/etc/wt/wt_config.xml is in libwt-common 3.3.4+dfsg-6ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 | <!--
Wt Configuration File.
The Wt configuration file manages, for every Wt application, settings
for session management, debugging, directory for runtime information
such as session sockets, and some security settings.
Settings may be specified globally, or for a single application path.
The path should be as configured in the Wt build process, where it
defaults to /etc/wt/wt_config.xml. It can be overridden in the environment
variable WT_CONFIG_XML, or with the -c startup option of wthttp.
The values listed here are the default values, which are used when the
declaration is missing or no configuration file is used.
-->
<server>
<!-- Default application settings
The special location "*" always matches. See below for an example
of settings specific to a single application.
-->
<application-settings location="*">
<!-- Session management. -->
<session-management>
<!-- Every session runs within a dedicated process.
This mode guarantees kernel-level session privacy, but as every
session requires a seperate process, it is also an easy target
for DoS attacks if not shielded by access control.
Note: currently only supported by the wtfcgi and wthttp
connectors.
-->
<!--
<dedicated-process>
<max-num-sessions>100</max-num-sessions>
</dedicated-process>
-->
<!-- Multiple sessions within one process.
This mode spawns a number of processes, and sessions are
allocated randomly to one of these processes (you should not
use this for dynamic FCGI servers, but only in conjunction
with a fixed number of static FCGI servers.
This requires careful programming, as memory corruption in one
session will kill all of the sessions in the same process. You
should debug extensively using valgrind. Also, it is your
responsibility to keep session state not interfering and
seperated.
On the other hand, sessions are inexpensive, and this mode
suffers far less from DoS attacks than dedicated-process mode.
Use it for non-critical and well-debugged web applications.
Note: the wthttp connector will ignore the num-processes
setting and use only process.
-->
<shared-process>
<num-processes>1</num-processes>
</shared-process>
<!-- Session tracking strategy.
Possible values:
Auto: cookies is available, otherwise URL rewriting
URL: only URL rewriting
It is recommended to stick to URL rewriting for session
tracking as this is more secure (it avoids the risk of attacks
like CSRF or BREACH), and also provides proper support for
concurrent sessions in a single browser.
-->
<tracking>URL</tracking>
<!-- How reload should be handled.
When reload should (or rather, may) spawn a new session, then
even in the case cookies are not used for session management,
the URL will not be cluttered with a sessionid.
However, WApplication::refresh() will never be called.
-->
<reload-is-new-session>true</reload-is-new-session>
<!-- Session timeout (seconds).
When a session remains inactive for this amount of time, it is
cleaned up.
-->
<timeout>600</timeout>
<!-- Server push timeout (seconds).
When using server-initiated updates, the client uses
long-polling requests. Proxies (including reverse
proxies) are notorious for silently closing idle
requests; the client therefore cancels the request
periodically and issues a new one. This timeout sets
the frequency.
-->
<server-push-timeout>50</server-push-timeout>
</session-management>
<!-- Settings that apply only to the FastCGI connector.
To configure the wthttp connector, use command line options, or
configure default options in /etc/wt/wthttpd
-->
<connector-fcgi>
<!-- Valgrind path
If debugging is enabled and this path is not empty, then valgrind
will be started for every shared process, or for every session
which has ?debug appended to the command line.
The variable is slighly misnamed. Not only a path can be set,
but also options, like for example:
/usr/bin/valgrind - -leak-check=full
-->
<valgrind-path></valgrind-path>
<!-- Run directory
Path used by Wt to do session management.
-->
<run-directory>/var/run/wt</run-directory>
<!-- Number of threads per process
This configures the size of the thread pool. You may
want to change this value if you would like to support
reentrant event loops, where you block one event loop
using WDialog::exec() or related static
methods. Everytime you enter such an event loop, one
thread is blocked, and therefore the total number of
sessions that reliably can do this is limited to the
number of thread you have (minus one to unblock).
For the built-in http connector, there is a similar
config option that is specified in the whttpd config
file or on the command line (-t).
The default value is 1.
-->
<num-threads>1</num-threads>
</connector-fcgi>
<!-- Settings that apply only to the MS IIS ISAPI connector.
To configure the wthttp connector, use command line options, or
configure default options in /etc/wt/wthttpd
-->
<connector-isapi>
<!-- Number of threads per process
This configures the number of threads that will be used
to handle Wt requests. The IIS internal threads are never
used to do any processing; all requests are forwarded to
be handled in this threadpool. Rather than to configure a
so-called 'web-garden' in IIS, increase this number. The
ISAPI connector will not work correctly when a web-garden
is configured.
You may want to change this value if you would like to
support more reentrant event loops, where you block one
event loop using WDialog::exec() or related static
methods. Everytime you enter such an event loop, one
thread is blocked, and therefore the total number of
sessions that reliably can do this is limited to the
number of thread you have (minus one to unblock).
You may also want to increase this number if your Wt
application is regularly waiting for IO (databases, network,
files, ...). If this number is too low, all threads could
be waiting for IO operations to complete while your CPU
is idle. Increasing the number of threads may help.
Computing intensive applications may also increase this number,
even though it is better to offload computations to a helper
thread and user server push or a WTimer to check for
completion of the task in order to keep your GUI responsive
during the computations.
The default value is 10.
-->
<num-threads>10</num-threads>
<!-- Maximum Request Size spooled in memory (Kb)
Normally, Wt keeps incoming requests (POST data) in memory.
However, malicious users could send a big POST and as such
use up all memory of your HTTP server. With this parameter,
you tune how big a request can be before Wt spools it in a
file before processing it. Legitimate big POST messages may
occur when users are expected to upload files.
See also max-request-size.
The default value is 128K, which is more than enough for
any interactive Wt event.
-->
<max-memory-request-size>128</max-memory-request-size>
</connector-isapi>
<!-- Javascript debug options
Values:
- naked: JavaScript errors are not caught at all
- false: JavaScript errors are caught and a simple error message
is printed to indicate that something is terribly wrong
- stack: equivalent to 'false'
- true: JavaScript errors are rethrown after server-side logging
Unless the value is 'naked',
WApplication::handleJavaScriptError() is called which by
default logs the error and terminates the session.
-->
<debug>false</debug>
<!-- Log file
When the log file is empty, or omitted, logging is done to
stderr. This may end up in the web server error log file
(e.g. for apache + fastcgi module), or on stderr (e.g. for
the built-in httpd).
-->
<log-file></log-file>
<!-- Logger configuration
This configures the logger. With the default configuration,
everything except for debugging messages are logged.
The configuration is a string that defines rules for
enabling or disabling certain logging. It is a white-space
delimited list of rules, and each rule is of the form:
[-]level : enables (or disables) logging of messages of
the given level; '*' is a wild-card that matches all
levels
[-]level:scope : enables (or disables) logging of
messages of the given level and scope; '*' is a wild-card
that matches all levels or scopes. The default
configuration is "* -debug", i.e. by default everything
is logged, except for "debug" messages.
Some other examples:
"* -debug debug:wthttp": logs everything, including
debugging messages of scope "wthttp", but no other
debugging messages.
"* -info -debug": disables logging of info messages
in addition to debugging messages.
Note debugging messages are only emitted when debugging
has been enabled while building Wt.
-->
<log-config>* -debug</log-config>
<!-- Maximum HTTP request size (Kb)
Maximum size of an incoming POST request. This value must be
increased when the user is allowed to upload files.
-->
<max-request-size>128</max-request-size>
<!-- Session id length (number of characters) -->
<session-id-length>16</session-id-length>
<!-- DoS prevention: limit plain HTML sessions
This is a simple measure which avoids Denial-of-Service
attacks on plain HTML sessions, which are easy to mount in
particular in the case of progressive bootstrap mode.
This setting may be used to keep the ratio of plain HTML
versus Ajax sessions under a certain ratio. Typically, most
of your sessions will be Ajax sessions, and only a tiny
fraction (e.g. less than 5%) will be plain HTML
sessions. This ratio is only enforced when more than 20 sessions
have been created.
-->
<plain-ajax-sessions-ratio-limit>1</plain-ajax-sessions-ratio-limit>
<!-- DoS prevention: adds a puzzle to validate Ajax sessions
This is a simple measure which avoids Denial-of-Service
attacks on Ajax sessions.
When enabled, a puzzle needs to be solved in the first Ajax
request which eliminates agents that do not build a proper
DOM tree.
-->
<ajax-puzzle>false</ajax-puzzle>
<!-- Do strict serialization of events.
By default events are queued at the client-side, and
transmitted to the server so that at any time only one
request/response is pending. This scheme has a quality that
resembles TCP: on a low-latency link you allow the
transmission of many smaller requests, while on a high
latency link, events will be propagated less often, but in
batches.
In any case, this scheme does not drop events, no matter
how quickly they are generated.
In rare cases, the scheme may result in unwanted behaviour,
because the client-side is allowed to be slighly out of
sync at the time an event is recorded with the server-side
(and more so on high-latency links). The drastic
alternative is to discard events while a response is
pending, and can be configured by setting this option to
true.
-->
<strict-event-serialization>false</strict-event-serialization>
<!-- Enables web socket.
By default Ajax and long polling are used to communicate
between server and browser.
By enabling web socket support, if the browser supports
WebSockets, then WebSocket is the protocol used for
communication between client and server. WebSockets are
currently only supported by the built-in httpd Connector,
which acts as both an HTTP and WebSocket server. The WebSocket
protocol is intentionally not compatible with HTTP, through
a special hand-shake mechanism, and requires
that all (reverse) proxy servers also have explicit support
for this protocol.
This feature is still experimental: the Web Sockets RFC is
still a draft. Wt implements up to version 17 of the draft
(latest as of November 2011).
-->
<web-sockets>false</web-sockets>
<!-- Enables the detection of webgl-capabilites.
When this is enabled, the browser will try to create a
webgl-context when loading to verify that it is possible. This
is neccesary when using WGLWidget.
This can take up some load time. When your application does not
use WGLWidget, this option can be set to false. It will improve
the initial loading time of the web-application.
-->
<webgl-detection>true</webgl-detection>
<!-- Redirect message shown for browsers without JavaScript support
By default, Wt will use an automatic redirect to start the
application when the browser does not support
JavaScript. However, browsers are not required to follow
the redirection, and in some situations (when using XHTML),
such automatic redirection is not supported.
This configures the text that is shown in the anchor which
the user may click to be redirected to a basic HTML version
of your application.
-->
<redirect-message>Load basic HTML</redirect-message>
<!-- Whether we are sitting behind a reverse proxy
When deployed behind a reverse proxy (such as Apache or Squid),
the server location is not read from the "Host" header,
but from the X-Forwarded-For header, if present.
This option is required to make e.g. clientAddress() return the
correct address.
-->
<behind-reverse-proxy>false</behind-reverse-proxy>
<!-- Whether inline CSS is allowed.
Some Wt widgets will insert CSS rules in the the inline
stylesheet when first used. This can be disabled using this
configuration option.
Note: some widgets, such as WTreeView and WTableView,
dynamically manipulate rules in this stylesheet, and will
no longer work properly when inline-css is disabled.
-->
<inline-css>true</inline-css>
<!-- The timeout before showing the loading indicator.
The value is specified in ms.
-->
<indicator-timeout>500</indicator-timeout>
<!-- The timeout for processing a double click event.
The value is specified in ms.
-->
<double-click-timeout>200</double-click-timeout>
<!-- Ajax user agent list
Wt considers three types of sessions:
- Ajax sessions: use Ajax and JavaScript
- plain HTML sessions: use plain old server GETs and POSTs
- bots: have clean internal paths and no persistent sessions
By default, Wt does a browser detection to distinguish between
the first two: if a browser supports JavaScript (and has it
enabled), and has an Ajax DOM API, then Ajax sessions are chosen,
otherwise plain HTML sessions.
Here, you may indicate which user agents should or should
not receive an Ajax session regardless of what they report as
capabilities.
Possible values for 'mode' or "white-list" or "black-list". A
white-list will only treat the listed agents as supporting Ajax,
all other agents will be served plain HTML sessions. A black-list
will always server plain HTML sessions to listed agents and
otherwise rely on browser capability detection.
Each <user-agent> is a regular expression.
-->
<user-agents type="ajax" mode="black-list">
<!-- <user-agent>.*Crappy browser.*</user-agent> -->
</user-agents>
<!-- Bot user agent list
Here, you can specify user agents that should be should be
treated as bots.
Each <user-agent> is a regular expression.
-->
<user-agents type="bot">
<user-agent>.*Googlebot.*</user-agent>
<user-agent>.*msnbot.*</user-agent>
<user-agent>.*Slurp.*</user-agent>
<user-agent>.*Crawler.*</user-agent>
<user-agent>.*Bot.*</user-agent>
<user-agent>.*ia_archiver.*</user-agent>
<user-agent>.*Twiceler.*</user-agent>
</user-agents>
<!-- Configures different rendering engines for certain browsers.
Currently this is only used to select IE7 compatible rendering
engine for IE8, which solves problems of unreliable and slow
rendering performance for VML which Microsoft broke in IE8.
Before 3.3.0, the default value was IE8=IE7, but since 3.3.0
this has been changed to an empty string (i.e. let IE8 use the
standard IE8 rendering engine) to take advantage of IE8's
improved CSS support. If you make heavy use of VML, you may need
to revert to IE8=IE7.
-->
<UA-Compatible></UA-Compatible>
<!-- Configures whether the progressive bootstrap method is used.
The default bootstrap method first senses whether there is Ajax
support, and only then creates the application.
The progressive bootstrap method first renders a plain HTML
version and later upgrades to an Ajax version.
(Not to be confused with the Twitter Bootstrap theme)
-->
<progressive-bootstrap>false</progressive-bootstrap>
<!-- Set session-ID cookie
In its default (and recommended) configuration, Wt does not
rely on cookies for session tracking.
Wt has several mechanisms in place to prevent session ID stealing:
- for an Ajax session, the session ID is not shown in the URL,
avoiding session ID stealing through a referer attack.
- in case the session ID is present in the URL (e.g. for a plain
HTML session), Wt will redirect links to images or external
anchors through an intermediate page that censors the session ID
In case of the loss of a session ID, the impact is minimized:
- a full page refresh is not supported if the client IP address
changes or the user-agent changes
- an Ajax update is protected by other state which is not exposed
in the URL
To still enable a full page refresh when the client IP address
changes, an additional cookie may be set which is used only
for this purpose, and can be enabled using this setting.
-->
<session-id-cookie>false</session-id-cookie>
<!-- Configure cookie checks
By default, Wt will test for cookie support using JavaScript.
Because cookie manipulation from JavaScript is a common security
risk vector, some prefer to disable these checks.
-->
<cookie-checks>true</cookie-checks>
<!-- Configure meta headers
The user-agent allows optional filtering based on the
user-agent, using a regular expression. You can have multiple
set-meta-headers definitions.
-->
<meta-headers user-agent=".*MSIE.*">
<meta name="robots" content="noindex" />
</meta-headers>
<!-- Runtime Properties
These properties may be used to adapt applications to their
deployment environment. Typical use is for paths to resources
that may or may not be shared between several applications.
-->
<properties>
<!-- baseURL property
The absolute URL at which the application is deployed
(known to the user). This is needed only in two scenarios.
a) use of relative URLs in included XHTML
When you use relative URLs for images, etc... in
literal XHTML fragments (e.g. in WTemplate), which need
to resolve against the deployment path of the
application. This will not work as expected in the
presence of an internal application path. This URL is
set as base URL in the HTML, against which relative
URLs are resolved so that these work correctly
regardless of the internal path. It is also used
explicitly in any URL generated by the library.
b) widgetset mode deployments
Another situation in which you need to define the baseURL is
when deploying a widgetset mode application behind a reverse
proxy. A widgetset mode application uses only absolute URLs
because it may be hosted in a web page from an entirely
different domain.
By default, no baseURL is specified, in which case Wt will
avoid using absolute URLs. Relative URLs passed in API calls
will be "fixed" so that they resolve against the location of the
application deploy path, even in the presence of an
internal path.
-->
<!-- <property name="baseURL">"http://mysite.com/app</property> -->
<!-- resourcesURL property
The URL at which the resources/ folder is deployed that
comes distributed with Wt and contains auxiliary files
used to primarily for styles and themes.
The default value is 'resources/'
-->
<property name="resourcesURL">resources/</property>
<!-- extBaseURL property
Used in conjunction with Ext:: widgets, and points to the
URL of Ext JavaScript and resource files (css, images).
See the documentation for the Ext namespace for details.
The default value is 'ext/'
-->
<property name="extBaseURL">ext/</property>
<!-- favicon property
By default, a browser will try to fetch a /favicon.ico icon
from the root of your web server which is used as an icon
for your application. You can specify an alternative location
by setting this property, or for an individual application
entry point by passing a location to WServer::addEntryPoint().
-->
<!-- <property name="favicon">images/favicon.ico</property> -->
</properties>
</application-settings>
<!-- Override settings for specific applications.
Location refers to physical filesystem location of the
application. The application prints this location (which
corresponds to argv[0]) to the log file on startup, and this
should match exactly.
-->
<!--
<application-settings
location="/var/www/localhost/wt-examples/hello.wt">
</application-settings>
-->
</server>
|