By default, CommandBox will open your browser with the host and port of the server. You can customize the exact URL that opens. This setting will be appended to the current host and port.
Or you can completely override the URL if your setting starts with http://
.
For Multi-Site, the openBrowserURL can be configured on a per-site basis in the sites
object of the server.json
or in a .site.json
file. The browser will not open automatically, but this setting will control the options in the tray menu and the server open
command.
The syntax on this page is deprecated. It will still work for the foreseeable future, but we recommend using the instead which is much more powerful and allows multiple bindings.
The start
command will scan your system and find a random port that is not currently in use to start the server on. This ensures that multiple embedded servers can run at the same time on the same host without collisions. Ensure any redirects in your applications take the port into account.
For , any port and host settings can be configured on a per-site basis in the sites
object of the server.json
or in a .site.json
file.
You may want to set a specific port to use-- even port 80 if nothing else is using it. Pass the HTTP port parameter to the start command like so:
It is also possible to save the default port in your server.json
. Add a web.http.port
property, or issue the following command:
Now every time you start
your server, the same port will be used.
If the server won't start or is unreachable, make sure it's port is free with your operating system's netstat
command. On Unix-based OS's:
You can start your server to listen for SSL connections too.
You can customize what SSL protocols your HTTPS listener will respond to with the following XNIO option. Supply a comma-delimited list of valid protocols.
HTTP/2 is a newer standard of HTTP supported by all modern browsers. HTTP/2 is enabled by default any time you are using an HTTP/HTTPS listener, however all major browsers will only allow the server to negotiate HTTP/2 over an HTTPS connection. HTTP/2 runs over the same port and only changes the exchange between the server and browser. You can disable HTTP/2 support like so:
If you want to confirm whether your browser is using HTTP/2, you can open your debugging tools and look at the network requests. You may need to add the "protocol" column in the UI. HTTP/2 will usually show up as something like "h2" in the protocol column.
You can start your server to listen for AJP connections too.
Your application may rely on a specific host name other than the default of 127.0.0.1
. You can set the host to anything you like, but you must add a host
file entry that resolves your host name to an IP address assigned to your network adapter (usually 127.0.0.1)
If you have multiple IP addresses assigned to your PC, you can bind the server to a specific IP using the host
parameter.
A server configuration can only have one host entry. If you require your server to be available on multiple IP addresses of the machine it runs on, you can set the host to 0.0.0.0. This will effectively bind the server to all network interfaces (including local).
Or save in server.json
Most modern browsers allow you to make up any subdomain you want before localhost such as mySite.localhost
and will simply resolve them to localhost
(127.0.0.1
) even without a hosts file entry. CommandBox now supports using these domains and will bind your server's ports to localhost even without using the commandbox-hostupdater
module.
CommandBox's AJP listener (provided by Undertow) is already protected against the . However, if you would like to set utp an AJP secret as well to ensure all requests coming into the AJP listener are from a trusted source, you can do by setting the web.ajp.secret
property.
For this to work, you must also configure your AJP proxy in your web server to send the same secret! For requests received to the AJP listener which do not contain the secret, a 403
status code will be returned. You can customize the output of the 403 page via the settings.
The AJP secret is implemented via a . Feel free to add your own server rule instead of this setting if you want to customize how it works.
The syntax on this page is deprecated. It will still work for the foreseeable future, but we recommend using the new bindings
object instead which is much more powerful and allows multiple bindings.
Turning on SSL in your web server will will enable SSL without an approved SSL certificate. If you need an official certificate so you don't have to confirm your SSL connection you can add these entries
The cert file and private key can be a PEM encoded file, or a DER-format binary file.
You can also use a PFX file (PKCS #8) by specifying it in the web.ssl.certFile
setting and then put the password for the PFX file in the web.ssl.keyPass
setting. You won't use the web.ssl.keyFile
setting for a PFX since the private key is contained in the main file.
For Multi-Site, SSL Server Cert settings can be configured on a per-site basis in the sites
object of the server.json
or in a .site.json
file.
Although free certificates are available (e.g LetsEncrypt) this is not very convenient, because these certs are valid only for three months. Automatic renewal it is difficult if your dev site is not accessible from the web. For a few dollars a year (< 10) you can apply for a domain validated certificate from companies like Comodo, RapidSSL, Trustwave, Digicert, Geotrust and others or a reseller for these certs. For a domain validated certificate you need a valid domain which is under your control which means (depending on provider):
mail is sent to domain owner
or mail is sent to well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
or you can publish a DNS TXT record
So, now you have a valid domain, you have to generate a SSL key and a SSL Certificate Signing Request. With the CSR you can apply for the certificate. Generating a key and CSR with openSSL
This will generate output and some questions, and will finally result in a key file named dev_mydomain_com.key
and a certificate signing request (csr) named dev_mydomain_com.csr
You have to enter Country Name, State and City. Organization Name is preferably the same as the domain owner. Organizational Unit Name will not be checked, so enter something simple such as ICT Common Name is the host name for your site, such as dev.mydomain.com
You can skip Email Address and optional company name. For development you don't need a challenge password, which means your key file is NOT protected. But don't give this key to others or protect it with a challenge password. If you protect your key you have to server set web.SSL.keyPass=MyChallengePassword
Now you have a CSR, which you can submit at your SSL provider. They will send you a certificate file (*.csr), and probably one or more intermediate certificates. Create a new my.csr
file and copy everything from your certificate file into it, and append the intermediate certificate(s). Now you have a valid my.csr
certificate file and a key file. Place both files in a location accessible for your CommandBox and enter the corresponding paths to web.SSL.certFile
and web.SSL.keyFile
The syntax on this page is deprecated. It will still work for the foreseeable future, but we recommend using the new bindings
object instead which is much more powerful and allows multiple bindings.
You can configure the IP, Port, and hostnames for your servers in the bindings
object, which is new in CommandBox 6.0. Whereas the legacy syntax defaults to binding to localhost
, bindings will default to all IPs or 0.0.0.0
which is more consistent without mainstream web servers work.
The bindings
object goes inside your web
object in server.json
and for Multi-Site servers, you can also specify bindings
in each site as well.
There are 3 types of bindings, some of which have additional information that is specific to them
HTTP
SSL
HTTP/2 support
Server certs
Client certs
AJP
AJP secret
Each type of binding is represented by an object of that name inside the bindings
object. Everything is optional, so only specify what you need
Every binding has
IP address (can be *
or 0.0.0.0
which means All IPs)
Port
zero or more hostnames (An empty string or *
will match all hostnames)
Note, hostnames are only really used for Multi-Site servers. If you only have a single site defined, all traffic will be served by that site regardless of the hostname of the incoming request.
The default key to use is called listen
. You can specify JUST a port, which will default to all IPs and all hostnames:
We can also specify the IP address as an IP or a *
or 0.0.0.0
before the port delimited by a colon:
As an alternative to the listen
key, you can specify IP
and port
keys. This can be handy if you plan to override just part of a binding via env vars.
This syntax is mutually exclusive with the listen
key.
Add in as many hostnames as you need as a comma-delimited list or an array
More than one HTTP binding would look like this, where the same object is used, but inside of an array.
AJP
bindings work the same as the HTTP
binding examples above, but can have the addition of a secret
key. All AJP connections to this port will need to come bearing the required secret.
Technically, HTTP/2 can be enabled on either HTTP
or SSL
bindings, but most browsers will only negotiate HTTP/2 over SSL
.
HTTP/2 is enabled by default. The legacy web.http2enable
flag is still obeyed and will be applied to any bindings in that block unless otherwise overridden.
To configure a single SSL Server cert, you can specify the following keys inside the binding:
certFile
- A PEM-encoded DER cert or a PFX file
keyFile
- THe Private key (not used for PFX)
keyPass
- The key pass or PFX pass. Blank if not used
To configure multiple SSL certs on the same binding, use a certs
array of objects containing the same keys above for each cert you want to specify.
CommandBox will automatically use SNI (Server name Indication) to choose the correct cert to use when negotiating the SSL handshake based on the hostnames in each cert's
Subject Common Name (CN)
SAN (subject alternative names)
CommandBox will also handle SNI for wildcard certs as well.
If using Client Cert authentication, you can also specify client certs for each SSL binding in an object called clientCert
. This object can have the following child keys:
mode
CACertFiles
CATrustStoreFile
CATrustStorePass
SSLRenegotiationEnable
For more information on how to configure and use client certs, check out our guide here.