--- title: config.json properties --- ## Configuration SVR.JS can be configured by modifying _config.json_ file. ### _config.json_ properties The _config.json_ file contains various properties that you can customize to configure SVR.JS according to your specific requirements. Below are the available properties: #### General Configuration - _users_ (Array of Objects, SVR.JS 3.0.0 or newer) - Users list for HTTP authentication. Use _svrpasswd_ tool to add, modify or delete users. - _name_: User name for HTTP authentication (String) - _pass_: Salted hash of the password (default SHA256 with appended salt, String) - _salt_: Salt used to generate the SHA256 hash (String) - _pbkdf2_: Flag used to determine, if hash is PBKDF2 (Boolean, SVR.JS 3.7.0 or newer) - _scrypt_: Flag used to determine, if hash is scrypt (Boolean, SVR.JS 3.7.0 or newer) - _port_ (Number or String, required) - HTTP port for SVR.JS to listen on. For SVR.JS 3.6.0 and later, it can also be a Unix socket or Windows named pipe. For SVR.JS 3.9.0 and later, this can also be an IP address along with a port like _"192.168.0.2:80"_ or like _"\[fdad:8948:1053::2\]:80"_ - _pubport_ (Number, required) - Public HTTP port for SVR.JS to display. It is also used in HTTP to HTTPS redirect. - _sport_ (Number or String) - HTTPS port for SVR.JS to listen on. For SVR.JS 3.6.0 and later, it can also be a Unix socket or Windows named pipe. For SVR.JS 3.9.0 and later, this can also be an IP address along with a port like _"192.168.0.2:80"_ or like _"\[fdad:8948:1053::2\]:80"_ - _spubport_ (Number) - Public HTTPS port for SVR.JS to display. It is also used in HTTP to HTTPS redirect. #### SSL Configuration - _secure_ (Boolean, SVR.JS 3.0.0 or newer) - Option to enable HTTPS. - _cert_ (String, required for HTTPS) - Path to the SSL certificate file. Path is relative to SVR.JS installation directory, unless absolute path is specified. - _key_ (String, required for HTTPS) - Path to the RSA/ECDSA private key file. Path is relative to SVR.JS installation directory, unless absolute path is specified. - _sni_ (Object, SVR.JS 3.0.0 or newer) - SNI certificate paths for multiple domain names. - _{domain_name}_: Object with properties _cert_ and _key_ (path to SSL certificate and private key). - _enableOCSPStapling_ (Boolean, SVR.JS 3.4.9 or newer) - Option to enable OCSP stapling. - _useClientCertificate_ (Boolean, SVR.JS 3.14.0 or newer) - Option to require client to provide its certificate. - _rejectUnauthorizedClientCertificates_ (Boolean, SVR.JS 3.14.0 or newer) - Option to disable verification of client certificates. - _cipherSuite_ (String, SVR.JS 3.14.0 or newer) - Specification of cipher suites, replacing the default. For more information, see [Node.JS documentation](https://nodejs.org/docs/latest/api/tls.html#modifying-the-default-tls-cipher-suite). - _ecdhCurve_ (String, SVR.JS 3.14.0 or newer) - Specification of ECDH curves, for example `P-521:P-384:P-256`. Set the parameter to `auto` to select the curve automatically. You can use `openssl ecparam -list_curves` command to obtain available ECDH curves. - _signatureAlgorithms_ (String, SVR.JS 3.14.0 or newer) - Colon-seperated list for signature algorithms supported by the server. The list may contain digest algorithms (e.g. `SHA256`, `MD5`), public key algorithms (e.g. `RSA-PSS`, `ECDSA`), combinations of both (e.g. `RSA+SHA384`) or TLS v1.3 scheme names (e.g. `rsa_pss_pss_sha512`). For more information, see [OpenSSL man pages](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set1_sigalgs_list.html). - _tlsMinVersion_ (String, SVR.JS 3.14.0 or newer) - Minimum TLS version, it can be `TLSv1.3`, `TLSv1.2`, `TLSv1.1`, or `TLSv1`. It is not recommended to set it less than TLSv1.2, unless it's required for interoperability. This is because of security vulnerabilities of TLS v1.1 and TLS v1. - _tlsMaxVersion_ (String, SVR.JS 3.14.0 or newer) - Maximum TLS version, it can be `TLSv1.3`, `TLSv1.2`, `TLSv1.1`, or `TLSv1`. #### Domain and Redirect Configuration - _domain_ (String) - Domain for SVR.JS to display. (In SVR.JS 2.x, it was _domian_) - _wwwredirect_ (Boolean) - Option to enable redirects to domain name that begins with "www.". You need to first set _domain_ property in order for this option to have effect. This property didn't work in SVR.JS versions from 3.3.0 to 3.14.4 #### Error Pages and Logging Configuration - _page404_ (String) - Path to a custom 404 error page (after pages defined in _errorPages_ property). - _errorPages_ (Array; SVR.JS 3.8.0 or newer) - Custom error pages configuration. - _scode_: HTTP status code specification for error page (Number, SVR.JS 3.8.0 or newer). - _path_: Path for error page (String, SVR.JS 3.8.0 or newer). - _host_: Applicable host name for this error page (optional; String, SVR.JS 3.8.0 or newer). - _ip_: Applicable IP address for this error page. Use this property to specify destination server IP address instead of _host_ property to prevent _Host_ header attacks. (optional; String, SVR.JS 3.14.1 or newer). - _serverAdministratorEmail_ (String, SVR.JS 3.0.0 or newer) - Server administrator e-mail address to be displayed in default 5xx error pages. - _enableLogging_ (Boolean) - Option to enable saving logs to a log file. #### HTTP Configuration - _enableCompression_ (Boolean, SVR.JS 3.0.0 or newer) - Option to enable HTTP compression. - _enableHTTP2_ (Boolean) - Option to enable HTTP/2. - _enableDirectoryListing_ (Boolean) - Option to enable directory listing. If disabled, it returns a 403 error page. - _enableDirectoryListingWithDefaultHead_ (Boolean) - Option to enable default header and footer on directory listing. - _nonStandardCodes_ (Array of Objects) - Non-standard status codes configuration: - _scode_: Non-standard status code to apply. (Number) - _url_: URL to which this status code applies (after URL rewriting; String). - _regex_: Regex string (e.g. `"/^\\/index\\.php(?:$|[\\/?#])/"`) for matching the source URL (after URL rewriting) this status code applies to (with or without the query string). (Regex String, SVR.JS 3.0.0 or newer) - _location_: URL to which it is redirected on 301 and 302 status codes. (String) - _realm_: HTTP authentication realm on 401 status code. (String, SVR.JS 3.0.0 or newer) - _disableBruteProtection_: Option to disable brute force protection on 401 status code. (Boolean, SVR.JS 3.4.8 or newer) - _host_: Applicable host name for this status code. (optional; String, SVR.JS 3.8.0 or newer) - _ip_: Applicable IP address for this status code. Use this property to specify destination server IP address instead of _host_ property to prevent _Host_ header attacks. (optional; String, SVR.JS 3.14.1 or newer) - _userList_: Allowed users for HTTP authentication. (optional; Array of Strings, SVR.JS 3.8.0 or newer) - _dontCompress_ (Array of Regex Strings, SVR.JS 3.0.0 or newer) - URLs for which HTTP compression will be disabled. - _enableIPSpoofing_ (Boolean, SVR.JS 3.0.0 or newer) - Option to enable identifiying client's originating IP address through the _X-Forwarded-For_ header (**for use in websites hidden behind a reverse proxy**, not recommeded if you're not using SVR.JS behind a reverse proxy, since hackers can spoof client IP address via this header). - _enableETag_ (Boolean, SVR.JS 3.6.1 or newer) - Option to enable ETags. - _customHeaders_ (Object, SVR.JS 3.0.0 or newer) - Custom HTTP headers (configured as a JavaScript object) with a _{path}_ template representing the request path (after URL rewriting). - _http2Settings_ (Object, SVR.JS 3.14.0 or newer) - HTTP/2 protocol settings object. See [Node.JS documentation](https://nodejs.org/docs/latest/api/http2.html#settings-object) for more information. - _headerTableSize_: Maximum number of bytes used for header compression. Minimum value is 0. Maximum value is 232-1. Default is 4096 (Number, SVR.JS 3.14.0 or newer). - _enablePush_: Option to enable HTTP/2 Push Streams. It is enabled by default (Boolean, SVR.JS 3.14.0 or newer). - _initialWindowSize_: Sender's initial window size in bytes for stream-level flow control. Minimum value is 0. Maximum value is 232-1. Default is 65535 (Number, SVR.JS 3.14.0 or newer). - _maxFrameSize_: Largest frame payload size in bytes. Minimum value is 16384. Maximum value is 224-1. Default is 16384 (Number, SVR.JS 3.14.0 or newer). - _maxConcurrentStreams_: Maximum number of concurrent streams allowed on HTTP/2 session. Minimum value is 0. Maximum value is 232-1. Default is 232-1 (Number, SVR.JS 3.14.0 or newer). - _maxHeaderListSize_: Maximum size (uncompressed octets) of acceptable header list. Minimum value is 0. Maximum value is 232-1. Default is 65535 (Number, SVR.JS 3.14.0 or newer). - _maxHeaderSize_: Alias for _maxHeaderListSize_ (Number, SVR.JS 3.14.0 or newer). - _enableConnectProtocol_: Option to enable the "Extended Connect Protocol" defined by RFC 8441 (Number, SVR.JS 3.14.0 or newer). - _customSettings_: Additional settings not implemented yet in Node.JS and its underlying libraries. Object key defines the numeric value of the settings type (as defined in the "HTTP/2 SETTINGS" registry established by RFC 7540). Object values define actual numeric value of the settings. Settings types should be greater than 6 and less than 216-1. Values should be in range from 0 to 232-1. Currently you can specify up to 10 custom settings (Object, SVR.JS 3.14.0 or newer). #### Security Configuration - _blacklist_ (Array of Strings) - Block list of IP addresses and CIDR ranges. - _disableServerSideScriptExpose_ (Boolean, SVR.JS 3.0.0 or newer) - Option to disable exposing SVR.JS script, server-side JavaScript, SVR.JS mods, and Node.JS modules. **It's strongly recommended to set this property to _true_ if you're using SVR.JS server-side JavaScript.** If you want to additionally prevent fingerprinting SVR.JS by accessing _/serverSideScript.js_, you can add URL rewrite rule, that defines rewriting of _/serverSideScript.js_ to a non-existent page. - _enableRemoteLogBrowsing_ (Boolean, SVR.JS 3.0.0 or newer) - Option to enable browsing server logs from an HTTP client. Applicable only when you're not using custom web root. **It's not recommended to enable this, because it provides valuable information for attackerss, unless you're protecting _log_ folder with HTTP authentication.** - _exposeServerVersion_ (Boolean) - Option to expose the server version via _Server_ header. If it is disabled, the header will have "SVR.JS" value. - _rewriteDirtyURLs_ (Boolean, SVR.JS 3.7.0 or newer) - Option to rewrite "dirty" URLs (those filtered by path sanitizer) instead of redirecting them. - _exposeModsInErrorPages_ (Boolean, SVR.JS 3.4.29, 3.9.1 or newer) - Option to expose SVR.JS mod information through default error pages (for example in _SVR.JS RedBrick/2.4.2 on forum.svrjs.org_ signature). Mod information is never exposed through _Server_ header (just SVR.JS information). #### Virtual Host Configuration - _enableDirectoryListingVHost_ (Array of Objects; SVR.JS 3.8.0 or newer) - Array containing options to enable directory listings for specific virtual hosts. - _host_: Applicable host name for this rule (String, SVR.JS 3.8.0 or newer). - _ip_: Applicable IP address for this rule. Use this property to specify destination server IP address instead of _host_ property to prevent _Host_ header attacks. (optional; String, SVR.JS 3.14.1 or newer). - _enabled_: Has the same effect as _enableDirectoryListing_ (Boolean, SVR.JS 3.8.0 or newer). - _customHeadersVHost_ (Array of Objects; SVR.JS 3.8.0 or newer) - Array containing custom headers for specific virtual hosts. - _host_: Applicable host name for this rule (String, SVR.JS 3.8.0 or newer). - _ip_: Applicable IP address for this rule. Use this property to specify destination server IP address instead of _host_ property to prevent _Host_ header attacks. (optional; String, SVR.JS 3.14.1 or newer). - _headers_: Has the same effect as _customHeaders_ property (Object, SVR.JS 3.8.0 or newer). - _wwwrootPostfixesVHost_ (Array of Objects; SVR.JS 3.14.0 or newer) - Array containing web root postfixes assigned for each virtual host. For example: the source URL is _/page.html_ and postfix is _svrjs_; the rewritten URL is _/svrjs/page.html_. URL rewriting (with rules defined in the _rewriteMap_ property) will be processed after assigning web root postfixes. - _host_: Applicable host name for this prefix (String, SVR.JS 3.14.0 or newer). - _ip_: Applicable IP address for this prefix. Use this property to specify destination server IP address instead of _host_ property to prevent _Host_ header attacks. (optional; String, SVR.JS 3.14.1 or newer). - _postfix_: Postfix inserted before the request URL (String, SVR.JS 3.14.0 or newer). - _skipRegex_: Regex string (e.g. `"/^\\/index\\.php(?:$|[\\/?#])/"`) for matching request URLs to skip (optional; Regex String, SVR.JS 3.14.0 or newer). - _wwwrootPostfixPrefixesVHost_ (Array of Strings; SVR.JS 3.14.0 or newer) - Array containing URL strings to insert before web root postfix (for all hosts). For example: the source URL is _/cgi-bin/gitweb.cgi_, postfix is _svrjs_ and the postfix prefix is _/cgi-bin_; the rewritten URL is _/cgi-bin/svrjs/gitweb.cgi_. - _allowPostfixDoubleSlashes_ (Boolean, SVR.JS 3.14.4 or newer) - Option to allow double slashes, when inserting web root postfixes. If set to `false`, double slashes are removed by postfix insertion function. It may create issues with double slash URLs not having prefixes. #### Miscellaneous Configuration - _rewriteMap_ (Array of Objects, SVR.JS 3.0.0 or newer) - Map for URL rewriting engine. Entries of the array are URL rewrite rules. - _definingRegex_: Regex string (e.g. `"/^\\/index\\.php(?:$|[\\/?#])/"`) for matching the source URL it applies to (Regex String, SVR.JS 3.0.0 or newer). - _host_: Applicable host name for this URL rewriting rule (optional; String, SVR.JS 3.8.0 or newer). - _ip_: Applicable IP address for this URL rewriting rule. Use this property to specify destination server IP address instead of _host_ property to prevent _Host_ header attacks. (optional; String, SVR.JS 3.14.1 or newer). - _append_: String to append after the end of URL (optional; String, SVR.JS 3.0.0 or newer). - _isNotDirectory_: Option to disable rewrite rule, when directory defined by the path exists (optional; Boolean, SVR.JS 3.13.0 or newer). - _isNotFile_: Option to disable rewrite rule, when file defined by the path exists (optional; Boolean, SVR.JS 3.13.0 or newer). - _allowDoubleSlashes_: Option to allow double slashes in the URL. If set to `false`, then URL rewriter removes double slashes. You may use `\\/{1,2}` instead of `\\/` in URL rewriting regular expressions (optional; Boolean, SVR.JS 3.14.4 or newer). - _replacements_: Regex string (e.g. `"/^\\/index\\.php(?:$|[\\/?#])/"`) replacements (Array of Objects, SVR.JS 3.0.0 or newer). - _regex_: Regex string (e.g. `"/^\\/index\\.php(?:$|[\\/?#])/"`) for matching the source URL this replacement applies to (Regex String, SVR.JS 3.0.0 or newer). - _replacement_: Replacement string (you can use for example "_$1_" for first capturing group; String, SVR.JS 3.0.0 or newer). - _disableNonEncryptedServer_ (Boolean, SVR.JS 3.0.0 or newer) - Option to disable the HTTP server if the HTTPS server is running. - _disableToHTTPSRedirect_ (Boolean, SVR.JS 3.0.0 or newer) - Option to disable redirects from the HTTP server to the HTTPS server. - _allowStatus_ (Boolean, SVR.JS 3.0.0 or newer) - Option to enable _/svrjsstatus.svr_ page for monitoring server status (by default it's enabled). - _wwwroot_ (String, SVR.JS 3.0.0 or newer) - Path to the root directory from which SVR.JS serves files and loads its server-side JavaScript. Defaults to the directory on which SVR.JS resides. - _disableUnusedWorkerTermination_ (Boolean, SVR.JS 3.7.0 or newer) - Option to disable termination of unused SVR.JS workers. - _useWebRootServerSideScript_ (Boolean, SVR.JS 3.9.0 or newer) - Option to use server-side JavaScript in web root. If it is set to _false_, the server-side JavaScript is loaded from SVR.JS installation directory. - _disableTrailingSlashRedirects_ (Boolean, SVR.JS 3.12.0 or newer) - Option to disable redirects from URLs referencing to directories (but without a trailing slash) to URL with a trailing slash. For forwards proxy applications and SVR.JS 3.14.9 and earlier, it needs to be _true_, or else the server will just do redirect loops. - _environmentVariables_ (Object, SVR.JS 3.12.0 or newer) - Envrionment variables. These can be used for CGI web applications and server-side JavaScript. - _allowDoubleSlashes_ (Boolean, SVR.JS 3.14.4 or newer) - Option to allow double slashes in the URL. If set to `false`, double slashes are removed by URL sanitizer. Double slashes at the beginning of path (e.g. in _//config.json_) are always removed. Doesn't affect URL rewriting, in that case please configure the _allowDoubleSlashes_ property in the URL rewriting rule. It may allow some configuration file leaks, if web root is in the SVR.JS installation directory. - _optOutOfStatisticsServer_ (Boolean, SVR.JS 3.15.6 or newer) - Option to opt out of sending data to the statistics server. You can use this option to increase the privacy of SVR.JS. #### Deprecated and Removed Properties The following properties are deprecated or removed in newer versions of SVR.JS, and modifying them might not have any effect on the server: - _timestamp_ (Number, **DON'T CHANGE**) - Timestamp of server starting. (This property should not be modified.) - _version_ (String, removed in SVR.JS 3.4.0, **DON'T CHANGE**) - SVR.JS version (This property is no longer used and should not be modified.) #### Example Configuration Here's an example _config.json_ file illustrating some of the available properties: ```json { "port": 8080, "pubport": 80, "sport": 8443, "spubport": 443, "domain": "example.com", "wwwroot": "/var/www/html", "wwwredirect": true, "page404": "custom_404.html", "enableLogging": true, "enableDirectoryListing": true, "enableCompression": true, "enableHTTP2": true, "enableETag": true, "secure": true, "cert": "path/to/certificate.crt", "key": "path/to/private.key", "exposeServerVersion": false, "exposeModsInErrorPages": false, "disableServerSideScriptExpose": true, "enableIPSpoofing": true, "allowStatus": false, "useWebRootServerSideScript": false, "rewriteMap": [ { "definingRegex": "/^\\/serverSideScript\\.js(?:$|[#?])/", "replacements": [ { "regex": "/^\\/serverSideScript\\.js($|[#?])/", "replacement": "/NONEXISTENT_PAGE$1" } ] }, { "definingRegex": "/^\\/old-url$/", "replacements": [ { "regex": "/^\\/old-url$/", "replacement": "/new-url" } ] } ], "customHeaders": { "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff" } } ```