SVR.JS documentation
Configuration
config.json properties

config.json properties

The config.json file contains various properties that you can customize to configure SVR.JS according to your specific requirements. Below are the available properties:

General Configuration

  • users (Array of Objects, SVR.JS 3.0.0 or newer)
    • Users list for HTTP authentication. Use svrpasswd tool to add, modify or delete users.
      • name: User name for HTTP authentication (String)
      • pass: Salted hash of the password (default SHA256 with appended salt, String)
      • salt: Salt used to generate the SHA256 hash (String)
      • pbkdf2: Flag used to determine, if hash is PBKDF2 (Boolean, SVR.JS 3.7.0 or newer)
      • scrypt: Flag used to determine, if hash is scrypt (Boolean, SVR.JS 3.7.0 or newer)
  • port (Number or String, required)
    • HTTP port for SVR.JS to listen on. For SVR.JS 3.6.0 and later, it can also be a Unix socket or Windows named pipe. For SVR.JS 3.9.0 and later, this can also be an IP address along with a port like "192.168.0.2:80" or like "[fdad:8948:1053::2]:80"
  • pubport (Number, required)
    • Public HTTP port for SVR.JS to display. It is also used in HTTP to HTTPS redirect.
  • sport (Number or String)
    • HTTPS port for SVR.JS to listen on. For SVR.JS 3.6.0 and later, it can also be a Unix socket or Windows named pipe. For SVR.JS 3.9.0 and later, this can also be an IP address along with a port like "192.168.0.2:80" or like "[fdad:8948:1053::2]:80"
  • spubport (Number)
    • Public HTTPS port for SVR.JS to display. It is also used in HTTP to HTTPS redirect.

SSL Configuration

  • secure (Boolean, SVR.JS 3.0.0 or newer)
    • Option to enable HTTPS.
  • cert (String, required for HTTPS)
    • Path to the SSL certificate file. Path is relative to SVR.JS installation directory, unless absolute path is specified.
  • key (String, required for HTTPS)
    • Path to the RSA/ECDSA private key file. Path is relative to SVR.JS installation directory, unless absolute path is specified.
  • sni (Object, SVR.JS 3.0.0 or newer)
    • SNI certificate paths for multiple domain names.
      • {domain_name}: Object with properties cert and key (path to SSL certificate and private key).
  • enableOCSPStapling (Boolean, SVR.JS 3.4.9 or newer)
    • Option to enable OCSP stapling.
  • useClientCertificate (Boolean, SVR.JS 3.14.0 or newer)
    • Option to require client to provide its certificate.
  • rejectUnauthorizedClientCertificates (Boolean, SVR.JS 3.14.0 or newer)
    • Option to disable verification of client certificates.
  • cipherSuite (String, SVR.JS 3.14.0 or newer)
  • ecdhCurve (String, SVR.JS 3.14.0 or newer)
    • Specification of ECDH curves, for example P-521:P-384:P-256. Set the parameter to auto to select the curve automatically. You can use openssl ecparam -list_curves command to obtain available ECDH curves.
  • signatureAlgorithms (String, SVR.JS 3.14.0 or newer)
    • Colon-seperated list for signature algorithms supported by the server. The list may contain digest algorithms (e.g. SHA256, MD5), public key algorithms (e.g. RSA-PSS, ECDSA), combinations of both (e.g. RSA+SHA384) or TLS v1.3 scheme names (e.g. rsa_pss_pss_sha512). For more information, see OpenSSL man pages (opens in a new tab).
  • tlsMinVersion (String, SVR.JS 3.14.0 or newer)
    • Minimum TLS version, it can be TLSv1.3, TLSv1.2, TLSv1.1, or TLSv1. It is not recommended to set it less than TLSv1.2, unless it's required for interoperability. This is because of security vulnerabilities of TLS v1.1 and TLS v1.
  • tlsMaxVersion (String, SVR.JS 3.14.0 or newer)
    • Maximum TLS version, it can be TLSv1.3, TLSv1.2, TLSv1.1, or TLSv1.

Domain and Redirect Configuration

  • domain (String)
    • Domain for SVR.JS to display. (In SVR.JS 2.x, it was domian)
  • wwwredirect (Boolean)
    • Option to enable redirects to domain name that begins with "www (opens in a new tab).". You need to first set domain property in order for this option to have effect. This property didn't work in SVR.JS versions from 3.3.0 to 3.14.4

Error Pages and Logging Configuration

  • page404 (String)
    • Path to a custom 404 error page (after pages defined in errorPages property).
  • errorPages (Array; SVR.JS 3.8.0 or newer)
    • Custom error pages configuration.
      • scode: HTTP status code specification for error page (Number, SVR.JS 3.8.0 or newer).
      • path: Path for error page (String, SVR.JS 3.8.0 or newer).
      • host: Applicable host name for this error page (optional; String, SVR.JS 3.8.0 or newer).
      • ip: Applicable IP address for this error page. Use this property to specify destination server IP address instead of host property to prevent Host header attacks. (optional; String, SVR.JS 3.14.1 or newer).
  • serverAdministratorEmail (String, SVR.JS 3.0.0 or newer)
    • Server administrator e-mail address to be displayed in default 5xx error pages.
  • enableLogging (Boolean)
    • Option to enable saving logs to a log file.

HTTP Configuration

  • enableCompression (Boolean, SVR.JS 3.0.0 or newer)
    • Option to enable HTTP compression.
  • enableHTTP2 (Boolean)
    • Option to enable HTTP/2.
  • enableDirectoryListing (Boolean)
    • Option to enable directory listing. If disabled, it returns a 403 error page.
  • enableDirectoryListingWithDefaultHead (Boolean)
    • Option to enable default header and footer on directory listing.
  • nonStandardCodes (Array of Objects)
    • Non-standard status codes configuration:
      • scode: Non-standard status code to apply. (Number)
      • url: URL to which this status code applies (after URL rewriting; String).
      • regex: Regex string (e.g. "/^\\/index\\.php(?:$|[\\/?#])/") for matching the source URL (after URL rewriting) this status code applies to (with or without the query string). (Regex String, SVR.JS 3.0.0 or newer)
      • location: URL to which it is redirected on 301 and 302 status codes. (String)
      • realm: HTTP authentication realm on 401 status code. (String, SVR.JS 3.0.0 or newer)
      • disableBruteProtection: Option to disable brute force protection on 401 status code. (Boolean, SVR.JS 3.4.8 or newer)
      • host: Applicable host name for this status code. (optional; String, SVR.JS 3.8.0 or newer)
      • ip: Applicable IP address for this status code. Use this property to specify destination server IP address instead of host property to prevent Host header attacks. (optional; String, SVR.JS 3.14.1 or newer)
      • userList: Allowed users for HTTP authentication. (optional; Array of Strings, SVR.JS 3.8.0 or newer)
  • dontCompress (Array of Regex Strings, SVR.JS 3.0.0 or newer)
    • URLs for which HTTP compression will be disabled.
  • enableIPSpoofing (Boolean, SVR.JS 3.0.0 or newer)
    • Option to enable identifiying client's originating IP address through the X-Forwarded-For header (for use in websites hidden behind a reverse proxy, not recommeded if you're not using SVR.JS behind a reverse proxy, since hackers can spoof client IP address via this header).
  • enableETag (Boolean, SVR.JS 3.6.1 or newer)
    • Option to enable ETags.
  • customHeaders (Object, SVR.JS 3.0.0 or newer)
    • Custom HTTP headers (configured as a JavaScript object) with a {path} template representing the request path (after URL rewriting).
  • http2Settings (Object, SVR.JS 3.14.0 or newer)
    • HTTP/2 protocol settings object. See Node.JS documentation (opens in a new tab) for more information.
      • headerTableSize: Maximum number of bytes used for header compression. Minimum value is 0. Maximum value is 232-1. Default is 4096 (Number, SVR.JS 3.14.0 or newer).
      • enablePush: Option to enable HTTP/2 Push Streams. It is enabled by default (Boolean, SVR.JS 3.14.0 or newer).
      • initialWindowSize: Sender's initial window size in bytes for stream-level flow control. Minimum value is 0. Maximum value is 232-1. Default is 65535 (Number, SVR.JS 3.14.0 or newer).
      • maxFrameSize: Largest frame payload size in bytes. Minimum value is 16384. Maximum value is 224-1. Default is 16384 (Number, SVR.JS 3.14.0 or newer).
      • maxConcurrentStreams: Maximum number of concurrent streams allowed on HTTP/2 session. Minimum value is 0. Maximum value is 232-1. Default is 232-1 (Number, SVR.JS 3.14.0 or newer).
      • maxHeaderListSize: Maximum size (uncompressed octets) of acceptable header list. Minimum value is 0. Maximum value is 232-1. Default is 65535 (Number, SVR.JS 3.14.0 or newer).
      • maxHeaderSize: Alias for maxHeaderListSize (Number, SVR.JS 3.14.0 or newer).
      • enableConnectProtocol: Option to enable the "Extended Connect Protocol" defined by RFC 8441 (Number, SVR.JS 3.14.0 or newer).
      • customSettings: Additional settings not implemented yet in Node.JS and its underlying libraries. Object key defines the numeric value of the settings type (as defined in the "HTTP/2 SETTINGS" registry established by RFC 7540). Object values define actual numeric value of the settings. Settings types should be greater than 6 and less than 216-1. Values should be in range from 0 to 232-1. Currently you can specify up to 10 custom settings (Object, SVR.JS 3.14.0 or newer).

Security Configuration

  • blacklist (Array of Strings)
    • Block list of IP addresses and CIDR ranges.
  • disableServerSideScriptExpose (Boolean, SVR.JS 3.0.0 or newer)
    • Option to disable exposing SVR.JS script, server-side JavaScript, SVR.JS mods, and Node.JS modules. It's strongly recommended to set this property to true if you're using SVR.JS server-side JavaScript. If you want to additionally prevent fingerprinting SVR.JS by accessing /serverSideScript.js, you can add URL rewrite rule, that defines rewriting of /serverSideScript.js to a non-existent page.
  • enableRemoteLogBrowsing (Boolean, SVR.JS 3.0.0 or newer)
    • Option to enable browsing server logs from an HTTP client. Applicable only when you're not using custom web root. It's not recommended to enable this, because it provides valuable information for attackerss, unless you're protecting log folder with HTTP authentication.
  • exposeServerVersion (Boolean)
    • Option to expose the server version via Server header. If it is disabled, the header will have "SVR.JS" value.
  • rewriteDirtyURLs (Boolean, SVR.JS 3.7.0 or newer)
    • Option to rewrite "dirty" URLs (those filtered by path sanitizer) instead of redirecting them.
  • exposeModsInErrorPages (Boolean, SVR.JS 3.4.29, 3.9.1 or newer)
    • Option to expose SVR.JS mod information through default error pages (for example in SVR.JS RedBrick/2.4.2 on forum.svrjs.org signature). Mod information is never exposed through Server header (just SVR.JS information).

Virtual Host Configuration

  • enableDirectoryListingVHost (Array of Objects; SVR.JS 3.8.0 or newer)
    • Array containing options to enable directory listings for specific virtual hosts.
      • host: Applicable host name for this rule (String, SVR.JS 3.8.0 or newer).
      • ip: Applicable IP address for this rule. Use this property to specify destination server IP address instead of host property to prevent Host header attacks. (optional; String, SVR.JS 3.14.1 or newer).
      • enabled: Has the same effect as enableDirectoryListing (Boolean, SVR.JS 3.8.0 or newer).
  • customHeadersVHost (Array of Objects; SVR.JS 3.8.0 or newer)
    • Array containing custom headers for specific virtual hosts.
      • host: Applicable host name for this rule (String, SVR.JS 3.8.0 or newer).
      • ip: Applicable IP address for this rule. Use this property to specify destination server IP address instead of host property to prevent Host header attacks. (optional; String, SVR.JS 3.14.1 or newer).
      • headers: Has the same effect as customHeaders property (Object, SVR.JS 3.8.0 or newer).
  • wwwrootPostfixesVHost (Array of Objects; SVR.JS 3.14.0 or newer)
    • Array containing web root postfixes assigned for each virtual host. For example: the source URL is /page.html and postfix is svrjs; the rewritten URL is /svrjs/page.html. URL rewriting (with rules defined in the rewriteMap property) will be processed after assigning web root postfixes.
      • host: Applicable host name for this prefix (String, SVR.JS 3.14.0 or newer).
      • ip: Applicable IP address for this prefix. Use this property to specify destination server IP address instead of host property to prevent Host header attacks. (optional; String, SVR.JS 3.14.1 or newer).
      • postfix: Postfix inserted before the request URL (String, SVR.JS 3.14.0 or newer).
      • skipRegex: Regex string (e.g. "/^\\/index\\.php(?:$|[\\/?#])/") for matching request URLs to skip (optional; Regex String, SVR.JS 3.14.0 or newer).
  • wwwrootPostfixPrefixesVHost (Array of Strings; SVR.JS 3.14.0 or newer)
    • Array containing URL strings to insert before web root postfix (for all hosts). For example: the source URL is /cgi-bin/gitweb.cgi, postfix is svrjs and the postfix prefix is /cgi-bin; the rewritten URL is /cgi-bin/svrjs/gitweb.cgi.
  • allowPostfixDoubleSlashes (Boolean, SVR.JS 3.14.4 or newer)
    • Option to allow double slashes, when inserting web root postfixes. If set to false, double slashes are removed by postfix insertion function. It may create issues with double slash URLs not having prefixes.

Miscellaneous Configuration

  • rewriteMap (Array of Objects, SVR.JS 3.0.0 or newer)
    • Map for URL rewriting engine. Entries of the array are URL rewrite rules.
      • definingRegex: Regex string (e.g. "/^\\/index\\.php(?:$|[\\/?#])/") for matching the source URL it applies to (Regex String, SVR.JS 3.0.0 or newer).
      • host: Applicable host name for this URL rewriting rule (optional; String, SVR.JS 3.8.0 or newer).
      • ip: Applicable IP address for this URL rewriting rule. Use this property to specify destination server IP address instead of host property to prevent Host header attacks. (optional; String, SVR.JS 3.14.1 or newer).
      • append: String to append after the end of URL (optional; String, SVR.JS 3.0.0 or newer).
      • isNotDirectory: Option to disable rewrite rule, when directory defined by the path exists (optional; Boolean, SVR.JS 3.13.0 or newer).
      • isNotFile: Option to disable rewrite rule, when file defined by the path exists (optional; Boolean, SVR.JS 3.13.0 or newer).
      • allowDoubleSlashes: Option to allow double slashes in the URL. If set to false, then URL rewriter removes double slashes. You may use \\/{1,2} instead of \\/ in URL rewriting regular expressions (optional; Boolean, SVR.JS 3.14.4 or newer).
      • replacements: Regex string (e.g. "/^\\/index\\.php(?:$|[\\/?#])/") replacements (Array of Objects, SVR.JS 3.0.0 or newer).
        • regex: Regex string (e.g. "/^\\/index\\.php(?:$|[\\/?#])/") for matching the source URL this replacement applies to (Regex String, SVR.JS 3.0.0 or newer).
        • replacement: Replacement string (you can use for example "$1" for first capturing group; String, SVR.JS 3.0.0 or newer).
  • disableNonEncryptedServer (Boolean, SVR.JS 3.0.0 or newer)
    • Option to disable the HTTP server if the HTTPS server is running.
  • disableToHTTPSRedirect (Boolean, SVR.JS 3.0.0 or newer)
    • Option to disable redirects from the HTTP server to the HTTPS server.
  • allowStatus (Boolean, SVR.JS 3.0.0 or newer)
    • Option to enable /svrjsstatus.svr page for monitoring server status (by default it's enabled).
  • wwwroot (String, SVR.JS 3.0.0 or newer)
    • Path to the root directory from which SVR.JS serves files and loads its server-side JavaScript. Defaults to the directory on which SVR.JS resides.
  • disableUnusedWorkerTermination (Boolean, SVR.JS 3.7.0 or newer)
    • Option to disable termination of unused SVR.JS workers.
  • useWebRootServerSideScript (Boolean, SVR.JS 3.9.0 or newer)
    • Option to use server-side JavaScript in web root. If it is set to false, the server-side JavaScript is loaded from SVR.JS installation directory.
  • disableTrailingSlashRedirects (Boolean, SVR.JS 3.12.0 or newer)
    • Option to disable redirects from URLs referencing to directories (but without a trailing slash) to URL with a trailing slash. For forwards proxy applications and SVR.JS 3.14.9 and earlier, it needs to be true, or else the server will just do redirect loops.
  • environmentVariables (Object, SVR.JS 3.12.0 or newer)
    • Envrionment variables. These can be used for CGI web applications and server-side JavaScript.
  • allowDoubleSlashes (Boolean, SVR.JS 3.14.4 or newer)
    • Option to allow double slashes in the URL. If set to false, double slashes are removed by URL sanitizer. Double slashes at the beginning of path (e.g. in //config.json) are always removed. Doesn't affect URL rewriting, in that case please configure the allowDoubleSlashes property in the URL rewriting rule. It may allow some configuration file leaks, if web root is in the SVR.JS installation directory.
  • optOutOfStatisticsServer (Boolean, SVR.JS 3.15.6 or newer)
    • Option to opt out of sending data to the statistics server. You can use this option to increase the privacy of SVR.JS.

Deprecated and Removed Properties

The following properties are deprecated or removed in newer versions of SVR.JS, and modifying them might not have any effect on the server:

  • timestamp (Number, DON'T CHANGE)
    • Timestamp of server starting. (This property should not be modified.)
  • version (String, removed in SVR.JS 3.4.0, DON'T CHANGE)
    • SVR.JS version (This property is no longer used and should not be modified.)

Example Configuration

Here's an example config.json file illustrating some of the available properties:

{
	"port": 8080,
	"pubport": 80,
	"sport": 8443,
	"spubport": 443,
	"domain": "example.com",
	"wwwroot": "/var/www/html",
	"wwwredirect": true,
	"page404": "custom_404.html",
	"enableLogging": true,
	"enableDirectoryListing": true,
	"enableCompression": true,
	"enableHTTP2": true,
	"enableETag": true,
	"secure": true,
	"cert": "path/to/certificate.crt",
	"key": "path/to/private.key",
	"exposeServerVersion": false,
	"exposeModsInErrorPages": false,
	"disableServerSideScriptExpose": true,
	"enableIPSpoofing": true,
	"allowStatus": false,
	"useWebRootServerSideScript": false,
	"rewriteMap": [
		{
			"definingRegex": "/^\\/serverSideScript\\.js(?:$|[#?])/",
			"replacements": [
				{
					"regex": "/^\\/serverSideScript\\.js($|[#?])/",
					"replacement": "/NONEXISTENT_PAGE$1"
				}
			]
		},
		{
			"definingRegex": "/^\\/old-url$/",
			"replacements": [
				{
					"regex": "/^\\/old-url$/",
					"replacement": "/new-url"
				}
			]
		}
	],
	"customHeaders": {
		"X-Frame-Options": "DENY",
		"X-Content-Type-Options": "nosniff"
	}
}
Client-initiated secure renegotiationCustom error pages