sys httpd

sys httpd(1)					  BIG-IP TMSH Manual					 sys httpd(1)

NAME
       httpd - Configures the HTTP daemon for the BIG-IP(r) system.

MODULE
       sys

SYNTAX
       Configure the httpd component within the sys module using the following syntax.

   CREATE/MODIFY
	modify httpd
	  options:
	    allow [add | delete | none | replace-all-with] {
	      hostname or IP address ...
	    }
	    auth-name [string]
	    auth-pam-dashboard-timeout [off | on]
	    auth-pam-idle-timeout [integer]
	    auth-pam-validate-ip [off | on]
	    description [string]
	    fastcgi-timeout [integer]
	    hostname-lookup [double | off | on]
	    include [string]
	    log-level [alert | crit | debug | emerg | error | info | notice | warn]
	    redirect-http-to-https [disabled | enabled]
	    request-header-max-timeout [integer]
	    request-header-min-rate [integer]
	    request-header-timeout [integer]
	    request-body-max-timeout [integer]
	    request-body-min-rate [integer]
	    request-body-timeout [integer]
	    ssl-ca-cert-file [string]
	    ssl-certchainfile [string]
	    ssl-certfile [string]
	    ssl-certkeyfile [string]
	    ssl-ciphersuite [string]
	    ssl-include [string]
	    ssl-protocol [string]
	    ssl-port [integer]
	    ssl-verify-client [no | require | optional | optional-no-ca]
	    ssl-verify-depth [integer]
	    ssl-ocsp-enable [on | off]
	    ssl-ocsp-default-responder [string]
	    ssl-ocsp-override-responder [on | off]
	    ssl-ocsp-responder-timeout [integer]
	    ssl-ocsp-response-max-age [integer]
	    ssl-ocsp-response-time-skew [integer]

	edit httpd
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list httpd
	list httpd [option name]
	show running-config httpd
	show running-config httpd [option name]
	  options:
	    all-properties
	    non-default-properties
	    one-line

DESCRIPTION
       You can use the httpd component to configure the HTTP daemon for the system.

       Important: F5 Networks recommends that users of the Configuration utility exit the utility before changes are
       made to the system using the httpd component, because making changes with this component restarts the httpd
       daemon. Restarting the httpd daemon in turn requires a restart of the Configuration utility.

EXAMPLES
	    modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }

	    Changes the SSL certificate and the SSL key. Note that when you change the SSL key, you must also change
	    the SSL certificate.

	    modify httpd auth-pam-idle-timeout 43200

	    Sets the PAM idle timeout to half a day (in seconds).

	    modify httpd allow replace-all-with {172.27.0.0/255.255.0.0}

	    Replaces the existing list of hosts that can connect to the httpd daemon with the hosts in the range
	    172.27.0.0/255.255.0.0.

OPTIONS
       allow
	    Configures IP addresses and hostnames for the HTTP clients from which the httpd daemon accepts requests.
	    The default value is All.

	    Warning: Using the value none resets the httpd daemon to allow NO HTTP clients access to the system;
	    therefore, F5 Networks recommends that you do not use the value none.

       auth-name
	    Specifies the name for the authentication realm. The default value is BIG-IP.

       auth-pam-dashboard-timeout
	    Specifies whether the idle timeout is enforced while the dashboard is being viewed. The default value is off.

       auth-pam-idle-timeout
	    Specifies the number of seconds of inactivity that can elapse before the GUI session is automatically
	    logged out. The default value is 1200 seconds.

       auth-pam-validate-ip
	    Specifies whether the system enforces the check that the inbound IP address stays the same for the entire
	    web session. The default value is on.

       description
	    User defined description.

       fastcgi-timeout
	    Specifies, in seconds, the timeout for FastCGI. The default value is 300 seconds.

       fips-cipher-version
	    Read-only field for internal use. Non-zero value indicates that ssl-ciphersuite has been set to FIPS
	    140-2 compliant defaults. The value 1 indicates that the ciphersuite is
	    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA".
	    User changes to ssl-ciphersuite will not affect this field. This field is relevant only when FIPS 140-2
	    compliance is enabled in the license.

       hostname-lookup
	    The default value is off.

       include
	    The default value is none.

	    Warning: Do not use this option without assistance from the F5 Technical Support team. The system does
	    not validate the commands issued using this option. If you use the include option incorrectly, you put
	    the functionality of the system at risk.

       log-level
	    Specifies the minimum httpd message level to include in the system log. The default value is warn.

       redirect-http-to-https
	    Specifies whether the system should redirect HTTP requests targeted at the configuration utility to
	    HTTPS. The default value is disabled.

       request-header-max-timeout
	    Specifies, in seconds, the maximum time allowed to receive all of the request headers, if the
	    request-header-min-rate option is used, in which case the timeout is extended as more data arrives.
	    Ignored if request-header-min-rate is not used. A value of 0 means no limit. The default value is 40.

       request-header-min-rate
	    Specifies, in bytes per second, the minimum average rate at which the request headers must be received. A
	    value of 0 means no limit. The default value is 500.

       request-header-timeout
	    Specifies, in seconds, the time allowed to receive all of the request headers. A value of 0 means no
	    limit. If you use the request-header-min-rate option, this represents the initial value for the timeout,
	    which will be extended as more data arrives. The default value is 20.

	    Warning: This includes the time needed to complete the initial SSL handshake. If the user's browser is
	    configured to query certificate revocation lists and the CRL server is not reachable, the initial SSL
	    handshake may take a significant time until the browser gives up waiting for the CRL.

       request-body-max-timeout
	    Specifies, in seconds, the maximum time allowed to receive all of the request body, if the
	    request-body-min-rate option is used, in which case the timeout is extended as more data arrives.
	    Ignored if request-body-min-rate is not used. A value of 0 means no limit. The default value is 0.

       request-body-min-rate
	    Specifies, in bytes per second, the minimum average rate at which the request body must be received. A
	    value of 0 means no limit. The default value is 500.

       request-body-timeout
	    Specifies, in seconds, the time allowed for reading all of the request body. This includes the time
	    needed to do any SSL renegotiation. A value of 0 means no limit. If you use the request-body-min-rate
	    option, this represents the initial value for the timeout, which will be extended as more data arrives.
	    The default value is 60.
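
Added example (not part of the F5 manual): a Python model of how the timeout, min-rate and max-timeout options interact, shown with the request-header defaults. It assumes these options follow Apache mod_reqtimeout, where the deadline grows by one second for every min-rate bytes received; `read_headers` and the traffic samples are hypothetical names and constructed data.

```python
import math

def read_headers(chunks, header_len, timeout=20, max_timeout=40, min_rate=500):
    """Model header receipt. chunks = [(arrival_second, nbytes), ...] in time order.

    Returns ("complete", t) once header_len bytes have arrived, otherwise
    ("timeout", t) where t is the moment the deadline expired.
    """
    if timeout == 0:
        base = cap = math.inf               # 0 means no limit
    else:
        base = timeout
        # max-timeout is ignored unless min-rate is used; 0 means no cap
        cap = (max_timeout or math.inf) if min_rate else timeout
    received, deadline = 0, base
    for t, n in chunks:
        if t > deadline:
            return ("timeout", deadline)
        received += n
        if received >= header_len:
            return ("complete", t)
        if min_rate:
            # assumed mod_reqtimeout rule: +1 second per min_rate bytes received
            deadline = min(base + received / min_rate, cap)
    return ("timeout", deadline)

# Constructed traffic: a client trickling 10 bytes every 5 s, and one sending 500 B/s.
TRICKLE = [(5 * k, 10) for k in range(1, 20)]
STEADY = [(k, 500) for k in range(1, 100)]

if __name__ == "__main__":
    print(read_headers(TRICKLE, 4000))                 # cut off just after 20 s
    print(read_headers(STEADY, 30000))                 # hits the 40 s cap
    print(read_headers(STEADY, 30000, max_timeout=0))  # no cap: completes
```

With the defaults, a trickling client gains only 0.02 s per chunk and is dropped almost at the initial timeout, while a client that sustains the minimum rate is still bounded by request-header-max-timeout.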

       ssl-ca-cert-file
	    Specifies the name of the file that contains the SSL Certificate Authority (CA) certificate file. The
	    default value is none.

       ssl-certchainfile
	    Specifies the name of the file that contains the SSL certificate chain. The default value is none.

       ssl-certfile
	    Specifies the name of the file that contains the SSL certificate. The default value is
	    /etc/httpd/conf/ssl.crt/server.crt.

	    Note that the path to the file must start with either /etc/httpd/conf/ssl.crt/ or
	    /config/httpd/conf/ssl.crt/, unless the path is a relative path. If the path is a relative path, then it
	    must start with conf/ssl.crt/.

       ssl-certkeyfile
	    Specifies the name of the file that contains the SSL certificate key. The default value is
	    /etc/httpd/conf/ssl.key/server.key.

	    Note that the path to the file must start with either /etc/httpd/conf/ssl.key/ or
	    /config/httpd/conf/ssl.key/, unless the path is a relative path. If the path is a relative path, then it
	    must start with conf/ssl.key/.

	    When you change the key file, you must also change the certificate file. For example, use the following
	    command sequence to change the key: modify httpd { ssl-certfile [string] ssl-certkeyfile [string] }

       ssl-ciphersuite
	    Specifies the ciphers that the system uses. The default value is
	    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA"

       ssl-include
	    The default value is none.

	    Warning: Do not use this option without assistance from the F5 Technical Support team. The system does
	    not validate the commands issued using this option. If you use the ssl-include option incorrectly, you
	    put the functionality of the system at risk.

       ssl-protocol
	    The list of SSL protocols to accept on the management console. A space-separated list of tokens in the
	    format accepted by the Apache mod_ssl SSLProtocol directive.

	    The default value is all -SSLv2 -SSLv3.

       ssl-port
	    The SSL port on which the management console runs. It is a number in the range 1 to 65535.

	    The default value is 443.

       ssl-ocsp-default-responder
	    Specifies the default responder URI for OCSP validation. The default is http://localhost.localdomain.
	    The value for the default responder should always be preceded with http://.

       ssl-ocsp-enable
	    Specifies OCSP validation of the client certificate chain. The default is off.

       ssl-ocsp-override-responder
	    Specifies whether to force use of the default responder URI for OCSP validation. The default is off.

       ssl-ocsp-responder-timeout
	    Specifies the maximum allowable time in seconds for OCSP response. The default is 300 seconds.

       ssl-ocsp-response-max-age
	    Specifies the maximum allowable age ("freshness") for OCSP responses. The default value (-1) does not
	    enforce a maximum age, which means that OCSP responses are considered valid as long as their nextUpdate
	    field is in the future.

       ssl-ocsp-response-time-skew
	    Specifies the maximum allowable time skew in seconds for OCSP response validation. The default is 300
	    seconds.

       ssl-verify-client
	    Specifies if the client certificate needs to be verified for SSL session establishment. The default is
	    no.

       ssl-verify-depth
	    Specifies the maximum depth of CA certificates in client certificate verification. The default is 10.
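
Added example (not part of the F5 manual and not F5 code): a Python audit that parses a constructed sample of `list sys httpd all-properties` output and flags settings described above that weaken the management interface. The brace layout of the listing is assumed, and `parse`, `audit` and `KEY_PREFIXES` are hypothetical names.

```python
import re

# Constructed sample of `list sys httpd` output (layout assumed; cipher list shortened).
SAMPLE = '''sys httpd {
    allow { All }
    auth-pam-dashboard-timeout off
    ssl-certkeyfile /etc/httpd/conf/ssl.key/server.key
    ssl-ciphersuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA
    ssl-protocol "all -SSLv2 -SSLv3"
}'''

# Path prefixes this page requires for ssl-certkeyfile.
KEY_PREFIXES = ("/etc/httpd/conf/ssl.key/", "/config/httpd/conf/ssl.key/", "conf/ssl.key/")

def parse(text):
    """Return {option: value} for each indented 'name value' line of the listing."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip().strip('"')
    return props

def audit(props):
    """Return hardening findings; missing options fall back to this page's defaults."""
    findings = []
    if "All" in props.get("allow", "All").strip("{} ").split():
        findings.append("allow: any client address may reach the httpd daemon")
    proto = props.get("ssl-protocol", "all -SSLv2 -SSLv3").lower().split()
    if "all" in proto:  # mod_ssl 'all' enables every version not explicitly removed
        legacy = [v for v in ("SSLv3", "TLSv1", "TLSv1.1") if "-" + v.lower() not in proto]
        if legacy:
            findings.append("ssl-protocol: still accepts " + ", ".join(legacy))
    suites = [s for s in props.get("ssl-ciphersuite", "").split(":") if s]
    tdes = [s for s in suites if "DES-CBC3" in s]
    if tdes:
        findings.append("ssl-ciphersuite: 3DES suites offered: " + ", ".join(tdes))
    static = [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))]
    if static:
        findings.append("ssl-ciphersuite: no forward secrecy: " + ", ".join(static))
    key = props.get("ssl-certkeyfile", "")
    if key and not key.startswith(KEY_PREFIXES):
        findings.append("ssl-certkeyfile: path outside the directories this page allows")
    if props.get("auth-pam-dashboard-timeout", "off") == "off":
        findings.append("auth-pam-dashboard-timeout: idle timeout not enforced on the dashboard")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```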

SEE ALSO
       edit, list, modify, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015. All rights reserved.

BIG-IP						      2018-10-30					 sys httpd(1)