sys httpd

sys httpd(1)		      BIG-IP TMSH Manual		  sys httpd(1)



NAME
       httpd - Configures the HTTP daemon for the BIG-IP(r) system.

MODULE
       sys

SYNTAX
       Configure the httpd component within the sys module using the following
       syntax.

   CREATE/MODIFY
	modify httpd
	  options:
	    allow [add | delete | none | replace-all-with] {
	      hostname or IP address ...
	    }
	    auth-name [string]
	    auth-pam-dashboard-timeout [off | on]
	    auth-pam-idle-timeout [integer]
	    auth-pam-validate-ip [off | on]
	    description [string]
	    fastcgi-timeout [integer]
	    hostname-lookup [double | off | on]
	    include [string]
	    log-level [alert | crit | debug | emerg | error | info | notice | warn]
	    redirect-http-to-https [disabled | enabled]
	    request-header-max-timeout [integer]
	    request-header-min-rate [integer]
	    request-header-timeout [integer]
	    request-body-max-timeout [integer]
	    request-body-min-rate [integer]
	    request-body-timeout [integer]
	    ssl-ca-cert-file [string]
	    ssl-certchainfile [string]
	    ssl-certfile [string]
	    ssl-certkeyfile [string]
	    ssl-ciphersuite [string]
	    ssl-include [string]
	    ssl-protocol [string]
	    ssl-port [integer]
	    ssl-verify-client [no | require | optional | optional-no-ca]
	    ssl-verify-depth [integer]
	    ssl-ocsp-enable [on | off]
	    ssl-ocsp-default-responder [string]
	    ssl-ocsp-override-responder [on | off]
	    ssl-ocsp-responder-timeout [integer]
	    ssl-ocsp-response-max-age [integer]
	    ssl-ocsp-response-time-skew [integer]

	edit httpd
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list httpd
	list httpd [option name]
	show running-config httpd
	show running-config httpd [option name]
	  options:
	    all-properties
	    non-default-properties
	    one-line

DESCRIPTION
       You can use the httpd component to configure the HTTP daemon for the
       system.

       Important: F5 Networks recommends that users of the Configuration
       utility exit the utility before changes are made to the system using
       the httpd component. This is because making changes to the system using
       this component causes a restart of the httpd daemon. Additionally,
       restarting the httpd daemon creates the necessity for a restart of the
       Configuration utility.

EXAMPLES
	    modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }

	    Changes the SSL certificate and the SSL key. Note that when you
	    change the SSL key, you must also change the SSL certificate.

	    modify httpd auth-pam-idle-timeout 43200

	    Sets the PAM idle timeout to half a day (in seconds).

	    modify httpd allow replace-all-with {172.27.0.0/255.255.0.0}

	    Replaces the existing list of hosts that can connect to the httpd
	    daemon with the hosts in the range 172.27.0.0/255.255.0.0.

OPTIONS
       allow
	    Configures IP addresses and hostnames for the HTTP clients from
	    which the httpd daemon accepts requests. The default value is All.

	    Warning: Using the value none resets the httpd daemon to allow all
	    HTTP clients access to the system; therefore, F5 Networks
	    recommends that you do not use the value none.

       auth-name
	    Specifies the name for the authentication realm. The default value
	    is BIG-IP.

       auth-pam-dashboard-timeout
	    Specifies whether idle timeout while viewing the dashboard is
	    enforced or not. The default value is off.

       auth-pam-idle-timeout
	    Specifies the number of seconds of inactivity that can elapse
	    before the GUI session is automatically logged out. The default
	    value is 1200 seconds.

       auth-pam-validate-ip
	    Specifies whether the check for consistent inbound IP for the
	    entire web session is enforced or not. The default value is on.

       description
	    User defined description.

       fastcgi-timeout
	    Specifies, in seconds, the timeout for FastCGI. The default value
	    is 300 seconds.

       hostname-lookup
	    The default value is off.

       include
	    The default value is none.

	    Warning: Do not use this option without assistance from the F5
	    Technical Support team. The system does not validate the commands
	    issued using this option. If you use the include option
	    incorrectly, you put the functionality of the system at risk.

       log-level
	    Specifies the minimum httpd message level to include in the system
	    log. The default value is warn.

       redirect-http-to-https
	    Specifies whether the system should redirect HTTP requests
	    targeted at the configuration utility to HTTPS. The default value
	    is disabled.

       request-header-max-timeout
	    Specifies, in seconds, the maximum time allowed to receive all of
	    the request headers, if the request-header-min-rate option is
	    used, in which case the timeout is extended as more data arrives.
	    Ignored if request-header-min-rate is not used. A value of 0 means
	    no limit. The default value is 40.

       request-header-min-rate
	    Specifies, in bytes per second, the minimum average rate at which
	    the request headers must be received. A value of 0 means no limit.
	    The default value is 500.

       request-header-timeout
	    Specifies, in seconds, the time allowed to receive all of the
	    request headers. A value of 0 means no limit. If you use the
	    request-header-min-rate option, this represents the initial value
	    for the timeout, which will be extended as more data arrives. The
	    default value is 20.

	    Warning: This includes the time needed to complete the initial SSL
	    handshake. If the user's browser is configured to query
	    certificate revocation lists and the CRL server is not reachable,
	    the initial SSL handshake may take a significant time until the
	    browser gives up waiting for the CRL.

       request-body-max-timeout
	    Specifies, in seconds, the maximum time allowed to receive all of
	    the request body, if the request-body-min-rate option is used, in
	    which case the timeout is extended as more data arrives. Ignored
	    if request-body-min-rate is not used. A value of 0 means no limit.
	    The default value is 0.

       request-body-min-rate
	    Specifies, in bytes per second, the minimum average rate at which
	    the request body must be received. A value of 0 means no limit.
	    The default value is 500.

       request-body-timeout
	    Specifies, in seconds, the time allowed for reading all of the
	    request body. This includes the time needed to do any SSL
	    renegotiation. A value of 0 means no limit. If you use the
	    request-body-min-rate option, this represents the initial value
	    for the timeout, which will be extended as more data arrives. The
	    default value is 60.

       ssl-ca-cert-file
	    Specifies the name of the file that contains the SSL Certificate
	    Authority (CA) certificate file. The default value is none.

       ssl-certchainfile
	    Specifies the name of the file that contains the SSL certificate
	    chain. The default value is none.

       ssl-certfile
	    Specifies the name of the file that contains the SSL certificate.
	    The default value is /etc/httpd/conf/ssl.crt/server.crt.

	    Note that the path to the file must start with either
	    /etc/httpd/conf/ssl.crt/ or /config/httpd/conf/ssl.crt/, unless
	    the path is a relative path. If the path is a relative path, then
	    it must start with conf/ssl.crt/.

       ssl-certkeyfile
	    Specifies the name of the file that contains the SSL certificate
	    key. The default value is /etc/httpd/conf/ssl.key/server.key.

	    Note that the path to the file must start with either
	    /etc/httpd/conf/ssl.key/ or /config/httpd/conf/ssl.key/, unless
	    the path is a relative path. If the path is a relative path, then
	    it must start with conf/ssl.key/.

	    When you change the key file, you must also change the certificate
	    file. For example, use the following command sequence to change
	    the key: modify httpd { ssl-certfile [string] ssl-certkeyfile
	    [string] }

       ssl-ciphersuite
	    Specifies the ciphers that the system uses. The default value is
	    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA"

       ssl-include
	    The default value is none.

	    Warning: Do not use this option without assistance from the F5
	    Technical Support team. The system does not validate the commands
	    issued using this option. If you use the ssl-include option
	    incorrectly, you put the functionality of the system at risk.

       ssl-protocol
	    The list of SSL protocols to accept on the management console. A
	    space-separated list of tokens in the format accepted by the
	    Apache mod_ssl SSLProtocol directive.

	    The default value is all -SSLv2 -SSLv3.

       ssl-port
	    Specifies the SSL port on which the management console runs. The
	    value is a number in the range 1 to 65535.

	    The default value is 443.

       ssl-ocsp-default-responder
	    Specifies the default responder URI for OCSP validation. The
	    default is http://localhost.localdomain.  The value for the
	    default responder should always be preceded with http://.

       ssl-ocsp-enable
	    Specifies whether OCSP validation of the client certificate chain
	    is enabled. The default is off.

       ssl-ocsp-override-responder
	    Specifies whether to force use of the default responder URI for
	    OCSP validation. The default is off.

       ssl-ocsp-responder-timeout
	    Specifies the maximum allowable time, in seconds, for an OCSP
	    response. The default is 300 seconds.

       ssl-ocsp-response-max-age
	    Specifies the maximum allowable age ("freshness") for OCSP
	    responses. The default value (-1) does not enforce a maximum age,
	    which means that OCSP responses are considered valid as long as
	    their nextUpdate field is in the future.

       ssl-ocsp-response-time-skew
	    Specifies the maximum allowable time skew in seconds for OCSP
	    response validation. The default is 300 seconds.

       ssl-verify-client
	    Specifies if the client certificate needs to be verified for SSL
	    session establishment. The default is no.

       ssl-verify-depth
	    Specifies the maximum depth of CA certificates in client certificate
	    verification. The default is 10.
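
Added example (not part of the F5 manual): a Python audit that reads a saved copy of the httpd stanza and flags the settings documented above that leave the management GUI exposed, namely allow set to All, legacy protocol versions left enabled by the ssl-protocol tokens, 3DES and similar entries in ssl-ciphersuite, and a long auth-pam-idle-timeout. The sample stanza is constructed; its layout, the expansion of "all", and the 1200-second threshold are assumptions.

```python
import re

# Constructed sample of `list httpd all-properties` output (layout assumed).
SAMPLE = """sys httpd {
    allow { All }
    auth-pam-idle-timeout 43200
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA
    ssl-protocol "all -SSLv2 -SSLv3"
}
"""
# Assumption: the versions "all" expands to depend on the OpenSSL build behind httpd.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5")
MAX_IDLE_SECONDS = 1200  # example policy: no longer than the documented default

def parse_httpd(text):
    """Map option name -> value for each indented 'name value' line."""
    pairs = re.findall(r"^[ \t]+([a-z][a-z0-9-]*)[ \t]+(.+?)[ \t]*$", text, re.M)
    return {name: value.strip('"{} ') for name, value in pairs}

def enabled_protocols(spec):
    """Resolve mod_ssl SSLProtocol tokens: +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if tok[0] == "-":
            enabled -= names
        elif tok[0] == "+":
            enabled |= names
        else:
            enabled = set(names)
    return enabled

def audit(props):
    findings = []  # missing options fall back to the defaults documented above
    if "all" in props.get("allow", "All").lower().split():
        findings.append("allow: GUI accepts clients from any address")
    legacy = enabled_protocols(props.get("ssl-protocol", "all -SSLv2 -SSLv3")) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("ssl-protocol: legacy versions enabled: " + ", ".join(sorted(legacy)))
    weak = [c for c in props.get("ssl-ciphersuite", "").split(":")
            if not c.startswith(("!", "-")) and any(m in c for m in WEAK_CIPHER_MARKS)]
    if weak:
        findings.append("ssl-ciphersuite: weak ciphers: " + ", ".join(weak))
    if int(props.get("auth-pam-idle-timeout", "1200")) > MAX_IDLE_SECONDS:
        findings.append("auth-pam-idle-timeout: exceeds %d seconds" % MAX_IDLE_SECONDS)
    return findings
```

Calling audit(parse_httpd(SAMPLE)) returns four findings; a stanza with a restricted allow list, "-TLSv1 -TLSv1.1" appended to ssl-protocol, and the DES-CBC3 entries removed returns none.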

SEE ALSO
       edit, list, modify, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or
       by any means, electronic or mechanical, including photocopying,
       recording, or information storage and retrieval systems, for any
       purpose other than the purchaser's personal use, without the express
       written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015. All rights
       reserved.



BIG-IP				  2015-12-28			  sys httpd(1)