(* Configuration file for the "netplex" program. *)

netplex {
  controller {
    max_level = "debug";    (* Log level *)
    logging {
      type = "stderr";    (* Log to stderr *)
    }
  };
  service {
    name = "nethttpd";
    protocol {
      (* This section creates the socket *)
      name = "http";
      address {
	type = "internet";
	bind = "0.0.0.0:4444";
      };
(*
      address {
	type = "internet";
	bind = "[::1]:4445";   (* IPv6 example *)
      }
 *)
    };
    processor {
      (* This section specifies how to process data of the socket *)
      type = "nethttpd";
      access_log = "debug";  (* or "off" or "enabled" *)
      suppress_broken_pipe = true;
      host {
	(* Think of Apache's "virtual hosts" *)
	pref_name = "localhost";
	pref_port = 4444;
	names = "*:0";   (* Which requests are matched here: all *)
	uri {
	  path = "/";
	  service {
	    type = "file";
	    docroot = "/usr";
	    media_types_file = "/etc/mime.types";
	    enable_listings = true;
	  }
	};
	uri {
	  path = "/adder";  (* This path is bound to the adder *)
	  service {
	    type = "dynamic";
	    handler = "adder";
	  }
	}
      };
      tls {
        (* this is pretty good security: 112 bits minimum but with almost all
           clients 128 or 256 bits. Perfect forward secrecy is given priority
           over compatibility. (NB. 3DES-CBC is enabled for WinXP only.
           The strange part "-RSA:+RSA" removes RSA key exchange first and
           re-adds it as last choice, so that ECDHE and DHE have precedence.)
           Test your settings at ssllabs.com!
        *)
        algorithms = "%SERVER_PRECEDENCE:SECURE128:+SECURE192:+3DES-CBC:-RSA:+RSA";
        dh_params {
	  pkcs3_file = "dhparams"; (* This is a must-have for DHE *)
        };
        x509 {
          trust {
            (* The certificate of the CA *)
            crt_file = "certs/x509-ca.pem";
          };
          key {
            (* The crt_file contains your certificate plus any intermediate
               certificates needed for the chain (in this order), but not
               the CA certificate.
             *)
            crt_file = "certs/x509-server.pem";
            (* If the key is PEM-encoded it must not be password-protected
               (i.e. no "DEK-Info" line). We only support passwords for
               PKCS-8-encoded keys.
            *)
            key_file = "certs/x509-server-key.pem";
          };
(* (* if you need a second certificate, e.g. for a second domain or for
      rolling over to a renewed certificate *)
          key {
            crt_file = "certs/x509-server2.pem";
            key_file = "certs/x509-server2-key.pem";
          };
*)
        };
      };
    };
    workload_manager {
      type = "dynamic";
      max_jobs_per_thread = 1;  (* Everything else is senseless *)
      min_free_jobs_capacity = 1;
      max_free_jobs_capacity = 1;
      max_threads = 20;
    };
  }
}