CLI reference
The complete servery command-line surface. Every flag maps to a
Config.create() keyword if you're using servery as a
library.
servery [OPTIONS] [directory]
directory — the folder to serve (default: the current directory).
Run servery --help for the same list inline, or servery --version.
Basics
| Flag |
Default |
Description |
-p, --port PORT |
8000 |
port to listen on (if taken, the next free port is used) |
-b, --bind ADDR |
127.0.0.1 |
bind address (0.0.0.0 to expose on the network) |
--show-hidden |
off |
include dotfiles in listings |
-q, --quiet |
off |
suppress request logging and the startup banner |
--timeout SECONDS |
30 |
per-connection socket timeout |
--profile NAME |
— |
apply a preset bundle of flags |
Uploads
| Flag |
Default |
Description |
--upload |
off |
accept POST multipart/form-data uploads, and resumable Content-Range PUT uploads, into the tree |
--max-upload-size BYTES |
100 MiB |
maximum accepted upload size |
--allow-overwrite |
off |
let uploads overwrite existing files |
--upload-extract |
off |
safely expand uploaded zip/tar archives (requires --upload) |
→ Uploads & authentication
Authentication
| Flag |
Default |
Description |
--auth USER:PASS |
off |
require HTTP Basic auth (or USER:sha256:HEX / USER:sha512:HEX) |
HTTPS & certificates
| Flag |
Default |
Description |
--tls-cert PATH |
— |
TLS certificate chain (PEM); enables HTTPS |
--tls-key PATH |
— |
TLS private key (PEM) |
--tls-self-signed |
off |
generate an ad-hoc self-signed cert at startup |
--tls-password-file PATH |
— |
file holding the private-key passphrase |
--tls-help |
— |
print how to generate a self-signed cert, then exit |
--acme DOMAIN |
— |
obtain a Let's Encrypt cert for DOMAIN via ACME HTTP-01 (repeatable) |
--acme-email EMAIL |
— |
ACME account contact email |
--acme-production |
staging |
use the production Let's Encrypt CA |
→ HTTPS & certificates
WebDAV
| Flag |
Default |
Description |
--dav |
off |
enable a (read-only) WebDAV endpoint, mountable as a drive |
--dav-write |
off |
allow WebDAV writes (requires --dav; use with --auth) |
→ WebDAV
LAN sharing
| Flag |
Default |
Description |
--qr |
off |
print a scannable QR code of the LAN URL on startup |
--discoverable |
off |
advertise over mDNS/DNS-SD (Bonjour) |
→ Sharing on a LAN
Web behaviors
| Flag |
Default |
Description |
--cache SECONDS |
no-cache |
Cache-Control: max-age for file responses |
--cors |
off |
send permissive CORS headers (Access-Control-Allow-Origin: *) |
--spa |
off |
serve /index.html for unknown paths (single-page apps) |
--no-compress |
(on) |
disable on-the-fly compression (zstd on 3.14+, else gzip) of text-like responses |
--no-security-headers |
(on) |
disable servery's default security response headers |
--access-log PATH |
— |
write an access log to PATH |
--access-log-format {clf,combined,json} |
clf |
access log format |
→ Compression, caching & headers
Protocols & concurrency
| Flag |
Default |
Description |
--http2 |
off |
HTTP/2 (ALPN h2 over TLS, or h2c cleartext) |
--http3 |
off |
HTTP/3 over QUIC (needs TLS + servery[http3]) |
--max-workers N |
unbounded |
bound concurrency to N worker threads |
→ HTTP/2, HTTP/3 & concurrency
TFTP (opt-in; separate UDP listener)
Serves the same directory over TFTP (RFC 1350) alongside HTTP — for PXE boot
and network gear. No authentication or encryption: trusted LAN / lab networks
only. Read-only unless --tftp-write.
| Flag |
Default |
Description |
--tftp |
off |
also serve the directory over TFTP on UDP (read-only) |
--tftp-port PORT |
69 |
UDP port for TFTP (below 1024 needs privileges) |
--tftp-write |
off |
allow anonymous TFTP uploads (WRQ); requires --tftp |
→ HTTP/2, HTTP/3 & concurrency
Apps & proxying (opt-in; replace file serving)
| Flag |
Description |
--wsgi MODULE:APP |
serve a WSGI application |
--asgi MODULE:APP |
serve an ASGI application (experimental) |
--cgi DIR |
execute CGI scripts from DIR (runs code; off by default) |
--proxy PREFIX=URL |
reverse-proxy PREFIX… to an upstream (repeatable; composes with file serving) |
→ Running apps & proxying
Profiles
--profile NAME applies a preset bundle of flags. Any explicit flag still
overrides the preset. Profiles that expose a writable surface to the network
require --auth.
| Profile |
Bundles |
local |
the safe default — 127.0.0.1, read-only, cleartext |
share |
bind 0.0.0.0 + self-signed TLS |
inbox |
bind 0.0.0.0 + TLS + --upload (requires --auth) |
public-readonly |
bind 0.0.0.0 + TLS + 1-hour cache |
public-readwrite |
bind 0.0.0.0 + TLS + --upload (requires --auth) |
cdn |
bind 0.0.0.0 + TLS + 1-year cache + CORS + HTTP/2 |
dev |
127.0.0.1 + SPA fallback + CORS |
app |
bind 0.0.0.0 + TLS + --max-workers = CPU count |
servery --profile cdn ./assets # long-cache static origin
servery --profile inbox --auth me:s3 # secure LAN drop box