The Web Server fieldset controls how this Yioop instance is served over the web: whether it manages its own SSL/TLS certificates, which domain names those certificates cover, and, when Yioop is running as its own web server, which user the server process runs as and which HTTP protocols it offers.
Some of these settings apply no matter how Yioop is served. Auto SSL Certs and Secure Domains are useful whether Yioop is served by its own built-in web server or sits behind Apache or nginx, because certificate renewal runs as a background media job in either case. Run As User and ALPN Protocols apply only when Yioop is serving the site through its own built-in web server, since otherwise the front web server owns the network ports and the protocol negotiation; those two fields are hidden when Yioop is running behind another web server.
Auto SSL Certs
- Auto SSL Certs
- When checked, Yioop automatically obtains and renews SSL/TLS certificates for the site from a certificate authority using the ACME protocol (the same protocol used by Let's Encrypt). ACME stands for Automatic Certificate Management Environment: a standard way for software to prove it controls a domain and be issued a certificate without a human having to request one by hand. When this box is unchecked, no certificates are obtained or renewed automatically, and you are responsible for installing and updating certificates yourself.
When Auto SSL Certs is checked, the Secure Domains list appears so you can say which names the certificate should cover. When it is unchecked, that list is hidden.
For automatic certificates to be obtained, the certificate authority must be able to reach this site over the public internet on port 80 to verify that you control each domain. The built-in web server answers that verification request automatically; behind Apache or nginx the front server must be configured to let Yioop answer requests under the .well-known/acme-challenge/ path on port 80.
Secure Domains
- Secure Domains
- The list of domain names the certificate should cover. Add a name by typing it into the box and pressing the Add button (or the Enter key); remove a name with its Remove button. A single certificate can cover several names, so a typical site lists its main domain together with the subdomains it answers on.
For a new installation this list is pre-filled with a suggestion based on the address you used to reach this page: the site's own domain together with its conventional www. and mta-sts. subdomains. For example, reaching the settings through https://example.com/ suggests example.com, www.example.com, and mta-sts.example.com. The suggestion is only a starting point shown before you save; edit it to match the names your site actually answers on, then save. Until you save, nothing is stored, so the suggestion does not take effect on its own.
The suggestion is left empty when the page is reached through a bare IP address or through localhost, since the www. and mta-sts. subdomains make no sense for those.
Internal Web Server Settings
The following settings apply only when Yioop is serving the site through its own built-in web server. They are hidden when Yioop is running behind Apache, nginx, or another front web server, which owns the network ports and protocol negotiation in that case.
Run As User
- Run As User
- The user account the web server process runs as after it has bound the privileged ports (80 and 443). Binding those ports requires starting the server with administrative privileges, but the long-running process should not keep them; naming a less-privileged user here lets the server drop to that user once the ports are bound. The field is pre-filled with the user that launched the instance as a sensible starting value. Leaving it blank means the server keeps running as whoever started it (no drop).
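The bind-then-drop sequence described for Run As User, as an added Python sketch of the general Unix technique; it is not Yioop's own code, and the function names `resolve_user`, `drop_privileges` and `bind_then_drop` are hypothetical. It assumes a Unix host and shows the order of the identity changes and a check that root cannot be regained afterwards.

```python
import os
import pwd
import socket


def resolve_user(name):
    """Return (uid, primary gid, home) for an account name."""
    entry = pwd.getpwnam(name)  # KeyError if the account does not exist
    return entry.pw_uid, entry.pw_gid, entry.pw_dir


def drop_privileges(run_as_user):
    """Switch from root to run_as_user; return True if a drop happened.

    A blank name means no drop, as the field description says.
    """
    if not run_as_user:
        return False
    uid, gid, home = resolve_user(run_as_user)
    if os.geteuid() != 0:
        raise PermissionError("only root can switch to another user")
    # Order matters: supplementary groups, then gid, then uid. Once
    # setuid() has run, the process may no longer change its groups.
    os.initgroups(run_as_user, gid)
    os.setgid(gid)
    os.setuid(uid)
    os.environ["HOME"] = home
    if uid != 0:
        # Confirm the drop is permanent: regaining root must fail.
        try:
            os.setuid(0)
        except PermissionError:
            pass
        else:
            raise RuntimeError("privilege drop was reversible")
    return True


def bind_then_drop(ports, run_as_user, host="0.0.0.0"):
    """Bind listeners while still privileged, then drop privileges."""
    listeners = []
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((host, port))
        sock.listen()
        listeners.append(sock)
    return listeners, drop_privileges(run_as_user)
```

Started as root, `bind_then_drop([80, 443], "www-data")` returns the two bound sockets and `True`; the account name `www-data` is only a sample value.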
ALPN Protocols
- ALPN Protocols
- Which HTTP protocols the secure server offers to browsers. ALPN stands for Application-Layer Protocol Negotiation: a step in the TLS handshake where the browser and server agree on which protocol to speak. The choices are shown from newest to oldest.
- h3 — HTTP/3, which runs over QUIC on UDP port 443. When selected, the server opens a QUIC listener in addition to the normal TCP listener. HTTP/3 needs some optional components to be present; if they are missing, the server keeps serving over TCP and logs a note at startup.
- h2 — HTTP/2, which runs over TCP and is supported by all current browsers.
- http/1.1 — the long-standing HTTP version, offered as a fallback for older clients.
The protocols are advertised to browsers newest-first, so a browser chooses the most modern protocol it understands. By default h2 and http/1.1 are selected and h3 is left off; check h3 to also offer HTTP/3.
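An added Python example, not taken from Yioop, of the negotiation step that ALPN adds to the TLS handshake as specified in RFC 7301: the client sends a length-prefixed list of protocol names and the server answers with one selection. Applying the server's own preference order to the client's list is an assumption about server behaviour, and the function names are hypothetical.

```python
import struct


def encode_alpn(protocols):
    """Encode names as an ALPN ProtocolNameList (RFC 7301, section 3.1)."""
    body = b""
    for name in protocols:
        raw = name.encode("ascii")
        if not 1 <= len(raw) <= 255:
            raise ValueError("protocol name must be 1..255 bytes")
        body += bytes([len(raw)]) + raw
    return struct.pack("!H", len(body)) + body


def decode_alpn(data):
    """Parse a ProtocolNameList, rejecting truncated or padded input."""
    if len(data) < 2:
        raise ValueError("missing list length")
    (total,) = struct.unpack("!H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length does not match data")
    names, pos = [], 2
    while pos < len(data):
        size = data[pos]
        pos += 1
        if size == 0 or pos + size > len(data):
            raise ValueError("bad protocol name length")
        names.append(data[pos:pos + size].decode("ascii"))
        pos += size
    return names


def select_protocol(server_prefs, client_offer):
    """Return the first server preference the client also offered.

    None means there is no overlap; RFC 7301 has the server abort the
    handshake with the no_application_protocol alert (code 120) then.
    """
    offered = set(client_offer)
    for proto in server_prefs:
        if proto in offered:
            return proto
    return None
```

With only h2 selected, `select_protocol(["h2"], ["http/1.1"])` returns `None`, which is why http/1.1 is worth keeping as the fallback for older clients.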
Bootstrap Certificate
The first time the built-in secure server starts without a managed certificate (for example on a fresh installation, where Auto SSL Certs is off by default), Yioop writes a temporary self-signed certificate so that port 443 can start serving. Browsers show a trust warning for a self-signed certificate, which is expected. With Auto SSL Certs turned on, this placeholder is replaced by a real certificate once one has been obtained. You can also install your own certificate to replace it.