Configuration Directives¶

charset="STRING"

Character set to use with text MIME types, default"UTF-8".If the default unicode charset causes trouble, try"iso-8859-1".

check-referer=<true|false>

Enable check for external sites referencing material on your web server.For more information on referrers, seemerecat(8).Disabled by default.

check-symlinks=<true|false>

For increased security, set this to true. Unless running chrooted inwhich case this is not really necessary. Disabled by default.

chroot=<true|false>

Change web server root toWEBDIR,or the current directory, if noWEBDIRis given as argument. Chrooting is a security measure and means thatmerecat.confcannot access files outside it, unless files are bind mounted, orsimilar into the chroot. Disabled by default.

compression-level=-1..9

Control the compression level of the built-in Apache-like mod_deflate.The default value is -1, which gives a reasonable compromize betweenspeed and compression. To disable compression set this to0and to get maximum compression,9.

The default setting,-1,means all "text/*" MIME type files, larger than 256 bytes, arecompressed before sending to the client.

directory=DIR

If no WEBDIR is given on the command line this option can be used tochange the web server document root. Defaults to the current directory.When chrooting this is the root directory, see thedata-directorydirective for more help.

data-directory=DIR

This setting is only relevant when chrooting, it adjusts the web serverdocument root relative to thedirectorydirective.

global-passwd=<true|false>

Set this to true to protect the entire directory tree with asingle.htpasswdand/or.htaccessfile. When unset, which is the default,merecat.conflooks for a local.htpasswdand.htaccessfile, or serves the file without password.

hostname=HOSTNAME

The hostname to bind to when multihoming. For more details on this, seebelow discussion.

list-dotfiles=<true|false>

If dotfiles should be skipped in directory listings. Disabled by default.

local-pattern="PATTERN"

Used withcheck-referer,seemerecat(8)for more details.

max-age=SEC

Controls the global max-age setting, in seconds, set in the HTTP/1.1"Cache-Control:max-age"header, returned with all responses. The default setting is disabledsince v2.32 and the user is recommended to use per-resource cachecontrol. See the server location directive for details.

port=PORT

The web server Internet port to listen to, defaults to 80, or 443 whenHTTPS is enabled. See thesslsection below for more on configuring an HTTPS server.

url-pattern="PATTERN"

Used withcheck-referer,seemerecat(8)for more details.

username="NAME"

Set username to drop privileges to after startup. Defaults to "nobody"which usually is defined on all UNIX systems.

virtual-host=<true|false>

Enable virtual hosting, disabled by default. For more information onthis, seemerecat(8).

user-agent-deny="PATTERN"

Wildcard pattern to deny access to illicit hammering bots. When set amatching user-agent will receive a 403 for all its requests. Use forinstance"**SemrushBot**"or"**SemrushBot**|**MJ12Bot**|**DotBot**"to match multiple user-agents.

The default is disabled, i.e. all user-agents are allowed.

cgi"PATTERN"{

Wildcard pattern for CGI programs, for instance"**.cgi"or"**.cgi|/cgi-bin/*".See the dedicated CGI section inmerecat(8)for more on this.

enabled=<true|false>

The CGI module is disabled by default.

limit=NUM

Maximum number of allowed simultaneous CGI programs. Default 1.

}

 

php"PATTERN"{

Wildcard pattern for PHP scripts, for instance"**.php*"or"**.php5*|**.php4*|**.php*".Notice the trailing*,it is very important otherwise any HTTP GET request with arguments willfail.

enabled=<true|false>

The PHP module is disabled by default.

cgi-path="/path/to/php-cgi"

Default is"/usr/bin/php-cgi"

}

 

ssi"PATTERN"{

Wildcard pattern for triggering SSI, for instance"**.shtml"or"**.shtml|**.stm|**.shtm".

enabled=<true|false>

The SSI module is disabled by default.

cgi-path="/path/to/ssi"

Default is"cgi-bin/ssi".Seessi(8)for more information.

silent=<true|false>

This setting can be used to silence “[an error occurred while processingthe directive]”, shown when an error occurrs during SSI processing.Default disabled (false).

}

 

ssl{

protocol="PROTOCOL"

Minimum SSL/TLS protocol level to enable. Can be one of:SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3.The default minimum protocol isTLSv1.1.Note, some (Linux) distributions haveSSLv3disabled by default in their OpenSSL packages.

ciphers="CIPHERS"

The preferred list of ciphers the server supports. For a list ofavailable ciphers, see theciphers(1)man page. The default covers both TLSv1.3 (new ciphersuite) andolder cipher list:

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256: \
HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4:!DHE-RSA-CAMELLIA256-SHA:             \
!DHE-RSA-CAMELLIA128-SHA:!ECDHE-RSA-CHACHA20-POLY1305:                      \
!DHE-RSA-CHACHA20-POLY1305:!DHE-RSA-AES256-CCM8:!DHE-RSA-AES256-CCM:        \
!DHE-RSA-AES128-CCM8:!DHE-RSA-AES128-CCM

certfile=/path/to/cert.pem

Public part of HTTPS certificate, optionally with full certificatechain. E.g.,fullchain.pemif you use Let's Encrypt. Only PEM format is supported.

keyfile=/path/to/key.pem

Private key of HTTPS certificate, e.g.,privkey.pemif you use Let's Encrypt. Only PEM format is supported.

Note:This file must be kept private and should not be in the WEBROOTdirectory.

dhfile=/path/th/dhparam.pem

Optional Diffie-Hellman parameters. Not secret, unlike thekeyfilethedhfilecan be published online, if necessary. Create one like this:

openssl dhparam -out dhparam.pem 2048

}

 

servername{

port=PORT

Server port to listen to.

ssl{...}

Same as the global settings, above, only for this server.

location"PATTERN"{

path=path/to/rewrite

If a server location directive is found it has precedence overanyredirector virtual host. It is primarily used to rewrite, or redirect,requests inside the current server context.

E.g., for handlingcertbotHTTP-01 renewal, use this in the port 80 server context. Anyother path will be redirected to HTTPS, using the belowredirectdirective:

location "/.well-known/acme-challenge/**" {
    path = "letsencrypt/.well-known/acme-challenge/"
}

redirect"PATTERN"{

code=CODE

HTTP redirect code to use, default: 301. Supported codes are: 301, 302,303, 307.

location="proto://$host:port$request_uri$args"

Location to return for redirect, e.g. to redirect all request for HTTPto HTTPS for the same (virtual) host:

redirect "/**" {
    code = 301
    location = "https://$host$request_uri$args"
}

}

 

}