wt_config.xml

1. <!--
2.    Wt Configuration File.
3.  
4.    The Wt configuration file manages, for every Wt application, settings
5.    for session management, debugging, directory for runtime information
6.    such as session sockets, and some security settings.
7.  
8.    Settings may be specified globally, or for a single application path.
9.  
10.    The path should be as configured in the Wt build process, where it
11.    defaults to /etc/wt/wt_config.xml. It can be overridden in the environment
12.    variable WT_CONFIG_XML, or with the -c startup option of wthttpd.
13.  
14.    The values listed here are the default values, which are used when the
15.    declaration is missing or no configuration file is used.
16.  -->
17.  
18. <server>
19.  
20.     <!-- Default application settings
21.  
22.      The special location "*" always matches. See below for an example
23.      of settings specific to a single application.
24.      -->
25.     <application-settings location="*">
26.  
27.         <!-- Session management. -->
28.         <session-management>
29.             <!-- Every session runs within a dedicated process.
30.  
31.               This mode guarantees kernel-level session privacy, but as every
32.               session requires a seperate process, it is also an easy target
33.               for DoS attacks if not shielded by access control.
34.  
35.               It is also a convenient mode during development, as it is easy
36.               to enable disable debugging using valgrind, and it always starts
37.               the latest deployed executable for a new session.
38.          
39.               Note: currently only supported using the FastCGI connector
40.              -->
41.             <!--
42.               <dedicated-process>
43.                 <max-num-sessions>100</max-num-sessions>
44.               </dedicated-process>
45.            -->
46.  
47.             <!-- Multiple sessions within one process.
48.  
49.               This mode spawns a number of processes, and sessions are
50.               allocated randomly to one of these processes (you should not
51.               use this for dynamic FCGI servers, but only in conjunction
52.               with a fixed number of static FCGI servers.
53.  
54.               This requires careful programming, as memory corruption in one
55.               session will kill all of the sessions in the same process. You
56.               should debug extensively using valgrind. Also, it is your
57.               responsibility to keep session state not interfering and
58.               seperated.
59.  
60.               On the other hand, sessions are inexpensive, and this mode
61.               suffers far less from DoS attacks than dedicated-process mode.
62.               Use it for non-critical and well-debugged web applications.
63.  
64.               Note: wthttpd always uses exactly one process
65.              -->
66.  
67.  
68.             <shared-process>
69.                 <num-processes>1</num-processes>
70.             </shared-process>
71.  
72.  
73.             <!-- Session tracking strategy.
74.  
75.               Possible values:
76.                 Auto: cookies is available, otherwise URL rewriting
77.                 URL:  only URL rewriting
78.              -->
79.             <tracking>Auto</tracking>
80.  
81.             <!-- How reload should be handled.
82.  
83.               When reload should (or rather, may) spawn a new session, then
84.               even in the case cookies are not used for session management,
85.               the URL will not be cluttered with a sessionid.
86.               However, WApplication::refresh() will never be called.
87.              -->
88.             <reload-is-new-session>false</reload-is-new-session>
89.  
90.             <!-- Session timeout (seconds).
91.  
92.               When a session remains inactive for this amount of time, it is
93.               cleaned up.
94.              -->
95.             <timeout>600</timeout>
96.  
97.             <!-- Server push timeout (seconds).
98.  
99.               When using server-initiated updates, the client uses
100.               long-polling requests. Proxies (including reverse
101.               proxies) are notorious for silently closing idle
102.               requests; the client therefore cancels the request
103.               periodically and issues a new one. This timeout sets
104.               the frequency.
105.              -->
106.             <server-push-timeout>50</server-push-timeout>
107.         </session-management>
108.  
109.         <!-- Settings that apply only to the FastCGI connector.
110.  
111.           To configure the wthttpd connector, use command line options, or
112.           configure default options in /etc/wt/wthttpd
113.          -->
114.         <connector-fcgi>
115.             <!-- Valgrind path
116.  
117.               If debugging is enabled and this path is not empty, then valgrind
118.               will be started for every shared process, or for every session
119.               which has ?debug appended to the command line.
120.  
121.               The variable is slighly misnamed. Not only a path can be set,
122.               but also options, like for example:
123.  
124.                 /usr/bin/valgrind - -leak-check=full
125.             -->
126.             <valgrind-path></valgrind-path>
127.  
128.             <!-- Run directory
129.  
130.               Path used by Wt to do session management.
131.              -->
132.             <run-directory>${RUNDIR}</run-directory>
133.  
134.             <!-- Number of threads per process
135.  
136.               This configures the size of the thread pool. You may
137.               want to change this value if you would like to support
138.               reentrant event loops, where you block one event loop
139.               using WDialog::exec() or related static
140.               methods. Everytime you enter such an event loop, one
141.               thread is blocked, and therefore the total number of
142.               sessions that reliably can do this is limited to the
143.               number of thread you have (minus one to unblock).
144.  
145.               For the built-in http connector, there is a similar
146.               config option that is specified in the whttpd config
147.               file or on the command line (-t).
148.  
149.               The default value is 1.
150.              -->
151.             <num-threads>1</num-threads>
152.  
153.         </connector-fcgi>
154.  
155.         <!-- Settings that apply only to the MS IIS ISAPI connector.
156.  
157.           To configure the wthttpd connector, use command line options, or
158.           configure default options in /etc/wt/wthttpd
159.          -->
160.         <connector-isapi>
161.             <!-- Number of threads per process
162.  
163.               This configures the number of threads that will be used
164.               to handle Wt requests. The IIS internal threads are never
165.               used to do any processing; all requests are forwarded to
166.               be handled in this threadpool. Rather than to configure a
167.               so-called 'web-garden' in IIS, increase this number. The
168.               ISAPI connector will not work correctly when a web-garden
169.               is configured.
170.  
171.               You may want to change this value if you would like to
172.               support more reentrant event loops, where you block one
173.               event loop using WDialog::exec() or related static
174.               methods. Everytime you enter such an event loop, one
175.               thread is blocked, and therefore the total number of
176.               sessions that reliably can do this is limited to the
177.               number of thread you have (minus one to unblock).
178.  
179.               You may also want to increase this number if your Wt
180.               application is regularly waiting for IO (databases, network,
181.               files, ...). If this number is too low, all threads could
182.               be waiting for IO operations to complete while your CPU
183.               is idle. Increasing the number of threads may help.
184.  
185.               Computing intensive applications may also increase this number,
186.               even though it is better to offload computations to a helper
187.               thread and user server push or a WTimer to check for
188.               completion of the task in order to keep your GUI responsive
189.               during the computations.
190.  
191.               The default value is 10.
192.              -->
193.             <num-threads>10</num-threads>
194.  
195.             <!-- Maximum Request Size spooled in memory (Kb)
196.        
197.               Normally, Wt keeps incoming requests (POST data) in memory.
198.               However, malicious users could send a big POST and as such
199.               use up all memory of your HTTP server. With this parameter,
200.               you tune how big a request can be before Wt spools it in a
201.               file before processing it. Legitimate big POST messages may
202.               occur when users are expected to upload files.
203.  
204.               See also max-request-size.
205.  
206.               The default value is 128K, which is more than enough for
207.               any interactive Wt event.
208.              -->
209.             <max-memory-request-size>128</max-memory-request-size>
210.         </connector-isapi>
211.  
212.         <!-- Javascript debug options
213.  
214.             Values:
215.             - true: JavaScript errors are not caught but the browser
216.                     built-in debug options are used
217.             - stack: JavaScript errors are caught but also a stack trace
218.                      is printed, useful for diagnosing a problem in production
219.             - false: JavaScript errors are caught and a simple error message
220.                      is printed to indicate that something is terribly wrong
221.          -->
222.         <debug>true</debug>
223.  
224.         <!-- Log file
225.  
226.           When the log file is empty, or omitted, logging is done to
227.           stderr. This may end up in the web server error log file
228.           (e.g. for apache + fastcgi module), or on stderr (e.g. for
229.           the built-in httpd).
230.         -->
231.         <log-file></log-file>
232.  
233.         <!-- Logger configuration
234.  
235.           This configures the logger. With the default configuration,
236.           everything except for debugging messages are logged.
237.  
238.           The configuration is a string that defines rules for
239.           enabling or disabling certain logging. It is a white-space
240.           delimited list of rules, and each rule is of the form:
241.  
242.             [-]level : enables (or disables) logging of messages of
243.             the given level; '*' is a wild-card that matches all
244.             levels
245.  
246.             [-]level:scope : enables (or disables) logging of
247.             messages of the given level and scope; '*' is a wild-card
248.             that matches all levels or scopes.  The default
249.             configuration is "* -debug", i.e. by default everything
250.             is logged, except for "debug" messages.
251.  
252.           Some other examples:
253.  
254.             "* -debug debug:wthttp": logs everything, including
255.             debugging messages of scope "wthttp", but no other
256.             debugging messages.
257.  
258.             "* -info -debug": disables logging of info messages
259.             in addition to debugging messages.
260.  
261.           Note debugging messages are only emitted when debugging
262.           has been enabled while building Wt.
263.          -->
264.         <log-config>* -debug</log-config>
265.  
266.         <!-- Maximum HTTP request size (Kb)
267.  
268.           Maximum size of an incoming POST request. This value must be
269.           increased when the user is allowed to upload files.
270.         -->
271.         <max-request-size>40960</max-request-size>
272.  
273.         <!-- Session id length (number of characters) -->
274.         <session-id-length>16</session-id-length>
275.  
276.         <!-- DoS prevention: limit plain HTML sessions
277.  
278.           This is a simple measure which avoids Denial-of-Service
279.           attacks on plain HTML sessions, which are easy to mount in
280.           particular in the case of progressive bootstrap mode.
281.  
282.           This setting may be used to keep the ratio of plain HTML
283.           versus Ajax sessions under a certain ratio. Typically, most
284.           of your sessions will be Ajax sessions, and only a tiny
285.           fraction (e.g. less than 5%) will be plain HTML
286.           sessions. This ratio is only enforced when more than 20 sessions
287.           have been created.
288.          -->
289.         <plain-ajax-sessions-ratio-limit>1</plain-ajax-sessions-ratio-limit>
290.  
291.         <!-- DoS prevention: adds a puzzle to validate Ajax sessions
292.  
293.           This is a simple measure which avoids Denial-of-Service
294.           attacks on Ajax sessions.
295.  
296.           When enabled, a puzzle needs to be solved in the first Ajax
297.           request which eliminates agents that do not build a proper
298.           DOM tree.
299.          -->
300.         <ajax-puzzle>false</ajax-puzzle>
301.  
302.         <!-- Do strict serialization of events.
303.  
304.           By default events are queued at the client-side, and
305.           transmitted to the server so that at any time only one
306.           request/response is pending. This scheme has a quality that
307.           resembles TCP: on a low-latency link you allow the
308.           transmission of many smaller requests, while on a high
309.           latency link, events will be propagated less often, but in
310.           batches.
311.  
312.           In any case, this scheme does not drop events, no matter
313.           how quickly they are generated.
314.  
315.           In rare cases, the scheme may result in unwanted behaviour,
316.           because the client-side is allowed to be slighly out of
317.           sync at the time an event is recorded with the server-side
318.           (and more so on high-latency links). The drastic
319.           alternative is to discard events while a response is
320.           pending, and can be configured by setting this option to
321.           true.
322.          -->
323.         <strict-event-serialization>false</strict-event-serialization>
324.  
325.         <!-- Enables web socket.
326.  
327.           By default Ajax and long polling are used to communicate
328.           between server and browser.
329.  
330.           By enabling web socket support, if the browser supports
331.           WebSockets, then WebSocket is the protocol used for
332.           communication between client and server. WebSockets are
333.           currently only supported by the built-in httpd Connector,
334.           which acts as both an HTTP and WebSocket server. The WebSocket
335.           protocol is intentionally not compatible with HTTP, through
336.           a special hand-shake mechanism, and requires
337.           that all (reverse) proxy servers also have explicit support
338.           for this protocol.
339.  
340.           This feature is still experimental: the Web Sockets RFC is
341.           still a draft. Wt implements up to version 17 of the draft
342.           (latest as of November 2011).
343.          -->
344.         <web-sockets>false</web-sockets>
345.  
346.         <!-- Redirect message shown for browsers without JavaScript support
347.  
348.           By default, Wt will use an automatic redirect to start the
349.           application when the browser does not support
350.           JavaScript. However, browsers are not required to follow
351.           the redirection, and in some situations (when using XHTML),
352.           such automatic redirection is not supported.
353.  
354.           This configures the text that is shown in the anchor which
355.           the user may click to be redirected to a basic HTML version
356.           of your application.
357.          -->
358.         <redirect-message>Load basic HTML</redirect-message>
359.  
360.         <!-- Whether we are sitting behind a reverse proxy
361.  
362.           When deployed behind a reverse proxy (such as Apache or Squid),
363.           the server location is not read from the "Host" header,
364.           but from the X-Forwarded-For header, if present.
365.          -->
366.         <behind-reverse-proxy>true</behind-reverse-proxy>
367.  
368.         <!-- Whether inline CSS is allowed.
369.  
370.           Some Wt widgets will insert CSS rules in the the inline
371.           stylesheet when first used. This can be disabled using this
372.           configuration option.
373.  
374.           Note: some widgets, such as WTreeView and WTableView,
375.           dynamically manipulate rules in this stylesheet, and will
376.           no longer work properly when inline-css is disabled.
377.          -->
378.         <inline-css>true</inline-css>
379.  
380.         <!-- The timeout before showing the loading indicator.
381.  
382.           The value is specified in ms.
383.          -->
384.         <indicator-timeout>500</indicator-timeout>
385.  
386.         <!-- The timeout for processing a double click event.
387.  
388.           The value is specified in ms.
389.          -->
390.         <double-click-timeout>200</double-click-timeout>
391.  
392.         <!-- Ajax user agent list
393.  
394.           Wt considers three types of sessions:
395.           - Ajax sessions: use Ajax and JavaScript
396.           - plain HTML sessions: use plain old server GETs and POSTs
397.           - bots: have clean internal paths and no persistent sessions
398.  
399.           By default, Wt does a browser detection to distinguish between
400.           the first two: if a browser supports JavaScript (and has it
401.           enabled), and has an Ajax DOM API, then Ajax sessions are chosen,
402.           otherwise plain HTML sessions.
403.  
404.           Here, you may indicate which user agents should or should
405.           not receive an Ajax session regardless of what they report as
406.           capabilities.
407.  
408.           Possible values for 'mode' or "white-list" or "black-list". A
409.           white-list will only treat the listed agents as supporting Ajax,
410.           all other agents will be served plain HTML sessions. A black-list
411.           will always server plain HTML sessions to listed agents and
412.           otherwise rely on browser capability detection.
413.  
414.           Each <user-agent> is a regular expression.
415.          -->
416.         <user-agents type="ajax" mode="black-list">
417.           <!-- <user-agent>.*Crappy browser.*</user-agent> -->
418.         </user-agents>
419.  
420.         <!-- Bot user agent list
421.  
422.           Here, you can specify user agents that should be should be
423.           treated as bots.
424.  
425.           Each <user-agent> is a regular expression.
426.          -->
427.         <user-agents type="bot">
428.           <user-agent>.*Googlebot.*</user-agent>
429.           <user-agent>.*msnbot.*</user-agent>
430.           <user-agent>.*Slurp.*</user-agent>
431.           <user-agent>.*Crawler.*</user-agent>
432.           <user-agent>.*Bot.*</user-agent>
433.           <user-agent>.*ia_archiver.*</user-agent>
434.           <user-agent>.*Twiceler.*</user-agent>
435.         </user-agents>
436.  
437.         <!-- Configures different rendering engines for certain browsers.
438.  
439.           Currently this is only used to select IE7 compatible rendering
440.           engine for IE8, which solves problems of unreliable and slow
441.           rendering performance for VML which Microsoft broke in IE8.
442.  
443.           Before 3.3.0, the default value was IE8=IE7, but since 3.3.0
444.           this has been changed to an empty string (i.e. let IE8 use the
445.           standard IE8 rendering engine) to take advantage of IE8's
446.           improved CSS support. If you make heavy use of VML, you may need
447.           to revert to IE8=IE7.
448.          -->
449.         <UA-Compatible></UA-Compatible>
450.  
451.         <!-- Configures whether the progressive bootstrap method is used.
452.  
453.           The default bootstrap method first senses whether there is Ajax
454.           support, and only then creates the application.
455.  
456.           The progressive bootstrap method first renders a plain HTML
457.           version and later upgrades to an Ajax version.
458.  
459.           (Not to be confused with the Twitter Bootstrap theme)
460.          -->
461.         <progressive-bootstrap>true</progressive-bootstrap>
462.  
463.         <!-- Set session-ID cookie
464.  
465.           In its default (and recommended) configuration, Wt does not
466.           rely on cookies for session tracking.
467.  
468.           Wt has several mechanisms in place to prevent session ID stealing:
469.           - for an Ajax session, the session ID is not shown in the URL,
470.             avoiding session ID stealing through a referer attack.
471.           - in case the session ID is present in the URL (e.g. for a plain
472.             HTML session), Wt will redirect links to images or external
473.             anchors through an intermediate page that censors the session ID
474.  
475.           In case of the loss of a session ID, the impact is minimized:
476.           - a full page refresh is not supported if the client IP address
477.             changes or the user-agent changes
478.           - an Ajax update is protected by other state which is not exposed
479.             in the URL
480.  
481.           To still enable a full page refresh when the client IP address
482.           changes, an additional cookie may be set which is used only
483.           for this purpose, and can be enabled using this setting.
484.          -->
485.         <session-id-cookie>true</session-id-cookie>
486.  
487.         <!-- Configure cookie checks
488.  
489.         By default, Wt will test for cookie support using JavaScript.
490.         Because cookie manipulation from JavaScript is a common security
491.         risk vector, some prefer to disable these checks.
492.        -->
493.         <cookie-checks>true</cookie-checks>
494.  
495.         <!-- Runtime Properties
496.    
497.           These properties may be used to adapt applications to their
498.           deployment environment. Typical use is for paths to resources
499.           that may or may not be shared between several applications.
500.          -->
501.         <properties>
502.             <!-- baseURL property
503.  
504.               The absolute URL at which the application is deployed
505.               (known to the user). This is needed only in two scenarios.
506.  
507.               a) use of relative URLs in included XHTML
508.  
509.               When you use relative URLs for images, etc... in
510.               literal XHTML fragments (e.g. in WTemplate), which need
511.               to resolve against the deployment path of the
512.               application. This will not work as expected in the
513.               presence of an internal application path.  This URL is
514.               set as base URL in the HTML, against which relative
515.               URLs are resolved so that these work correctly
516.               regardless of the internal path. It is also used
517.               explicitly in any URL generated by the library.
518.  
519.               b) widgetset mode deployments
520.  
521.               Another situation in which you need to define the baseURL is
522.               when deploying a widgetset mode application behind a reverse
523.               proxy. A widgetset mode application uses only absolute URLs
524.               because it may be hosted in a web page from an entirely
525.               different domain.
526.  
527.               By default, no baseURL is specified, in which case Wt will
528.               avoid using absolute URLs. Relative URLs passed in API calls
529.               will be "fixed" so that they resolve against the location of the
530.               application deploy path, even in the presence of an
531.               internal path.
532.              -->
533.             <!-- <property name="baseURL">"http://mysite.com/app</property> -->
534.  
535.             <!-- resourcesURL property
536.  
537.               The URL at which the resources/ folder is deployed that
538.               comes distributed with Wt and contains auxiliary files
539.               used to primarily for styles and themes.
540.  
541.               The default value is 'resources/'
542.              -->
543.             <property name="resourcesURL">../resources/</property>
544.  
545.             <!-- extBaseURL property
546.  
547.               Used in conjunction with Ext:: widgets, and points to the
548.               URL of Ext JavaScript and resource files (css, images).
549.               See the documentation for the Ext namespace for details.
550.  
551.               The default value is 'ext/'
552.              -->
553.             <property name="extBaseURL">ext/</property>
554.  
555.             <!-- favicon property
556.  
557.               By default, a browser will try to fetch a /favicon.ico icon
558.               from the root of your web server which is used as an icon
559.               for your application. You can specify an alternative location
560.               by setting this property, or for an individual application
561.               entry point by passing a location to WServer::addEntryPoint().
562.              -->
563.             <!-- <property name="favicon">images/favicon.ico</property> -->
564.         </properties>
565.  
566.     </application-settings>
567.  
568.  
569.     <!-- Override settings for specific applications.
570.  
571.       Location refers to physical filesystem location of the
572.       application. The application prints this location (which
573.       corresponds to argv[0]) to the log file on startup, and this
574.       should match exactly.
575.      -->
576.     <!--
577.    <application-settings
578.       location="/var/www/localhost/wt-examples/hello.wt">
579.    </application-settings>
580.    -->
581. </server>