This document clarifies different HTTP functionalities available in Quarkus.
Eclipse Vert.x supplies the fundamental HTTP layer. For Servlet support, Quarkus employs a customized Undertow version that operates on top of Vert.x, while Jakarta REST support is delivered through RESTEasy.
When Undertow is present, RESTEasy functions as a Servlet filter. In its absence, RESTEasy operates directly on Vert.x without involving Servlets.
If you are looking to use Quarkus for a web application, look at the Quarkus for the Web guide.
To serve static resources from the application jar, you must place them in the META-INF/resources directory of your application. This location
was chosen as it is the standard location for resources in jar files as defined by the Servlet spec. Even though
Quarkus can be used without Servlet, following this convention allows existing code that places its resources in this
location to function correctly.
Look at the Web dependency locator guide for details on how to use WebJars, mvnpm and importmaps
Static resources can be served from a local directory by installing an additional route in the Vert.x router.
For instance, to serve resources from the static/ directory relative to the current path at http://localhost:8080/static/,
you can install the following route:
package org.acme;
import io.quarkus.runtime.StartupEvent;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.StaticHandler;
import jakarta.enterprise.event.Observes;
public class StaticResources {
void installRoute(@Observes StartupEvent startupEvent, Router router) {
router.route()
.path("/static/*")
.handler(StaticHandler.create("static/"));
}
}The response body of a static resource is not compressed by default.
You can enable the HTTP compression support by means of quarkus.http.enable-compression=true.
If compression support is enabled then the response body is compressed if the Content-Type header derived from the file name of a resource is a compressed media type as configured via quarkus.http.compress-media-types.
|
Tip
|
By default, the following list of media types is compressed: text/html, text/plain, text/xml, text/css, text/javascript, application/javascript, application/json, application/graphql+json and application/xhtml+xml.
|
|
Note
|
If the client does not indicate its support for HTTP compression in a request header, e.g. Accept-Encoding: deflate, gzip, br, then the response body is not compressed.
|
|
Tip
|
Brotli compression is not available by default. You can enable it by setting quarkus.http.compressors=deflate,gzip,br. In case of building native image, it adds around 1MB to your executable size.
|
Additionally, the index page for static resources can be changed from default index.html, the hidden files (e.g. dot files) can be indicated as not served, the range requests can be disabled, and the caching support (e.g. caching headers and file properties cache) can be configured.
By default, Quarkus will serve content from under the root context. If you want to change this you can use the
quarkus.http.root-path config key to set the context path.
If you are using Servlet you can control the Servlet context path via quarkus.servlet.context-path. This item is relative
to the http root above, and will only affect Servlet and things that run on top of Servlet. Most applications will
want to use the HTTP root as this affects everything that Quarkus serves.
If both are specified then all non-Servlet web endpoints will be relative to quarkus.http.root-path, while Servlet’s
will be served relative to {quarkus.http.root-path}/{quarkus.servlet.context-path}.
If REST Assured is used for testing and quarkus.http.root-path is set then Quarkus will automatically configure the
base URL for use in Quarkus tests, so test URL’s should not include the root path.
In general, path configurations for web content are interpreted relative to quarkus.http.root-path (which is / by default).
-
To specify paths within this context root, use a relative path that does not begin with a forward slash.
-
If you want to specify the URI explicitly, so it is always the same regardless of the value of
quarkus.http.root-path, use an absolute path that begins with a forward slash.
As an example, if an extension configures a service path, that endpoint will be served from ${quarkus.http.root-path}/service. If you change the configuration of that path to /service, that endpoint will be served from /service.
The Path Resolution in Quarkus blog post further explains how path resolution works for both user and extension defined paths.
|
Important
|
Management Interface
Refer to the management interface reference for more information. |
To have Quarkus support secure connections, you must either provide a certificate and associated key file, or supply a keystore.
In both cases, a password must be provided. See the designated paragraph for a detailed description of how to provide it.
|
Tip
|
To enable TLS/SSL support with native executables, please refer to our Using SSL With Native Executables guide. |
Quarkus provides a TLS centralized configuration that can be used to configure the server’s TLS context. It is the recommended approach to configure HTTPS.
To configure the HTTP server to use HTTPS, you can use the following configuration:
quarkus.tls.key-store.pem.0.cert=server.crt
quarkus.tls.key-store.pem.0.key=server.key
quarkus.http.insecure-requests=disabled # Reject HTTP requestsTo use a p12 (PKCS12) key store, apply the following configuration:
quarkus.tls.key-store.p12.path=server-keystore.p12
quarkus.tls.key-store.p12.password=secret
quarkus.http.insecure-requests=disabled # Reject HTTP requestsInstead of the default configuration, you can use a named configuration:
quarkus.tls.https.key-store.p12.path=server-keystore.p12
quarkus.tls.https.key-store.p12.password=secret
quarkus.http.insecure-requests=disabled
quarkus.http.tls-configuration-name=httpsIf you do not want to use the TLS registry, you can configure the HTTP server directly.
If the certificate has not been loaded into a keystore, it can be provided directly using the properties listed below. Quarkus will first try to load the given files as resources, and uses the filesystem as a fallback. The certificate / key pair will be loaded into a newly created keystore on startup.
Your application.properties would then look like this:
quarkus.http.ssl.certificate.files=/path/to/certificate
quarkus.http.ssl.certificate.key-files=/path/to/keyAn alternate solution is to directly provide a keystore which already contains a default entry with a certificate. You will need to at least provide the file and a password.
As with the certificate/key file combination, Quarkus will first try to resolve the given path as a resource, before attempting to read it from the filesystem.
Add the following property to your application.properties:
quarkus.http.ssl.certificate.key-store-file=/path/to/keystoreAs an optional hint, the type of keystore can be provided as one of the options listed. If the type is not provided, Quarkus will try to deduce it from the file extensions.
quarkus.http.ssl.certificate.key-store-file-type=[one of JKS, JCEKS, P12, PKCS12, PFX]In both aforementioned scenarios, a password needs to be provided to create/load the keystore with.
The password can be set in your application.properties (in plain-text) using the following property:
quarkus.http.ssl.certificate.key-store-password=your-passwordHowever, instead of providing the password as plain-text in the configuration file (which is considered bad practice), it can instead be supplied (using MicroProfile Config)
as the environment variable QUARKUS_HTTP_SSL_CERTIFICATE_KEY_STORE_PASSWORD.
This will also work in tandem with Kubernetes secrets.
Note: To remain compatible with earlier versions of Quarkus (before 0.16) the default password is set to "password". It is therefore not a mandatory parameter!
By default, Quarkus listens to port 8443 for SSL secured connections and 8444 when running tests.
These ports can be configured in your application.properties with the properties quarkus.http.ssl-port and quarkus.http.test-ssl-port.
It is possible to disable the HTTP port and only support secure requests. This is done via the
quarkus.http.insecure-requests property in application.properties. There are three possible
values:
enabled-
The default, HTTP works as normal
redirect-
HTTP requests will be redirected to the HTTPS port
disabled-
The HTTP port will not be opened.
|
Note
|
if you use redirect or disabled and have not added an SSL certificate or keystore, your server will not start!
|
Key store, trust store and certificate files can be reloaded periodically.
Configure the quarkus.http.ssl.certificate.reload-period property to specify the interval at which the certificates should be reloaded:
quarkus.http.ssl.certificate.files=/mount/certs/tls.crt
quarkus.http.ssl.certificate.key-files=/mount/certs/tls.key
quarkus.http.ssl.certificate.reload-period=1hThe files are reloaded from the same location as they were initially loaded from. If there is no content change, the reloading is a no-op. It the reloading fails, the server will continue to use the previous certificates.
To enable HTTP headers to be sent on every response, add the following properties:
quarkus.http.header."X-Content-Type-Options".value=nosniffThis will include the X-Content-Type-Options: nosniff HTTP Header on responses for requests performed on any resource in the application.
You can also specify a path pattern and the HTTP methods the header needs to be applied:
quarkus.http.header.Pragma.value=no-cache
quarkus.http.header.Pragma.path=/headers/pragma
quarkus.http.header.Pragma.methods=GET,HEADThis will apply the Pragma header only when the /headers/pragma resource is called with a GET or a HEAD method
If you need different header values depending on the path, you can use the following configuration:
quarkus.http.filter.index.header."Cache-Control"=none
quarkus.http.filter.index.matches=/index.htmlThis will set the Cache-Control header to none when /index.html is called.
|
Important
|
The index after quarkus.http.filter in the key is used for grouping and (as an example) can be named as you like.
|
You can use a regular expression in the path and also specify the HTTP methods where the HTTP header will be set:
quarkus.http.filter.static.header."Cache-Control"=max-age=31536000
quarkus.http.filter.static.methods=GET,HEAD
quarkus.http.filter.static.matches=/static/.*In case of overlapping paths in the configuration, you can specify an order (higher values take precedence). For example, having the following configuration:
quarkus.http.filter.just-order.order=10
quarkus.http.filter.just-order.header."Cache-Control"=max-age=5000
quarkus.http.filter.just-order.matches=/paths/order
quarkus.http.filter.any-order.order=11
quarkus.http.filter.any-order.header."Cache-Control"=max-age=1
quarkus.http.filter.any-order.matches=/paths/order.*Will include the Cache-Control: max-age=1 header when /paths/order is requested.
To support 100-continue, the quarkus.http.handle-100-continue-automatically option needs to be enabled explicitly
For additional information check 100-continue and the related
Vert.x documentation.
quarkus.http.handle-100-continue-automatically=trueHTTP/2 is enabled by default, and will be used by browsers if SSL is in use. Even if SSL is not in use HTTP/2 via cleartext upgrade is supported, and may be used by non-browser clients.
If you want to disable HTTP/2 you can set:
quarkus.http.http2=falseNote that some configuration attributes are specific to HTTP/2.
For example, to configure the max header list size (~ header), you need to configure the quarkus.http.limits.max-header-list-size attribute.
You can also enable or disable HTTP/2 push using quarkus.http.http2-push-enabled.
If you don’t want to specify a port you can set quarkus.http.port=0 or quarkus.http.test-port=0. A random open port
will be picked by the OS, and a log message printed in the console. When the port is bound the quarkus.http.port system
property will be set to the actual port that was selected, so you can use this to get the actual port number from inside
the application. If you are in a test you can inject the URL normally and this will be configured with the actual port,
and REST Assured will also be configured appropriately.
|
Warning
|
As this sets a system property you can access quarkus.http.port via MicroProfile Config, however if you use
injection the injected value may not always be correct. This port allocation is one of the last things to happen in
Quarkus startup, so if your object that is being injected is created eagerly before the port has opened the injected
value will not be correct.
|
To make your Quarkus application accessible to another application running on a different domain, you need to configure cross-origin resource sharing (CORS). For more information about the CORS filter that Quarkus provides, see the Quarkus CORS filter section of the "Cross-origin resource sharing" guide.
Traffic shaping allows you to limit the bandwidth across all channels (i.e. connections), regardless of the number of open channels. This can be useful when you want to control the overall network traffic to prevent congestion or prioritize certain types of traffic.
To enable traffic shaping, add the following property in your application configuration:
quarkus.http.traffic-shaping.enabled=true # Required to enable traffic shapingThe traffic shaping allows you to configure various parameters, such as write and read limitations (in bytes per second), check interval (the delay between two computations of the bandwidth), and maximum time to wait:
quarkus.http.traffic-shaping.enabled=true # Required to enable traffic shaping
quarkus.http.traffic-shaping.check-interval=30s
quarkus.http.traffic-shaping.outbound-global-bandwidth=1M
quarkus.http.traffic-shaping.inbound-global-bandwidth=1M
quarkus.http.traffic-shaping.max-delay=10sThe check interval represents the period at which the traffic is computed, and a higher interval may result in less precise traffic shaping. Despite 0 being accepted (no accounting), it is recommended to set a positive value for the check interval, even if it is high since the precision of the traffic shaping depends on the period where the traffic is computed. In this case, a suggested value is something close to 5 or 10 minutes.
The outbound-global-bandwidth and inbound-global-bandwidth parameters represent the maximum number of bytes per second for write and read operations, respectively.
You shall also consider to have object size in read or write operations relatively adapted to the bandwidth you required.
For instance having 10 MB objects for 10KB/s will lead to burst effect, while having 100 KB objects for 1 MB/s should be smoothly handle by the traffic shaping.
Additionally, you can set the maximum time to wait (max-delay), which specifies an upper bound for time shaping.
By default, it is set to 15 seconds.
It must be less than the HTTP timeout.
When one of the threshold is reached, no write happens for that period of time.
You can add HTTP request logging by configuring it in application.properties. There are two options for logging,
either logging to the standard JBoss logging output, or logging to a dedicated file.
| Attribute | Short Form | Long Form |
|---|---|---|
Remote IP address |
|
|
Local IP address |
|
|
Bytes sent, excluding HTTP headers, or '-' if no bytes were sent |
|
|
Bytes sent, excluding HTTP headers |
|
|
Remote host name |
|
|
Request protocol |
|
|
Request method |
|
|
Local port |
|
|
Query string (prepended with a '?' if it exists, otherwise an empty string) |
|
|
First line of the request |
|
|
HTTP status code of the response |
|
|
Date and time, in Common Log Format format |
|
|
Date and time as defined by a DateTimeFormatter compliant string |
|
|
Remote user that was authenticated |
|
|
Requested URL path |
|
|
Request relative path |
|
|
Local server name |
|
|
Time taken to process the request, in millis |
|
|
Time taken to process the request, in seconds |
|
|
Time taken to process the request, in micros |
|
|
Time taken to process the request, in nanos |
|
|
Current request thread name |
|
|
SSL cypher |
|
|
SSL client certificate |
|
|
SSL session id |
|
|
All request headers |
|
|
Cookie value |
|
|
Query parameter |
|
|
Request header |
|
|
Response header |
|
|
Vert.x Routing Context Internal Data |
|
|
Vert.x MDC data (e.g. 'traceId' for OpenTelemetry) |
|
Set quarkus.http.access-log.consolidate-rerouted-requests=true to enable support for the modifier <. This modifier can be used for requests that have been internally redirected to consult the original request.
The following attributes support this modifier:
| Attribute | Short Form | Long Form |
|---|---|---|
First line of the request |
|
|
Request method |
|
|
Request relative path |
|
|
Requested URL path |
|
|
Query string (prepended with a '?' if it exists, otherwise an empty string) |
|
|
Query parameter |
|
|
Note
|
Set |
|
Note
|
Assuming security has been set up for the application (see our guide for more details),
logging attribute |
|
Tip
|
Use |
Quarkus allows users to arbitrarily customize the options of HTTP servers started by Quarkus via the use of io.quarkus.vertx.http.HttpServerOptionsCustomizer.
For example, if the HTTP port needs to be set programmatically, then the following code could be used:
import jakarta.inject.Singleton;
import io.quarkus.vertx.http.HttpServerOptionsCustomizer;
@Singleton (1)
public class MyCustomizer implements HttpServerOptionsCustomizer {
@Override
public void customizeHttpServer(HttpServerOptions options) { (2)
options.setPort(9998);
}
}-
By making the class a managed bean, Quarkus will take the customizer into account when it starts the Vert.x servers
-
In this case, we only care about customizing the HTTP server, so we just override the
customizeHttpServermethod, but users should be aware thatHttpServerOptionsCustomizerallows configuring the HTTPS and Domain Socket servers as well
In order to execute some custom action when the HTTP server is started you’ll need to declare an asynchronous CDI observer method.
Quarkus asynchronously fires CDI events of types io.quarkus.vertx.http.HttpServerStart, io.quarkus.vertx.http.HttpsServerStart and io.quarkus.vertx.http.DomainSocketServerStart when the corresponding HTTP server starts listening on the configured host and port.
HttpServerStart example@ApplicationScoped
public class MyListener {
void httpStarted(@ObservesAsync HttpServerStart start) { (1)
// ...notified when the HTTP server starts listening
}
}-
An asynchronous
HttpServerStartobserver method may be declared by annotating anHttpServerStartparameter with@jakarta.enterprise.event.ObservesAsync.
|
Note
|
It’s not possible to use the StartupEvent for this particular use case because this CDI event is fired before the HTTP server is started.
|
Quarkus could be accessed through proxies that additionally generate headers (e.g. X-Forwarded-Host) to keep
information from the client-facing side of the proxy servers that is altered or lost when they are involved.
In those scenarios, Quarkus can be configured to automatically update information like protocol, host, port and URI
reflecting the values in these headers.
|
Important
|
Activating this feature leaves the server exposed to several security issues (i.e. information spoofing). Consider activate it only when running behind a reverse proxy. |
To set up this feature, please include the following lines in src/main/resources/application.properties:
quarkus.http.proxy.proxy-address-forwarding=trueTo consider only de-facto standard header (Forwarded header), please include the following lines in src/main/resources/application.properties:
quarkus.http.proxy.allow-forwarded=trueTo consider only non-standard headers, please include the following lines instead in src/main/resources/application.properties:
quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-x-forwarded=true
quarkus.http.proxy.enable-forwarded-host=true
quarkus.http.proxy.enable-forwarded-prefix=true
quarkus.http.proxy.trusted-proxies=127.0.0.1 (1)-
Configure trusted proxy with the IP address
127.0.0.1. Request headers from any other address are going to be ignored.
Both configurations related to standard and non-standard headers can be combined, although the standard headers configuration will have precedence. However, combining them has security implications as clients can forge requests with a forwarded header that is not overwritten by the proxy. Therefore, proxies should strip unexpected X-Forwarded or X-Forwarded-* headers from the client.
Supported forwarding address headers are:
-
Forwarded -
X-Forwarded-Proto -
X-Forwarded-Host -
X-Forwarded-Port -
X-Forwarded-Ssl -
X-Forwarded-Prefix
One can easily add a SameSite cookie property to any of the cookies set by a Quarkus endpoint by listing a cookie name and a SameSite attribute, for example:
quarkus.http.same-site-cookie.jwt.value=Lax
quarkus.http.same-site-cookie.session.value=StrictGiven this configuration, the jwt cookie will have a SameSite=Lax attribute and the session cookie will have a SameSite=Strict attribute.
To use Servlet you need to explicitly include quarkus-undertow:
<dependency>
<groupId>io.quarkus</groupId>
<artifactId>quarkus-undertow</artifactId>
</dependency>implementation("io.quarkus:quarkus-undertow")You can make use of the Undertow predicate language using an undertow-handlers.conf file. This file should be placed
in the META-INF directory of your application jar. This file contains handlers defined using the
Undertow predicate language.
If you are using a web.xml file as your configuration file, you can place it in the src/main/resources/META-INF directory.
Route order values are the values that are specified via Vert.x route io.vertx.ext.web.Route.order(int) function.
Quarkus registers a couple of routes with specific order values.
The constants are defined in the io.quarkus.vertx.http.runtime.RouteConstants class and listed in the table below.
A custom route should define the order of value 20000 or higher so that it does not interfere with the functionality provided by Quarkus and extensions.
Route order constants defined in io.quarkus.vertx.http.runtime.RouteConstants and known extensions:
Route order value |
Constant name |
Origin |
|
|
Access-log handler, if enabled in the configuration. |
|
|
Handler adding the start-time, if enabled in the configuration. |
|
|
-replacement body handler. |
|
|
Body handler for the management router. |
|
|
Handlers that add headers specified in the configuration. |
|
|
CORS-Origin handler of the management router. |
|
|
Body handler. |
|
|
Route that enforces the upload body size limit. |
|
|
Compression handler. |
|
|
Route with priority over the default route (add an offset from this value). |
|
|
Default route order (i.e. Static Resources, Servlet). |
|
|
Route without priority over the default route (add an offset from this value) |