|1Conditional Configuration||

|^ Request processing (WASD_CONFIG_MAP) and authorization (WASD_CONFIG_AUTH)
rules may be conditionally applied depending on request, server or other
characteristics. These include

|simple#|
|item| server host name, port
|item| client IP address and host name
|item| browser-accepted content-types, character sets, languages, encodings
|item| browser identification string
|item| scheme ("http:" or "https:", i.e. is it a secure request?)
|item| HTTP method (GET, POST, etc.)
|item| request path, query string, cookie data, referring page
|item| virtual host:port specified in request header
|item| system information (hardware, Alpha/IA64/X86, node name, VMS version, etc.)
|item| local time
|item| random number generation
|!simple|

|2Service Conditionals|

|^ As described in |link|[[virtual-server]]|| a [[|/host||:|/port||]] rule
applies subsequent configuration depending  on whether the request service
matches the specified service.  This makes it a fundamental element of
conditional configuration.

|^ Note that service conditionals impose a boundary on the scope of
|/if..endif|| constructs.  That is, an |/if..endif|| may not span a virtual
service conditional.  A conditional flow syntax error is reported if an
|/if..endif|| construct is not properly closed before encountering a subsequent
[[|/host||:|/port||]] rule.

|2If..endif Conditionals|

|^ These may be nested up to a maximum depth of eight, are not case sensitive
and generally match via string comparison, although some tests are performed as
boolean operations, by converting the conditional parameter to a number before
comparison, and IP address parameters will accept a network mask as well as a
string pattern.

|0String Matching||

|^ The basis of much conditional decision making is string pattern matching. 
Both wildcard and regular expression based pattern matching are available
(|link|String Matching||).  Wildcard matching in conditional tests is
|/greedy||.  Regular expression matching, in common with usage throughout WASD,
is differentiated from wildcard patterns using a leading "^" character.

|0Conditional Syntax||

|^ Conditional expressions and processing flow structures may be used in the
following formats.  Conditional and rule text may be indented for clarifying
structure.

|code|
|*if (|/condition||)|| then apply rest of line

|*if (|/condition||)||
   then apply one
   or more rules
   up until the corresponding |...|
|*endif||

|*if (|/condition||)||
   then apply one
   or more rules
|*else||
   apply one or more other rules
   up until the corresponding |...|
|*endif||

|*if (|/condition||)||
   then apply one
   or more rules
|*elif (|/condition||)||
   apply one or more other rules
   in a sort of case statement
|*else||
   a possible default rule or rules
   up until the delimiting
|*endif||
|!code|

|^ Logical operators are also supported, in conjunction with precedence
ordering parentheses, allowing moderately complex compound expressions to be
applied in conditionals.

|table|
|~ |:= ! |. logical negation
|~ |:= &&\ \ \ |. logical AND
|~ |:= \|\| |. logical OR
|!table|

|^ There are two more conditional structures that allow previous decisions to
be reused.  These are |/unif|| and the |/ifif||.  The first
unconditionally includes rules regardless of the current state of execution. 
The second resumes execution only if the previous |/if|| or
|/elif|| expression was true.  The |/else|| statement may also
be used after an |/unif|| to continue only if the previous expression
was false.  The purpose of these constructs is to allow a single decision
statement to include both conditional and unconditional rules.

|code|
|*if (|/condition||)||
   then apply one
   or more rules
|*unif||
   apply this block of rules
   unconditionally
|*ifif||
   applied only if the original
   if expression was evaluated as true
|*unif||
   apply another block of rules
   unconditionally
|*else||
   and this block of rules
   only if the original was false
|*endif||
|!code|

|note|
|0CAUTIONS|

Conditional syntax is checked at rule load time (either server startup or
reload).  Basic errors such as unknown keywords and unbalanced parentheses or
structure statements will be detected and reported to the corresponding Admin
Menu report and to the server process log.
Unless these reports are checked after modifying rule sets, syntax errors may
result in unexpected mappings or access.

|^ Although the server cannot determine
the correct intent of an otherwise syntactically correct conditional, if it
encounters an unexpected but detectable condition during processing it aborts
the request, supplying an appropriate error message.

|^ Flow control errors (e.g. an |/if|| not closed by a subsequent
|/endif||) abort all rule processing and provide a fatal error report
to the client.

|!note|

|2Conditional Keywords|

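|^ The following keywords provide a match between the corresponding request or
other value and a string immediately following the delimiting colon.  White
space or other reserved characters may not be included unless preceded by a
backslash.  The actual value being used in the conditional matching may be
observed using the mapping item of the WATCH facility.  Note that keywords
described below as taken from a request header field (e.g. |/host:||,
|/cookie:||, |/referer:||, |/user-agent:||, |/forwarded:||,
|/x-forwarded-for:||) match text supplied by the client, which the client is
free to set to any value, so such a match on its own is not evidence of who or
where the client is when it is used to control authorization.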

|0Conditional Keywords|

|table|
|~_ |: Keyword|: Description
|~

|~#* |. accept: |. 
Browser-accepted content types as listed in the "Accept:" request
header field.  Same string as provided in CGI variable HTTP_ACCEPT.

|~ |. accept-charset: |. 
Browser-accepted character sets as listed in the "Accept-Charset:"
request header field.  CGI variable HTTP_ACCEPT_CHARSET.

|~ |. accept-encoding: |. 
Browser-accepted content encoding as listed in the
"Accept-Encoding:" request header field.  CGI variable
HTTP_ACCEPT_ENCODING.

|~ |. accept-language: |. 
Browser language preferences as listed in the
"Accept-Language:" request header field.  CGI variable
HTTP_ACCEPT_LANGUAGE.

|~ |. authorization: |. 
The raw authorization string from the request header, if any supplied. 
This could be simply used to test whether it has been supplied or not.

|~ |. callout: |. 
Simple boolean value. If a script callout is in progress (see "Scripting
Overview, CGI Callouts".) it is true, otherwise false.

|~ |. client_connect_gt: |. 
An integer representing the current network connections (those currently being
processed plus those currently being "kept alive") for the particular client
represented by the current request.  If greater than this value returns true,
otherwise false.
See |link|Client Concurrency||.

|~ |. cluster_member: |. 
True if the supplied node name is (perhaps currently) a member of the cluster (if
any) the server may be executing on.

|~ |. command_line: |. 
The command line qualifiers and parameters used when the server image was
activated.

|~ |. cookie: |. 
Raw cookie data as the text string provided in "Cookie:" request header field. 
CGI variable HTTP_COOKIE.

|~ |. decnet: |. 
Whether DECnet is active on the system and which version is available.  This
value will be 0 if not active, 4 if PhaseIV or 5 if PhaseV.

|~ |. dict: |. 
Matches the specified dictionary entry.
See |link|WATCH Dictionary||.

|~ |. directory: |. 
Tests whether the specified directory exists or not.  Parameter can be a URI
available for mapping by the server or a VMS file-system specification.  If no
parameter is supplied the request path is mapped to a file-system
specification.  As this conditional accesses the file-system it can be
|/relatively expensive in terms of server latency||.

|~ |. document_root: |. 
The DOCUMENT_ROOT CGI variable SET using the
|/map=root=<string>|| mapping rule.

|~ |. file: |. 
Tests whether the specified file exists or not.  Parameter can be a URI
available for mapping by the server or a VMS file-system specification.  If no
parameter is supplied the request path is mapped to a file-system
specification.  The specification can be a directory.  As this conditional
accesses the file-system it can be |/relatively expensive in terms of
server latency||.

|~ |. forwarded: |. 
Proxy/gateway host(s) request forwarded by, as specified in request header
field "Forwarded:".  CGI variable HTTP_FORWARDED.

|~ |. host: |. 
The host (and optionally port) specified in request header "Host:"
field.  This is used by all modern browsers to provide virtual host information
to the server.  CGI variable HTTP_HOST.

|~ |. http2: |. 
Is true if the request is being transported using HTTP/2

|~ |. instance: |. 
Used to check whether a particular, clustered instance of WASD is available. 
See |link|Instance: and Robin: Keywords||.

|~ |. jpi_username: |. 
The account username the server is executing as.

|~ |. mapped_path: |. 
The path resulting from mapping (phase 2 if script path involved) from which
the path-translated is derived.

|~ |. multihome: |. 
Somewhat specialised conditional that becomes non-null when a client used a
different IP address to connect to the service than the one the service is
bound to.  Is set to the IP address the client used and may be matched using
wildcard matching or as a network mask.

|~ |. note: |. 
Ad hoc information (string) provided by the server administrator using the
/DO=NOTE= facility (and online equivalent) that can be used to quickly and
easily modify rule processing on a per-system or per-cluster basis.

|~ |. notepad: |. 
Information (strings) stored using the SET |/notepad=|| mapping rule.
See |link|Notepad: Keyword||.

|~ |. ods: |. 
Specified as 2 or 5 (Extended File System), or as SRI file name encoding
(MultiNet NFS and others) PWK encoding (PATHWORKS 4/5), ADS encoding
(Advanced Server / PATHWORKS 6), SMB encoding (Samba - same as ADS). 

|~ |. pass: |. 
A numeric value, 1 or 2, representing the first or second pass (if a script
component was parsed) through the path mapping rules.  Will be zero at other
times.  When the server is |/reverse-mapping|| a file specification
will be -1.

|~ |. path-info: |. 
Path specified in the request line.  CGI variable PATH_INFO.

|~ |. path-translated: |. 
VMS translation of path-info.  Available after rule mapping (i.e. during
authorization rule processing).

|~ |. proctor: |. 
Simple boolean value.  If a proctored script this is true (see
|link%|../scripting/##Script Proctor++in++WASD Scripting||).

|~ |. query-string: |. 
Query string specified in request line.  Same information as provided in
CGI variable QUERY_STRING.

|~ |. rand: |. 
Value from a random number generator.
See |link|Rand: Keyword||.

|~ |. redirected: |. 
If a request has been internally redirected
(|link|REDIRECT Rule||) this conditional will be non-zero.  Can
be used as a boolean or with a digit specified.

|~ |. referer: |. 
URL of referring page as provided in "Referer:" request header field. 
CGI variable HTTP_REFERER.

|~ |. regex: |. 
Simple boolean value.  If configuration directive [RegEx] is enabled (and hence
regular expression string matching, |link|String Matching||) this
will be true.

|~ |. remote-addr: |. 
Client IP address.  Same as provided as CGI variable REMOTE_ADDR.  As
with all IP addresses used for conditional testing this may be wildcard string
match or network mask expressed as |/address||/|/mask-length||
(see |link|Host Addresses||).  A domain (host) name
preceded by a question mark may be specified (e.g. "?the.host.name"). 
The corresponding IP address is then looked up and compared to the client. 
This allows ad hoc host name based rules and is distinct from use of
|/remote-host||.  Note that DNS lookup can introduce some latency to
rule (and request) processing, and that the outcome of the match then depends
on the answer returned by the name service.

|~ |. remote-host: |. 
Client host name if name resolution enabled, otherwise the IP address (same
as |/remote-addr||).
CGI variable REMOTE_HOST.

|~ |. request: |. 
Detect the presence of specific or unknown request fields.
See |link|Request: Keyword||.

|~ |. request-method: |. 
HTTP method ("GET", "POST", etc.) specified in the request
line.  CGI variable REQUEST_METHOD.

|~ |. request-protocol: |. 
Detect the HTTP protocol in use for the request, as "2", "1.1",
"1.0" or "0.9".  Note that the |/server-protocol||
conditional will indicate 1.1 when the |/request-protocol|| indicates
2.  The server and its applications (scripts) still treat it semantically
as HTTP/1.1.

|~ |. request-scheme: |. 
Request protocol as "http:" or "https:".   CGI variable
REQUEST_SCHEME.

|~ |. request-uri: |. 
The unescaped request path plus any query-string.  CGI variable REQUEST_URI. 

|~ |. restart: |. 
A numeric value, zero to maximum, representing the number of times path mapping
has been SET |/map=restart||.   Can be used as a boolean or with a
digit specified.

|~ |. robin: |. 
Used to check whether a particular, clustered instance of WASD is available and
distribute requests to it using a round-robin algorithm. 
See |link|Instance: and Robin: Keywords||.

|~ |. script-name: |. 
After the first pass of rule mapping (script component resolution), or during
authorization processing, any script component of the request URI.

|~ |. server-addr: |. 
The service IP address.  CGI variable SERVER_ADDR.
This may be wildcard string match or network mask expressed as
|/address||/|/mask-length||.

|~ |. server_connect_gt: |. 
An integer representing the current server network connections (those currently
being processed plus those currently being "kept alive").  If greater than this
value returns true, otherwise false.

|~ |. server_process_gt: |. 
An integer representing the current server requests in-progress.  If greater
than this value returns true, otherwise false.

|~ |. server-name: |. 
The (possibly virtual) server name.  This may or may not exactly match any
string provided via the |/host|| keyword.  CGI variable SERVER_NAME.

|~ |. server-port: |. 
The (possibly virtual) server port number.  CGI variable SERVER_PORT.

|~ |. server-protocol: |. 
"1.1", "1.0", "0.9" representing the HTTP protocol used by
the request.

|~ |. server-software: |. 
The server identification string, including the version.  For example
"HTTPd-WASD/8.0.0 OpenVMS/AXP SSL".  CGI variable SERVER_SOFTWARE.

|~ |. service: |. 
This is the composite server name plus port as
|/server-name||:|/port||.  To match an unknown service use
"?".

|~ |. ssl: |. 
Simple boolean value.  If request is via Secure Sockets Layer then this
will be true.

|~ |. syi_arch_name: |. 
System information; CPU architecture of the server system, "Alpha",
"Itanium" or "x86-64". 

|~ |. syi_hw_name: |. 
System information; hardware identification string, for example
"AlphaStation 400 4/233".

|~ |. syi_nodename: |. 
System information; the node name, for example "KLAATU".

|~ |. syi_version: |. 
System information; VMS version string, for example "V7.3".

|~ |. tcpip: |. 
A string derived from the UCX$IPC_SHR shareable image. It looks something like
this "Compaq TCPIP$IPC_SHR V5.1-15 (11-JAN-2001 02:28:33.95)" and comprises the
agent (Compaq, MultiNet, TCPware, unknown), the name of the image, the version
and finally the link date.

|~ |. time: |. 
Compare to current system time.  See |link|Time: Keyword||.

|~ |. trnlnm: |. 
Translate a logical name.  See |link|Trnlnm: Keyword||.

|~ |. upstream-addr: |. 
Client proxy/accelerator IP address, when "SET CLIENT=keyword" has been applied
to enable transparent up-stream proxy.  Same as provided as CGI variable 
UPSTREAM_ADDR.  As  with all IP addresses used for conditional testing this may
be wildcard string match or network mask expressed as
|/address||/|/mask-length|| (see |link|Host Addresses||).

|~ |. user-agent: |. 
Browser identification string as provided in "User-Agent:" request
header field.  CGI variable HTTP_USER_AGENT. 

|~ |. webdav: |. 
Simple boolean value.  If the request has been identified as WebDAV then this
is true. Takes an optional parameter:

|table|

|~ |. webdav:all |. 
True if path has been |/SET webdav=all|

|~ |. webdav:auth |. 
True if path has been |/SET webdav=auth|

|~ |. webdav:MSagent |. 
True if a Microsoft WebDAV agent has been detected.

|!table|

|~ |. websocket: |. 
Simple boolean value.  If the request is a WebSocket protocol upgrade this will be true.

|~ |. x-forwarded-for: |. 
Proxied client name or address as provided in "X-Forwarded-For:" request
header field.  CGI variable HTTP_X_FORWARDED_FOR. 

|!table|

|3Notepad: Keyword|

|^ The |/request notepad|| is a string storage area that can be used to store
and retrieve ad hoc information during path mapping and subsequent
authorization processing.  The notepad contents can be changed using the SET
|/notepad=<string>|| or appended to using SET |/notepad=+<string>|| (|link|SET
Rule||).  These contents then can be  subsequently detected using the
|/notepad:|| conditional keyword (or the obsolescent 'NO' mapping conditional)
and used to control subsequent mapping or authorization processing.

|^ Notepad information persists across internal redirection processing
(|link|REDIRECT Rule||) and so may be used when the regenerated request is
mapped and authorized.  To prevent such information from unexpectedly
interfering with internally redirected requests a |/notepad=""|| can be used to
empty the storage area.

|^ The |/dictionary|| facility provides similar and arguably superior
functionality.  See |link|WATCH Dictionary||.  In fact |/notepad|| is now
implemented as a dictionary entry.

|3Rand: Keyword|

|^ At the commencement of each pass a new pseudo-random number is generated
(and therefore remains constant during that pass).  The |/rand:||
conditional is intended to allow some sort of distribution to be built into a
set of rules, where each pass (request) generates a different one.  The random
conditional accepts two parameters, a |/modulus|| number, which is applied
as the modulus to the base number, and a |/comparison|| number, which is
compared to the result of that modulus operation.

|^ Hence the following conditional rules
|
|code|
if (rand:3:0)
   |/do this||
elif (rand:3:1)
   |/do this||
else
   |/do this||
endif
|!code|
|
would pseudo-randomly generate base numbers of 0, 1, 2 and perform the
appropriate conditional block.  Over a sufficient number of usages this should
produce a relatively even distribution of numbers.  If the modulus is specified
as less than two (i.e. no distribution factor at all) it defaults to 2 (i.e. a
distribution of 50%).  Hence the following example should be the equivalent of
a coin toss.
|
|code|
if (rand:)
   |/heads||
else
   |/tails||
endif
|!code|

|3Request: Keyword|

|^ Looks through each of the lines of the request header for the specified
request field and/or value.  This may be used to detect the presence of
specific or unknown (to the server) request fields.  When detecting just a
specified field, the name can be provided
|
|code|
if (request:"Keep-Alive:*")
|!code|
|
matching any value, or specific values can also be matched for
|
|code|
if (request:"User-Agent:*Opera*")
|!code|

|^ Note that all request fields known to the server have a specific associated
conditional keyword (i.e. "user-agent:" for the above example).  To
determine whether any request fields unknown to the server have been supplied
use the |/request:|| keyword as in the following example.
|
|code|
if (request:?)
   map * /cgi-bin/unknown_request_notify.com*
endif
|!code|

|3Instance: and Robin: Keywords|

|^ Both of these conditionals are designed to allow the redistribution of
requests between clustered WASD services.  They are WASD-aware and so allow a
slightly more tailored distribution than perhaps an IP package round-robin
implementation might.  Each tests for the current operation of WASD on a
particular node (using the DLM) before allowing the selection of that node as a
target. This can allow some systems to be shutting down or starting up, or have
WASD shutdown for any reason, without requiring any extraordinary procedures
to allow for the change in processing environment.

|0Instance:|

|^ The instance: directive allows testing for a particular
cluster member having a WASD instance currently running.  This can allow
requests to be redirected or reverse-proxied to a particular system with the
knowledge that it should be processed (of course there is a small window of
uncertainty as events such as system shutdown and startup occur
asynchronously).  The behaviour of the conditional block is entirely
determinate based on which node names have a WASD instance and the order of
evaluation.  Compare this to a similar construct using the robin: directive, as
described below.

|^ This conditional is deployed in two phases.  In the first, it contains a
comma-separated list of node names (that are expected to have instances of WASD
instantiated).  In the second, it contains a single node name, allowing the
selected node to be tested.  For example:

|code|
if (instance:NODE1,NODE2,NODE3)
   if (instance:NODE1) redirect /* http://node1.domain.name/*?
   if (instance:NODE2) redirect /* http://node2.domain.name/*?
   if (instance:NODE3) redirect /* http://node3.domain.name/*?
   pass * "500 Some sort of logic error!!"
endif
pass * "503 No instance currently available!"
|!code|

|^ If none of the node names specified in the first phase is currently running
a WASD instance the rule returns false, otherwise true.  If true the above
example has the conditional block processed with each of the node names
successively tested.  If NODE1 has a WASD instance executing it returns true
and the associated redirect is performed.  The same for NODE2 and NODE3.  At
least one of these would be expected to test true otherwise the outer
conditional established during phase one would have been expected to return
false.

|0Robin:|

|^ The robin: conditional allows rules to be applied
sequentially against specified members of a cluster that currently have
instances of WASD running. This is obviously intended to allow a form of load
sharing and/or redundancy (not balancing, as no evaluation of the selected
target's current workload is performed, see below).  As with the instance:
directive above, there is, of course, a small window of potential uncertainty
as events such as system shutdown and startup occur asynchronously and may
impact availability between the phase one test and ultimate request
distribution.

|^ This conditional is again used in two phases.  The first contains a
comma-separated list of node names (that are expected to have instances of WASD
instantiated).  The second contains a single node name, allowing the
selected node (from phase one) to have a rule applied.  For example:

|code|
if (robin:X861,ALPHA1,ALPHA2,IA64A)
   if (robin:X861) redirect /* http://x861.domain.name/*?
   if (robin:ALPHA1) redirect /* http://alpha1.domain.name/*?
   if (robin:ALPHA2) redirect /* http://alpha2.domain.name/*?
   if (robin:IA64A) redirect /* http://ia64a.domain.name/*?
   pass * "500 Some sort of logic error!!"
endif
pass * "503 No round-robin node currently available!"
|!code|

|^ In this case round-robining will be made through four node names.  Of
course these do not have to represent all the systems in the cluster currently
available or having WASD instantiated.  The first time the 'robin:' rule
containing multiple names is called X861 will be selected.  The second time
ALPHA1, the third ALPHA2, and the fourth IA64A.  With the fifth call X861 is
returned to, the sixth ALPHA1, etc.  In addition, the selected nodename is
verified to have an instance of WASD currently running (using the DLM and WASD's
instance awareness).  If it does not, round-robining is applied again until one
is found (if none is available the phase one conditional returns false).  This
is most significant as it ensures that the selected node should be able to
respond to a redirected or (reverse-)proxied request.  This is the selection
set-up phase.

|^ Then there is the selection application phase.  Inside the set-up
conditional other conditionals apply the selection made in the first phase
(through simple nodename string comparison).  The rule, in the above example a
redirect, is applied if that was the node selected.

|^ During selection set-up unequal weighting can be applied to the round-robin
algorithm by including particular node names more than once.

|code|
if (robin:X861,ALPHA,X862,ALPHA)
|!code|

|^ In the above example, the node ALPHA will be selected twice as often as
either of X861 and X862 (and because of the ordering interleaved with the X86
selections).

|3Time: Keyword|

|^ The |/time:|| conditional allows server behaviour to change
according to the time of day, week, or even year.  It compares the supplied
parameter to the current system time in one of three ways.

|number|

|item| The supplied parameter is in the form "1200-1759", which should
be read as "twelve noon to five fifty-nine PM" (i.e. as a time range in
minutes, generalized as |/hhmm-hhmm||), where the first is the start
time and the second the end time.  If the current time is within that range
(inclusive) the conditional returns true, otherwise false.  If the range
doesn't look correct false is always returned.

|code|
if (time:0000-0000)
   |/it's midnight||
elif (time:0001-1159)
   |/it's AM||
elif (time:1200-1200)
   |/it's noon||
else
   |/it's PM||
endif
|!code|

|item| If the supplied parameter is a single digit it is compared to the VMS day
of the week (1-Monday, 2-Tuesday |...| 7-Sunday).

|code|
if (time:6 \|\| time:7)
   |/it's the weekend||
else
   |/it's the working week||
endif
|!code|

|item| If the supplied string is not in either of the formats described above it
is treated as a string match with a VMS comparison time (i.e.
|/yyyy-mm-dd hh-mm-ss.hh||). 

|code|
if (time:%%%%-05-*)
   |/it's the month of May||
endif
|!code|

|!number|

|3Trnlnm: Keyword|

|^ The |/trnlnm:|| conditional dynamically translates a logical name
and uses the value.  One mandatory and up to two optional parameters may be
supplied.

|code|
trnlnm:logical-name[;name-table][:string-to-match]
|!code|

|^ The |/logical-name|| must be supplied; without it false is always
returned.  If just the |/logical-name|| is supplied the conditional
returns true if the name exists or false if it does not.  The default
|/name-table|| is LNM$FILE_DEV.  When the optional
|/name-table|| is supplied the lookup is confined to that table.  If
the optional |/string-to-match|| is supplied it is matched against the
value of the logical and the result returned.

|3Host Addresses|

|^ Host names or addresses can be an alpha-numeric string (if DNS lookup is
enabled) or dotted-decimal network address, a slash, then a dotted-decimal
mask.  For example "131.185.250.0/255.255.255.192". This mask has 26 network
bits, leaving a 6 bit host range.  It operates by bitwise-ANDing the client
host address with the mask, bitwise-ANDing the network address supplied with
the mask, then comparing the two results for equality.  Using the above
example the host 131.185.250.50 would be accepted (50 AND 192 is 0, matching
the network address), but 131.185.250.250 would be rejected (250 AND 192 is
192, which does not match). Equivalent notation for this rule would be
"131.185.250.0/26".

|2Examples|

|^ The following provides a collection of examples of conditional mapping and
authorization rules illustrating the use of wildcard matching, network mask
matching and the various formats in which the rules may be blocked.

|number|

|item| This first example shows an EXEC mapping rule being applied to a path if
the request query string contains the string "example".

|code|
if (query-string:*example*) exec /* /cgi-bin/example/* 
|!code|

|item| In this example a block of mapping statements is processed if the virtual
service of the request matches that in the conditional, otherwise the block is
skipped.  Note the indentation to help clarify the structure.

|code|
if (service:the.host.name:80)
   pass /web/* /dka0/the_host_name_web/*
   pass /graphics/* /dka100/graphics/*
   pass * "404 Resource not found."
endif
|!code|

|item| In this example a series of tests allows a form of case processing where
the first to match will be processed and terminate the matching process.  In
this case if a match does not occur rule processing continues after the
|/endif||.

|code|
if (service:the.host.name:80)
   pass /web/* /dka0/the_host_name_web/*
elif (service:next.host.name:80)
   pass /web/* /dka0/next_host_name_web/*
elif (service:another.host.name:80)
   pass /web/* /dka0/another_host_name_web/*
endif
pass /graphics/* /dka100/graphics/*
pass * "404 Resource not found."
|!code|

|item| In this (somewhat contrived) example a nested test is used to check
(virtual) server name and that the request is being handled via Secure Sockets
Layer (SSL) for security.  If it is not an informative message is supplied. 
The |/else|| and the quotes are not really required but included here
for illustration.

|code|
if (server-name:the.host.name)
   if (scheme:"https")
      pass /secure/* /dka0/the_host_name_web/secure/*
   else
      pass * /dka0/the_host_name_web/secure/only-via-SSL.html
   endif
endif
|!code|

|item| This would be another way to accomplish a similar objective to example 4. 
This uses a |/negation|| operator to exclude access to successive
mappings if not requesting via SSL.

|code|
if (server-name:the.host.name)
   if (!SSL:)
      pass * /web/secure/only-via-SSL.html
   endif
   pass /secure/* /web/secure/*
   pass /other/* /web/other/*
   pass /web/* /web/web/*
   pass * "404 Resource not found."
endif
|!code|

|item| This example shows the use of a compound conditional using the AND and OR
operators.  It also illustrates the use of a network mask.  It will exclude all
access to the specified path unless the request is originating from
within a specified network (perhaps an intranet) or via SSL.

|code|
if (path:/sensitive/* && !(remote-addr:131.185.250.0/24 \|\| SSL:))
   pass * 404 "Access denied (SSL only)."
endif
|!code|

|item| This example illustrates restricting authentication to SSL.

|code|
[[*]]
["Your VMS password"=VMS]
if (!request-scheme:https)
   * r+w,#0
endif
|!code|

|item| Logical name translation may be used to dynamically alter the flow of
rule interpretation.

|code|
if (trnlnm:HTTPD_EXAMPLE)
   pass /* /example/*
else
   pass /* /*
endif
|!code|

|item| Using a site administrator's /DO=NOTE= entry to modify rule processing. 
In this example the contingency of a broken back-end processor has been
prepared for and a document advising clients of the temporary problem is
redirected to once the administrator enters

|code|
$ HTTPD /DO=NOTE=PROBLEM /ALL
|!code|
 at the command-line (or via the online equivalent).  Note that in this
example external clients are provided with the problem advice document while
internal clients may still access the back-end for troubleshooting purposes.

|code|
if (note:PROBLEM && !remote-addr:131.185.0.0/16)
   pass /* /problem_with_backend.html
else
   pass /* /backend/*
endif
|!code|

|^ Of course there are a multitude of possibilities based on this idea!

|!number|

|note><|
The noted data persists across server startups but does not persist across
system startups!
|!note|

|2Dictionary|

|^ The per-request dictionary stores key-value string pairs related to request
processing.  Some entries are generated and used internally by the server and
others may be inserted, value changed, removed and tested by the server admin
for conditional processing purposes.

|^ The dictionary was initially introduced as an abstraction layer between the
significantly different HTTP/2 and HTTP/1.|/n|| header semantics and
server internal processing.  Its utility was then extended into configuration. 
It is implemented as a standard hash table with collision lists.  The small
cost in terms of processing is completely offset by its effectiveness.

|3Configuration Entries|

|^ Dictionary entries may be configured using the SET dict=|/key||=|/value||
mapping rule or the DICT |/key||=|/value|| meta keyword.  These are known as 
|/configuration entries||.  Keys must begin with an alpha-numeric character but
otherwise keys and values may contain any printable character, with some
needing to be escaped in the text of configuration files.  These are some
examples of each.

|code|
set /example/path* dict=example_key=example\ value
set /example/path* dict=example_key="example value"
set /example/path* dict=example_key="example \"value\""

dict example_key=example\ value
dict example_key="example value"
dict example_key="example \"value\""
|!code|

|^ If an existing key is (re-)inserted it overwrites the old value.

|^ An entry can have an empty value.

|code|
set /example/path* dict=example_key=
dict example_key=
|!code|

|^ An entry may be removed from the dictionary by prefixing the key name with
an exclamation point.

|code|
set /example/path* dict=!example_key
dict !example_key
|!code|

|^ All configuration entries may be removed by using the exclamation point
with an empty key.

|code|
set /example/path* dict=!
dict !
|!code|

|note|
Configuration entries persist across internal redirection processing
(|link|REDIRECT Rule||) and so may be used as flags or otherwise contain useful
information when the regenerated request is mapped and authorized.  To prevent
such information from unexpectedly interfering with internally redirected
requests selected or all entries can be removed in the redirected request using
the above values.
|!note|

|3Other Entries|

|^ As mentioned, the server generates and uses dictionary entries during
request processing.  There are multiple types of entry, generally insulated
from each other for good reason.  These entries are also available for
conditional testing.

|0Dictionary Entries|

|table|
|~_ |: Character|: Type|: Description
|~
|~ |. ~ |. configuration |. admin managed entry
|~ |. $ |. internal |. server processing
|~ |. > |. request |. request header field
|~ |. < |. response |. response header field
|!table|

|^ The "if (dict:|/expression||)" construct first checks for a configuration
entry, then for a request header field entry, then finally for an internal
entry (response entries are only available for testing after response
processing begins and so not in the search list).  It is also possible to test
for a key of a specific type by prefixing the key name with the type character. 
This example shows a request header field being conditionally processed.

|code|
if (dict:>X-example=hello)
|!code|

|^ It is also possible to set an entry of a specific type by prefixing the key
with the type character.  For example the following will set a response header
field that will be included in the header when returned to the client.

|code|
set /example/path* dict=<X-example="\"quoted string\""
|!code|

|^ Setting any non-configuration entry should only be undertaken by the
literati or the brave.

|3Entry Substitution|

|^ The value of a dictionary entry can be derived in whole or part from the
value of another entry or entries.  This uses a somewhat familiar substitution
syntax.  A contrived example shows an entry being set that transfers back the
request user-agent header field as a response header field.

|code|
set /example/path* dict=<X-user-agent=''>user-agent'
|!code|

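A similar rule can be seen applied in the WATCH report example below.  As the
substituted value is taken from a request header field it contains whatever the
client supplied.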

|3WATCH Dictionary|

|^ The content of a request's dictionary at significant stages of request
processing can be viewed using the [x]Internal item of a WATCH report.  See
|link%|../features/##WATCH Facility| of
|link%|../features/##|WASD Features and Facilities||.

|^ A request dictionary WATCH point is similar to the following (end of request
processing) example.  Note that all of the entry types described above are
present in the example, including two configured entries.  Note also that two
of the internal entries contain embedded line-breaks and empty lines.  This is
an HTTP/2 request and the expanded (HTTP/1.|/n|| style) |/request_header|| and
|/response_header|| entries are due to WATCH items Request [x]Header and
Response [x]Header also being checked. They were not required for request
processing.

|code|
\|Time_______\|Module__\|Line\|Item\|Category__\|Event...\|
|/8< snip 8<||
\|21:11:00.12 DICT     0836 0001 INTERNAL   DICTIONARY size:32 count:29 bytes:4193\|
ENTRY 001 [005] $ {14}request_method={3}GET
ENTRY 002 [009] $ {12}request_path={15}/httpd/-/admin/
ENTRY 003 [014] > {6}accept={63}text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ENTRY 004 [018] > {15}accept-encoding={13}gzip, deflate
ENTRY 005 [001] > {10}user-agent={116}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4
ENTRY 006 [007] > {15}accept-language={5}en-us
ENTRY 007 [031] > {13}authorization={30}Basic *************************
ENTRY 008 [004] > {3}dnt={1}1
ENTRY 009 [012] $ {12}request_line={28}GET /httpd/-/admin/ HTTP/1.1
ENTRY 010 [024] > {4}host={18}klaatu.private:443
ENTRY 011 [011] $ {10}http2_ping={6}44.919
ENTRY 012 [013] $ {14}request_header={372}GET /httpd/-/admin/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4
accept-language: en-us
authorization: Basic *************************
dnt: 1
host: klaatu.private:443

ENTRY 013 .012. $ {9}path_info={15}/httpd/-/admin/
ENTRY 014 [000] $ {12}query_string={0}
ENTRY 015 .004. $ {11}request_uri={15}/httpd/-/admin/
ENTRY 016 [025] ~ {7}this_is={7}a test!
ENTRY 017 [028] < {12}x-user-agent={116}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4 
ENTRY 018 .018. $ {15}response_status={3}200
ENTRY 019 [026] $ {15}response_reason={2}OK
ENTRY 020 .011. < {6}server={33}HTTPd-WASD/11.0.0 OpenVMS/AXP SSL
ENTRY 021 [002] < {4}date={29}Tue, 02 Feb 2016 10:40:59 GMT
ENTRY 022 .005. < {13}accept-ranges={5}bytes
ENTRY 023 [008] < {15}accept-encoding={13}gzip, deflate
ENTRY 024 .004. < {7}expires={29}Fri, 13 Jan 1978 14:00:00 GMT
ENTRY 025 [030] < {13}cache-control={18}no-cache, no-store
ENTRY 026 .028. < {6}pragma={8}no-cache
ENTRY 027 .030. < {12}content-type={29}text/html; charset=ISO-8859-1
ENTRY 028 [006] < {14}content-length={5}15741
ENTRY 029 [019] $ {15}response_header={446}HTTP/1.1 200 OK
x-user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4
server: HTTPd-WASD/11.0.0 OpenVMS/AXP SSL
date: Tue, 02 Feb 2016 10:40:59 GMT
accept-ranges: bytes
accept-encoding: gzip, deflate
expires: Fri, 13 Jan 1978 14:00:00 GMT
cache-control: no-cache, no-store
pragma: no-cache
content-type: text/html; charset=ISO-8859-1
content-length: 15741

|/8< snip 8<||
|!code|

|^ The first three digit number is simply the entry count in order of
insertion.  The second, either square bracketed or period delimited, is the
hash table entry.  The square brackets indicate the head of the hash table, the
periods an entry further down the collision list.  The single punctuation
character is used to indicate and differentiate the entry type.  Then come the
key and the equals-separated value.  The brace enclosed numbers are the lengths
of the key and value respectively.