| 1 | # @http2/server πΈ
|
| 2 | Static HTTP/2 webserver for single page apps and progressive web apps.
|
| 3 |
|
| 4 | - HTTP/2, HTTP/1.1, and HTTP/1.0
|
| 5 | - Fallback for client side routing
|
| 6 | - Auto-generate HTTPS certificate for localhost development
|
| 7 | - Compression with Brotli, Zopfli (Gzip), and Deflate
|
| 8 | - Server Push manifests
|
| 9 | - Cache Digest
|
| 10 | - CORS
|
| 11 | - Service Workers
|
| 12 | - HTTP to HTTPS redirect
|
| 13 | - Immutable caching of revved files
|
| 14 | - Scalable, multi-processor clustering
|
| 15 |
|
| 16 | ## Installation
|
| 17 | ```
|
| 18 | npm i -g @http2/server
|
| 19 | ```
|
| 20 |
|
| 21 | ## CLI
|
| 22 | ```
|
| 23 | http2server <command> [options]
|
| 24 | ```
|
| 25 |
|
| 26 | #### `--version`, `-v`
|
| 27 | Display the current version number.
|
| 28 |
|
| 29 | #### `--help [command]`, `-h [command]`
|
| 30 | List global or command-specific options.
|
| 31 |
|
| 32 | ### Command: `start`
|
| 33 | Start the server
|
| 34 |
|
| 35 | Aliases: `run`, `up`, `launch`
|
| 36 |
|
| 37 | #### `$PORT`
|
| 38 | The environment variable `PORT` sets the network port for incoming HTTPS connections. This overrides `https.port` in the configuration file.
|
| 39 |
|
| 40 | The unencrypted HTTP port, used for redirects, is derived by setting the last three digits set to `080`. E.g. HTTPS `8443` -> HTTP `8080`, HTTPS `443` -> HTTP `80`.
|
| 41 |
|
| 42 | #### `--root [directory]`
|
| 43 | Base directory to serve static files from. Defaults to `./public`, if it exists, or `./` otherwise. This sets the `host.root` for any host that has left the option undefined the configuration file.
|
| 44 |
|
| 45 | #### `--config [file]`
|
| 46 | Configuration file with options. Defaults to `./http2server.config.js`, if it exists, or the default configuration otherwise. See the [Configuration](#configuration) section for details.
|
| 47 |
|
| 48 | #### `--open`
|
| 49 | Open browser window after starting the server. Default: `false`
|
| 50 |
|
| 51 | #### `--loglevel [level]`
|
| 52 | Sets the severity threshhold for log output. Choices: `silent`, `fatal`, `error`, `warn`, `info`, `debug`, or `trace`. Default: `info`
|
| 53 |
|
| 54 | ### Command: `stop`
|
| 55 | Shuts down the server by sending it the `SIGINT` signal.
|
| 56 |
|
| 57 | Aliases: `halt`, `exit`, `quit`, `kill`, `down`, `end`
|
| 58 |
|
| 59 | ### Command: `reload`
|
| 60 | Gracefully restart workers with a new configuration by sending the server the `SIGHUP` signal.
|
| 61 |
|
| 62 | Aliases: `restart`, `refresh`, `renew`, `update`, `cycle`, `load`
|
| 63 |
|
| 64 | ### Command: `test`
|
| 65 | Loads and validates a server configuration.
|
| 66 |
|
| 67 | Aliases: `verify`, `validate`, `check`, `configtest`, `lint`
|
| 68 |
|
| 69 | #### `--config [file]`
|
| 70 | Identical to the same option of the `start` command.
|
| 71 |
|
| 72 | ## Configuration
|
| 73 |
|
| 74 | See JSON schemas and defaults in [`src/configuration`](./src/configuration) for details.
|
| 75 |
|
| 76 | ## Server Push Manifest
|
| 77 |
|
| 78 | The manifest is a declares which files or URLs need to be pushed as dependencies for any request.
|
| 79 |
|
| 80 | Example: Push all CSS and JS files when serving the homepage.
|
| 81 |
|
| 82 | ```js
|
| 83 | { glob: '**/*.html', push: ['**/*.css', '**/*.js'] }
|
| 84 | ```
|
| 85 |
|
| 86 | The `glob` property matches the currently served file. It can be a string or an array of strings. The syntax is similar to Bash but with nice extras. See: [minimatch](https://github.com/isaacs/minimatch) and [micromatch](https://github.com/micromatch/micromatch#matching-features) for examples.
|
| 87 |
|
| 88 | ## Server Push with Cache Digests
|
| 89 | Page load time is a largely function of latency (round trip time Γ delays) and aggregate volume (number Γ size of assets).
|
| 90 |
|
| 91 | Latency is minimised by using HTTP/2 Server Push to deliver any necessary assets to the browser alongside the HTML. When the browser parses the HTML it does not need to make a round trip request to fetch styles, scripts, and other assets. They are already in its cache or actively being pushed by the server as quickly as network conditions allow.
|
| 92 |
|
| 93 | Volume is reduced by using strong compression (HPACK, Brotli, etc), and by avoiding sending redundant data.
|
| 94 |
|
| 95 | If all assets were pushed every time, a large amount of bandwidth would be wasted. HTTP/1 asset concatenation makes a tradeoff between reducing round trips (good) and re-transferring invalidated, large files (bad). For example having to re-tranfer an entire spritesheet or JavaScript bundle because of one little change.
|
| 96 |
|
| 97 | The HTTP/1 approach was to use file signatures (Etags) and timestamps to invalidate cached responses. This requires many expensive round trips where the browser checks with the server if any files have been modified.
|
| 98 |
|
| 99 | Cache Digests to the rescue! Using a clever technique, called Golomb-Rice Coded Bloom Filters, a compressed list of cached responses is sent by the browser to the server. Now the server can avoid pushing assets that are fresh in the browser's cache.
|
| 100 |
|
| 101 | With Server Push and Cache Digests the best practice is to have many small files that can be cached and updated atomically, instead of large, concatenated blobs.
|
| 102 |
|
| 103 | Browsers do not yet support cache digests natively so Service Workers and the Cache API are used to implement them. A cookie-based fallback is available for browsers that lack Service Worker support.
|
| 104 |
|
| 105 | ## HTTPS Certificate
|
| 106 | While the HTTP/2 specification allows unencrypted connections, web browsers strictly enforce HTTPS.
|
| 107 |
|
| 108 | If no certificate and key are provided, one pair will be auto-generated. The generated certificate is only valid for `localhost`. It is stored in `~/.http2server`. As a user convenience, the certificate is added as trusted to the operating system so browsers will accept the certificate. A password dialog may appear to confirm. This is currently only supported on macOS and Linux.
|
| 109 |
|
| 110 | In production use [Let's Encrypt](https://letsencrypt.org) or any other trusted, signed certificate.
|
| 111 |
|
| 112 | Intermediate certificates are stapled to the OCSP response to speed up the TLS handshake.
|
| 113 |
|
| 114 | ## Caching Policy
|
| 115 | By default files are served with the header `cache-control: public, must-revalidate`.
|
| 116 |
|
| 117 | File paths that match the patterns set by the `cacheControl.immutable` option are considered to never, ever change their contents. They are served with the header `cache-control: public, max-age=31536000, immutable`. This tells browsers never to revalidate these resources.
|
| 118 |
|
| 119 | Special named immutable patterns can be used as shorthand for complex but handy patterns.
|
| 120 | - `hex` β Matches hexadecimal hash revved files. Example: `layout-d41d8cd98f.css`
|
| 121 | - `emoji` β Matches emoji revved files. Example: `app.β½οΈ.js`
|
| 122 |
|
| 123 | ## See Also
|
| 124 | - [Unbundle](https://www.npmjs.com/package/@http2/unbundle) β Build tool for front-end JavaScript applications, designed for HTTP/2 Server Push and Cache Digests.
|
| 125 | - [Push Demo](https://gitlab.com/sebdeckers/push-demo) β Shows how to use this tool through a practical example.
|
| 126 |
|
| 127 | ## Colophon
|
| 128 | Made with β€οΈ by Sebastiaan Deckers in πΈπ¬ Singapore.
|