend  host and  port.   If  <HOST> is  '\*',  it
    assumes  all addresses  including  both  IPv4 and  IPv6.
@@ -496,7 +496,7 @@ SSL/TLS
    private key.   If none is  given and the private  key is
    password protected it'll be requested interactively.

-.. option:: --subcert=<KEYPATH>:<CERTPATH>
+.. option:: --subcert=<KEYPATH>:<CERTPATH>[[;<PARAM>]...]

    Specify  additional certificate  and  private key  file.
    nghttpx will  choose certificates based on  the hostname
@@ -504,6 +504,15 @@ SSL/TLS
    option  can  be  used  multiple  times.   To  make  OCSP
    stapling work, <CERTPATH> must be absolute path.

+    Additional parameter  can be specified in  <PARAM>.  The
+    available <PARAM> is "sct-dir=<DIR>".
+
+    "sct-dir=<DIR>"  specifies the  path to  directory which
+    contains        \*.sct        files        for        TLS
+    signed_certificate_timestamp extension (RFC 6962).  This
+    feature   requires   OpenSSL   >=   1.0.2.    See   also
+    :option:`--tls-sct-dir` option.
+
 .. option:: --dh-param-file=<PATH>

    Path to file that contains  DH parameters in PEM format.
@@ -719,6 +728,17 @@ SSL/TLS
    See  https://tools.ietf.org/html/rfc7540#appendix-A  for
    the complete HTTP/2 cipher suites black list.

+.. option:: --tls-sct-dir=<DIR>
+
+    Specifies the  directory where  \*.sct files  exist.  All
+    \*.sct   files   in  <DIR>   are   read,   and  sent   as
+    extension_data of  TLS signed_certificate_timestamp (RFC
+    6962)  to  client.   These   \*.sct  files  are  for  the
+    certificate   specified   in   positional   command-line
+    argument <CERT>, or  certificate option in configuration
+    file.   For   additional  certificates,   use  :option:`--subcert`
+    option.  This option requires OpenSSL >= 1.0.2.
+

 HTTP/2 and SPDY
 ~~~~~~~~~~~~~~~
@@ -1083,7 +1103,7 @@ HTTP
    Set file path  to custom error page  served when nghttpx
    originally  generates  HTTP  error status  code  <CODE>.
    <CODE> must be greater than or equal to 400, and at most
-    599.  If "*"  is used instead of <CODE>,  it matches all
+    599.  If "\*"  is used instead of <CODE>,  it matches all
    HTTP  status  code.  If  error  status  code comes  from
    backend server, the custom error pages are not used.

@@ -1407,6 +1427,24 @@ from the given file.  In this case, nghttpx does not rotate key
 automatically.  To rotate key, one has to restart nghttpx (see
 SIGNALS).

+CERTIFICATE TRANSPARENCY
+------------------------
+
+nghttpx supports TLS ``signed_certificate_timestamp`` extension (`RFC
+6962 <https://tools.ietf.org/html/rfc6962>`_).  The relevant options
+are :option:`--tls-sct-dir` and ``sct-dir`` parameter in
+:option:`--subcert`.  They takes a directory, and nghttpx reads all
+files whose extension is ``.sct`` under the directory.  The ``*.sct``
+files are encoded as ``SignedCertificateTimestamp`` struct described
+in `section 3.2 of RFC 69662
+<https://tools.ietf.org/html/rfc6962#section-3.2>`_.  This format is
+the same one used by `nginx-ct
+<https://github.com/grahamedgecombe/nginx-ct>`_ and `mod_ssl_ct
+<https://httpd.apache.org/docs/trunk/mod/mod_ssl_ct.html>`_.
+`ct-submit <https://github.com/grahamedgecombe/ct-submit>`_ can be
+used to submit certificates to log servers, and obtain the
+``SignedCertificateTimestamp`` struct which can be used with nghttpx.
+
 MRUBY SCRIPTING
 ---------------