HTTP/2 and TLS

SWS provides HTTP/2 protocol and TLS support.

This feature is disabled by default and is activated with the boolean -t, --http2 option together with the string options --http2-tls-cert (TLS certificate file path) and --http2-tls-key (private key file path).

Safe TLS defaults

SWS ships with safe TLS defaults for the underlying cryptography.

  • Cipher suites:
    • TLS1.3:
      TLS13_AES_256_GCM_SHA384
      TLS13_AES_128_GCM_SHA256
      TLS13_CHACHA20_POLY1305_SHA256
      
    • TLS1.2:
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      
  • Key exchange groups:
    • X25519, SECP256R1 and SECP384R1
  • Protocol versions:
    • TLS 1.2 and 1.3

These defaults are safe and useful for most use cases. See Rustls safe defaults for more details.

Private key file formats

Only the following private key file formats are supported:

  • RSA Private Key: A DER-encoded plaintext RSA private key as specified in PKCS#1/RFC3447.
  • PKCS8 Private Key: A DER-encoded plaintext private key as specified in PKCS#8/RFC5958.
  • EC Private Key: A SEC1-encoded plaintext private key as specified in RFC5915.

Example

static-web-server \
    --host 127.0.0.1 \
    --port 8787 \
    --root ./my-public-dir \
    --http2 true \
    --http2-tls-cert ./my-tls.cert \
    --http2-tls-key ./my-tls.key

Tips

  • --host, --port and --root all have default values, so each can be specified or omitted as required.
  • Don't forget to set the appropriate --port value for the HTTP/2 & TLS feature.
  • When this feature is enabled (--http2=true), the security headers are also enabled automatically.
  • The server handles termination signals and shuts down gracefully by default.
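As an added example (not part of the SWS documentation or the project's own code), a POSIX shell pre-flight check that maps the key file's PEM label to the three supported formats and refuses to launch the server on an encrypted or unrecognised key. It assumes the key is stored PEM-wrapped, as openssl writes it, and that the static-web-server binary is on PATH.

```shell
#!/bin/sh
# Pre-flight check for --http2-tls-key: SWS only loads plaintext PKCS#1 (RSA),
# PKCS#8 or SEC1 (EC) private keys, so catch anything else (typically a
# passphrase-protected key) before the server is started.
# Assumption: the key is PEM-wrapped DER ("-----BEGIN ...-----"), as openssl writes it.
sws_key_format() {
    key_file="$1"
    # First PEM label in the file, tolerating CRLF line endings.
    label=$(tr -d '\r' < "$key_file" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    case "$label" in
        "RSA PRIVATE KEY")       echo "PKCS#1 RSA private key" ;;
        "PRIVATE KEY")           echo "PKCS#8 private key" ;;
        "EC PRIVATE KEY")        echo "SEC1 EC private key" ;;
        "ENCRYPTED PRIVATE KEY")
            echo "unsupported: encrypted PKCS#8 key; SWS needs a plaintext key" >&2
            return 1 ;;
        "")
            echo "unsupported: no PEM private key label found in $key_file" >&2
            return 1 ;;
        *)
            echo "unsupported: PEM label '$label'" >&2
            return 1 ;;
    esac
}

# Launch SWS with HTTP/2 + TLS only when the key passes the check.
start_sws_tls() {
    cert="$1"; key="$2"; port="$3"; root="$4"
    fmt=$(sws_key_format "$key") || return 1
    echo "using $fmt from $key"
    static-web-server --host 127.0.0.1 --port "$port" --root "$root" \
        --http2 true --http2-tls-cert "$cert" --http2-tls-key "$key"
}

# Constructed sample key files (PEM labels only, no real key material).
demo_dir=$(mktemp -d)
printf -- '-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n' > "$demo_dir/pkcs8.key"
printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$demo_dir/enc.key"
sws_key_format "$demo_dir/pkcs8.key"            # prints: PKCS#8 private key
sws_key_format "$demo_dir/enc.key" || echo "refusing to start with $demo_dir/enc.key"
```

Call start_sws_tls ./my-tls.cert ./my-tls.key 8787 ./my-public-dir to run the documented command only after the key check passes.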