[0001] [0002] [0003] [0004] [0005] [0006] [0007] [0008] [0009] [0010] [0011] [0012] [0013] [0014] [0015] [0016] [0017] [0018] [0019] [0020] [0021] [0022] [0023] [0024] [0025] [0026] [0027] [0028] [0029] [0030] [0031] [0032] [0033] [0034] [0035] [0036] [0037] [0038] [0039] [0040] [0041] [0042] [0043] [0044] [0045] [0046] [0047] [0048] [0049] [0050] [0051] [0052] [0053] [0054] [0055] [0056] [0057] [0058] [0059] [0060] [0061] [0062] [0063] [0064] [0065] [0066] [0067] [0068] [0069] [0070] [0071] [0072] [0073] [0074] [0075] [0076] [0077] [0078] [0079] [0080] [0081] [0082] [0083] [0084] [0085] [0086] [0087] [0088] [0089] [0090] [0091] [0092] [0093] [0094] [0095] [0096] [0097] [0098] [0099] [0100] [0101] [0102] [0103] [0104] [0105] [0106] [0107] [0108] [0109] [0110] [0111] [0112] [0113] [0114] [0115] [0116] [0117] [0118] [0119] [0120] [0121] [0122] [0123] [0124] [0125] [0126] [0127] [0128] [0129] [0130] [0131] [0132] [0133] [0134] [0135] [0136] [0137] [0138] [0139] [0140] [0141] [0142] [0143] [0144] [0145] [0146] [0147] [0148] [0149] [0150] [0151] [0152] [0153] [0154] [0155] [0156] [0157] [0158] [0159] [0160] [0161] [0162] [0163] [0164] [0165] [0166] [0167] [0168] [0169] [0170] [0171] [0172] [0173] [0174] [0175] [0176] [0177] [0178] [0179] [0180] [0181] [0182] [0183] [0184] [0185] [0186] [0187] [0188] [0189] [0190] [0191] [0192] [0193] [0194] [0195] [0196] [0197] [0198] [0199] [0200] [0201] [0202] [0203] [0204] [0205] [0206] [0207] [0208] [0209] [0210] [0211] [0212] [0213] [0214] [0215] [0216] [0217] [0218] [0219] [0220] [0221] [0222] [0223] [0224] [0225] [0226] [0227] [0228] [0229] [0230] [0231] [0232] [0233] [0234] [0235] [0236] [0237] [0238] [0239] [0240] [0241] [0242] [0243] [0244] [0245] [0246] [0247] [0248] [0249] [0250] [0251] [0252] [0253] [0254] [0255] [0256] [0257] [0258] [0259] [0260] [0261] [0262] [0263] [0264] [0265] [0266] [0267] [0268] [0269] [0270] [0271] [0272] [0273] [0274] [0275] [0276] [0277] [0278] [0279] [0280] [0281] [0282] [0283] [0284] [0285] 
[0286] [0287] [0288] [0289] [0290] [0291] [0292] [0293] [0294] [0295] [0296] [0297] [0298] [0299] [0300] [0301] [0302] [0303] [0304] [0305] [0306] [0307] [0308] [0309] [0310] [0311] [0312] [0313] [0314] [0315] [0316] [0317] [0318] [0319] [0320] [0321] [0322] [0323] [0324] [0325] [0326] [0327] [0328] [0329] [0330] [0331] [0332] [0333] [0334] [0335] [0336] [0337] [0338] [0339] [0340] [0341] [0342] [0343] [0344] [0345] [0346] [0347] [0348] [0349] [0350] [0351] [0352] [0353] [0354] [0355] [0356] [0357] [0358] [0359] [0360] [0361] [0362] [0363] [0364] [0365] [0366] [0367] [0368] [0369] [0370] [0371] [0372] [0373] [0374] [0375] [0376] [0377] [0378] [0379] [0380] [0381] [0382] [0383] [0384] [0385] [0386] [0387] [0388] [0389] [0390] [0391] [0392] [0393] [0394] [0395] [0396] [0397] [0398] [0399] [0400] [0401] [0402] [0403] [0404] [0405] [0406] [0407] [0408] [0409] [0410] [0411] [0412] [0413] [0414] [0415] [0416] [0417] [0418] [0419] [0420] [0421] [0422] [0423] [0424] [0425] [0426] [0427] [0428] [0429] [0430] [0431] [0432] [0433] [0434] [0435] [0436] [0437] [0438] [0439] [0440] [0441] [0442] [0443] [0444] [0445] [0446] [0447] [0448] [0449] [0450] [0451] [0452] [0453] [0454] [0455] [0456] [0457] [0458] [0459] [0460] [0461] [0462] [0463] [0464] [0465] [0466] [0467] [0468] [0469] [0470] [0471] [0472] [0473] [0474] [0475] [0476] [0477] [0478] [0479] [0480] [0481] [0482] [0483] [0484] [0485] [0486] [0487] [0488] [0489] [0490] [0491] [0492] [0493] [0494] [0495] [0496] [0497] [0498] [0499] [0500] [0501] [0502] [0503] [0504] [0505] [0506] [0507] [0508] [0509] [0510] [0511] [0512] [0513] [0514] [0515] [0516] [0517] [0518] [0519] [0520] [0521] [0522] [0523] [0524] [0525] [0526] [0527] [0528] [0529] [0530] [0531] [0532] [0533] [0534] [0535] [0536] [0537] [0538] [0539] [0540] [0541] [0542] [0543] [0544] [0545] [0546] [0547] [0548] [0549] [0550] [0551] [0552] [0553] [0554] [0555] [0556] [0557] [0558] [0559] [0560] [0561] [0562] [0563] [0564] [0565] [0566] [0567] [0568] [0569] [0570] 
[0571] [0572] [0573] [0574] [0575] [0576] [0577] [0578] [0579] [0580] [0581] [0582] [0583] [0584] [0585] [0586] [0587] [0588] [0589] [0590] [0591] [0592] [0593] [0594] [0595] [0596] [0597] [0598] [0599] [0600] [0601] [0602] [0603] [0604] [0605] [0606] [0607] [0608] [0609] [0610] [0611] [0612] [0613] [0614] [0615] [0616] [0617] [0618] [0619] [0620] [0621] [0622] [0623] [0624] [0625] [0626] [0627] [0628] [0629] [0630] [0631] [0632] [0633] [0634] [0635] [0636] [0637] [0638] [0639] [0640] [0641] [0642] [0643] [0644] [0645] [0646] [0647] [0648] [0649] [0650] [0651] [0652] [0653] [0654] [0655] [0656] [0657] [0658] [0659] [0660] [0661] [0662] [0663] [0664] [0665] [0666] [0667] [0668] [0669] [0670] [0671] [0672] [0673] [0674] [0675] [0676] [0677] [0678] [0679] [0680] [0681] [0682] [0683] [0684] [0685] [0686] [0687] [0688] [0689] [0690] [0691] [0692] [0693] [0694] [0695] [0696] [0697] [0698] [0699] [0700] [0701] [0702] [0703] [0704] [0705] [0706] [0707] [0708] [0709] [0710] [0711] [0712] [0713] [0714] [0715] [0716] [0717] [0718] [0719] [0720] [0721] [0722] [0723] [0724] [0725] [0726] [0727] [0728] [0729] [0730] [0731] [0732] [0733] [0734] [0735] [0736] [0737] [0738] [0739] [0740] [0741] [0742] [0743] [0744] [0745] [0746] [0747] [0748] [0749] [0750] [0751] [0752] [0753] [0754] [0755] [0756] [0757] [0758] [0759] [0760] [0761] [0762] [0763] [0764] [0765] [0766] [0767] [0768] [0769] [0770] [0771] [0772] [0773] [0774] [0775] [0776] [0777] [0778] [0779] [0780] [0781] [0782] [0783] [0784] [0785] [0786] [0787] [0788] [0789] [0790] [0791] [0792] [0793] [0794] [0795] [0796] [0797] [0798] [0799] [0800] [0801] [0802] [0803] [0804] [0805] [0806] [0807] [0808] [0809] [0810] [0811] [0812] [0813] [0814] [0815] [0816] [0817] [0818] [0819] [0820] [0821] [0822] [0823] [0824] [0825] [0826] [0827] [0828] [0829] [0830] [0831] [0832] [0833] [0834] [0835] [0836] [0837] [0838] [0839] [0840] [0841] [0842] [0843] [0844] [0845] [0846] [0847] [0848] [0849] [0850] [0851] [0852] [0853] [0854] [0855] 
[0856] [0857] [0858] [0859] [0860] [0861] [0862] [0863] [0864] [0865] [0866] [0867] [0868] [0869] [0870] [0871] [0872] [0873] [0874] [0875] [0876] [0877] [0878] [0879] [0880] [0881] [0882] [0883] [0884] [0885] [0886] [0887] [0888] [0889] [0890] [0891] [0892] [0893] [0894] [0895] [0896] [0897] [0898] [0899] [0900] [0901] [0902] [0903] [0904] [0905] [0906] [0907] [0908] [0909] [0910] [0911] [0912] [0913] [0914] [0915] [0916] [0917] [0918] [0919] [0920] [0921] [0922] [0923] [0924] [0925] [0926] [0927] [0928] [0929] [0930] [0931] [0932] [0933] [0934] [0935] [0936] [0937] [0938] [0939] [0940] [0941] [0942] [0943] [0944] [0945] [0946] [0947] [0948] [0949] [0950] [0951] [0952] [0953] [0954] [0955] [0956] [0957] [0958] [0959] [0960] [0961] [0962] [0963] [0964] [0965] [0966] [0967] [0968] [0969] [0970] [0971] [0972] [0973] [0974] [0975] [0976] [0977] [0978] [0979] [0980] [0981] [0982] [0983] [0984] [0985] [0986] [0987] [0988] [0989] [0990] [0991] [0992] [0993] [0994] [0995] [0996] [0997] [0998] [0999] [1000] [1001] [1002] [1003] [1004] [1005] [1006] [1007] [1008] [1009] [1010] [1011] [1012] [1013] [1014] [1015] [1016] [1017] [1018] [1019] [1020] [1021] [1022] [1023] [1024] [1025] [1026] [1027] [1028] [1029] [1030] [1031] [1032] [1033] [1034] [1035] [1036] [1037] [1038] [1039] [1040] [1041] [1042] [1043] [1044] [1045] [1046] [1047] [1048] [1049] [1050] [1051] [1052] [1053] [1054] [1055] [1056] [1057] [1058] [1059] [1060] [1061] [1062] [1063] [1064] [1065] [1066] [1067] [1068] [1069] [1070] [1071] [1072] [1073] [1074] [1075] [1076] [1077] [1078] [1079] [1080] [1081] [1082] [1083] [1084] [1085] [1086] [1087] [1088] [1089] [1090] [1091] [1092] [1093] [1094] [1095] [1096] [1097] [1098] [1099] [1100] [1101] [1102] [1103] [1104] [1105] [1106] [1107] [1108] [1109] [1110] [1111] [1112] [1113] [1114] [1115] [1116] [1117] [1118] [1119] [1120] [1121] [1122] [1123] [1124] [1125] [1126] [1127] [1128] [1129] [1130] [1131] [1132] [1133] [1134] [1135] [1136] [1137] [1138] [1139] [1140] 
[1141] [1142] [1143] [1144] [1145] [1146] [1147] [1148] [1149] [1150] [1151] [1152] [1153] [1154] [1155] [1156] [1157] [1158] [1159] [1160] [1161] [1162] [1163] [1164] [1165] [1166] [1167] [1168] [1169] [1170] [1171] [1172] [1173] [1174] [1175] [1176] [1177] [1178] [1179] [1180] [1181] [1182] [1183] [1184] [1185] [1186] [1187] [1188] [1189] [1190] [1191] [1192] [1193] [1194] [1195] [1196] [1197] [1198] [1199] [1200] [1201] [1202] [1203] [1204] [1205] [1206] [1207] [1208] [1209] [1210] [1211] [1212] [1213] [1214] [1215] [1216] [1217] [1218] [1219] [1220] [1221] [1222] [1223] [1224] [1225] [1226] [1227] [1228] [1229] [1230] [1231] [1232] [1233] [1234] [1235] [1236] [1237] [1238] [1239] [1240] [1241] [1242] [1243] [1244] [1245] [1246] [1247] [1248] [1249] [1250] [1251] [1252] [1253] [1254] [1255] [1256] [1257] [1258] [1259] [1260] [1261] [1262] [1263] [1264] [1265] [1266] [1267] [1268] [1269] [1270] [1271] [1272] [1273] [1274] [1275] [1276] [1277] [1278] [1279] [1280] [1281] [1282] [1283] [1284] [1285] [1286] [1287] [1288] [1289] [1290] [1291] [1292] [1293] [1294] [1295] [1296] [1297] [1298] [1299] [1300] [1301] [1302] [1303] [1304] [1305] [1306] [1307] [1308] [1309] [1310] [1311] [1312] [1313] [1314] [1315] [1316] [1317] [1318] [1319] [1320] [1321] [1322] [1323] [1324] [1325] [1326] [1327] [1328] [1329] [1330] [1331] [1332] [1333] [1334] [1335] [1336] [1337] [1338] [1339] [1340] [1341] [1342] [1343] [1344] [1345] [1346] [1347] [1348] [1349] [1350] [1351] [1352] [1353] [1354] [1355] [1356] [1357] [1358] [1359] [1360] [1361] [1362] [1363] [1364] [1365] [1366] [1367] [1368] [1369] [1370] [1371] [1372] [1373] [1374] [1375] [1376] [1377] [1378] [1379] [1380] [1381] [1382] [1383] [1384] [1385] [1386] [1387] [1388] [1389] [1390] [1391] [1392] [1393] [1394] [1395] [1396] [1397] [1398] [1399] [1400] [1401] [1402] [1403] [1404] [1405] [1406] [1407] [1408] [1409] [1410] [1411] [1412] [1413] [1414] [1415] [1416] [1417] [1418] [1419] [1420] [1421] [1422] [1423] [1424] [1425] 
[1426] [1427] [1428] [1429] [1430] [1431] [1432] [1433] [1434] [1435] [1436] [1437] [1438] [1439] [1440] [1441] [1442] [1443] [1444] [1445] [1446] [1447] [1448] [1449] [1450] [1451] [1452] [1453] [1454] [1455] [1456] [1457] [1458] [1459] [1460] [1461] [1462] [1463] [1464] [1465] [1466] [1467] [1468] [1469] [1470] [1471] [1472] [1473] [1474] [1475] [1476] [1477] [1478] [1479] [1480] [1481] [1482] [1483] [1484] [1485] [1486] [1487] [1488] [1489] [1490] [1491] [1492] [1493] [1494] [1495] [1496] [1497] [1498] [1499] [1500] [1501] [1502] [1503] [1504] [1505] [1506] [1507] [1508] [1509] [1510] [1511] [1512] [1513] [1514] [1515] [1516] [1517] [1518] [1519] [1520] [1521] [1522] [1523] [1524] [1525] [1526] [1527] [1528] [1529] [1530] [1531] [1532] [1533] [1534] [1535] [1536] [1537] [1538] [1539] [1540] [1541] [1542] [1543] [1544] [1545] [1546] [1547] [1548] [1549] [1550] [1551] [1552] [1553] [1554] [1555] [1556] [1557] [1558] [1559] [1560] [1561] [1562] [1563] [1564] [1565] [1566] [1567] [1568] [1569] [1570] [1571] [1572] [1573] [1574] [1575] [1576] [1577] [1578] [1579] [1580] [1581] [1582] [1583] [1584] [1585] [1586] [1587] [1588] [1589] [1590] [1591] [1592] [1593] [1594] [1595] [1596] [1597] [1598] [1599] [1600] [1601] [1602] [1603] [1604] [1605] [1606] [1607] [1608] [1609] [1610] [1611] [1612] [1613] [1614] [1615] [1616] [1617] [1618] [1619] [1620] [1621] [1622] [1623] [1624] [1625] [1626] [1627] [1628] [1629] [1630] [1631] [1632] [1633] [1634] [1635] [1636] [1637] [1638] [1639] [1640] [1641] [1642] [1643] [1644] [1645] [1646] [1647] [1648] [1649] [1650] [1651] [1652] [1653] [1654] [1655] [1656] [1657] [1658] [1659] [1660] [1661] [1662] [1663] [1664] [1665] [1666] [1667] [1668] [1669] [1670] [1671] [1672] [1673] [1674] [1675] [1676] [1677] [1678] [1679] [1680] [1681] [1682] [1683] [1684] [1685] [1686] [1687] [1688] [1689] [1690] [1691] [1692] [1693] [1694] [1695] [1696] [1697] [1698] [1699] [1700] [1701] [1702] [1703] [1704] [1705] [1706] [1707] [1708] [1709] [1710] 
[1711] [1712] [1713] [1714] [1715] [1716] [1717] [1718] [1719] [1720] [1721] [1722] [1723] [1724] [1725] [1726] [1727] [1728] [1729] [1730] [1731] [1732] [1733] [1734] [1735] [1736] [1737] [1738] [1739] [1740] [1741] [1742] [1743] [1744] [1745] [1746] [1747] [1748] [1749] [1750] [1751] [1752] [1753] [1754] [1755] [1756] [1757] [1758] [1759] [1760] [1761] [1762] [1763] [1764] [1765] [1766] [1767] [1768] [1769] [1770] [1771] [1772] [1773] [1774] [1775] [1776] [1777] [1778] [1779] [1780] [1781] [1782] [1783] [1784] [1785] [1786] [1787] [1788] [1789] [1790] [1791] [1792] [1793] [1794] [1795] [1796] [1797] [1798] [1799] [1800] [1801] [1802] [1803] [1804] [1805] [1806] [1807] [1808] [1809] [1810] [1811] [1812] [1813] [1814] [1815] [1816] [1817] [1818] [1819] [1820] [1821] [1822] [1823] [1824] [1825] [1826] [1827] [1828] [1829] [1830] [1831] [1832] [1833] [1834] [1835] [1836] [1837] [1838] [1839] [1840] [1841] [1842] [1843] [1844] [1845] [1846] [1847] [1848] [1849] [1850] [1851] [1852] [1853] [1854] [1855] [1856] [1857] [1858] [1859] [1860] [1861] [1862] [1863] [1864] [1865] [1866] [1867] [1868] [1869] [1870] [1871] [1872] [1873] [1874] [1875] [1876] [1877] [1878] [1879] [1880] [1881] [1882] [1883] [1884] [1885] [1886] [1887] [1888] [1889] [1890] [1891] [1892] [1893] [1894] [1895] [1896] [1897] [1898] [1899] [1900] [1901] [1902] [1903] [1904] [1905] [1906] [1907] [1908] [1909] [1910] [1911] [1912] [1913] [1914] [1915] [1916] [1917] [1918] [1919] [1920] [1921] [1922] [1923] [1924] [1925] [1926] [1927] [1928] [1929] [1930] [1931] [1932] [1933] [1934] [1935] [1936] [1937] [1938] [1939] [1940] [1941] [1942] [1943] [1944] [1945] [1946] [1947] [1948] [1949] [1950] [1951] [1952] [1953] [1954] [1955] [1956] [1957] [1958] [1959] [1960] [1961] [1962] [1963] [1964] [1965] [1966] [1967] [1968] [1969] [1970] [1971] [1972] [1973] [1974] [1975] [1976] [1977] [1978] [1979] [1980] [1981] [1982] [1983] [1984] [1985] [1986] [1987] [1988] [1989] [1990] [1991] [1992] [1993] [1994] [1995] 
[1996] [1997] [1998] [1999] [2000] [2001] [2002] [2003] [2004] [2005] [2006] [2007] [2008] [2009] [2010] [2011] [2012] [2013] [2014] [2015] [2016] [2017] [2018] [2019] [2020] [2021] [2022] [2023] [2024] [2025] [2026] [2027] [2028] [2029] [2030] [2031] [2032] [2033] [2034] [2035] [2036] [2037] [2038] [2039] [2040] [2041] [2042] [2043] [2044] [2045] [2046] [2047] [2048] [2049] [2050] [2051] [2052] [2053] [2054] [2055] [2056] [2057] [2058] [2059] [2060] [2061] [2062] [2063] [2064] [2065] [2066] [2067] [2068] [2069] [2070] [2071] [2072] [2073] [2074] [2075] [2076] [2077] [2078] [2079] [2080] [2081] [2082] [2083] [2084] [2085] [2086] [2087] [2088] [2089] [2090] [2091] [2092] [2093] [2094] [2095] [2096] [2097] [2098] [2099] [2100] [2101] [2102] [2103] [2104] [2105] [2106] [2107] [2108] [2109] [2110] [2111] [2112] [2113] [2114] [2115] [2116] [2117] [2118] [2119] [2120] [2121] [2122] [2123] [2124] [2125] [2126] [2127] [2128] [2129] [2130] [2131] [2132] [2133] [2134] [2135] [2136] [2137] [2138] [2139] [2140] [2141] [2142] [2143] [2144] [2145] [2146] [2147] [2148] [2149] [2150] [2151] [2152] [2153] [2154] [2155] [2156] [2157] [2158] [2159] [2160] [2161] [2162] [2163] [2164] [2165] [2166] [2167] [2168] [2169] [2170] [2171] [2172] [2173] [2174] [2175] [2176] [2177] [2178] [2179] [2180] [2181] [2182] [2183] [2184] [2185] [2186] [2187] [2188] [2189] [2190] [2191] [2192] [2193] [2194] [2195] [2196] [2197] [2198] [2199] [2200] [2201] [2202] [2203] [2204] [2205] [2206] [2207] [2208] [2209] [2210] [2211] [2212] [2213] [2214] [2215] [2216] [2217] [2218] [2219] [2220] [2221] [2222] [2223] [2224] [2225] [2226] [2227] [2228] [2229] [2230] [2231] [2232] [2233] [2234] [2235] [2236] [2237] [2238] [2239] [2240] [2241] [2242] [2243] [2244] [2245] [2246] [2247] [2248] [2249] [2250] [2251] [2252] [2253] [2254] [2255] [2256] [2257] [2258] [2259] [2260] [2261] [2262] [2263] [2264] [2265] [2266] [2267] [2268] [2269] [2270] [2271] [2272] [2273] [2274] [2275] [2276] [2277] [2278] [2279] [2280] 
[2281] [2282] [2283] [2284] [2285] [2286] [2287] [2288] [2289] [2290] [2291] [2292] [2293] [2294] [2295] [2296] [2297] [2298] [2299] [2300] [2301] [2302] [2303] [2304] [2305] [2306] [2307] [2308] [2309] [2310] [2311] [2312] [2313] [2314] [2315] [2316] [2317] [2318] [2319] [2320] [2321] [2322] [2323] [2324] [2325] [2326] [2327] [2328] [2329] [2330] [2331] [2332] [2333] [2334] [2335] [2336] [2337] [2338] [2339] [2340] [2341] [2342] [2343] [2344] [2345] [2346] [2347] [2348] [2349] [2350] [2351] [2352] [2353] [2354] [2355] [2356] [2357] [2358] [2359] [2360] [2361] [2362] [2363] [2364] [2365] [2366] [2367] [2368] [2369] [2370] [2371] [2372] [2373] [2374] [2375] [2376] [2377] [2378] [2379] [2380] [2381] [2382] [2383] [2384] [2385] [2386] [2387] [2388] [2389] [2390] [2391] [2392] [2393] [2394] [2395] [2396] [2397] [2398] [2399] [2400] [2401] [2402] [2403] [2404] [2405] [2406] [2407] [2408] [2409] [2410] [2411] [2412] [2413] [2414] [2415] [2416] [2417] [2418] [2419] [2420] [2421] [2422] [2423] [2424] [2425] [2426] [2427] [2428] [2429] [2430] [2431] [2432] [2433] [2434] [2435] [2436] [2437] [2438] [2439] [2440] [2441] [2442] [2443] [2444] [2445] [2446] [2447] [2448] [2449] [2450] [2451] [2452] [2453] [2454] [2455] [2456] [2457] [2458] [2459] [2460] [2461] [2462] [2463] [2464] [2465] [2466] [2467] [2468] [2469] [2470] [2471] [2472] [2473] [2474] [2475] [2476] [2477] [2478] [2479] [2480] [2481] [2482] [2483] [2484] [2485] [2486] [2487] [2488] [2489] [2490] [2491] [2492] [2493] [2494] [2495] [2496] [2497] [2498] [2499] [2500] [2501] [2502] [2503] [2504] [2505] [2506] [2507] [2508] [2509] [2510] [2511] [2512] [2513] [2514] [2515] [2516] [2517] [2518] [2519] [2520] [2521] [2522] [2523] [2524] [2525] [2526] [2527] [2528] [2529] [2530] [2531] [2532] [2533] [2534] [2535] [2536] [2537] [2538] [2539] [2540] [2541] [2542] [2543] [2544] [2545] [2546] [2547] [2548] [2549] [2550] [2551] [2552] [2553] [2554] [2555] [2556] [2557] [2558] [2559] [2560] [2561] [2562] [2563] [2564] [2565] 
[2566] [2567] [2568] [2569] [2570] [2571] [2572] [2573] [2574] [2575] [2576] [2577] [2578] [2579] [2580] [2581] [2582] [2583] [2584] [2585] [2586] [2587] [2588] [2589] [2590] [2591] [2592] [2593] [2594] [2595] [2596] [2597] [2598] [2599] [2600] [2601] [2602] [2603] [2604] [2605] [2606] [2607] [2608] [2609] [2610] [2611] [2612] [2613] [2614] [2615] [2616] [2617] [2618] [2619] [2620] [2621] [2622] [2623] [2624] [2625] [2626] [2627] [2628] [2629] [2630] [2631] [2632] [2633] [2634] [2635] [2636] [2637] [2638] [2639] [2640] [2641] [2642] [2643] [2644] [2645] [2646] [2647] [2648] [2649] [2650] [2651] [2652] [2653] [2654] [2655] [2656] [2657] [2658] [2659] [2660] [2661] [2662] [2663] [2664] [2665] [2666] [2667] [2668] [2669] [2670] [2671] [2672] [2673] [2674] [2675] [2676] [2677] [2678] [2679] [2680] [2681] [2682] [2683] [2684] [2685] [2686] [2687] [2688] [2689] [2690] [2691] [2692] [2693] [2694] [2695] [2696] [2697] [2698] [2699] [2700] [2701] [2702] [2703] [2704] [2705] [2706] [2707] [2708] [2709] [2710] [2711] [2712] [2713] [2714] [2715] [2716] [2717] [2718] [2719] [2720] [2721] [2722] [2723] [2724] [2725] [2726] [2727] [2728] [2729] [2730] [2731] [2732] [2733] [2734] [2735] [2736] [2737] [2738] [2739] [2740] [2741] [2742] [2743] [2744] [2745] [2746] [2747] [2748] [2749] [2750] [2751] [2752] [2753] [2754] [2755] [2756] [2757] [2758] [2759] [2760] [2761] [2762] [2763] [2764] [2765] [2766] [2767] [2768] [2769] [2770] [2771] [2772] [2773] [2774] [2775] [2776] [2777] [2778] [2779] [2780] [2781] [2782] [2783] [2784] [2785] [2786] [2787] [2788] [2789] [2790] [2791] [2792] [2793] [2794] [2795] [2796] [2797] [2798] [2799] [2800] [2801] [2802] [2803] [2804] [2805] [2806] [2807] [2808] [2809] [2810] [2811] [2812] [2813] [2814] [2815] [2816] [2817] [2818] [2819] [2820] [2821] [2822] [2823] [2824] [2825] [2826] [2827] [2828] [2829] [2830] [2831] [2832] [2833] [2834] [2835] [2836] [2837] [2838] [2839] [2840] [2841] [2842] [2843] [2844] [2845] [2846] [2847] [2848] [2849] [2850] 
[2851] [2852] [2853] [2854] [2855] [2856] [2857] [2858] [2859] [2860] [2861] [2862] [2863] [2864] [2865] [2866] [2867] [2868] [2869] [2870] [2871] [2872] [2873] [2874] [2875] [2876] [2877] [2878] [2879] [2880] [2881] [2882] [2883] [2884] [2885] [2886] [2887] [2888] [2889] [2890] [2891] [2892] [2893] [2894] [2895] [2896] [2897] [2898] [2899] [2900] [2901] [2902] [2903] [2904] [2905] [2906] [2907] [2908] [2909] [2910] [2911] [2912] [2913] [2914] [2915] [2916] [2917] [2918] [2919] [2920] [2921] [2922] [2923] [2924] [2925] [2926] [2927] [2928] [2929] [2930] [2931] [2932] [2933] [2934] [2935] [2936] [2937] [2938] [2939] [2940] [2941] [2942] [2943] [2944] [2945] [2946] [2947] [2948] [2949] [2950] [2951] [2952] [2953] [2954] [2955] [2956] [2957] [2958] [2959] [2960] [2961] [2962] [2963] [2964] [2965] [2966] [2967] [2968] [2969] [2970] [2971] [2972] [2973] [2974] [2975] [2976] [2977] [2978] [2979] [2980] [2981] [2982] [2983] [2984] [2985] [2986] [2987] [2988] [2989] [2990] [2991] [2992] [2993] [2994] [2995] [2996] [2997] [2998] [2999] [3000] [3001] [3002] [3003] [3004] [3005] [3006] [3007] [3008] [3009] [3010] [3011] [3012] [3013] [3014] [3015] [3016] [3017] [3018] [3019] [3020] [3021] [3022] [3023] [3024] [3025] [3026] [3027] [3028] [3029] [3030] [3031] [3032] [3033] [3034] [3035] [3036] [3037] [3038] [3039] [3040] [3041] [3042] [3043] [3044] [3045] [3046] [3047] [3048] [3049] [3050] [3051] [3052] [3053] [3054] [3055] [3056] [3057] [3058] [3059] [3060] [3061] [3062] [3063] [3064] [3065] [3066] [3067] [3068] [3069] [3070] [3071] [3072] [3073] [3074] [3075] [3076] [3077] [3078] [3079] [3080] [3081] [3082] [3083] [3084] [3085] [3086] [3087] [3088] [3089] [3090] [3091] [3092] [3093] [3094] [3095] [3096] [3097] [3098] [3099] [3100] [3101] [3102] [3103] [3104] [3105] [3106] [3107] [3108] [3109] [3110] [3111] [3112] [3113] [3114] [3115] [3116] [3117] [3118] [3119] [3120] [3121] [3122] [3123] [3124] [3125] [3126] [3127] [3128] [3129] [3130] [3131] [3132] [3133] [3134] [3135] 
[3136] [3137] [3138] [3139] [3140] [3141] [3142] [3143] [3144] [3145] [3146] [3147] [3148] [3149] [3150] [3151] [3152] [3153] [3154] [3155] [3156] [3157] [3158] [3159] [3160] [3161] [3162] [3163] [3164] [3165] [3166] [3167] [3168] [3169] [3170] [3171] [3172] [3173] [3174] [3175] [3176] [3177] [3178] [3179] [3180] [3181] [3182] [3183] [3184] [3185] [3186] [3187] [3188] [3189] [3190] [3191] [3192] [3193] [3194] [3195] [3196] [3197] [3198] [3199] [3200] [3201] [3202] [3203] [3204] [3205] [3206] [3207] [3208] [3209] [3210] [3211] [3212] [3213] [3214] [3215] [3216] [3217] [3218] [3219] [3220] [3221] [3222] [3223] [3224] [3225] [3226] [3227] [3228] [3229] [3230] [3231] [3232] [3233] [3234] [3235] [3236] [3237] [3238] [3239] [3240] [3241] [3242] [3243] [3244] [3245] [3246] [3247] [3248] [3249] [3250] [3251] [3252] [3253] [3254] [3255] [3256] [3257] [3258] [3259] [3260] [3261] [3262] [3263] [3264] [3265] [3266] [3267] [3268] [3269] [3270] [3271] [3272] [3273] [3274] [3275] [3276] [3277] [3278] [3279] [3280] [3281] [3282] [3283] [3284] [3285] [3286] [3287] [3288] [3289] [3290] [3291] [3292] [3293] [3294] [3295] [3296] [3297] [3298] [3299] [3300] [3301] [3302] [3303] [3304] [3305] [3306] [3307] [3308] [3309] [3310] [3311] [3312] [3313] [3314] [3315] [3316] [3317] [3318] [3319] [3320] [3321] [3322] [3323] [3324] [3325] [3326] [3327] [3328] [3329] [3330] [3331] [3332] [3333] [3334] [3335] [3336] [3337] [3338] [3339] [3340] [3341] [3342] [3343] [3344] [3345] [3346] [3347] [3348] [3349] [3350] [3351] [3352] [3353] [3354] [3355] [3356] [3357] [3358] [3359] [3360] [3361] [3362] [3363] [3364] [3365] [3366] [3367] [3368] [3369] [3370] [3371] [3372] [3373] [3374] [3375] [3376] [3377] [3378] [3379] [3380] [3381] [3382] [3383] [3384] [3385] [3386] [3387] [3388] [3389] [3390] [3391] [3392] [3393] [3394] [3395] [3396] [3397] [3398] [3399] [3400] [3401] [3402] [3403] [3404] [3405] [3406] [3407] [3408] [3409] [3410] [3411] [3412] [3413] [3414] [3415] [3416] [3417] [3418] [3419] [3420] 
[3421] [3422] [3423] [3424] [3425] [3426] [3427] [3428] [3429] [3430] [3431] [3432] [3433] [3434] [3435] [3436] [3437] [3438] [3439] [3440] [3441] [3442] [3443] [3444] [3445] [3446] [3447] [3448] [3449] [3450] [3451] [3452] [3453] [3454] [3455] [3456] [3457] [3458] [3459] [3460] [3461] [3462] [3463] [3464] [3465] [3466] [3467] [3468] [3469] [3470] [3471] [3472] [3473] [3474] [3475] [3476] [3477] [3478] [3479] [3480] [3481] [3482] [3483] [3484] [3485] [3486] [3487] [3488] [3489] [3490] [3491] [3492] [3493] [3494] [3495] [3496] [3497] [3498] [3499] [3500] [3501] [3502] [3503] [3504] [3505] [3506] [3507] [3508] [3509] [3510] [3511] [3512] [3513] [3514] [3515] [3516] [3517] [3518] [3519] [3520] [3521] [3522] [3523] [3524] [3525] [3526] [3527] [3528] [3529] [3530] [3531] [3532] [3533] [3534] [3535] [3536] [3537] [3538] [3539] [3540] [3541] [3542] [3543] [3544] [3545] [3546] [3547] [3548] [3549] [3550] [3551] [3552] [3553] [3554] [3555] [3556] [3557] [3558] [3559] [3560] [3561] [3562] [3563] [3564] [3565] [3566] [3567] [3568] [3569] [3570] [3571] [3572] [3573] [3574] [3575] [3576] [3577] [3578] [3579] [3580] [3581] [3582] [3583] [3584] [3585] [3586] [3587] [3588] [3589] [3590] [3591] [3592] [3593] [3594] [3595] [3596] [3597] [3598] [3599] [3600] [3601] [3602] [3603] [3604] [3605] [3606] [3607] [3608] [3609] [3610] [3611] [3612] [3613] [3614] [3615] [3616] [3617] [3618] [3619] [3620] [3621] [3622] [3623] [3624] [3625] [3626] [3627] [3628] [3629] [3630] [3631] [3632] [3633] [3634] [3635] [3636] [3637] [3638] [3639] [3640] [3641] [3642] [3643] [3644] [3645] [3646] [3647] [3648] [3649] [3650] [3651] [3652] [3653] [3654] [3655] [3656] [3657] [3658] [3659] [3660] [3661] [3662] [3663] [3664] [3665] [3666] [3667] [3668] [3669] [3670] [3671] [3672] [3673] [3674] [3675] [3676] [3677] [3678] [3679] [3680] [3681] [3682] [3683] [3684] [3685] [3686] [3687] [3688] [3689] [3690] [3691] [3692] [3693] [3694] [3695] [3696] [3697] [3698] [3699] [3700] [3701] [3702] [3703] [3704] [3705] 
[3706] [3707] [3708] [3709] [3710] [3711] [3712] [3713] [3714] [3715] [3716] [3717] [3718] [3719] [3720] [3721] [3722] [3723] [3724] [3725] [3726] [3727] [3728] [3729] [3730] [3731] [3732] [3733] [3734] [3735] [3736] [3737] [3738] [3739] [3740] [3741] [3742] [3743] [3744] [3745] [3746] [3747] [3748] [3749] [3750] [3751] [3752] [3753] [3754] [3755] [3756] [3757] [3758] [3759] [3760] [3761] [3762] [3763] [3764] [3765] [3766] [3767] [3768] [3769] [3770] [3771] [3772] [3773] [3774] [3775] [3776] [3777] [3778] [3779] [3780] [3781] [3782] [3783] [3784] [3785] [3786] [3787] [3788] [3789] [3790] [3791] [3792] [3793] [3794] [3795] [3796] [3797] [3798] [3799] [3800] [3801] [3802] [3803] [3804] [3805] [3806] [3807] [3808] [3809] [3810] [3811] [3812] [3813] [3814] [3815] [3816] [3817] [3818] [3819] [3820] [3821] [3822] [3823] [3824] [3825] [3826] [3827] [3828] [3829] [3830] [3831] [3832] [3833] [3834] [3835] [3836] [3837] [3838] [3839] [3840] [3841] [3842] [3843] [3844] [3845] [3846] [3847] [3848] [3849] [3850] [3851] [3852] [3853] [3854] [3855] [3856] [3857] [3858] [3859] [3860] [3861] [3862] [3863] [3864] [3865] [3866] [3867] [3868] [3869] [3870] [3871] [3872] [3873] [3874] [3875] [3876] [3877] [3878] [3879] [3880] [3881] [3882] [3883] [3884] [3885] [3886] [3887] [3888] [3889] [3890] [3891] [3892] [3893] [3894] [3895] [3896] [3897] [3898] [3899] [3900] [3901] [3902] [3903] [3904] [3905] [3906] [3907] [3908] [3909] [3910] [3911] [3912] [3913] [3914] [3915] [3916] [3917] [3918] [3919] [3920] [3921] [3922] [3923] [3924] [3925] [3926] [3927] [3928] [3929] [3930] [3931] [3932] [3933] [3934] [3935] [3936] [3937] [3938] [3939] [3940] [3941] [3942] [3943] [3944] [3945] [3946] [3947] [3948] [3949] [3950] [3951] [3952] [3953] [3954] [3955] [3956] [3957] [3958] [3959] [3960] [3961] [3962] [3963] [3964] [3965] [3966] [3967] [3968] [3969] [3970] [3971] [3972] [3973] [3974] [3975] [3976] [3977] [3978] [3979] [3980] [3981] [3982] [3983] [3984] [3985] [3986] [3987] [3988] [3989] [3990] 
[3991] [3992] [3993] [3994] [3995] [3996] [3997] [3998] [3999] [4000] [4001] [4002] [4003] [4004] [4005] [4006] [4007] [4008] [4009] [4010] [4011] [4012] [4013] [4014] [4015] [4016] [4017] [4018] [4019] [4020] [4021] [4022] [4023] [4024] [4025] [4026] [4027] [4028] [4029] [4030] [4031] [4032] [4033] [4034] [4035] [4036] [4037] [4038] [4039] [4040] [4041] [4042] [4043] [4044] [4045] [4046] [4047] [4048] [4049] [4050] [4051] [4052] [4053] [4054] [4055] [4056] [4057] [4058] [4059] [4060] [4061] [4062] [4063] [4064] [4065] [4066] [4067] [4068] [4069] [4070] [4071] [4072] [4073] [4074] [4075] [4076] [4077] [4078] [4079] [4080] [4081] [4082] [4083] [4084] [4085] [4086] [4087] [4088] [4089] [4090] [4091] [4092] [4093] [4094] [4095] [4096] [4097] [4098] [4099] [4100] [4101] [4102] [4103] [4104] [4105] [4106] [4107] [4108] [4109] [4110] [4111] [4112] [4113] [4114] [4115] [4116] [4117] [4118] [4119] [4120] [4121] [4122] [4123] [4124] [4125] [4126] [4127] [4128] [4129] [4130] [4131] [4132] [4133] [4134] [4135] [4136] [4137] [4138] [4139] [4140] [4141] [4142] [4143] [4144] [4145] [4146] [4147] [4148] [4149] [4150] [4151] [4152] [4153] [4154] [4155] [4156] [4157] [4158] [4159] [4160] [4161] [4162] [4163] [4164] [4165] [4166] [4167] [4168] [4169] [4170] [4171] [4172] [4173] [4174] [4175] [4176] [4177] [4178] [4179] [4180] [4181] [4182] [4183] [4184] [4185] [4186] [4187] [4188] [4189] [4190] [4191] [4192] [4193] [4194] [4195] [4196] [4197] [4198] [4199] [4200] [4201] [4202] [4203] [4204] [4205] [4206] [4207] [4208] [4209] [4210] [4211] [4212] [4213] [4214] [4215] [4216] [4217] [4218] [4219] [4220] [4221] [4222] [4223] [4224] [4225] [4226] [4227] [4228] [4229] [4230] [4231] [4232] [4233] [4234] [4235] [4236] [4237] [4238] [4239] [4240] [4241] [4242] [4243] [4244] [4245] [4246] [4247] [4248] [4249] [4250] [4251] [4252] [4253] [4254] [4255] [4256] [4257] [4258] [4259] [4260] [4261] [4262] [4263] [4264] [4265] [4266] [4267] [4268] [4269] [4270] [4271] [4272] [4273] [4274] [4275] 
[4276] [4277] [4278] [4279] [4280] [4281] [4282] [4283] [4284] [4285] [4286] [4287] [4288] [4289] [4290] [4291] [4292] [4293] [4294] [4295] [4296] [4297] [4298] [4299] [4300] [4301] [4302] [4303] [4304] [4305] [4306] [4307] [4308] [4309] [4310] [4311] [4312] [4313] [4314] [4315] [4316] [4317] [4318] [4319] [4320] [4321] [4322] [4323] [4324] [4325] [4326] [4327] [4328] [4329] [4330] [4331] [4332] [4333] [4334] [4335] [4336] [4337] [4338] [4339] [4340] [4341] [4342] [4343] [4344] [4345] [4346] [4347] [4348] [4349] [4350] [4351] [4352] [4353] [4354] [4355] [4356] [4357] [4358] [4359] [4360] [4361] [4362] [4363] [4364] [4365] [4366] [4367] [4368] [4369] [4370] [4371] [4372] [4373] [4374] [4375] [4376] [4377] [4378] [4379] [4380] [4381] [4382] [4383] [4384] [4385] [4386] [4387] [4388] [4389] [4390] [4391] [4392] [4393] [4394] [4395] [4396] [4397] [4398] [4399] [4400] [4401] [4402] [4403] [4404] [4405] [4406] [4407] [4408] [4409] [4410] [4411] [4412] [4413] [4414] [4415] [4416] [4417] [4418] [4419] [4420] [4421] [4422] [4423] [4424] [4425] [4426] [4427] [4428] [4429] [4430] [4431] [4432] [4433] [4434] [4435] [4436] [4437] [4438] [4439] [4440] [4441] [4442] [4443] [4444] [4445] [4446] [4447] [4448] [4449] [4450] [4451] [4452] [4453] [4454] [4455] [4456] [4457] [4458] [4459] [4460] [4461] [4462] [4463] [4464] [4465] [4466] [4467] [4468] [4469] [4470] [4471] [4472] [4473] [4474] [4475] [4476] [4477] [4478] [4479] [4480] [4481] [4482] [4483] [4484] [4485] [4486] [4487] [4488] [4489] [4490] [4491] [4492] [4493] [4494] [4495] [4496] [4497] [4498] [4499] [4500] [4501] [4502] [4503] [4504] [4505] [4506] [4507] [4508] [4509] [4510] [4511] [4512] [4513] [4514] [4515] [4516] [4517] [4518] [4519] [4520] [4521] [4522] [4523] [4524] [4525] [4526] [4527] [4528] [4529] [4530] [4531] [4532] [4533] [4534] [4535] [4536] [4537] [4538] [4539] [4540] [4541] [4542] [4543] [4544] [4545] [4546] [4547] [4548] [4549] [4550] [4551] [4552] [4553] [4554] [4555] [4556] [4557] [4558] [4559] [4560] 
[4561] [4562] [4563] [4564] [4565] [4566] [4567] [4568] [4569] [4570] [4571] [4572] [4573] [4574] [4575] [4576] [4577] [4578] [4579] [4580] [4581] [4582] [4583] [4584] [4585] [4586] [4587] [4588] [4589] [4590] [4591] [4592] [4593] [4594] [4595] [4596] [4597] [4598] [4599] [4600] [4601] [4602] [4603] [4604] [4605] [4606] [4607] [4608] [4609] [4610] [4611] [4612] [4613] [4614] [4615] [4616] [4617] [4618] [4619] [4620] [4621] [4622] [4623] [4624] [4625] [4626] [4627] [4628] [4629] [4630] [4631] [4632] [4633] [4634] [4635] [4636] [4637] [4638] [4639] [4640] [4641] [4642] [4643] [4644] [4645] [4646] [4647] [4648] [4649] [4650] [4651] [4652] [4653] [4654] [4655] [4656] [4657] [4658] [4659] [4660] [4661] [4662] [4663] [4664] [4665] [4666] [4667] [4668] [4669] [4670] [4671] [4672] [4673] [4674] [4675] [4676] [4677] [4678] [4679] [4680] [4681] [4682] [4683] [4684] [4685] [4686] [4687] [4688] [4689] [4690] [4691] [4692] [4693] [4694] [4695] [4696] [4697] [4698] [4699] [4700] [4701] [4702] [4703] [4704] [4705] [4706] [4707] [4708] [4709] [4710] [4711] [4712] [4713] [4714] [4715] [4716] [4717] [4718] [4719] [4720] [4721] [4722] [4723] [4724] [4725] [4726] [4727] [4728] [4729] [4730] [4731] [4732] [4733] [4734] [4735] [4736] [4737] [4738] [4739] [4740] [4741] [4742] [4743] [4744] [4745] [4746] [4747] [4748] [4749] [4750] [4751] [4752] [4753] [4754] [4755] [4756] [4757] [4758] [4759] [4760] [4761] [4762] [4763] [4764] [4765] [4766] [4767] [4768] [4769] [4770] [4771] [4772] [4773] [4774] [4775] [4776] [4777] [4778] [4779] [4780] [4781] [4782] [4783] [4784] [4785] [4786] [4787] [4788] [4789] [4790] [4791] [4792] [4793] [4794] [4795] [4796] [4797] [4798] [4799] [4800] [4801] [4802] [4803] [4804] [4805] [4806] [4807] [4808] [4809] [4810] [4811] [4812] [4813] [4814] [4815] [4816] [4817] [4818] [4819] [4820] [4821] [4822] [4823] [4824] [4825] [4826] [4827] [4828] [4829] [4830] [4831] [4832] [4833] [4834] [4835] [4836] [4837] [4838] [4839] [4840] [4841] [4842] [4843] [4844] [4845] 
[4846] [4847] [4848] [4849] [4850] [4851] [4852] [4853] [4854] [4855] [4856] [4857] [4858] [4859] [4860] [4861] [4862] [4863] [4864] [4865] [4866] [4867] [4868] [4869] [4870] [4871] [4872] [4873] [4874] [4875] [4876] [4877] [4878] [4879] [4880] [4881] [4882] [4883] [4884] [4885] [4886] [4887] [4888] [4889] [4890] [4891] [4892] [4893] [4894] [4895] [4896] [4897] [4898] [4899] [4900] [4901] [4902] [4903] [4904] [4905] [4906] [4907] [4908] [4909] [4910] [4911] [4912] [4913] [4914] [4915] [4916] [4917] [4918] [4919] [4920] [4921] [4922] [4923] [4924] [4925] [4926] [4927] [4928] [4929] [4930] [4931] [4932] [4933] [4934] [4935] [4936] [4937] [4938] [4939] [4940] [4941] [4942] [4943] [4944] [4945] [4946] [4947] [4948] [4949] [4950] [4951] [4952] [4953] [4954] [4955] [4956] [4957] [4958] [4959] [4960] [4961] [4962] [4963] [4964] [4965] [4966] [4967] [4968] [4969] [4970] [4971] [4972] [4973] [4974] [4975] [4976] [4977] [4978] [4979] [4980] [4981] [4982] [4983] [4984] [4985] [4986] [4987] [4988] [4989] [4990] [4991] [4992] [4993] [4994] [4995] [4996] [4997] [4998] [4999] [5000] [5001] [5002] [5003] [5004] [5005] [5006] [5007] [5008] [5009] [5010] [5011] [5012] [5013] [5014] [5015] [5016] [5017] [5018] [5019] [5020] [5021] [5022] [5023] [5024] [5025] [5026] [5027] [5028] [5029] [5030] [5031] [5032] [5033] [5034] [5035] [5036] [5037] [5038] [5039] [5040] [5041] [5042] [5043] [5044] [5045] [5046] [5047] [5048] [5049] [5050] [5051] [5052] [5053] [5054] [5055] [5056] [5057] [5058] [5059] [5060] [5061] [5062] [5063] [5064] [5065] [5066] [5067] [5068] [5069] [5070] [5071] [5072] [5073] [5074] [5075] [5076] [5077] [5078] [5079] [5080] [5081] [5082] [5083] [5084] [5085] [5086] [5087] [5088] [5089] [5090] [5091] [5092] [5093] [5094] [5095] [5096] [5097] [5098] [5099] [5100] [5101] [5102] [5103] [5104] [5105] [5106] [5107] [5108] [5109] [5110] [5111] [5112] [5113] [5114] [5115] [5116] [5117] [5118] [5119] [5120] [5121] [5122] [5123] [5124] [5125] [5126] [5127] [5128] [5129] [5130] 
[5131] [5132] [5133] [5134] [5135] [5136] [5137] [5138] [5139] [5140] [5141] [5142] [5143] [5144] [5145] [5146] [5147] [5148] [5149] [5150] [5151] [5152] [5153] [5154] [5155] [5156] [5157] [5158] [5159] [5160] [5161] [5162] [5163] [5164] [5165] [5166] [5167] [5168] [5169] [5170] [5171] [5172] [5173] [5174] [5175] [5176] [5177] [5178] [5179] [5180] [5181] [5182] [5183] [5184] [5185] [5186] [5187] [5188] [5189] [5190] [5191] [5192] [5193] [5194] [5195] [5196] [5197] [5198] [5199] [5200] [5201] [5202] [5203] [5204] [5205] [5206] [5207] [5208] [5209] [5210] [5211] [5212] [5213] [5214] [5215] [5216] [5217] [5218] [5219] [5220] [5221] [5222] [5223] [5224] [5225] [5226] [5227] [5228] [5229] [5230] [5231] [5232] [5233] [5234] [5235] [5236] [5237] [5238] [5239] [5240] [5241] [5242] [5243] [5244] [5245] [5246] [5247] [5248] [5249] [5250] [5251] [5252] [5253] [5254] [5255] [5256] [5257] [5258] [5259] [5260] [5261] [5262] [5263] [5264] [5265] [5266] [5267] [5268] [5269] [5270] [5271] [5272] [5273] [5274] [5275] [5276] [5277] [5278] [5279] [5280] [5281] [5282] [5283] [5284] [5285] [5286] [5287] [5288] [5289] [5290] [5291] [5292] [5293] [5294] [5295] [5296] [5297] [5298] [5299] [5300] [5301] [5302] [5303] [5304] [5305] [5306] [5307] [5308] [5309] [5310] [5311] [5312] [5313] [5314] [5315] [5316] [5317] [5318] [5319] [5320] [5321] [5322] [5323] [5324] [5325] [5326] [5327] [5328] [5329] [5330] [5331] [5332] [5333] [5334] [5335] [5336] [5337] [5338] [5339] [5340] [5341] [5342] [5343] [5344] [5345] [5346] [5347] [5348] [5349] [5350] [5351] [5352] [5353] [5354] [5355] [5356] [5357] [5358] [5359] [5360] [5361] [5362] [5363] [5364] [5365] [5366] [5367] [5368] [5369] [5370] [5371] [5372] [5373] [5374] [5375] [5376] [5377] [5378] [5379] [5380] [5381] [5382] [5383] [5384] [5385] [5386] [5387] [5388] [5389] [5390] [5391] [5392] [5393] [5394] [5395] [5396] [5397] [5398] [5399] [5400] [5401] [5402] [5403] [5404] [5405] [5406] [5407] [5408] [5409] [5410] [5411] [5412] [5413] [5414] [5415] 
[5416] [5417] [5418] [5419] [5420] [5421] [5422] [5423] [5424] [5425] [5426] [5427] [5428] [5429] [5430] [5431] [5432] [5433] [5434] [5435] [5436] [5437] [5438] [5439] [5440] [5441] [5442] [5443] [5444] [5445] [5446] [5447] [5448] [5449] [5450] [5451] [5452] [5453] [5454] [5455] [5456] [5457] [5458] [5459] [5460] [5461] [5462] [5463] [5464] [5465] [5466] [5467] [5468] [5469] [5470] [5471] [5472] [5473] [5474] [5475] [5476] [5477] [5478] [5479] [5480] [5481] [5482] [5483] [5484] [5485] [5486] [5487] [5488] [5489] [5490] [5491] [5492] [5493] [5494] [5495] [5496] [5497] [5498] [5499] [5500] [5501] [5502] [5503] [5504] [5505] [5506] [5507] [5508] [5509] [5510] [5511] [5512] [5513] [5514] [5515] [5516] [5517] [5518] [5519] [5520] [5521] [5522] [5523] [5524] [5525] [5526] [5527] [5528] [5529] [5530] [5531] [5532] [5533] [5534] [5535] [5536] [5537] [5538] [5539] [5540] [5541] [5542] [5543] [5544] [5545] [5546] [5547] [5548] [5549] [5550] [5551] [5552] [5553] [5554] [5555] [5556] [5557] [5558] [5559] [5560] [5561] [5562] [5563] [5564] [5565] [5566] [5567] [5568] [5569] [5570] [5571] [5572] [5573] [5574] [5575] [5576] [5577] [5578] [5579] [5580] [5581] [5582] [5583] [5584] [5585] [5586] [5587] [5588] [5589] [5590] [5591] [5592] [5593] [5594] [5595] [5596] [5597] [5598] [5599] [5600] [5601] [5602] [5603] [5604] [5605] [5606] [5607] [5608] [5609] [5610] [5611] [5612] [5613] [5614] [5615] [5616] [5617] [5618] [5619] [5620] [5621] [5622] [5623] [5624] [5625] [5626] [5627] [5628] [5629] [5630] [5631] [5632] [5633] [5634] [5635] [5636] [5637] [5638] [5639] [5640] [5641] [5642] [5643] [5644] [5645] [5646] [5647] [5648] [5649] [5650] [5651] [5652] [5653] [5654] [5655] [5656] [5657] [5658] [5659] [5660] [5661] [5662] [5663] [5664] [5665] [5666] [5667] [5668] [5669] [5670] [5671] [5672] [5673] [5674] [5675] [5676] [5677] [5678] [5679] [5680] [5681] [5682] [5683] [5684] [5685] [5686] [5687] [5688] [5689] [5690] [5691] [5692] [5693] [5694] [5695] [5696] [5697] [5698] [5699] [5700] 
[5701] [5702] [5703] [5704] [5705] [5706] [5707] [5708] [5709] [5710] [5711] [5712] [5713] [5714] [5715] [5716] [5717] [5718] [5719] [5720] [5721] [5722] [5723] [5724] [5725] [5726] [5727] [5728] [5729] [5730] [5731] [5732] [5733] [5734] [5735] [5736] [5737] [5738] [5739] [5740] [5741] [5742] [5743] [5744] [5745] [5746] [5747] [5748] [5749] [5750] [5751] [5752] [5753] [5754] [5755] [5756] [5757] [5758] [5759] [5760] [5761] [5762] [5763] [5764] [5765] [5766] [5767] [5768] [5769] [5770] [5771] [5772] [5773] [5774] [5775] [5776] [5777] [5778] [5779] [5780] [5781] [5782] [5783] [5784] [5785] [5786] [5787] [5788] [5789] [5790] [5791] [5792] [5793] [5794] [5795] [5796] [5797] [5798] [5799] [5800] [5801] [5802] [5803] [5804] [5805] [5806] [5807] [5808] [5809] [5810] [5811] [5812] [5813] [5814] [5815] [5816] [5817] [5818] [5819] [5820] [5821] [5822] [5823] [5824] [5825] [5826] [5827] [5828] [5829] [5830] [5831] [5832] [5833] [5834] [5835] [5836] [5837] [5838] [5839] [5840] [5841] [5842] [5843] [5844] [5845] [5846] [5847] [5848] [5849] [5850] [5851] [5852] [5853] [5854] [5855] [5856] [5857] [5858] [5859] [5860] [5861] [5862] [5863] [5864] [5865] [5866] [5867] [5868] [5869] [5870] [5871] [5872] [5873] [5874] [5875] [5876] [5877] [5878] [5879] [5880] [5881] [5882] [5883] [5884] [5885] [5886] [5887] [5888] [5889] [5890] [5891] [5892] [5893] [5894] [5895] [5896] [5897] [5898] [5899] [5900] [5901] [5902] [5903] [5904] [5905] [5906] [5907] [5908] [5909] [5910] [5911] [5912] [5913] [5914] [5915] [5916] [5917] [5918] [5919] [5920] [5921] [5922] [5923] [5924] [5925] [5926] [5927] [5928] [5929] [5930] [5931] [5932] [5933] [5934] [5935] [5936] [5937] [5938] [5939] [5940] [5941] [5942] [5943] [5944] [5945] [5946] [5947] [5948] [5949] [5950] [5951] [5952] [5953] [5954] [5955] [5956] [5957] [5958] [5959] [5960] [5961] [5962] [5963] [5964] [5965] [5966] [5967] [5968] [5969] [5970] [5971] [5972] [5973] [5974] [5975] [5976] [5977] [5978] [5979] [5980] [5981] [5982] [5983] [5984] [5985] 
[5986] [5987] [5988] [5989] [5990] [5991] [5992] [5993] [5994] [5995] [5996] [5997] [5998] [5999] [6000] [6001] [6002] [6003] [6004] [6005] [6006] [6007] [6008] [6009] [6010] [6011] [6012] [6013] [6014] [6015] [6016] [6017] [6018] [6019] [6020] [6021] [6022] [6023] [6024] [6025] [6026] [6027] [6028] [6029] [6030] [6031] [6032] [6033] [6034] [6035] [6036] [6037] [6038] [6039] [6040] [6041] [6042] [6043] [6044] [6045] [6046] [6047] [6048] [6049] [6050] [6051] [6052] [6053] [6054] [6055] [6056] [6057] [6058] [6059] [6060] [6061] [6062] [6063] [6064] [6065] [6066] [6067] [6068] [6069] [6070] [6071] [6072] [6073] [6074] [6075] [6076] [6077] [6078] [6079] [6080] [6081] [6082] [6083] [6084] [6085] [6086] [6087] [6088] [6089] [6090] [6091] [6092] [6093] [6094] [6095] [6096] [6097] [6098] [6099] [6100] [6101] [6102] [6103] [6104] [6105] [6106] [6107] [6108] [6109] [6110] [6111] [6112] [6113] [6114] [6115] [6116] [6117] [6118] [6119] [6120] [6121] [6122] [6123] [6124] [6125] [6126] [6127] [6128] [6129] [6130] [6131] [6132] [6133] [6134] [6135] [6136] [6137] [6138] [6139] [6140] [6141] [6142] [6143] [6144] [6145] [6146] [6147] [6148] [6149] [6150] [6151] [6152] [6153] [6154] [6155] [6156] [6157] [6158] [6159] [6160] [6161] [6162] [6163] [6164] [6165] [6166] [6167] [6168] [6169] [6170] [6171] [6172] [6173] [6174] [6175] [6176] [6177] [6178] [6179] [6180] [6181] [6182] [6183] [6184] [6185] [6186] [6187] [6188] [6189] [6190] [6191] [6192] [6193] [6194] [6195] [6196] [6197] [6198] [6199] [6200] [6201] [6202] [6203] [6204] [6205] [6206] [6207] [6208] [6209] [6210] [6211] [6212] [6213] [6214] [6215] [6216] [6217] [6218] [6219] [6220] [6221] [6222] [6223] [6224] [6225] [6226] [6227] [6228] [6229] [6230] [6231] [6232] [6233] [6234] [6235] [6236] [6237] [6238] [6239] [6240] [6241] [6242] [6243] [6244] [6245] [6246] [6247] [6248] [6249] [6250] [6251] [6252] [6253] [6254] [6255] [6256] [6257] [6258] [6259] [6260] [6261] [6262] [6263] [6264] [6265] [6266] [6267] [6268] [6269] [6270] 
[6271] [6272] [6273] [6274] [6275] [6276] [6277] [6278] [6279] [6280] [6281] [6282] [6283] [6284] [6285] [6286] [6287] [6288] [6289] [6290] [6291] [6292] [6293] [6294] [6295] [6296] [6297] [6298] [6299] [6300] [6301] [6302] [6303] [6304] [6305] [6306] [6307] [6308] [6309] [6310] [6311] [6312] [6313] [6314] [6315] [6316] [6317] [6318] [6319] [6320] [6321] [6322] [6323] [6324] [6325] [6326] [6327] [6328] [6329] [6330] [6331] [6332] [6333] [6334] [6335] [6336] [6337] [6338] [6339] [6340] [6341] [6342] [6343] [6344] [6345] [6346] [6347] [6348] [6349] [6350] [6351] [6352] [6353] [6354] [6355] [6356] [6357] [6358] [6359] [6360] [6361] [6362] [6363] [6364] [6365] [6366] [6367] [6368] [6369] [6370] [6371] [6372] [6373] [6374] [6375] [6376] [6377] [6378] [6379] [6380] [6381] [6382] [6383] [6384] [6385] [6386] [6387] [6388] [6389] [6390] [6391] [6392] [6393] [6394] [6395] [6396] [6397] [6398] [6399] [6400] [6401] [6402] [6403] [6404] [6405] [6406] [6407] [6408] [6409] [6410] [6411] [6412] [6413] [6414] [6415] [6416] [6417] [6418] [6419] [6420] [6421] [6422] [6423] [6424] [6425] [6426] [6427] [6428] [6429] [6430] [6431] [6432] [6433] [6434] [6435] [6436] [6437] [6438] [6439] [6440] [6441] [6442] [6443] [6444] [6445] [6446] [6447] [6448] [6449] [6450] [6451] [6452] [6453] [6454] [6455] [6456] [6457] [6458] [6459] [6460] [6461] [6462] [6463] [6464] [6465] [6466] [6467] [6468] [6469] [6470] [6471] [6472] [6473] [6474] [6475] [6476] [6477] [6478] [6479] [6480] [6481] [6482] [6483] [6484] [6485] [6486] [6487] [6488] [6489] [6490] [6491] [6492] [6493] [6494] [6495] [6496] [6497] [6498] [6499] [6500] [6501] [6502] [6503] [6504] [6505] [6506] [6507] [6508] [6509] [6510] [6511] [6512] [6513] [6514] [6515] [6516] [6517] [6518] [6519] [6520] [6521] [6522] [6523] [6524] [6525] [6526] [6527] [6528] [6529] [6530] [6531] [6532] [6533] [6534] [6535] [6536] [6537] [6538] [6539] [6540] [6541] [6542] [6543] [6544] [6545] [6546] [6547] [6548] [6549] [6550] [6551] [6552] [6553] [6554] [6555] 
[6556] [6557] [6558] [6559] [6560] [6561] [6562] [6563] [6564] [6565] [6566] [6567] [6568] [6569] [6570] [6571] [6572] [6573] [6574] [6575] [6576] [6577] [6578] [6579] [6580] [6581] [6582] [6583] [6584] [6585] [6586] [6587] [6588] [6589] [6590] [6591] [6592] [6593] [6594] [6595] [6596] [6597] [6598] [6599] [6600] [6601] [6602] [6603] [6604] [6605] [6606] [6607] [6608] [6609] [6610] [6611] [6612] [6613] [6614] [6615] [6616] [6617] [6618] [6619] [6620] [6621] [6622] [6623] [6624] [6625] [6626] [6627] [6628] [6629] [6630] [6631] [6632] [6633] [6634] [6635] [6636] [6637] [6638] [6639] [6640] [6641] [6642] [6643] [6644] [6645] [6646] [6647] [6648] [6649] [6650] [6651] [6652] [6653] [6654] [6655] [6656] [6657] [6658] [6659] [6660] [6661] [6662] [6663] [6664] [6665] [6666] [6667] [6668] [6669] [6670] [6671] [6672] [6673] [6674] [6675] [6676] [6677] [6678] [6679] [6680] [6681] [6682] [6683] [6684] [6685] [6686] [6687] [6688] [6689] [6690] [6691] [6692] [6693] [6694] [6695] [6696] [6697] [6698] [6699] [6700] [6701] [6702] [6703] [6704] [6705] [6706] [6707] [6708] [6709] [6710] [6711] [6712] [6713] [6714] [6715] [6716] [6717] [6718] [6719] [6720] [6721] [6722] [6723] [6724] [6725] [6726] [6727] [6728] [6729] [6730] [6731] [6732] [6733] [6734] [6735] [6736] [6737] [6738] [6739] [6740] [6741] [6742] [6743] [6744] [6745] [6746] [6747] [6748] [6749] [6750] [6751] [6752] [6753] [6754] [6755] [6756] [6757] [6758] [6759] [6760] [6761] [6762] [6763] [6764] [6765] [6766] [6767] [6768] [6769] [6770] [6771] [6772] [6773] [6774] [6775] [6776] [6777] [6778] [6779] [6780] [6781] [6782] [6783] [6784] [6785] [6786] [6787] [6788] [6789] [6790] [6791] [6792] [6793] [6794] [6795] [6796] [6797] [6798] [6799] [6800] [6801] [6802] [6803] [6804] [6805] [6806] [6807] [6808] [6809] [6810] [6811] [6812] [6813] [6814] [6815] [6816] [6817] [6818] [6819] [6820] [6821] [6822] [6823] [6824] [6825] [6826] [6827] [6828] [6829] [6830] [6831] [6832] [6833] [6834] [6835] [6836] [6837] [6838] [6839] [6840] 
[6841] [6842] [6843] [6844] [6845] [6846] [6847] [6848] [6849] [6850] [6851] [6852] [6853] [6854] [6855] [6856] [6857] [6858] [6859] [6860] [6861] [6862] [6863] [6864] [6865] [6866] [6867] [6868] [6869] [6870] [6871] [6872] [6873] [6874] [6875] [6876] [6877] [6878] [6879] [6880] [6881] [6882] [6883] [6884] [6885] [6886] [6887] [6888] [6889] [6890] [6891] [6892] [6893] [6894] [6895] [6896] [6897] [6898] [6899] [6900] [6901] [6902] [6903] [6904] [6905] [6906] [6907] [6908] [6909] [6910] [6911] [6912] [6913] [6914] [6915] [6916] [6917] [6918] [6919] [6920] [6921] [6922] [6923] [6924] [6925] [6926] [6927] [6928] [6929] [6930] [6931] [6932] [6933] [6934] [6935] [6936] [6937] [6938] [6939] [6940] [6941] [6942] [6943] [6944] [6945] [6946] [6947] [6948] [6949] [6950] [6951] [6952] [6953] [6954] [6955] [6956] [6957] [6958] [6959] [6960] [6961] [6962] [6963] [6964] [6965] [6966] [6967] [6968] [6969] [6970] [6971] [6972] [6973] [6974] [6975] [6976] [6977] [6978] [6979] [6980] [6981] [6982] [6983] [6984] [6985] [6986] [6987] [6988] [6989] [6990] [6991] [6992] [6993] [6994] [6995] [6996] [6997] [6998] [6999] [7000] [7001] [7002] [7003] [7004] [7005] [7006] [7007] [7008] [7009] [7010] [7011] [7012] [7013] [7014] [7015] [7016] [7017] [7018] [7019] [7020] [7021] [7022] [7023] [7024] [7025] [7026] [7027] [7028] [7029] [7030] [7031] [7032] [7033] [7034] [7035] [7036] [7037] [7038] [7039] [7040] [7041] [7042] [7043] [7044] [7045] [7046] [7047] [7048] [7049] [7050] [7051] [7052] [7053] [7054] [7055] [7056] [7057] [7058] [7059] [7060] [7061] [7062] [7063] [7064] [7065] [7066] [7067] [7068] [7069] [7070] [7071] [7072] [7073] [7074] [7075] [7076] [7077] [7078] [7079] [7080] [7081] [7082] [7083] [7084] [7085] [7086] [7087] [7088] [7089] [7090] [7091] [7092] [7093] [7094] [7095] [7096] [7097] [7098] [7099] [7100] [7101] [7102] [7103] [7104] [7105] [7106] [7107] [7108] [7109] [7110] [7111] [7112] [7113] [7114] [7115] [7116] [7117] [7118] [7119] [7120] [7121] [7122] [7123] [7124] [7125] 
[7126] [7127] [7128] [7129] [7130] [7131] [7132] [7133] [7134] [7135] [7136] [7137] [7138] [7139] [7140] [7141] [7142] [7143] [7144] [7145] [7146] [7147] [7148] [7149] [7150] [7151] [7152] [7153] [7154] [7155] [7156] [7157] [7158] [7159] [7160] [7161] [7162] [7163] [7164] [7165] [7166] [7167] [7168] [7169] [7170] [7171] [7172] [7173] [7174] [7175] [7176] [7177] [7178] [7179] [7180] [7181] [7182] [7183] [7184] [7185] [7186] [7187] [7188] [7189] [7190] [7191] [7192] [7193] [7194] [7195] [7196] [7197] [7198] [7199] [7200] [7201] [7202] [7203] [7204] [7205] [7206] [7207] [7208] [7209] [7210] [7211] [7212] [7213] [7214] [7215] [7216] [7217] [7218] [7219] [7220] [7221] [7222] [7223] [7224] [7225] [7226] [7227] [7228] [7229] [7230] [7231] [7232] [7233] [7234] [7235] [7236] [7237] [7238] [7239] [7240] [7241] [7242] [7243] [7244] [7245] [7246] [7247] [7248] [7249] [7250] [7251] [7252] [7253] [7254] [7255] [7256] [7257] [7258] [7259] [7260] [7261] [7262] [7263] [7264] [7265] [7266] [7267] [7268] [7269] [7270] [7271] [7272] [7273] [7274] [7275] [7276] [7277] [7278] [7279] [7280] [7281] [7282] [7283] [7284] [7285] [7286] [7287] [7288] [7289] [7290] [7291] [7292] [7293] [7294] [7295] [7296] [7297] [7298] [7299] [7300] [7301] [7302] [7303] [7304] [7305] [7306] [7307] [7308] [7309] [7310] [7311] [7312] [7313] [7314] [7315] [7316] [7317] [7318] [7319] [7320] [7321] [7322] [7323] [7324] [7325] [7326] [7327] [7328] [7329] [7330] [7331] [7332] [7333] [7334] [7335] [7336] [7337] [7338] [7339] [7340] [7341] [7342] [7343] [7344] [7345] [7346] [7347] [7348] [7349] [7350] [7351] [7352] [7353] [7354] [7355] [7356] [7357] [7358] [7359] [7360] [7361] [7362] [7363] [7364] [7365] [7366] [7367] [7368] [7369] [7370] [7371] [7372] [7373] [7374] [7375] [7376] [7377] [7378] [7379] [7380] [7381] [7382] [7383] [7384] [7385] [7386] [7387] [7388] [7389] [7390] [7391] [7392] [7393] [7394] [7395] [7396] [7397] [7398] [7399] [7400] [7401] [7402] [7403] [7404] [7405] [7406] [7407] [7408] [7409] [7410] 
[7411] [7412] [7413] [7414] [7415] [7416] [7417] [7418] [7419] [7420] [7421] [7422] [7423] [7424] [7425] [7426] [7427] [7428] [7429] [7430] [7431] [7432] [7433] [7434] [7435] [7436] [7437] [7438] [7439] [7440] [7441] [7442] [7443] [7444] [7445] [7446] [7447] [7448] [7449] [7450] [7451] [7452] [7453] [7454] [7455] [7456] [7457] [7458] [7459] [7460] [7461] [7462] [7463] [7464] [7465] [7466] [7467] [7468] [7469] [7470] [7471] [7472] [7473] [7474] [7475] [7476] [7477] [7478] [7479] [7480] [7481] [7482] [7483] [7484] [7485] [7486] [7487] [7488] [7489] [7490] [7491] [7492] [7493] [7494] [7495] [7496] [7497] [7498] [7499] [7500] [7501] [7502] [7503] [7504] [7505] [7506] [7507] [7508] [7509] [7510] [7511] [7512] [7513] [7514] [7515] [7516] [7517] [7518] [7519] [7520] [7521] [7522] [7523] [7524] [7525] [7526] [7527] [7528] [7529] [7530] [7531] [7532] [7533] [7534] [7535] [7536] [7537] [7538] [7539] [7540] [7541] [7542] [7543] [7544] [7545] [7546] [7547] [7548] [7549] [7550] [7551] [7552] [7553] [7554] [7555] [7556] [7557] [7558] [7559] [7560] [7561] [7562] [7563] [7564] [7565] [7566] [7567] [7568] [7569] [7570] [7571] [7572] [7573] [7574] [7575] [7576] [7577] [7578] [7579] [7580] [7581] [7582] [7583] [7584] [7585] [7586] [7587] [7588] [7589] [7590] [7591] [7592] [7593] [7594] [7595] [7596] [7597] [7598] [7599] [7600] [7601] [7602] [7603] [7604] [7605] [7606] [7607] [7608] [7609] [7610] [7611] [7612] [7613] [7614] [7615] [7616] [7617] [7618] [7619] [7620] [7621] [7622] [7623] [7624] [7625] [7626] [7627] [7628] [7629] [7630] [7631] [7632] [7633] [7634] [7635] [7636] [7637] [7638] [7639] [7640] [7641] [7642] [7643] [7644] [7645] [7646] [7647] [7648] [7649] [7650] [7651] [7652] [7653] [7654] [7655] [7656] [7657] [7658] [7659] [7660] [7661] [7662] [7663] [7664] [7665] [7666] [7667] [7668] [7669] [7670] [7671] [7672] [7673] [7674] [7675] [7676] [7677] [7678] [7679] [7680] [7681] [7682] [7683] [7684] [7685] [7686] [7687] [7688] [7689] [7690] [7691] [7692] [7693] [7694] [7695] 
[7696] [7697] [7698] [7699] [7700] [7701] [7702] [7703] [7704] [7705] [7706] [7707] [7708] [7709] [7710] [7711] [7712] [7713] [7714] [7715] [7716] [7717] [7718] [7719] [7720] [7721] [7722] [7723] [7724] [7725] [7726] [7727] [7728] [7729] [7730] [7731] [7732] [7733] [7734] [7735] [7736] [7737] [7738] [7739] [7740] [7741] [7742] [7743] [7744] [7745] [7746] [7747] [7748] [7749] [7750] [7751] [7752] [7753] [7754] [7755] [7756] [7757] [7758] [7759] [7760] [7761] [7762] [7763] [7764] [7765] [7766] [7767] [7768] [7769] [7770] [7771] [7772] [7773] [7774] [7775] [7776] [7777] [7778] [7779] [7780] [7781] [7782] [7783] [7784] [7785] [7786] [7787] [7788] [7789] [7790] [7791] [7792] [7793] [7794] [7795] [7796] [7797] [7798] [7799] [7800] [7801] [7802] [7803] [7804] [7805] [7806] [7807] [7808] [7809] [7810] [7811] [7812] [7813] [7814] [7815] [7816] [7817] [7818] [7819] [7820] [7821] [7822] [7823] [7824] [7825] [7826] [7827] [7828] [7829] [7830] [7831] [7832] [7833] [7834] [7835] [7836] [7837] [7838] [7839] [7840] [7841] [7842] [7843] [7844] [7845] [7846] [7847] [7848] [7849] [7850] [7851] [7852] [7853] [7854] [7855] [7856] [7857] [7858] [7859] [7860] [7861] [7862] [7863] [7864] [7865] [7866] [7867] [7868] [7869] [7870] [7871] [7872] [7873] [7874] [7875] [7876] [7877] [7878] [7879] [7880] [7881] [7882] [7883] [7884] [7885] [7886] [7887] [7888] [7889] [7890] [7891] [7892] [7893] [7894] [7895] [7896] [7897] [7898] [7899] [7900] [7901] [7902] [7903] [7904] [7905] [7906] [7907] [7908] [7909] [7910] [7911] [7912] [7913] [7914] [7915] [7916] [7917] [7918] [7919] [7920] [7921] [7922] [7923] [7924] [7925] [7926] [7927] [7928] [7929] [7930] [7931] [7932] [7933] [7934] [7935] [7936] [7937] [7938] [7939] [7940] [7941] [7942] [7943] [7944] [7945] [7946] [7947] [7948] [7949] [7950] [7951] [7952] [7953] [7954] [7955] [7956] [7957] [7958] [7959] [7960] [7961] [7962] [7963] [7964] [7965] [7966] [7967] [7968] [7969] [7970] [7971] [7972] [7973] [7974] [7975] [7976] [7977] [7978] [7979] [7980] 
[7981] [7982] [7983] [7984] [7985] [7986] [7987] [7988] [7989] [7990] [7991] [7992] [7993] [7994] [7995] [7996] [7997] [7998] [7999] [8000] [8001] [8002] [8003] [8004] [8005] [8006] [8007] [8008] [8009] [8010] [8011] [8012] [8013] [8014] [8015] [8016] [8017] [8018] [8019] [8020] [8021] [8022] [8023] [8024] [8025] [8026] [8027] [8028] [8029] [8030] [8031] [8032] [8033] [8034] [8035] [8036] [8037] [8038] [8039] [8040] [8041] [8042] [8043] [8044] [8045] [8046] [8047] [8048] [8049] [8050] [8051] [8052] [8053] [8054] [8055] [8056] [8057] [8058] [8059] [8060] [8061] [8062] [8063] [8064] [8065] [8066] [8067] [8068] [8069] [8070] [8071] [8072] [8073] [8074] [8075] [8076] [8077] [8078] [8079] [8080] [8081] [8082] [8083] [8084] [8085] [8086] [8087] [8088] [8089] [8090] [8091] [8092] [8093] [8094] [8095] [8096] [8097] [8098] [8099] [8100] [8101] [8102] [8103] [8104] [8105] [8106] [8107] [8108] [8109] [8110] [8111] [8112] [8113] [8114] [8115] [8116] [8117] [8118] [8119] [8120] [8121] [8122] [8123] [8124] [8125] [8126] [8127] [8128] [8129] [8130] [8131] [8132] [8133] [8134] [8135] [8136] [8137] [8138] [8139] [8140] [8141] [8142] [8143] [8144] [8145] [8146] [8147] [8148] [8149] [8150] [8151] [8152] [8153] [8154] [8155] [8156] [8157] [8158] [8159] [8160] [8161] [8162] [8163] [8164] [8165] [8166] [8167] [8168] [8169] [8170] [8171] [8172] [8173] [8174] [8175] [8176] [8177] [8178] [8179] [8180] [8181] [8182] [8183] [8184] [8185] [8186] [8187] [8188] [8189] [8190] [8191] [8192] [8193] [8194] [8195] [8196] [8197] [8198] [8199] [8200] [8201] [8202] [8203] [8204] [8205] [8206] [8207] [8208] [8209] [8210] [8211] [8212] [8213] [8214] [8215] [8216] [8217] [8218] [8219] [8220] [8221] [8222] [8223] [8224] [8225] [8226] [8227] [8228] [8229] [8230] [8231] [8232] [8233] [8234] [8235] [8236] [8237] [8238] [8239] [8240] [8241] [8242] [8243] [8244] [8245] [8246] [8247] [8248] [8249] [8250] [8251] [8252] [8253] [8254] [8255] [8256] [8257] [8258] [8259] [8260] [8261] [8262] [8263] [8264] [8265] 
[8266] [8267] [8268] [8269] [8270] [8271] [8272] [8273] [8274] [8275] [8276] [8277] [8278] [8279] [8280] [8281] [8282] [8283] [8284] [8285] [8286] [8287] [8288] [8289] [8290] [8291] [8292] [8293] [8294] [8295] [8296] [8297] [8298] [8299] [8300] [8301] [8302] [8303] [8304] [8305] [8306] [8307] [8308] [8309] [8310] [8311] [8312] [8313] [8314] [8315] [8316] [8317] [8318] [8319] [8320] [8321] [8322] [8323] [8324] [8325] [8326] [8327] [8328] [8329] [8330] [8331] [8332] [8333] [8334] [8335] [8336] [8337] [8338] [8339] [8340] [8341] [8342] [8343] [8344] [8345] [8346] [8347] [8348] [8349] [8350] [8351] [8352] [8353] [8354] [8355] [8356] [8357] [8358] [8359] [8360] [8361] [8362] [8363] [8364] [8365] [8366] [8367] [8368] [8369] [8370] [8371] [8372] [8373] [8374] [8375] [8376] [8377] [8378] [8379] [8380] [8381] [8382] [8383] [8384] [8385] [8386] [8387] [8388] [8389] [8390] [8391] [8392] [8393] [8394] [8395] [8396] [8397] [8398] [8399] [8400] [8401] [8402] [8403] [8404] [8405] [8406] [8407] [8408] [8409] [8410] [8411] [8412] [8413] [8414] [8415] [8416] [8417] [8418] [8419] [8420] [8421] [8422] [8423] [8424] [8425] [8426] [8427] [8428] [8429] [8430] [8431] [8432] [8433] [8434] [8435] [8436] [8437] [8438] [8439] [8440] [8441] [8442] [8443] [8444] [8445] [8446] [8447] [8448] [8449] [8450] [8451] [8452] [8453] [8454] [8455] [8456] [8457] [8458] [8459] [8460] [8461] [8462] [8463] [8464] [8465] [8466] [8467] [8468] [8469] [8470] [8471] [8472] [8473] [8474] [8475] [8476] [8477] [8478] [8479] [8480] [8481] [8482] [8483] [8484] [8485] [8486] [8487] [8488] [8489] [8490] [8491] [8492] [8493] [8494] [8495] [8496] [8497] [8498] [8499] [8500] [8501] [8502] [8503] [8504] [8505] [8506] [8507] [8508] [8509] [8510] [8511] [8512] [8513] [8514] [8515] [8516] [8517] [8518] [8519] [8520] [8521] [8522] [8523] [8524] [8525] [8526] [8527] [8528] [8529] [8530] [8531] [8532] [8533] [8534] [8535] [8536] [8537] [8538] [8539] [8540] [8541] [8542] [8543] [8544] [8545] [8546] [8547] [8548] [8549] [8550] 
[8551] [8552] [8553] [8554] [8555] [8556] [8557] [8558] [8559] [8560] [8561] [8562] [8563] [8564] [8565] [8566] [8567] [8568] [8569] [8570] [8571] [8572] [8573] [8574] [8575] [8576] [8577] [8578] [8579] [8580] [8581] [8582] [8583] [8584] [8585] [8586] [8587] [8588] [8589] [8590] [8591] [8592] [8593] [8594] [8595] [8596] [8597] [8598] [8599] [8600] [8601] [8602] [8603] [8604] [8605] [8606] [8607] [8608] [8609] [8610] [8611] [8612] [8613] [8614] [8615] [8616] [8617] [8618] [8619] [8620] [8621] [8622] [8623] [8624] [8625] [8626] [8627] [8628] [8629] [8630] [8631] [8632] [8633] [8634] [8635] [8636] [8637] [8638] [8639] [8640] [8641] [8642] [8643] [8644] [8645] [8646] [8647] [8648] [8649] [8650] [8651] [8652] [8653] [8654] [8655] [8656] [8657] [8658] [8659] [8660] [8661] [8662] [8663] [8664] [8665] [8666] [8667] [8668] [8669] [8670] [8671] [8672] [8673] [8674] [8675] [8676] [8677] [8678] [8679] [8680] [8681] [8682] [8683] [8684] [8685] [8686] [8687] [8688] [8689] [8690] [8691] [8692] [8693] [8694] [8695] [8696] [8697] [8698] [8699] [8700] [8701] [8702] [8703] [8704] [8705] [8706] [8707] [8708] [8709] [8710] [8711] [8712] [8713] [8714] [8715] [8716] [8717] [8718] [8719] [8720] [8721] [8722] [8723] [8724] [8725] [8726] [8727] [8728] [8729] [8730] [8731] [8732] [8733] [8734] [8735] [8736] [8737] [8738] [8739] [8740] [8741] [8742] [8743] [8744] [8745] [8746] [8747] [8748] [8749] [8750] [8751] [8752] [8753] [8754] [8755] [8756] [8757] [8758] [8759] [8760] [8761] [8762] [8763] [8764] [8765] [8766] [8767] [8768] [8769] [8770] [8771] [8772] [8773] [8774] [8775] [8776] [8777] [8778] [8779] [8780] [8781] [8782] [8783] [8784] [8785] [8786] [8787] [8788] [8789] [8790] [8791] [8792] [8793] [8794] [8795] [8796] [8797] [8798] [8799] [8800] [8801] [8802] [8803] [8804] [8805] [8806] [8807] [8808] [8809] [8810] [8811] [8812] [8813] [8814] [8815] [8816] [8817] [8818] [8819] [8820] [8821] [8822] [8823] [8824] [8825] [8826] [8827] [8828] [8829] [8830] [8831] [8832] [8833] [8834] [8835] 
[8836] [8837] [8838] [8839] [8840] [8841] [8842] [8843] [8844] [8845] [8846] [8847] [8848] [8849] [8850] [8851] [8852] [8853] [8854] [8855] [8856] [8857] [8858] [8859] [8860] [8861] [8862] [8863] [8864] [8865] [8866] [8867] [8868] [8869] [8870] [8871] [8872] [8873] [8874] [8875] [8876] [8877] [8878] [8879] [8880] [8881] [8882] [8883] [8884] [8885] [8886] [8887] [8888] [8889] [8890] [8891] [8892] [8893] [8894] [8895] [8896] [8897] [8898] [8899] [8900] [8901] [8902] [8903] [8904] [8905] [8906] [8907] [8908] [8909] [8910] [8911] [8912] [8913] [8914] [8915] [8916] [8917] [8918] [8919] [8920] [8921] [8922] [8923] [8924] [8925] [8926] [8927] [8928] [8929] [8930] [8931] [8932] [8933] [8934] [8935] [8936] [8937] [8938] [8939] [8940] [8941] [8942] [8943] [8944] [8945] [8946] [8947] [8948] [8949] [8950] [8951] [8952] [8953] [8954] [8955] [8956] [8957] [8958] [8959] [8960] [8961] [8962] [8963] [8964] [8965] [8966] [8967] [8968] [8969] [8970] [8971] [8972] [8973] [8974] [8975] [8976] [8977] [8978] [8979] [8980] [8981] [8982] [8983] [8984] [8985] [8986] [8987] [8988] [8989] [8990] [8991] [8992] [8993] [8994] [8995] [8996] [8997] [8998] [8999] [9000] [9001] [9002] [9003] [9004] [9005] [9006] [9007] [9008] [9009] [9010] [9011] [9012] [9013] [9014] [9015] [9016] [9017] [9018] [9019] [9020] [9021] [9022] [9023] [9024] [9025] [9026] [9027] [9028] [9029] [9030] [9031] [9032] [9033] [9034] [9035] [9036] [9037] [9038] [9039] [9040] [9041] [9042] [9043] [9044] [9045] [9046] [9047] [9048] [9049] [9050] [9051] [9052] [9053] [9054] [9055] [9056] [9057] [9058] [9059] [9060] [9061] [9062] [9063] [9064] [9065] [9066] [9067] [9068] [9069] [9070] [9071] [9072] [9073] [9074] [9075] [9076] [9077] [9078] [9079] [9080] [9081] [9082] [9083] [9084] [9085] [9086] [9087] [9088] [9089] [9090] [9091] [9092] [9093] [9094] [9095] [9096] [9097] [9098] [9099] [9100] [9101] [9102] [9103] [9104] [9105] [9106] [9107] [9108] [9109] [9110] [9111] [9112] [9113] [9114] [9115] [9116] [9117] [9118] [9119] [9120] 
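<!DOCTYPE html> <!-- WASDOC AXP-2.0.0 (CGILIB AXP-1.9.9) --> <!-- wasDOC Copyright (C) 2019,2020 Mark G.Daniel - Apache-2.0 licenced --> <!-- 3-NOV-2021 02:50 --> <noscript>NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT</noscript> <div id="erreport1" style="display:none;"></div>
<script>
/*
 * Make the page's error-report containers visible and append a message to
 * each of them.  Containers are looked up by id: 'erreport1' and 'erreport2'.
 *
 * string - message to append; it is assigned through innerHTML, so the
 *          browser parses it as HTML markup, not as plain text.
 *
 * NOTE(review): the callers are not visible from this part of the page.
 * If any caller passes text that originates outside the document source
 * (a URL, query string, file name), that text must be HTML-escaped before
 * it reaches this function, or the assignment switched to textContent.
 */
function errorReport(string) {
   for (var cnt = 1; cnt <= 2; cnt++) {
      var err = document.getElementById('erreport'+cnt);
      /* A container may not exist (yet) when a report is raised while the
         page is still being parsed; skip it rather than throw a TypeError
         out of the reporting path. */
      if (!err) continue;
      err.style.display = 'block';
      err.innerHTML += string;
   }
}
</script>
<style type="text/css"> html { font-family: arial, verdana, sans-serif; font-size:12pt; margin:1em; } h1 { font-size:124%; font-style:bold; margin-top:1em; margin-bottom:0.5em; } h2 { font-size:120%; font-style:bold; margin-top:1.1em; margin-bottom:0.4em; } h3 { font-size:116%; font-style:bold; margin-top:1.0em; margin-bottom:0.3em; } h4 { font-size:112%; font-style:bold; margin-top:1.1em; margin-bottom:0.3em; } h5 { font-size:112%; font-style:bold; margin-top:1.1em; margin-bottom:0.3em; } h6 { font-size:112%; font-style:bold; padding:0; margin:0; } h1 .text { text-decoration:underline; } h1 .numb { padding-right:0.8em; } h1 .numb:empty { display:none; padding-right:0; } h2 .numb { padding-right:0.8em; } h2 .numb:empty { display:none; padding-right:0; } h3 .numb { padding-right:0.8em; } h3 .numb:empty { display:none; padding-right:0; } h4 .numb { padding-right:0.8em; } h4 .numb:empty { display:none; padding-right:0; } h5 .numb { display:none; padding-right:0; } h6 .numb { display:none; padding-right:0; } kbd { font-family:monospace; } noscript { font-size:1.2em; } p { line-height:1.1em; margin-top:1em; margin-bottom:1em; } .chunk { font-size:130%; text-decoration:underline; } .head {} .high {} .bold { font-weight:bold; } .center { text-align:center; } .italic { font-style:italic; } .left { text-align:left; } .nowrap { white-space:nowrap; } .prewrap { white-space:pre; } .right { text-align:right; } .strike { text-decoration:line-through; } .under { text-decoration:underline; } .backlight { 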
background-color:#f2f2f2; } .display0 { display:none; } img { max-width:100%; } .imglink { } .link { } .blank { } .list { margin-bottom:1em; } .list li { margin-top:0.5em; } .list0 li { margin-top:0; } .item {} .tabl { border-collapse:collapse; text-align:left; margin:0.4em 2em 0.5em 2em; } .tabu { border-collapse:collapse; text-align:right; margin:0.4em 2em 0.5em 2em; } .tabr { vertical-align:top; } .tabh { padding:0.2em 0 0 2em; margin:0; } .tabd { padding:0.1em 0 0 2em; margin:0; } .tabh:first-of-type, td:first-of-type { padding-left:0; } .tabu .tabh, .tabu .tabd { border:1px solid gray; padding:0.2em 0.3em 0.2em 0.3em; } .tab0 { border:none; visibility:hidden; max-width:1em; white-space:nowrap; overflow:hidden; } .tabauto { margin-left:auto; margin-right:auto; } .tabr:empty { height:0.2em; } .tabu .tabh:empty, .tabu .tabd:empty { border:none; visibility:hidden; } .error { font-size:110%; color:black; background-color:yellow; font-family:sans-serif; font-weight:bold; font-style:normal; width:95%; border:solid 1px gray; padding:0.5em 1em 0.5em 1em; } .error::before { content:'\026a0\00a0'; } .image { } .page { width:98%; border:1px dashed gray; margin:1.5em 0 1.8em 0; } .epage { width:98%; border:1px dashed black; margin:1.5em 0 1.8em 0; } .monosp { font-family:monospace; } .ppage { display:none; } .simple { list-style-type:none; } .valtop { vertical-align:top; } .valmid { vertical-align:middle; } .valbot { vertical-align:bottom; } .code { border-style:solid; border-width:0 0 0 1px; padding-left:1em; font-family:monospace; white-space:pre; } .block { } .blockof { margin:0.4em 2em 0.5em 2em; } .example { border-style:dashed; border-width:0 0 0 1px; padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; white-space:pre; } .indent { margin-left:2em; margin-right:2em; } .noindent { margin-left:0; margin-right:0; } .inblock { display:inline-block; } .mono { white-space:pre; font-family:monospace; } .note { margin:0.4em 2em 0.5em 2em; page-break-inside:avoid; } .note 
h5 { margin-top:0 } .note_hr { width:80%; border:1px solid gray; } .prop { padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; } .quote { border-style:dashed; border-width:0 0 0 1px; padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; } .this { display:none; } a:link,a:visited { color:black; text-decoration:none; } a:hover,a:active { text-decoration:underline; } a:focus { outline:0; } :target:before { content:''; display:block; height:0.1em; margin:-0.1em; } a.link:link, a.link:visited,a.link:active { color:midnightBlue; text-decoration:underline; text-decoration-style:solid; } .TOC1cols1 { width:80%; max-width:80%; } .TOC1cols2 { column-count:2; width:80%; max-width:80%; } .TOC1cols3 { column-count:3; max-width:90%; max-width:90%; } .TOC1cols4 { column-count:4; max-width:100%; max-width:100%; } .TOC1table { margin-left:2em; white-space:nowrap; break-inside:auto; } .TOC1table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .TOC1table td+td { padding:0 0 0 0.5em; } .TOC1table .numb { width:3em; max-width:3em; } .TOC1table .sepr { width:5em; max-width:6em; overflow:hidden; } .TOC1table .majr { font-weight:bold; } .TOC1table .text { white-space:normal; } /* These are due to Firefox (at least <= 76) recalcitrant multi-column handling. Web search "Split table into css columns, issue in Firefox" (stackoverflow). "Good grief, Charlie Brown!" 
*/ .TOC1cols2 table, .TOC1cols2 tbody, .TOC1cols2 tr, .TOC1cols3 table, .TOC1cols3 tbody, .TOC1cols3 tr, .TOC1cols4 table, .TOC1cols4 tbody, .TOC1cols4 tr { display:block; padding:0; } .TOC2cols1 { width:60%; max-width:60%; } .TOC2cols2 { column-count:2; width:70%; max-width:70%; } .TOC2cols3 { column-count:3; width:80%; max-width:80%; } .TOC2cols4 { column-count:4; width:90%; max-width:90%; } .TOC2table { margin-left:2em; white-space:nowrap; break-inside:auto; } .TOC2table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .TOC2table .numb { font-weight:bold; padding-right:0.5em; } .TOC2table .text { width:100%; white-space:normal; } /* see "recalcitrant" above */ .TOC2cols2 table, .TOC2cols2 tbody, .TOC2cols2 tr, .TOC2cols3 table, .TOC2cols3 tbody, .TOC2cols3 tr, .TOC2cols4 table, .TOC2cols4 tbody, .TOC2cols4 tr { display:block; padding:0; } .NAVtable { margin:0.1em 0 0 2em; } .NAVtable td { font-size:110%; font-weight:bold; padding:0; margin:0; } .NAVtable a { padding:0 0.5em 0 0.5em; text-decoration:none; } .IDXcols1 { width:80%; max-width:80%; } .IDXcols2 { column-count:2; width:90%; max-width:90%; } .IDXcols3 { column-count:3; width:95%; max-width:95%; } .IDXcols4 { column-count:4; width:100%; max-width:100%; } .IDXtable { margin:1em 0 1em 2em; white-space:nowrap; break-inside:auto; } .IDXtable tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .IDXtable .alpha { font-weight:bold; min-width:2em; } .IDXtable .text { width:100%; white-space:normal; } .IDXtable .para:before { content:'\00b6\00a0'; } /* see "recalcitrant" above */ .IDXcols2 table, .IDXcols2 tbody, .IDXcols2 tr, .IDXcols3 table, .IDXcols3 tbody, .IDXcols3 tr, .IDXcols4 table, .IDXcols4 tbody, .IDXcols4 tr { display:block; padding:0; } .insight { background-color:cyan; font-family:monospace; padding:0 0.2em 0 0.2em; margin:0 0.2em 0 0.2em; font-size:100%; font-style:normal; font-weight:normal; text-decoration:none; } .wasdoc { 
font-family: "Lucida Console", Monaco, monospace; letter-spacing:-0.07em; } @media screen { .blank::after { content:"\2924"; } .print { display:none; } } @media print { table { page-break-inside:avoid; } .noprint { display:none; } .page { border:none; page-break-after: always; } .epage { display:none; } .ppage { page-break-after:always; } .NAVtable { display:none; } .NAVprint { display:block!important; } } @page { margin:2cm 1cm 2cm 1cm; } </style> <!-- source:0000_config.wasdoc --> <style type="text/css">._smiley::after { font-size:150%; vertical-align:middle; content:'\263a' }</style> <style type="text/css">._frowny::after { font-size:150%; vertical-align:middle; content:'\2639' }</style> <a id="0." href="#"></a> <a id="0.0.0.0.1" href="#"></a> <a id="0.wasdconfiguration" href="#"></a> <a id="wasdconfiguration" href="#"></a> <h1 class="head" style="font-size:140%;"><span class="text">WASD Configuration</span></h1> <p> For version 12.0 release of WASD VMS Web Services. <p> Published November 2021 <p> Document generated using <span class="high wasdoc">wasDOC</span> version 2.0.0 <a id="0.0.0.0.2" href="#"></a> <a id="0.abstract" href="#"></a> <a id="abstract" href="#"></a> <h5 class="head"><span class="text">Abstract</span></h5> <p> This document provides detailed configuration instructions for the WASD Web Services package. 
<p> For installation and update details see <a class="link blank" target="_blank" href="../install/">WASD Web Services - Installation</a> <p> For the more significant WASD features and facilities see <a class="link blank" target="_blank" href="../features/">WASD Web Services - Features</a> <p> For information on CGI, CGIplus, ISAPI, OSU, etc., scripting, see <a class="link blank" target="_blank" href="../scripting/">WASD Web Services - Scripting</a> <p> And for a description of WASD document, SSI and directory listing behaviours and options, see <a class="link blank" target="_blank" href="../env/">WASD Web Services - Environment</a> <a id="0.0.0.0.3" href="#"></a> <a id="0.onlinesearch" href="#"></a> <a id="onlinesearch" href="#"></a> <h5 class="head"><span class="text">Online Search</span></h5> <p> <table class="tabl noindent" style="border:1px #808080 solid;background-color:#eeeeee;margin-bottom:1.5em;"> <tr class="tabr"> <td class="tabd" style="padding:0.5em;"><form action="/cgi-bin/query/wasd_root/wasdoc/config/*.html" target="_top"> <input type="submit" value="Search for:"> <input type="text" name="search" size="20"> <input type="reset" value="Reset"> </form> </table> <p> <span class="high bold">WASD VMS Web Services – Copyright © 1996-2021 Mark G. Daniel</span> <a id="0.0.0.0.3.1" href="#"></a> <a id="0.apachelicenseversion20" href="#"></a> <a id="apachelicenseversion20" href="#"></a> <h6 class="head display0"><span class="text">Apache License, Version 2.0</span></h6> <a id="0.0.0.0.3.2" href="#"></a> <a id="0.license" href="#"></a> <a id="license" href="#"></a> <h6 class="head display0"><span class="text">License</span></h6> <p> Licensed under the <span class="high bold">Apache License</span>, Version 2.0 (the "License"); <div class="blockof quote" style="font-size:0.9em;width:49em;margin:-0.5em 0 0 1em;">you may not use this software except in compliance with the License. 
You may obtain a copy of the License at <p> <a class="link blank" target="_blank" style="margin-left:1em;" href="https://www.apache.org/licenses/LICENSE-2.0">https://www.apache.org/licenses/LICENSE-2.0</a> <p> Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </div> <p> <a class="link" href="mailto:Mark.Daniel@wasd.vsm.com.au">Mark.Daniel@wasd.vsm.com.au</a> <br> <span class="high bold italic">A pox on the houses of all spammers. Make that two poxes.</span> <p> All copyright and trademarks within this document belong to their rightful owners. See <a class="link" href="#13.attributionandacknowledgement">13. Attribution and Acknowledgement</a>. <p> This is a static (file), single document. <br> Alternative <a class="link" href="/wasd_root/wasdoc/config/config.html">multi-part</a> static and <a class="link" href="/cgi-bin/wasdoc/wasd_root/wasdoc/config/">dynamic</a> documents. <br> Links followed by ⤤ open in a new page. 
<a id="0.0.0.0.4.2" href="#"></a> <a id="0.tableofcontent" href="#"></a> <a id="tableofcontent" href="#"></a> <h1 class="head" style="font-size:120%;"><span class="text">Table of Content</span></h1> <div class="TOC1cols2"> <table class="TOC1table"> <tr><td class="sepr"><a href="#1.introduction">1.</a>…………………<td class="text majr"><a href="#1.introduction">Introduction</a> <tr><td class="sepr"><a href="#1.1.troubleshooting">1.1</a>…………………<td class="text"><a href="#1.1.troubleshooting">Troubleshooting?</a> <tr><td class="sepr"><a href="#2.configurationconsiderations">2.</a>…………………<td class="text majr"><a href="#2.configurationconsiderations">Configuration Considerations</a> <tr><td class="sepr"><a href="#2.1.includefiledirective">2.1</a>…………………<td class="text"><a href="#2.1.includefiledirective">Include File Directive</a> <tr><td class="sepr"><a href="#2.2.siteorganisation">2.2</a>…………………<td class="text"><a href="#2.2.siteorganisation">Site Organisation</a> <tr><td class="sepr"><a href="#2.3.virtualservices">2.3</a>…………………<td class="text"><a href="#2.3.virtualservices">Virtual Services</a> <tr><td class="sepr"><a href="#2.3.1.virtualserver">2.3.1</a>…………………<td class="text"><a href="#2.3.1.virtualserver">[[virtual-server]]</a> <tr><td class="sepr"><a href="#2.3.2.unknownvirtualserver">2.3.2</a>…………………<td class="text"><a href="#2.3.2.unknownvirtualserver">Unknown Virtual Server</a> <tr><td class="sepr"><a href="#2.4.gzipencoding">2.4</a>…………………<td class="text"><a href="#2.4.gzipencoding">GZIP Encoding</a> <tr><td class="sepr"><a href="#2.4.1.responseencoding">2.4.1</a>…………………<td class="text"><a href="#2.4.1.responseencoding">Response Encoding</a> <tr><td class="sepr"><a href="#2.4.2.requestencoding">2.4.2</a>…………………<td class="text"><a href="#2.4.2.requestencoding">Request Encoding</a> <tr><td class="sepr"><a href="#2.5.requestthrottling">2.5</a>…………………<td class="text"><a href="#2.5.requestthrottling">Request Throttling</a> <tr><td class="sepr"><a 
href="#2.6.clientconcurrency">2.6</a>…………………<td class="text"><a href="#2.6.clientconcurrency">Client Concurrency</a> <tr><td class="sepr"><a href="#2.7.contenttypeconfiguration">2.7</a>…………………<td class="text"><a href="#2.7.contenttypeconfiguration">Content-Type Configuration</a> <tr><td class="sepr"><a href="#2.7.1.addingcontenttypes">2.7.1</a>…………………<td class="text"><a href="#2.7.1.addingcontenttypes">Adding Content-Types</a> <tr><td class="sepr"><a href="#2.7.2.mimetypes">2.7.2</a>…………………<td class="text"><a href="#2.7.2.mimetypes">MIME.TYPES</a> <tr><td class="sepr"><a href="#2.7.3.unknowncontenttypes">2.7.3</a>…………………<td class="text"><a href="#2.7.3.unknowncontenttypes">Unknown Content-Types</a> <tr><td class="sepr"><a href="#2.7.4.explicitlyspecifyingcontenttype">2.7.4</a>…………………<td class="text"><a href="#2.7.4.explicitlyspecifyingcontenttype">Explicitly Specifying Content-Type</a> <tr><td class="sepr"><a href="#2.8.languagevariants">2.8</a>…………………<td class="text"><a href="#2.8.languagevariants">Language Variants</a> <tr><td class="sepr"><a href="#2.9.charactersetconversion">2.9</a>…………………<td class="text"><a href="#2.9.charactersetconversion">Character Set Conversion</a> <tr><td class="sepr"><a href="#2.10.errorreporting">2.10</a>…………………<td class="text"><a href="#2.10.errorreporting">Error Reporting</a> <tr><td class="sepr"><a href="#2.10.1.basicanddetailed">2.10.1</a>…………………<td class="text"><a href="#2.10.1.basicanddetailed">Basic and Detailed</a> <tr><td class="sepr"><a href="#2.10.2.sitespecific">2.10.2</a>…………………<td class="text"><a href="#2.10.2.sitespecific">Site Specific</a> <tr><td class="sepr"><a href="#2.11.opcomlogging">2.11</a>…………………<td class="text"><a href="#2.11.opcomlogging">OPCOM Logging</a> <tr><td class="sepr"><a href="#2.12.accesslogging">2.12</a>…………………<td class="text"><a href="#2.12.accesslogging">Access Logging</a> <tr><td class="sepr"><a href="#2.12.1.logformat">2.12.1</a>…………………<td class="text"><a href="#2.12.1.logformat">Log Format</a> 
<tr><td class="sepr"><a href="#2.12.2.logperperiod">2.12.2</a>…………………<td class="text"><a href="#2.12.2.logperperiod">Log Per-Period</a> <tr><td class="sepr"><a href="#2.12.3.logperservice">2.12.3</a>…………………<td class="text"><a href="#2.12.3.logperservice">Log Per-Service</a> <tr><td class="sepr"><a href="#2.12.4.logperinstance">2.12.4</a>…………………<td class="text"><a href="#2.12.4.logperinstance">Log Per-Instance</a> <tr><td class="sepr"><a href="#2.12.5.lognaming">2.12.5</a>…………………<td class="text"><a href="#2.12.5.lognaming">Log Naming</a> <tr><td class="sepr"><a href="#2.12.6.accesstracking">2.12.6</a>…………………<td class="text"><a href="#2.12.6.accesstracking">Access Tracking</a> <tr><td class="sepr"><a href="#2.12.7.accessalert">2.12.7</a>…………………<td class="text"><a href="#2.12.7.accessalert">Access Alert</a> <tr><td class="sepr"><a href="#3.securityconsiderations">3.</a>…………………<td class="text majr"><a href="#3.securityconsiderations">Security Considerations</a> <tr><td class="sepr"><a href="#3.1.serverandsitetesting">3.1</a>…………………<td class="text"><a href="#3.1.serverandsitetesting">Server and Site Testing</a> <tr><td class="sepr"><a href="#3.2.recommendedpackagesecurity">3.2</a>…………………<td class="text"><a href="#3.2.recommendedpackagesecurity">Recommended Package Security</a> <tr><td class="sepr"><a href="#3.3.maintainingpackagesecurity">3.3</a>…………………<td class="text"><a href="#3.3.maintainingpackagesecurity">Maintaining Package Security</a> <tr><td class="sepr"><a href="#3.4.independentpackageandlocalresources">3.4</a>…………………<td class="text"><a href="#3.4.independentpackageandlocalresources">Independent Package and Local Resources</a> <tr><td class="sepr"><a href="#3.5.configuration">3.5</a>…………………<td class="text"><a href="#3.5.configuration">Configuration</a> <tr><td class="sepr"><a href="#3.5.1.directorylistings">3.5.1</a>…………………<td class="text"><a href="#3.5.1.directorylistings">Directory Listings</a> <tr><td class="sepr"><a 
href="#3.5.2.serverreports">3.5.2</a>…………………<td class="text"><a href="#3.5.2.serverreports">Server Reports</a> <tr><td class="sepr"><a href="#3.5.3.scripting">3.5.3</a>…………………<td class="text"><a href="#3.5.3.scripting">Scripting</a> <tr><td class="sepr"><a href="#3.5.4.serversideincludes">3.5.4</a>…………………<td class="text"><a href="#3.5.4.serversideincludes">Server Side Includes</a> <tr><td class="sepr"><a href="#3.6.scripting">3.6</a>…………………<td class="text"><a href="#3.6.scripting">Scripting</a> <tr><td class="sepr"><a href="#3.7.authorization">3.7</a>…………………<td class="text"><a href="#3.7.authorization">Authorization</a> <tr><td class="sepr"><a href="#3.8.miscellaneousissues">3.8</a>…………………<td class="text"><a href="#3.8.miscellaneousissues">Miscellaneous Issues</a> <tr><td class="sepr"><a href="#3.9.siteattacks">3.9</a>…………………<td class="text"><a href="#3.9.siteattacks">Site Attacks</a> <tr><td class="sepr"><a href="#3.10.contentsecuritypolicycsp">3.10</a>…………………<td class="text"><a href="#3.10.contentsecuritypolicycsp">Content Security Policy (CSP)</a> <tr><td class="sepr"><a href="#4.stringmatching">4.</a>…………………<td class="text majr"><a href="#4.stringmatching">String Matching</a> <tr><td class="sepr"><a href="#4.1.wildcardpatterns">4.1</a>…………………<td class="text"><a href="#4.1.wildcardpatterns">Wildcard Patterns</a> <tr><td class="sepr"><a href="#4.2.regularexpressions">4.2</a>…………………<td class="text"><a href="#4.2.regularexpressions">Regular Expressions</a> <tr><td class="sepr"><a href="#4.3.examples">4.3</a>…………………<td class="text"><a href="#4.3.examples">Examples</a> <tr><td class="sepr"><a href="#4.4.expressionsubstitution">4.4</a>…………………<td class="text"><a href="#4.4.expressionsubstitution">Expression Substitution</a> <tr><td class="sepr"><a href="#5.conditionalconfiguration">5.</a>…………………<td class="text majr"><a href="#5.conditionalconfiguration">Conditional Configuration</a> <tr><td class="sepr"><a href="#5.1.serviceconditionals">5.1</a>…………………<td 
class="text"><a href="#5.1.serviceconditionals">Service Conditionals</a> <tr><td class="sepr"><a href="#5.2.ifendifconditionals">5.2</a>…………………<td class="text"><a href="#5.2.ifendifconditionals">If..endif Conditionals</a> <tr><td class="sepr"><a href="#5.3.conditionalkeywords">5.3</a>…………………<td class="text"><a href="#5.3.conditionalkeywords">Conditional Keywords</a> <tr><td class="sepr"><a href="#5.3.1.notepadkeyword">5.3.1</a>…………………<td class="text"><a href="#5.3.1.notepadkeyword">Notepad: Keyword</a> <tr><td class="sepr"><a href="#5.3.2.randkeyword">5.3.2</a>…………………<td class="text"><a href="#5.3.2.randkeyword">Rand: Keyword</a> <tr><td class="sepr"><a href="#5.3.3.requestkeyword">5.3.3</a>…………………<td class="text"><a href="#5.3.3.requestkeyword">Request: Keyword</a> <tr><td class="sepr"><a href="#5.3.4.instanceandrobinkeywords">5.3.4</a>…………………<td class="text"><a href="#5.3.4.instanceandrobinkeywords">Instance: and Robin: Keywords</a> <tr><td class="sepr"><a href="#5.3.5.timekeyword">5.3.5</a>…………………<td class="text"><a href="#5.3.5.timekeyword">Time: Keyword</a> <tr><td class="sepr"><a href="#5.3.6.trnlnmkeyword">5.3.6</a>…………………<td class="text"><a href="#5.3.6.trnlnmkeyword">Trnlnm: Keyword</a> <tr><td class="sepr"><a href="#5.3.7.hostaddresses">5.3.7</a>…………………<td class="text"><a href="#5.3.7.hostaddresses">Host Addresses</a> <tr><td class="sepr"><a href="#5.4.examples">5.4</a>…………………<td class="text"><a href="#5.4.examples">Examples</a> <tr><td class="sepr"><a href="#5.5.dictionary">5.5</a>…………………<td class="text"><a href="#5.5.dictionary">Dictionary</a> <tr><td class="sepr"><a href="#5.5.1.configurationentries">5.5.1</a>…………………<td class="text"><a href="#5.5.1.configurationentries">Configuration Entries</a> <tr><td class="sepr"><a href="#5.5.2.otherentries">5.5.2</a>…………………<td class="text"><a href="#5.5.2.otherentries">Other Entries</a> <tr><td class="sepr"><a href="#5.5.3.entrysubstitution">5.5.3</a>…………………<td class="text"><a href="#5.5.3.entrysubstitution">Entry 
Substitution</a> <tr><td class="sepr"><a href="#5.5.4.watchdictionary">5.5.4</a>…………………<td class="text"><a href="#5.5.4.watchdictionary">WATCH Dictionary</a> <tr><td class="sepr"><a href="#6.globalconfiguration">6.</a>…………………<td class="text majr"><a href="#6.globalconfiguration">Global Configuration</a> <tr><td class="sepr"><a href="#6.1.functionalgroupings">6.1</a>…………………<td class="text"><a href="#6.1.functionalgroupings">Functional Groupings</a> <tr><td class="sepr"><a href="#6.2.alphabeticlisting">6.2</a>…………………<td class="text"><a href="#6.2.alphabeticlisting">Alphabetic Listing</a> <tr><td class="sepr"><a href="#7.serviceconfiguration">7.</a>…………………<td class="text majr"><a href="#7.serviceconfiguration">Service Configuration</a> <tr><td class="sepr"><a href="#7.1.specificservices">7.1</a>…………………<td class="text"><a href="#7.1.specificservices">Specific Services</a> <tr><td class="sepr"><a href="#7.2.genericservices">7.2</a>…………………<td class="text"><a href="#7.2.genericservices">Generic Services</a> <tr><td class="sepr"><a href="#7.3.sslservices">7.3</a>…………………<td class="text"><a href="#7.3.sslservices">SSL Services</a> <tr><td class="sepr"><a href="#7.4.administrationservices">7.4</a>…………………<td class="text"><a href="#7.4.administrationservices">Administration Services</a> <tr><td class="sepr"><a href="#7.5.ipv4andipv6">7.5</a>…………………<td class="text"><a href="#7.5.ipv4andipv6">IPv4 and IPv6</a> <tr><td class="sepr"><a href="#7.6.towwwornottowww">7.6</a>…………………<td class="text"><a href="#7.6.towwwornottowww">To www. 
Or Not To www.</a> <tr><td class="sepr"><a href="#7.7.servicedirectives">7.7</a>…………………<td class="text"><a href="#7.7.servicedirectives">Service Directives</a> <tr><td class="sepr"><a href="#7.8.directivedetail">7.8</a>…………………<td class="text"><a href="#7.8.directivedetail">Directive Detail</a> <tr><td class="sepr"><a href="#7.9.administration">7.9</a>…………………<td class="text"><a href="#7.9.administration">Administration</a> <tr><td class="sepr"><a href="#7.10.serviceexamples">7.10</a>…………………<td class="text"><a href="#7.10.serviceexamples">Service Examples</a> <tr><td class="sepr"><a href="#8.messageconfiguration">8.</a>…………………<td class="text majr"><a href="#8.messageconfiguration">Message Configuration</a> <tr><td class="sepr"><a href="#8.1.behaviour">8.1</a>…………………<td class="text"><a href="#8.1.behaviour">Behaviour</a> <tr><td class="sepr"><a href="#8.2.messagefileformat">8.2</a>…………………<td class="text"><a href="#8.2.messagefileformat">Message File Format</a> <tr><td class="sepr"><a href="#8.3.multiplelanguagespecifications">8.3</a>…………………<td class="text"><a href="#8.3.multiplelanguagespecifications">Multiple Language Specifications</a> <tr><td class="sepr"><a href="#8.4.suppliedmessagefiles">8.4</a>…………………<td class="text"><a href="#8.4.suppliedmessagefiles">Supplied Message Files</a> <tr><td class="sepr"><a href="#9.cacheconfiguration">9.</a>…………………<td class="text majr"><a href="#9.cacheconfiguration">Cache Configuration</a> <tr><td class="sepr"><a href="#9.1.nonfilecontentcaching">9.1</a>…………………<td class="text"><a href="#9.1.nonfilecontentcaching">Non-File Content Caching</a> <tr><td class="sepr"><a href="#9.2.permanentandvolatile">9.2</a>…………………<td class="text"><a href="#9.2.permanentandvolatile">Permanent and Volatile</a> <tr><td class="sepr"><a href="#9.3.cachesuitabilityconsiderations">9.3</a>…………………<td class="text"><a href="#9.3.cachesuitabilityconsiderations">Cache Suitability Considerations</a> <tr><td class="sepr"><a 
href="#9.4.cachecontentvalidation">9.4</a>…………………<td class="text"><a href="#9.4.cachecontentvalidation">Cache Content Validation</a> <tr><td class="sepr"><a href="#9.5.cacheconfiguration">9.5</a>…………………<td class="text"><a href="#9.5.cacheconfiguration">Cache Configuration</a> <tr><td class="sepr"><a href="#9.6.cachecontrol">9.6</a>…………………<td class="text"><a href="#9.6.cachecontrol">Cache Control</a> <tr><td class="sepr"><a href="#9.7.circumventingthecache">9.7</a>…………………<td class="text"><a href="#9.7.circumventingthecache">Circumventing The Cache</a> <tr><td class="sepr"><a href="#10.requestprocessingconfiguration">10.</a>…………………<td class="text majr"><a href="#10.requestprocessingconfiguration">Request Processing Configuration</a> <tr><td class="sepr"><a href="#10.1.ruleinterpretation">10.1</a>…………………<td class="text"><a href="#10.1.ruleinterpretation">Rule Interpretation</a> <tr><td class="sepr"><a href="#10.2.vmsfilesystemspecifications">10.2</a>…………………<td class="text"><a href="#10.2.vmsfilesystemspecifications">VMS File System Specifications</a> <tr><td class="sepr"><a href="#10.3.traditionalfilespecificationsods2">10.3</a>…………………<td class="text"><a href="#10.3.traditionalfilespecificationsods2">Traditional File Specifications (ODS-2)</a> <tr><td class="sepr"><a href="#10.4.extendedfilespecificationsods5">10.4</a>…………………<td class="text"><a href="#10.4.extendedfilespecificationsods5">Extended File Specifications (ODS-5)</a> <tr><td class="sepr"><a href="#10.4.1.charactersinrequestpaths">10.4.1</a>…………………<td class="text"><a href="#10.4.1.charactersinrequestpaths">Characters In Request Paths</a> <tr><td class="sepr"><a href="#10.4.2.filenameambiguity">10.4.2</a>…………………<td class="text"><a href="#10.4.2.filenameambiguity">File Name Ambiguity</a> <tr><td class="sepr"><a href="#10.4.3.charactersinservergeneratedpaths">10.4.3</a>…………………<td class="text"><a href="#10.4.3.charactersinservergeneratedpaths">Characters In Server-Generated Paths</a> <tr><td class="sepr"><a 
href="#10.5.rules">10.5</a>…………………<td class="text"><a href="#10.5.rules">Rules</a> <tr><td class="sepr"><a href="#10.5.1.mappassfailrules">10.5.1</a>…………………<td class="text"><a href="#10.5.1.mappassfailrules">MAP, PASS, FAIL Rules</a> <tr><td class="sepr"><a href="#10.5.2.redirectrule">10.5.2</a>…………………<td class="text"><a href="#10.5.2.redirectrule">REDIRECT Rule</a> <tr><td class="sepr"><a href="#10.5.3.userrule">10.5.3</a>…………………<td class="text"><a href="#10.5.3.userrule">USER Rule</a> <tr><td class="sepr"><a href="#10.5.4.execuxecandscriptscriptmappingrules">10.5.4</a>…………………<td class="text"><a href="#10.5.4.execuxecandscriptscriptmappingrules">EXEC/UXEC and SCRIPT, Script Mapping Rules</a> <tr><td class="sepr"><a href="#10.5.5.setrule">10.5.5</a>…………………<td class="text"><a href="#10.5.5.setrule">SET Rule</a> <tr><td class="sepr"><a href="#10.6.reversemapping">10.6</a>…………………<td class="text"><a href="#10.6.reversemapping">Reverse Mapping</a> <tr><td class="sepr"><a href="#10.7.mappingexamples">10.7</a>…………………<td class="text"><a href="#10.7.mappingexamples">Mapping Examples</a> <tr><td class="sepr"><a href="#10.8.virtualservers">10.8</a>…………………<td class="text"><a href="#10.8.virtualservers">Virtual Servers</a> <tr><td class="sepr"><a href="#10.9.conditionalmapping">10.9</a>…………………<td class="text"><a href="#10.9.conditionalmapping">Conditional Mapping</a> <tr><td class="sepr"><a href="#10.10.mappinguserdirectoriestildecharacterquotquot">10.10</a>…………………<td class="text"><a href="#10.10.mappinguserdirectoriestildecharacterquotquot">Mapping User Directories (<span class="high italic">tilde</span> character ("~"))</a> <tr><td class="sepr"><a href="#10.10.1.usingthesysuaf">10.10.1</a>…………………<td class="text"><a href="#10.10.1.usingthesysuaf">Using The SYSUAF</a> <tr><td class="sepr"><a href="#10.10.2.withoutusingthesysuaf">10.10.2</a>…………………<td class="text"><a href="#10.10.2.withoutusingthesysuaf">Without Using The SYSUAF</a> <tr><td class="sepr"><a 
href="#10.11.crossoriginresourcesharing">10.11</a>…………………<td class="text"><a href="#10.11.crossoriginresourcesharing">Cross Origin Resource Sharing</a> <tr><td class="sepr"><a href="#11.authorizationconfigurationbasics">11.</a>…………………<td class="text majr"><a href="#11.authorizationconfigurationbasics">Authorization Configuration (Basics)</a> <tr><td class="sepr"><a href="#11.1.sysuafidentifierauthentication">11.1</a>…………………<td class="text"><a href="#11.1.sysuafidentifierauthentication">SYSUAF/Identifier Authentication</a> <tr><td class="sepr"><a href="#11.2.otherauthentication">11.2</a>…………………<td class="text"><a href="#11.2.otherauthentication">Other Authentication</a> <tr><td class="sepr"><a href="#11.3.readandwritegroupings">11.3</a>…………………<td class="text"><a href="#11.3.readandwritegroupings">Read and Write Groupings</a> <tr><td class="sepr"><a href="#11.4.considerations">11.4</a>…………………<td class="text"><a href="#11.4.considerations">Considerations</a> <tr><td class="sepr"><a href="#12.index">12.</a>…………………<td class="text majr"><a href="#12.index">Index</a> <tr><td class="sepr"><a href="#13.attributionandacknowledgement">13.</a>…………………<td class="text majr"><a href="#13.attributionandacknowledgement">Attribution and Acknowledgement</a> </table> </div> <br> <!-- source:0100_INTRO.WASDOC --> <hr class="page"> <a id="1." 
href="#"></a> <a id="1.introduction" href="#"></a> <a id="introduction" href="#"></a> <h1 class="head"><span class="numb">1.</span><span class="text">Introduction</span></h1> <table class="TOC2table"> <tr><td><a href="#1.1.troubleshooting"><span class="numb">1.1</span><span class="text">Troubleshooting?</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#0.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#2.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <a id="1.0.0.0.1" href="#"></a> <a id="1.welcome" href="#"></a> <a id="welcome" href="#"></a> <h5 class="head"><span class="text">Welcome!</span></h5> <p> WASD is outlined in the <a class="link blank" target="_blank" href="../features/#introduction">Introduction</a> and <a class="link blank" target="_blank" href="../features/#packageoverview">Package Overview</a> sections of the <a class="link blank" target="_blank" href="../features/#0.">WASD Features</a> document. <p> Installation and update of the package is covered by <a class="link blank" target="_blank" href="../install/#0.">WASD Installation</a>. <p> This document provides detailed configuration instructions of the WASD Web Services package. <p> Following installation the package should require only minor further configuration for basic serving. 
<p> WASD configuration is performed using the contents of five files located using logical names <table class="tabl"> <tr class="tabr"> <td class="tabd">WASD_CONFIG_AUTH <td class="tabd">request authorization control <tr class="tabr"> <td class="tabd">WASD_CONFIG_GLOBAL <td class="tabd">global server configuration <tr class="tabr"> <td class="tabd">WASD_CONFIG_MAP <td class="tabd">request processing control <tr class="tabr"> <td class="tabd">WASD_CONFIG_MSG <td class="tabd">provides server messages <tr class="tabr"> <td class="tabd">WASD_CONFIG_SERVICE <td class="tabd">specifies services (virtual servers) </table> <p> along with server CLI parameters commonly provided by startup DCL procedures. <p> <span class="high bold">Initially</span> two files may require alteration. <ol class="list"> <li class="item"> The startup file, possibly to set the local WASD_CONFIG_GMT logical (for systems not supporting DTSS (e.g. DECnet-Plus)). Consider using the STARTUP_LOCAL.COM file for other site-specific requirements (<a class="link blank" target="_blank" href="../install/#accountsupportfiles">Account Support Files</a> in <a class="link blank" target="_blank" href="../install/#0.">WASD Installation</a>). <li class="item"> The only configuration that should require immediate attention will be the mapping rules (<a class="link" href="#10.requestprocessingconfiguration">10. Request Processing Configuration</a>). </ol> <p> <span class="high bold">More generally</span> server runtime configuration involves the considerations discussed in <a class="link" href="#2.2.siteorganisation">2.2 Site Organisation</a> along with the following aspects: <ul class="list"> <li class="item"> Configuring the HTTP server run-time characteristics (<a class="link" href="#2.configurationconsiderations">2. Configuration Considerations</a>). <li class="item"> Mapping request paths to the VMS file system, and to other things such as scripts (<a class="link" href="#10.requestprocessingconfiguration">10. 
Request Processing Configuration</a>). <li class="item"> Customizing some or all messages (<a class="link" href="#8.messageconfiguration">8. Message Configuration</a>). <li class="item"> Establishing an authentication and authorization environment (<a class="link" href="#11.authorizationconfigurationbasics">11. Authorization Configuration (Basics)</a>). </ul> <a id="1.0.0.0.2" href="#"></a> <a id="1.keepsitespecificresourcesandserverinstallationseparateanddistinct" href="#"></a> <a id="keepsitespecificresourcesandserverinstallationseparateanddistinct" href="#"></a> <h5 class="head"><span class="text">Keep site-specific resources and server installation separate and distinct.</span></h5> <a id="1.1" href="#"></a> <a id="1.1.troubleshooting" href="#"></a> <a id="troubleshooting" href="#"></a> <h2 class="head"><span class="numb">1.1</span><span class="text">Troubleshooting?</span></h2> <p> When initially installing or configuring WASD, and sometimes later where something breaks spectacularly, it is most useful to be able to gain insight into what the server is up to. <p> The <span class="high italic">go-to</span> tool is <span style="font-size:110%">WATCH</span> (yes, all capitals, and for no other reason than it makes it stand out). <p> WATCH is described in detail in <a class="link blank" target="_blank" href="../features/#watchfacility">WATCH Facility</a> of the <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a> document. <p> For most circumstances WATCH can be made available for troubleshooting even if the configuration is significantly broken. This is done by using a skeleton-key to authorise special access into the server. <p> The skeleton-key is described in detail in <a class="link blank" target="_blank" href="../features/#skeletonkeyauthentication">Skeleton-Key Authentication</a> of the <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a> document. 
<p> <span class="high bold">TL;DR</span> <p> Enable at the command-line. The username can be anything that begins with an underscore and is at least 8 characters long; the password must also be at least 8 characters long. <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=_<span class="high italic">username</span>:<span class="high italic">password</span> </div> <p> Then, using a browser, access any available service, entering the above username (including underscore) and password when prompted. <div class="blockof block"><a class="link blank" target="_blank" href="/httpd/-/admin/report/WATCH">https://<i>the.host.name:port</i> /httpd/-/admin/report/WATCH</a> </div> <p> The service administration facilities (of which WATCH is one) are also available and useful. <div class="blockof block"><a class="link blank" target="_blank" href="/httpd/-/admin/">https://<i>the.host.name:port</i> /httpd/-/admin/</a> </div> <p> Because the skeleton-key authorises special access into the server, including these administration facilities, choose a username and password that cannot be guessed, and check the Skeleton-Key Authentication section referenced above for how the key expires or is cancelled once troubleshooting is finished. <!-- source:0400_CONSIDER.WASDOC --> <hr class="page"> <a id="2." href="#"></a> <a id="2.configurationconsiderations" href="#"></a> <a id="configurationconsiderations" href="#"></a> <h1 class="head"><span class="numb">2.</span><span class="text">Configuration Considerations</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#2.1.includefiledirective"><span class="numb">2.1</span><span class="text">Include File Directive</span></a> <tr><td><a href="#2.2.siteorganisation"><span class="numb">2.2</span><span class="text">Site Organisation</span></a> <tr><td><a href="#2.3.virtualservices"><span class="numb">2.3</span><span class="text">Virtual Services</span></a> <tr><td><a href="#2.3.1.virtualserver"><span class="numb">2.3.1</span><span class="text">[[virtual-server]]</span></a> <tr><td><a href="#2.3.2.unknownvirtualserver"><span class="numb">2.3.2</span><span class="text">Unknown Virtual Server</span></a> <tr><td><a href="#2.4.gzipencoding"><span class="numb">2.4</span><span class="text">GZIP Encoding</span></a> <tr><td><a href="#2.4.1.responseencoding"><span 
class="numb">2.4.1</span><span class="text">Response Encoding</span></a> <tr><td><a href="#2.4.2.requestencoding"><span class="numb">2.4.2</span><span class="text">Request Encoding</span></a> <tr><td><a href="#2.5.requestthrottling"><span class="numb">2.5</span><span class="text">Request Throttling</span></a> <tr><td><a href="#2.6.clientconcurrency"><span class="numb">2.6</span><span class="text">Client Concurrency</span></a> <tr><td><a href="#2.7.contenttypeconfiguration"><span class="numb">2.7</span><span class="text">Content-Type Configuration</span></a> <tr><td><a href="#2.7.1.addingcontenttypes"><span class="numb">2.7.1</span><span class="text">Adding Content-Types</span></a> <tr><td><a href="#2.7.2.mimetypes"><span class="numb">2.7.2</span><span class="text">MIME.TYPES</span></a> <tr><td><a href="#2.7.3.unknowncontenttypes"><span class="numb">2.7.3</span><span class="text">Unknown Content-Types</span></a> <tr><td><a href="#2.7.4.explicitlyspecifyingcontenttype"><span class="numb">2.7.4</span><span class="text">Explicitly Specifying Content-Type</span></a> <tr><td><a href="#2.8.languagevariants"><span class="numb">2.8</span><span class="text">Language Variants</span></a> <tr><td><a href="#2.9.charactersetconversion"><span class="numb">2.9</span><span class="text">Character Set Conversion</span></a> <tr><td><a href="#2.10.errorreporting"><span class="numb">2.10</span><span class="text">Error Reporting</span></a> <tr><td><a href="#2.10.1.basicanddetailed"><span class="numb">2.10.1</span><span class="text">Basic and Detailed</span></a> <tr><td><a href="#2.10.2.sitespecific"><span class="numb">2.10.2</span><span class="text">Site Specific</span></a> <tr><td><a href="#2.11.opcomlogging"><span class="numb">2.11</span><span class="text">OPCOM Logging</span></a> <tr><td><a href="#2.12.accesslogging"><span class="numb">2.12</span><span class="text">Access Logging</span></a> <tr><td><a href="#2.12.1.logformat"><span class="numb">2.12.1</span><span class="text">Log 
Format</span></a> <tr><td><a href="#2.12.2.logperperiod"><span class="numb">2.12.2</span><span class="text">Log Per-Period</span></a> <tr><td><a href="#2.12.3.logperservice"><span class="numb">2.12.3</span><span class="text">Log Per-Service</span></a> <tr><td><a href="#2.12.4.logperinstance"><span class="numb">2.12.4</span><span class="text">Log Per-Instance</span></a> <tr><td><a href="#2.12.5.lognaming"><span class="numb">2.12.5</span><span class="text">Log Naming</span></a> <tr><td><a href="#2.12.6.accesstracking"><span class="numb">2.12.6</span><span class="text">Access Tracking</span></a> <tr><td><a href="#2.12.7.accessalert"><span class="numb">2.12.7</span><span class="text">Access Alert</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#1.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#3.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> WASD has a global configuration, which applies characteristics to the entire running server, as well as per-service (virtual server) and conditional configuration, which applies characteristics or behaviours to specific requests. All configuration is provided via files located by logical names. 
<a id="2.0.0.0.1" href="#"></a> <a id="2.configurationfiles" href="#"></a> <a id="configurationfiles" href="#"></a> <h5 class="head"><span class="text">Configuration Files</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Name <th class="tabh">Scope <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">WASD_CONFIG_AUTH <td class="tabd">loadable <td class="tabd">request authorization control <tr class="tabr"> <td class="tabd">WASD_CONFIG_GLOBAL <td class="tabd">global <td class="tabd">global server configuration <tr class="tabr"> <td class="tabd">WASD_CONFIG_MAP <td class="tabd">loadable <td class="tabd">request processing control <tr class="tabr"> <td class="tabd">WASD_CONFIG_MSG <td class="tabd">global <td class="tabd">provides server messages <tr class="tabr"> <td class="tabd">WASD_CONFIG_SERVICE <td class="tabd">global <td class="tabd">specifies services (virtual servers) </table> <p> Simple editing of these files changes the configuration. Comment lines may be included by prefixing them with the hash ("#") character. Comment lines prefixed with a quote and then a hash ("!#") are displayed in Server Admin reports and are WATCHable during rule processing. Configuration file directives are not case-sensitive. Any changes to a global configuration file can only be enabled by restarting the HTTPd process using the following command on the server system. <div class="blockof code">$ HTTPD /DO=RESTART </div> <p> Changes to request mapping or authorization configuration files also can be dynamically reloaded into the running server using the administration command-line interface. <div class="blockof code">$ HTTPD /DO=MAP=LOAD $ HTTPD /DO=AUTH=LOAD </div> <p> Changes to configuration files can be validated at the command-line before reload or restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. 
<div class="blockof code">$ HTTPD /DO=AUTH=CHECK $ HTTPD /DO=CONFIG=CHECK $ HTTPD /DO=GLOBAL=CHECK $ HTTPD /DO=MAP=CHECK $ HTTPD /DO=MSG=CHECK $ HTTPD /DO=SERVICE=CHECK </div> <p> The <span class="high italic">config</span> check sequentially processes each of the <span class="high italic">authorization</span>, <span class="high italic">global</span>, <span class="high italic">mapping</span>, <span class="high italic">message</span> and <span class="high italic">service</span> configuration files. <p> If additional server startup qualifiers are required to enable specific configuration features then these must also be provided when checking. For example: <div class="blockof code">$ HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE </div> <p> A server's currently loaded configuration can be interrogated from the Server Administration menu (see <a class="link blank" target="_blank" href="../features/#serveradministration">Server Administration</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <a id="2.1" href="#"></a> <a id="2.1.includefiledirective" href="#"></a> <a id="includefiledirective" href="#"></a> <h2 class="head"><span class="numb">2.1</span><span class="text">Include File Directive</span></h2> <p> WASD uses multiple configuration files for a server and its site, each one providing for a different functional aspect … configuration, virtual services, path mapping, authorization, etc. Generally these configuration files are "flat", with all required directives included in a single file. This provides a simple and straight-forward approach suitable for most sites and allows for the provision of Server Administration page online configuration of several aspects. <p> It is also possible to build site configurations by including the contents of referenced files. This may provide a structure and flexibility not possible using the flat-file approach. All WASD configuration files allow the use of an [IncludeFile] directive. 
This takes a VMS file specification parameter. The file's contents are then loaded and processed as if part of the parent configuration file. These included files are allowed to be nested to a depth of two (i.e. the configuration file can include a file which may then include another file). <p> The following is an example used to build up the mapping rules for four virtual services supported on the one server. <div class="blockof code"># WASD_CONFIG_MAP [[alpha.site.com]] [IncludeFile] WASD_ROOT:[LOCAL]MAP_ALPHA_80.CONF [[alpha.site.com:443]] [IncludeFile] WASD_ROOT:[LOCAL]MAP_ALPHA_443.CONF [[beta.site.com]] [IncludeFile] WASD_ROOT:[LOCAL]MAP_BETA_80.CONF [[beta.site.com:443]] [IncludeFile] WASD_ROOT:[LOCAL]MAP_BETA_443.CONF [[*]] [IncludeFile] WASD_ROOT:[LOCAL]MAP_COMMON.CONF </div> <div class="note"><a id="2.1.0.0.0.1" href="#"></a> <a id="2.1.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Such configurations cannot be managed using the Server Administration facility (see <a class="link blank" target="_blank" href="../features/#serveradministration">Server Administration</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). Files containing [IncludeFile] directives are noted during server startup and if a Server Administration page configuration interface is accessed where this would be a problem an explanatory message and warning is provided. A configuration <span class="high italic">can still be saved</span> but the resulting configuration will be a flat-file representation of the server configuration, not the original hierarchical one. 
<hr class="note_hr"> </div> <a id="2.2" href="#"></a> <a id="2.2.siteorganisation" href="#"></a> <a id="siteorganisation" href="#"></a> <h2 class="head"><span class="numb">2.2</span><span class="text">Site Organisation</span></h2> <p> <span class="high bold">It is recommended that the server distribution tree and any document and other web-specific data areas be kept separate and distinct.</span> <p> The former in WASD_ROOT:[000000], the latter perhaps in something like WEB:[000000]. This logical device could be provided with the following DCL introduced into the site or server startup procedures: <div class="blockof code">$ DEFINE /SYSTEM /TRANSLATION=CONCEALED WEB DKA0:[WEB.] </div> <p> See <a class="link" href="#10.2.vmsfilesystemspecifications">10.2 VMS File System Specifications</a> for further information on the use of logical names in locating and defining the content and structure of a site. <p> Note that logical device names like this need not appear in the structure of the Web site. The root of the Web-accessible path can be concealed using a final mapping rule similar to the following <div class="blockof code">pass /* /web/* </div> which simply defaults <span class="high italic">anything else</span> to that physical area. Of course if that <span class="high italic">anything else</span> needs to exist then it must be located in that physical area. <p> Mapping rules are the tools used to build a logical structure to a site from the physical area, perhaps multiple areas, used to house the associated files. The logical organisation of served data is largely hierarchical, organised under the Web-server path root, and is achieved via two mechanisms. <ol class="list"> <li class="item"> The natural tree structure provided by a hierarchical file system. <li class="item"> The logical hierarchy possible using rules within the mapping file to place disparate physical areas into a single logical structure. 
</ol> <p> Physically distinct areas are used for good physical reasons (e.g. the area can best be hosted on a task-local disk), for historical reasons (e.g. the area existed before any Web environment existed) or for reasons of convenience (e.g. let's put this where access controls already allow the maintainers to manage it). <p> <span class="high bold">There are no good reasons for having site-specific documents integrated into the package directory structure!</span> <p> All site-served files should be located in an autonomous, dedicated area or areas. The only reason to place script files into WASD_ROOT:[CGI-BIN] or WASD_ROOT:[<span class="high italic">architecture</span>_BIN] is that the script is traditionally accessible via a /cgi-bin/ path or that the site is a small and/or low usage environment where this directory is conveniently available for the few extra scripts being made available. <p> For any significant site (size that as best suits your perception), or for when a specific software system or systems is being built or exists and it is being "Web-ified", design that software system as you would any other. That is, place the documentation in one directory area, executables and support procedures in their own, management files in another, data in yet another area, etc. Then make those portions that are required to be accessible via the Web interface accessible via the logical associations afforded through the use of the server's mapping rules (<a class="link" href="#10.requestprocessingconfiguration">10. Request Processing Configuration</a>). Of course existing areas that are to be now made available via the Web can be mapped in the same way. This includes the active components - executable scripts. There is no reason (apart from historical) why the /cgi-bin/ path should be used to activate scripts associated with a dedicated software system. Use a specific and unique path for scripts associated with each such system. 
<p> When making a directory structure available via the Web care must be taken that only the portions required to be accessed can be. Other areas should or must not be accessible. The server process can only access files that are world-accessible, that it has specifically been granted access to via VMS protection mechanisms (e.g. ACLs), or that the individual SYSUAF-authorized accessor can access and which have specifically been made available via server authorization rules. Use the recommendations in <a class="link" href="#3.2.recommendedpackagesecurity">3.2 Recommended Package Security</a> as guidelines when designing your own site's protections and permissions. <a id="2.2.0.0.1" href="#"></a> <a id="2.2.documentroot" href="#"></a> <a id="documentroot" href="#"></a> <h5 class="head"><span class="text">Document Root</span></h5> <p> A particular area of the file system may be specified as the <span class="high italic">root</span> of a particular (virtual) site's documents. This is done using the WASD_CONFIG_MAP SET <span class="high italic">map=root=&lt;string&gt;</span> mapping rule. After this rule is applied all subsequent rules have the specified string prefixed to mapped strings before file-system resolution. <p> For example, the following WASD_CONFIG_MAP rule set <div class="blockof code">[[the.virtual.site:*]] pass /*/-/* /wasd_root/runtime/*/* /wasd_root/* /wasd_root/* set * map=root=/dka0/the_site exec /cgi-bin/* /cgi-bin/* pass /* /* fail * </div> <p> when applied to the following request URLs results in the described mappings being applied. 
<div class="blockof code">http://the.virtual.site/doc/example.txt </div> access to the document represented by file <div class="blockof code">DKA0:[THE_SITE.DOC]EXAMPLE.TXT </div> <p> With the request for a directory icon using <div class="blockof code">http://the.virtual.site/-/httpd/file.gif </div> access to the image represented by file <div class="blockof code">WASD_ROOT:[RUNTIME.HTTPD]FILE.GIF </div> <p> And a request for a script using <div class="blockof code">http://the.virtual.site/cgi-bin/example.php </div> activation of the script represented by the file <div class="blockof code">DKA0:[THE_SITE.CGI-BIN]EXAMPLE.PHP </div> <p> Care must be taken in getting the sequence of mapping rules correct for access to non-site resources before actually setting the document root which then ties every other resource to that root. <a id="2.3" href="#"></a> <a id="2.3.virtualservices" href="#"></a> <a id="virtualservices" href="#"></a> <h2 class="head"><span class="numb">2.3</span><span class="text">Virtual Services</span></h2> <p> A single WASD server process is capable of concurrently supporting the same host name on different port numbers and a number of different host names (DNS aliased or multi-homed) using the same port number. This capability is generally known as a <span class="high italic">virtual server</span>. There is no design limitation on the number of these services that WASD will concurrently support. Virtual services offer versatile and powerful multi-site capabilities using the one system and server. Service determination is based on the contents of the request's "Host:" header field. If none is present it defaults to base service for the interface's IP address and port. 
<a id="2.3.0.0.1" href="#"></a> <a id="2.3.wasdconfigservice" href="#"></a> <a id="wasdconfigservice" href="#"></a> <h5 class="head"><span class="text">WASD_CONFIG_SERVICE</span></h5> <p> If the logical name WASD_CONFIG_SERVICE is defined the deprecated WASD_CONFIG_GLOBAL [Service] directive is not used (see below). <p> See <a class="link" href="#7.7.servicedirectives">7.7 Service Directives</a> for further detail. <a id="2.3.0.0.2" href="#"></a> <a id="2.3.wasdconfigglobalservicedeprecated" href="#"></a> <a id="wasdconfigglobalservicedeprecated" href="#"></a> <h5 class="head"><span class="text">WASD_CONFIG_GLOBAL [Service] <span class="high italic">(deprecated)</span> </span></h5> <p> Using the [Service] WASD_CONFIG_GLOBAL configuration parameter or the /SERVICE qualifier the server creates an HTTP service for each specified. If the host name is omitted it defaults to the local host name. If the port is omitted it defaults to 80. The first port specified in the service list becomes the "administration" port of the server, using the local host name, appearing in administration reports, menus, etc. This port is also that specified when sending control commands via the /DO= qualifier. <p> This rather contrived example shows a server configured to provide four services over two host names. <div class="blockof code">[Service] alpha.example.com alpha.example.com:8080 beta.example.com beta.example.com:8000 </div> <p> Note that both the WASD_CONFIG_SERVICE configuration file (see <a class="link" href="#7.7.servicedirectives">7.7 Service Directives</a>) and the /SERVICE= command-line qualifier override this directive. 
<a id="2.3.1" href="#"></a> <a id="2.3.1.virtualserver" href="#"></a> <a id="virtualserver" href="#"></a> <h3 class="head"><span class="numb">2.3.1</span><span class="text">[[virtual-server]]</span></h3> <p> The essential profile of a site is established by its mapped resources and any authorization controls, the WASD_CONFIG_MAP and WASD_CONFIG_AUTH configuration files respectively, and these two files support directives that allow configuration rules to be applied to all virtual services (i.e. a default), to a host name (all ports), or to a single specified service (host name and specific port). <p> To restrict rules to a specified server (virtual or real) add a line containing the server host name, and optionally a port number, between double-square brackets. All following rules will be applied only to that service. If a port number is not present it applies to all ports for that service name, otherwise only to the service using that port. To resume applying rules to all services use a single asterisk instead of a host name. In this way default (all service) and server-specific rules may be interleaved to build a composite environment, server-specific yet with defaults. Note that service-specific and service-common rules may be mixed in any order allowing common rules to be shared. This descriptive example shows a file with one rule per line. 
<div class="blockof code"># just an example <span class="high italic">this rule applies to all services so does this and this one</span> [[alpha.example.com]] <span class="high italic">this one however applies only to ALPHA, but to all ports as indeed does this</span> [[beta.example.com:8000]] <span class="high italic">now we switch to the BETA service, but only port 8000 another one only applying to BETA and a third</span> [[*]] <span class="high italic">now we have a couple default rules that again apply to all servers</span> </div> <div class="note"> <a id="2.3.1.0.1" href="#"></a> <a id="2.3.1.serviceconditionals" href="#"></a> <a id="serviceconditionals" href="#"></a> <h5 class="head center"><span class="text">Service Conditionals</span></h5> <hr class="note_hr"> As a virtual service specification acts as a conditional on subsequent rule application they must be considered a fundamental element of <a class="link" href="#5.conditionalconfiguration">5. Conditional Configuration</a>. Service conditionals also impose a boundary on the scope of <span class="high italic">if..endif</span> constructs. <hr class="note_hr"> </div> <p> Both the mapping and authorization modules report if rules are provided for services that are not configured for the particular server process (i.e. not in the server's [Service] or /SERVICE parameter list). This provides feedback to the site administrator about any configuration problems that exist, but may also appear if a set of rules are shared between multiple processes on a system or cluster where processes deliver differing services. In this latter case the reports can be considered informational, but should be checked initially and then occasionally for misconfiguration. 
<div class="note"><a id="2.3.1.0.1.1" href="#"></a> <a id="2.3.1.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> There is a difference when specifying virtual services during service creation and when using them to apply mapping, etc. When creating a service the scheme (or protocol, e.g. "http:", "https:") needs to be specified so the server can apply the correct protocol to connections accepted at that service. Once a service is created however, it becomes defined by the host-name and port supplied when created. Only one scheme (protocol) can be supported on any one host-name/port instance and so it becomes unnecessary to provide it with mapping rules, etc. The server will complain in instances where it is redundant. <hr class="note_hr"> </div> <a id="2.3.2" href="#"></a> <a id="2.3.2.unknownvirtualserver" href="#"></a> <a id="unknownvirtualserver" href="#"></a> <h3 class="head"><span class="numb">2.3.2</span><span class="text">Unknown Virtual Server</span></h3> <p> If a service is not configured for the particular host address and port of a request one of two actions will be taken. <ol class="list"> <li class="item"> If the configuration directive [ServiceNotFoundURL] is set the request will be redirected to the specified URL. This should contain a specific host name, as well as message page. For the default page use: <div class="blockof code">[ServiceNotFoundURL] //server.host.name/httpd/-/servicenotfound.html </div> <li class="item"> If the above directive is not set the request is mapped using the default rules (e.g. [[*]]). It is possible to specify a rule set containing a default rule for each virtual server. The unmatched request is then handled by a fallback rule, as illustrated in the following. 
<div class="blockof code">pass /*/-/admin/* pass /*/-/* /wasd_root/runtime/*/* exec /cgi-bin/* /cgi-bin/* [[virtual1.host.name]] /* /web/virtual1/* / /web/virtual1/ [[virtual2.host.name]] /* /web/virtual2/* / /web/virtual2/ [[virtual3.host.name]] /* /web/virtual3/* / /web/virtual3/ [[*]] /* /web/servicenotfound.html </div> </ol> <p> This applies to dotted-decimal addresses as well as alpha-numeric. Therefore if there is a requirement to connect via a numeric IP address such a service must have been configured. <p> Note also that the converse is possible. That is, it's possible to configure a service that the server cannot ever possibly respond to because it does not have an interface using the IP address represented by the service host. <a id="2.4" href="#"></a> <a id="2.4.gzipencoding" href="#"></a> <a id="gzipencoding" href="#"></a> <h2 class="head"><span class="numb">2.4</span><span class="text">GZIP Encoding</span></h2> <p> WASD can apply GZIP compression (gzip, deflate) to any suitable response body and can accept similarly compressed request bodies. It dynamically maps required functions from a ZLIB shareable image. Originally developed against the ZLIB v1.2.<span class="high italic">n</span> port by Jean-François Piéronne, the VMS-PORTS (GNV) LIBZ package is also supported. <p> WASD dynamically maps the associated shareable image by successively accessing the (optionally defined) WASD_LIBZ_SHR32 logical name, then GNV$LIBZSHR32, then LIBZ_SHR32, before reporting GZIP unavailable. <p> The shareable image must be INSTALLed (without any particular privileges) before it can be activated by the privileged WASD HTTPd image (the WASD startup will automatically do this if necessary). The server process log and the Server Administration page, Statistics Report panel named Environment contains the version activated or a VMS status message if an error was encountered. 
<a id="2.4.1" href="#"></a> <a id="2.4.1.responseencoding" href="#"></a> <a id="responseencoding" href="#"></a> <h3 class="head"><span class="numb">2.4.1</span><span class="text">Response Encoding</span></h3> <p> The WASD_CONFIG_GLOBAL directive [GzipResponse] controls whether this feature is enabled for the gzip content-encoding of suitable response bodies. This directive requires at least one parameter, the compression level in the range 1..9. Smaller values provide faster but poorer compression ratios while larger values provide better compression at the cost of more CPU cycles and latency. This corresponds to the GZIP utility's -1..-9 CLI switches. Two optional parameters could allow ZLIB's 'memLevel' and 'windowBits' to be adjusted by ZLIB aficionados (level[,memory,window]). A small amount of experimentation by this author indicates minor changes in memory usage and compression ratio by fiddling with these. <p> Be aware that GZIP encoding is <span class="high bold">memory intensive</span>. From 132kB to 265kB has been observed per compressing request (WATCH provides this in a summary line). These values apply across a wide range of transfer sizes (from kilobytes to tens of megabytes). It also is <span class="high bold">CPU intensive</span> and adds response latency, though that might well be offset by significant reductions in transfer time on the Internet or other slower, non-intranet infrastructures. Text content compression has been observed from 30% to 10% of the original file size (even down to 1% in the case of the extremely redundant content of [EXAMPLE]64K.TXT). VMS executables (for want of another binary test case) at around 40%. In other words, GZIP encoding may not be suitable or efficient for every site or every request! 
<p> Once enabled WASD will GZIP the responses for all suitable contents provided the client accepts the encoding and the response is not one of the following: <ul class="list list0"> <li class="item"> less than 1400 bytes (no point in the overhead) <li class="item"> already content-encoded script output <li class="item"> a compressed image (e.g. GIF, JPEG, PNG, etc) <li class="item"> a video stream (presumably already compressed, e.g. MPEG) <li class="item"> a compressed audio stream <li class="item"> a PDF file <li class="item"> a Shockwave Flash file <li class="item"> an obviously compressed application stream (e.g. GZIP, ZIP, JAR) </ul> <p> Additional control may be exercised with the following path SETings: <ul class="list list0"> <li class="item"> "response=GZIP=all", matching paths will always have GZIP encoding performed (the above constraints still apply) <li class="item"> "response=GZIP=none", matching paths will never have GZIP encoding <li class="item"> "response=GZIP=&lt;integer&gt;", responses with content-lengths greater than the specified number of kilobytes will be GZIP content-encoded (if the content-length cannot be determined it will NOT be encoded and the above constraints still apply) </ul> <p> Using path settings GZIP compression may be disabled for specified file types (apart from those already suppressed as described above). <div class="blockof code">set **.myzip response=gzip=none </div> <p> A script using the <span class="high italic">Script-Control: X-content-encoding-gzip=0</span> CGI response header can similarly suppress GZIP compression of its output if required. See "Scripting Overview" for further detail. <a id="2.4.1.0.1" href="#"></a> <a id="2.4.1.flushperiod" href="#"></a> <a id="flushperiod" href="#"></a> <h5 class="head"><span class="text">Flush Period</span></h5> <p> By default GZIP encoding flushes the internal buffer only when full. Most commonly this is not an issue because of high rates of output. 
However with slow output sources, such as from some classes of script, this can result in considerable latency before a client sees an initial response, and then between transmission of further output. By default output is initially flushed after 5 seconds and thereafter at a maximum interval of 15 seconds. The WASD_CONFIG_GLOBAL directive [GzipFlushSeconds] allows this period to be adjusted. <a id="2.4.2" href="#"></a> <a id="2.4.2.requestencoding" href="#"></a> <a id="requestencoding" href="#"></a> <h3 class="head"><span class="numb">2.4.2</span><span class="text">Request Encoding</span></h3> <p> Decoding of GZIP content-encoded request bodies is enabled using the WASD_CONFIG_GLOBAL directive [GzipAccept]. Enabling this using a value 15 (or 1) results in the server advertising its acceptance of GZIPed requests using the "Accept-Encoding: gzip, deflate" response header. Requests containing bodies GZIP compressed will have these decoded as they are read from the client and before further processing, such as the upload of files into server accessible file-system space. This decoding is optional and not the default with DCL and DECnet script processing. That is, a request body will be passed to the script still encoded unless specific mapping directs otherwise. Decoding by the server into the original data prior to transfering to the script can be enabled for all or selected scripts using the following path settings: <ul class="list"> <li class="item"> "script=body=decode", script gets the decoded stream <li class="item"> "script=body=NOdecode", script gets the raw, encoded stream (default) </ul> <p> Note that scripts need to be specially aware of both GZIP encoded bodies and those already decoded by the server. In the first case the stream must be read to the specified content-length and then decoded. In the second case, a content-length cannot be provided by the server (without unencoding the entire stream ahead of time it cannot predict the final size). 
Where the server is to decode the request body before transfering it to the script it changes the CGI variable CONTENT_LENGTH to a single question-mark ("?"). Scripts may use this to detect the server's intention and then must ignore any transfer-encoding and/or content-encoding header information and read the request body until end-of-file is received. <p> GZIP decoding (decompression) is understandably much less memory and CPU intensive. Experimentation indicates it does not contribute significantly to latency either. <a id="2.5" href="#"></a> <a id="2.5.requestthrottling" href="#"></a> <a id="requestthrottling" href="#"></a> <h2 class="head"><span class="numb">2.5</span><span class="text">Request Throttling</span></h2> <p> Request "throttling" is a term adopted to describe controlling the number of requests that can be processing against any specified path at any one time. Requests in excess of this value are First-In-First-Out (FIFO) queued, up to an optional limit, waiting for a currently processing request to conclude allowing the next queued request to resume processing. This is primarily intended to limit concurrent resource-intensive script execution but could be applied to any resource path. Here's one dictionary description. 
<p class="indent"> <span class="high italic"> <span class="high bold">throttle n 1:</span> a valve that regulates the supply of fuel to the engine [syn: accelerator, throttle valve] <span class="high bold">2:</span> a pedal that controls the throttle valve; "he stepped on the gas" [syn: accelerator, accelerator pedal, gas pedal, gas, gun] <span class="high bold">v 1:</span> place limits on; "restrict the use of this parking lot" [syn: restrict, restrain, trammel, limit, bound, confine] <span class="high bold">2:</span> squeeze the throat of; "he tried to strangle his opponent" [syn: strangle, strangulate] <span class="high bold">3:</span> reduce the air supply; of carburetors [syn: choke] </span> <p> This is applied to a path (or paths) using the WASD_CONFIG_MAP mapping SET THROTTLE= rule (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). The general format is <div class="blockof code">set <span class="high italic">path</span> throttle=<span class="high italic">n1</span>[<!-- u1 -->][<span class="high italic">n2,n3,n4,t/o1,t/o2</span>] set <span class="high italic">path</span> throttle=<span class="high italic">from</span>[<!-- per-user -->][<span class="high italic">to,resume,busy,t/o-queue,t/o-busy</span>] </div> where <ul class="list"> <li class="item"> <span class="high italic">n1</span> sets the number of concurrent requests before queuing begins (the number of processing requests becomes static and the number of queued requests increases) <li class="item"> <span class="high italic">u1</span> is separated from the <span class="high italic">n1</span> value by a forward-slash and limits the concurrent request any one authenticated user can process. Even though the <span class="high italic">n1</span> value may allow processing if <span class="high italic">u1</span> would be exceeded the request is queued. 
<li class="item"> <span class="high italic">n2</span> is the concurrent requests before FIFO queuing begins, meaning each new request is put onto the queue but at the same time the first-in request is taken off the queue for processing (the number of queued requests becomes static and the number of processing requests increases) <li class="item"> <span class="high italic">n3</span> puts a limit on FIFO queuing (the number of queued requests again increases and the number of processing requests becomes static) <li class="item"> <span class="high italic">n4</span> is an absolute limit for concurrent requests against the path (a 503 "server too busy" status is immediately generated) <li class="item"> <span class="high italic">t/o1</span> is the maximum period for queued requests before they are processed (if not constrained by <span class="high italic">n3</span>) <li class="item"> <span class="high italic">t/o2</span> is the maximum period for queued requests before a 503 "server too busy" response is returned, it begins immediately or following the expiry of any <span class="high italic">t/o1</span> </ul> <p> One way to read a throttle rule is "begin to <span class="high italic">throttle</span> (queue) requests <span class="high italic">from</span> the n1 value up <span class="high italic">to</span> the n2 value, after which the queue is FIFOed up to the n3 value when it <span class="high italic">resume</span>s queuing-only, up until the <span class="high italic">busy</span> n4 value". <p> Each integer represents the number of concurrent requests against the throttle rule path. Parameters not required may be specified as zero or omitted in a comma-separated list. The schema of the rule requires that each successive parameter be larger than that preceding it. This basic consistency check is performed when the rule is loaded. 
<p> For any rule the possible maximum number of requests that can be processed at any one time may be simply calculated through the addition of the <span class="high italic">n1</span> value to the difference of the <span class="high italic">n3</span> and <span class="high italic">n2</span> values (i.e. max = n1 + (n3 - n2)). The maximum concurrently queued as the difference of the <span class="high italic">n4</span> and the maximum concurrently processed. <p> A comprehensive throttle statistics report is available from the Server Administration facility. <a id="2.5.0.0.1" href="#"></a> <a id="2.5.peruserthrottle" href="#"></a> <a id="peruserthrottle" href="#"></a> <h5 class="head"><span class="text">Per-User Throttle</span></h5> <p> If the concurrent processing value (<span class="high italic">n1</span>) has a second, slash-delimited integer, this serves to limit the number of authenticated user-associated requests that can be concurrently processing. <p> When a request is available for processing the associated remote user name is checked for activity against the queue. The <span class="high italic">u1</span> (or per-user throttle value) is a limit on that user name's concurrent processing. If it would exceed the specified value the request is queued until the number of requests processing drops below the <span class="high italic">u1</span> value. All other values in the throttle rule are applied as for non-per-user throttling. <div class="note"><a id="2.5.0.0.1.1" href="#"></a> <a id="2.5.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The user name used for comparison purposes is the authenticated remote user (same as the CGI variable value REMOTE_USER). This can be for any realm. 
Of course the same string can be used to represent different users within different authentication realms, and so care should be exercised that per-user throttling does not span realms, otherwise unexpected (and incorrect) throttling may occur for distinct users. <hr class="note_hr"> </div> <p> If an unauthenticated request is matched against the throttle rule (i.e. there is no authorization rule matching the request path) the client has a 500 (server error) response returned. Obviously per-user throttling must have a remote user name to throttle against and this is a configuration issue. <a id="2.5.0.0.2" href="#"></a> <a id="2.5.examples" href="#"></a> <a id="examples" href="#"></a> <h5 class="head"><span class="text">Examples</span></h5> <ol class="list"> <li class="item"> <span class="high bold">throttle=10</span> <p> Requests up to 10 are concurrently processed. When 10 is reached further requests are queued to server capacity. <li class="item"> <span class="high bold">throttle=10,20</span> <p> Concurrent requests to 10 are processed immediately. From 11 to 20 requests are queued. After 20 all requests are queued but also result in a request FIFOing off the queue to be processed (queue length is static, number being processed increases to server capacity). <li class="item"> <span class="high bold">throttle=15,30,40</span> <p> Concurrent requests up to 15 are immediately processed. Requests 16 through to 30 are queued, while 31 to 40 requests result in the new requests being queued and waiting requests being FIFOed into processing. Concurrent requests from 41 onwards are again queued, in this scenario to server capacity. <li class="item"> <span class="high bold">throttle=10,20,30,40</span> <p> Concurrent requests up to 10 are immediately processed. Requests 11 through to 20 will be queued. Concurrent requests from 21 to 30 are queued too, but at the same time waiting requests are FIFOed from the queue (resulting in 10 (n1) + 10 (n3-n2) = 20 being processed). 
From 31 onwards requests are just queued. Up to 40 concurrent requests may be against the path before all new requests are immediately returned with a 503 "busy" status. With this scenario no more than 20 can be concurrently processed with 20 concurrently queued. <li class="item"> <span class="high bold">throttle=10,,,30</span> <p> Concurrent requests up to 10 are processed. When 10 is reached requests are queued up to request 30. When request 31 arrives it is immediately given a 503 "busy" status. <li class="item"> <span class="high bold">throttle=10,20,30,40,00:02:00</span> <p> This is basically the same as scenario 4) but with a resume-on-timeout of two minutes. If there are currently 15 (or 22 or 28) requests (n1 exceeded, n3 still within limit) the queued requests will begin processing on timeout. Should there be 32 processing (n3 has reached limit) the request will continue to sit in the queue. The timeout would not be reset. <li class="item"> <span class="high bold">throttle=15,30,40,,,00:03:00</span> <p> This is basically the same as scenario 3) but with a busy-on-timeout of three minutes. When the timeout expires the request is immediately dequeued with a 503 "busy" status. <li class="item"> <span class="high bold">throttle=10/1</span> <p> Concurrent requests up to 10 are processed. The requests must be of authenticated users. Each authenticated user is allowed to execute at most one concurrent request against this path. When 10 is reached, or if fewer than 10 users are currently executing requests, then further requests are queued to server capacity. <li class="item"> <span class="high bold">throttle=10/1,,,,,00:03:00</span> <p> This is basically the same as scenario 8) but with a busy-on-timeout of three minutes. When the timeout expires any requests still queued against the user name are immediately dequeued with a 503 "busy" status. 
</ol> <a id="2.5.0.0.3" href="#"></a> <a id="2.5.mappingreload" href="#"></a> <a id="mappingreload" href="#"></a> <h5 class="head"><span class="text">Mapping Reload</span></h5> <p> Throttling is applied using mapping rules. The set of these rules may be changed within an executing server using map reload functionality. This means the number of, and/or contents of, throttle rules may change during server execution. The throttle functionality needs to be independent of the mapping functionality (requests are processed independently of mapping rules once the rules have been applied). After a mapping reload the contents of the throttle data structures may be at variance with the constraints currently executing requests began processing under. <p> This should have little deleterious effect. The worst case is mis-applied constraints on the execution limits of changed request paths, and slightly confusing data in the Throttle Report. This quickly passes as requests being processed under the previous throttle constraints conclude and an entirely new collection of requests created using the constraints of the currently loaded rules are processed. <a id="2.6" href="#"></a> <a id="2.6.clientconcurrency" href="#"></a> <a id="clientconcurrency" href="#"></a> <h2 class="head"><span class="numb">2.6</span><span class="text">Client Concurrency</span></h2> <p> The "client_connect_gt:" mapping conditional (<a class="link" href="#5.conditionalconfiguration">5. Conditional Configuration</a>) attempts to allow some measurement of the number of requests a particular client currently has being processed. Using this decision criterion appropriate request mapping for controlling the additional requests can be undertaken. It is not intended to provide fine-grained control over activities, rather just to prevent a single client using an unreasonable proportion of the resources. <p> For example. 
If the number of requests from one particular client looks like it has got out of control (at the client end) then it becomes possible to queue (throttle) or reject further requests. In WASD_CONFIG_MAP <div class="blockof code">if (client_connect_gt:15) set * throttle=15 if (client_connect_gt:15) pass * "503 Exceeding your concurrency limit!" </div> <p> While not completely foolproof it does offer some measure of control over gross client concurrency abuse or error. <a id="2.7" href="#"></a> <a id="2.7.contenttypeconfiguration" href="#"></a> <a id="contenttypeconfiguration" href="#"></a> <h2 class="head"><span class="numb">2.7</span><span class="text">Content-Type Configuration</span></h2> <p> HTTP uses an implementation of the MIME (Multi-purpose Internet Mail Extensions) specification for identifying the type of data returned in a response. A MIME content-type consists of a plain text string describing the data as a <span class="high italic">type</span> and slash-separated <span class="high italic">subtype</span>, as illustrated in the following examples: <div class="blockof code">text/html text/plain image/gif image/jpeg application/octet-stream </div> The content-type is returned to the client as part of the HTTP response, the client then using this information to correctly process and present the data contained in that response. <a id="2.7.1" href="#"></a> <a id="2.7.1.addingcontenttypes" href="#"></a> <a id="addingcontenttypes" href="#"></a> <h3 class="head"><span class="numb">2.7.1</span><span class="text">Adding Content-Types</span></h3> <p> In common with most HTTP servers WASD uses a file's suffix (extension, type, e.g. <span class="high monosp">.HTML</span>, <span class="high monosp">.TXT</span>, <span class="high monosp">.GIF</span>) to identify the data type within the file. The [AddType] directive is used during configuration to bind a file type to a MIME content-type. 
To make the server recognise and return specific content-types these directives map file types to content-types. <p> With the VMS file system there is no effective file characteristic or algorithm for identifying a file's content without an exhaustive examination of the data contained there-in … a very expensive process (and probably still inconclusive in many cases), hence the reliance on the file type. <div class="note"><a id="2.7.1.0.0.1" href="#"></a> <a id="2.7.1.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> When adding a totally new content-type to the configuration be sure also to bind an icon to that type using the [AddIcon] directive (see below). If this is not done the default icon specified by [AddDefaultIcon] is displayed. If that is not defined then a directory listing shows "<span style="font-weight:bold;color:red;">?</span>" in place of an icon. <hr class="note_hr"> </div> <p> Mappings using [AddType] look like these. <div class="blockof code">[AddType] .html text/html Web Markup Language .txt text/plain plain text .gif image/gif image (GIF) .hlb text/x-script /Conan VMS Help library .decw$book text/x-script /HyperReader Bookreader book * internal/x-unknown application/octet-stream </div> <a id="2.7.2" href="#"></a> <a id="2.7.2.mimetypes" href="#"></a> <a id="mimetypes" href="#"></a> <h3 class="head"><span class="numb">2.7.2</span><span class="text">MIME.TYPES</span></h3> <p> To allow the server to share content-type definitions with other MIME-aware applications, and for WASD scripts to be able to perform their own mapping on a shared understanding of MIME content it is possible to move the file suffix to content-type mapping from a collection of [AddType]s in WASD_CONFIG_GLOBAL to an external file. This file is usually named MIME.TYPES and is specified in WASD_CONFIG_GLOBAL using the [AddMimeTypesFile] directive. <p> Mappings using MIME.TYPES look like these. 
<div class="blockof code"># MIME type Extension application/msword doc application/octet-stream bin dms lha lzh exe class application/oda oda application/pdf pdf application/postscript ai eps ps application/rtf rtf </div> <p> A leading content-type is mapped to single or multiple file suffixes. A general MIME.TYPES file commonly has content-types listed with no corresponding file suffix. These are ignored by WASD. Where a file suffix is repeated during configuration the latter version completely supersedes the former (with the Server Administration page showing an italicised and struck-through content-type to help identify duplicates). <p> To allow the configuration information used by the server to generate directory listings with additional detail, WASD-specific extensions to the standard MIME.TYPES format are provided. These are "hidden" in comment structures so as not to interfere with non-WASD application use. All begin with a hash then an exclamation character ("#!") then another reserved character indicating the purpose of the extension. Existing comments are unaffected provided the second character is anything but an exclamation mark! <ul class="list"> <li class="item"> <span class="high bold">#! file description</span> <br> A space reserved character indicates following free-form text, used as the file type description displayed on the far right of directory listings. <li class="item"> <span class="high bold">#!/cgi-bin/script</span> <br> A forward-slash introduces an auto-script specification. An auto-script is automatically activated by the server to process and display a corresponding file's contents. These are sometimes referred to as <span class="high italic">presentation</span> scripts. <li class="item"> <span class="high bold">#![<span class="high italic">alt</span>] /path/to/icon.gif</span> <br> A left-square-bracket is used for icon specifications. 
These are actually mapped against the following content-type, not file suffix, and so only need to be specified once for each content-type in the file. This behaves in a similar fashion to [AddIcon], only the components are reversed. <li class="item"> <span class="high bold">#!!</span> <br> The two exclamation marks can be used to indicate a MIME type intended for WASD only. They can be ignored by non-WASD applications. <li class="item"> <span class="high bold">#!+</span> <br> An exclamation mark then a plus symbol indicates an FTP transfer mode directive. One of three characters may follow the plus. An "A" indicates that this file type should be FTP transferred in ASCII mode. An "I" or a "B" indicates that this file type should be FTP transferred in Image (binary) mode. <li class="item"> <span class="high bold">#!%</span> <br> A percentage is ignored by WASD. This is reserved for local (non-WASD) viewers. </ul> <p> These directives are placed <span class="high bold">following</span> the MIME-type entry they apply to. An example of the contents of a MIME.TYPES file with various WASD extensions. <div class="blockof code"># MIME type Extension application/msword doc #! MS Word document #![DOC] /httpd/-/doc.gif application/octet-stream bin dms lha lzh exe class #! binary content #![BIN] /httpd/-/binary.gif application/oda oda application/pdf pdf application/postscript ai eps ps #! Adobe PostScript #![PS.] /httpd/-/postscript.gif #!+A application/rtf rtf #! Rich Text Format #![RTF] /httpd/-/rtf.gif application/x-script bks decw$bookshelf #! DEC Bookshelf #!/cgi-bin/hypershelf application/x-script bkb decw$book #![BKR] /httpd/-/script.gif #! DEC Book #!/cgi-bin/hyperreader </div> <p> Other reserved characters have been specified for development purposes but are not (perhaps currently) employed by the HTTP server. <ul class="list"> <li class="item"> <span class="high bold">#!< html marked-up text</span> <br> A less-than symbol indicates HTML marked-up text. 
<li class="item"> <span class="high bold">#!# blah blah blah</span> <br> <span class="high bold">##! rhubarb rhubarb</span> <br> Two combinations of hash and exclamation characters provide for WASD-specific comments. </ul> <a id="2.7.3" href="#"></a> <a id="2.7.3.unknowncontenttypes" href="#"></a> <a id="unknowncontenttypes" href="#"></a> <h3 class="head"><span class="numb">2.7.3</span><span class="text">Unknown Content-Types</span></h3> <p> If a file type is not recognised (i.e. no [AddType] or [AddMimeTypesFile] mapping corresponding to the file type) then by default WASD identifies its data as <span class="high italic">application/octet-stream</span> (i.e. essentially binary data). Most browsers respond to this content-type with a download dialog, allowing the data to be saved as a file. Most commonly these unknown types manifest themselves when authors use "interesting" file names to indicate their purpose. Here are some examples the author has encountered: <div class="blockof code">README.VMS README.1ST READ-ME.FIRST BUILD.INSTRUCTIONS MANUAL.PT1 (.PT2, …) </div> <p> If the site administrator would prefer another default content-type, perhaps "text/plain" so that any unidentified files default to plain text, then this may be configured by specifying that content-type as the <span class="high italic">description</span> of the catch-all file type entry. Examples (use one of): <div class="blockof code">[AddType] * internal/x-unknown * internal/x-unknown application/octet-stream * internal/x-unknown text/plain * internal/x-unknown something/else-entirely </div> It is the author's opinion that unidentified file types should remain as binary downloads, not "text" documents, which they are probably more often not, but it's there if wanted. 
<a id="2.7.4" href="#"></a> <a id="2.7.4.explicitlyspecifyingcontenttype" href="#"></a> <a id="explicitlyspecifyingcontenttype" href="#"></a> <h3 class="head"><span class="numb">2.7.4</span><span class="text">Explicitly Specifying Content-Type</span></h3> <p> When accessing files it is possible to explicitly specify the identifying content-type to be returned to the browser in the HTTP response header. Of course this does not change the actual content of the file, just the header content-type! This is primarily provided to allow access to plain-text documents that have obscure, non-"standard" or non-configured file extensions. <p> It could also be used for other purposes, "forcing" the browser to accept a particular file as a particular content-type. This can be useful if the extension is not configured (as mentioned above) or in the case where the file contains data of a known content-type but with an extension conflicting with an already configured extension specifying data of a different content-type. Note that the content-type is then taken from the request URL, and so is chosen by whoever constructs the link rather than by the [AddType] or MIME.TYPES configuration; the browser will handle the file's data according to that requested type. <p> Enter the file path into the browser's URL specification field ("Location:", "Address:"). Then, for plain-text, append the following query string: <div class="blockof code">?httpd=content&type=text/plain </div> <p> For another content-type substitute it appropriately. For example, to retrieve a text file in binary (why I can't imagine :-) use <div class="blockof code">?httpd=content&type=application/octet-stream </div> <p> This is an example: <div class="blockof mono"><a class="link blank" target="_blank" href="/wasd_root/wasdoc/config/file.unknown">file.unknown</a> <a class="link blank" target="_blank" href="/wasd_root/wasdoc/config/file.unknown?httpd=content&type=text/plain">file.unknown?httpd=content&type=text/plain</a> </div> <p> It is possible to "force" the content-type for all files in a particular directory. Enter the path to the directory and then add <div class="blockof code">?httpd=index&type=text/plain </div> <p> (or what-ever type is desired). 
Links to files in the listing will contain the appropriate "?httpd=content&type=..." appended as a query string. <p> This is an example: <div class="blockof mono"><a class="link blank" target="_blank" href="/wasd_root/wasdoc/config/*.*">*.*</a> <a class="link blank" target="_blank" href="/wasd_root/wasdoc/config/*.*?httpd=content&type=text/plain">*.*?httpd=content&type=text/plain</a> </div> <a id="2.8" href="#"></a> <a id="2.8.languagevariants" href="#"></a> <a id="languagevariants" href="#"></a> <h2 class="head"><span class="numb">2.8</span><span class="text">Language Variants</span></h2> <p> Language-specific variants of a document may be configured to be served automatically and transparently. This is organized as a basic file and name with language-specific variant indicated by an additional "tag", one of ISO language abbreviations used by the "Accept-Language:" request header field, e.g. <span class="high italic">en</span> for English, <span class="high italic">fr</span> for French, <span class="high italic">de</span> for German, <span class="high italic">ru</span> for Russian, etc. <p> Two variants of the basic file specification are possible; file name (the default) and file type. Hence if the basic file name is EXAMPLE.HTML then specifically German, English, French and Russian language versions in the directory would be either <div class="blockof code">EXAMPLE.HTML EXAMPLE_DE.HTML EXAMPLE_EN.HTML EXAMPLE_FR.HTML EXAMPLE_RU.HTML </div> or <div class="blockof code">EXAMPLE.HTML EXAMPLE.HTML_DE EXAMPLE.HTML_EN EXAMPLE.HTML_FR EXAMPLE.HTML_RU </div> <p> A path must be explicitly SET using the <span class="high italic">accept=lang</span> mapping rule as containing language variants. As searching for variants is a relatively expensive operation the rule(s) applying this functionality should be carefully crafted. The <span class="high italic">accept=lang</span> rule accepts an optional default language representing the contents of the basic, untagged files. 
This provides an opportunity to more efficiently handle requests with a language first preference matching that of the default. In this case no variant search is undertaken, the basic file is simply served. The following example sets a path to contain files with a default language of French and possibly containing other language variants. <div class="blockof code">set /web/doc/* accept=lang=(default=fr) </div> <p> In this case the behaviour would be as follows. With the default language set to "fr" a request's "Accept-Language:" field is initially processed to check if the first preference is for "fr". If it is then there is no need for further accept language processing and the basic file is returned as the response. If not then the directory is searched for other files matching the EXAMPLE_*.HTML specification. All files matching this wildcard have the "*" portion (e.g. "EN", "FR", "DE", "RU") added to a list of variants. When the search is complete this list is compared to the request's "Accept-Language:" list. The first one to be matched has the contents of the corresponding file returned. If none are matched the default version would be returned. <p> This example of the behaviour is based on the contents of the directory described above. A request that specifies <div class="blockof code">Accept-Language: fr,de,en </div> <p> will have EXAMPLE.HTML returned (without having searched for any other variants). For a request specifying <div class="blockof code">Accept-Language: ru,en </div> <p> then the EXAMPLE_RU.HTML file is returned, and if no "Accept-Language:" is supplied with the request EXAMPLE.HTML would be returned. One or other file is always returned, with the default, non-language file always the fallback source of data. If it does not exist and no other language variant is selected the request returns a 404 file-not-found error. 
<a id="2.8.0.0.1" href="#"></a> <a id="2.8.contenttype" href="#"></a> <a id="contenttype" href="#"></a> <h5 class="head"><span class="text">Content-Type</span></h5> <p> When using the <span class="high italic">accept=lang=(variant=type)</span> form of the rule (i.e. the variant is placed on the file type rather than the default file name) each possible file extension must also have its content-type made known to the server. Using the example above the variants would need to be configured in a similar way to the following. <div class="blockof code">[AddType] .HTML "text/html; charset=ISO-8859-1" Web Markup Language .HTML_DE "text/html; charset=ISO-8859-1" HTML (German) .HTML_EN "text/html; charset=ISO-8859-1" HTML (English) .HTML_FR "text/html; charset=ISO-8859-1" HTML (French) .HTML_RU "text/html; charset=koi8-r" HTML (Russian) </div> <a id="2.8.0.0.2" href="#"></a> <a id="2.8.nontextcontent" href="#"></a> <a id="nontextcontent" href="#"></a> <h5 class="head"><span class="text">Non-Text Content</span></h5> <p> Normally only files with a content-type of "text/.." are subject to variant searching. If the rule path includes a file type then those files matching the rule are also variant-searched. In this way images, audio files, etc., may also have language-specific versions supplied transparently. The following illustrates this usage <div class="blockof code">set /web/doc/*.jpg accept=lang=(default=fr) set /web/doc/*.wav accept=lang=(default=fr) </div> <a id="2.9" href="#"></a> <a id="2.9.charactersetconversion" href="#"></a> <a id="charactersetconversion" href="#"></a> <h2 class="head"><span class="numb">2.9</span><span class="text">Character Set Conversion</span></h2> <p> The default character set sent in the response header for text documents (plain and HTML) is set using the [CharsetDefault] directive and/or the SET charset mapping rule. English language sites should specify ISO-8859-1, other Latin alphabet sites, ISO-8859-2, 3, etc. 
Cyrillic sites might wish to specify ISO-8859-5 or KOI8-R, and so on. <p> Document and CGI script output may be dynamically converted from one character set to another using the standard VMS NCS conversion library. The [CharsetConvert] directive provides the server with character set aliases (those that are for all requirements the same) and which NCS conversion function may be used to convert one character set into another. <div class="blockof code">document-charset accept-charset[,accept-charset..] [NCS-function-name[=factor]] </div> <p> When this directive is configured the server compares each text response's character set (if any) to each of the directive's <span class="high italic">document charset</span> string. If it matches it then compares each of the <span class="high italic">accepted charset</span> (if multiple) to the request "Accept-Charset:" list of accepted characters sets. <p> At least one <span class="high italic">doc-charset</span> and one <span class="high italic">accept-charset</span> must be present. If only these two are present (i.e. no <span class="high italic">NCS-conversion-function</span>) it indicates that the two character sets are aliases (i.e. the same set of characters, different name) and no conversion is necessary. <p> If an <span class="high italic">NCS-conversion-function</span> is supplied it indicates that the document <span class="high italic">doc-charset</span> can be converted to the request "Accept-Charset:" preference of the <span class="high italic">accept-charset</span> using the NCS conversion function name specified. <p> A <span class="high italic">factor</span> parameter can be appended to the conversion function. Some conversion functions require more than one output byte to represent one input byte for some characters. The 'factor' is an integer between 1 and 4 indicating how much more buffer space may be required for the converted string. 
It works by allocating that many times more output buffer space than is occupied by the input buffer. If not specified it defaults to 1, or an output buffer the same size as the input buffer. <p> Multiple comma-separated <span class="high italic">accept-charset</span>s may be included as the second component for either of the above behaviours, with each being matched individually. Wildcard <span class="high monosp">*</span> (asterisk) and <span class="high monosp">%</span> (percentage) may be used in the <span class="high italic">doc-charset</span> and <span class="high italic">accept-charset</span> strings. <div class="blockof code">[CharsetConvert] windows-1251 windows-1251,cp-1251 windows-1251 koi8-r windows1251_to_koi8r koi8-r koi8-r,koi8 koi8-r windows-1251,cp-1251 koi8r_to_windows1251 koi8-r utf-8 koi8r_to_utf8=2 </div> <a id="2.10" href="#"></a> <a id="2.10.errorreporting" href="#"></a> <a id="errorreporting" href="#"></a> <h2 class="head"><span class="numb">2.10</span><span class="text">Error Reporting</span></h2> <p> By default the server provides its own internal error reporting facility. These reports may be configured as <span class="high italic">basic</span> or <span class="high italic">detailed</span> on a per-path basis, as well as determining the basic "look-and-feel". For more demanding requirements the [ErrorReportPath] configuration directive allows a redirection path to be specified for error reporting, permitting the site administrator to tailor both the nature and format of the information provided. A Server Side Include document, CGI script or even standard HTML file(s) may be specified. Generally an SSI document would be recommended for the simplicity yet versatility. <a id="2.10.1" href="#"></a> <a id="2.10.1.basicanddetailed" href="#"></a> <a id="basicanddetailed" href="#"></a> <h3 class="head"><span class="numb">2.10.1</span><span class="text">Basic and Detailed</span></h3> <p> Internally generated error reports are the most efficient. 
These can be delivered with two levels of error information. The default is more detailed. <blockquote> <font size="+1"> <b>ERROR 404</b> - The requested resource could not be found. </font> <br>Document not found ... /wasd_root/index.html <!-- sts: %x00018292 "wasd_root:[000000]index.html" --> <br><i>(document, bookmark, or reference requires revision)</i> <br>Additional information: <a class="link" href="/httpd/-/status1xx.html">1<i>xx</i></a>, <a class="link" href="/httpd/-/status2xx.html">2<i>xx</i></a>, <a class="link" href="/httpd/-/status3xx.html">3<i>xx</i></a>, <a class="link" href="/httpd/-/status4xx.html">4<i>xx</i></a>, <a class="link" href="/httpd/-/status5xx.html">5<i>xx</i></a>, <a class="link" href="/httpd/-/statushelp.html">help</a> <br><hr width="55%" align="left" size="2" noshade> <address>WASD/10.0.0 server at <a class="link" href="mailto:mark.daniel@www.example.com">www.example.com</a> port 80</address> </blockquote> <p> There is also the more basic. <blockquote> <font size="+1"> <b>ERROR 404</b> - The requested resource could not be found. </font> <br>Additional information: <a class="link" href="/httpd/-/status1xx.html">1<i>xx</i></a>, <a class="link" href="/httpd/-/status2xx.html">2<i>xx</i></a>, <a class="link" href="/httpd/-/status3xx.html">3<i>xx</i></a>, <a class="link" href="/httpd/-/status4xx.html">4<i>xx</i></a>, <a class="link" href="/httpd/-/status5xx.html">5<i>xx</i></a>, <a class="link" href="/httpd/-/statushelp.html">help</a> <br><hr width="55%" align="left" size="2" noshade> <address>WASD/10.0.0 server at <a class="link" href="mailto:mark.daniel@www.example.com">www.example.com</a> port 80</address> </blockquote> <p> These can be set per-server using the [ReportBasicOnly] configuration directive, or on a per-path basis in the WASD_CONFIG_MAP configuration file. 
The basic report is intended for environments where traditionally a minimum of information might be provided to the user community, both to reduce site configuration information leakage but also where a general user population may only need or want the information that a document was either found or not found. The detailed report often provides far more specific information as to the nature of the event and so may be more appropriate to a more technical group of users. Either way it is relatively simple to provide one as the default and the other for specific audiences. Note that the detailed report also includes in page <META> information the code module and line references for reported errors. <p> To default to a basic report for all but selected resource paths introduce the following to the top of the WASD_CONFIG_MAP configuration file. <div class="blockof code"># default is basic reports set /* report=basic set /internal-documents/* report=detailed set /other/path/* report=detailed </div> <p> To provide the converse, default to a detailed report for all but selected paths use the following. <div class="blockof code"># default is detailed reports set /web/* report=basic </div> <a id="2.10.1.0.1" href="#"></a> <a id="2.10.1.othercustomization" href="#"></a> <a id="othercustomization" href="#"></a> <h5 class="head"><span class="text">Other Customization</span></h5> <p> The additional reference information included in the report may be disabled using the appropriate WASD_CONFIG_MSG [status] message item. Emptying this message results in an error report similar to the following. <blockquote> <font size="+1"> <b>ERROR 404</b> - The requested resource could not be found. 
</font> <br><hr width="55%" align="left" size="2" noshade> <address>WASD/10.0.0 server at <a class="link" href="mailto:mark.daniel@www.example.com">www.example.com</a> port 80</address> </blockquote> <p> The server signature may be disabled using the WASD_CONFIG_GLOBAL [ServerSignature] configuration directive. This results in a minimal error report. <blockquote> <font size="+1"> <b>ERROR 404</b> - The requested resource could not be found. </font> </blockquote> <p> A simple approach to providing a site-specific "look-and-feel" to server reports is to customize the [ServerReportBodyTag] WASD_CONFIG_GLOBAL configuration directive. Using this directive report page background colour, background image, text and link colours, etc., may be specified for all reports. It is also possible to more significantly change the report format and contents (within some constraints), without resorting to the site-specific mechanisms referred to below, by changing the contents of the appropriate WASD_CONFIG_MSG [status] item. This should be undertaken with care. <a id="2.10.2" href="#"></a> <a id="2.10.2.sitespecific" href="#"></a> <a id="sitespecific" href="#"></a> <h3 class="head"><span class="numb">2.10.2</span><span class="text">Site Specific</span></h3> <p> Customized error reports can be generated for all or selected HTTP status codes associated with errors reported by the server using the WASD_CONFIG_GLOBAL [ErrorReportPath] and WASD_CONFIG_SERVER [ServiceErrorReportPath] configuration directives. To explicitly handle all error reports specify the path to the error reporting mechanism (see description below) as in the following example. <div class="blockof code">[ErrorReportPath] /httpd/-/reporterror.shtml </div> <p> To handle only selected error reports add the HTTP status codes following the report path. In this example only 403 and 404 errors are explicitly handled, the rest remain server-generated. This is particularly useful for static error documents. 
<div class="blockof code">[ErrorReportPath] /httpd/-/reporterror.shtml 403 404 </div> <p> To exclude selected error reports (and handle all others by default) add the HTTP status codes preceded by a hyphen following the report path. In this example 401 and 500 errors are server-generated. <div class="blockof code">[ErrorReportPath] /httpd/-/reporterror.shtml -401 -500 </div> <p> Site-specific error reporting works by internal redirection. When an error is reported the original request is concluded and the request reconstructed using the error report path before internally being reprocessed. For SSI and CGI script handlers error information becomes available via a specially-built query string, and from that as CGI variables in the error report context. One implication is the original request path and query string are no longer available. All error information must be obtained from the error information in the new query string. <p> It is suggested with any use of this facility the reporting document(s) be located somewhere local, probably WASD_ROOT:[RUNTIME.HTTPD], and then enabled by placing the appropriate path into the [ErrorReportPath] configuration directive. <div class="blockof code">[ErrorReportPath] /httpd/-/reporterror.shtml </div> <p> Note that virtual services can subsequently have this path mapped to other documents (or even scripts) so that some or all services may have custom error reports. For instance the following arrangement provides each host (service) with an customized error report. 
<div class="blockof code"># WASD_CONFIG_GLOBAL [ErrorReportPath] /errorreport.shtml # WASD_CONFIG_MAP [[alpha.example.com]] pass /errorreport.shtml /httpd/-/alphareport.shtml [[beta.example.com]] pass /errorreport.shtml /httpd/-/betareport.shtml [[gamma.example.com]] pass /errorreport.shtml /httpd/-/gammareport.shtml </div> <a id="2.10.2.0.1" href="#"></a> <a id="2.10.2.usingstatichtmldocuments" href="#"></a> <a id="usingstatichtmldocuments" href="#"></a> <h5 class="head"><span class="text">Using Static HTML Documents</span></h5> <p> Static HTML documents are a good choice for site-specific error messages. They are very low overhead and are easily customizable. One per possible response error status code is required. When providing an error report path, including a "!UL" introduces the response status code into the file path, providing a report path that includes a three digit number representing the HTTP status code. A file for each possible or configured code must then be provided, in this example for 403 (authorization failure), 404 (resource not found) and 502 (bad gateway/script). <div class="blockof code">[ErrorReportPath] /httpd/-/reporterror!UL.html 403 404 502 </div> <p> This mapping will generate paths such as the following, and require the three specified to respond to those errors. <div class="blockof code">/httpd/-/reporterror403.html /httpd/-/reporterror404.html /httpd/-/reporterror502.html </div> <a id="2.10.2.0.2" href="#"></a> <a id="2.10.2.usinganssidocument" href="#"></a> <a id="usinganssidocument" href="#"></a> <h5 class="head"><span class="text">Using an SSI Document</span></h5> <p> SSI documents provide the versatility of dynamic report generation but they do take time and CPU for processing, and this may be a significant consideration on busy sites. <p> Three example SSI error report documents are provided. 
<ol class="list"> <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/example/reporterror1.shtml?httpd=content&type=text/plain"> WASD_ROOT:[EXAMPLE]REPORTERROR1.SHTML</a> <br>Provides a report identical with those internally generated in versions prior to v7.0. <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/example/reporterror2.shtml?httpd=content&type=text/plain"> WASD_ROOT:[EXAMPLE]REPORTERROR2.SHTML</a> <br>This is a minor variation, showing how the format may be easily customized. <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/example/reporterror3.shtml?httpd=content&type=text/plain"> WASD_ROOT:[EXAMPLE]REPORTERROR3.SHTML</a> <br>This version has a radically different format and content, with much less specific error information (which some administrators may consider advantageous). When generated these reports <a class="link blank" target="_blank" href="/wasd_root/example/reporterror3.html">look something like this</a>. <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/example/reporterror4.shtml?httpd=content&type=text/plain"> WASD_ROOT:[EXAMPLE]REPORTERROR4.SHTML</a> <br> This example uses the report format provided with WASD v7.0 and later; when generated these reports <a class="link blank" target="_blank" href="/wasd_root/example/reporterror4.html">look something like this</a>. <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/example/reporterror5.shtml?httpd=content&type=text/plain"> WASD_ROOT:[EXAMPLE]REPORTERROR5.SHTML</a> <br>This is another variation, showing how the format may be easily customized. When generated this report <a class="link blank" target="_blank" href="/wasd_root/example/reporterror5.html">looks something like this</a>. </ol> <p> The following SSI variables are available specifically for generating error reports. The &lt;!--#printenv --&gt; statement near the top of the file may be uncommented to view all SSI and CGI variables available (comment it out again afterwards, as the output becomes part of the error report returned to the client). 
<p> <a id="2.10.2.0.3" href="#"></a> <a id="2.10.2.errorvariables" href="#"></a> <a id="errorvariables" href="#"></a> <h5 class="head"><span class="text">Error Variables</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Variable <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">ERROR_LINE <td class="tabd">The HTTPd source code line from where the error was generated. <tr class="tabr"> <td class="tabd">ERROR_MODULE <td class="tabd">The HTTPd source code module corresponding to the line described above. <tr class="tabr"> <td class="tabd">ERROR_REPORT <td class="tabd">A single HTML string providing a detailed error message. <tr class="tabr"> <td class="tabd">ERROR_REPORT2 <td class="tabd">A single HTML comment providing more detailed VMS error information if available <tr class="tabr"> <td class="tabd">ERROR_REPORT3 <td class="tabd">A server-generated HTML string providing a brief explanation of the error if available <tr class="tabr"> <td class="tabd">ERROR_STATUS_CLASS <td class="tabd">Essentially the single hundreds digit from the status code (e.g. 4). <tr class="tabr"> <td class="tabd">ERROR_STATUS_CODE <td class="tabd">The HTTP response status code representing the error (e.g. 404). <tr class="tabr"> <td class="tabd">ERROR_STATUS_EXPLANATION <td class="tabd">The HTTP response status code descriptive meaning (e.g. "The requested resource could not be found.") <tr class="tabr"> <td class="tabd">ERROR_STATUS_TEXT <td class="tabd">The HTTP response status code abbreviated meaning (e.g. "Not Found"). <tr class="tabr"> <td class="tabd">ERROR_STATUS_TYPE <td class="tabd">"basic" or "detailed". <tr class="tabr"> <td class="tabd">ERROR_STATUS_URI <td class="tabd">The HTML-escaped URI of the request reporting the error. <tr class="tabr"> <td class="tabd">FORM_ERROR_… <td class="tabd">A series of CGI variables providing the sources for the above SSI variables, as well as other general environment information. 
</table> <a id="2.10.2.0.4" href="#"></a> <a id="2.10.2.usingascript" href="#"></a> <a id="usingascript" href="#"></a> <h5 class="head"><span class="text">Using a Script</span></h5> <p> It is also possible to report using a script. The same error information is available via corresponding CGI variables. The source code <a class="link blank" target="_blank" href="/wasd_root/src/misc/reporterror.c">WASD_ROOT:[SRC.MISC]REPORTERROR.C</a> provides such an implementation example. <a id="2.11" href="#"></a> <a id="2.11.opcomlogging" href="#"></a> <a id="opcomlogging" href="#"></a> <h2 class="head"><span class="numb">2.11</span><span class="text">OPCOM Logging</span></h2> <p> Significant server events may be optionally displayed via a selected operator's console and recorded in the operator log. Various categories of these events may be selectively enabled via WASD_CONFIG_GLOBAL directives (<a class="link" href="#6.globalconfiguration">6. Global Configuration</a>). <ul class="list list0"> <li class="item"> Server Administration page directives <li class="item"> authentication/authorization (e.g. failures) <li class="item"> CLI HTTPd control directives <li class="item"> HTTPd events (e.g. startup, exit, SSL private key password requests) <li class="item"> proxy file cache maintenance </ul> <p> Some significant server events are always logged to OPCOM if any one of the above categories is enabled. <a id="2.12" href="#"></a> <a id="2.12.accesslogging" href="#"></a> <a id="accesslogging" href="#"></a> <h2 class="head"><span class="numb">2.12</span><span class="text">Access Logging</span></h2> <p> WASD provides a versatile access log, allowing data to be collected in Web-standard <span class="high italic">common</span> and <span class="high italic">combined</span> formats, as well as allowing customization of the log record format. It is also possible to specify a log period. If this is done log files are automatically changed according to the period specified. 
<p> Where multiple access log files are generated with per-instance, per-period and/or per-service logging (see below) these can be merged into single files for administrative or archival purposes using the CALOGS utility. <p> The Quick-and-Dirty LOG STATisticS utility can be used to provide elementary ad hoc log analysis from the command-line or CGI interface. <p> Exclude requests from specified hosts using the [LogExcludeHosts] configuration parameter, or using the "SET NOLOG" mapping directive. <a id="2.12.1" href="#"></a> <a id="2.12.1.logformat" href="#"></a> <a id="logformat" href="#"></a> <h3 class="head"><span class="numb">2.12.1</span><span class="text">Log Format</span></h3> <p> The configuration parameter [LogFormat] and the server qualifier /FORMAT specifies one of three pre-defined formats, or a user-definable format. Most log analysis tools can process the three pre-defined formats. There is a small performance impost when using the user-defined format, as the log entry must be specially formatted for each request. <ul class="list"> <li class="item"> <span class="high bold">COMMON -</span> This is the most common, base logging format for Web servers. COMMON is the default log format. <li class="item"> <span class="high bold">COMMON_SERVER -</span> This is an optional format used, for one, by the NCSA server. It is basically the common format, with the server host name appended to the line (used for multi-homed servers, see <a class="link" href="#2.3.virtualservices">2.3 Virtual Services</a>). <li class="item"> <span class="high bold">COMBINED -</span> This is an optional format used, for one again, by the NCSA server. It too is basically the common format, with the HTTP referer and user agent appended. 
</ul> <a id="2.12.1.0.1" href="#"></a> <a id="2.12.1.userdefined" href="#"></a> <a id="userdefined" href="#"></a> <h5 class="head"><span class="text">User-Defined</span></h5> <p> The user-defined format allows customised log formats to be specified using a selection of commonly required data. The specification must begin with a character that is used as a substitute when a particular field is empty (use "0" for no substitute, as in the "windows log format" example below). <p> Two different "escape" characters introduce the following parameters: <a id="2.12.1.0.2" href="#"></a> <a id="2.12.1.aquotquotfollowedby" href="#"></a> <a id="aquotquotfollowedby" href="#"></a> <h5 class="head"><span class="text">A "!" followed by</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Characters <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">AR <td class="tabd">authentication realm (if any) <tr class="tabr"> <td class="tabd">AU <td class="tabd">authenticated user name (if any) <tr class="tabr backlight"> <td class="tabd">BB <td class="tabd">bytes in body (excludes response header) <tr class="tabr"> <td class="tabd">BQ <td class="tabd">quadword bytes in response (includes header) <tr class="tabr backlight"> <td class="tabd">BY <td class="tabd">bytes in response (includes header) <tr class="tabr"> <td class="tabd">CA <td class="tabd">client address <tr class="tabr backlight"> <td class="tabd">CC <td class="tabd">X509 client certificate authorization distinguishing name <tr class="tabr"> <td class="tabd">CI <td class="tabd">SSL session cipher (e.g. "AES128-SHA", "AES256-SHA256") <tr class="tabr backlight"> <td class="tabd">CL <td class="tabd">value provided by "Content-Length:" header (cf. 
"PL") <tr class="tabr"> <td class="tabd">CN <td class="tabd">client host name (or address if DNS lookup disabled) <tr class="tabr backlight"> <td class="tabd">CP <td class="tabd">client port <tr class="tabr"> <td class="tabd">DI <td class="tabd">specified dictionary value <tr class="tabr backlight"> <td class="tabd">ID <td class="tabd">session track ID - obsolete <tr class="tabr"> <td class="tabd">EM <td class="tabd">request elapsed time in milliseconds <tr class="tabr backlight"> <td class="tabd">ES <td class="tabd">request elapsed time in fractional seconds <tr class="tabr"> <td class="tabd">ME <td class="tabd">request method <tr class="tabr backlight"> <td class="tabd">NP <td class="tabd">specified notepad value <tr class="tabr"> <td class="tabd">PA <td class="tabd">request path (not to be confused with "RQ") <tr class="tabr backlight"> <td class="tabd">PL <td class="tabd">actual body (payload) length received with POST or PUT (cf. "CL") <tr class="tabr"> <td class="tabd">PR <td class="tabd">request URL (includes protocol scheme) <tr class="tabr backlight"> <td class="tabd">QS <td class="tabd">request query string (if any) <tr class="tabr"> <td class="tabd">RF <td class="tabd">referer (if any) <tr class="tabr backlight"> <td class="tabd">RQ <td class="tabd">complete request string (see below) <tr class="tabr"> <td class="tabd">RP <td class="tabd">request protocol <tr class="tabr backlight"> <td class="tabd">RS <td class="tabd">response status code <tr class="tabr"> <td class="tabd">SN <td class="tabd">server host name <tr class="tabr backlight"> <td class="tabd">SC <td class="tabd">script name (if any) <tr class="tabr"> <td class="tabd">SM <td class="tabd">request scheme (http: or https:) <tr class="tabr backlight"> <td class="tabd">SP <td class="tabd">server port <tr class="tabr"> <td class="tabd">SR <td class="tabd">SSL session reused <tr class="tabr backlight"> <td class="tabd">SV <td class="tabd">SSL protocol (e.g. 
"SSLv3", "TLSv1") <tr class="tabr"> <td class="tabd">TC <td class="tabd">request time (common log format) <tr class="tabr backlight"> <td class="tabd">TI <td class="tabd">request time (local in ISO 8601 extended format) <tr class="tabr"> <td class="tabd">TS <td class="tabd">request time (UTC in ISO 8601 basic format) sortable <tr class="tabr backlight"> <td class="tabd">TU <td class="tabd">request time (UTC) <tr class="tabr"> <td class="tabd">TV <td class="tabd">request time (VMS format) <tr class="tabr backlight"> <td class="tabd">UA <td class="tabd">user agent <tr class="tabr"> <td class="tabd">VS <td class="tabd">virtual service (service host:port) <tr class="tabr backlight"> <td class="tabd">XX <td class="tabd">custom, usually site/client-specific, logging item<br> see module [SRC.HTTPD]LOGGING.C functions LoggingCustom..() </table> <a id="2.12.1.0.3" href="#"></a> <a id="2.12.1.aquot94quotfollowedby" href="#"></a> <a id="aquot94quotfollowedby" href="#"></a> <h5 class="head"><span class="text">A "^" followed by</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Character <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">0 <td class="tabd">a null character (used to define the empty field character) <tr class="tabr"> <td class="tabd">! <td class="tabd">insert an "!" <tr class="tabr backlight"> <td class="tabd">^ <td class="tabd">insert a "^" <tr class="tabr"> <td class="tabd">n <td class="tabd">insert a newline <tr class="tabr backlight"> <td class="tabd">q <td class="tabd">insert a quote (so that in DCL the quotes won't need escaping!) <tr class="tabr"> <td class="tabd">t <td class="tabd">insert a TAB </table> <p> Any other character is directly inserted into the log entry. 
<div class="note"> <a id="2.12.1.0.4" href="#"></a> <a id="2.12.1.quotpaquotandquotrqquot" href="#"></a> <a id="quotpaquotandquotrqquot" href="#"></a> <h5 class="head center"><span class="text">"PA" and "RQ"</span></h5> <hr class="note_hr"> The "PA" and "RQ" directives have distinct roles. In general the "RQ" (request) directive will always be used as this is the full request string; script component (if any), path string and query string component (if any). The "PA" directive is merely the path string after any script and query string components have been removed. <hr class="note_hr"> </div> <a id="2.12.1.0.5" href="#"></a> <a id="2.12.1.predefinedplususerdefined" href="#"></a> <a id="predefinedplususerdefined" href="#"></a> <h5 class="head"><span class="text">Pre-defined Plus User-Defined</span></h5> <p> It is possible to use one of the pre-defined log format keywords with additional user-defined directives appended. The appended directives must include ALL additional literal characters and directives required in the log entry. The syntax is &lt;pre-defined keyword&gt;+&lt;appended format&gt; as in "COMMON+ !EM". 
<a id="2.12.1.0.6" href="#"></a> <a id="2.12.1.examples" href="#"></a> <a id="examples" href="#"></a> <h5 class="head"><span class="text">Examples</span></h5> <ol class="list"> <li class="item"> The equivalent of the common log format is: <div class="blockof code">-!CN - !AU [!TC] q!RQq !RS !BY </div> <li class="item"> The combined log format could be specified as: <div class="blockof code">-!CN - !AU [!TC] q!RQq !RS !BY q!RFq q!UAq </div> <li class="item"> The <span class="high italic">O'Reilly WebSite</span> "windows log format" would be created by: <div class="blockof code">0!TCt!CAt!SNt!ARt!AUt!MEt!PAt!RQt!EMt!UAt!RSt!BBt </div> <li class="item"> The common log format with appended request duration in seconds could be provided using: <div class="blockof code">-!CN - !AU [!TC] q!RQq !RS !BY !ES </div> <li class="item"> Alternatively, to append the SSL protocol version and cipher with the combined format: <div class="blockof code">COMBINED+ !SV !CI </div> </ol> <a id="2.12.2" href="#"></a> <a id="2.12.2.logperperiod" href="#"></a> <a id="logperperiod" href="#"></a> <h3 class="head"><span class="numb">2.12.2</span><span class="text">Log Per-Period</span></h3> <p> The access log file may have a period specified against it, producing an automatic generation of log files based on that period. This allows logs to be systematically named, ordered and kept to a manageable size. This is also known as log rotation. The period specified can be one of <ul class="list list0"> <li class="item"> HOURLY <li class="item"> DAILY <li class="item"> weekly as … <br> MONDAY <br> TUESDAY <br> WEDNESDAY <br> THURSDAY <br> FRIDAY <br> SATURDAY <br> SUNDAY <li class="item"> MONTHLY </ul> <p> The log file changes on the first request after the entering of the new period. 
<p> When using a periodic log file, the file name specified by WASD_CONFIG_LOG or the configuration parameter [LogFile] is partially ignored, only partially because the directory component of it is used to locate the generated file name. The periodic log file name generated comprises <ul class="list list0"> <li class="item"> server host name <li class="item"> server port <li class="item"> year (YYYY) <li class="item"> month (MM) <li class="item"> day (DD) <li class="item"> hour (HH, only present when HOURLY period is configured) </ul> <p> as in the following example <div class="blockof code">WASD_LOGS:WASD_80_19971013_ACCESS.LOG </div> <p> For the daily period the date represents the request date. For the weekly period it is the date of the previous (or current) day specified. That is, if the request occurs on the Wednesday for a weekly period specified by Monday the log date shows the last Monday's. For the monthly period it uses the first. <a id="2.12.3" href="#"></a> <a id="2.12.3.logperservice" href="#"></a> <a id="logperservice" href="#"></a> <h3 class="head"><span class="numb">2.12.3</span><span class="text">Log Per-Service</span></h3> <p> By default a single access log file is created for each HTTP server process. Using the [LogPerService] configuration directive a log file for each service provided by the HTTPd is generated (<a class="link" href="#2.3.virtualservices">2.3 Virtual Services</a>). The [LogNaming] format can be any of "NAME" (default) which names the log file using the first period-delimited component of the IP host name, "HOST" (which uses as much of the IP host name as can be accommodated within the maximum 39 character filename limitation under ODS-2), or "ADDRESS" which uses the full IP host address in the name. Both HOST and ADDRESS have hyphens substituted for periods in the string. If these are specified then by default the service port follows the host name component. 
This may be suppressed using the [LogPerServiceHostOnly] directive, allowing a minimum extra 3 characters in the name, and combining entries for all ports associated with the host name (for example, a standard HTTP service on port 80 and an SSL service on port 443 would have entries in the one file). <a id="2.12.4" href="#"></a> <a id="2.12.4.logperinstance" href="#"></a> <a id="logperinstance" href="#"></a> <h3 class="head"><span class="numb">2.12.4</span><span class="text">Log Per-Instance</span></h3> <p> To reduce physical disk activity, and thereby significantly improve performance, the RMS characteristics of the logging stream are set to buffer records for as long as possible and only write to disk when buffer space is exhausted (a periodic flush ensures records from times of low activity are written to disk). However when multiple server processes (either in the case of multiple instances on a single node, single instance on each of multiple clustered nodes, or a combination of the two) have the same log files open for write then this buffering and deferred write-to-disk is disabled by RMS, which insists that all records must be flushed to disk for correct serialization and coherency. <p> This introduces measurable latency and a potentially significant bottleneck to high-demand processing. Note that it only becomes a real issue under load. Sites with a low load should not experience any impact. <p> Sites that may be affected by this issue can revert to the original buffered log stream by enabling the [LogPerInstance] configuration directive. This ensures that each log stream has only one writer by creating a unique log file for each instance process executing on the node and/or cluster. It does this by appending the node and process name to the file type. 
This would change the log name from something like <div class="blockof code">WASD_LOGS:131-185-250-202_80_ACCESS.LOG </div> to, in the case of a two-instance single node, <div class="blockof code">WASD_LOGS:131-185-250-202_80_ACCESS.LOG_KLAATU_HTTPD-80 WASD_LOGS:131-185-250-202_80_ACCESS.LOG_KLAATU_HTTPE-80 </div> <p> <span class="high bold">Of course the number-of and naming-of log files is beginning to become a little intimidating at this stage!</span> To assist with managing this seeming plethora of access log files there is the calogs utility, which allows multiple log files to be merged whilst keeping the records in timestamp order. <a id="2.12.5" href="#"></a> <a id="2.12.5.lognaming" href="#"></a> <a id="lognaming" href="#"></a> <h3 class="head"><span class="numb">2.12.5</span><span class="text">Log Naming</span></h3> <p> When per-period or per-service logging is enabled the access log file has a specific name generated. Part of this name is the host's name or IP address. By default the host name is used, however if the host IP address is specified the literal address is used, hyphens being substituted for the periods. 
Accepted values for the [LogNaming] configuration directive are: <ul class="list list0"> <li class="item"> ADDRESS <li class="item"> HOST <li class="item"> NAME (default) </ul> <p> Examples of generated per-service (non-per-period) log names: <div class="blockof code">WASD_LOGS:131-185-250-202_80_ACCESS.LOG WASD_LOGS:WWW-EXAMPLE-COM_80_ACCESS.LOG WASD_LOGS:WASD_80_ACCESS.LOG </div> <p> Examples of generated per-period (with/without per-service) log names: <div class="blockof code">WASD_LOGS:131-185-250-202_80_19971013_ACCESS.LOG WASD_LOGS:WWW-EXAMPLE-COM_80_19971013_ACCESS.LOG WASD_LOGS:WWW_80_19971013_ACCESS.LOG </div> <p> Examples of generated per-instance (per-service and per-period) log names: <div class="blockof code">WASD_LOGS:131-185-250-202_80_ACCESS.LOG_KLAATU_HTTPD-80 WASD_LOGS:WWW-EXAMPLE-COM_80_ACCESS.LOG_KLAATU_HTTPD-80 WASD_LOGS:WASD_80_ACCESS.LOG_KLAATU_HTTPD-80 WASD_LOGS:131-185-250-202_80_19971013_ACCESS.LOG_KLAATU_HTTPD-80 WASD_LOGS:WWW-EXAMPLE-COM_80_19971013_ACCESS.LOG_KLAATU_HTTPD-80 WASD_LOGS:WWW_80_19971013_ACCESS.LOG_KLAATU_HTTPD-80 </div> <a id="2.12.6" href="#"></a> <a id="2.12.6.accesstracking" href="#"></a> <a id="accesstracking" href="#"></a> <h3 class="head"><span class="numb">2.12.6</span><span class="text">Access Tracking</span></h3> <p> Access tracking has been obsoleted with WASD v11.0. <a id="2.12.7" href="#"></a> <a id="2.12.7.accessalert" href="#"></a> <a id="accessalert" href="#"></a> <h3 class="head"><span class="numb">2.12.7</span><span class="text">Access Alert</span></h3> <p> It is possible to mark a path as being of specific interest. When this is accessed by a request the server puts a message into the server process log and, perhaps of greater immediate utility, the increase in alert hits is detected by HTTPDMON, which (optionally) provides an audible alert allowing immediate attention. This is enabled on a per-path basis using the SET mapping rule. 
Variations on the basic rule allow some control over when the alert is generated. <ul class="list simple list0"> <li class="item"> ALERT – at the conclusion of the request <li class="item"> ALERT=MAP – immediately after mapping (early) <li class="item"> ALERT=AUTH – when (any) authorization has been performed <li class="item"> ALERT=END – at the conclusion of the request (default) <li class="item"> ALERT=<span class="high italic">integer</span> – see below <li class="item"> NOALERT – suppress alert for this path </ul> <p> The special case ALERT=<span class="high italic">integer</span> allows a path to be alerted if the final response HTTP status is the same as the integer specified (e.g. 501, 404) or within the category specified (599, 499). <!-- source:0500_SECURITY.WASDOC --> <hr class="page"> <a id="3." href="#"></a> <a id="3.securityconsiderations" href="#"></a> <a id="securityconsiderations" href="#"></a> <h1 class="head"><span class="numb">3.</span><span class="text">Security Considerations</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#3.1.serverandsitetesting"><span class="numb">3.1</span><span class="text">Server and Site Testing</span></a> <tr><td><a href="#3.2.recommendedpackagesecurity"><span class="numb">3.2</span><span class="text">Recommended Package Security</span></a> <tr><td><a href="#3.3.maintainingpackagesecurity"><span class="numb">3.3</span><span class="text">Maintaining Package Security</span></a> <tr><td><a href="#3.4.independentpackageandlocalresources"><span class="numb">3.4</span><span class="text">Independent Package and Local Resources</span></a> <tr><td><a href="#3.5.configuration"><span class="numb">3.5</span><span class="text">Configuration</span></a> <tr><td><a href="#3.5.1.directorylistings"><span class="numb">3.5.1</span><span class="text">Directory Listings</span></a> <tr><td><a href="#3.5.2.serverreports"><span class="numb">3.5.2</span><span class="text">Server Reports</span></a> <tr><td><a 
href="#3.5.3.scripting"><span class="numb">3.5.3</span><span class="text">Scripting</span></a> <tr><td><a href="#3.5.4.serversideincludes"><span class="numb">3.5.4</span><span class="text">Server Side Includes</span></a> <tr><td><a href="#3.6.scripting"><span class="numb">3.6</span><span class="text">Scripting</span></a> <tr><td><a href="#3.7.authorization"><span class="numb">3.7</span><span class="text">Authorization</span></a> <tr><td><a href="#3.8.miscellaneousissues"><span class="numb">3.8</span><span class="text">Miscellaneous Issues</span></a> <tr><td><a href="#3.9.siteattacks"><span class="numb">3.9</span><span class="text">Site Attacks</span></a> <tr><td><a href="#3.10.contentsecuritypolicycsp"><span class="numb">3.10</span><span class="text">Content Security Policy (CSP)</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#2.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#4.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> This section does not pretend to be a complete guide to keeping the "bad guys" out. It does provide a short guide to making a site more-or-less liberal in the way the server supplies information about the site and itself. The reader is also strongly recommended to a number of hard copy and Web based resources on this topic. <p> The WASD package had its genesis in making the VMS operating system and associated resources, in a development environment, available via Web technology. For this reason configurations can be made fairly liberal, providing information of use in a technical environment, but that may be superfluous or less-than-desirable in other, possibly commercial environments. For instance, directory listings can contain VMS file system META information, error reports can be generated with similar references along with reporting source code module and line information. 
<p> The example configuration files contain a fairly restrictive set of directives. When relaxing these recommendations keep in mind that the more information that is available about the underlying structure of the site, the more potential there is for subversion. Do not enable functionality that contributes nothing to the fundamental usefulness of the site, or that has the real potential to compromise any given site. This section refers to configuration directives discussed in more detail in later chapters. <p> It is established wisdom that the only secure computing system is one with no users and no access, that system security is inversely proportional to system usability, and that making something idiot-proof results in only idiots using it. So there are some trade-offs but … <div class="note"> <a id="3.0.0.0.1" href="#"></a> <a id="3.dontthinkitcanthappentoyou" href="#"></a> <a id="dontthinkitcanthappentoyou" href="#"></a> <h5 class="head center"><span class="text">don't think it can't happen to you!</span></h5> <hr class="note_hr"> A systematic investigation of installed WASD packages by well-known IT professional Jean-loup Gailly during September 2002 revealed a couple of significant implementation flaws which, compounded by notable instances of sloppy management practices on two public sites, resulted in site compromise (one was mine). <p class="indent"> <a class="link blank" target="_blank" href="/wasd_root/doc/misc/wasd_advisory_020925.txt">WASD_ROOT:[WASDOC.MISC]WASD_ADVISORY_020925.TXT</a> <br> <a class="link blank" target="_blank" href="https://www.cvedetails.com/cve/CVE-2002-1825">https://www.cvedetails.com/cve/CVE-2002-1825</a> <p> This research has resulted in these server flaws being closed and package security considerations being extensively reviewed. As a result WASD v8.1 was much more resistant to such penetration than previous releases (and slightly less easy to use, but that's one of those trade-offs). 
My assessment would be that if Gailly did not find it then it wasn't there to find! <p> Of course any given site's security is a function of the underlying package's security profile, with the site's implementation of that, AND other considerations such as local authorization and script implementations. Pay particular and ongoing attention to site security and integrity. <hr class="note_hr"> </div> <a id="3.1" href="#"></a> <a id="3.1.serverandsitetesting" href="#"></a> <a id="serverandsitetesting" href="#"></a> <h2 class="head"><span class="numb">3.1</span><span class="text">Server and Site Testing</span></h2> <p> This is the merest of mentions for a topic that literally encompasses volumes! <p> Each site is very-much an individual combination of configurations and applications. Each site therefore has specific potential vulnerabilities that should be known about and addressed where possible. Especially if you have an Internet-facing site then <span class="high bold">this means you!</span> <p> Many tools exist at the time of writing that didn't fifteen years before when WASD was investigated as described above. Some are on-line, "free" site health checks and penetration testing. Others are tools that can (often) be used from your platform of choice, many of which are free and open-source (FOSS). We are spoiled for choice. <p> In WASD's earlier years tools such as <span class="high italic">Apache Bench</span>, <span class="high italic">WASD Bench</span>, along with batched <span class="high italic">cURL</span> and <span class="high italic">wget</span> requests were used to exercise and, in some limited fashion, <span class="high italic">fuzz</span> the server (providing invalid, unexpected, or random request data) in an effort to discover flaws in server code and execution. <p> Currently the WASD development bench uses the OWASP ZAP tool to provide a much more comprehensive exercise and test environment. 
<div class="note"> <a id="3.1.0.0.1" href="#"></a> <a id="3.1.owaspzap" href="#"></a> <a id="owaspzap" href="#"></a> <h5 class="head center"><span class="text">OWASP ZAP</span></h5> <hr class="note_hr"> "Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible. <br>…<br> ZAP provides functionality for a range of skill levels from developers, to testers new to security testing, to security testing specialists. ZAP has versions for each major OS and Docker, so you are not tied to a single OS. Additional functionality is freely available from a variety of add-ons in the ZAP Marketplace, accessible from within the ZAP client." <p class="indent"> <a class="link blank" target="_blank" href="https://www.zaproxy.org">https://www.zaproxy.org</a> <hr class="note_hr"> </div> <p> ZAP is cross-platform (Linux, macOS, Windows, other), GUI-based, Java-implemented, and may be used effectively, though certainly not to its full capabilities, after fifteen minutes with the introductory documentation. <span class="high bold">ZAP is a highly recommended tool for site vulnerability assessment.</span> <p> ZAP is used to exercise the in-development WASD, in particular the following aspects (not in any particular order). <ul class="list"> <li class="item"> <span class="high bold">Traffic Loading – </span> server behaviour under load; continuing to process correctly while not exhibiting bottlenecks in performance, or worse, failing with soft (internal assertion checking) or hard (e.g. ACCVIO) bugchecks. Latency in AST-based processing often reveals subtle dependencies, race conditions, or other timing-related issues. ZAP allows a configurable number of concurrent requests when both spidering and vulnerability scanning. 
<li class="item"> <span class="high bold">Graded Alerts – </span> reports and counts of known attack vectors or general recommendations after spidering or penetration scans. These are flagged as high, medium or low risk, provide descriptions with references, and a quick overview of mitigation strategies. Each instance encountered during the scan has the request-response data available for analysis allowing specific cases to be identified and mitigated. <li class="item"> <span class="high bold">Directory Traversal – </span> (also known as path traversal) aims to access files and directories that are stored outside the server root, web root or web application folders. By manipulating data that reference files with <span class="high italic">dot-dot-slash</span> (../) sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored in the server or general file system. <li class="item"> <span class="high bold">Data Injection – </span> covers a variety of attacks where request parameters are used to execute (CLI) commands, SQL queries, interpreted script code (e.g. JavaScript, PHP), or platform-executable binary code. Injecting encoded or obscured data into an HTTP request via the query-string or header field values is a common vector. Lack of appropriate data validation underlies injection vulnerability. <li class="item"> <span class="high bold">Buffer Overflow – </span> the overwriting of memory fragments of the process, which should never be modified intentionally or unintentionally. HTTP requests with unusually large or otherwise unintended header field values, or web application input fields designed for small, fixed-length, or specific type data are obvious targets. Fuzzing requests can often induce this. 
<li class="item"> <span class="high bold">Request Fuzzing – </span> where malformed or spurious data is automatically generated and injected into the processing in an effort to induce unexpected behaviour or failure. In web environments this can include the HTTP protocol itself, the specific implementation of some capability of the server, and any scripting environment or web application hosted on a server. <li class="item"> <span class="high bold">Cross Site Scripting – </span> where a malicious web element such as JavaScript, HTML, or other browser-side code is injected into otherwise benign and trusted web content from a non-same-origin, third-party source. </ul> <p> It should be noted that these are provided "out-of-the-box", are a subset of that <span class="high italic">out-of-the-box</span> functionality of particular interest in WASD development, and utilise only a tiny percentage of ZAP's total capabilities. <a id="3.1.0.0.2" href="#"></a> <a id="3.1.zapandhttp2" href="#"></a> <a id="zapandhttp2" href="#"></a> <h5 class="head"><span class="text">ZAP and HTTP/2</span></h5> <p> At the time of writing, OWASP ZAP does not support the HTTP/2 protocol. The solution for exercising WASD is to use the <span class="high italic">nghttpx</span> proxy utility. <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttpx.1.html">https://nghttp2.org/documentation/nghttpx.1.html</a> <li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttpx-howto.html">https://nghttp2.org/documentation/nghttpx-howto.html</a> </ul> <p> It can be configured to accept HTTP and HTTPS connections at the front end (ZAP) and convert HTTP/1.1 requests to HTTP/2 requests at the back end (WASD). 
This introduces a proxy like this: <div class="drawing dfont draw indent"> <style> .dhflip { display:inline-block;transform:rotate(180deg); } .dvflip { display:inline-block;transform:rotate(-180deg); } .dnoflip { display:inline-block;transform:rotate(360deg); } .dfont { font-family:monospace;font-size:1em;line-height:0.9em;line-spacing:0em; } </style> ┌───────────┐ ┌────────────┐ ┌────────────┐<br> │ │ │ │ │ │<br> │ OWASP ZAP │<span class="dnoflip">◄</span>──HTTP/1.1──<span class="dhflip">◄</span>│ nghttpx │<span class="dnoflip">◄</span>───HTTP/2───<span class="dhflip">◄</span>│ WASD │<br> │ │ │ │ │ │<br> └───────────┘ └────────────┘ └────────────┘<br> </div> <p> ZAP and <span class="high italic">nghttpx</span> can be run on the same or independent systems. <p> On a suitable platform (Linux, macOS, MS Windows – not ported to VMS) use this at the command-line. <div class="blockof code">nghttpx --frontend '0.0.0.0,<span class="high italic">port</span>;no-tls' \ --backend '<span class="high italic">WASD-server</span>,443;;tls;proto=h2' --insecure \ --workers=<span class="high italic">integer</span> --backend-http2-max-concurrent-streams=<span class="high italic">integer</span> </div> <p> Where 0.0.0.0 is any address on the <span class="high italic">nghttpx</span> platform and <span class="high italic">port</span> the IP port on that platform ZAP will connect to. The <span class="high italic">WASD-server</span> is the host name or address of the WASD system with port the usual 443. The workers integer is the number of threads used on the platform, with the maximum number of HTTP/2 back end connections maintained to the WASD system. The number of concurrent requests is determined by ZAP concurrency. <p> Note that the <span class="high italic">no-tls</span> front end accepts unencrypted HTTP on every address of the <span class="high italic">nghttpx</span> platform, and --insecure disables verification of the WASD server certificate on the back end connection, so this arrangement belongs on a test network. 
<p> For example: <div class="blockof code">nghttpx --frontend '0.0.0.0,1280;no-tls' \ --backend 'klaatu.private,443;;tls;proto=h2' --insecure \ --workers=5 --backend-http2-max-concurrent-streams=5 </div> <a id="3.2" href="#"></a> <a id="3.2.recommendedpackagesecurity" href="#"></a> <a id="recommendedpackagesecurity" href="#"></a> <h2 class="head"><span class="numb">3.2</span><span class="text">Recommended Package Security</span></h2> <p> The following table provides recommended file protection settings for package top-level directories. Subdirectories share their parents' settings. The package tree is owned by the SYSTEM account. Directories with world READ access have no ACLs. Other directories, not accessible to the world, but sometimes having other degrees of access to one or more accounts, always have rights identifiers (see below) and associated ACLs to control directory access, and to propagate required access to files created beneath them. The server selectively enables SYSPRV to provide access to some of these areas (e.g. for log creation). <p> Some pre-v8.1 directories are not included in this table. These are not significant in versions from 8.1 onwards and may be deleted. They can continue to exist however and the security procedures described below ensure that they comply with the general post-8.1 security model. The file access permissions indicated below are for directory contents. The directory files themselves have settings appropriate for content access. 
<a id="3.2.0.0.1" href="#"></a> <a id="3.2.packageaccess" href="#"></a> <a id="packageaccess" href="#"></a> <h5 class="head"><span class="text">Package Access</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Directory <th class="tabh">Access<br>World <th class="tabh">Access<br>Other <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[AXP-BIN]</span> <td class="tabd">none <td class="tabd">script:RE <td class="tabd">Alpha executable script files <tr class="tabr"> <td class="tabd"><span class="high monosp">[AXP]</span> <td class="tabd">none <td class="tabd">none <td class="tabd">Alpha build and utility area <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[CGI-BIN]</span> <td class="tabd">none <td class="tabd">script:RE <td class="tabd">architecture-neutral script files <tr class="tabr"> <td class="tabd"><span class="high monosp">[EXAMPLE]</span> <td class="tabd">read <td class="tabd">(world) <td class="tabd">package examples <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[EXERCISE]</span> <td class="tabd">read <td class="tabd">(world) <td class="tabd">package test files <tr class="tabr"> <td class="tabd"><span class="high monosp">[HTTP$NOBODY]</span> <td class="tabd">none <td class="tabd">script:RWED <td class="tabd">scripting account default home area <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[HTTP$SERVER]</span> <td class="tabd">none <td class="tabd">server:RWED <td class="tabd">server account default home area <tr class="tabr"> <td class="tabd"><span class="high monosp">[IA64-BIN]</span> <td class="tabd">none <td class="tabd">script:RE <td class="tabd">Itanium executable script files <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[IA64]</span> <td class="tabd">none <td class="tabd">none <td class="tabd">Itanium build and utility area <tr class="tabr"> <td class="tabd"><span 
class="high monosp">[INSTALL]</span> <td class="tabd">read <td class="tabd">(world) <td class="tabd">installation, update and secuity procedures <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[LOCAL]</span> <td class="tabd">none <td class="tabd">none <td class="tabd">site configuration files <tr class="tabr"> <td class="tabd"><span class="high monosp">[LOG]</span> <td class="tabd">none <td class="tabd">none <td class="tabd">site access logs <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[LOG_SERVER]</span> <td class="tabd">none <td class="tabd">server:RWED <td class="tabd">server process (SYS$OUTPUT) logs <tr class="tabr"> <td class="tabd"><span class="high monosp">[RUNTIME]</span> <td class="tabd">read <td class="tabd">(world) <td class="tabd">graphics, help files, etc. <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[SCRATCH]</span> <td class="tabd">none <td class="tabd">script:RWED <td class="tabd">working file space for scripts <tr class="tabr"> <td class="tabd"><span class="high monosp">[SCRIPT]</span> <td class="tabd">none <td class="tabd">none <td class="tabd">example architecture-neutral scripts <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[SRC]</span> <td class="tabd">none <td class="tabd">(world) <td class="tabd">package source files <tr class="tabr"> <td class="tabd"><span class="high monosp">[STARTUP]</span> <td class="tabd">none <td class="tabd">server:RE <td class="tabd">package startup procedures <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[X86_64-BIN]</span> <td class="tabd">none <td class="tabd">script:RE <td class="tabd">x86-64 executable script files <tr class="tabr"> <td class="tabd"><span class="high monosp">[X86_64]</span> <td class="tabd">none <td class="tabd">none <td class="tabd">x86-64 build and utility area <tr class="tabr backlight"> <td class="tabd"><span class="high monosp">[WASDOC]</span> <td class="tabd">read 
<td class="tabd">(world) <td class="tabd">package documentation </table> <p> It is recommended that site-specific directories have settings applied appropriate to their function in comparison to similar package directories. See below for tools to assist in this. <p> Three rights identifiers provide selective access control to the directory tree. Identifiers were used to allow maximum flexibility for a site in allowing required accounts access to either execute the server or execute scripts. Non-default account names only need to be granted one of these identifiers to be provided with that role's access. Installation, update and/or security utilities create and maintain these identifiers appropriately. <a id="3.2.0.0.2" href="#"></a> <a id="3.2.rightsidentifiers" href="#"></a> <a id="rightsidentifiers" href="#"></a> <h5 class="head"><span class="text">Rights Identifiers</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Identifier <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">WASD_HTTP_SERVER <td class="tabd">Indicates the default server account. <tr class="tabr"> <td class="tabd">WASD_HTTP_NOBODY <td class="tabd">Indicates the default scripting account. <tr class="tabr"> <td class="tabd">WASD_IGNORE_THIS <td class="tabd">Looked for by the SECHAN utility to avoid it changing security on site-specific files. </table> <p> These rights identifiers are applied to directories and files to provide the required level of access. The following example shows the security setting of the top-level CGI-BIN.DIR and one of its content files. 
<div class="blockof code">$ DIRECTORY /SECURITY CGI-BIN.DIR Directory WASD_ROOT:[000000] CGI-BIN.DIR;1 [SYSTEM] (RWED,RWED,,) (IDENTIFIER=WASD_HTTP_SERVER,ACCESS=EXECUTE) (IDENTIFIER=WASD_HTTP_NOBODY,ACCESS=EXECUTE) (IDENTIFIER=*,ACCESS=NONE) (IDENTIFIER=WASD_HTTP_NOBODY,OPTIONS=DEFAULT,ACCESS=READ+EXECUTE) (IDENTIFIER=*,OPTIONS=DEFAULT,ACCESS=NONE) (DEFAULT_PROTECTION,SYSTEM:RWED,OWNER:RWED,GROUP:,WORLD:) Total of 1 file. $ DIRECTORY /SECURITY [CGI-BIN]CGI_SYMBOLS.COM Directory WASD_ROOT:[CGI-BIN] CGI_SYMBOLS.COM;1 [SYSTEM] (RWED,RWED,,) (IDENTIFIER=WASD_HTTP_NOBODY,ACCESS=READ+EXECUTE) (IDENTIFIER=*,ACCESS=NONE) Total of 1 file. </div> <a id="3.3" href="#"></a> <a id="3.3.maintainingpackagesecurity" href="#"></a> <a id="maintainingpackagesecurity" href="#"></a> <h2 class="head"><span class="numb">3.3</span><span class="text">Maintaining Package Security</span></h2> <p> As noted above, WASD version 8.1 and later is much more conservative in what it makes generally available from the package tree, and a site administrator now has to take extraordinary measures to open up certain sections, making it a much more difficult and deliberate action. The package installation, update and security procedures and their associated utilities should always be used to ensure that the installed package continues to conform to the security baseline. <p> Package security may be "refreshed" or reapplied at any time, and this should be done periodically to ensure that an installed package has not inadvertently been opened to access where it shouldn't have. Of course this is not a guarantee that any given site is secure. Site security is a function of many factors: package vulnerabilities, site configuration, deployed scripts, cracker determination and expertise, etc., etc. What refreshing the security baseline does is provide a known secure (and WASD-community scrutinized) starting point. It should be used as part of a well considered site security maintenance program. 
<a id="3.3.0.0.1" href="#"></a> <a id="3.3.securecom" href="#"></a> <a id="securecom" href="#"></a> <h5 class="head"><span class="text">SECURE.COM</span></h5> <p> The following DCL procedure resets the package security baseline. <div class="blockof code">$ @WASD_ROOT:[INSTALL]SECURE.COM </div> <p> It guides the administrator through a number of stages <ul class="list list0"> <li class="item"> introductory notes <li class="item"> server account <li class="item"> scripting account <li class="item"> package tree security settings </ul> <p> of which each one may be declined. After all of these steps it searches for and executes if found the DCL procedure WASD_ROOT:[INSTALL]SECURE.COM. The intent of this file is to allow a site to automatically update any site-specific security settings (and of course modify any set by the main procedure). <a id="3.3.0.0.2" href="#"></a> <a id="3.3.sechanutility" href="#"></a> <a id="sechanutility" href="#"></a> <h5 class="head"><span class="text">SECHAN Utility</span></h5> <p> The SECHAN utility (pronounced "session") is used by SECURE.COM and the associated procedures to make file system security settings. It is also available for direct use by the site administrator. <p> One of the more useful functions of SECHAN is applied using the /IGNORE qualifier. <ul class="list"> <li class="item"> <span class="high bold">IGNORE – </span> adds an ACE containing the rights identifier WASD_IGNORE_THIS to the target file(s) which results in security settings not being applied in the future. When applying settings the SECHAN utility first checks whether a file has this ACE and if so ignores the file. This is an effective method for isolating site-specific settings from changes by this utility. 
<div class="blockof code">$ SECHAN /IGNORE WASD_ROOT:[CGI-BIN]MY_SCRIPT.COM $ SECHAN /IGNORE WASD_ROOT:[LOCAL]*.DAT $ SECHAN /IGNORE WEB:[DATA...]*.* $ SECHAN /IGNORE WEB:[000000]DATA.DIR </div> <p> This ACE can be removed from a file (leaving other entries of any ACL intact) using the /NOIGNORE qualifier. This returns the file(s) subject again to the SECHAN utility. <div class="blockof code">$ SECHAN /NOIGNORE WASD_ROOT:[CGI-BIN]MY_SCRIPT.COM $ SECHAN /NOIGNORE WASD_ROOT:[LOCAL]*.DAT </div> <li class="item"> <span class="high bold">ALL – </span> overrides the default behaviour of ignoring files that have been tagged using the /IGNORE qualifier. It causes the setting to be applied to ALL files. </ul> <p> Other functionality may prove useful when applied to local parts of the package or web structure. <ul class="list"> <li class="item"> <span class="high bold">PACKAGE – </span> used alone this qualifier results in the entire WASD_ROOT:[000000...] tree being traversed and the default package security settings applied to all package files. Top-level directories that the utility does not recognise as belonging to the package are ignored. <div class="blockof code">$ SECHAN /PACKAGE $ SECHAN /PACKAGE /ALL </div> <li class="item"> <span class="high bold">ASIF=<name> – </span> set the supplied file specification as if it was the specified, top-level WASD directory. This allows a site-specific directory to have the same security settings applied as the specified WASD package directory. <div class="blockof code">$ SECHAN /ASIF=LOCAL WEB:[DATA...]*.* $ SECHAN /ASIF=LOCAL WEB:[000000]DATA.DIR $ SECHAN /ASIF=CGI-BIN WEB:[SCRIPTS]*.* $ SECHAN /ASIF=CGI-BIN WEB:[000000]SCRIPTS.DIR $ SECHAN /ASIF=DOC WEB:[HTML...]*.* $ SECHAN /ASIF=DOC WEB:[000000]HTML.DIR </div> <li class="item"> <span class="high bold">NOSCRIPT – </span> modifies the default behaviour of the /PACKAGE qualifier. 
This changes the default rights identifiers applied to ACEs on files in the [CGI-BIN] and [AXP-BIN]/[IA64-BIN]/[X86_64-BIN] directories to disallow scripting until manually changed by site administration. <div class="blockof code">$ SECHAN /PACKAGE /NOSCRIPT </div> </ul> <p> This section provides only a basic description. More detail may be found in the prologue to the source code. <a id="3.4" href="#"></a> <a id="3.4.independentpackageandlocalresources" href="#"></a> <a id="independentpackageandlocalresources" href="#"></a> <h2 class="head"><span class="numb">3.4</span><span class="text">Independent Package and Local Resources</span></h2> <p> Not only does it make it easier to manage site content but is also good security practice to keep server package and site content completely separate (<a class="link" href="#2.2.siteorganisation">2.2 Site Organisation</a>). <p> This can also be applied to scripts, both source and build areas. Keep your business logic out of the package source tree and potentially prying eyes. The script executables themselves <span class="high italic">can</span> be placed into the package scripting directories but should be built independently from these and copied using locally maintained DCL procedures from build into scripting areas (the WASD_ROOT:[INSTALL]SECURE.COM procedures described above may be useful here). <a id="3.5" href="#"></a> <a id="3.5.configuration" href="#"></a> <a id="configuration" href="#"></a> <h2 class="head"><span class="numb">3.5</span><span class="text">Configuration</span></h2> <p> Various configuration and mapping directives can be used to make the site environment more or less liberal in the information it implicitly can provide. 
<a id="3.5.1" href="#"></a> <a id="3.5.1.directorylistings" href="#"></a> <a id="directorylistings" href="#"></a> <h3 class="head"><span class="numb">3.5.1</span><span class="text">Directory Listings</span></h3> <p> Published guidelines for securing a Web site generally advise against automatic directory listing generation. Where a home page is not available this may leak information on other directory contents, provide parent and child directory access, etc. Compounding this is the WASD facility to <span class="high italic">force</span> a listing by providing a directory URL with file wildcards (not to decry the usefulness in some environments). <ul class="list"> <li class="item"> <span class="high bold">[DirAccess] – </span> make "disabled" to completely remove the ability to generate directory listings under any circumstances. Setting to "selective" means a directory listing is <span class="high bold">only</span> available if the directory contains a file named .WWW_BROWSABLE. When made "enabled" a directory listing may be produced anytime it contains no home (welcome) page. <li class="item"> <span class="high bold">[DirWildcard] – </span> make "disabled" so that requests cannot <span class="high bold">force</span> a directory listing by supplying a URL containing a wildcard file part (when enabled this is provided regardless of whether a home page exists or not). <li class="item"> <span class="high bold">[DirMetaInfo] – </span> make "disabled" to prevent directory listing pages containing, as HTML <META> tags, information about the directory, most significantly the VMS file specification for the URL path! </ul> <p> The mapping rule "SET DIR=<span class="high italic">keyword</span>" can be used to change this on a per-path basis (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). 
<p> <span class="high bold">Conservative recommendation: </span> Set "[DirAccess] selective" allowing listing for directories containing a file named ".WWW_BROWSABLE", disable [DirMetaInfo] and [DirWildcard]. <a id="3.5.2" href="#"></a> <a id="3.5.2.serverreports" href="#"></a> <a id="serverreports" href="#"></a> <h3 class="head"><span class="numb">3.5.2</span><span class="text">Server Reports</span></h3> <p> Reports are pages generated by the server, usually to indicate an error or other non-success condition, but sometimes to indicate success (e.g. after a successful file upload). Reports provide either basic or detailed information about the situation. Sometimes the detailed information includes VMS file system details, system status codes etc. To limit this information to a minimum indication adjust the following directives. <ul class="list"> <li class="item"> <span class="high bold">[ReportBasicOnly] – </span> make "enabled" to limit the quantity of information to the minimum required to advise of the situation. Such reports give only the HTTP status code and brief explanation of the code's meaning. Note that this can also be done on a per-path basis using mapping rules. <li class="item"> <span class="high bold">[ReportMetaInfo] – </span> make "disabled" to exclude information on the server software, source code module and line number initiating the report. META information may also contain VMS file or system specific information. <li class="item"> <span class="high bold">[ServerSignature] – </span> make "disabled" to prevent the inclusion of server software, host and port information as a footer to a report. </ul> <p> The mapping rule "SET REPORT=<span class="high italic">keyword</span>" can be used to change some of these on a per-path basis (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). 
<p> <span class="high bold">Conservative recommendation: </span> Provide minimal error information by enabling [ReportBasicOnly] and disabling [ReportMetaInfo]. Enable [ServerSignature] to provide a slightly more friendly report (server software can easily be obtained from the response header anyway). <a id="3.5.3" href="#"></a> <a id="3.5.3.scripting" href="#"></a> <a id="scripting" href="#"></a> <h3 class="head"><span class="numb">3.5.3</span><span class="text">Scripting</span></h3> <p> If a static site is all that's required this source of compromise can simply be avoided. <ul class="list"> <li class="item"> <span class="high bold">[Scripting] – </span> setting this to "disabled" prevents all scripting entirely. This includes DCL CGI and CGIplus, DECnet-based OSU and CGI, and SSI DCL (<--#dcl -->, <--#exec -->, etc.). </ul> <p> <span class="high bold">Conservative recommendation: </span> Only deploy scripts your site will actually be using. Remove all the files associated with any other scripts. Do not allow obsolete script environments to remain active. Be proactive. <p> Also see <a class="link" href="#3.5.4.securingscripting">‘Securing Scripting’ in 3.5.4 Server Side Includes</a>. <a id="3.5.4" href="#"></a> <a id="3.5.4.serversideincludes" href="#"></a> <a id="serversideincludes" href="#"></a> <h3 class="head"><span class="numb">3.5.4</span><span class="text">Server Side Includes</span></h3> <p> SSI documents are pages containing special markup directives interpreted by the server and replaced with dynamic content. This can include detail about the server, the file or files making up the document, and can even include DCL commands and procedure activation for supplying content into the page. All this by anyone who can author on the site. <ul class="list"> <li class="item"> <span class="high bold">[SSI] – </span> setting this to "disabled" prevents all Server Side Include processing completely. 
<li class="item"> <span class="high bold">[SSIexec] – </span> setting this to "disabled" disallows pages from invoking DCL to supply content for the page. WASD provides a number of levels of this and the reader is referred elsewhere in this and other documents for further information on what can and cannot be done, and by whom, in these processes. </ul> <p> The mapping rule "SET SSI=<span class="high italic">keyword</span>" can be used to change some of this on a per-path basis (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). <p> <span class="high bold">Conservative recommendation: </span> Disable [SsiExec]. <a id="3.5.4.0.0.1" href="#"></a> <a id="3.5.4.securingscripting" href="#"></a> <a id="securingscripting" href="#"></a> <h6 class="head display0"><span class="text">Securing Scripting</span></h6> <a id="3.6" href="#"></a> <a id="3.6.scripting" href="#"></a> <a id="scripting" href="#"></a> <h2 class="head"><span class="numb">3.6</span><span class="text">Scripting</span></h2> <p> Scripting has been a notorious source of server compromise, particularly within Unix environments where script process shell command-line issues require special attention. The WASD CGI scripting interface does not pass any arguments on the command line, and is careful not to allow substitution when constructing the CGI environment. Nevertheless, script behaviours cannot be guaranteed and care should be exercised in their deployment (ask me!) <p> It is strongly recommended to execute scripts in an account distinct from that executing the server. This should also mean that the accounts are not members of the same group nor should it be a member of any other group. This minimises the risk of both unintentional and malicious interference with server operation through either Inter-Process Communication (IPC) or scripts manipulating files used by the server. The PERSONA facility can be used to further differentiate script activities. See "Scripting Overview" for further detail. 
<p> The default WASD installation creates two such accounts, with distinct UICs, usernames and home directory space. Nothing should be assumed or read into the scripting account username - it's just a username. <a id="3.6.0.0.1" href="#"></a> <a id="3.6.defaultaccounts" href="#"></a> <a id="defaultaccounts" href="#"></a> <h5 class="head"><span class="text">Default Accounts</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Username <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">HTTP$SERVER <td class="tabd">Server Account <tr class="tabr"> <td class="tabd">HTTP$NOBODY <td class="tabd">Scripting Account </table> <p> During startup the server checks for the existence of the default scripting account and automatically configures itself to use this for scripting. If it is not present it falls-back to using the server account. Other account names can be used if the startup procedures are modified accordingly. The default scripting username may be overridden using the /SCRIPT=AS=<username> qualifier (also see the "Scripting Overview"). <a id="3.6.0.0.1.1" href="#"></a> <a id="3.6.securingauthorisation" href="#"></a> <a id="securingauthorisation" href="#"></a> <h6 class="head display0"><span class="text">Securing Authorisation</span></h6> <a id="3.7" href="#"></a> <a id="3.7.authorization" href="#"></a> <a id="authorization" href="#"></a> <h2 class="head"><span class="numb">3.7</span><span class="text">Authorization</span></h2> <p> Authorization issues imply controlling access to various resources and actions and therefore require careful planning and implementation if compromise is to be avoided. WASD has a quite capable and versatile authorization and authentication environment, with a significant number of considerations. <p> WASD authorization cannot be enabled without the administrator configuring at least three resources, and so therefore cannot easily be "accidentally" activated. 
One of these is the addition of a startup qualifier controlling where authentication information may be sourced. Another is the server configuration file. The third is mapping paths against authorization configuration. <p> For sites that may be particularly sensitive about inadvertent access to some resources it is possible to use the authorization configuration file as a type of <span class="high italic">cross-check</span> on the mapping configuration file. The server /AUTHORIZATION=ALL startup qualifier forces all access to be authorized (even if some are marked "none"). This means that if something "escapes" via the mapping file it will very likely be "caught" by an absence in the authorization file. <a id="3.8" href="#"></a> <a id="3.8.miscellaneousissues" href="#"></a> <a id="miscellaneousissues" href="#"></a> <h2 class="head"><span class="numb">3.8</span><span class="text">Miscellaneous Issues</span></h2> <p> Although it is of limited usefulness, because server identity may be deduced from behaviour and other indicators, the exact server and version may be obscured by using the otherwise undocumented /SOFTWARE= qualifier to change the server identification string to (basically) whatever the administrator desires. This identification is included as part of all HTTP response headers. <p> Historically and by default server configuration and authorization sources are contained within the server package tree. There is no reason why they cannot be located anywhere the site prefers. Generally all that is required is a change to logical name definition and server startup. <a id="3.8.0.0.1" href="#"></a> <a id="3.8.packagetree" href="#"></a> <a id="packagetree" href="#"></a> <h5 class="head"><span class="text">Package Tree</span></h5> <p> Version 8.1 and later is much more conservative in what it makes available of the package tree via the server. 
The package installation, update and security procedures and their associated utilities should always be used to ensure that the installed package continues to conform to the security baseline. See <a class="link" href="#3.3.maintainingpackagesecurity">3.3 Maintaining Package Security</a>. <p> Furthermore, with many sites there may be little need to access the full, or any of the WASD package tree. A combination of mapping and/or authorization rules can relatively simply block or control access to it. These examples can be easily tailored to suit a site's specific requirements. <p> This example shows blocking all access to the /wasd_root/ tree, except for documentation, source code, examples and exercise (performance results) areas. <div class="blockof code"># WASD_CONFIG_MAP pass /wasd_root/doc/* pass /wasd_root/src/* pass /wasd_root/example/* pass /wasd_root/exercise/* fail /wasd_root/* </div> <p> The next example forbids all access to the package tree unless authorized (the authorization detail would vary according to the site). It also allows modify access for the Server Administration page and to the /wasd_root/local/ area. <div class="blockof code"># WASD_CONFIG_MAP pass /wasd_root/* # WASD_CONFIG_AUTH [WASD_WEB_ADMIN=id] /httpd/-/admin/* r+w /wasd_root/local/* r+w /wasd_root/* r </div> <div class="note"> <a id="3.8.0.0.2" href="#"></a> <a id="3.8.becareful" href="#"></a> <a id="becareful" href="#"></a> <h5 class="head center"><span class="text">Be careful!</span></h5> <hr class="note_hr"> There are often multiple paths to a single resource. For instance, it is of little significance blocking access to say /wasd_root/doc/ if it's also possible to access it via /doc/. <hr class="note_hr"> </div> <p> The following example shows how this might occur. 
<div class="blockof code"># WASD_CONFIG_MAP fail /wasd_root/doc/* pass /* /wasd_root/* </div> <p> Authorization rules can be used to effectively block access to any VMS file specification (it cannot be done during mapping because the translation from path to file system is not performed until mapping is complete). <div class="blockof code"># WASD_CONFIG_AUTH if (path-translated:WASD_ROOT:[DOC]*) * none </div> <p> or to selectively allow access <div class="blockof code"># WASD_CONFIG_AUTH [[WASD_VMS_RW=id]] if (path-translated:WASD_ROOT:[DOC]*) * read </div> <a id="3.9" href="#"></a> <a id="3.9.siteattacks" href="#"></a> <a id="siteattacks" href="#"></a> <h2 class="head"><span class="numb">3.9</span><span class="text">Site Attacks</span></h2> <p> This is not a treatise on Web security and the author is not a security specialist. This is some general advice based on observation. There is little one can do at the server itself to reduce a concerted attack against a site. Common objectives of such attacks include the following (not an exhaustive list). <a id="3.9.0.0.1" href="#"></a> <a id="3.9.platformvulnerabilities" href="#"></a> <a id="platformvulnerabilities" href="#"></a> <h5 class="head"><span class="text">Platform Vulnerabilities</span></h5> <p> Where a general attack is launched against a specific platform (a combination of operating system and Web server software). Often these can be due to wide-spread infection of systems, meaning many attacks are being launched from a large number of systems (often without the system owners' knowledge or cooperation). <p> WASD, and OpenVMS in particular, are generally immune to such platform-specific attacks because they are not Microsoft or Unix based. The impact of the attack becomes one of nuisance-value traffic as the site is probed by the (sometimes very large number of) source systems. 
<a id="3.9.0.0.2" href="#"></a> <a id="3.9.sitevulnerabilities" href="#"></a> <a id="sitevulnerabilities" href="#"></a> <h5 class="head"><span class="text">Site Vulnerabilities</span></h5> <p> Where a specific attack is made against a site in an attempt to exploit a known vulnerability associated with that platform or environment. <p> These are perhaps the most worrying, although the <span class="high italic">security-by-obscurity</span> element works in favour of WASD and OpenVMS in this case. Neither are as common as other platforms and therefore do not receive as much attention. <a id="3.9.0.0.3" href="#"></a> <a id="3.9.denialofservice" href="#"></a> <a id="denialofservice" href="#"></a> <h5 class="head"><span class="text">Denial of Service</span></h5> <p> (DOS) Usually comprise flooding a site with requests in an effort to consume all available network or server resources making it unavailable for legitimate use. <p> These can be insidious, flooding network equipment as well as systems. Attempts at control are best undertaken at the periphery of the network (routers) although concerted attacks can succeed against the best prepared network. <a id="3.9.0.0.4" href="#"></a> <a id="3.9.passwordcracking" href="#"></a> <a id="passwordcracking" href="#"></a> <h5 class="head"><span class="text">Password Cracking</span></h5> <p> Where a systematic attempt to break into one or more accounts is undertaken. These are often repeated, dictionary-based password-guessing attacks. <p> WASD's authentication functionality notes successive password validation failures and after a reasonable number disables all access via the username for a constantly extended period. Passwords stop being checked and so a dictionary-based attack cannot succeed. Password validation failures can be recorded via OPCOM. 
<a id="3.9.0.0.5" href="#"></a> <a id="3.9.authorizationholes" href="#"></a> <a id="authorizationholes" href="#"></a> <h5 class="head"><span class="text">Authorization Holes</span></h5> <p> Knowing of or searching for resources that should be controlled by authorization but are not. <p> WASD's /AUTHORIZATION=ALL functionality may assist here (<a class="link" href="#3.6.securingauthorisation">‘Securing Authorisation’ in 3.6 Scripting</a>). <a id="3.9.0.0.6" href="#"></a> <a id="3.9.strategies" href="#"></a> <a id="strategies" href="#"></a> <h5 class="head"><span class="text">Strategies</span></h5> <p> There are a few strategies for reducing the load on a server experiencing a generalized attack or probing. These can also be used to "discourage" the source from considering the site an easy target. Unfortunately most require request acceptance and at least some processing before taking action. The general idea is to identify either the source site or some characteristic of the request that indicates it could not possibly be legitimate. Most platform-specific attacks have such a signature. For instance attacks against Microsoft platforms often involve probes for backdoors into non-server executables. These can be identified by the path containing strings such as "/winnt/", "/system32/", "/cmd.exe" or variations on them. This style will be used in examples below. <ul class="list"> <li class="item"> If the source IP address is known then the [Reject] (and/or [Accept]) configuration directives can be used to reject the request connection very early in the processing. The source agent receives a message about access being rejected. <div class="blockof code">[Reject] 131.185.250.* the.host.name </div> <li class="item"> Mapping rules in combination with conditionals may be used to redirect the request. This redirection could be to another, non-existent site, in the hope that the source agent will use the supplied URL and thus divert some activity away from the local site. 
<div class="blockof code">if (remote-host:the.host.name) redirect * http://the.host.name/* endif redirect **/winnt/** http://does.not.exist/ </div> <li class="item"> Mapping rule redirection can also be used to just "drop" the connection without any further interaction or processing. The source agent receives no response, just a broken connection. <div class="blockof code">if (remote-addr:131.185.250.*) pass * "000 just drop it!" endif pass **/system32/** "000 just drop it!" </div> <li class="item"> The <span class="high italic">hiss</span> facility returns a stream of random alpha-numeric characters (a sort of <span class="high italic">white-noise</span>). No response header is provided. Such a response might cause the source agent at best some distress (perhaps disabling it) or at least dissuade it from continuing with more probes (as the target is obviously not a Web server ;-) <div class="blockof code">if (remote-addr:131.185.250.*) map * /hiss/* script /hiss/* /hiss/* map **/cmd.exe** /hiss/*/cmd.exe* script /hiss/* /hiss/* </div> </ul> <a id="3.10" href="#"></a> <a id="3.10.contentsecuritypolicycsp" href="#"></a> <a id="contentsecuritypolicycsp" href="#"></a> <h2 class="head"><span class="numb">3.10</span><span class="text">Content Security Policy (CSP)</span></h2> <p> Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. 
<p class="indent"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/Content_Security_Policy">https://en.wikipedia.org/wiki/Content_Security_Policy</a> <br> <a class="link blank" target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a> <div class="note center"> <a id="3.10.0.0.1" href="#"></a> <a id="3.10.thissectionisnotanexplanationofcsp" href="#"></a> <a id="thissectionisnotanexplanationofcsp" href="#"></a> <h5 class="head center"><span class="text">This section is not an explanation of CSP</span></h5> <hr class="note_hr"> The content of the above links and others like them must be understood to apply CSP to a WASD site. <hr class="note_hr"> </div> <p> WASD provides CSP support using mapping rules. See <a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>. WASD allows configuration of policy using the <span class="high monosp">set response=csp=<span class="high italic">policy</span></span> rule and reporting only of policy violations using <span class="high monosp">set response=cspro=<span class="high italic">policy</span></span>. WASD includes a (basic) violation reporting utility. See <a class="link blank" target="_blank" href="../features/#cspreporter">CSPreport[er]</a> in <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. <!-- source:0600_STRINGS.WASDOC --> <hr class="page"> <a id="4." 
href="#"></a> <a id="4.stringmatching" href="#"></a> <a id="stringmatching" href="#"></a> <h1 class="head"><span class="numb">4.</span><span class="text">String Matching</span></h1> <table class="TOC2table"> <tr><td><a href="#4.1.wildcardpatterns"><span class="numb">4.1</span><span class="text">Wildcard Patterns</span></a> <tr><td><a href="#4.2.regularexpressions"><span class="numb">4.2</span><span class="text">Regular Expressions</span></a> <tr><td><a href="#4.3.examples"><span class="numb">4.3</span><span class="text">Examples</span></a> <tr><td><a href="#4.4.expressionsubstitution"><span class="numb">4.4</span><span class="text">Expression Substitution</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#3.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#5.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> Matching of strings is a pervasive and important function within the server. Two types are supported; wildcard and regular expression. Wildcard matching is generally much less expensive (in CPU cycles and time) than regular expression matching and so should always be used unless the match explicitly requires otherwise. WASD attempts to improve the efficiency of both by performing a preliminary pass to make simple matches and eliminate obvious mismatches using a very low-cost comparison. This either matches or doesn't, or encounters a pattern matching meta-character which causes it to undertake full pattern matching. <p> To assist with the refinement of string matching patterns the Server Administration facility has a report item named "Match". This report allows the input of target and match strings and allows direct access to the server's wildcard and regular expression matching routines. 
Successful matches show the matching elements and a substitution field (<a class="link" href="#4.4.expressionsubstitution">4.4 Expression Substitution</a>) allows resultant strings to be assessed. <p> To determine what string match processing is occurring during request processing in the running server use the <span class="high italic">match</span> item available from the Server Administration WATCH Report. <a id="4.1" href="#"></a> <a id="4.1.wildcardpatterns" href="#"></a> <a id="wildcardpatterns" href="#"></a> <h2 class="head"><span class="numb">4.1</span><span class="text">Wildcard Patterns</span></h2> <p> Wildcard patterns are simple, low-cost mechanisms for matching a string to a template. They are designed to be used in path and authorization mapping to compare a request path to the root (left-hand side) or a template expression. <a id="4.1.0.0.1" href="#"></a> <a id="4.1.wildcardoperators" href="#"></a> <a id="wildcardoperators" href="#"></a> <h5 class="head"><span class="text">Wildcard Operators</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Expression <th class="tabh">Purpose <tr class="tabr"> <tr class="tabr"> <td class="tabd">* <td class="tabd">Match zero or more characters (non-greedy) <tr class="tabr"> <td class="tabd">** <td class="tabd">Match zero or more characters (greedy) <tr class="tabr"> <td class="tabd">% <td class="tabd">Match any one character </table> <p> Wildcard matching uses the '*' and '%' symbols to match any zero or more, or any one character respectively. The '*' wildcard can either be greedy or non-greedy depending on the context (and for historical reasons). It can also be forced to be greedy by using two consecutive ('**'). By default it is not greedy when matching request paths for mapping or authentication, and is greedy at other times (matching strings within conditional testing, etc.) 
<a id="4.1.0.0.2" href="#"></a> <a id="4.1.greedyandnongreedy" href="#"></a> <a id="greedyandnongreedy" href="#"></a> <h5 class="head"><span class="text">Greedy and Non-Greedy</span></h5> <p> Non-greedy matching attempts to match an asterisk wildcard up until the first character that is not the same as the character immediately following the wildcard. It matches a minimum number of characters before failing. Greedy matching attempts to match all characters up until the first string that does not match what follows the asterisk. <p> To illustrate; using the following string <div class="blockof code">non-greedy character matching compared to greedy character matching </div> the following non-greedy pattern <div class="blockof code">*non-greedy character*matching </div> does not match but the following greedy pattern <div class="blockof code">*non-greedy character**matching </div> does match. The non-greedy one failed as soon as it encountered the space following the first "matching" string, while the greedy pattern continued to match eventually encountering a string matching the string following the greedy wildcard. <a id="4.2" href="#"></a> <a id="4.2.regularexpressions" href="#"></a> <a id="regularexpressions" href="#"></a> <h2 class="head"><span class="numb">4.2</span><span class="text">Regular Expressions</span></h2> <p> Regular expression matching is case insensitive (in line with other WASD behaviour) and uses the POSIX EGREP pattern syntax and capabilities. Regular expression matching offers significant but relatively expensive functionality. One of those expenses is expression compilation. WASD attempts to eliminate this by pre-compiling expressions during server startup whenever feasible. Regular expressions must be enabled using the [RegEx] WASD_CONFIG_GLOBAL directive and are then differentiated from wildcard patterns by using a leading "^" character. 
<p> A detailed tutorial on regular expression capabilities and usage is well beyond the scope of this document. Many such hard-copy and on-line documents are available. <p class="indent"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Regular_expression">http://en.wikipedia.org/wiki/Regular_expression</a> <p> This summary is only to serve as a quick mnemonic. WASD regular expressions support the following set of operators. <a id="4.2.0.0.1" href="#"></a> <a id="4.2.operatoroverview" href="#"></a> <a id="operatoroverview" href="#"></a> <h5 class="head"><span class="text">Operator Overview</span></h5> <table class="tabl nowrap"> <tr class="tabr under"> <th class="tabh">Description <th class="tabh">Usage <tr class="tabr"> <tr class="tabr"> <td class="tabd">Match-self Operator <td class="tabd">Ordinary characters. <tr class="tabr"> <td class="tabd">Match-any-character Operator <td class="tabd">. <tr class="tabr"> <td class="tabd">Concatenation Operator <td class="tabd">Juxtaposition. <tr class="tabr"> <td class="tabd">Repetition Operators <td class="tabd">* + ? {} <tr class="tabr"> <td class="tabd">Alternation Operator <td class="tabd">| <tr class="tabr"> <td class="tabd">List Operators <td class="tabd">[...] [^...] <tr class="tabr"> <td class="tabd">Grouping Operators <td class="tabd">(...) <tr class="tabr"> <td class="tabd">Back-reference Operator <td class="tabd">\digit <tr class="tabr"> <td class="tabd">Anchoring Operators <td class="tabd">^ $ <tr class="tabr"> <td class="tabd">Backslash Operator <td class="tabd">Escape meta-character; i.e. \ ^ . $ | [ ( </table> <p> The following operators are used to match one, or in conjunction with the repetition operators more, characters of the target string. These single and leading characters are reserved meta-characters and must be escaped using a leading backslash ("\") if required as a literal character in the matching pattern. 
<span class="high bold">Note</span> that this does not apply to the <span class="high italic">range</span> hyphen; to include a hyphen in a range ensure the character is the first or last in the range. <a id="4.2.0.0.2" href="#"></a> <a id="4.2.matchingoperators" href="#"></a> <a id="matchingoperators" href="#"></a> <h5 class="head"><span class="text">Matching Operators</span></h5> <table class="tabl nowrap"> <tr class="tabr under"> <th class="tabh">Expression <th class="tabh">Purpose <tr class="tabr"> <tr class="tabr"> <td class="tabd">^ <td class="tabd">Match the beginning of the line <tr class="tabr"> <td class="tabd">. <td class="tabd">Match any character <tr class="tabr"> <td class="tabd">$ <td class="tabd">Match the end of the line <tr class="tabr"> <td class="tabd">| <td class="tabd">Alternation (or) <tr class="tabr"> <td class="tabd">[abc] <td class="tabd">Match only a, b or c <tr class="tabr"> <td class="tabd">[^abc] <td class="tabd">Match anything except a, b and c <tr class="tabr"> <td class="tabd">[a-z0-9] <td class="tabd">Match any character in the range a to z or 0 to 9 </table> <p> Repetition operators control the extent, or number, of whatever the matching operators match. These are also reserved meta-characters and must be escaped using a leading backslash if required as a literal character. <a id="4.2.0.0.3" href="#"></a> <a id="4.2.repetitionoperators" href="#"></a> <a id="repetitionoperators" href="#"></a> <h5 class="head"><span class="text">Repetition Operators</span></h5> <table class="tabl nowrap"> <tr class="tabr under"> <th class="tabh">Expression <th class="tabh">Function <tr class="tabr"> <tr class="tabr"> <td class="tabd">* <td class="tabd">Match 0 or more times <tr class="tabr"> <td class="tabd">+ <td class="tabd">Match 1 or more times <tr class="tabr"> <td class="tabd">? 
<td class="tabd">Match 1 or zero times <tr class="tabr"> <td class="tabd">{n} <td class="tabd">Match exactly n times <tr class="tabr"> <td class="tabd">{n,} <td class="tabd">Match at least n times <tr class="tabr"> <td class="tabd">{n,m} <td class="tabd">Match at least n but not more than m times </table> <a id="4.3" href="#"></a> <a id="4.3.examples" href="#"></a> <a id="examples" href="#"></a> <h2 class="head"><span class="numb">4.3</span><span class="text">Examples</span></h2> <p> The following provides a series of examples as they might occur in use for server configuration. <ol class="list"> <li class="item"> Equivalent functionality using wildcard and regular expression patterns. Note that "Mozilla" must be at the start of the string, with the regular expression using the start-of-string anchor resulting in two consecutive "^"s, one indicating to WASD a regular expression, the other being part of the expression itself. <div class="blockof code">if (user-agent:Mozilla*Gecko*) if (user-agent:^^Mozilla.*Gecko) </div> <li class="item"> This shows path matching using equivalent wildcard and regular expression matching. Note the requirement to use the regular expression <span class="high italic">grouping</span> parentheses to provide the substitution elements, something provided implicitly with wildcard matching. <div class="blockof code">map /*/-/* /wasd_root/runtime/*/* map ^/(.+)/-/(.+) /wasd_root/runtime/*/* </div> <li class="item"> This rather contrived regular expression example has no equivalent capability available with wildcard matching. It forbids the use of any path that contains any character other than alpha-numerics, the hyphen, underscore, period and forward-slash. <div class="blockof code">pass ^[^-_./a-z0-9]+ "403 Forbidden character in path!" 
</div> </ol> <a id="4.4" href="#"></a> <a id="4.4.expressionsubstitution" href="#"></a> <a id="expressionsubstitution" href="#"></a> <h2 class="head"><span class="numb">4.4</span><span class="text">Expression Substitution</span></h2> <p> Expression substitution is available during path mapping (<a class="link" href="#10.requestprocessingconfiguration">10. Request Processing Configuration</a>). Both wildcard (implicitly) and regular expressions (using <span class="high italic">grouping</span> operators) note the offsets of matched portions of the strings. These are then used for wildcard and <span class="high italic">specified</span> wildcard substitution where result strings provide for this (e.g. mapping 'pass' and 'redirect' rules). A maximum of nine such wildcard substitutions are supported (one other, the zeroeth, is the full match). <a id="4.4.0.0.1" href="#"></a> <a id="4.4.wildcardsubstitution" href="#"></a> <a id="wildcardsubstitution" href="#"></a> <h5 class="head"><span class="text">Wildcard Substitution</span></h5> <p> With wildcard matching each asterisk wildcard contained in the pattern (<span class="high italic">template</span> string) has matching characters in the <span class="high italic">target</span> string noted and stored. Note that for the percentage (single character) wildcard no such storage is provided. These characters are available for substitution using corresponding wildcards present in the <span class="high italic">result</span> string. 
For instance, the target string <div class="blockof code">this is an example target string </div> would be matched by the pattern string <div class="blockof code">* is an example target * </div> as containing two matching wildcard strings <div class="blockof code">this string </div> which could be substituted using the result string <div class="blockof code">* is an example result * </div> producing the resultant string <div class="blockof code">this is an example result string </div> <a id="4.4.0.0.2" href="#"></a> <a id="4.4.regularexpressionsubstitution" href="#"></a> <a id="regularexpressionsubstitution" href="#"></a> <h5 class="head"><span class="text">Regular Expression Substitution</span></h5> <p> With regular expression matching the groups of matching characters must be explicitly specified using the <span class="high italic">grouping</span> parenthesis operator. Hence with regular expression matching it is possible to match many characters from the target string without retaining them for later substitution. Only if that match is designated as a substitution source do the matching characters become available for substitution via any result string. 
Using two possible target strings as an example <div class="blockof code">this is an example target string this is a contrived target string </div> would both be matched by the regular expression <div class="blockof code">^^([a-z]*) is [a-z ]* target ([a-z]*)$ </div> which though it contains three regular expressions in the pattern, only two have the grouping parentheses, and so make their matching string available for substitution <div class="blockof code">this string </div> which could be substituted using the result string <div class="blockof code">* is the final result * </div> producing the resultant string <div class="blockof code">this is the final result string </div> <a id="4.4.0.0.3" href="#"></a> <a id="4.4.specifiedsubstitution" href="#"></a> <a id="specifiedsubstitution" href="#"></a> <h5 class="head"><span class="text">Specified Substitution</span></h5> <p> By default the strings matched by wildcard or grouping operators are substituted in the same order in which they are matched. This order may be changed by specifying which wildcard string should be substituted where. Not all matched (and stored) strings need to be substituted. Some may be omitted and the contents effectively ignored. <p> The specified substitution syntax is a result wildcard followed by a single-apostrophe (') and a single digit from zero to nine (0…9). The zeroeth element is the full matching string. Element one is the first matching part of the expression, on through to the last. Specifying an element that had no matching string substitutes an empty string (i.e. nothing is added). 
Using the same target string as in the previous previous example <div class="blockof code">this is an example target string </div> and matched by the wildcard pattern string <div class="blockof code">* is an example target * </div> when substituted by the result string <div class="blockof code">*'2 is an example result </div> would produce the resultant string <div class="blockof code">string is an example result </div> with the string represented by the first wildcard effectively being discarded. <!-- source:0700_CONDITIONAL.WASDOC --> <hr class="page"> <a id="5." href="#"></a> <a id="5.conditionalconfiguration" href="#"></a> <a id="conditionalconfiguration" href="#"></a> <h1 class="head"><span class="numb">5.</span><span class="text">Conditional Configuration</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#5.1.serviceconditionals"><span class="numb">5.1</span><span class="text">Service Conditionals</span></a> <tr><td><a href="#5.2.ifendifconditionals"><span class="numb">5.2</span><span class="text">If..endif Conditionals</span></a> <tr><td><a href="#5.3.conditionalkeywords"><span class="numb">5.3</span><span class="text">Conditional Keywords</span></a> <tr><td><a href="#5.3.1.notepadkeyword"><span class="numb">5.3.1</span><span class="text">Notepad: Keyword</span></a> <tr><td><a href="#5.3.2.randkeyword"><span class="numb">5.3.2</span><span class="text">Rand: Keyword</span></a> <tr><td><a href="#5.3.3.requestkeyword"><span class="numb">5.3.3</span><span class="text">Request: Keyword</span></a> <tr><td><a href="#5.3.4.instanceandrobinkeywords"><span class="numb">5.3.4</span><span class="text">Instance: and Robin: Keywords</span></a> <tr><td><a href="#5.3.5.timekeyword"><span class="numb">5.3.5</span><span class="text">Time: Keyword</span></a> <tr><td><a href="#5.3.6.trnlnmkeyword"><span class="numb">5.3.6</span><span class="text">Trnlnm: Keyword</span></a> <tr><td><a href="#5.3.7.hostaddresses"><span class="numb">5.3.7</span><span 
class="text">Host Addresses</span></a> <tr><td><a href="#5.4.examples"><span class="numb">5.4</span><span class="text">Examples</span></a> <tr><td><a href="#5.5.dictionary"><span class="numb">5.5</span><span class="text">Dictionary</span></a> <tr><td><a href="#5.5.1.configurationentries"><span class="numb">5.5.1</span><span class="text">Configuration Entries</span></a> <tr><td><a href="#5.5.2.otherentries"><span class="numb">5.5.2</span><span class="text">Other Entries</span></a> <tr><td><a href="#5.5.3.entrysubstitution"><span class="numb">5.5.3</span><span class="text">Entry Substitution</span></a> <tr><td><a href="#5.5.4.watchdictionary"><span class="numb">5.5.4</span><span class="text">WATCH Dictionary</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#4.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#6.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> Request processing (WASD_CONFIG_MAP) and authorization (WASD_CONFIG_AUTH) rules may be conditionally applied depending on request, server or other charactersistics. These include <ul class="list simple list0"> <li class="item"> server host name, port <li class="item"> client IP address and host name <li class="item"> browser-accepted content-types, character sets, languages, encodings <li class="item"> browser identification string <li class="item"> scheme ("http:" or "https:", i.e. is it a secure request?) <li class="item"> HTTP method (GET, POST, etc.) <li class="item"> request path, query string, cookie data, refering page <li class="item"> virtual host:port specified in request header <li class="item"> system information (hardware, Alpha/IA64/X86, node name, VMS version, etc.) 
<li class="item"> local time <li class="item"> random number generation </ul> <a id="5.1" href="#"></a> <a id="5.1.serviceconditionals" href="#"></a> <a id="serviceconditionals" href="#"></a> <h2 class="head"><span class="numb">5.1</span><span class="text">Service Conditionals</span></h2> <p> As described in <a class="link" href="#2.3.1.virtualserver">2.3.1 [[virtual-server]]</a> a [[<span class="high italic">host</span>:<span class="high italic">port</span>]] rule applies subsequent configuration depending on whether the request service matches the specified service. This makes it a fundamental element of conditional configuration. <p> Note that service conditionals impose a boundary on the scope of <span class="high italic">if..endif</span> constructs. That is, an <span class="high italic">if..endif</span> may not span a virtual service conditional. A conditional flow syntax error is reported if an <span class="high italic">if..endif</span> construct is not properly closed before encountering a subsequent [[<span class="high italic">host</span>:<span class="high italic">port</span>]] rule. <a id="5.2" href="#"></a> <a id="5.2.ifendifconditionals" href="#"></a> <a id="ifendifconditionals" href="#"></a> <h2 class="head"><span class="numb">5.2</span><span class="text">If..endif Conditionals</span></h2> <p> These may be nested up to a maximum depth of eight, are not case sensitive and generally match via string comparison, although some tests are performed as boolean operations, by converting the conditional parameter to a number before comparison, and IP address parameters will accept a network mask as well as a string pattern. <a id="5.2.0.0.1" href="#"></a> <a id="5.2.stringmatching" href="#"></a> <a id="stringmatching" href="#"></a> <h5 class="head"><span class="text">String Matching</span></h5> <p> The basis of much conditional decision making is string pattern matching. 
Both wildcard and regular expression based pattern matching is available (<a class="link" href="#4.stringmatching">4. String Matching</a>). Wildcard matching in conditional tests is <span class="high italic">greedy</span>. Regular expression matching, in common with usage throughout WASD, is differentiated from wildcard patterns using a leading "^" character. <a id="5.2.0.0.2" href="#"></a> <a id="5.2.conditionalsyntax" href="#"></a> <a id="conditionalsyntax" href="#"></a> <h5 class="head"><span class="text">Conditional Syntax</span></h5> <p> Conditional expressions and processing flow structures may be used in the following formats. Conditional and rule text may be indented for clarifying structure. <div class="blockof code"><span class="high bold">if (<span class="high italic">condition</span>)</span> then apply rest of line <span class="high bold">if (<span class="high italic">condition</span>)</span> then apply one or more rules up until the corresponding … <span class="high bold">endif</span> <span class="high bold">if (<span class="high italic">condition</span>)</span> then apply one or more rules <span class="high bold">else</span> apply one or more other rules up until the corresponding … <span class="high bold">endif</span> <span class="high bold">if (<span class="high italic">condition</span>)</span> then apply one or more rules <span class="high bold">elif (<span class="high italic">condition</span>)</span> apply one or more other rules in a sort or case statement <span class="high bold">else</span> a possible default rule or rules up until the delimiting <span class="high bold">endif</span> </div> <p> Logical operators are also supported, in conjunction with precedence ordering parentheses, allowing moderately complex compound expressions to be applied in conditionals. <table class="tabl"> <tr class="tabr"> <th class="tabh monosp">! 
<td class="tabd">logical negation <tr class="tabr"> <th class="tabh monosp">&& <td class="tabd">logical AND <tr class="tabr"> <th class="tabh monosp">|| <td class="tabd">logical OR </table> <p> There are two more conditional structures that allow previous decisions to be reused. These are <span class="high italic">unif</span> and <span class="high italic">ifif</span>. The first unconditionally includes rules regardless of the current state of execution. The second resumes execution only if the previous <span class="high italic">if</span> or <span class="high italic">elif</span> expression was true. The <span class="high italic">else</span> statement may also be used after an <span class="high italic">unif</span> to continue only if the previous expression was false. The purpose of these constructs is to allow a single decision statement to include both conditional and unconditional rules. <div class="blockof code"><span class="high bold">if (<span class="high italic">condition</span>)</span> then apply one or more rules <span class="high bold">unif</span> apply this block of rules unconditionally <span class="high bold">ifif</span> applied only if the original if expression was evaluated as true <span class="high bold">unif</span> apply another block of rules unconditionally <span class="high bold">else</span> and this block of rules only if the original was false <span class="high bold">endif</span> </div> <div class="note"> <a id="5.2.0.0.3" href="#"></a> <a id="5.2.cautions" href="#"></a> <a id="cautions" href="#"></a> <h5 class="head center"><span class="text">CAUTIONS</span></h5> <hr class="note_hr"> Conditional syntax is checked at rule load time (either server startup or reload). Basic errors such as unknown keywords and unbalanced parentheses or structure statements will be detected and reported to the corresponding Admin Menu report and to the server process log. 
Unless these reports are checked after modifying rule sets, syntax errors may result in unexpected mappings or access. <p> Although the server cannot determine the correct intent of an otherwise syntactically correct conditional, if it encounters an unexpected but detectable condition during processing it aborts the request, supplying an appropriate error message. <p> Flow control errors (e.g. an <span class="high italic">if</span> not closed by a subsequent <span class="high italic">endif</span>) abort all rule processing and provide a fatal error report to the client. <hr class="note_hr"> </div> <a id="5.3" href="#"></a> <a id="5.3.conditionalkeywords" href="#"></a> <a id="conditionalkeywords" href="#"></a> <h2 class="head"><span class="numb">5.3</span><span class="text">Conditional Keywords</span></h2> <p> The following keywords provide a match between the corresponding request or other value and a string immediately following the delimiting colon. White space or other reserved characters may not be included unless preceded by a backslash. The actual value being used in the conditional matching may be observed using the mapping item of the WATCH facility. Keywords that test request header fields (for example cookie:, forwarded:, host:, referer:, user-agent: and x-forwarded-for:) match text chosen by the client, so a conditional that selects an authorization rule should not depend on such a value alone. <a id="5.3.0.0.1" href="#"></a> <a id="5.3.conditionalkeywords" href="#"></a> <a id="conditionalkeywords" href="#"></a> <h5 class="head"><span class="text">Conditional Keywords</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Keyword <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">accept: <td class="tabd">Browser-accepted content types as listed in the "Accept:" request header field. Same string as provided in CGI variable HTTP_ACCEPT. <tr class="tabr"> <td class="tabd">accept-charset: <td class="tabd">Browser-accepted character sets as listed in the "Accept-Charset:" request header field. CGI variable HTTP_ACCEPT_CHARSET. 
<tr class="tabr backlight"> <td class="tabd">accept-encoding: <td class="tabd">Browser-accepted content encoding as listed in the "Accept-Encoding:" request header field. CGI variable HTTP_ACCEPT_ENCODING. <tr class="tabr"> <td class="tabd">accept-language: <td class="tabd">Browser language preferences as listed in the "Accept-Language:" request header field. CGI variable HTTP_ACCEPT_LANGUAGE. <tr class="tabr backlight"> <td class="tabd">authorization: <td class="tabd">The raw authorization string from the request header, if any was supplied. This could be simply used to test whether it has been supplied or not. <tr class="tabr"> <td class="tabd">callout: <td class="tabd">Simple boolean value. If a script callout is in progress (see "Scripting Overview, CGI Callouts") it is true, otherwise false. <tr class="tabr backlight"> <td class="tabd">client_connect_gt: <td class="tabd">An integer representing the current network connections (those currently being processed plus those currently being "kept alive") for the particular client represented by the current request. If greater than this value returns true, otherwise false. See <a class="link" href="#2.6.clientconcurrency">2.6 Client Concurrency</a>. <tr class="tabr"> <td class="tabd">cluster_member: <td class="tabd">If the supplied node name is (perhaps currently) a member of the cluster (if any) the server may be executing on. <tr class="tabr backlight"> <td class="tabd">command_line: <td class="tabd">The command line qualifiers and parameters used when the server image was activated. <tr class="tabr"> <td class="tabd">cookie: <td class="tabd">Raw cookie data as the text string provided in "Cookie:" request header field. CGI variable HTTP_COOKIE. <tr class="tabr backlight"> <td class="tabd">decnet: <td class="tabd">Whether DECnet is active on the system and which version is available. This value will be 0 if not active, 4 if PhaseIV or 5 if PhaseV. 
<tr class="tabr"> <td class="tabd">dict: <td class="tabd">Matches the specified dictionary entry. See <a class="link" href="#5.5.4.watchdictionary">5.5.4 WATCH Dictionary</a>. <tr class="tabr backlight"> <td class="tabd">directory: <td class="tabd">Tests whether the specified directory exists or not. Parameter can be a URI available for mapping by the server or a VMS file-system specification. If no parameter is supplied the request path is mapped to a file-system specification. As this conditional accesses the file-system it can be <span class="high italic">relatively expensive in terms of server latency</span>. <tr class="tabr"> <td class="tabd">document_root: <td class="tabd">The DOCUMENT_ROOT CGI variable SET using the <span class="high italic">map=root=<string></span> mapping rule. <tr class="tabr backlight"> <td class="tabd">file: <td class="tabd">Tests whether the specified file exists or not. Parameter can be a URI available for mapping by the server or a VMS file-system specification. If no parameter is supplied the request path is mapped to a file-system specification. The specification can be a directory. As this conditional accesses the file-system it can be <span class="high italic">relatively expensive in terms of server latency</span>. <tr class="tabr"> <td class="tabd">forwarded: <td class="tabd">Proxy/gateway host(s) request forwarded by, as specified in request header field "Forwarded:". CGI variable HTTP_FORWARDED. <tr class="tabr backlight"> <td class="tabd">host: <td class="tabd">The host (and optionally port) specified in request header "Host:" field. This is used by all modern browsers to provide virtual host information to the server. CGI variable HTTP_HOST. <tr class="tabr"> <td class="tabd">http2: <td class="tabd">Is true if the request is being transported using HTTP/2 <tr class="tabr backlight"> <td class="tabd">instance: <td class="tabd">Used to check whether a particular, clustered instance of WASD is available. 
See <a class="link" href="#5.3.4.instanceandrobinkeywords">5.3.4 Instance: and Robin: Keywords</a>. <tr class="tabr"> <td class="tabd">jpi_username: <td class="tabd">The account username the server is executing as. <tr class="tabr backlight"> <td class="tabd">mapped_path: <td class="tabd">The path resulting from mapping (phase 2 if script path involved) from which the path-translated is derived. <tr class="tabr"> <td class="tabd">multihome: <td class="tabd">Somewhat specialised conditional that becomes non-null when a client used a different IP address to connect to the service than the service is bound to. Is set to the IP address the client used and may be matched using wildcard matching or as a network mask. <tr class="tabr backlight"> <td class="tabd">note: <td class="tabd">Ad hoc information (string) provided by the server administrator using the /DO=NOTE= facility (and online equivalent) that can be used to quickly and easily modify rule processing on a per-system or per-cluster basis. <tr class="tabr"> <td class="tabd">notepad: <td class="tabd">Information (strings) stored using the SET <span class="high italic">notepad=</span> mapping rule. See <a class="link" href="#5.3.1.notepadkeyword">5.3.1 Notepad: Keyword</a>. <tr class="tabr backlight"> <td class="tabd">ods: <td class="tabd">Specified as 2 or 5 (Extended File System), or as SRI file name encoding (MultiNet NFS and others), PWK encoding (PATHWORKS 4/5), ADS encoding (Advanced Server / PATHWORKS 6), SMB encoding (Samba - same as ADS). <tr class="tabr"> <td class="tabd">pass: <td class="tabd">A numeric value, 1 or 2, representing the first or second pass (if a script component was parsed) through the path mapping rules. Will be zero at other times. When the server is <span class="high italic">reverse-mapping</span> a file specification will be -1. <tr class="tabr backlight"> <td class="tabd">path-info: <td class="tabd">Path specified in the request line. CGI variable PATH_INFO. 
<tr class="tabr"> <td class="tabd">path-translated: <td class="tabd">VMS translation of path-info. Available after rule mapping (i.e. during authorization rule processing). <tr class="tabr backlight"> <td class="tabd">proctor: <td class="tabd">Simple boolean value. If a proctored script this is true (see <a class="link blank" target="_blank" href="../scripting/#scriptproctor">Script Proctor</a> in <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting</a>). <tr class="tabr"> <td class="tabd">query-string: <td class="tabd">Query string specified in request line. Same information as provided in CGI variable QUERY_STRING. <tr class="tabr backlight"> <td class="tabd">rand: <td class="tabd">Value from a random number generator. See <a class="link" href="#5.3.2.randkeyword">5.3.2 Rand: Keyword</a>. <tr class="tabr"> <td class="tabd">redirected: <td class="tabd">If a request has been internally redirected (<a class="link" href="#10.5.2.redirectrule">10.5.2 REDIRECT Rule</a>) this conditional will be non-zero. Can be used as a boolean or with a digit specified. <tr class="tabr backlight"> <td class="tabd">referer: <td class="tabd">URL of refering page as provided in "Referer:" request header field. CGI variable HTTP_REFERER. <tr class="tabr"> <td class="tabd">regex: <td class="tabd">Simple boolean value. If configuration directive [RegEx] is enabled (and hence regular expression string matching, <a class="link" href="#4.stringmatching">4. String Matching</a>) this will be true. <tr class="tabr backlight"> <td class="tabd">remote-addr: <td class="tabd">Client IP address. Same as provided as CGI variable REMOTE_ADDR. As with all IP addresses used for conditional testing this may be wildcard string match or network mask expressed as <span class="high italic">address</span>/<span class="high italic">mask-length</span> (see <a class="link" href="#5.3.7.hostaddresses">5.3.7 Host Addresses</a>). 
A domain (host) name preceded by a question mark may be specified (e.g. "?the.host.name"). The corresponding IP address is then looked up and compared to the client. This allows ad hoc host name based rules and is distinct from use of <span class="high italic">remote-host</span>. Note that DNS lookup can introduce some latency to rule (and request) processing, and that a rule of this kind is only as dependable as the name resolution behind it. <tr class="tabr"> <td class="tabd">remote-host: <td class="tabd">Client host name if name resolution enabled, otherwise the IP address (same as <span class="high italic">remote-addr</span>). CGI variable REMOTE_HOST. A resolved client host name comes from DNS data outside the server administrator's control, so for access decisions a match on <span class="high italic">remote-addr</span> is the more dependable test. <tr class="tabr backlight"> <td class="tabd">request: <td class="tabd">Detect the presence of specific or unknown request fields. See <a class="link" href="#5.3.3.requestkeyword">5.3.3 Request: Keyword</a>. <tr class="tabr"> <td class="tabd">request-method: <td class="tabd">HTTP method ("GET", "POST", etc.) specified in the request line. CGI variable REQUEST_METHOD. <tr class="tabr backlight"> <td class="tabd">request-protocol: <td class="tabd">Detect the HTTP protocol in use for the request, as "2", "1.1", "1.0" or "0.9". Note that the <span class="high italic">server-protocol</span> conditional will indicate 1.1 when the <span class="high italic">request-protocol</span> indicates 2. The server and its applications (scripts) still treat it semantically as HTTP/1.1. <tr class="tabr"> <td class="tabd">request-scheme: <td class="tabd">Request protocol as "http:" or "https:". CGI variable REQUEST_SCHEME. <tr class="tabr backlight"> <td class="tabd">request-uri: <td class="tabd">The unescaped request path plus any query-string. CGI variable REQUEST_URI. <tr class="tabr"> <td class="tabd">restart: <td class="tabd">A numeric value, zero to maximum, representing the number of times path mapping has been SET <span class="high italic">map=restart</span>. Can be used as a boolean or with a digit specified. 
<tr class="tabr backlight"> <td class="tabd">robin: <td class="tabd">Used to check whether a particular, clustered instance of WASD is available and distribute requests to it using a round-robin algorithm. See <a class="link" href="#5.3.4.instanceandrobinkeywords">5.3.4 Instance: and Robin: Keywords</a>. <tr class="tabr"> <td class="tabd">script-name: <td class="tabd">After the first pass of rule mapping (script component resolution), or during authorization processing, any script component of the request URI. <tr class="tabr backlight"> <td class="tabd">server-addr: <td class="tabd">The service IP address. CGI variable SERVER_ADDR. This may be wildcard string match or network mask expressed as <span class="high italic">address</span>/<span class="high italic">mask-length</span>. <tr class="tabr"> <td class="tabd">server_connect_gt: <td class="tabd">An integer representing the current server network connections (those currently being processed plus those currently being "kept alive"). If greater than this value returns true, otherwise false. <tr class="tabr backlight"> <td class="tabd">server_process_gt: <td class="tabd">An integer representing the current server requests in-progress. If greater than this value returns true, otherwise false. <tr class="tabr"> <td class="tabd">server-name: <td class="tabd">The (possibly virtual) server name. This may or may not exactly match any string provided via the <span class="high italic">host</span> keyword. CGI variable SERVER_NAME. <tr class="tabr backlight"> <td class="tabd">server-port: <td class="tabd">The (possibly virtual) server port number. CGI variable SERVER_PORT. <tr class="tabr"> <td class="tabd">server-protocol: <td class="tabd">"1.1", "1.0", "0.9" representing the HTTP protocol used by the request. <tr class="tabr backlight"> <td class="tabd">server-software: <td class="tabd">The server identification string, including the version. For example "HTTPd-WASD/8.0.0 OpenVMS/AXP SSL". CGI variable SERVER_SOFTWARE. 
<tr class="tabr"> <td class="tabd">service: <td class="tabd">This is the composite server name plus port as <span class="high italic">server-name</span>:<span class="high italic">port</span>. To match an unknown service use "?". <tr class="tabr backlight"> <td class="tabd">ssl: <td class="tabd">Simple boolean value. If request is via Secure Sockets Layer then this will be true. <tr class="tabr"> <td class="tabd">syi_arch_name: <td class="tabd">System information; CPU architecture of the server system, "Alpha", "Itanium" or "x86-64". <tr class="tabr backlight"> <td class="tabd">syi_hw_name: <td class="tabd">System information; hardware identification string, for example "AlphaStation 400 4/233". <tr class="tabr"> <td class="tabd">syi_nodename: <td class="tabd">System information; the node name, for example "KLAATU". <tr class="tabr backlight"> <td class="tabd">syi_version: <td class="tabd">System information; VMS version string, for example "V7.3". <tr class="tabr"> <td class="tabd">tcpip: <td class="tabd">A string derived from the UCX$IPC_SHR shareable image. It looks something like this "Compaq TCPIP$IPC_SHR V5.1-15 (11-JAN-2001 02:28:33.95)" and comprises the agent (Compaq, MultiNet, TCPware, unknown), the name of the image, the version and finally the link date. <tr class="tabr backlight"> <td class="tabd">time: <td class="tabd">Compare to current system time. See <a class="link" href="#5.3.5.timekeyword">5.3.5 Time: Keyword</a>. <tr class="tabr"> <td class="tabd">trnlnm: <td class="tabd">Translate a logical name. See <a class="link" href="#5.3.6.trnlnmkeyword">5.3.6 Trnlnm: Keyword</a>. <tr class="tabr backlight"> <td class="tabd">upstream-addr: <td class="tabd">Client proxy/accelerator IP address, when "SET CLIENT=keyword" has been applied to enable transparent up-stream proxy. Same as provided as CGI variable UPSTREAM_ADDR. 
As with all IP addresses used for conditional testing this may be wildcard string match or network mask expressed as <span class="high italic">address</span>/<span class="high italic">mask-length</span> (see <a class="link" href="#5.3.7.hostaddresses">5.3.7 Host Addresses</a>). <tr class="tabr"> <td class="tabd">user-agent: <td class="tabd">Browser identification string as provided in "User-Agent:" request header field. CGI variable HTTP_USER_AGENT. <tr class="tabr backlight"> <td class="tabd">webdav: <td class="tabd">Simple boolean value. If the request has been identified as WebDAV then this is true. Takes an optional parameter: <table class="tabl"> <tr class="tabr"> <td class="tabd">webdav:all <td class="tabd">True if path has been <span class="high italic">SET webdav=all</span> <tr class="tabr"> <td class="tabd">webdav:auth <td class="tabd">True if path has been <span class="high italic">SET webdav=auth</span> <tr class="tabr"> <td class="tabd">webdav:MSagent <td class="tabd">True if a Microsoft WebDAV agent has been detected. </table> <tr class="tabr"> <td class="tabd">websocket: <td class="tabd">Simple boolean value. If a WebSocket protocol upgrade request this will be true. <tr class="tabr backlight"> <td class="tabd">x-forwarded-for: <td class="tabd">Proxied client name or address as provided in "X-Forwarded-For:" request header field. CGI variable HTTP_X_FORWARDED_FOR. The field can be set by the client or by any intermediary, so its value identifies the original client only when requests are known to arrive through a proxy that sets it itself. </table> <a id="5.3.1" href="#"></a> <a id="5.3.1.notepadkeyword" href="#"></a> <a id="notepadkeyword" href="#"></a> <h3 class="head"><span class="numb">5.3.1</span><span class="text">Notepad: Keyword</span></h3> <p> The <span class="high italic">request notepad</span> is a string storage area that can be used to store and retrieve ad hoc information during path mapping and subsequent authorization processing. 
The notepad contents can be changed using the SET <span class="high italic">notepad=&lt;string&gt;</span> or appended to using SET <span class="high italic">notepad=+&lt;string&gt;</span> (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). These contents then can be subsequently detected using the <span class="high italic">notepad:</span> conditional keyword (or the obsolescent 'NO' mapping conditional) and used to control subsequent mapping or authorization processing. <p> Notepad information persists across internal redirection processing (<a class="link" href="#10.5.2.redirectrule">10.5.2 REDIRECT Rule</a>) and so may be used when the regenerated request is mapped and authorized. To prevent such information from unexpectedly interfering with internally redirected requests a <span class="high italic">notepad=""</span> can be used to empty the storage area. <p> The <span class="high italic">dictionary</span> facility provides similar and arguably superior functionality. See <a class="link" href="#5.5.4.watchdictionary">5.5.4 WATCH Dictionary</a>. In fact <span class="high italic">notepad</span> is now implemented as a dictionary entry. <a id="5.3.2" href="#"></a> <a id="5.3.2.randkeyword" href="#"></a> <a id="randkeyword" href="#"></a> <h3 class="head"><span class="numb">5.3.2</span><span class="text">Rand: Keyword</span></h3> <p> At the commencement of each pass a new pseudo-random number is generated (and therefore remains constant during that pass). The <span class="high italic">rand:</span> conditional is intended to allow some sort of distribution to be built into a set of rules, where each pass (request) generates a different one. The random conditional accepts two parameters, a <span class="high italic">modulus</span> number, which is applied as the modulus of the base number, and a <span class="high italic">comparison</span> number, which is compared to the modulus result. 
<p> Hence the following conditional rules <div class="blockof code">if (rand:3:0) <span class="high italic">do this</span> elif (rand:3:1) <span class="high italic">do this</span> else <span class="high italic">do this</span> endif </div> would pseudo-randomly generate base numbers of 0, 1, 2 and perform the appropriate conditional block. Over a sufficient number of usages this should produce a relatively even distribution of numbers. If the modulus is specified as less than two (i.e. no distribution factor at all) it defaults to 2 (i.e. a distribution of 50%). Hence the following example should be the equivalent of a coin toss. <div class="blockof code">if (rand:) <span class="high italic">heads</span> else <span class="high italic">tails</span> endif </div> <a id="5.3.3" href="#"></a> <a id="5.3.3.requestkeyword" href="#"></a> <a id="requestkeyword" href="#"></a> <h3 class="head"><span class="numb">5.3.3</span><span class="text">Request: Keyword</span></h3> <p> Looks through each of the lines of the request header for the specified request field and/or value. This may be used to detect the presence of specific or unknown (to the server) request fields. When detecting just a specified field the name can be provided <div class="blockof code">if (request:"Keep-Alive:*") </div> matching any value, or specific values can also be matched for <div class="blockof code">if (request:"User-Agent:*Opera*") </div> <p> Note that all request fields known to the server have a specific associated conditional keyword (i.e. "user-agent:" for the above example). To determine whether any request fields unknown to the server have been supplied use the <span class="high italic">request:</span> keyword as in the following example. <div class="blockof code">if (request:?) 
map * /cgi-bin/unknown_request_notify.com* endif </div> <a id="5.3.4" href="#"></a> <a id="5.3.4.instanceandrobinkeywords" href="#"></a> <a id="instanceandrobinkeywords" href="#"></a> <h3 class="head"><span class="numb">5.3.4</span><span class="text">Instance: and Robin: Keywords</span></h3> <p> Both of these conditionals are designed to allow the redistribution of requests between clustered WASD services. They are WASD-aware and so allow a slightly more tailored distribution than perhaps an IP package round-robin implementation might. Each tests for the current operation of WASD on a particular node (using the DLM) before allowing the selection of that node as a target. This can allow some systems to be shutting down or starting up, or have WASD shutdown for any reason, without requiring any extraordinary procedures to allow for the change in processing environment. <a id="5.3.4.0.1" href="#"></a> <a id="5.3.4.instance" href="#"></a> <a id="instance" href="#"></a> <h5 class="head"><span class="text">Instance:</span></h5> <p> The instance: directive allows testing for a particular cluster member having a WASD instance currently running. This can allow requests to be redirected or reverse-proxied to a particular system with the knowledge that it should be processed (of course there is a small window of uncertainty as events such as system shutdown and startup occur asynchronously). The behaviour of the conditional block is entirely determinate based on which node names have a WASD instance and the order of evaluation. Compare this to a similar construct using the robin: directive, as described below. <p> This conditional is deployed in two phases. In the first, it contains a comma-separated list of node names (that are expected to have instances of WASD instantiated). In the second, it contains a single node name, allowing the selected node to be tested. For example. 
<div class="blockof code">if (instance:NODE1,NODE2,NODE3) if (instance:NODE1) redirect /* http://node1.domain.name/*? if (instance:NODE2) redirect /* http://node2.domain.name/*? if (instance:NODE3) redirect /* http://node3.domain.name/*? pass * "500 Some sort of logic error!!" endif pass * "503 No instance currently available!" </div> <p> If none of the node names specified in the first phase is currently running a WASD instance the rule returns false, otherwise true. If true the above example has conditional block processed with each of the node names successively tested. If NODE1 has a WASD instance executing it returns true and the associated redirect is performed. The same for NODE2 and NODE3. At least one of these would be expected to test true otherwise the outer conditional established during phase one would have been expected to return false. <a id="5.3.4.0.2" href="#"></a> <a id="5.3.4.robin" href="#"></a> <a id="robin" href="#"></a> <h5 class="head"><span class="text">Robin:</span></h5> <p> The robin: conditional allows rules to be applied sequentially against specified members of a cluster that currently have instances of WASD running. This is obviously intended to allow a form of load sharing and/or with redundancy (not balancing, as no evaluation of the selected target's current workload is performed, see below). As with the instance: directive above, there is, of course, a small window of potential uncertainty as events such as system shutdown and startup occur asynchronously and may impact availability between the phase one test and ultimate request distribution. <p> This conditional is again used in two phases. The first, containing a comma-separated list of node names (that are expected to have instances of WASD instantiated). The second, containing a single node name, allowing the selected node (from phase one) to have a rule applied. For example. 
<div class="blockof code">if (robin:X861,ALPHA1,ALPHA2,IA64A) if (robin:X861) redirect /* http://x861.domain.name/*? if (robin:ALPHA1) redirect /* http://alpha1.domain.name/*? if (robin:ALPHA2) redirect /* http://alpha2.domain.name/*? if (robin:IA64A) redirect /* http://ia64a.domain.name/*? pass * "500 Some sort of logic error!!" endif pass * "503 No round-robin node currently available!" </div> <p> In this case round-robining will be made through four node names. Of course these do not have to represent all the systems in the cluster currently available or having WASD instantiated. The first time the 'robin:' rule containing multiple names is called X861 will be selected. The second time ALPHA1, the third ALPHA2, and the fourth IA64A. With the fifth call X861 is returned to, the sixth ALPHA1, etc. In addition, the selected nodename is verified to have an instance of WASD currently running (using the DLM and WASD's instance awareness). If it does not, round-robining is applied again until one is found (if none is available the phase one conditional returns false). This is most significant as it ensures that the selected node should be able to respond to a redirected or (reverse-)proxied request. This is the selection set-up phase. <p> Then there is the selection application phase. Inside the set-up conditional other conditionals apply the selection made in the first phase (through simple nodename string comparison). The rule, in the above example a redirect, is applied if that was the node selected. <p> During selection set-up unequal weighting can be applied to the round-robin algorithm by including particular node names more than once. <div class="blockof code">if (robin:X861,ALPHA,X862,ALPHA) </div> <p> In the above example, the node ALPHA will be selected twice as often as either of X861 and X862 (and because of the ordering interleaved with the X86 selections). 
<a id="5.3.5" href="#"></a> <a id="5.3.5.timekeyword" href="#"></a> <a id="timekeyword" href="#"></a> <h3 class="head"><span class="numb">5.3.5</span><span class="text">Time: Keyword</span></h3> <p> The <span class="high italic">time:</span> conditional allows server behaviour to change according to the time of day, week, or even year. It compares the supplied parameter to the current system time in one of three ways. <ol class="list"> <li class="item"> The supplied parameter is in the form "1200-1759", which should be read as "twelve noon to five fifty-nine PM" (i.e. as a time range in minutes, generalized as <span class="high italic">hhmm-hhmm</span>), where the first is the start time and the second the end time. If the current time is within that range (inclusive) the conditional returns true, otherwise false. If the range doesn't look correct false is always returned. <div class="blockof code">if (time:0000-0000) <span class="high italic">it's midnight</span> elif (time:0001-1159) <span class="high italic">it's AM</span> elif (time:1200-1200) <span class="high italic">it's noon</span> else <span class="high italic">it's PM</span> endif </div> <li class="item"> If the supplied parameter is a single digit it is compared to the VMS day of the week (1-Monday, 2-Tuesday … 7-Sunday). <div class="blockof code">if (time:6 || time:7) <span class="high italic">it's the weekend</span> else <span class="high italic">it's the working week</span> endif </div> <li class="item"> If the supplied string is not in either of the formats described above it is treated as a string match with a VMS comparison time (i.e. <span class="high italic">yyyy-mm-dd hh-mm-ss.hh</span>).
<div class="blockof code">if (time:%%%%-05-*) <span class="high italic">it's the month of May</span> endif </div> </ol> <a id="5.3.6" href="#"></a> <a id="5.3.6.trnlnmkeyword" href="#"></a> <a id="trnlnmkeyword" href="#"></a> <h3 class="head"><span class="numb">5.3.6</span><span class="text">Trnlnm: Keyword</span></h3> <p> The <span class="high italic">trnlnm:</span> conditional dynamically translates a logical name and uses the value. One mandatory and up to two optional parameters may be supplied. <div class="blockof code">trnlnm:logical-name[;name-table][:string-to-match] </div> <p> The <span class="high italic">logical-name</span> must be supplied; without it false is always returned. If just the <span class="high italic">logical-name</span> is supplied the conditional returns true if the name exists or false if it does not. The default <span class="high italic">name-table</span> is LNM$FILE_DEV. When the optional <span class="high italic">name-table</span> is supplied the lookup is confined to that table. If the optional <span class="high italic">string-to-match</span> is supplied it is matched against the value of the logical and the result returned. <a id="5.3.7" href="#"></a> <a id="5.3.7.hostaddresses" href="#"></a> <a id="hostaddresses" href="#"></a> <h3 class="head"><span class="numb">5.3.7</span><span class="text">Host Addresses</span></h3> <p> Host names or addresses can be an alpha-numeric string (if DNS lookup is enabled) or dotted-decimal network address, a slash, then a dotted-decimal mask. For example "131.185.250.0/255.255.255.192". This has a 6 bit subnet. It operates by bitwise-ANDing the client host address with the mask, bitwise-ANDing the network address supplied with the mask, then comparing the two results for equality. Using the above example the host 131.185.250.50 would be accepted (50 AND 192 is 0, the same as the network address ANDed with the mask), but 131.185.250.250 would be rejected (250 AND 192 is 192). Equivalent notation for this rule would be "131.185.250.0/26". When a rule of this kind is used to restrict access, the numeric form is the more dependable of the two, since a host name match is only as trustworthy as the DNS lookup behind it.
<a id="5.4" href="#"></a> <a id="5.4.examples" href="#"></a> <a id="examples" href="#"></a> <h2 class="head"><span class="numb">5.4</span><span class="text">Examples</span></h2> <p> The following provides a collection of examples of conditional mapping and authorization rules illustrating the use of wildcard matching, network mask matching and the various formats in which the rules may be blocked. <ol class="list"> <li class="item"> This first example shows an EXEC mapping rule being applied to a path if the request query string contains the string "example". <div class="blockof code">if (query-string:*example*) exec /* /cgi-bin/example/* </div> <li class="item"> In this example a block of mapping statements is processed if the virtual service of the request matches that in the conditional, otherwise the block is skipped. Note the indentation to help clarify the structure. <div class="blockof code">if (service:the.host.name:80) pass /web/* /dka0/the_host_name_web/* pass /graphics/* /dka100/graphics/* pass * "404 Resource not found." endif </div> <li class="item"> In this example a series of tests allows a form of case processing where the first to match will be processed and terminate the matching process. In this case if a match does not occur rule processing continues after the <span class="high italic">endif</span>. <div class="blockof code">if (service:the.host.name:80) pass /web/* /dka0/the_host_name_web/* elif (service:next.host.name:80) pass /web/* /dka0/next_host_name_web/* elif (service:another.host.name:80) pass /web/* /dka0/another_host_name_web/* endif pass /graphics/* /dka100/graphics/* pass * "404 Resource not found." </div> <li class="item"> In this (somewhat contrived) example a nested test is used to check (virtual) server name and that the request is being handled via Secure Sockets Layer (SSL) for security. If it is not, an informative message is supplied.
The <span class="high italic">else</span> and the quotes are not really required but included here for illustration. <div class="blockof code">if (server-name:the.host.name) if (scheme:"https") pass /secure/* /dka0/the_host_name_web/secure/* else pass * /dka0/the_host_name_web/secure/only-via-SSL.html endif endif </div> <li class="item"> This would be another way to accomplish a similar objective to example 4. This uses a <span class="high italic">negation</span> operator to exclude access to successive mappings if not requesting via SSL. <div class="blockof code">if (server-name:the.host.name) if (!SSL:) pass * /web/secure/only-via-SSL.html endif pass /secure/* /web/secure/* pass /other/* /web/other/* pass /web/* /web/web/* pass * "404 Resource not found." endif </div> <li class="item"> This example shows the use of a compound conditional using the AND and OR operators. It also illustrates the use of a network mask. It will exclude all access to the specified path unless the request is originating from within a specified network (perhaps an intranet) or via SSL. <div class="blockof code">if (path:/sensitive/* && !(remote-addr:131.185.250.0/24 || SSL:)) pass * 404 "Access denied (SSL only)." endif </div> <li class="item"> This example illustrates restricting authentication to SSL. <div class="blockof code">[[*]] ["Your VMS password"=VMS] if (!request-scheme:https) * r+w,#0 endif </div> <li class="item"> Logical name translation may be used to dynamically alter the flow of rule interpretation. <div class="blockof code">if (trnlnm:HTTPD_EXAMPLE) pass /* /example/* else pass /* /* endif </div> <li class="item"> Using a site administrator's /DO=NOTE= entry to modify rule processing. 
In this example the contingency of a broken back-end processor has been prepared for and a document advising clients of the temporary problem is redirected to once the administrator enters <div class="blockof code">$ HTTPD /DO=NOTE=PROBLEM /ALL </div> at the command-line (or via the online equivalent). Note that in this example external clients are provided with the problem advice document while internal clients may still access the back-end for troubleshooting purposes. <div class="blockof code">if (note:PROBLEM && !remote-addr:131.185.0.0/16) pass /* /problem_with_backend.html else pass /* /backend/* endif </div> <p> Of course there are a multitude of possibilities based on this idea! </ol> <div class="note center"><a id="5.4.0.0.0.1" href="#"></a> <a id="5.4.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The noted data persists across server startups but does not persist across system startups! <hr class="note_hr"> </div> <a id="5.5" href="#"></a> <a id="5.5.dictionary" href="#"></a> <a id="dictionary" href="#"></a> <h2 class="head"><span class="numb">5.5</span><span class="text">Dictionary</span></h2> <p> The per-request dictionary stores key-value string pairs related to request processing. Some entries are generated and used internally by the server and others may be inserted, value changed, removed and tested by the server admin for conditional processing purposes. <p> The dictionary was initially introduced as an abstraction layer between the significantly different HTTP/2 and HTTP/1.<span class="high italic">n</span> header semantics and server internal processing. Its utility was then extended into configuration. It is implemented as a standard hash table with collision lists. The small cost in terms of processing is completely offset by its effectiveness. 
<a id="5.5.1" href="#"></a> <a id="5.5.1.configurationentries" href="#"></a> <a id="configurationentries" href="#"></a> <h3 class="head"><span class="numb">5.5.1</span><span class="text">Configuration Entries</span></h3> <p> Dictionary entries may be configured using the SET dict=<span class="high italic">key</span>=<span class="high italic">value</span> mapping rule or the DICT <span class="high italic">key</span>=<span class="high italic">value</span> meta keyword. These are known as <span class="high italic">configuration entries</span>. Keys must begin with an alpha-numeric character but otherwise keys and values may contain any printable character, with some needing to be escaped in the text of configuration files. These are some examples of each. <div class="blockof code">set /example/path* dict=example_key=example value set /example/path* dict=example_key="example value" set /example/path* dict=example_key="example "value"" dict example_key=example value dict example_key="example value" dict example_key="example "value"" </div> <p> If an existing key is (re-)inserted it overwrites the old value. <p> An entry can have an empty value. <div class="blockof code">set /example/path* dict=example_key= dict example_key= </div> <p> An entry may be removed from the dictionary by prefixing the key name with an exclamation point. <div class="blockof code">set /example/path* dict=!example_key dict !example_key </div> <p> All configuration entries may be removed by using the exclamation point with an empty key. <div class="blockof code">set /example/path* dict=! dict ! 
</div> <div class="note"><a id="5.5.1.0.0.1" href="#"></a> <a id="5.5.1.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Configuration entries persist across internal redirection processing (<a class="link" href="#10.5.2.redirectrule">10.5.2 REDIRECT Rule</a>) and so may be used as flags or otherwise contain useful information when the regenerated request is mapped and authorized. To prevent such information from unexpectedly interfering with internally redirected requests selected or all entries can be removed in the redirected request using the above values. <hr class="note_hr"> </div> <a id="5.5.2" href="#"></a> <a id="5.5.2.otherentries" href="#"></a> <a id="otherentries" href="#"></a> <h3 class="head"><span class="numb">5.5.2</span><span class="text">Other Entries</span></h3> <p> As mentioned, the server generates and uses dictionary entries during request processing. There are multiple types of entry, generally insulated from each other for good reason. These entries are also available for conditional testing. 
<a id="5.5.2.0.1" href="#"></a> <a id="5.5.2.dictionaryentries" href="#"></a> <a id="dictionaryentries" href="#"></a> <h5 class="head"><span class="text">Dictionary Entries</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Character <th class="tabh">Type <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">~ <td class="tabd">configuration <td class="tabd">admin managed entry <tr class="tabr"> <td class="tabd">$ <td class="tabd">internal <td class="tabd">server processing <tr class="tabr"> <td class="tabd">> <td class="tabd">request <td class="tabd">request header field <tr class="tabr"> <td class="tabd">< <td class="tabd">response <td class="tabd">response header field </table> <p> The "if (dict:<span class="high italic">expression</span>)" construct first checks for a configuration entry, then for a request header field entry, then finally for an internal entry (response entries are only available for testing after response processing begins and so not in the search list). It is also possible to test for a key of a specific type by prefixing the key name with the type character. This example shows a request header field being conditionally processed. Request header field entries hold values supplied by the client, so a test such as this should not be the only basis for an access decision. <div class="blockof code">if (dict:>X-example=hello) </div> <p> It is also possible to set an entry of a specific type by prefixing the key with the type character. For example the following will set a response header field that will be included in the header when returned to the client. <div class="blockof code">set /example/path* dict=<X-example=""quoted string"" </div> <p> Setting any non-configuration entry should only be undertaken by the literati or the brave.
<a id="5.5.3" href="#"></a> <a id="5.5.3.entrysubstitution" href="#"></a> <a id="entrysubstitution" href="#"></a> <h3 class="head"><span class="numb">5.5.3</span><span class="text">Entry Substitution</span></h3> <p> The value of a dictionary entry can be derived in whole or part from the value of another entry or entries. This uses a somewhat familiar substitution syntax. A contrived example shows an entry being set that transfers back the request user-agent header field as a response header field. The user-agent value is supplied by the client, so echoing it into a response in this way is for illustration rather than production use. <div class="blockof code">set /example/path* dict=<X-user-agent=''>user-agent' </div> A similar rule can be seen applied in the WATCH report example below. <a id="5.5.4" href="#"></a> <a id="5.5.4.watchdictionary" href="#"></a> <a id="watchdictionary" href="#"></a> <h3 class="head"><span class="numb">5.5.4</span><span class="text">WATCH Dictionary</span></h3> <p> The content of a request's dictionary at significant stages of request processing can be viewed using the [x]Internal item of a WATCH report. See <a class="link blank" target="_blank" href="../features/#watchfacility">WATCH Facility</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. <p> A request dictionary WATCH point is similar to the following (end of request processing) example. Note that all of the entry types described above are present in the example, including two configured entries. Note also that two of the internal entries contain embedded line-breaks and empty lines. This is an HTTP/2 request and the expanded (HTTP/1.<span class="high italic">n</span> style) <span class="high italic">request_header</span> and <span class="high italic">response_header</span> entries are due to WATCH items Request [x]Header and Response [x]Header also being checked. They were not required for request processing.
<div class="blockof code">|Time_______|Module__|Line|Item|Category__|Event...| <span class="high italic">8< snip 8<</span> |21:11:00.12 DICT 0836 0001 INTERNAL DICTIONARY size:32 count:29 bytes:4193| ENTRY 001 [005] $ {14}request_method={3}GET ENTRY 002 [009] $ {12}request_path={15}/httpd/-/admin/ ENTRY 003 [014] > {6}accept={63}text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ENTRY 004 [018] > {15}accept-encoding={13}gzip, deflate ENTRY 005 [001] > {10}user-agent={116}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4 ENTRY 006 [007] > {15}accept-language={5}en-us ENTRY 007 [031] > {13}authorization={30}Basic ************************* ENTRY 008 [004] > {3}dnt={1}1 ENTRY 009 [012] $ {12}request_line={28}GET /httpd/-/admin/ HTTP/1.1 ENTRY 010 [024] > {4}host={18}klaatu.private:443 ENTRY 011 [011] $ {10}http2_ping={6}44.919 ENTRY 012 [013] $ {14}request_header={372}GET /httpd/-/admin/ HTTP/1.1 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-encoding: gzip, deflate user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4 accept-language: en-us authorization: Basic ************************* dnt: 1 host: klaatu.private:443 ENTRY 013 .012. $ {9}path_info={15}/httpd/-/admin/ ENTRY 014 [000] $ {12}query_string={0} ENTRY 015 .004. $ {11}request_uri={15}/httpd/-/admin/ ENTRY 016 [025] ~ {7}this_is={7}a test! ENTRY 017 [028] < {12}x-user-agent={116}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4 ENTRY 018 .018. $ {15}response_status={3}200 ENTRY 019 [026] $ {15}response_reason={2}OK ENTRY 020 .011. < {6}server={33}HTTPd-WASD/11.0.0 OpenVMS/AXP SSL ENTRY 021 [002] < {4}date={29}Tue, 02 Feb 2016 10:40:59 GMT ENTRY 022 .005. < {13}accept-ranges={5}bytes ENTRY 023 [008] < {15}accept-encoding={13}gzip, deflate ENTRY 024 .004. 
< {7}expires={29}Fri, 13 Jan 1978 14:00:00 GMT ENTRY 025 [030] < {13}cache-control={18}no-cache, no-store ENTRY 026 .028. < {6}pragma={8}no-cache ENTRY 027 .030. < {12}content-type={29}text/html; charset=ISO-8859-1 ENTRY 028 [006] < {14}content-length={5}15741 ENTRY 029 [019] $ {15}response_header={446}HTTP/1.1 200 OK x-user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/601.4.4 (KHTML, like Gecko) Version/9.0.3 Safari/601.4.4 server: HTTPd-WASD/11.0.0 OpenVMS/AXP SSL date: Tue, 02 Feb 2016 10:40:59 GMT accept-ranges: bytes accept-encoding: gzip, deflate expires: Fri, 13 Jan 1978 14:00:00 GMT cache-control: no-cache, no-store pragma: no-cache content-type: text/html; charset=ISO-8859-1 content-length: 15741 <span class="high italic">8< snip 8<</span> </div> <p> The first three digit number is simply the entry count in order of insertion. The second, either square bracketed or period delimited, is the hash table entry. The square brackets indicate the head of the hash table, the periods down the collision list. The single punctuation character is use to indicate and differentiate the entry type. Then are the key and equate-separated value. The brace enclosed numbers are the length of the key and value respectively. <!-- source:0800_GLOBAL.WASDOC --> <hr class="page"> <a id="6." 
href="#"></a> <a id="6.globalconfiguration" href="#"></a> <a id="globalconfiguration" href="#"></a> <h1 class="head"><span class="numb">6.</span><span class="text">Global Configuration</span></h1> <table class="TOC2table"> <tr><td><a href="#6.1.functionalgroupings"><span class="numb">6.1</span><span class="text">Functional Groupings</span></a> <tr><td><a href="#6.2.alphabeticlisting"><span class="numb">6.2</span><span class="text">Alphabetic Listing</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#5.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#7.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> The example <a class="link blank" target="_blank" href="/wasd_root/example/WASD_CONFIG_GLOBAL.conf">configuration file</a> can be used as a template. <p> By default, the logical name <span class="high bold">WASD_CONFIG_GLOBAL</span> locates a global configuration file. Simple editing of the configuration file changes the rules. Alternatively the Server Administration page configuration interface may be used. Changes to the global configuration file require a server restart to put them into effect. <p> The [IncludeFile] is a directive common to all WASD configuration, allowing a separate file to be included as a part of the current configuration. See <a class="link" href="#2.1.includefiledirective">2.1 Include File Directive</a>. <p> Some directives take a single parameter, such as an integer, string or boolean value. Other directives can/must have multiple parameters. The version 4 configuration requires the directive to be placed on a line by itself and each separate parameter on a separate line following it. All parameter lines apply to the most recently encountered directive. <p> Note that all <span class="high italic">boolean</span> directives are <span class="high italic">disabled</span> (OFF) by default. 
This is done so that there can be no confusion about what is enabled and disabled by default. To use directive controlled facility it <span class="high bold">must</span> be explicitly enabled. <p> Directives requiring <span class="high italic">periods</span> (timeouts, lifetimes, etc.) can be specified as a single integer (representing seconds, minutes, hours, etc., depending on the directive) or unambiguously using any one of <span class="high italic">minutes:seconds</span>, <span class="high italic">hours:minutes:seconds</span> or <span class="high italic">days-hours:minutes:seconds</span>. <p> Changes to the global configuration file can be validated at the command-line before restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. <div class="blockof code">$ HTTPD /DO=GLOBAL=CHECK </div> <a id="6.1" href="#"></a> <a id="6.1.functionalgroupings" href="#"></a> <a id="functionalgroupings" href="#"></a> <h2 class="head"><span class="numb">6.1</span><span class="text">Functional Groupings</span></h2> <table class="tabl"> <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.1" href="#"></a> <a id="6.1.authenticationauthorization" href="#"></a> <a id="authenticationauthorization" href="#"></a> <h5 class="head under"><span class="text">Authentication/Authorization</span></h5> <tr class="tabr"> <td class="tabd">[AuthBasic] <td class="tabd">enable BASIC method <tr class="tabr"> <td class="tabd">[AuthCacheEntriesMax] <td class="tabd">maximum concurrent authentication cache entries <tr class="tabr"> <td class="tabd">[AuthCacheEntrySize] <td class="tabd">maximum authentication cache entry size in bytes <tr class="tabr"> <td class="tabd">[AuthCacheMinutes] <td class="tabd">minutes before explicitly reauthorizing user from sources <tr class="tabr"> <td class="tabd">[AuthDigest] <td class="tabd">enable DIGEST method <tr class="tabr"> <td 
class="tabd">[AuthDigestGetLife] <td class="tabd">DIGEST method GET lifetime <tr class="tabr"> <td class="tabd">[AuthDigestPutLife] <td class="tabd">DIGEST method PUT lifetime <tr class="tabr"> <td class="tabd">[AuthFailureLimit] <td class="tabd">retries allowed before username is marked as intruder <tr class="tabr"> <td class="tabd">[AuthFailurePeriod] <td class="tabd">period during which failure limit is applied <tr class="tabr"> <td class="tabd">[AuthFailureTimeout] <td class="tabd">period during which a recognised authentication failure is applied <tr class="tabr"> <td class="tabd">[AuthRevalidateLoginCookie] <td class="tabd"><span class="high italic">Obsolete for WASD v10.2.1 and following.</span> <tr class="tabr"> <td class="tabd">[AuthRevalidateUserMinutes] <td class="tabd">minutes before user needs to reenter password <tr class="tabr"> <td class="tabd">[AuthSysUafAcceptExpPwd] <td class="tabd">accept expired SYSUAF passwords <tr class="tabr"> <td class="tabd">[AuthSysUafLogonType] <td class="tabd">LOCAL, DIALUP, NETWORK (default), REMOTE <tr class="tabr"> <td class="tabd">[AuthSysUafPwdExpURL] <td class="tabd">redirection URL if SYSUAF password is expired <tr class="tabr"> <td class="tabd">[AuthSysUafUseAcme] <td class="tabd"><span class="high italic">Obsolete for WASD V9.3 and following.</span> <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.2" href="#"></a> <a id="6.1.buffersizes" href="#"></a> <a id="buffersizes" href="#"></a> <h5 class="head under"><span class="text">Buffer Sizes</span></h5> <tr class="tabr"> <td class="tabd">[BufferQuotaDclOutput] <td class="tabd">allows sizing of script process SYS$OUTPUT mailbox quota <tr class="tabr"> <td class="tabd">[BufferSizeDclCgiHeader] <td class="tabd">number of bytes allocated to when processing a CGI response header <tr class="tabr"> <td class="tabd">[BufferSizeDclCgiPlusIn] <td class="tabd">number of bytes allocated to scripting process CGIPLUSIN mailbox <tr class="tabr"> <td
class="tabd">[BufferSizeDclCommand] <td class="tabd">bytes allocated to scripting process SYS$COMMAND mailbox <tr class="tabr"> <td class="tabd">[BufferSizeDclOutput] <td class="tabd">bytes allocated to scripting process SYS$OUTPUT mailbox <tr class="tabr"> <td class="tabd">[BufferSizeNetFile] <td class="tabd">maximum bytes allocated to output buffer when transfering file content <tr class="tabr"> <td class="tabd">[BufferSizeNetMTU] <td class="tabd">adjust network buffer to this value of MTU (maximum transmission unit) <tr class="tabr"> <td class="tabd">[BufferSizeNetRead] <td class="tabd">bytes allocated to client request read buffer, and to the scripting process SYS$INPUT mailbox <tr class="tabr"> <td class="tabd">[BufferSizeNetWrite] <td class="tabd">bytes allocated to client output buffer <tr class="tabr"> <td class="tabd">[SocketSizeRcvBuf] <td class="tabd">bytes allocated to a network connection receive buffer <tr class="tabr"> <td class="tabd">[SocketSizeSndBuf] <td class="tabd">bytes allocated to network connection send buffer <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.3" href="#"></a> <a id="6.1.contenttype" href="#"></a> <a id="contenttype" href="#"></a> <h5 class="head under"><span class="text">Content-Type</span></h5> <tr class="tabr"> <td class="tabd">[AddType] <td class="tabd">add a content-type <tr class="tabr"> <td class="tabd">[AddMimeTypesFile] <td class="tabd">add the contents of a standard MIME.TYPES file <tr class="tabr"> <td class="tabd">[CharsetConvert] <td class="tabd">conversion of one character set to another <tr class="tabr"> <td class="tabd">[CharsetDefault] <td class="tabd">default character set for text responses <tr class="tabr"> <td class="tabd">[StreamLF] <td class="tabd">enable and set maximum size of automatic Stream-LF conversion <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.4" href="#"></a> <a id="6.1.directorylisting" href="#"></a> <a id="directorylisting" href="#"></a> <h5 class="head 
under"><span class="text">Directory Listing</span></h5> <tr class="tabr"> <td class="tabd">[AddIcon] <td class="tabd">path to icon for a specified content-type <tr class="tabr"> <td class="tabd">[AddBlankIcon] <td class="tabd">path to blank icon <tr class="tabr"> <td class="tabd">[AddDefaultIcon] <td class="tabd">path to default icon <tr class="tabr"> <td class="tabd">[AddDirIcon] <td class="tabd">path to directory icon <tr class="tabr"> <td class="tabd">[AddParentIcon] <td class="tabd">path to parent icon <tr class="tabr"> <td class="tabd">[AddUnknownIcon] <td class="tabd">path to icon for unknown content-type <tr class="tabr"> <td class="tabd">[DirAccess] <td class="tabd">enable and form of listing <tr class="tabr"> <td class="tabd">[DirBodyTag] <td class="tabd">specify HTML body tag of listing pages <tr class="tabr"> <td class="tabd">[DirDescriptionLines] <td class="tabd">number of HTML file lines searched for document title <tr class="tabr"> <td class="tabd">[DirLayout] <td class="tabd">layout of the various listing components <tr class="tabr"> <td class="tabd">[DirMetaInfo] <td class="tabd">add server and VMS directory information <tr class="tabr"> <td class="tabd">[DirNoImpliedWildcard] <td class="tabd">do not add wildcards to request if not present in path <tr class="tabr"> <td class="tabd">[DirNoPrivIgnore] <td class="tabd">ignore, do not report, privilege violations on files/directories <tr class="tabr"> <td class="tabd">[DirOwner] <td class="tabd">allow owner of file to be included in layout directive <tr class="tabr"> <td class="tabd">[DirPreExpired] <td class="tabd">pre-expire listing responses <tr class="tabr"> <td class="tabd">[DirReadMeFile] <td class="tabd">specify read-me files <tr class="tabr"> <td class="tabd">[DirWildcard] <td class="tabd">allow wildcards to be specified at all <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.5" href="#"></a> <a id="6.1.filecache" href="#"></a> <a id="filecache" href="#"></a> <h5 class="head 
under"><span class="text">File Cache</span></h5> <tr class="tabr"> <td class="tabd">[CacheChunkKBytes] <td class="tabd">memory block allocation size <tr class="tabr"> <td class="tabd">[CacheEntriesMax] <td class="tabd">maximum number of files allowed in cache <tr class="tabr"> <td class="tabd">[CacheFileKBytesMax] <td class="tabd">maximum size of a file <tr class="tabr"> <td class="tabd">[CacheFrequentHits] <td class="tabd">identify active files <tr class="tabr"> <td class="tabd">[CacheFrequentPeriod] <td class="tabd">identify active file <tr class="tabr"> <td class="tabd">[CacheGuardPeriod] <td class="tabd">prevent early reloads <tr class="tabr"> <td class="tabd">[CacheTotalKBytesMax] <td class="tabd">maximum memory to be consumed by cache <tr class="tabr"> <td class="tabd">[CacheValidatePeriod] <td class="tabd">maximum period before the cache checks for file modification <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.6" href="#"></a> <a id="6.1.http2" href="#"></a> <a id="http2" href="#"></a> <h5 class="head under"><span class="text">HTTP/2</span></h5> <tr class="tabr"> <td class="tabd">[Http2Protocol] <td class="tabd">enables/disables HTTP/2 on a global basis <tr class="tabr"> <td class="tabd">[Http2FrameSizeMax] <td class="tabd">maximum number of bytes in an HTTP/2 frame <tr class="tabr"> <td class="tabd">[Http2HeaderListMax] <td class="tabd">maximum number of bytes in a request or response header <tr class="tabr"> <td class="tabd">[Http2HeaderTableSize] <td class="tabd">maximum number of bytes in a request lookup table <tr class="tabr"> <td class="tabd">[Http2PingSeconds] <td class="tabd">period between RTT server-client pings <tr class="tabr"> <td class="tabd">[Http2StreamMax] <td class="tabd">number of concurrent streams (requests) permitted on a connection <tr class="tabr"> <td class="tabd">[Http2InitWindowSize] <td class="tabd">initial connection flow-control window size <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.7" 
href="#"></a> <a id="6.1.logging" href="#"></a> <a id="logging" href="#"></a> <h5 class="head under"><span class="text">Logging</span></h5> <tr class="tabr"> <td class="tabd">[Logging] <td class="tabd">enable logging <tr class="tabr"> <td class="tabd">[LogExcludeHosts] <td class="tabd">hosts to be excluded from log <tr class="tabr"> <td class="tabd">[LogExtend] <td class="tabd">default allocation/extend in blocks <tr class="tabr"> <td class="tabd">[LogFile] <td class="tabd">provides part or all of log file name <tr class="tabr"> <td class="tabd">[LogFormat] <td class="tabd">nature and layout of log contents <tr class="tabr"> <td class="tabd">[LogNaming] <td class="tabd">how the log name is to be constructed <tr class="tabr"> <td class="tabd">[LogPeriod] <td class="tabd">period at which new logs are created <tr class="tabr"> <td class="tabd">[LogPerInstance] <td class="tabd">create a separate log for each instance process <tr class="tabr"> <td class="tabd">[LogPerService] <td class="tabd">create a separate log for each configured service <tr class="tabr"> <td class="tabd">[LogPerServiceHostOnly] <td class="tabd">suppress service port number as component of log name <tr class="tabr"> <td class="tabd">[LogWriteFail503] <td class="tabd">generate 503 responses if the access log cannot be written <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.8" href="#"></a> <a id="6.1.operatorconsoleandlog" href="#"></a> <a id="operatorconsoleandlog" href="#"></a> <h5 class="head under"><span class="text">Operator Console and Log</span></h5> <tr class="tabr"> <td class="tabd">[OpcomAdmin] <td class="tabd">Server Administration directives <tr class="tabr"> <td class="tabd">[OpcomAuthorization] <td class="tabd">authentication/authorization messages, e.g. failures <tr class="tabr"> <td class="tabd">[OpcomControl] <td class="tabd">CLI HTTPd control directives <tr class="tabr"> <td class="tabd">[OpcomHTTPd] <td class="tabd">HTTPd events (e.g.
startup, exit, SSL private key password requests) <tr class="tabr"> <td class="tabd">[OpcomProxyMaint] <td class="tabd">proxy file cache maintenance <tr class="tabr"> <td class="tabd">[OpcomTarget] <td class="tabd">target operator for online messages <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.9" href="#"></a> <a id="6.1.miscellaneous" href="#"></a> <a id="miscellaneous" href="#"></a> <h5 class="head under"><span class="text">Miscellaneous</span></h5> <tr class="tabr"> <td class="tabd">[Accept] <td class="tabd">restrictive list of hosts from which to accept requests <tr class="tabr"> <td class="tabd">[ActivityDays] <td class="tabd">activity graph duration <tr class="tabr"> <td class="tabd">[ConnectMax] <td class="tabd">maximum number of concurrent connections <tr class="tabr"> <td class="tabd">[DNSLookupClient] <td class="tabd">enable client host name lookup <tr class="tabr"> <td class="tabd">[DNSLookupLifeTime] <td class="tabd">host name lookup cache entry lifetime <tr class="tabr"> <td class="tabd">[DNSLookupRetry] <td class="tabd">number of two-second attempts to resolve client host name <tr class="tabr"> <td class="tabd">[EntityTag] <td class="tabd">provide a strong validator for file-system based resources <tr class="tabr"> <td class="tabd">[GzipAccept] <td class="tabd">advertise acceptance of GZIP (deflated) request bodies <tr class="tabr"> <td class="tabd">[GzipFlush] <td class="tabd">period between GZIP buffer flushes <tr class="tabr"> <td class="tabd">[GzipResponse] <td class="tabd">enable GZIP (deflated) response bodies <tr class="tabr"> <td class="tabd">[InstanceMax] <td class="tabd">number of per-node server processes to maintain <tr class="tabr"> <td class="tabd">[InstancePassive] <td class="tabd">start multiple instances already in <span class="high italic">passive</span> mode <tr class="tabr"> <td class="tabd">[Monitor] <td class="tabd">enable HTTPDMON data exchange <tr class="tabr"> <td class="tabd">[PipelineRequests] <td 
class="tabd">check for and process pipelined requests <tr class="tabr"> <td class="tabd">[Port] <td class="tabd">default port <tr class="tabr"> <td class="tabd">[ProcessMax] <td class="tabd">maximum number of concurrent requests being processed <tr class="tabr"> <td class="tabd">[PutBinaryRFM] <td class="tabd">record format of uploaded file <tr class="tabr"> <td class="tabd">[PutMaxKBytes] <td class="tabd">maximum size of a POST or PUT <tr class="tabr"> <td class="tabd">[PutVersionLimit] <td class="tabd">maximum RMS file versions retained in a POST or PUT <tr class="tabr"> <td class="tabd">[RegEx] <td class="tabd">enable regular expression matching <tr class="tabr"> <td class="tabd">[Reject] <td class="tabd">proscriptive list of hosts from which request will be rejected <tr class="tabr"> <td class="tabd">[RequestHistory] <td class="tabd">number of requests kept for request report <tr class="tabr"> <td class="tabd">[SearchScript] <td class="tabd">path to default search script <tr class="tabr"> <td class="tabd">[SearchScriptExclude] <td class="tabd">list of file extensions excluded from implied keyword search <tr class="tabr"> <td class="tabd">[Service] <td class="tabd">list of host names and/or port to create services for <span class="high bold"><span class="high italic">(deprecated)</span></span> <tr class="tabr"> <td class="tabd">[ServiceNotFoundURL] <td class="tabd">redirection URL when a request service is not configured <tr class="tabr"> <td class="tabd">[Welcome] <td class="tabd">list of file names that are checked for as home pages <tr class="tabr"> <td class="tabd">[WWWimplied] <td class="tabd">virtual services <span class="high italic">host.name</span> and <span class="high italic">www.host.name</span> are treated as synonyms <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.10" href="#"></a> <a id="6.1.proxyserving" href="#"></a> <a id="proxyserving" href="#"></a> <h5 class="head under"><span class="text">Proxy Serving</span></h5> <tr 
class="tabr"> <td class="tabd">[ProxyCache] <td class="tabd">enable proxy caching <tr class="tabr"> <td class="tabd">[ProxyCacheFileKBytesMax] <td class="tabd">maximum size of response for caching <tr class="tabr"> <td class="tabd">[ProxyCacheDeviceCheckMinutes] <td class="tabd">minutes between check of cache device usage <tr class="tabr"> <td class="tabd">[ProxyCacheDeviceDirOrg] <td class="tabd">flat 256 or 64x64 directory organization <tr class="tabr"> <td class="tabd">[ProxyCacheDeviceMaxPercent] <td class="tabd">maximum percentage of cache device used before purge <tr class="tabr"> <td class="tabd">[ProxyCacheDevicePurgePercent] <td class="tabd">during purge reduce by this many percent <tr class="tabr"> <td class="tabd">[ProxyConnectPersistMax] <td class="tabd">connection persistence for this number of connections <tr class="tabr"> <td class="tabd">[ProxyConnectPersistSeconds] <td class="tabd">connections persist for this number of seconds <tr class="tabr"> <td class="tabd">[ProxyConnectTimeoutSeconds] <td class="tabd">the proxy to origin server connect times-out after this number of seconds <tr class="tabr"> <td class="tabd">[ProxyNegativeSeconds] <td class="tabd">cache negative (failure) responses for this period <tr class="tabr"> <td class="tabd">[ProxyCacheNoReloadSeconds] <td class="tabd">prevent pragma reloads for this period <tr class="tabr"> <td class="tabd">[ProxyCachePurgeList] <td class="tabd">list of file ages used during purge <tr class="tabr"> <td class="tabd">[ProxyCacheReloadList] <td class="tabd">list of file ages before realod from source <tr class="tabr"> <td class="tabd">[ProxyCacheRoutineHourOfDay] <td class="tabd">hour of day routine cache purge occurs <tr class="tabr"> <td class="tabd">[ProxyForwarded] <td class="tabd">add "Forwarded:" to requests <tr class="tabr"> <td class="tabd">[ProxyHostLookupRetryCount] <td class="tabd">DNS resolution retry count <tr class="tabr"> <td class="tabd">[ProxyReportLog] <td class="tabd">report failures 
to process log <tr class="tabr"> <td class="tabd">[ProxyReportCacheLog] <td class="tabd">report cache failures to process log <tr class="tabr"> <td class="tabd">[ProxyServing] <td class="tabd">enable proxy server <tr class="tabr"> <td class="tabd">[ProxyVerifyRecordMax] <td class="tabd">enable proxy verification <tr class="tabr"> <td class="tabd">[ProxyXForwardedFor] <td class="tabd">add "X-Forwarded-For:" to requests <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.11" href="#"></a> <a id="6.1.reports" href="#"></a> <a id="reports" href="#"></a> <h5 class="head under"><span class="text">Reports</span></h5> <tr class="tabr"> <td class="tabd">[ErrorReportPath] <td class="tabd">path to script, SSI or "flat" error document <tr class="tabr"> <td class="tabd">[ErrorRecommend] <td class="tabd">for server generated error include probable cause <tr class="tabr"> <td class="tabd">[ReportBasicOnly] <td class="tabd">only ever generate reports containing basic details <tr class="tabr"> <td class="tabd">[ReportMetaInfo] <td class="tabd">add server information to directory listings, etc. 
<tr class="tabr"> <td class="tabd">[ServerAdmin] <td class="tabd">email address for server-related contact <tr class="tabr"> <td class="tabd">[ServerAdminBodyTag] <td class="tabd">specify HTML body tag of Server Administration (menu) pages <tr class="tabr"> <td class="tabd">[ServerReportBodyTag] <td class="tabd">specify HTML body tag of error and other report pages <tr class="tabr"> <td class="tabd">[ServerSignature] <td class="tabd">add server information to the foot of error and other report pages <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.12" href="#"></a> <a id="6.1.timeout" href="#"></a> <a id="timeout" href="#"></a> <h5 class="head under"><span class="text">Timeout</span></h5> <tr class="tabr"> <td class="tabd">[TimeoutHttp2Idle] <td class="tabd">period an HTTP/2 connection remains without processing a request <tr class="tabr"> <td class="tabd">[TimeoutInput] <td class="tabd">period a connection can wait before sending request <tr class="tabr"> <td class="tabd">[TimeoutNoProgress] <td class="tabd">period a response can continue without data transfer progress <tr class="tabr"> <td class="tabd">[TimeoutOutput] <td class="tabd">period a response can continue to output <tr class="tabr"> <td class="tabd">[TimeoutPersistent] <td class="tabd">period a connection is kept active after request conclusion <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.13" href="#"></a> <a id="6.1.scripting" href="#"></a> <a id="scripting" href="#"></a> <h5 class="head under"><span class="text">Scripting</span></h5> <tr class="tabr"> <td class="tabd">[CgiStrictOutput] <td class="tabd">script output must be CGI compliant <tr class="tabr"> <td class="tabd">[DclBitBucketTimeout] <td class="tabd">period a script continues after a client prematurely disconnects <tr class="tabr"> <td class="tabd">[DclCgiPlusLifeTime] <td class="tabd">period of non-use before CGIplus process is deleted <tr class="tabr"> <td class="tabd">[DclCleanupScratchMinutesMax] <td 
class="tabd">maximum minutes between WASD_SCRATCH cleanups <tr class="tabr"> <td class="tabd">[DclCleanupScratchMinutesOld] <td class="tabd">cleanup files older than this <tr class="tabr"> <td class="tabd">[DclDetachProcess] <td class="tabd">use detached scripting processes rather than subprocesses <tr class="tabr"> <td class="tabd">[DclGatewayBG] <td class="tabd">enable raw TCP/IP socket for scripts <tr class="tabr"> <td class="tabd">[DclHardLimit] <td class="tabd">maximum number of concurrent processes <tr class="tabr"> <td class="tabd">[DclScriptProctor] <td class="tabd">proactive script and scripting environment startup <tr class="tabr"> <td class="tabd">[DclScriptRunTime] <td class="tabd">script execution environment <tr class="tabr"> <td class="tabd">[DclSoftLimit] <td class="tabd">maximum number of processes before proactive deletion begins <tr class="tabr"> <td class="tabd">[DclSpawnAuthPriv] <td class="tabd">spawn subprocesses with account's authorized privileges <tr class="tabr"> <td class="tabd">[DclZombieLifeTime] <td class="tabd">period of non-use before a CGI/CLI process is deleted <tr class="tabr"> <td class="tabd">[DECnetReuseLifeTime] <td class="tabd">period of non-use before a DECnet process is released <tr class="tabr"> <td class="tabd">[DECnetConnectListMax] <td class="tabd">maximum number of DECnet processes <tr class="tabr"> <td class="tabd">[Scripting] <td class="tabd">enables and disables all scripting <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.14" href="#"></a> <a id="6.1.securesocket" href="#"></a> <a id="securesocket" href="#"></a> <h5 class="head under"><span class="text">Secure Socket</span></h5> <tr class="tabr"> <td class="tabd">[SecureSocket] <td class="tabd">enable Secure Socket (TLS/SSL) (if built with SSL) <tr class="tabr"> <td class="tabd">[SSLcert] <td class="tabd">server certificate file <tr class="tabr"> <td class="tabd">[SSLcipherList] <td class="tabd">list of enabled/disable ciphers <tr class="tabr"> <td 
class="tabd">[SSLinstanceCacheMax] <td class="tabd">multiple instance shared session cache maximum number of records <tr class="tabr"> <td class="tabd">[SSLinstanceCacheSize] <td class="tabd">multiple instance shared session cache size of record <tr class="tabr"> <td class="tabd">[SSLkey] <td class="tabd">server certificate private key <tr class="tabr"> <td class="tabd">[SSLoptions] <td class="tabd">options flags <tr class="tabr"> <td class="tabd">[SSLsessionCacheMax] <td class="tabd">session cache maximum records <tr class="tabr"> <td class="tabd">[SSLsessionLifetime] <td class="tabd">session lifetime <tr class="tabr"> <td class="tabd">[SSLstrictTransSec] <td class="tabd">HSTS maximum age in seconds <tr class="tabr"> <td class="tabd">[SSLverifyPeer] <td class="tabd">verify client certificate <tr class="tabr"> <td class="tabd">[SSLverifyPeerDataMax] <td class="tabd">maximum kBytes of request data buffered during renegotiation <tr class="tabr"> <td class="tabd">[SSLverifyPeerCAFile] <td class="tabd">file of accepted CAs <tr class="tabr"> <td class="tabd">[SSLverifyPeerDepth] <td class="tabd">depth of certificate chain <tr class="tabr"> <td class="tabd">[SSLversion] <td class="tabd">TLS/SSL protocol versions supported <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.15" href="#"></a> <a id="6.1.serversideincludes" href="#"></a> <a id="serversideincludes" href="#"></a> <h5 class="head under"><span class="text">Server Side Includes</span></h5> <tr class="tabr"> <td class="tabd">[SSI] <td class="tabd">enable Server Side Includes (SSI) <tr class="tabr"> <td class="tabd">[SSIaccesses] <td class="tabd">allow access counting <tr class="tabr"> <td class="tabd">[SSIexec] <td class="tabd">allow DCL commands <tr class="tabr"> <td class="tabd">[SSIsizeMax] <td class="tabd">maximum source file size <tr class="tabr"> <td class="tabd" colspan="2"><a id="6.1.0.0.16" href="#"></a> <a id="6.1.webdav" href="#"></a> <a id="webdav" href="#"></a> <h5 class="head under"><span 
class="text">WebDAV</span></h5> <tr class="tabr"> <td class="tabd">[WebDAV] <td class="tabd">enable WebDAV support <tr class="tabr"> <td class="tabd">[WebDAVCollectionDepth] <td class="tabd">test locking to this depth <tr class="tabr"> <td class="tabd">[WebDAVlocking] <td class="tabd">enable WebDAV locking <tr class="tabr"> <td class="tabd">[WebDAVlockingTimeoutDefault] <td class="tabd">set default lock timeout <tr class="tabr"> <td class="tabd">[WebDAVlockingTimeoutMax] <td class="tabd">set maximumg lock timeout <tr class="tabr"> <td class="tabd">[WebDAVmetaDir] <td class="tabd">location of metadata <tr class="tabr"> <td class="tabd">[WebDAVquota] <td class="tabd">enable disk quota reporting </table> <a id="6.2" href="#"></a> <a id="6.2.alphabeticlisting" href="#"></a> <a id="alphabeticlisting" href="#"></a> <h2 class="head"><span class="numb">6.2</span><span class="text">Alphabetic Listing</span></h2> <ol class="list"> <li class="item"> <span class="high bold">[Accept] <span class="high italic">host/domain name</span></span> <span class="high italic">(default: all)</span> <p> One or more (comma-separated if on the same line) internet host/domain names, with "*" wildcarding for host/subdomain matching, to be explicitly allowed access. If DNS lookup is not enabled hosts must be expressed using literal addresses (see [DNSLookup] directive). Also see the [Reject] directive. Reject directives have precedence over Accept directives. The Accept directive may be used multiple times. <div class="blockof code">[Accept] *.www.example.com 131.185.250.* </div> <li class="item"> <span class="high bold">[ActivityDays] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Specifies the number of days to record activity statistics, available in report form from the Server Administration facility. Zero disables this data collection. The maximum is 28 days. 11520 bytes per day, and 80640 per week, is required to store the per-minute data. 
<li class="item"> <span class="high bold">[AddIcon] <span class="high italic">icon-URL</span> <span class="high italic">ALT-text</span> <span class="high italic">template</span> <span class="high italic">(no default)</span> </span> <p> Specifies a directory listing icon and alternative text for the mime content type specified in the template. <div class="blockof code">[AddIcon] /icon/-/doc.gif [HTM] text/html /icon/-/text.gif [TXT] text/plain /icon/-/image.gif [IMG] image/gif </div> <li class="item"> <span class="high bold">[AddBlankIcon] <span class="high italic">icon-URL</span></span> <br> <span class="high bold">[AddDefaultIcon] <span class="high italic">icon-URL</span> <span class="high italic">ALT-text</span></span> <br> <span class="high bold">[AddDirIcon] <span class="high italic">icon-URL</span> <span class="high italic">ALT-text</span></span> <br> <span class="high bold">[AddParentIcon] <span class="high italic">icon-URL</span> <span class="high italic">ALT-text</span></span> <br> <span class="high bold">[AddUnknownIcon] <span class="high italic">icon-URL</span> <span class="high italic">ALT-text</span></span> <span class="high italic">(no defaults)</span> <p> Specifies a directory listing icon for these non-content-type parts of the listing. <div class="blockof code">[AddBlankIcon] /icon/-/blank.gif _____ [AddDefaultIcon] /icon/-/file.gif [FIL] [AddDirIcon] /icon/-/dir.gif [DIR] [AddParentIcon] /icon/-/back.gif [<--] [AddUnknownIcon] /icon/-/unknown.gif [???] </div> <li class="item"> <span class="high bold">[AddMimeTypesFile] <span class="high italic">file specification</span> </span> <span class="high italic">(no default)</span> <p> Add the content-types of a (de facto) standard MIME.TYPES file to the already configured [AddType] content-types. This binds a file suffix (extension, type) to a MIME content-type. Any specification in this file will supercede any previously defined via [AddType]. 
A MIME.TYPES file looks something like <div class="blockof code"># MIME type Extension application/msword doc application/octet-stream bin dms lha lzh exe class application/oda oda application/pdf pdf application/postscript ai eps ps application/rtf rtf </div> <p> The WASD server uses a number of extensions to provide additional information. See <a class="link" href="#2.7.contenttypeconfiguration">2.7 Content-Type Configuration</a>. <li class="item"> <span class="high bold">[AddType] <span class="high italic">suffix</span> <span class="high italic">content-type</span> [<span class="high italic">ftp:</span>] [<span class="high italic">rfm:</span>] [<span class="high italic">script-name</span>] [<span class="high italic">description</span>] </span> <span class="high italic">(no default)</span> <p> Binds a file suffix (extension, type) to a mime content type. The script name is used to auto-script against a specified file type. Use a hyphen as a place-holder and to indicate no auto-script. The description is used as documentation for directory listings. <div class="blockof code">[AddType] .html text/html Web Markup Language .txt text/plain plain text .gif image/gif image (GIF) .hlb text/x-script /Conan VMS Help library .decw$book text/x-script /HyperReader Bookreader book * internal/x-unknown application/octet-stream #* internal/x-unknown text/plain </div> <p> The content-type string may include a specific character set. In this way non-default sets (which is usually ISO-8859-1) can be specified for any particular site or any particular file type. Enclose the content-type string with double-quotation marks. 
<div class="blockof code">[AddType] .html "text/html; charset=ISO-8859-1" HTML (ISO-8859-1) .html_5 "text/html; charset=ISO-8859-5" Cyrillic HTML (ISO-8859-5) .html_r "text/html; charset=KOI8-R" Cyrillic HTML (KOI8-R) .txt "text/plain; charset=ISO-8859-1" plain text (ISO-8859-1) .txt_5 "text/plain; charset=ISO-8859-5" Cyrillic text (ISO-8859-5) .txt_r "text/plain; charset=KOI8-R" Cyrillic text (KOI8-R) </div> <p> To provide additional information for correct handling of FTP transfers the transfer mode can be indicated after the content type using the FTP: keyword. One of three characters is used. An "A" indicates that this file type should be FTP transferred in ASCII mode. An "I" or a "B" indicates that this file type should be FTP transferred in Image (binary) mode. <div class="blockof code">[AddType] .ps application/postscript ftp:A Postscript document </div> <p> To specify a VMS record format for POST or PUT files use the RFM: keyword following the content-type. This record format will always be used when creating the file. The precedence for determining the created file record format is [AddType] RFM:, then any per-path PUT=RFM= mapping rule, then [PutBinaryRFM], then a default of UDF. <div class="blockof code">[AddType] .doc application/msword rfm:STMCR MS Word document </div> <li class="item"> <span class="high bold">[AuthBasic] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables BASIC username authentication. BASIC credentials are only base64-encoded, not encrypted, so this scheme is best confined to Secure Socket (TLS) services. <li class="item"> <span class="high bold">[AuthCacheEntriesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 32)</span> <p> Maximum concurrent authentication cache entries. This needs to be sized adequately to prevent the cache from thrashing (too many attempted entries causing each to spend very little time in the cache before being replaced, only to need to be inserted again with the next attempted access). 
<li class="item"> <span class="high bold">[AuthCacheEntrySize] <span class="high italic">integer</span></span> <span class="high italic">(default: 768)</span> <p> Maximum size of an authentication cache entry. The only reason where this may need to be increased is where a site is using the /PROFILE functionality and one or more accounts have a particularly large number of rights identifiers. <li class="item"> <span class="high bold">[AuthCacheMinutes] <span class="high italic">integer</span></span> <span class="high italic">(default: 60)</span> <p> The number of minutes authentication information is cached before being revalidated from the authentication source. Zero disables caching (with a resultant impact on performance as each request requiring authentication is validated directly from the source). <li class="item"> <span class="high bold">[AuthDigest] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables Digest username authentication. <li class="item"> <span class="high bold">[AuthDigestGetLife] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The number of seconds a digest nonce for a GET request (read) can be used before becoming stale. <li class="item"> <span class="high bold">[AuthDigestPutLife] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The number of seconds a digest nonce for a PUT (/POST/DELETE ... write) request can be used before becoming stale. <li class="item"> <span class="high bold">[AuthFailureLimit] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The number of unsuccessful attempts at authentication before the username is disabled. Once disabled any subsequent attempt is automatically refused without further reference to the authentication source. A disabled username can be reenabled by simply purging the cache. 
Parallels the purpose of SYSGEN parameter LGI_BRK_LIM. <li class="item"> <span class="high bold">[AuthFailurePeriod] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:00)</span> <p> The period during which [AuthFailureLimit] is applied. Parallels the purpose of SYSGEN parameter LGI_BRK_TMO. <li class="item"> <span class="high bold">[AuthFailureTimeout] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:00)</span> <p> The period during which any intrusion aversion is applied. Parallels the purpose of SYSGEN parameter LGI_HID_TIM. <li class="item"> <span class="high bold">[AuthRevalidateUserMinutes] <span class="high italic">integer</span></span> <span class="high italic">(default: 60)</span> <p> The number of minutes between authenticated requests that user authentication remains valid before the user is forced to reenter the authentication information (via browser dialog). Zero disables the requirement for revalidation. <li class="item"> <span class="high bold">[AuthSysUafAcceptExpPwd] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> If a SYSUAF authenticated password has expired (password lifetime has been reached) accept it anyway (in much the same way network logins are accepted in similar circumstances). This is very different to <span class="high italic">account expiry</span>, after which authentication is always rejected. <li class="item"> <span class="high bold">[AuthSysUafLogonType] <span class="high monosp">LOCAL|DIALUP|NETWORK|REMOTE</span></span> <span class="high italic">(default: NETWORK)</span> <p> When SYSUAF authentication is performed <span class="high italic">account access restrictions</span> are checked. By default NETWORK restrictions are used but this global configuration parameter allows another to be specified. 
<li class="item"> <span class="high bold">[AuthSysUafPwdExpURL] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> If a SYSUAF authenticated password is/has expired the request is redirected to this URL to change the password. <li class="item"> <span class="high bold">[AuthSysUafUseAcme]</span> <p> <span class="high italic">Obsolete for WASD V9.3 and following.</span> <li class="item"> <span class="high bold">[BufferQuotaDclOutput] <span class="high italic">integer</span></span> <span class="high italic">(default: [BufferSizeDclOutput] + 256)</span> <p> The number of bytes allocated to script SYS$OUTPUT mailbox capacity. The [BufferSizeDclOutput] sets the maximum record size and [BufferQuotaDclOutput] the total number of bytes that can be outstanding at any given time. <li class="item"> <span class="high bold">[BufferSizeDclCgiHeader] <span class="high italic">integer</span></span> <span class="high italic">(default: 2048)</span> <p> The number of bytes allocated to store and process a script CGI response header. <li class="item"> <span class="high bold">[BufferSizeDclCgiPlusIn] <span class="high italic">integer</span></span> <span class="high italic">(default: 2048)</span> <p> The number of bytes (and hence BYTLM quota) permanently allocated to each scripting process CGIPLUSIN mailbox. <li class="item"> <span class="high bold">[BufferSizeDclCommand] <span class="high italic">integer</span></span> <span class="high italic">(default: 3072)</span> <p> The number of bytes (and hence BYTLM quota) permanently allocated to each scripting process SYS$COMMAND mailbox. <li class="item"> <span class="high bold">[BufferSizeDclOutput] <span class="high italic">integer</span></span> <span class="high italic">(default: 4096)</span> <p> The number of bytes (and hence BYTLM quota) permanently allocated to each scripting process SYS$OUTPUT mailbox. 
<li class="item"> <span class="high bold">[BufferSizeNetFile] <span class="high italic">integer</span></span> <span class="high italic">(default: none)</span> <p> The maximum bytes to be allocated to a buffer when transfering file content. For larger files this can improve both the reading of the file content from disk and when appropriately <span class="high italic">tuned</span> to the local system the transmission of that content to the client, significantly increasing data rates. Limited to the $QIO maximum I/O unit of 65,535 bytes. Bigger is not always necessarily better (in the sense it always improves data rates). <li class="item"> <span class="high bold">[BufferSizeNetMTU] <span class="high italic">integer</span></span> <span class="high italic">(default: none)</span> <p> This more esoteric directive attempts to minimise network buffer transmission wastage by rounding the output buffer size up to the network interface MTU (maximum transmission unit). This can provide small improvements to transmission efficiency. For example a filled buffer of 4096 with an MTU of 1500 sends two 1500 byte packets and then one of 1096 bytes, theoretically wasting some 404 bytes. A potentially better choice of buffer size would be 4500. Setting this directive to 1500 would result in the server automatically rounding a [BufferSizeNetWrite] value (for example) from 4096 up to 4500. <li class="item"> <span class="high bold">[BufferSizeNetRead] <span class="high italic">integer</span></span> <span class="high italic">(default: 2048)</span> <p> The number of bytes allocated to the network read buffer (used for request header, POST body, etc.). Also the number of bytes (and hence BYTLM quota) permanently allocated to each scripting process SYS$INPUT mailbox (allowing a script to read a request body). 
<li class="item"> <span class="high bold">[BufferSizeNetWrite] <span class="high italic">integer</span></span> <span class="high italic">(default: 4096)</span> <p> Number of bytes allocated to the network write buffer. This buffer is used as the basic unit when transfering file contents (from cache or the file system), as an output buffer during SSI pocessing, directory listing, etc. During many activities multiple outputs are buffered into this storage before being written to the network. <li class="item"> <span class="high bold">[Cache] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> File cache control. <li class="item"> <span class="high bold">[CacheChunkKBytes] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Granularity of memory blocks allocated to file data, in kilobytes. <li class="item"> <span class="high bold">[CacheEntriesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Maximum number of files loaded into the cache before entries are reused removing the original contents from the cache. <li class="item"> <span class="high bold">[CacheFileKBytesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Maximum size of a file before it is not a candidate for being cached, in kilobytes. <li class="item"> <span class="high bold">[CacheFrequentHits] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Minimum, total number of hits an entry must sustain before being a candidate for [CacheFrequentPeriod] assessment. 
<li class="item"> <span class="high bold">[CacheFrequentPeriod] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:00)</span> <p> If a file has been hit at least [CacheFrequentHits] times in total and the last was within the period here specified it will not be a candidate for reuse. See <a class="link" href="#9.cacheconfiguration">9. Cache Configuration</a>. <li class="item"> <span class="high bold">[CacheGuardPeriod] <span class="high italic">integer</span></span> <span class="high italic">(default: 15)</span> <p> During this period subsequent <span class="high italic">reloads</span> (no-cache) requests will not result in the entry being revalidated or reloaded. This can guard period can help prevent unnecessary file system activity. <li class="item"> <span class="high bold">[CacheEntriesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> <span class="high italic">Obsolete for WASD V8.0 and following.</span> <li class="item"> <span class="high bold">[CacheTotalKBytesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Maximum memory allocated to the cache, in kilobytes. <li class="item"> <span class="high bold">[CacheValidatePeriod] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:00)</span> <p> The interval after which a cache entry's original, content revision time is revalidated against the file's current revision time. If not the same the contents are declared invalid and reloaded. <li class="item"> <span class="high bold">[CharsetConvert] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Document and CGI script output can be dynamically converted from one character set to another using the standard VMS NCS conversion library. 
This directive provides the server with character set aliases (those that are for all requirements the same) and which NCS conversion function may be used to convert one character set into another. The general format is <div class="blockof code">document-charset accept-charset[,accept-charset..] [NCS-function-name] </div> <p> When this directive is configured the server compares each text response's character set (if any) to each of the directive's <span class="high italic">document charset</span> strings. If it matches it then compares each of the <span class="high italic">accepted charset</span> (if multiple) to the request "Accept-Charset:" list of accepted character sets. If the same it is either accepted as-is or, if a conversion function is specified, converted by NCS as the document is transferred. <div class="blockof code">windows-1251 windows-1251,cp-1251 windows-1251 koi8-r koi8r_to_windows1251_to_koi8r koi8-r koi8-r,koi8 koi8-r windows-1251,cp-1251 koi8r_to_windows1251 </div> <li class="item"> <span class="high bold">[CharsetDefault] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> The default character set sent in the response header for text documents (plain and HTML). English language sites should specify ISO-8859-1, other Latin alphabet sites, ISO-8859-2, 3, etc. Cyrillic sites might wish to specify ISO-8859-5 or KOI8-R, and so on. <li class="item"> <span class="high bold">[CgiStrictOutput] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> A script must output a full HTTP or CGI-compliant response. If a plain-text stream is output an error is reported (being the more common behaviour for servers). Errors in output can be diagnosed using the WATCH facility. 
<li class="item"> <span class="high bold">[ConnectMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 200)</span> <p> The maximum number of concurrent client connections before a "<span class="high italic">server too busy right now ... try again shortly</span>" error is returned to the client. <li class="item"> <span class="high bold">[DclBitBucketTimeout] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 0)</span> <p> Period a script is allowed to continue processing before being terminated after a client prematurely disconnects. An appropriate setting allows most scripts to conclude elegantly and be available for further use. This improves scripting efficiency significantly. Setting this period to zero terminates scripts (and their associated processes) immediately a client is detected as having disconnected. <li class="item"> <span class="high bold">[DclCleanupScratchMinutesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Whenever the last scripting process is removed from the system, or this number of minutes maximum (whichever occurs first), scan the WASD_SCRATCH directory (if the logical is defined and it exists) deleting all files that are older than [DclCleanupScratchMinutesOld] minutes. Setting to zero disables WASD_SCRATCH scans. <li class="item"> <span class="high bold">[DclCleanupScratchMinutesOld] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> When performing a [DclCleanupScratchMinutesMax] scan delete files that are older than this value (or the value specified by [DclCleanupScratchMinutesMax], whichever is the larger). 
<li class="item"> <span class="high bold">[DclCgiPlusLifeTime] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 0)</span> <p> If non-zero the CGIplus process is terminated the specified period after it last processed a request (idle for that period). Adjusting the period to suit the site allows frequently used persistent scripts and scripting engines to remain resident while more sporadically accessed ones do not remain unnecessarily. If this value is zero (or unconfigured) the idle timeout is one hour. <li class="item"> <span class="high bold">[DclDetachProcess] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> By default scripts are executed within server processes. When enabled this instructs the server to create detached processes. This side-steps the issues of having pooled process quotas and also allows non-server-account scripting and in particular "Scripting Overview, Introduction". <li class="item"> <span class="high bold">[DclDetachProcessPriority] <span class="high italic">integer[,integer]</span></span> <span class="high italic">(default: same as server)</span> <p> When detached scripting processes are created it is possible to assign them base priorities lower than the server itself. This directive takes one or two (comma-separated) integers that determine how many priorities lower than the server scripting processes are created. The first integer determines server processes. A second, if supplied, determines user scripts. User scripts may never be a higher priority than server scripts. <div class="blockof code">[DclDetachProcessPriority] 1 [DclDetachProcessPriority] 0,1 [DclDetachProcessPriority] 1,2 </div> The first of these examples would set both server and user script processes one below the server process. The second, server scripts at the same priority and user scripts one below. The last, server scripts one below, and user scripts two below. 
<li class="item"> <span class="high bold">[DclGatewayBG] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When enabled, non-SSL, process script CGI environments have a CGI variable WWW_GATEWAY_BG created containing the device name (BG<span class="high italic">nnnn</span>:) of the TCP/IP socket connected to the client. This socket may be accessed by the script for transmission of data directly to the client, bypassing the server entirely. This is obviously much more efficient for certain classes of script. For purposes of accurate logging the server does need to be informed of the quantity of data transferred using a CGI callout. See "Scripting Environment" document. <li class="item"> <span class="high bold">[DclHardLimit] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The maximum number of DCL/CGI script processing processes that may ever exist concurrently (works in conjunction with [DclSoftLimit]). <li class="item"> <span class="high bold">[DclScriptProctor] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Script proctoring proactively creates and maintains specific persistent scripts and scripting environments (RTEs). It is intended for those environments that have some significant startup latency. <br> See <a class="link blank" target="_blank" href="../scripting/#0.">WASD Web Services - Scripting</a> for further information. <li class="item"> <span class="high bold">[DclScriptRunTime] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> One or more file type (extension) specification and scripting verb pairs. See "Scripting Overview, Runtime". 
<li class="item"> <span class="high bold">[DclSoftLimit] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The number of DCL/CGI script processing processes after which idle processes are deleted to make room for new ones. The [DclHardLimit] should be approximately 25% more than the [DclSoftLimit]. The margin exists to allow for occasional slow run-down of deleted/finishing processes. If these limits are not set (i.e. zero) they are calculated with [ProcessMax] using "[DclSoftLimit] = [ProcessMax]" and "[DclHardLimit] = [DclSoftLimit] + [DclSoftLimit] / 4". <li class="item"> <span class="high bold">[DclSpawnAuthPriv] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> By default, when a DCL/scripting subprocess is spawned it inherits the server's currently enabled privileges, which are <span class="high bold">none</span>, not even TMPMBX or NETMBX. If this parameter is enabled the subprocess is created with the server account's SYSUAF-authorized privileges (which should never be other than NETMBX and TMPMBX). Use with caution. <li class="item"> <span class="high bold">[DclZombieLifeTime] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:00)</span> <p> If this value is zero the use of persistent DCL processes is disabled. If non-zero the <span class="high italic">zombie</span> process is terminated the specified period after it last processed a request. This helps prevent zombie processes from clogging up a system. See "Scripting Environment" document. <li class="item"> <span class="high bold">[DECnetReuseLifeTime] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:00)</span> <p> Period a DECnet scripting connection is maintained with the network task. Zero disables connection reuse. 
<li class="item"> <span class="high bold">[DECnetConnectListMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The size of the list used to manage connections for DECnet scripting. Zero effectively allows the server to use as many DECnet scripting connections as demanded. <li class="item"> <span class="high bold">[DirAccess] <span class="high monosp">ENABLED|DISABLED|SELECTIVE</span></span> <span class="high italic">(default: DISABLED)</span> <p> Controls directory listings. <span class="high monosp">SELECTIVE</span> allows access only to those directories containing a file <span class="high monosp">WWW_BROWSABLE</span>. The WASD HTTPd directory access facility always ignores directories containing a file named <span class="high monosp">WWW_HIDDEN</span>. Also see the [DirWildcard] directive. <li class="item"> <span class="high bold">[DirBodyTag] <span class="high italic">string</span></span> <span class="high italic">(default: <BODY>)</span> <p> Specifies the HTML <BODY> tag for directory listing pages. This allows some measure of site "look-and-feel" in page colour, background, etc. to be employed. <li class="item"> <span class="high bold">[DirDescriptionLines] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Non-Zero enables HTML file descriptions during listings. Generating HTML descriptions involves opening each HTML file and searching for <TITLE>...</TITLE> and <H1>...</H1> text to generate the description. This is an obviously resource-intensive activity and on busy servers or systems may be disabled. Any non-zero number specifies the number of lines to be searched before quitting. Set to a very high number to search all of files' contents (e.g. 999999). 
<li class="item"> <span class="high bold">[DirLayout] <span class="high italic">string</span></span> <span class="high italic">(default: I__L__R__S__D)</span> <p> Allows specification of the directory listing layout. This is a short, case-insensitive string that specifies the included fields, relative placement and optionally the width of the fields in a directory listing. Each field is controlled by a single letter and optional leading decimal number specifying its width. If a width is not specified an appropriate default applies. An underscore is used to indicate a single space and is used to separate the fields (two consecutive works well). <ul class="list simple list0"> <li class="item"> <span class="high bold">C</span> - creation date <li class="item"> <span class="high bold">D</span> - description (generally best specified last) <ul class="list simple list0"> <li class="item"> <span class="high bold">D:L</span> - for files, make a link out of the description text </ul> <li class="item"> <span class="high bold">I</span> - icon (takes no field-width attribute) <ul class="list simple list0"> <li class="item"> <span class="high bold">L</span> - link (highlighted anchor using the name of the file) <li class="item"> <span class="high bold">L:F</span> - file-system name (for ODS-5 displays spaces, etc.) <li class="item"> <span class="high bold">L:N</span> - name-only, do not display the extension <li class="item"> <span class="high bold">L:U</span> - force name to upper-case </ul> <li class="item"> <span class="high bold">N</span> - name (no link, why bother? who knows!) 
<li class="item"> <span class="high bold">O</span> - owner (can be disabled) <li class="item"> <span class="high bold">R</span> - revision date <li class="item"> <span class="high bold">S</span> - size <ul class="list simple list0"> <li class="item"> <span class="high bold">S:B</span> - in bytes (comma-formatted) <li class="item"> <span class="high bold">S:D</span> - decimal kilos (see below) <li class="item"> <span class="high bold">S:F</span> - kilo and mega are displayed to one decimal place <li class="item"> <span class="high bold">S:K</span> - in kilo-bytes (and fractions thereof) <li class="item"> <span class="high bold">S:M</span> - in mega-bytes (and fractions thereof) </ul> <li class="item"> <span class="high bold">U</span> - upper-case file and directory names (must be the first character) </ul> <p> The following shows some examples: <div class="blockof code">[DirLayout] I__L__R__S__D [DirLayout] I__L__R__S:b__D [DirLayout] I__15L__S__D [DirLayout] UI__15L__S__D [DirLayout] 15L__9R__S [DirLayout] 15N_9C_9R_S [DirLayout] I__L__R__S:d__D [DirLayout] 25D:l__S:b__C__R </div> <p> The size of files is displayed by default as 1024 byte kilos. When using the "S:k", "S:m" and "S:f" size modifiers the size is displayed as 1000 byte kilos. If it is prefered to have the default display in 1000 byte kilos then set the directory listing layout using: <div class="blockof code">[DirLayout] I__L__R__S:d__D </div> <p> If unsure of the kilo value being used check the "<META>" information in the directory listing. <li class="item"> <span class="high bold">[DirMetaInfo] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Includes, as <META> information, the software ID of the server and any relevant VMS file information. 
<li class="item"> <span class="high bold">[DirNoImpliedWildcard] <span class="high monosp">ENABLED|DISABLED </span></span> <span class="high italic">(default: DISABLED)</span> <p> When a directory is accessed having no file or type component and there is no welcome page available a directory listing is generated. By default any other directory accessed from this listing has the implied wildcards "*.*" added, consequently forcing directory listings. If enabled, this directive ensures no wildcards are added, so subsequent directories accessed with welcome pages display the pages, not a forced listing. <li class="item"> <span class="high bold">[DirNoPrivIgnore] <span class="high monosp">ENABLED|DISABLED </span></span> <span class="high italic">(default: DISABLED)</span> <p> To prevent browsing through directories (perhaps due to inadvertent mapping) that have file permissions allowing no WORLD access, the server stops listing and reports the error the first time a protection violation occurs. This behaviour may be changed to ignore the violation, listing only those files to which the server has access. <li class="item"> <span class="high bold">[DirOwner] <span class="high monosp">ENABLED|DISABLED</span> </span> <span class="high italic">(default: DISABLED)</span> <p> Allows specification and display of the RMS file owner information. <li class="item"> <span class="high bold">[DirPreExpired] <span class="high monosp">ENABLED|DISABLED</span> <span class="high italic">(default: DISABLED)</span> </span> <p> Directory listings and trees may be <span class="high italic">pre-expired</span>. That is, the listing is reloaded each time the page is referenced. This is convenient in some environments where directory contents change frequently, but adds considerable over-head and so is disabled by default. 
Individual directory listings may have the default behaviour over-ridden using syntax similar to the following examples: <div class="blockof code">/dir1/dir2/*.*?httpd=index?expired=yes /dir1/dir2/*.*?httpd=index?expired=no /tree/dir2/?httpd=index?expired=yes /tree/dir1/dir2/?httpd=index?expired=no </div> <li class="item"> <span class="high bold">[DirReadme] <span class="high monosp">TOP|BOTTOM | OFF</span></span> <span class="high italic">(default: DISABLED)</span> <p> If any of the files provided using the [DirReadMeFile] directive are located in the directory the contents are included at the top or bottom of the listing (or not at all). Plain-text are included as plain-text, HTML are included as HTML allowing markup tags to be employed. <li class="item"> <span class="high bold">[DirReadMeFile] <span class="high monosp">file.suffix</span></span> <span class="high italic">(no default)</span> <p> Specifies the names and order in which a directory is checked for <span class="high italic">read-me</span> files. This can be enabled or disabled using the [DirReadme] directive. Plain-text are included as plain-text, HTML are included as HTML allowing markup tags to be employed. <p> Examples: <div class="blockof code">[DirReadMeFile] readme.html readme.htm readme. readme.txt readme.1st </div> <li class="item"> <span class="high bold">[DirWildcard] <span class="high monosp">OFF|ON</span></span> <span class="high italic">(default: DISABLED)</span> <p> This enables the facility to <span class="high italic">force</span> the server to provide a directory listing by providing a wildcard file specification, even if there is a home (welcome) document in the directory. This should not be confused with the [DirAccess] directive which controls directory listing itself. 
<li class="item"> <span class="high bold">[DNSLookupClient] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables connection request host name resolution. This functionality may be expensive (in terms of processing overhead) and make serving granularity coarser if DNS is involved. If not enabled and logging is, the entry is logged against the literal internet address. If not enabled any [Accept], [Reject] or conditional directive, etc., must be expressed as a literal address. <li class="item"> <span class="high bold">[DNSLookupLifetime] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">default 00:10:00</span> <p> The period for which a host name/address is cached (applies to both client lookup and proxy host lookup). <li class="item"> <span class="high bold">[DNSLookupRetry] <span class="high italic">integer</span></span> <span class="high italic">(default: 2)</span> <p> The number of attempts, at two second intervals, made to resolve a host name/address (applies to both client lookup and proxy host lookup). <li class="item"> <span class="high bold">[EntityTag] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: ENABLED)</span> <p> An entity tag is a client-opaque string used in strong cache validation. WASD generates this using the on-disk file identification (FID) and binary last-modified date-time (RDT). This is then used as a definitive identifier for a specified on-disk resource fixed in file-system space-time (hmmm, sounds like an episode of Star Trek). <li class="item"> <span class="high bold">[ErrorReportPath] <span class="high italic">string [status...]</span></span> <span class="high italic">(default: none)</span> <p> Specifies the <span class="high bold">URL-format path</span> to an optional, error reporting SSI document or script. See <a class="link" href="#2.10.errorreporting">2.10 Error Reporting</a>. 
This path can subsequently be remapped during request processing. Optional, space-separated HTTP status codes restrict the path to those codes, with the remainder handled by server-internal reporting. <li class="item"> <span class="high bold">[ErrorRecommend] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Provides a short message recommending action when reporting an error to a client. For example, if a document cannot be found it may say: <div class="blockof code"><span class="high italic">(document, or bookmark, requires revision)</span> </div> <li class="item"> <span class="high bold">[GzipAccept] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Enables GZIP encoding of request bodies. See <a class="link" href="#2.4.gzipencoding">2.4 GZIP Encoding</a>. <li class="item"> <span class="high bold">[GzipFlushSeconds] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Adjusts the maximum period between GZIP buffer flushes. See <a class="link" href="#2.4.gzipencoding">2.4 GZIP Encoding</a>. <li class="item"> <span class="high bold">[GzipResponse] <span class="high italic">integer</span>[<span class="high italic">integer,integer</span>]</span> <span class="high italic">(default: 0)</span> <p> Enables GZIP encoding (deflation) for suitable requests and responses. Valid values are 1 for minimum compression (and minimum resource usage) through to 9 for maximum compression (and maximum resource usage). The value 9 is recommended. See <a class="link" href="#2.4.gzipencoding">2.4 GZIP Encoding</a>. <li class="item"> <span class="high bold">[Http2Protocol]</span> <span class="high bold">enable</span>|<span class="high bold">disable</span> <span class="high italic">(default: disable)</span> <p> Enable or disable (default) HTTP/2 for all services. The default for a service follows the global setting. 
A service must explicitly disable HTTP/2 if that is required. <li class="item"> <span class="high bold">[Http2FrameSizeMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 65535)</span> <p> The maximum permitted size (in octets) of an HTTP/2 frame sent from the client. <li class="item"> <span class="high bold">[Http2HeaderListMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 65535)</span> <p> The maximum permitted size (in bytes) of a request header sent from the client. <li class="item"> <span class="high bold">[Http2HeaderTableMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 4096)</span> <p> The maximum permitted size (in bytes) of a request header compression table. <li class="item"> <span class="high bold">[Http2PingSeconds] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:05:00)</span> <p> The period at which HTTP/2 pings are sent from the server to the client to calculate the (then) Round Trip Time (RTT) of the connection. <li class="item"> <span class="high bold">[Http2StreamMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 32)</span> <p> Maximum number of concurrent streams (requests) supported by the connection. <li class="item"> <span class="high bold">[Http2InitWindowSize] <span class="high italic">integer</span></span> <span class="high italic">(default: 65535)</span> <p> Initial flow-control window size (in bytes). <li class="item"> <span class="high bold">[InstanceMax] <span class="high italic">integer</span>|<span class="high monosp">CPU</span></span> <span class="high italic">(default: 1)</span> <p> Number of per-node server processes to create and maintain. If set to "CPU" one instance per CPU is created. 
<li class="item"> <span class="high bold">[InstancePassive] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Start a multiple instance server already in <span class="high italic">passive</span> mode. <li class="item"> <span class="high bold">[Logging] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables the request log. Logging can slow down request processing and adds overhead. The log file name must be specified using the /LOG qualifier or WASD_CONFIG_LOG logical name (<a class="link" href="#10.2.logicalnames">‘LOGICAL NAMES’ in 10.2 VMS File System Specifications</a>). <li class="item"> <span class="high bold">[LogExcludeHosts] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> One or more (comma-separated if on the same line) internet host/domain names, with "*" wildcarding for host/subdomain matching, requests from which are not placed in any log files. If DNS lookup is not enabled hosts must be expressed using literal addresses (see [DNSLookup] directive). Use for excluding local or web-maintainer's host from logs. <p> Example: <div class="blockof code">[LogExcludeHosts] *.www.example.com 131.185.250.* </div> <li class="item"> <span class="high bold">[LogExtend] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Number of blocks allocated when a log file is opened or extended. If set to zero it uses the process default (SET RMS_DEFAULT /EXTEND_QUANTITY). <li class="item"> <span class="high bold">[LogFile] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Provides some or all of the access log file name. See <a class="link" href="#2.12.2.logperperiod">2.12.2 Log Per-Period</a>. 
<li class="item"> <span class="high bold">[LogFormat] <span class="high italic">string</span></span> <span class="high italic">(default: COMMON)</span> <p> Specifies one of three pre-defined formats, or a user-definable format. See <a class="link" href="#2.12.1.logformat">2.12.1 Log Format</a>. <li class="item"> <span class="high bold">[LogNaming] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> When [LogPeriod] or [LogPerService] directives are used to generate multiple log files this directive may be used to modify the naming of the file. See <a class="link" href="#2.12.5.lognaming">2.12.5 Log Naming</a>. <li class="item"> <span class="high bold">[LogPeriod] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies a period at which the log file is changed. See <a class="link" href="#2.12.2.logperperiod">2.12.2 Log Per-Period</a>. <li class="item"> <span class="high bold">[LogPerInstance] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When multiple instances are configured (see <a class="link blank" target="_blank" href="../features/#instancesandenvironments">Instances and Environments</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>) create a separate log for each. This has significant performance advantages. See <a class="link" href="#2.12.4.logperinstance">2.12.4 Log Per-Instance</a>. <li class="item"> <span class="high bold">[LogPerService] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When multiple services are specified () a separate log file will be created for each if this is enabled. See <a class="link" href="#2.12.3.logperservice">2.12.3 Log Per-Service</a>. 
<li class="item"> <span class="high bold">[LogPerServiceHostOnly] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When generating a log name do not make the port number part of it. This effectively provides a single log file for all ports provided against a host name (e.g. a standard HTTP service on port 80 and an SSL service on port 443 would have entries in the one file). See <a class="link" href="#2.12.3.logperservice">2.12.3 Log Per-Service</a>. <li class="item"> <span class="high bold">[LogWriteFail503] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> After an access log record fails to write all subsequent requests return a 503 service unavailable response until records can be successfully written again. This can be used to prevent access to server resources unless an access audit log is available. <li class="item"> <span class="high bold">[Monitor] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Allows monitoring via the HTTPDMON utility. Adds slight request processing overhead. <li class="item"> <span class="high bold">[OpcomAdmin] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Report to operator log and any enabled operator console (see [OpcomTarget]) server administration directives originating from the Server Administration Menu, for example path map reload, server restart, etc. <li class="item"> <span class="high bold">[OpcomAuthorization] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Report events related to authentication/authorization. For example username-password validation failures. 
<li class="item"> <span class="high bold">[OpcomControl] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Report HTTPD/DO=<span class="high italic">directive</span> control events, both the command-line directive and the server's response. <li class="item"> <span class="high bold">[OpcomHTTPd] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Report events concerning the server itself. For example, server startup and exit (either normally or with error status). <li class="item"> <span class="high bold">[OpcomProxyMaint] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Report events related to proxy server cache maintenance. For example, the commencement of file cache reactive and proactive purging, the conclusion of this purge, both with cache device statistics. <li class="item"> <span class="high bold">[OpcomTarget] <span class="high italic">string</span></span> <span class="high italic">(default: DISABLED)</span> <p> This enables OPCOM messaging and specifies the target for the OPCOM reports. This must be set to a target to enable OPCOM messages, irrespective of the setting of any of the other [Opcom...] directives. These messages are added to SYS$MANAGER:OPERATOR.LOG and displayed at the specified operator's console if enabled (using REPLY/ENABLE=target). The operator log provides a "permanent" record of server events. Possible settings include CENTRAL, NETWORK, SECURITY, OPER1 … OPER12, etc. <li class="item"> <span class="high bold">[PipelineRequests] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: ENABLED)</span> <p> Pipelining refers to multiple requests being sent over an assumed persistent connection without waiting for the response from previous requests. 
Such behaviour with capable clients and servers can significantly reduce response latency. <li class="item"> <span class="high bold">[Port] <span class="high italic">integer</span></span> <span class="high italic">(default: 80)</span> <p> IP port number for server to bind to. For anything other than a command-line server control this parameter is overridden by anything supplied via the [Service] <span class="high bold"><span class="high italic">(deprecated)</span></span> directive. <li class="item"> <span class="high bold">[ProcessMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 100)</span> <p> The maximum number of concurrent client request being processed before a "<span class="high italic">server too busy right now ... try again shortly</span>" error is returned to the client. If not explicitly set this defaults to the same value as [ConnectMax]. This directive allows a larger number of persistent connections to be maintained than are concurrently being processed at any given moment. <li class="item"> <span class="high bold">[ProxyCache] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables proxy caching on a whole-of-server basis, irrespective of any proxy services that might be configured for caching. <li class="item"> <span class="high bold">[ProxyCacheFileKBytesMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 256)</span> <p> Maximum size of a cache file in kilobytes before it will not be cached. <li class="item"> <span class="high bold">[ProxyCacheNegativeSeconds] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:05:00)</span> <p> Negative (unsuccessful) responses are cached for this period. 
<li class="item"> <span class="high bold">[ProxyCacheRoutineHourOfDay] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Hour of day for <span class="high italic">routine</span> cache purge (00-23). <li class="item"> <span class="high bold">[ProxyCacheDeviceCheckMinutes] <span class="high italic">integer</span></span> <span class="high italic">(default: 15)</span> <p> Interval in minutes between checking space availability on cache device. If space is not available a <span class="high italic">reactive</span> purge is initiated. <li class="item"> <span class="high bold">[ProxyCacheDeviceDirOrg] <span class="high monosp">FLAT256|64X64</span></span> <span class="high italic">(default: FLAT256)</span> <p> Organization of directories on the proxy cache device. The first provides a single level structure with a possible 256 directories at the top level and files organized immediately below these. For versions of VMS prior to V7.2 exceeding 256 files per directory, or a total of approximately 65,000 files, incurs a significant performance penalty for some directory operations. The second organization involves two levels of directory, each with a maximum of 64 directories. This allows for approximately 1,000,000 files before encountering the 256 files per directory issue. <li class="item"> <span class="high bold">[ProxyCacheDeviceMaxPercent] <span class="high italic">integer</span></span> <span class="high italic">(default: 85)</span> <p> The maximum percentage in use on the cache device before a <span class="high italic">reactive</span> purge is scheduled. If device usage exceeds this limit no more cache files are created. 
<li class="item"> <span class="high bold">[ProxyCacheDevicePurgePercent] <span class="high italic">integer</span></span> <span class="high italic">(default: 1)</span> <p> The percentage by which the cache device usage is attempted to be reduced when a <span class="high italic">reactive</span> purge is initiated. <li class="item"> <span class="high bold">[ProxyCacheNoReloadSeconds] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Prevents pragma reloads actually retrieving the file from the source host again until the period expires. This is designed to limit concurrent or repeated reloads of files into the cache unecessarily. Thirty seconds is probably an adequate period balancing effect against a user legitimately needing to recache the document. <li class="item"> <span class="high bold">[ProxyCachePurgeList] <span class="high italic">string</span></span> <span class="high italic">(default: 168,48,24,8,0)</span> <p> A list of comma-separated integers representing the sequence of last accessed period in hours used during a progressive <span class="high italic">reactive</span> purge. <li class="item"> <span class="high bold">[ProxyCacheReloadList] <span class="high italic">string</span></span> <span class="high italic">(default: 1,2,4,8,12,24,48,96,168)</span> <p> A list of comma-separated integers representing the sequence of age in hours used when determining whether a cache file's contents should be reloaded. <li class="item"> <span class="high bold">[ProxyConnectPersistMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 100)</span> <p> The maximum number of established connections that are maintained to remote servers. <li class="item"> <span class="high bold">[ProxyConnectPersistSeconds] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:30)</span> <p> Period for which the established connections persist. 
At expiry the connection is closed. <li class="item"> <span class="high bold">[ProxyConnectTimeoutSeconds] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:00:30)</span> <p> Period for which the proxy server will attempt to establish a network connection to the origin (remote) server. <li class="item"> <span class="high bold">[ProxyForwarded] <span class="high monosp">BY|DISABLED|FOR|ADDRESS</span></span> <span class="high italic">(default: DISABLED)</span> <p> BY enables the addition of a proxy request header line providing information that the request has been forwarded by another agent. The added header line would look like "Forwarded: by http://server.name.domain (HTTPd-WASD/n.n.n OpenVMS/AXP Digital-TCPIP SSL)". If the FOR variant is used the field includes the host name (or ADDRESS) the request is being forwarded on behalf of, as in "Forwarded: by http://server.name.domain (HTTPd-WASD/n.n.n OpenVMS/AXP Digital-TCPIP SSL) for host.name.domain". <li class="item"> <span class="high bold">[ProxyHostLookupRetryCount] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> When the server is resolving the name of a remote host the request may timeout due to up-stream DNS server latencies. This parameter allows a number of retries, at five second intervals, to be enabled. <li class="item"> <span class="high bold">[ProxyReportLog] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables the server process log reporting significant proxy processing events, such as cache maintenance activity. <li class="item"> <span class="high bold">[ProxyReportCacheLog] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables the server process log reporting of proxy caching activity. 
<li class="item"> <span class="high bold">[ProxyServing] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables proxy serving on a whole-of-server basis, irrespective of any proxy services that might be configured. <li class="item"> <span class="high bold">[ProxyUnknownRequestFields] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When enabled propagates all request fields provided by the client through to the proxied server. When disabled only propagates fields that WASD recognises. <li class="item"> <span class="high bold">[ProxyVerifyRecordMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Obscure functionality; see WASD Proxy Service feature. <li class="item"> <span class="high bold">[ProxyXForwardedFor] <span class="high monosp">ADDRESS|DISABLED|ENABLED|UNKNOWN</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables the addition of a proxy request header line providing the host name on behalf of which the request is being proxied. The added header line would look like "X-Forwarded-For: host.name.domain". The ADDRESS variant provides the IP address, and the UNKNOWN variant substitutes "unknown" for the host. This field is designed to be compatible with the <span class="high italic">Squid</span> de facto standard field of the same name. Any request with an existing "X-Forwarded-For:" field has the local information appended to the existing as a comma-separated list. The first host in the field should be the original requesting client. Earlier entries are supplied by the client or upstream proxies and are not verified by this server, so consumers should only rely on entries appended by proxies they trust. <li class="item"> <span class="high bold">[PutBinaryRFM] <span class="high italic">FIX512|STM|STMCR|STMLF|UDF</span></span> <span class="high italic">(default: UDF)</span> <p> Record format for a non-text HTTP POST or PUT upload into the file-system. Has a per-path equivalent. 
The precedence for determining the created file record format is [AddType] RFM:, then any per-path PUT=RFM= mapping rule, then [PutBinaryRFM], then the default of UDF. <li class="item"> <span class="high bold">[PutMaxKBytes] <span class="high italic">integer</span></span> <span class="high italic">(default: 250)</span> <p> Maximum size of an HTTP POST or PUT method request in Kilobytes. Has a per-path equivalent. <li class="item"> <span class="high bold">[PutVersionLimit] <span class="high italic">integer</span></span> <span class="high italic">(default: 3)</span> <p> Files created using the POST or PUT methods have the specified version limit applied. <li class="item"> <span class="high bold">[RegEx] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enable regular expression matching. With the possibility of the reserved character "^" being used in existing mapping rules regular expression string matching (<a class="link" href="#4.stringmatching">4. String Matching</a>) is only available after enabling this directive. <p> The default syntax is POSIX EGREP but can be specified by substituting for <span class="high monosp">ENABLED</span> one of the following keywords; AWK, ED, EGREP, GREP, POSIX_AWK, POSIX_BASIC, POSIX_EGREP, POSIX_EXTENDED, POSIX_MINIMAL_BASIC, POSIX_MINIMAL_EXTENDED, SED. When changed from the default <span class="high italic">enabled</span> (WASD) case-insensitivity is lost. <li class="item"> <span class="high bold">[Reject] <span class="high italic">host/domain name</span></span> <span class="high italic">(default: none)</span> <p> One or more (comma-separated if on the same line) internet host/domain names, with "*" wildcarding for host/subdomain matching, to be explicitly denied access. If DNS lookup is not enabled hosts must be expressed using literal addresses (see [DNSLookup] directive). Also see the [Accept] directive. Reject directives have precedence over Accept directives. 
The Reject directive may be used multiple times. <p> Example: <div class="blockof code">[Reject] *.www.example.com 131.185.250.* </div> <li class="item"> <span class="high bold">[ReportBasicOnly] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Only ever supply basic information in a report (<a class="link" href="#2.10.errorreporting">2.10 Error Reporting</a>). <li class="item"> <span class="high bold">[ReportMetaInfo] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Includes in detailed reports, as <META> information, the software ID of the server and any relevant VMS file information. <li class="item"> <span class="high bold">[RequestHistory] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> The server can keep a list of the most recent requests accessible from the Server Administration page. This value determines the number kept. Zero disables the facility. Each retained request consumes 256 bytes and adds a small amount of extra processing overhead. <li class="item"> <span class="high bold">[Scripting] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: ENABLED)</span> <p> Enables and disables <span class="high bold">all</span> scripting mechanisms. This includes CGI and CGIplus, DECnet-based OSU and CGI, and SSI directives that DCL processes to provide <--#dcl -->, <--#exec -->, etc. <li class="item"> <span class="high bold">[SearchScript] <span class="high italic">path</span></span> <span class="high italic">(no default)</span> <p> Specifies the <span class="high bold">URL-format path</span> to the default query-string keyword search script. This path can subsequently be remapped during request processing. 
<p> Example: <div class="blockof code">[SearchScript] /wasd_root/script/query </div> <li class="item"> <span class="high bold">[SearchScriptExclude] <span class="high italic">list</span></span> <span class="high italic">(no default)</span> <p> Provides a list of file types that are excluded from an implied keyword search. This is useful for client-side (browser-side) active processing that may require a query string to pass information. This query string would normally be detected by the server and if not in a format to be meaningful to itself is then considered as an implied (HTML <ISINDEX>) keyword search, with the appropriate script being activated. <p> Example: <div class="blockof code">[SearchScriptExclude] .HTA,.HTL </div> <li class="item"> <span class="high bold">[SecureSocket] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enable the Secure Sockets Layer (SSL) / Transport Layer Security (TLS) if the server has been built with that option. See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. <li class="item"> <span class="high bold">[ServerAdmin] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <p> Specifies the contact email address for server administration issues. Included as a "mailto:" link in the server signature if [ServerSignature] is set to <span class="high italic">email</span>. <li class="item"> <span class="high bold">[ServerAdminBodyTag] <span class="high italic">string</span></span> <span class="high italic">(default: <BODY>)</span> <p> Specifies the HTML <BODY> tag for server administration and administration report pages. This allows some measure of control over the "look-and-feel" of page and link colour, etc.. for the administrator. 
<li class="item"> <span class="high bold">[ServerReportBodyTag] <span class="high italic">string</span></span> <span class="high italic">(default: <BODY>)</span> <p> Specifies the HTML <BODY> tag for server error and other report pages. This allows some measure of site "look-and-feel" in page colour, background, etc. to be maintained. <li class="item"> <span class="high bold">[ServerSignature] <span class="high monosp">ENABLED|EMAIL|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> The server signature is a short identifying string added to server generated error and other report pages. It includes the server software name and version, along with the host name and port of the service. Setting this to <span class="high italic">email</span> makes the host name a <span class="high italic">mailto:</span> link containing the address specified by the [ServerAdmin] directive. <li class="item"> <span class="high bold">[Service] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <span class="high bold"><span class="high italic">(deprecated)</span></span> <p> This parameter allows SSL, multi-homed hosts and multiple port serving to be specified. <li class="item"> <span class="high bold">[ServiceNotFoundURL] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <p> Provides a default path for reporting a virtual host does not exist, see <a class="link" href="#2.3.2.unknownvirtualserver">2.3.2 Unknown Virtual Server</a>. <li class="item"> <span class="high bold">[SocketSizeRcvBuf] <span class="high italic">integer</span></span> <span class="high italic">(no default)</span> <p> Number of bytes allocated at the device-driver level for a network connection receive buffer. See <a class="link blank" target="_blank" href="../install/#vmsserveraccount">VMS Server Account</a> in <a class="link blank" target="_blank" href="../install/#0.">WASD Install</a>. 
<li class="item"> <span class="high bold">[SocketSizeSendBuf] <span class="high italic">integer</span></span> <span class="high italic">(no default)</span> <p> Number of bytes allocated at the device-driver level for a network connection send buffer. Later versions of TCP/IP Services seem to have large default values for this. MultiNet and TCPware are reported to improve transfers of large responses by increasing low default values. See <a class="link blank" target="_blank" href="../install/#vmsserveraccount">VMS Server Account</a> in <a class="link blank" target="_blank" href="../install/#0.">WASD Install</a>. <li class="item"> <span class="high bold">[SSI] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables Server Side Includes (HTML pre-processing). <li class="item"> <span class="high bold">[SSIaccesses] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables Server Side Includes (HTML pre-processing) file access counter. <li class="item"> <span class="high bold">[SSIexec] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables or disables Server Side Includes (HTML pre-processing) DCL execution functionality. <li class="item"> <span class="high bold">[SSIsizeMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 0 (128kB))</span> <p> SSI source files a completely read into memory before processing. This allows the maximum size to be expanded beyond the default. 
<li class="item"> <span class="high bold">[SSLcert] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <div class="note center"> <a id="6.2.0.0.1" href="#"></a> <a id="6.2.tlssslconfiguration" href="#"></a> <a id="tlssslconfiguration" href="#"></a> <h5 class="head center"><span class="text">TLS/SSL Configuration</span></h5> <hr class="note_hr"> See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. <br>Server command line /SSL= parameter equivalents override the [SSL..] directives. <hr class="note_hr"> </div> <p> TLS/SSL server certificate file path. <li class="item"> <span class="high bold">[SSLcipherList] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <p> A colon-separated list (OpenSSL syntax) of TLS/SSL ciphers allowed to be used by clients to connect to SSL services. This parameter can be used to force the selection of stronger ciphers, with the connection not being allowed to proceed otherwise. <li class="item"> <span class="high bold">[SSLinstanceCacheMax] <span class="high italic">integer</span></span> <span class="high italic">(no default)</span> <p> TLS/SSL multiple WASD instance, shared session cache. Maximum number of shared records. <li class="item"> <span class="high bold">[SSLinstanceCacheSize] <span class="high italic">integer</span></span> <span class="high italic">(no default)</span> <p> TLS/SSL multiple WASD instance, shared session cache. Size in bytes of each individual record. <li class="item"> <span class="high bold">[SSLkey] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <p> TLS/SSL server certificate private key file path. The private key is commonly embedded into the certificate file. Whichever file contains the private key should be protected so that only the server account can read it. 
<li class="item"> <span class="high bold">[SSLoptions] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <p> Alphanumeric flags supported by WASD or hexadecimal value applied to the SSL option of OpenSSL. <li class="item"> <span class="high bold">[SSLsessionCacheMax] <span class="high italic">integer</span></span> <span class="high italic">(no default)</span> <p> Single WASD instance, shared session cache. Maximum number of records. Records are dynamically sized. <li class="item"> <span class="high bold">[SSLsessionLifetime] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(no default)</span> <p> The default maximum period for session reuse is five minutes. This may be set globally using the this directive or on a per-service basis using the per-service equivalent [ServiceSSLsessionLifetime]. <li class="item"> <span class="high bold">[SSLstrictTransSec] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(no default)</span> <p> When non-zero represents the number of seconds, or maximum age, of a HSTS "Strict-Transport-Security:" response header field. See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. There is an equivalent per-service directive. <li class="item"> <span class="high bold">[SSLverifyPeer] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> To access this service a client must provide a verified CA client certificate. <li class="item"> <span class="high bold">[SSLverifyPeerCAfile] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the location of the collection of Certificate Authority (CA) certificates used to verify a peer certificate (VMS file specification). 
<li class="item"> <span class="high bold">[SSLverifyPeerDataMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 1024)</span> <p> When a client certificate is requested for authentication via TLS/SSL renegotiation this is the maximum kilobytes POST/PROPFIND/PUT data buffered during the renegotiation. There is an equivalent per-service directive. <li class="item"> <span class="high bold">[SSLverifyPeerDepth] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Level through a certificate chain a client is verified to. <li class="item"> <span class="high bold">[SSLversion] <span class="high italic">string</span></span> <span class="high italic">(default: TLS family of protocols)</span> <p> The abbreviation for the TLS/SSL protocol version allowed to be used to connect to an SSL service. Using the directive a service may select prefered protocols. <li class="item"> <span class="high bold">[StreamLF] <span class="high italic">integer</span></span> <span class="high italic">(default: 0 (disabled))</span> <p> Enables or disables automatic conversion of VARIABLE record format documents (files) to STREAM-LF, which are much more efficient with this server. The integer is the maximum size of a file in kilobytes that the server will attempt to convert. Zero disables any conversions. <li class="item"> <span class="high bold">[StreamLFpaths] <span class="high italic">string</span></span> <span class="high italic">(no default)</span> <p> <span class="high italic">(Retired in v5.3, mapping SET rule provides this now, see <a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>)</span>. <li class="item"> <span class="high bold">[TimeoutHttp2idle] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 01:00:00)</span> <p> The maximum period of time before an idle HTTP/2 connection is issued with a GOAWAY frame. 
An idle HTTP/2 connection is one where it has not processed a request. <li class="item"> <span class="high bold">[TimeoutInput] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:01:00)</span> <p> Period allowing a connection request to be in progress without submitting a complete request header before terminating it. <li class="item"> <span class="high bold">[TimeoutPersistent] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 0)</span> <p> The period a persistent connection with the client is maintained after the conclusion of a request. Connection persistence improves the overall performance of the server by reducing the number of discrete TCP/IP connections that need to be established. <li class="item"> <span class="high bold">[TimeoutNoProgress] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:02:00)</span> <p> Period allowing request output to continue without any increase in the number of bytes transfered. This directive is targeted at identifying and eliminating requests that have stalled. <li class="item"> <span class="high bold">[TimeoutOutput] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(default: 00:10:00)</span> <p> Period allowing a request to be output before terminating it. This directive sets an absolute maximum time a request can continue to receive output. <li class="item"> <span class="high bold">[WebDAV] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enable WEBdav on a server-wide basis (see <a class="link blank" target="_blank" href="../features/#webdav">WebDAV</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). 
<li class="item"> <span class="high bold">[WebDAVlocking] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enable WebDAV locking. <li class="item"> <span class="high bold">[WebDAVlockCollectionDepth] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Ancestor directory locking depth. <li class="item"> <span class="high bold">[WebDAVlockTimeoutDefault] <span class="high italic">ddd-hh:mm:ss</span></span> <span class="high italic">(default: 01:00:00)</span> <p> Set default locking period. <li class="item"> <span class="high bold">[WebDAVlockTimeoutMax] <span class="high italic">ddd-hh:mm:ss</span></span> <span class="high italic">(default: 7-00:00:00)</span> <p> Maximum locking period. <li class="item"> <span class="high bold">[WebDAVmetaDir] <span class="high italic">string</span></span> <span class="high italic">(default: same as data file)</span> <p> Location of metadata files. <li class="item"> <span class="high bold">[WebDAVquota] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enable disk quota reporting. <li class="item"> <span class="high bold">[Welcome] <span class="high italic">file.suffix</span></span> <span class="high italic">(no default)</span> <p> Specifies the names and order in which a directory is checked for home page files. If no home page is found a directory listing is generated. <div class="blockof code">[Welcome] index.html index.htm home.html home.htm </div> <p> Dynamic home pages (script or interpreter engine driven, e.g. Perl, PHP) may be deployed using a combination of the [Welcome] and [DclScriptRunTime] directives. 
<div class="blockof code">[Welcome] index.html index.htm index.php index.pl [DclScriptRunTime] .PHP $CGI-BIN:[000000]PHPWASD.EXE .PL $CGI-BIN:[000000]PERLRTE </div> <li class="item"> <span class="high bold">[WWWimplied] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When enabled considers <span class="high italic">www.host.name</span> and <span class="high italic">host.name</span> to be the same virtual service. If a request being processed has a virtual host of <span class="high italic">www.host.name</span> and the service matching, rule matching or authentication matching process encounters a <span class="high italic">host.name</span> virtual service it is considered match. A request with a virtual host of <span class="high italic">host.name</span> does not match a service of <span class="high italic">www.host.name</span>. </ol> <!-- source:0900_SERVICE.WASDOC --> <hr class="page"> <a id="7." href="#"></a> <a id="7.serviceconfiguration" href="#"></a> <a id="serviceconfiguration" href="#"></a> <h1 class="head"><span class="numb">7.</span><span class="text">Service Configuration</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#7.1.specificservices"><span class="numb">7.1</span><span class="text">Specific Services</span></a> <tr><td><a href="#7.2.genericservices"><span class="numb">7.2</span><span class="text">Generic Services</span></a> <tr><td><a href="#7.3.sslservices"><span class="numb">7.3</span><span class="text">SSL Services</span></a> <tr><td><a href="#7.4.administrationservices"><span class="numb">7.4</span><span class="text">Administration Services</span></a> <tr><td><a href="#7.5.ipv4andipv6"><span class="numb">7.5</span><span class="text">IPv4 and IPv6</span></a> <tr><td><a href="#7.6.towwwornottowww"><span class="numb">7.6</span><span class="text">To www. 
Or Not To www.</span></a> <tr><td><a href="#7.7.servicedirectives"><span class="numb">7.7</span><span class="text">Service Directives</span></a> <tr><td><a href="#7.8.directivedetail"><span class="numb">7.8</span><span class="text">Directive Detail</span></a> <tr><td><a href="#7.9.administration"><span class="numb">7.9</span><span class="text">Administration</span></a> <tr><td><a href="#7.10.serviceexamples"><span class="numb">7.10</span><span class="text">Service Examples</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#6.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#8.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> By default, the logical name <span class="high bold">WASD_CONFIG_SERVICE</span> locates a common service configuration file. The service configuration file is optional. If the WASD_CONFIG_SERVICE logical is not defined or the file does not exist service configuration is made using the WASD_CONFIG_GLOBAL [Service] <span class="high bold"><span class="high italic">(deprecated)</span></span> directives. For simple sites, those containing one or two services, the use of a separate service configuration file is probably not warranted. Once the number begins to grow this file offers a specific management interface for those services. <p> Precedence of service specifications: <ol class="list"> <li class="item"> /SERVICE= command line qualifier <li class="item"> WASD_CONFIG_SERVICE configuration file (if logical defined and file exists) <li class="item"> WASD_CONFIG_GLOBAL [Service] directive <span class="high bold"><span class="high italic">(deprecated)</span></span> </ol> <p> WASD <span class="high italic">services</span> are also known as <span class="high italic">virtual servers</span> or <span class="high italic">virtual hosts</span> and can provide multiple, autonomous sites from the one HTTP server. 
Services can each have an independent IP address or multiple virtual sites share a single or set of multiple IP addresses. Whichever the case, the host name entered into the browser URL must be able to be resolved to the IP address of an interface configured on the HTTP server system. There is no design limit to the number of services that WASD can support. It can listen on any number of IP ports and for any number of virtual services for any given port. <p> The server must be able to resolve its own host name/address. It is not unknown for completely new systems to have TCP/IP configuration overlooked. The server must also be able to resolve the IP addresses of any configured virtual services (<a class="link" href="#2.3.virtualservices">2.3 Virtual Services</a>). Failure to do so will result in the service not being configured. To avoid startup issues in the absence of a usable DNS it is suggested that for fundamental, business-critical or otherwise important services, static entries be provided in the system TCP/IP agent's local database. <p> Changes to the service configuration file can be validated at the command-line before restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. <div class="blockof code">$ HTTPD /DO=SERVICE=CHECK </div> <a id="7.1" href="#"></a> <a id="7.1.specificservices" href="#"></a> <a id="specificservices" href="#"></a> <h2 class="head"><span class="numb">7.1</span><span class="text">Specific Services</span></h2> <p> In common with other configuration files, directives associated with a specific virtual service are introduced using a double-bracket delimited host specification (<a class="link" href="#2.3.virtualservices">2.3 Virtual Services</a>). When configuring a service the following three components specify the essential characteristics. 
<ul class="list"> <li class="item"> <span class="high bold">scheme – </span> HTTP scheme (sometimes refered to as <span class="high italic">protocol</span>). If <span class="high italic">http:</span> (or omitted) it is a standard HTTP service. If <span class="high italic">https:</span> an SSL service is configured. <li class="item"> <span class="high bold">host – </span> Host name or dotted-decimal address. If omitted, or specified as an asterisk ("*"), defaults to the system's IP host name. <li class="item"> <span class="high bold">port – </span> IP port the service is offered on. If omitted it defaults to 80 for an <span class="high italic">http:</span> service, and to 443 for an <span class="high italic">https:</span> (SSL) service. </ul> <p> These WASD_CONFIG_SERVICE examples illustrate the directive. <div class="blockof code">[[http://alpha.example.com:80]] [[http://alpha.example.com:8080]] </div> <a id="7.2" href="#"></a> <a id="7.2.genericservices" href="#"></a> <a id="genericservices" href="#"></a> <h2 class="head"><span class="numb">7.2</span><span class="text">Generic Services</span></h2> <p> A <span class="high italic">generic</span> service is one that specifies a scheme and/or port but no specific host name. This is useful in a cluster where multiple systems all provide a basic service (e.g. a port 80 service). If the host name is omitted or specified as an asterisk the service substitutes the system's IP host name. <div class="blockof code">[[http://*:80]] [[http://*:8080]] </div> <a id="7.3" href="#"></a> <a id="7.3.sslservices" href="#"></a> <a id="sslservices" href="#"></a> <h2 class="head"><span class="numb">7.3</span><span class="text">SSL Services</span></h2> <p> See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. 
<p> Multiple virtual SSL services (https:) sharing the same certificate can essentially be configured against any host name (unique IP address or alias) and/or port in the same way as standard services (http:). Services requiring unique certificates can only be configured for the same port number against individual and unique IP addresses (i.e. not against aliases). This is not a WASD restriction, it applies to all servers for significant SSL technical reasons. <p> For example, unique certificates for https://www.company1.com:443/ and https://www.company2.com:443/ can be configured only if COMPANY1 and COMPANY2 have unique IP addresses. If COMPANY2 is an alias for COMPANY1 they must share the same certificate. During startup service configuration the server checks for such conditions and issues a warning about "sharing" the service with the first configured. <div class="blockof code">[[https://alpha.example.com]] [[https://*:443]] </div> <a id="7.4" href="#"></a> <a id="7.4.administrationservices" href="#"></a> <a id="administrationservices" href="#"></a> <h2 class="head"><span class="numb">7.4</span><span class="text">Administration Services</span></h2> <p> When multiple instances are configured Server Administration page access, in common with all request processing, is automatically shared between those instances. There are occasions when consistent access to a single instance is desirable. The [ServiceAdmin] directive indicates that the service port number should be used as a <span class="high under">base</span> port and all instances create their own service with unique port for access to that instance alone. The first instance to create an <span class="high italic">administration service</span> uses the specified port, or the next successive if it's already in use, the next instance will use the next available port number, and so on. A high port number should be specified. 
The Server Administration page lists these services for all server instances in the cluster. This port configuration is not intended for general request activity, although with appropriate mapping and other configuration there is nothing specifically precluding the use (remembering that the actual port in use by any particular instance may vary across restarts). In all other respects the services can (and should) be mapped, authorized and otherwise configured as any other. <div class="blockof code">[[https://alpha.example.com]] [ServiceAdmin] enabled </div> <a id="7.5" href="#"></a> <a id="7.5.ipv4andipv6" href="#"></a> <a id="ipv4andipv6" href="#"></a> <h2 class="head"><span class="numb">7.5</span><span class="text">IPv4 and IPv6</span></h2> <p> Both IP version 4 and 6 are concurrently supported by WASD. All networking functionality, service creation, SSL, proxy HTTP, proxy FTP and RFC1413 authorization is IPv6 enabled. If system TCP/IP services do not support IPv6 the expected error would be <div class="blockof code">%SYSTEM-F-PROTOCOL, network protocol error </div> during any attempted IPv6 service creation. Of course IPv4 service creation would continue as usual. <p> Server configuration handles the standard dotted-decimal addresses of IPv4, as well as "normal" and "compressed" forms of standard IPv6 literal addresses, and a (somewhat) standard variation of these that substitutes hyphens for the colons in these addresses to allow the colon-delimited port component of a "URL" to be resolved. Alternatively, use the de facto standard method of enclosing the IPv6 address within square brackets, followed by any port component. 
<a id="7.5.0.0.1" href="#"></a> <a id="7.5.ipv6literaladdresses" href="#"></a> <a id="ipv6literaladdresses" href="#"></a> <h5 class="head"><span class="text">IPv6 Literal Addresses</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Normal <th class="tabh">Compressed <tr class="tabr"> <tr class="tabr"> <td class="tabd">1070:0:0:0:0:800:200C:417B <td class="tabd">1070::800:200C:417B <tr class="tabr"> <td class="tabd">0:0:0:0:0:0:13.1.68.3 <td class="tabd">::13.1.68.3 <tr class="tabr"> <td class="tabd">0:0:0:0:0:FFFF:129.144.52.38 <td class="tabd">::FFFF:129.144.52.38 <tr class="tabr under"> <th class="tabh">hyphen-variants <th class="tabh"> <tr class="tabr"> <tr class="tabr"> <td class="tabd">1070-0-0-0-0-800-200C-417B <td class="tabd">1070--800-200C-417B <tr class="tabr"> <td class="tabd">0-0-0-0-0-0-13.1.68.3 <td class="tabd">--13.1.68.3 <tr class="tabr"> <td class="tabd">0-0-0-0-0-FFFF-129.144.52.38 <td class="tabd">--FFFF-129.144.52.38 </table> <p> In common with all virtual services, if a connection can be established with the system and service port the server can respond to that request. The first example binds a service to accept IPv4 connections for any address, while the second the same for IPv6 (and for IPv4 if the interface has IPv4 configuration). <div class="blockof code">[[https://alpha.example.com:80]] [ServiceBind] 0.0.0.0 [[https://alpha6.example.com:80]] [ServiceBind] ::0 </div> <p> If a service needs to be bound to a specific IP address then that can be specified using the [ServiceBind] directive using any of the literal address formats described above. 
<div class="blockof code">[[http://alpha.example.com:80]] [ServiceBind] 168.192.0.3 [[https://alpha6.example.com:80]] [ServiceBind] fe80::200:f8ff:fe24:1a22 [[https://[fe80::200:f8ff:fe24:1a22]:80]] </div> <a id="7.5.0.0.2" href="#"></a> <a id="7.5.ipv6nameresolution" href="#"></a> <a id="ipv6nameresolution" href="#"></a> <h5 class="head"><span class="text">IPv6 Name Resolution</span></h5> <p> TCP/IP Services for OpenVMS <span class="high italic">does not</span> provide an asynchronous name resolution ACP call for IPv6 as it does for IPv4. This means that dynamic name resolution in IPv6 environments is (currently) an issue. See the server code module [SRC.HTTPD]TCPIP6.C for further detail and workarounds. Let's hope this significant deficiency in VMS' IPv6 support is addressed sooner than later! <a id="7.6" href="#"></a> <a id="7.6.towwwornottowww" href="#"></a> <a id="towwwornottowww" href="#"></a> <h2 class="head"><span class="numb">7.6</span><span class="text">To www. Or Not To www.</span></h2> <p> In the twenty-first century the <span class="high italic">www.</span> prefix to Web services is largely redundant. Generally <span class="high italic">www.host.name</span> and <span class="high italic">host.name</span> are treated as synonymous. WASD conditionals often need to distinguish precisely on the service name and in some cases this can mean a service for the <span class="high italic">www.host.name</span> and the <span class="high italic">host.name</span>. <p> The WASD global configuration directive <div class="blockof code"># WASD_CONFIG_GLOBAL [WWWimplied] enabled </div> (by default, and for backward-compatibility reasons, disabled) results in the server matching a request specifying a leading <span class="high italic">www.</span> matching a virtual service identical <span class="high under">except</span> for the <span class="high italic">www.</span>. So for the configured service. 
<div class="blockof code">[[http://the.host.name]] </div> a request to http://the.host.name/ (request header "Host: the.host.name") or to http://www.the.host.name/ (request header "Host: www.the.host.name") will be matched to it and allow conditionals, etc., to match to the one "the.host.name". <a id="7.7" href="#"></a> <a id="7.7.servicedirectives" href="#"></a> <a id="servicedirectives" href="#"></a> <h2 class="head"><span class="numb">7.7</span><span class="text">Service Directives</span></h2> <p> Where a service directive has an equivalent configuration directive (e.g. error report path) the service directive takes precedence. This allows specific virtual services to selectively override the generic configuration. <table class="tabl" style="margin-top:-1em;"> <tr class="tabr"> <td class="tabd"><a id="7.7.0.0.1" href="#"></a> <a id="7.7.servicedirectives" href="#"></a> <a id="servicedirectives" href="#"></a> <h5 class="head under"><span class="text">Service Directives</span></h5> <tr class="tabr backlight"> <td class="tabd">[[virtual-service]] <td class="tabd">scheme://host:port <tr class="tabr"> <td class="tabd">[ServiceAdmin] <td class="tabd">an <span class="high italic">instance</span> Server Administration page service <tr class="tabr backlight"> <td class="tabd">[ServiceBind] <td class="tabd">if different to host's <tr class="tabr"> <td class="tabd">[ServiceBodyTag] <td class="tabd"><BODY> tag for server reports., etc <tr class="tabr backlight"> <td class="tabd">[ServiceClientSSLcert] <td class="tabd">proxy SSL connect client certificate file <tr class="tabr"> <td class="tabd">[ServiceClientSSLkey] <td class="tabd">proxy SSL connect client private key file <tr class="tabr backlight"> <td class="tabd">[ServiceClientSSLcipherList] <td class="tabd">proxy SSL connect ciphers <tr class="tabr"> <td class="tabd">[ServiceClientSSLverifyCA] <td class="tabd">verify CA of proxied requests <tr class="tabr backlight"> <td class="tabd">[ServiceClientSSLverifyCAfile] <td 
class="tabd">location of proxy CA file <tr class="tabr"> <td class="tabd">[ServiceClientSSLversion] <td class="tabd">proxy SSL version to use <tr class="tabr backlight"> <td class="tabd">[ServiceConnect] <td class="tabd">respond to a connection on a port <tr class="tabr"> <td class="tabd">[ServiceErrorReportPath] <td class="tabd">path to script, SSI or "flat" error document <tr class="tabr backlight"> <td class="tabd">[ServiceHttp2Protocol] <td class="tabd">per-service HTTP/2 disabled <tr class="tabr"> <td class="tabd">[ServiceLogFormat] <td class="tabd">per-service access log format <tr class="tabr backlight"> <td class="tabd">[ServiceNoLog] <td class="tabd">suppress logging <tr class="tabr"> <td class="tabd">[ServiceNonSSLRedirect] <td class="tabd">redirect non-SSL on SSL service <tr class="tabr backlight"> <td class="tabd">[ServiceProxy] <td class="tabd">proxy service <tr class="tabr"> <td class="tabd">[ServiceProxyAffinity] <td class="tabd">make origin server "sticky" <tr class="tabr backlight"> <td class="tabd">[ServiceProxyAuth] <td class="tabd">require proxy authorization <tr class="tabr"> <td class="tabd">[ServiceProxyCache] <td class="tabd">proxy caching <tr class="tabr backlight"> <td class="tabd">[ServiceProxyChain] <td class="tabd">chained proxy service host <tr class="tabr"> <td class="tabd">[ServiceProxyChainCred] <td class="tabd">up-stream proxy service access credentials <tr class="tabr backlight"> <td class="tabd">[ServiceProxySSL] <td class="tabd">provide proxy of SSL (connect:) <tr class="tabr"> <td class="tabd">[ServiceProxyTunnel] <td class="tabd">enable tunneling of octets <tr class="tabr backlight"> <td class="tabd">[ServiceRawSocket] <td class="tabd">enable "RawSocket" scripting <tr class="tabr"> <td class="tabd">[ServiceShareSSH] <td class="tabd">share service with SSH <tr class="tabr backlight"> <td class="tabd">[ServiceSSLcert] <td class="tabd">SSL service certificate <tr class="tabr"> <td class="tabd">[ServiceSSLcipherList] <td 
class="tabd">list of accepted SSL ciphers <tr class="tabr backlight"> <td class="tabd">[ServiceSSLkey] <td class="tabd">SSL service private key <tr class="tabr"> <td class="tabd">[ServiceSSLoptions] <td class="tabd">SSL options <tr class="tabr backlight"> <td class="tabd">[ServiceSSLsessionLifetime] <td class="tabd">SSL session lifetime <tr class="tabr"> <td class="tabd">[ServiceSSLstrictTransSec] <td class="tabd">HSTS maximum age in seconds <tr class="tabr backlight"> <td class="tabd">[ServiceSSLverifyPeer] <td class="tabd">access only using verified peer certificate <tr class="tabr"> <td class="tabd">[ServiceSSLverifyPeerCAfile] <td class="tabd">location of CA file <tr class="tabr backlight"> <td class="tabd">[SSLverifyPeerDataMax] <td class="tabd">maximum kBytes of request data buffered during renegotiation <tr class="tabr"> <td class="tabd">[ServiceSSLverifyPeerDepth] <td class="tabd">depth of certificate chain <tr class="tabr backlight"> <td class="tabd">[ServiceSSLversion] <td class="tabd">SSL version to use </table> <p> Configuration keywords equivalent to many of these WASD_CONFIG_SERVICE directives but usable against the deprecated WASD_CONFIG_GLOBAL [Service] directive and the /SERVICE qualifier are available for backward compatibility. See section <span class="high italic">Command Line Parameters</span> in source file [SRC.HTTPD]SERVICE.C for a list of these keywords. <a id="7.8" href="#"></a> <a id="7.8.directivedetail" href="#"></a> <a id="directivedetail" href="#"></a> <h2 class="head"><span class="numb">7.8</span><span class="text">Directive Detail</span></h2> <p> Some of these directives control the behaviour of proxy services. Other directives are Secure Sockets Layer (SSL) specific. <ol class="list"> <li class="item"> <span class="high bold">[[virtual-service]]</span> <span class="high italic">(default: <span class="high italic">none</span>)</span> <p> Specifies the scheme, host name (or asterisk) and port of a service. 
<li class="item"> <span class="high bold">[ServiceAdmin] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Marks the port as an <span class="high italic">administration</span> service (<a class="link" href="#7.4.administrationservices">7.4 Administration Services</a>). <li class="item"> <span class="high bold">[ServiceBind] <span class="high italic">literal address</span></span> <span class="high italic">(default: <span class="high italic">none</span>)</span> <p> If the system has a multi-homed network interface this binds the service to the specific IP address and not to INADDR_ANY. Generally this will not be necessary. The literal address may be in IPv4 dotted-decimal or IPv6 normal or compressed hexadecimal. <li class="item"> <span class="high bold">[ServiceBodyTag] <span class="high italic">string</span></span> <span class="high italic">(default: <BODY>)</span> <p> Specifies the HTML <BODY> tag for server error and other report pages. This allows some measure of site "look-and-feel" in page colour, background, etc. to be maintained. <li class="item"> <span class="high bold">[ServiceClientSSL] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables a proxy service to <span class="high italic">originate</span> HTTP-over-SSL requests. This is different to the CONNECT service enabled using [ServiceProxySSL]. It allows requests to be gatewayed between standard HTTP and Secure Sockets Layer. <div class="note center"> <a id="7.8.0.0.1" href="#"></a> <a id="7.8.tlssslconfiguration" href="#"></a> <a id="tlssslconfiguration" href="#"></a> <h5 class="head center"><span class="text">TLS/SSL Configuration</span></h5> <hr class="note_hr"> See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. 
<hr class="note_hr"> </div> <li class="item"> <span class="high bold">[ServiceClientSSLcert] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Location of client certificate file if required to authenticate client connection. <li class="item"> <span class="high bold">[ServiceClientSSLcipherList] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <li class="item"> <span class="high bold">[ServiceClientSSLkey] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Location of client private key file if required to authenticate client connection. <p> [ServiceClientSSLcipherList] is a comma-separated list of SSL ciphers to be used by the gateway to connect to SSL services. This parameter can be used to force the selection of stronger ciphers, with the connection not allowed to proceed otherwise. <div class="note"><a id="7.8.0.0.1.1" href="#"></a> <a id="7.8.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> These <span class="high italic">ServiceClientSSL..</span> directives are used to control behaviour when outgoing SSL connections are established (as with HTTP-to-SSL gatewaying). This should not be confused with verification of client certificates, which is better referred to as peer verification. See [ServiceSSLverifyPeer] and [ServiceSSLverifyPeerCAfile] directives. <hr class="note_hr"> </div> <li class="item"> <span class="high bold">[ServiceClientSSLverifyCA] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Unless this directive is enabled the Certificate Authority (CA) used to issue the service's certificate is not verified. Requires that a CA file be provided. With the default (DISABLED) the connected-to server's certificate is therefore accepted without checking which CA issued it, so an outgoing SSL connection is encrypted but the server is not authenticated; enable this directive, and provide the CA file, where that matters. See note in [ServiceClientSSLcipherList] above. 
<li class="item"> <span class="high bold">[ServiceClientSSLCaFile] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the location of the collection of Certificate Authority (CA) certificates used to verify the connected-to server's certificate (VMS file specification). See note in [ServiceClientSSLcipherList] above. <li class="item"> <span class="high bold">[ServiceClientSSLversion] <span class="high italic">string</span></span> <span class="high italic">(default: SSLV2/V3)</span> <p> The abbreviation for the SSL protocol version to be used to connect to the SSL service. See note in [ServiceClientSSLcipherList] above. <li class="item"> <span class="high bold">[ServiceConnect] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Request-on-connects do not wait for client data but immediately generate a pseudo request for that service which can be detected and mapped for processing by the server. <p> See <a class="link" href="#7.10.serviceexamples">7.10 Service Examples</a>. <li class="item"> <span class="high bold">[ServiceErrorReportPath] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the <span class="high bold">URL-format path</span> to an optional, error reporting SSI document or script (<a class="link" href="#2.10.errorreporting">2.10 Error Reporting</a>). This path can subsequently be remapped during request processing. <li class="item"> <span class="high bold">[ServiceHttp2Protocol] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: ENABLED)</span> <p> When HTTP/2 is enabled globally this allows an HTTP/1.<span class="high italic">n</span>-only service to be defined. <p> See <a class="link blank" target="_blank" href="../features/#http2">HTTP/2</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. 
<li class="item"> <span class="high bold">[ServiceLogFormat] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Per-service access log format. See . <li class="item"> <span class="high bold">[ServiceNoLog] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> When request logging is enabled then by default all services are logged. This directive allows logging to be suppressed for this service. <li class="item"> <span class="high bold">[ServiceNonSSLRedirect] <span class="high monosp">[code][host-name|IP-address][:port]</span></span> <span class="high italic">(default: none)</span> <p> The default behaviour when a non-SSL HTTP request is begun on an SSL service is to return a 400 error and short message. This directive instead redirects the client to the specified non-SSL service. The parameter can be an optional scheme (i.e. http:// or https://), optional full host name or IP address with optional port, or only a colon-delimited port number which will redirect using the current service name. A single colon is the minimum parameter and redirects to port 80 on the current service name. The default redirect code is 307 but this can be changed by providing a leading 301 or 302. <li class="item"> <span class="high bold">[ServiceProxy] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables and disables proxy request processing for this service. <li class="item"> <span class="high bold">[ServiceProxyAffinity] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Uses cookies to allow the proxy server to make every effort to relay successive requests from a given client to the same origin host. This is also known as client to origin affinity or proxy affinity capability. 
<li class="item"> <span class="high bold">[ServiceProxyAuth] <span class="high monosp"><span class="high italic">none</span> CHAIN|LOCAL|NONE|PROXY</span></span> <span class="high italic">(default: none)</span> <p> Makes a proxy service require authorization before a client is allowed access via it. <span class="high monosp">CHAIN</span> allows an up-stream proxy server to request authorization. <span class="high monosp">LOCAL</span> enables standard server authorization. <span class="high monosp">NONE</span> disables authorization (default). <span class="high monosp">PROXY</span> enables HTTP proxy authorization. <li class="item"> <span class="high bold">[ServiceProxyCache] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enables and disables proxy caching for a proxy service. <li class="item"> <span class="high bold">[ServiceProxyChain] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the next proxy host if chained. <li class="item"> <span class="high bold">[ServiceProxyChainCred] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Credentials for the up-stream proxy server (BASIC authentication only); in the format <span class="high italic">username:password</span>. The password is therefore held as readable text in the service configuration file, so access to that file should be restricted accordingly. <li class="item"> <span class="high bold">[ServiceProxyTunnel] <span class="high monosp">CONNECT|FIREWALL|RAW</span></span> <span class="high italic">(default: none)</span> <p> Transfers octets through the proxy server. <span class="high monosp">FIREWALL</span> accepts a host and port specification before connecting. <span class="high monosp">CONNECT</span> is the traditional CONNECT protocol. <span class="high monosp">RAW</span> connects to a configured host and port. 
<li class="item"> <span class="high bold">[ServiceProxySSL] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Specifies the service as providing proxying of SSL requests. This is sometimes referred to as a "CONNECT" service. This proxies "https:" requests directly and is different to the HTTP-to-SSL proxying enabled using [ServiceProxyHttpSSL]. <li class="item"> <span class="high bold">[ServiceRawSocket] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> Enable "RawSocket" processing on the service. See the chapter on WebSocket scripting in <a class="link blank" target="_blank" href="../scripting/#websocket">WebSocket</a> in <a class="link blank" target="_blank" href="../scripting/#0.">WASD Web Services - Scripting</a>. <li class="item"> <span class="high bold">[ServiceShareSSH] <span class="high italic">integer</span></span> <span class="high italic">(default: 0 (disabled))</span> <p> Non-zero enables service sharing with an SSH server and sets the number of seconds for input timeout. <p> See <a class="link blank" target="_blank" href="../features/#sharedsshtunnel">Shared SSH Tunnel</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. <li class="item"> <span class="high bold">[ServiceSSLcert] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the location of the SSL certificates (VMS file specification). 
<div class="note center"> <a id="7.8.0.0.2" href="#"></a> <a id="7.8.tlssslconfiguration" href="#"></a> <a id="tlssslconfiguration" href="#"></a> <h5 class="head center"><span class="text">TLS/SSL Configuration</span></h5> <hr class="note_hr"> See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. <hr class="note_hr"> </div> <li class="item"> <span class="high bold">[ServiceSSLcipherList] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> A colon-separated list (OpenSSL syntax) of TLS/SSL ciphers allowed to be used by clients to connect to SSL services. The use of this parameter might allow the selection of stronger ciphers to be forced to be used or the connection not allowed to procede. <li class="item"> <span class="high bold">[ServiceSSLkey] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the location of the SSL private key (VMS file specification). <li class="item"> <span class="high bold">[ServiceSSLsessionLifetime] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(no default)</span> <p> The default maximum period for session reuse is five minutes. This is the per-service equivalent of the global directive [SSLsessionLifetime]. <li class="item"> <span class="high bold">[ServiceSSLstrictTransSec] <span class="high italic">hh:mm:ss</span></span> <span class="high italic">(no default)</span> <p> When non-zero represents the number of seconds, or maximum age, of a HSTS "Strict-Transport-Security:" response header field. See <a class="link blank" target="_blank" href="../features/#transportlayersecurity">Transport Layer Security</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>. There is an equivalent global directive. 
<li class="item"> <span class="high bold">[ServiceSSLverifyPeer] <span class="high monosp">ENABLED|DISABLED</span></span> <span class="high italic">(default: DISABLED)</span> <p> To access this service a client must provide a verified CA client certificate. <li class="item"> <span class="high bold">[ServiceSSLverifyPeerCAfile] <span class="high italic">string</span></span> <span class="high italic">(default: none)</span> <p> Specifies the location of the collection of Certificate Authority (CA) certificates used to verify a peer certificate (VMS file specification). <li class="item"> <span class="high bold">[ServiceSSLverifyPeerDataMax] <span class="high italic">integer</span></span> <span class="high italic">(default: 1024)</span> <p> When a client certificate is requested for authentication via TLS/SSL renegotiation this is the maximum kilobytes POST/PROPFIND/PUT data buffered during the renegotiation. There is an equivalent global directive. <li class="item"> <span class="high bold">[SSLverifyPeerDepth] <span class="high italic">integer</span></span> <span class="high italic">(default: 0)</span> <p> Level through a certificate chain a client is verified to. <li class="item"> <span class="high bold">[ServiceSSLversion] <span class="high italic">string</span></span> <span class="high italic">(default: TLS family of protocols)</span> <p> The abbreviation for the TLS/SSL protocol version allowed to be used to connect to an SSL service. Using the directive a service may select preferred protocols. </ol> <a id="7.9" href="#"></a> <a id="7.9.administration" href="#"></a> <a id="administration" href="#"></a> <h2 class="head"><span class="numb">7.9</span><span class="text">Administration</span></h2> <p> A service configuration file can be maintained using a simple text editor and WASD_CONFIG_SERVICE. <p> Alternatively the Server Administration facility may be used. When using this interface for the first time ensure the WASD_CONFIG_SERVICE logical is correctly defined. 
If the file did not exist at server startup any services will have been created from the WASD_CONFIG_GLOBAL [Service] directive. These will be displayed as the existing services and will be saved to the configuration file the first time it is saved. Changes to the service configuration file require a server restart to put them into effect. <p> The [IncludeFile] is a directive common to all WASD configuration, allowing a separate file to be included as a part of the current configuration (<a class="link" href="#2.1.includefiledirective">2.1 Include File Directive</a>). <p> Not all configuration directives may be shown depending on the type of service. For instance, unless a service is configured to provide proxy, only the [ServiceProxy] directive is displayed. To fully configure such a service enable it as proxy, save the file, then reload it. The additional directives will now be available. <p> There is always one empty service displayed each time the configuration menu is generated. This information may be changed appropriately and then saved to add new services to the configuration (of course, these will not be available until the server is restarted). To configure multiple new services add one at a time, saving each and reloading the file to provide a new blank service. <a id="7.10" href="#"></a> <a id="7.10.serviceexamples" href="#"></a> <a id="serviceexamples" href="#"></a> <h2 class="head"><span class="numb">7.10</span><span class="text">Service Examples</span></h2> <ol class="list"> <li class="item"> The following example shows three services being configured. The first is standard HTTP on the default (and well-known) port 80. The second is a proxy service on port 8080. This service provides both standard HTTP (with response caching enabled), SSL (connect:) access and proxy authorization required. The third service is SSL, with a host-specific certificate and key. 
<div class="blockof code">[[http://alpha.example.com:80]] [[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyAuth] PROXY [ServiceProxyCache] enabled [ServiceProxySSL] enabled [[https://alpha.example.com:443]] [ServiceSSLcert] WASD_ROOT:[local]alpha.pem </div> <li class="item"> This example shows a generic service being configured on the well-known port 80. <div class="blockof code">[[http://*:80]] </div> If a cluster of four systems, ALPHA, BETA, GAMMA and DELTA all use this configuration each will have a service accessible via the following four URLs. <div class="blockof code">http://alpha.example.com/ http://beta.example.com/ http://gamma.example.com/ http://delta.example.com/ </div> <li class="item"> The following example shows two services configured against specific IP addresses. The first is an IPv4 and the second a compressed IPv6. <div class="blockof code">[[http://alpha.example.com:80]] [ServiceBind] 168.192.0.3 [[https://alpha6.example.com:80]] [ServiceBind] fe80::200:f8ff:fe24:1a22 </div> <li class="item"> An <span class="high italic">administration port</span> is a special configuration used to support the Server Administration facility when multiple per-node instances are configured. See description above. <div class="blockof code">[[https://alpha.example.com:44443]] [ServiceAdmin] enabled [ServiceSSLcert] WASD_ROOT:[local]alpha.pem [ServiceSSLkey] WASD_ROOT:[local]alpha.pem </div> <li class="item"> <p> A classic [ServiceConnect] use case is to generate a response when a port is connected to. In this example, a disabled telnet service. <div class="blockof code"># WASD_CONFIG_SERVICE [[http://*:23]] [ServiceConnect] enabled </div> <div class="blockof code"># WASD_CONFIG_MAP # TELNET port advisory [[*:23]] pass * /web/online/port23.txt response=var=crlf </div> <div class="blockof code">$ TYPE WEB:[ONLINE]PORT23.TXT ************************************************ TELNET terminal access to the.host.name is unavailable! 
Please use the instructions available at... https://the.host.name/online/ssh ************************************************ </div> <p> While the above example shows a simple <span class="high italic">pass</span> to a static file, the mapping could just as simply been mapped to a script to provide a more dynamic response. <div class="blockof code"># WASD_CONFIG_MAP # TELNET port advisory [[*:23]] map * /cgi-bin/port23 … exec /cgi-bin/* /cgi-bin/* </div> </ol> <!-- source:1000_MESSAGE.WASDOC --> <hr class="page"> <a id="8." href="#"></a> <a id="8.messageconfiguration" href="#"></a> <a id="messageconfiguration" href="#"></a> <h1 class="head"><span class="numb">8.</span><span class="text">Message Configuration</span></h1> <table class="TOC2table"> <tr><td><a href="#8.1.behaviour"><span class="numb">8.1</span><span class="text">Behaviour</span></a> <tr><td><a href="#8.2.messagefileformat"><span class="numb">8.2</span><span class="text">Message File Format</span></a> <tr><td><a href="#8.3.multiplelanguagespecifications"><span class="numb">8.3</span><span class="text">Multiple Language Specifications</span></a> <tr><td><a href="#8.4.suppliedmessagefiles"><span class="numb">8.4</span><span class="text">Supplied Message Files</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#7.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#9.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> By default, the logical name <span class="high bold">WASD_CONFIG_MSG</span> locates the global message configuration file. A text editor may be used to modify this configuration file. Changes require a server restart to put them into effect. <p> Message configuration is provided for two purposes. <ol class="list"> <li class="item"> Some sites would prefer to customize or extend the basic information provided to clients when an error or other event occurs. 
<li class="item"> Sites that do not use English as a first language may wish to provide some or all of the defined messages using a preferred language. </ol> <p> Not all messages provided by the WASD server are customizable, only those generated for non-administrative content. As the WASD server can also report using information derived from the standard VMS message service (via <span class="high italic">sys$getmsg()</span>) it is assumed a language-local implementation of this is in use as well. Unfortunately for the non-first-language-English Web and system administrators, the menus and messages used for administration purposes, etc., are still only in English. The intent of this facility is to provide non-administration clients only with a more familiar language environment. <p> Also note that the message database only applies to messages generated by the server, not to any generated by scripts, etc. <p> Changes to the message configuration file can be validated at the command-line before restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. <div class="blockof code">$ HTTPD /DO=MSG=CHECK </div> <a id="8.1" href="#"></a> <a id="8.1.behaviour" href="#"></a> <a id="behaviour" href="#"></a> <h2 class="head"><span class="numb">8.1</span><span class="text">Behaviour</span></h2> <p> When an error, or other message or string, needs to be provided for the client the message database is accessed using the following algorithm. <ol class="list"> <li class="item"> If the client request has specified a list of preferred languages using the "Accept-Language:" HTTP header field the message database is checked for support of that/those languages. If one is found then that language is used to access the message. 
<li class="item"> If none is found, or the client has not specified a prefered language, the client host address is checked against any list of hosts/domains provided against the language (see below). If a match occurs the specified language is used. <li class="item"> If neither of the above results in a message language the base language is used (the highest numbered language). This <span class="high bold">must</span> have a complete set of messages or the server will not start! </ol> <a id="8.2" href="#"></a> <a id="8.2.messagefileformat" href="#"></a> <a id="messagefileformat" href="#"></a> <h2 class="head"><span class="numb">8.2</span><span class="text">Message File Format</span></h2> <p> By default, the system-table logical name WASD_CONFIG_MSG locates a common message file, unless an individual message file is specified using a job-table logical name. Simple editing of the message file changes the messages (after a server restart, of course). Comment lines may be included by prefixing them with the hash character ("#"), and lines continued by ensuring the last character is a backslash ("^"). The server will concurrently support an additional 3 languages to the base English (although this can be increased by recompilation <span class="high _smiley"> <div class="note center"><a id="8.2.0.0.0.1" href="#"></a> <a id="8.2.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> <span class="high bold">Care must be taken with the message file or the server may refuse to start!</span> <br>Worst-case; the WASD_CONFIG_MSG.CONF message file may be copied from [EXAMPLE]. <hr class="note_hr"> </div> <p> As illustrated below the message file comprises a series of sections. Directives enclosed by square-brackets provide information to the message loader. <div class="blockof code"># this is a comment [version] 9.0 [language] 1 en [general] en 01 Sanity check failure. en 02 String overflow. 
en 03 Heap allocation failed. en 04 calloc() failed en 05 Request calloc() failed. en 06 Server too busy. en 07 Server access denied. en 08 Facility is disabled. en 09 Wildcard not permitted. en 10 Directory layout problem. [next-section, etc.] </div> <p> The square-bracketed section headings have the following functions. <ul class="list"> <li class="item"> <span class="high bold">[version] – </span> Ensures the correct database version is available for the server version attempting to use it. The message file always needs checking for this version number being changed at server updates, although the version may remain fixed at a previous server version number if there have been no changes to the message database during subsequent server versions. This must be the first directive in the file. <li class="item"> <span class="high bold">[language] – </span> Creates space for assigning the new language's messages. The number specifies an order within the languages, each must be different, but only the lowest and highest (prefered and base respectively) have operational significance. The highest number should always be English to provide a fall-back message. A short string provides an identifier for the language. This identifier should be the same as the identifying string in the browser request "Accept-Language:" header field (e.g. "en", "se", "de", "fr", etc.) Multiple, comma-separated languages may be specified. The first is the primary language of that list and messages must be specified using that. The subsequent languages are equivalents that might be specified by the client. A wildcard may be used to match all possibilities (e.g. "de,de-*", "es,es-*"). Following the language identifier is an optional host/domain list. Multiple hosts/domains may be specified by separating each with a comma. The specifications may contain wildcards. All the [language] directives should be grouped at the start of the file immediately following the [version] directive. 
A character set may be associated with a particular language by specifying a <span class="high italic">charset=</span> following the language string (e.g. "ru charset=koi8-r"). Setting the language's ordering number to zero disables the language completely. All messages associated with it will then be ignored. <li class="item"> <span class="high bold">[group-name] – </span> The messages are divided into groupings to make them easier to manage. Each group begins with the group name directive. <li class="item"> <span class="high bold">en 01 message – </span> Each message in a group is assigned using using this format. The string identifying the language, then the message number (the leading zero just improves the format, strictly it is not required), then the actual message itself. The message can be of arbitrary length. Long messages may be continued on following lines using the "^" continuation character. </ul> <p> The base language (the highest numbered, which should always be English) must have precisely the right number of messages required by the server, too few or too many and the server will not start! <span class="high bold">Additional languages do not have to reassign every message!</span> The base language will supply any not assigned. A message number of zero is disabled and completely ignored. <p> If messages contain HTML tags that markup must not interfere with the general HTML page it is used within. <p> Some messages are a composite of multiple strings each of which is used on a different part of the one page (e.g. for the [upd] edit-page). Each of the strings is delimited by the vertical bar "|". Care must be taken when customizing these strings that the overall number stays the same and that the length of each does not become excessive. Although it will not disrupt the server it may significantly disrupt the page layout. <p> All message numbers must be included. 
To provide an empty string for any one message (not recommended) provide the line with nothing following the message number. <a id="8.3" href="#"></a> <a id="8.3.multiplelanguagespecifications" href="#"></a> <a id="multiplelanguagespecifications" href="#"></a> <h2 class="head"><span class="numb">8.3</span><span class="text">Multiple Language Specifications</span></h2> <p> Multiple language messages can be specified in two ways: <ul class="list"> <li class="item"> within the one file <li class="item"> in multiple files specified by a multivalued logical name </ul> <a id="8.3.0.0.1" href="#"></a> <a id="8.3.withintheonefile" href="#"></a> <a id="withintheonefile" href="#"></a> <h5 class="head"><span class="text">Within The One File</span></h5> <p> Language availability is specified through the use of [Language] directives. These must be numbered from 1 to the count of those supplied. The highest numbered language must have the complete set of messages for this is the fallback when obtaining any message (this would normally be "en"). The [Language] may be specified as a comma-separated list of equivalent or similar specifications, which during request processing will be matched against a client specified list of accepted-languages one at a time in specified order. A wildcard may be specified which matches all fitting the template. In this manner a single language can be used also to match minor variants or language specification synonyms. <div class="blockof code">[Version] 9.0 [Language] 1 es,es-ES [Language] 2 de,de-* [Language] 3 en [auth] es 01 Habla Espanol de 01 Sprechen Sie Deutsches en 01 Do you speak English . . 
.(full set of messages) </div> In the above (rather contrived) example a client request with <div class="blockof code">Accept-Language: es-ES,de;q=0.6,en;q=0.3 </div> would have language 1 selected, a client with <div class="blockof code">Accept-Language: de-ch,es;q=0.6,en;q=0.3 </div> language 2 selected, with <div class="blockof code">Accept-Language: pt-br,de;q=0.6,en;q=0.3 </div> also language 2 selected, with <div class="blockof code">Accept-Language: pt </div> language 3 (the default) selected, etc. <p> Note that the messages for each language must use the *first* language specification provided in the [Language] list. In the example above all messages for language 1 would be introduced using 'es', for language 2 with 'de' and for language 3 with 'en'. <a id="8.3.0.0.2" href="#"></a> <a id="8.3.multiplefilesmultivaluedlogicalname" href="#"></a> <a id="multiplefilesmultivaluedlogicalname" href="#"></a> <h5 class="head"><span class="text">Multiple Files - Multivalued Logical Name</span></h5> <p> With this approach a logical name containing multiple file names is defined (more commonly described as a logical search list). The final file specified must contain the full message set. Files specified prior to this, can contain as many or as few of the full set as is desired. A [Language] number does not need to be specified as they are processed in the order the logical name specifies them in. Other language file directives are required. <p> The following is an example of a logical name providing the same three languages in the examples above. 
<div class="blockof code">$ DEFINE /SYSTEM WASD_CONFIG_MSG WASD_ROOT:[LOCAL]WASD_CONFIG_MSG_ES.CONF, - WASD_ROOT:[LOCAL]WASD_CONFIG_MSG_DE.CONF, - WASD_ROOT:[LOCAL]WASD_CONFIG_MSG.CONF </div> <p> The file contents would be as follows (very contrived examples :-) <div class="blockof code"># WASD_CONFIG_MSG_ES.CONF [Version] 9.0 [Language] 0 es,es-ES [auth] es 01 Habla Espanol es 02 Habla Inglesi [dir] es 03 Habla Espanol es 04 Habla Inglesi # WASD_CONFIG_MSG_DE.CONF [Version] 9.0 [Language] 0 de,de-* [auth] de 01 Sprechen Sie Deutsches de 02 Sprechen Sie Englisch [dir] de 03 Sprechen Sie Deutsches de 04 Sprechen Sie Englisch # WASD_CONFIG_MSG.CONF [Version] 9.0 [Language] 0 en [auth] . . .(full set of messages) </div> <p> The <span class="high bold">major advantage</span> of maintaining multiple files in this way is there is <span class="high bold">no need to merge files</span> when a new revision is required. Just update the version number and add any new required messages to the existing secondary file. <a id="8.4" href="#"></a> <a id="8.4.suppliedmessagefiles" href="#"></a> <a id="suppliedmessagefiles" href="#"></a> <h2 class="head"><span class="numb">8.4</span><span class="text">Supplied Message Files</span></h2> <p> Any non-English message files that are provided to the author will be included for general use (please take the time to support this endeavour) in the <a class="link blank" target="_blank" href="/wasd_root/example/WASD_CONFIG_msg*.conf">WASD_ROOT:[EXAMPLE]</a> directory. <p> Note that message files can become out-of-date as server versions change, requiring modifications to the message database. Check the version information and/or comments at the top of candidate message files, however even slightly dated files may serve as a good starting point for a locale-specific message base. </span> <!-- source:1100_CACHE.WASDOC --> <hr class="page"> <a id="9." 
href="#"></a> <a id="9.cacheconfiguration" href="#"></a> <a id="cacheconfiguration" href="#"></a> <h1 class="head"><span class="numb">9.</span><span class="text">Cache Configuration</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#9.1.nonfilecontentcaching"><span class="numb">9.1</span><span class="text">Non-File Content Caching</span></a> <tr><td><a href="#9.2.permanentandvolatile"><span class="numb">9.2</span><span class="text">Permanent and Volatile</span></a> <tr><td><a href="#9.3.cachesuitabilityconsiderations"><span class="numb">9.3</span><span class="text">Cache Suitability Considerations</span></a> <tr><td><a href="#9.4.cachecontentvalidation"><span class="numb">9.4</span><span class="text">Cache Content Validation</span></a> <tr><td><a href="#9.5.cacheconfiguration"><span class="numb">9.5</span><span class="text">Cache Configuration</span></a> <tr><td><a href="#9.6.cachecontrol"><span class="numb">9.6</span><span class="text">Cache Control</span></a> <tr><td><a href="#9.7.circumventingthecache"><span class="numb">9.7</span><span class="text">Circumventing The Cache</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#8.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#10.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> WASD HTTPd provides an optional, configurable, monitorable file data and revision time cache. File data, so that requests for documents can be fulfilled without reference to the underlying file system, potentially reducing request latency and more importantly improving overall server performance and system impact, and file revision time, so that requests specifying an "If-Modified-Since:" header can also benefit from the above. Files are cached using a hash derived from the VMS file-system path equivalent generated during the mapping process (i.e. 
represents the file name) but before any actual RMS activity. WASD can also cache the content of responses from non-file sources. This can be useful for reducing the system impact of frequently accessed, dynamically generated, but otherwise relatively static pages. These sources are cached using a hash derived from the virtual service connected to and the request URI. <a id="9.0.0.0.1" href="#"></a> <a id="9.whyimplementcaching" href="#"></a> <a id="whyimplementcaching" href="#"></a> <h5 class="head"><span class="text">Why Implement Caching?</span></h5> <p> Caching, in concept, attempts to improve performance by keeping data in storage that is faster to access than the usual location. The performance improvement can be assessed in three basic ways; reduction of <ul class="list list0"> <li class="item"> response when accessing the data (latency and transfer time) <li class="item"> processing involved (CPU cycles) <li class="item"> impact on the usual storage location (file system I/O) </ul> <p> This cache is provided to address all three. Where networks are particularly responsive a reduction in request latency can often be noticeable. It is also suggested a cache "hit" may consume fewer CPU cycles than the equivalent access to the (notoriously expensive) VMS file system. Where servers are particularly busy or where disk subsystems are particularly loaded a reduction in the need to access the file system can significantly improve performance while simultaneously reducing the impact of the server on other system activities. <p> A comparison between cached and non-cached performance is provided in the "Server Performance" section. 
<a id="9.0.0.0.2" href="#"></a> <a id="9.terminology" href="#"></a> <a id="terminology" href="#"></a> <h5 class="head"><span class="text">Terminology</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Term <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">hit <td class="tabd">Refers to a request path being found in cache. If the data is still valid the request can be supplied from cache. <tr class="tabr"> <td class="tabd">flushing <td class="tabd">Occurs when the cache becomes full, with older, less frequently used cache entries being removed from the cache and replaced by other files. <tr class="tabr backlight"> <td class="tabd">loading <td class="tabd">Refers to reading the contents of a file into cache memory. <tr class="tabr"> <td class="tabd">permanent <td class="tabd">These entries are loaded once and remain in the cache until it is explicitly purged by the administrator or the server is restarted. They are not flushed or revalidated. <tr class="tabr backlight"> <td class="tabd">revalidate <td class="tabd">Compare the cache entry's size and modification date-time to the file it represents in the file-system. Obviously a difference indicates the content has changed. <tr class="tabr"> <td class="tabd">valid <td class="tabd">The file from which the cached data was originally read has not had its revision date changed (the implication being the file contents have not changed). <tr class="tabr backlight"> <td class="tabd">volatile <td class="tabd">Entries have the original file periodically checked for modification and are reloaded if necessary. They can also be flushed if demand for space requires it. 
</table> <a id="9.1" href="#"></a> <a id="9.1.nonfilecontentcaching" href="#"></a> <a id="nonfilecontentcaching" href="#"></a> <h2 class="head"><span class="numb">9.1</span><span class="text">Non-File Content Caching</span></h2> <p> The WASD cache was originally provided to reduce file-system access (a somewhat expensive activity under VMS). With the expansion in the use of dynamically generated page content (e.g. PHP, Perl, Python) there is an obvious need to reduce the system impact of some of these activities. While many such responses have content specific to the individual request a large number are also generated as general site pages, perhaps with simple time or date components, or other periodic information. Non-file caching is intended for this type of dynamic content. <p> Revalidation of non-file content is fraught with a number of issues and so is not provided. Instead the cache entry is flushed on expiry of the [CacheValidateSeconds], or as otherwise specified by path mapping, and the request is serviced by the content source (script, PHP, Perl, etc.) with the generated response being freshly cached. All of the considerations described in <a class="link" href="#9.4.cachecontentvalidation">9.4 Cache Content Validation</a> apply equally to file and non-file content. <a id="9.1.0.0.1" href="#"></a> <a id="9.1.controllingnonfilecontentcaching" href="#"></a> <a id="controllingnonfilecontentcaching" href="#"></a> <h5 class="head"><span class="text">Controlling Non-File Content Caching</span></h5> <p> Determining which non-file content is cached and which not, and how long before flushing, is done using mapping rules (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). The source of non-file cache content is specified using one or a combination of the following SET rules against general or specific paths. 
<ul class="list simple list0"> <li class="item"> <span class="high bold">cache=[no]cgi </span> from Common Gateway Interface (CGI) script response <li class="item"> <span class="high bold">cache=[no]file </span> from the file system (default and pre-8.4 cache behaviour) <li class="item"> <span class="high bold">cache=[no]net </span> caches the full data stream irrespective of the source <li class="item"> <span class="high bold">cache=[no]nph </span> full stream from Non-Parse Header (NPH) script response <li class="item"> <span class="high bold">cache=[no]query </span> cache requests with query strings (<span class="high bold">use with care</span>) <li class="item"> <span class="high bold">cache=[no]script </span> both CGI and NPH script responses <li class="item"> <span class="high bold">cache=[no]ssi </span> from Server-Side Includes (SSI) documents </ul> <p> A good understanding of site requirements and dynamic content sources, along with considerable care in specifying cache path SETings, is required to cache dynamic content effectively. In particular, as non-file entries are located using the virtual service and the request URI, paths that generate content specific to an individual request or user are poor candidates for caching. It is especially important to get the content revalidation period appropriate to the content of the pages. This is specified using the following path SETings. <ul class="list simple list0"> <li class="item"> <span class="high bold">cache=expires=0 </span> cancels any expiry <li class="item"> <span class="high bold">cache=expires=DAY </span> expires when the day changes <li class="item"> <span class="high bold">cache=expires=HOUR </span> when the clock hour changes <li class="item"> <span class="high bold">cache=expires=MINUTE </span> when the clock minute changes <li class="item"> <span class="high bold">cache=expires=<hh:mm:ss> </span> expires after the specified period in the cache </ul> <p> For example, to cache the content of PHP-generated home pages that contain a time-of-day clock, resolving down to the minute, would require a mapping rule similar to the following. 
<div class="blockof code">set /**/index.php cache=cgi cache=expires=minute </div> <a id="9.2" href="#"></a> <a id="9.2.permanentandvolatile" href="#"></a> <a id="permanentandvolatile" href="#"></a> <h2 class="head"><span class="numb">9.2</span><span class="text">Permanent and Volatile</span></h2> <p> The WASD file cache provides for some resources to be permanently cached while others are allowed to be moved into and out of the cache according to demand. Most sites have at least some files that are fundamental components of the site's pages, are rarely modified, commonly accessed, and therefore should be permanently available from cache. Other files are modified on a regular or ad hoc basis and may experience fluctuations in demand. These more volatile resources should be cached based on current demand. <p> Volatile caching is the default with the site administrator using mapping rules to indicate to the server which resources on which paths should be permanently cached (<a class="link" href="#9.cacheconfiguration">9. Cache Configuration</a>). <p> Although permanent and volatile entries share the same cache structure and are therefore subject to the configuration's maximum number of cache entries, the memory used to store the cached file data is derived from separate pools. The total size of all volatile entries' data is constrained by configuration. In contrast there is no configuration limit placed on the quantity of data that can be cached by permanent entries. One of the purposes of the permanent aspect of the cache is to allow the site administrator considerable discretion in the configuration of the site's low-latency resources, no matter how large or small that might be. Of course there is the ultimate constraint of server process and system virtual memory limits on this activity. 
It should also be kept in mind that unless sufficient physical memory is available to keep such cached content in-memory the site may only end up trading file-system I/O for page file I/O. <a id="9.3" href="#"></a> <a id="9.3.cachesuitabilityconsiderations" href="#"></a> <a id="cachesuitabilityconsiderations" href="#"></a> <h2 class="head"><span class="numb">9.3</span><span class="text">Cache Suitability Considerations</span></h2> <p> A cache is not always of benefit! the cost may outweigh the return. <p> Any cache's efficiencies can only occur where subsets of data are consistently being demanded. Although these subsets may change slowly over time a consistent and rapidly changing aggregate of requests lose the benefit of more readily accessible data to the overhead of cache management, due to the constant and continuous flushing and reloading of cache data. This server's cache is no different, it will only improve performance if the site experiences some consistency in the files requested. For sites that have only a small percentage of files being repeatedly requested it is probably better that the cache be disabled. The other major consideration is available system memory. On a system where memory demand is high there is little value in having cache memory sitting in page space, trading disk I/O and latency for paging I/O and latency. On memory-challenged systems cache is probably best disabled. <p> To help assessment of the cache's efficiency for any given site monitor the Server Administration facility's cache report. <p> Two sets of data provide complementary information, cache activity and file request profile. <ul class="list"> <li class="item"> <span class="high bold">Activity Data</span> <p> This summarizes the cache search behaviour, in particular that of the hash table. <p> The "searched" item, indicates the number of times the cache has been searched. 
Most importantly, this may include paths that can never be cached because they represent non-file requests (e.g. directory listings). Requests involving scripts, and some others, never attempt a cache search. <p> The "hit" item, indicates the number of times the hash table directly provided a cached path. This is very efficient. <p> The "miss" item, indicates the number of times the hash table directly indicated a path was not cached. This is decisive and is also very efficient. <p> The "collision" item, indicates the number of times multiple paths resolved to the same hash table entry. Collisions require further processing and are far less efficient. The sub-items, "collision hits" and "collision misses" indicate the number of times that further processing resulted in a found or not-found cache item. <p> A large number of cache misses compared to searches may only indicate a large number of non-cacheable requests and so depending on that further datum is not of great concern. A large proportion of collisions (say greater than 12.5%) is, however, indicating either the hash table size needs increasing (1024 should be considered a minimum) or the hashing algorithm in the software needs reviewing :-) <li class="item"> <span class="high bold">Files Data</span> <p> This summarizes the site's file request profile. <p> With the "loads not hit" item, the count represents the cumulative number of files loaded but never subsequently hit. If this percentage is high it means most files loaded are never hit, indicating the site's request profile is possibly unsuitable for caching. <p> The item "hits" represents the cumulative, total number of hits against the cumulative, total number of loads. The percentage here can range from zero to many thousands of percent :-) with less than 100% indicating poor cache performance and from 200% upwards better and good performance. 
The items "1-9", "10-99" and "100+" show the count and percentage of total hits that occurred when a given entry had experienced hits within that range (e.g. if an entry has had 8 previous hits, the ninth increments the "1-9" item whereas the tenth and eleventh increments the "10-99" item, etc.) <p> Other considerations also apply when assessing the benefit of having a cache. For example, a high number and percentage of hits can be generated while the percentage of "loads not hit" could also be very high. The explanation for this would be one or two frequently requested files being hit while most others are loaded, never hit, and flushed as other files request cache space. In situations such as this it is difficult to judge whether cache processing is improving performance or just adding overhead. </ul> <a id="9.4" href="#"></a> <a id="9.4.cachecontentvalidation" href="#"></a> <a id="cachecontentvalidation" href="#"></a> <h2 class="head"><span class="numb">9.4</span><span class="text">Cache Content Validation</span></h2> <p> The cache will automatically revalidate the volatile entry file data after a specified number of seconds ([CacheValidateSeconds] configuration parameter), by comparing the original file revision time to the current revision time. If different the file contents have changed and the cache contents are declared invalid. If found invalid the file transfer then continues outside of the cache with the new contents being concurrently reloaded into the cache. Permanent entries are not subject to revalidation and the associated reloading. <p> Cache validation is also always performed if the request uses "Cache-Control:" with <span class="high italic">no-cache</span>, <span class="high italic">no-store</span> or <span class="high italic">max-age=0</span> attributes (HTTP/1.1 directive), or a "Pragma: no-cache" field (HTTP/1.0 directive). 
These request directives are often associated with a browser agent <span class="high italic">reload page</span> function. Hence there is no need for any explicit flushing of the cache under normal operation. If a document does not immediately reflect any changes made to it (i.e. validation time has not been reached) validation (and consequent reload) can be "forced" with a browser reload. Permanent entries are also not subject to this source of revalidation. The configuration directive [CacheGuardPeriod] limits this form of revalidation when used within the specified period since last revalidated. It has a default value of fifteen seconds. <p> If a site's contents are relatively static the validation seconds could be set to an extended period (say 3600 seconds, one hour) and then rely on an explicit "reload" to force validation of a changed file. <p> The entire cache may be purged of cached data, both volatile and permanent entries, either from the Server Administration facility or using command line server control. <div class="blockof code">$ HTTPD /DO=CACHE=PURGE </div> <a id="9.5" href="#"></a> <a id="9.5.cacheconfiguration" href="#"></a> <a id="cacheconfiguration" href="#"></a> <h2 class="head"><span class="numb">9.5</span><span class="text">Cache Configuration</span></h2> <p> The cache is controlled using WASD_CONFIG_GLOBAL configuration file and WASD_CONFIG_MAP mapping file directives. A number of parameters control the basics of cache behaviour. <ul class="list"> <li class="item"> <span class="high bold">[Cache] – </span> Enables and disables caching. <li class="item"> <span class="high bold">[CacheEntriesMax]</span> and <span class="high bold">[CacheTotalKBytesMax] – </span> Provide growth limits to cache expansion. Maximum entries limits the number of files loaded into the cache before entries begin to be reused (flushing the original contents). Maximum total kilobytes allocated to the cache provides a ceiling on the memory consumed. 
These parameters operate to limit each other (i.e. if one reaches its limit before the other, the other will not grow further either). <li class="item"> <span class="high bold">[CacheFileKBytesMax] – </span> Provides a limit on file size (in kilobytes). Files larger than the specified limit will not be cached. This may be overridden on a per-path basis using the <span class="high italic">set cache=max=&lt;integer&gt;</span> mapping rule (see below). <li class="item"> <span class="high bold">[CacheFrequentHits]</span> and <span class="high bold">[CacheFrequentSeconds] – </span> Attempt to reduce unproductive reuse of cache entries by providing the cache with some indication of what constitutes a frequently hit entry. If it is frequently hit then it should not be immediately reused when there is a demand for cache space. The first parameter sets the number of hits an entry must sustain before being a candidate for <span class="high italic">CacheFrequentSeconds</span> assessment. If a file has been hit at least <span class="high italic">CacheFrequentHits</span> times in total and the last hit was within the number of seconds set by <span class="high italic">CacheFrequentSeconds</span> it will not be flushed and reused. If it has not been hit within the specified period it will be reused. <li class="item"> <span class="high bold">[CacheGuardPeriod] – </span> Prevents browser initiated content revalidation described above (<a class="link" href="#9.4.cachecontentvalidation">9.4 Cache Content Validation</a>). It is provided to help limit unnecessary file-system activity. The default is fifteen seconds. <li class="item"> <span class="high bold">[CacheEntriesMax] – </span> <span class="high italic">(obsolete)</span> <li class="item"> <span class="high bold">[CacheValidateSeconds] – </span> The interval after which a cache entry's original, content revision time is revalidated against the file's current revision time. If not the same the contents are declared invalid and reloaded. 
Setting this to a greater period reduces disk I/O but revised files may not be obvious within an acceptable time unless a revalidation is forced with a <span class="high italic">reload</span>. Permanent entries are not subject to validation. </ul> <a id="9.5.0.0.1" href="#"></a> <a id="9.5.mappingrules" href="#"></a> <a id="mappingrules" href="#"></a> <h5 class="head"><span class="text">Mapping Rules</span></h5> <p> Mapping rules (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>) allow further tailoring of cache behaviour based on request (file) path. Those files that should be made permanent entries are indicated using the <span class="high italic">cache=perm</span> directive. In the following example all files in the WASD runtime directories (directory icons, help files, etc.) are made permanent cache entries at the same time the path is mapped. <div class="blockof code">pass /*/-/* /wasd_root/runtime/*/* cache=perm </div> <p> Of course, specified file types as well as specific paths can be mapped in this way. Here all files in the site's /help/ path are made permanent entries except those having a .PS type (PostScript documents). <div class="blockof code">set /help/* cache=perm set /help/*.ps cache=noperm </div> <p> The configuration directive [CacheFileKBytesMax] puts a limit on individual file size. Those exceeding that limit are considered too large and not cached. It is possible to override this general constraint by specifying a maximum size (in kilobytes) on a per-path basis. <div class="blockof code">set /help/examples*.jpg cache=max=128 set /cai/*.mpg cache=max=2048 cache=perm </div> <p> Caching may be disabled and/or enabled for specified paths and subpaths. 
<div class="blockof code">set /web/* cache=none set /web/icons/* cache </div> <a id="9.6" href="#"></a> <a id="9.6.cachecontrol" href="#"></a> <a id="cachecontrol" href="#"></a> <h2 class="head"><span class="numb">9.6</span><span class="text">Cache Control</span></h2> <p> The cache may be enabled, disabled and purged from the Server Administration facility. In addition the same control may be exercised from the command-line using <div class="blockof code">$ HTTPD /DO=CACHE=ON $ HTTPD /DO=CACHE=OFF $ HTTPD /DO=CACHE=PURGE </div> <p> If cache parameters are altered in the configuration file the server must be restarted to put these into effect. Disabling the cache on an ad hoc basis (from menu or command line) does not alter the contents in any way so it can merely be reenabled with use of the cache's previous contents resuming. In this way comparisons between the two environments may more easily be made. <a id="9.7" href="#"></a> <a id="9.7.circumventingthecache" href="#"></a> <a id="circumventingthecache" href="#"></a> <h2 class="head"><span class="numb">9.7</span><span class="text">Circumventing The Cache</span></h2> <p> There are often good reasons for bypassing or avoiding the cache. For instance, where a document is being refreshed within the cache revalidation period specified by [CacheValidateSeconds] (<a class="link" href="#9.4.cachecontentvalidation">9.4 Cache Content Validation</a>). There are two mechanisms available for bypassing or invalidating the file cache. <ol class="list"> <li class="item"> This directs the server to always get the file from the file-system. <div class="blockof code">SET /path/not/to/cache/* cache=none </div> <li class="item"> Specify a version component when requesting the file. WASD never caches a file if the request contains a version component. It does not need to be a full version number, a semi-colon is sufficient. 
For example: <div class="blockof code">/wasd_root/robots.txt; </div> </ol> <!-- source:1200_PROCESSING.WASDOC --> <hr class="page"> <a id="10." href="#"></a> <a id="10.requestprocessingconfiguration" href="#"></a> <a id="requestprocessingconfiguration" href="#"></a> <h1 class="head"><span class="numb">10.</span><span class="text">Request Processing Configuration</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#10.1.ruleinterpretation"><span class="numb">10.1</span><span class="text">Rule Interpretation</span></a> <tr><td><a href="#10.2.vmsfilesystemspecifications"><span class="numb">10.2</span><span class="text">VMS File System Specifications</span></a> <tr><td><a href="#10.3.traditionalfilespecificationsods2"><span class="numb">10.3</span><span class="text">Traditional File Specifications (ODS-2)</span></a> <tr><td><a href="#10.4.extendedfilespecificationsods5"><span class="numb">10.4</span><span class="text">Extended File Specifications (ODS-5)</span></a> <tr><td><a href="#10.4.1.charactersinrequestpaths"><span class="numb">10.4.1</span><span class="text">Characters In Request Paths</span></a> <tr><td><a href="#10.4.2.filenameambiguity"><span class="numb">10.4.2</span><span class="text">File Name Ambiguity</span></a> <tr><td><a href="#10.4.3.charactersinservergeneratedpaths"><span class="numb">10.4.3</span><span class="text">Characters In Server-Generated Paths</span></a> <tr><td><a href="#10.5.rules"><span class="numb">10.5</span><span class="text">Rules</span></a> <tr><td><a href="#10.5.1.mappassfailrules"><span class="numb">10.5.1</span><span class="text">MAP, PASS, FAIL Rules</span></a> <tr><td><a href="#10.5.2.redirectrule"><span class="numb">10.5.2</span><span class="text">REDIRECT Rule</span></a> <tr><td><a href="#10.5.3.userrule"><span class="numb">10.5.3</span><span class="text">USER Rule</span></a> <tr><td><a href="#10.5.4.execuxecandscriptscriptmappingrules"><span class="numb">10.5.4</span><span class="text">EXEC/UXEC and 
SCRIPT, Script Mapping Rules</span></a> <tr><td><a href="#10.5.5.setrule"><span class="numb">10.5.5</span><span class="text">SET Rule</span></a> <tr><td><a href="#10.6.reversemapping"><span class="numb">10.6</span><span class="text">Reverse Mapping</span></a> <tr><td><a href="#10.7.mappingexamples"><span class="numb">10.7</span><span class="text">Mapping Examples</span></a> <tr><td><a href="#10.8.virtualservers"><span class="numb">10.8</span><span class="text">Virtual Servers</span></a> <tr><td><a href="#10.9.conditionalmapping"><span class="numb">10.9</span><span class="text">Conditional Mapping</span></a> <tr><td><a href="#10.10.mappinguserdirectoriestildecharacterquotquot"><span class="numb">10.10</span><span class="text">Mapping User Directories (tilde character ("~"))</span></a> <tr><td><a href="#10.10.1.usingthesysuaf"><span class="numb">10.10.1</span><span class="text">Using The SYSUAF</span></a> <tr><td><a href="#10.10.2.withoutusingthesysuaf"><span class="numb">10.10.2</span><span class="text">Without Using The SYSUAF</span></a> <tr><td><a href="#10.11.crossoriginresourcesharing"><span class="numb">10.11</span><span class="text">Cross Origin Resource Sharing</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#9.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#11.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> By default, the logical name <span class="high bold">WASD_CONFIG_MAP</span> locates a common mapping rule file. Simple editing of the mapping file and reloading into the running server changes the processing rules. The [IncludeFile] is a directive common to all WASD configuration, allowing a separate file to be included as a part of the current configuration (<a class="link" href="#2.1.includefiledirective">2.1 Include File Directive</a>). <p> Mapping rules are used for a number of different request processing purposes. 
<ol class="list"> <li class="item"> To map a request <span class="high italic">path</span> onto the VMS file system. That is, to map from web-space into file-space. <li class="item"> To map from file-space back into web-space. There is often not a one-to-one correspondence between file specifications and web paths. <li class="item"> To process a request path according to specified criteria resulting in an effective path that is different to that supplied with the request. <li class="item"> To identify requests requiring script activation and to parse the script from the path portion of that request. The path portion is then independently re-mapped. <li class="item"> To conditionally map to different end-results based on one or more criteria of the request or environment. <li class="item"> To provide differing virtual sites depending on the actual service accessed by the client. </ol> <p> Mapping is basically for server-internal purposes only. The only time the path information of the request itself is modified is when a script component is removed. At all other times the path information remains unchanged. Path authorization is always applied to the path supplied with the request. <p> Rules are given a basic consistency check when loaded (i.e. server startup, map reload, etc.). If there is an obvious problem (unknown rule, missing component, path not absolute, etc.) a warning message is generated and the rule is not loaded into the database. This will not cause the server startup to fail. These warning messages may be found in the server process log. <p> Changes to the mapping configuration file can be validated at the command-line before reload or restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. 
<div class="blockof code">$ HTTPD /DO=MAP=CHECK </div> <p> A server's currently loaded mapping rules may also be interrogated from the Server Administration menu (see <a class="link blank" target="_blank" href="../features/#serveradministration">Server Administration</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <a id="10.1" href="#"></a> <a id="10.1.ruleinterpretation" href="#"></a> <a id="ruleinterpretation" href="#"></a> <h2 class="head"><span class="numb">10.1</span><span class="text">Rule Interpretation</span></h2> <p> The rules are scanned from first towards last, until a matching final rule is encountered (PASS, EXEC, SCRIPT, FAIL, REDIRECT, UXEC and USER) when the mapping pass concludes. Non-final rules (MAP and SET) perform the appropriate action and continue to the next rule. One, two or more passes through the rules may occur due to implicit processing (if the path contains a script component) or by explicit restart (SET <span class="high italic">map=restart</span>). <a id="10.1.0.0.1" href="#"></a> <a id="10.1.stringmatching" href="#"></a> <a id="stringmatching" href="#"></a> <h5 class="head"><span class="text">String Matching</span></h5> <p> The basis of path mapping is string pattern matching, comparing the request specified path, and optionally other components of the request when using configuration conditionals (<a class="link" href="#5.conditionalconfiguration">5. Conditional Configuration</a>), to a series of patterns, usually until one of the patterns matches, at which stage some processing is performed. Both wildcard and regular expression based pattern matching is available. All rules have a <span class="high italic">template</span> (string pattern to match against the path). Some rules have a <span class="high italic">result</span> (how to restructure the components matching from the template). 
<ul class="list"> <li class="item"> The <span class="high bold">template</span> may contain one or more asterisk ("*") wildcard symbols, or a regular expression with optional grouping operators. This is pattern matched against the request path (<a class="link" href="#4.stringmatching">4. String Matching</a>). If neither is present then the path must match the <span class="high italic">template</span> exactly. <li class="item"> The <span class="high bold">result</span> may contain one or more asterisk ("*") substitution symbols. The <span class="high italic">result</span> wildcards are expanded to replace the matching strings of the respective <span class="high italic">template</span> wildcards or pattern groups. Specified wildcard substitution is available (<a class="link" href="#4.4.expressionsubstitution">4.4 Expression Substitution</a>). Characters represented by wildcards in the <span class="high italic">template</span> not represented by a corresponding wildcard in the <span class="high italic">result</span> are ignored. Non-wildcard <span class="high italic">result</span> characters are directly inserted in reconstructed path. Non-wildcard characters in the <span class="high italic">template</span> are ignored. If the <span class="high italic">result</span> contains no wildcards it completely replaces the URL path. </ul> <a id="10.1.0.0.2" href="#"></a> <a id="10.1.virtualservers" href="#"></a> <a id="virtualservers" href="#"></a> <h5 class="head"><span class="text">Virtual Servers</span></h5> <p> As described in <a class="link" href="#2.3.virtualservices">2.3 Virtual Services</a> virtual service syntax may be used with mapping rules to selectively apply rules to one specific service. If virtual services are configured rule interpretation sees only rules common to all services and those specific to its own service (host address and port). In all other aspects rule interpretation applies as described above. 
<a id="10.1.0.0.3" href="#"></a> <a id="10.1.processingoverhead" href="#"></a> <a id="processingoverhead" href="#"></a> <h5 class="head"><span class="text">Processing Overhead</span></h5> <p> Naturally, each rule that needs to be processed adds a little to consumed CPU, introduces some latency, and ultimately reduces throughput. The test-bench has shown this to be acceptably small compared to the overall costs of responding to a request. Using the ApacheBench tool on a COMPAQ Professional Workstation XP1000 with 2048MB, VMS V8.3, TCP/IP Service 5.7 and WASD v10.1, with a simple access to <span class="high monosp">/wasd_root/exercise/0k.txt</span> showed approximately 744 requests/second throughput using the following mapping file. <div class="blockof code">pass /wasd_root/exercise/* </div> <p> After adding various quantities of the same intervening rule <div class="blockof code">pass /wasd_root/example/* pass /wasd_root/example/* . . . pass /wasd_root/example/* pass /wasd_root/exercise/* </div> the following results were derived. 
<div class="blockof block center"><a id="10.1.0.0.4" href="#"></a> <a id="10.1.mappingoverhead" href="#"></a> <a id="mappingoverhead" href="#"></a> <h5 class="head"><span class="text">Mapping Overhead</span></h5> <p> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh">Rule Count <th class="tabh">Requests/S <th class="tabh">Throughput <tr class="tabr"> <td class="tabd">0 <td class="tabd">744 <td class="tabd">baseline <tr class="tabr"> <td class="tabd">100 <td class="tabd">701 <td class="tabd">-5.8% <tr class="tabr"> <td class="tabd">200 <td class="tabd">665 <td class="tabd">-10.6% <tr class="tabr"> <td class="tabd">500 <td class="tabd">571 <td class="tabd">-23.3% <tr class="tabr"> <td class="tabd">1000 <td class="tabd">461 <td class="tabd">-38.4% </table> </div> <p> Although this is a fairly contrived set-up and actual real-world rule-sets are more complex than this, even one hundred rules is a <span class="high under">very</span> large set, and it does indicate that for all intents and purposes mapping rules may be used to achieve desired objectives without undue concern about impact on server throughput. <a id="10.2" href="#"></a> <a id="10.2.vmsfilesystemspecifications" href="#"></a> <a id="vmsfilesystemspecifications" href="#"></a> <h2 class="head"><span class="numb">10.2</span><span class="text">VMS File System Specifications</span></h2> <p> The VMS file system in mapping rules is always assumed to begin with a device or concealed device logical. Specifying a Master File Directory (MFD) component, the [000000] is completely optional, although always implied. The mapping functions will always insert one if required for correct file system syntax. That is, if the VMS file system mapping of a path results in a file in a top-level directory an MFD is inserted if not explicitly present in the mapping. 
For example, both of the following paths <div class="blockof code">/dka100/example.txt /dka100/000000/example.txt </div> would result in a mapping to <div class="blockof code">DKA100:[000000]EXAMPLE.TXT </div> The MFD is completely optional when both specifying paths in mapping rules and when supplying paths in a request. Similarly, when supplying a path that includes directory components, as in <div class="blockof code">/dka100/dir1/dir2/example.txt /dka100/000000/dir1/dir2/example.txt </div> both mapping to <div class="blockof code">DKA100:[DIR1.DIR2]EXAMPLE.TXT </div> <div class="note"> <a id="10.2.0.0.1" href="#"></a> <a id="10.2.logicalnames" href="#"></a> <a id="logicalnames" href="#"></a> <h5 class="head center"><span class="text">LOGICAL NAMES</span></h5> <hr class="note_hr"> When using logical names in file system mappings they must be able to be used as concealed devices and cannot be logical equivalents of directory specifications. You must be able to perform a <div class="blockof code">$ DIRECTORY logical-name:[000000] </div> to be able to use the specification as a WASD mapping rule. <hr class="note_hr"> </div> <p> Concealed device logicals are created using the following syntax: <div class="blockof code">$ DEFINE LOGICAL_NAME device:[dir1.dir2.] $ DEFINE LOGICAL_NAME /TRANSLATION=CONCEALED physical_device:[dir1.dir2.] $ DEFINE LOGICAL_NAME /TRANSLATION=CONCEALED - physical_device1:,physical_device2: $ DEFINE LOGICAL_NAME /TRANSLATION=CONCEALED - physical_device3:[dir1.dir2.],physical_device4:[dir1.dir3.] </div> <p> The logical name may be multi-valued and provided the DIRECTORY command can be used successfully with them (as described above) should be amenable to WASD directory listing producing equivalent results. 
<a id="10.3" href="#"></a> <a id="10.3.traditionalfilespecificationsods2" href="#"></a> <a id="traditionalfilespecificationsods2" href="#"></a> <h2 class="head"><span class="numb">10.3</span><span class="text">Traditional File Specifications (ODS-2)</span></h2> <p> For ODS-2 volumes, when during rule mapping of a path to a VMS file specification an RMS-invalid character (e.g. "+") or syntax (e.g. multiple periods) is encountered a dollar symbol is substituted in an attempt to make it acceptable. This functionality is often useful for document collections imported to the local web originating from, for instance, a Unix site that utilizes non-VMS file system syntax. The default substitution character may be changed on a per-path basis using the SET rule (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). <a id="10.4" href="#"></a> <a id="10.4.extendedfilespecificationsods5" href="#"></a> <a id="extendedfilespecificationsods5" href="#"></a> <h2 class="head"><span class="numb">10.4</span><span class="text">Extended File Specifications (ODS-5)</span></h2> <p> OpenVMS Alpha V7.2 introduced a new on-disk file system structure, ODS-5. This brings to VMS in general, and WASD and other Web servers in particular, a number of issues regarding the handling of characters previously not encountered during (ODS-2) file system activities. ODS-2 and ODS-5 volumes should be automatically distinguished by the server however it is possible to <span class="high italic">force</span> interpretation using a path mapping rule (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). <a id="10.4.1" href="#"></a> <a id="10.4.1.charactersinrequestpaths" href="#"></a> <a id="charactersinrequestpaths" href="#"></a> <h3 class="head"><span class="numb">10.4.1</span><span class="text">Characters In Request Paths</span></h3> <p> There is a standard for characters used in HTTP requests paths and query strings (URLs). 
This includes conventions for the handling of reserved characters, for example "?", "+", "&", "=" that have specific meanings in a request, characters that are completely forbidden, for example white-space, control characters (0x00 to 0x1f), and others that have usages by convention, for example the "~", commonly used to indicate a username mapping. The request can otherwise contain these characters provided they are URL-encoded (i.e. a percentage symbol followed by two hexadecimal digits representing the hexadecimal-encoded character value). <p> There is also an RMS standard for handling characters in extended file specifications, some of which are forbidden in the ODS-2 file naming conventions, and others which have a reserved meaning to either the command-line interpreter (e.g. the space) or the file system structure (e.g. the ":", "[", "]" and "."). Generally the allowed but reserved characters can be used in ODS-5 file names if escaped using the "^" character. For example, the ODS-2 file name "THIS_AND_THAT.TXT" could be named "This^_^&^_That.txt" on an ODS-5 volume. More complex rules control the use of character combinations with significance to RMS, for instance multiple periods. The following file name is allowed on an ODS-5 volume, "A-GNU-zipped-TAR-archive^.tar.gz", where the non-significant period has been escaped making it acceptable to RMS. <p> Of course characters absolutely forbidden in request paths must still be URL-encoded, the most obvious example is the space. RMS will accept the file name "This^ and^ that.txt" (i.e. containing escaped spaces) but the request path would need to be specified as "This%20and%20that.txt". <p> Unlike for ODS-2 volumes, ODS-5 volumes do not have "invalid" characters, so no processing is performed to ensure RMS compliance. 
<a id="10.4.2" href="#"></a> <a id="10.4.2.filenameambiguity" href="#"></a> <a id="filenameambiguity" href="#"></a> <h3 class="head"><span class="numb">10.4.2</span><span class="text">File Name Ambiguity</span></h3> <p> ODS-5 allows for some file name ambiguity in web-space. <p> For example the file name <div class="blockof code">This^_is^_an^_EXAMPLE^.txt.;1 </div> would be presented to the client as <div class="blockof code">This is an EXAMPLE.txt </div> which when provided in a URL as <div class="blockof code">This%20is%20an%20EXAMPLE.txt </div> and translated from that URL into the file specification <div class="blockof code">This^_is^_an^_EXAMPLE.txt;1 </div> of course will not be able to be accessed. <p> In addition, the two files <div class="blockof code">This^_is^_an^_EXAMPLE.txt;1 This^_is^_an^_EXAMPLE^.txt.;1 </div> are distinct in the file-system, independently parsed from the directory structure, presented by a web directory listing (and WebDAV resource property list) as consecutive entries having the same name, with only the accessible file name actually available. <div class="blockof code">This is an EXAMPLE.txt This is an EXAMPLE.txt </div> <p> To avoid this situation a potentially ambiguous file name containing an escaped period and no type (extension) is ignored by directory listings and WebDAV property lists. When an ambiguous file name is detected it is reported in WATCH reports. <p> While these sorts of situations are corner-cases it is best to try and avoid <span class="high italic">interesting</span> file names that can challenge the rather convoluted VMS file-system environment. 
<a id="10.4.3" href="#"></a> <a id="10.4.3.charactersinservergeneratedpaths" href="#"></a> <a id="charactersinservergeneratedpaths" href="#"></a> <h3 class="head"><span class="numb">10.4.3</span><span class="text">Characters In Server-Generated Paths</span></h3> <p> When the server generates a path to be returned to the browser, either in a viewable page such as a directory listing or error message, or as a part of the HTTP transaction such as a redirection, the path will contain the URL-encoded equivalent of the <span class="high italic">canonical form</span> of an extended file specification escaped character. For example, the file name "This^_and^_that.txt" will be represented by "This%20and%20that.txt". <p> When presenting a file name in a viewable page the general rule is to also provide this URL-equivalent of the unescaped file name, with a small number of exceptions. The first is a directory listing where VMS format has been requested by including a version component in the request file specification. The second is in similar fashion, but with the <span class="high italic">tree</span> facility, displaying a directory tree. The third is in the navigation page of the <span class="high italic">UPDate</span> menu. In all of the instances the canonical form of the extended file specification is presented (although any actual reference to the file is URL-encoded as described above). <a id="10.5" href="#"></a> <a id="10.5.rules" href="#"></a> <a id="rules" href="#"></a> <h2 class="head"><span class="numb">10.5</span><span class="text">Rules</span></h2> <p> These are the categories of mapping rules. 
<ul class="list"> <li class="item"> Map paths to the file system, and to other paths: <ul class="list simple list0"> <li class="item"> MAP <li class="item"> PASS <li class="item"> FAIL <li class="item"> REDIRECT <li class="item"> USER </ul> <li class="item"> Provide access to scripting: <ul class="list simple list0"> <li class="item"> EXEC <li class="item"> SCRIPT <li class="item"> UXEC </ul> <li class="item"> Sets characteristics against particular paths: <ul class="list simple list0"> <li class="item"> SET </ul> </ul> <a id="10.5.1" href="#"></a> <a id="10.5.1.mappassfailrules" href="#"></a> <a id="mappassfailrules" href="#"></a> <h3 class="head"><span class="numb">10.5.1</span><span class="text">MAP, PASS, FAIL Rules</span></h3> <ol class="list"> <li class="item"> <span class="high bold">map <span class="high italic">template result</span></span> <p> If the URL path matches the template, substitute the <span class="high italic">result</span> string for the path and use that for further rule processing. Both template and result paths must be absolute (i.e. begin with "/"). <li class="item"> <span class="high bold">pass <span class="high italic">template</span> </span> <br> <span class="high bold">pass <span class="high italic">template result</span> </span> <br> <span class="high bold">pass <span class="high italic">template "999 message text"</span> </span> <br> <span class="high bold">pass <span class="high italic">template "200 $command"</span> </span> <p> If the URL path matches the template, substitute the result if present (if not just use the original URL path), processing no further rules. <p> The <span class="high italic">result</span> should be either a physical VMS file system specification in URL format or an <span class="high italic">HTTP status-code message</span> (see below). If there is a direct correspondence between the <span class="high italic">template</span> and <span class="high italic">result</span> the result may be omitted. 
<div class="note"><a id="10.5.1.0.0.1" href="#"></a> <a id="10.5.1.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The PASS directive is also used to <span class="high italic">reverse-map</span> VMS file specifications to the URL path format equivalent. See <a class="link" href="#10.6.reversemapping">10.6 Reverse Mapping</a>. <hr class="note_hr"> </div> <p> <span class="high bold">An HTTP status-code message</span> can be provided as a result. The server then generates a response corresponding to that status code containing the supplied message. Status-code results should be enclosed in one of single or double quotes, or curly braces. See examples. A 3<span class="high italic">nn</span> status results in a redirection response with the message text comprising the location. Codes 4<span class="high italic">nn</span> and 5<span class="high italic">nn</span> result in an error message. Other code ranges (e.g. 0, 1<span class="high italic">nn</span>, 2<span class="high italic">nn</span>, etc.) simply cause the connection to be immediately dropped, and can be used for that purpose (i.e. no indication of why!) <p> <span class="high bold">A 200 with following $</span> will cause the DCL script processor to execute the command. The output will be returned to the client. <li class="item"> <span class="high bold">fail <span class="high italic">template</span> <p> If the URL path matches the template, prohibit access, processing no further rules. The template path must be absolute (i.e. begin with "/"). 
</span> </ol> <a id="10.5.2" href="#"></a> <a id="10.5.2.redirectrule" href="#"></a> <a id="redirectrule" href="#"></a> <h3 class="head"><span class="numb">10.5.2</span><span class="text">REDIRECT Rule</span></h3> <ol class="list"> <li class="item"> <span class="high bold">redirect <span class="high italic">template</span> <span class="high italic">result</span></span> <p> If the URL path matches the template, substitute the <span class="high italic">result</span> string for the path. Process no further rules. Redirection rules can provide result URLs in one of a number of formats, each with a slightly different behaviour. <ol class="list"> <li class="item"> The <span class="high italic">result</span> can be a full URL ("http://host.domain/path/to/whatever"). This is used to redirect requests to a specific service, usually on another host. A <span class="high italic">result</span> may or may not contain a fixed query string ("/path/to/whatever?one=two"). <li class="item"> If the scheme (e.g. "http:") is omitted the scheme of the current request is substituted. This allows HTTP requests to be transparently redirected via HTTP and HTTPS (SSL) requests via HTTPS (e.g. "//host.domain/path/to/whatever", note the leading double-slash). <li class="item"> In a similar fashion both the scheme and the host name may be omitted (e.g. "///path/to/whatever", note the leading triple-slash). The server then substitutes the appropriate request scheme and host name before returning the redirection to the client. <li class="item"> If the scheme is provided but no host component the current request's host information is substituted and the redirection made using that (e.g. "https:///secure/path/to/whatever"). This effectively allows a request to be redirected from standard to SSL, or from SSL to standard HTTP on the same server. 
<li class="item"> As a variation on this, if no host but a port number is present, the redirection is to the (presumably) non-standard port on that same host. <p> See <a class="link" href="#10.7.mappingexamples">10.7 Mapping Examples</a> for examples of each of these. <li class="item"> Alternatively, it may be just a path ("/path/to/whatever", a single leading slash), which will cause the server to <span class="high under">internally</span> generate an entire new request structure to process the new path (i.e. request redirection is not returned to the client). <div class="note"><a id="10.5.2.0.0.1" href="#"></a> <a id="10.5.2.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Internal redirection (as this is termed) is a fundamental mechanism available with WASD to completely change the request path and/or query string components for the request - transparently to the client. It is essentially a complete rewrite of the request. <hr class="note_hr"> </div> <li class="item"> Full request URI rewriting (path and any query string) is available using the <span class="high italic">map=uri</span> path SETing (<a class="link" href="#10.5.5.setrule">10.5.5 SET Rule</a>). <li class="item"> Only if the <span class="high under">last</span> character in the <span class="high italic">result</span> is a question mark ("?") will any query string in the original be propagated into the redirection URL (that is the original request "/original/test.txt?plus=query" is mapped using "redirect /original/* /path/to/*?" does the resulting URL become "/path/to/test.txt?plus=query"). </ol> </ol> <a id="10.5.3" href="#"></a> <a id="10.5.3.userrule" href="#"></a> <a id="userrule" href="#"></a> <h3 class="head"><span class="numb">10.5.3</span><span class="text">USER Rule</span></h3> <p> The USER rule maps a VMS user account default device and directory (i.e. 
<span class="high italic">home</span> directory) into a request path. That is, the base location for the request is obtained from the VMS systems SYSUAF file. This is usually invoked by a request path in the form "/~username/", see <a class="link" href="#10.9.mappinguserdirectories">‘Mapping User Directories’ in 10.9 Conditional Mapping</a> for more detailed information. <ol class="list"> <li class="item"> <span class="high bold">user <span class="high italic">template</span> <span class="high italic">result</span></span> <p> If the path matches the template then the result is substituted, with the following conditions. At least one wildcard must be present. The first wildcard in the result substitutes the username's home directory into the path (in place of the "~username"). Any subsequent wildcard(s) substitute corresponding part(s) of the original path. <p> If the user DANIEL's default device and directory were <div class="blockof code">USER$DISK:[DANIEL] </div> the following rule <div class="blockof code">user /~*/* /*/www/* </div> would result in the following path being mapped and used <div class="blockof code">/user$disk/daniel/www/ </div> </ol> <div class="note"><a id="10.5.3.0.0.1" href="#"></a> <a id="10.5.3.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Accounts that possess SYSPRV, are CAPTIVE, have been DISUSERED or that have expired passwords will not be mapped. A "directory not found" error report is returned. <hr class="note_hr"> </div> <a id="10.5.4" href="#"></a> <a id="10.5.4.execuxecandscriptscriptmappingrules" href="#"></a> <a id="execuxecandscriptscriptmappingrules" href="#"></a> <h3 class="head"><span class="numb">10.5.4</span><span class="text">EXEC/UXEC and SCRIPT, Script Mapping Rules</span></h3> <p> Also see <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting Environment</a> for further information. 
<p> The EXEC/UXEC and SCRIPT directives have the <span class="high bold">variants EXEC+/UXEC+ and SCRIPT+</span>. These behave in exactly the same fashion and simply mark the rule as representing a CGIplus script environment. <p> The EXEC/UXEC rules map script <span class="high bold">directories</span>. <p> The SCRIPT rule maps script <span class="high bold">file names</span>. It behaves a little differently to the EXEC rule, essentially supplying in a single rule the effect of a MAP then an EXEC rule. <p> Both rules must have a <span class="high italic">template</span> and <span class="high italic">result</span>, and both must end in a wildcard asterisk. The placement of the wildcards and the subsequent functionality is slightly different however. Both template and result paths must be absolute (i.e. begin with "/"). <ol class="list"> <li class="item"> <span class="high bold">exec <span class="high italic">template result</span> </span> <p> The EXEC rule requires the <span class="high italic">template</span>'s asterisk to immediately follow the slash terminating the directory specification containing the scripts. The script name follows immediately as part of the wildcard-matched string. For example: <div class="blockof code">exec /htbin/* /wasd_root/script/* </div> <p> If the URL path matches the template, the result, including the first slash-terminated part of the wildcard-matched section, becomes the URL format physical VMS file specification of the script to be executed. What remains of the original URL path is used to create the path information. Process no further rules. <p> Hence, the EXEC rule will match multiple script specifications without further rules, the script name being supplied with the URL path. As a consequence any script (i.e. procedure, executable) in the specified directory is accessible, a possible security concern if script management is distributed, because anything placed in that directory can then be activated by URL. 
<li class="item"> <span class="high bold">exec <span class="high italic">template (run-time-environment)result</span> </span> <p> A variation on the "exec" rules allows a Run-Time Environment (RTE) to be mapped. An RTE is a persistent scripting environment not unlike CGIplus. The essential difference is an RTE provides an environment in which a variety of scripts can be run. It is often an interpreter, such as Perl, where the advantages of persistence (reduced response latency and system impact) are available. For more information on RTEs and how they operate see the <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting Environment</a> document. <p> The RTE executable is specified in parentheses prefixed to the mapping result, as shown in this example: <div class="blockof code">exec /pl-bin/* (cgi-bin:[0000000]perlrte.exe)/wasd_root/src/perl/* </div> <li class="item"> <span class="high bold">script <span class="high italic">template result</span> </span> <p> The SCRIPT rule requires the <span class="high italic">template</span>'s asterisk to immediately follow the <span class="high italic">unique string</span> identifying the script in the URL path. The wildcard-matched string is the following path, and is supplied to the script. For example: <div class="blockof code">script /conan* /wasd_root/script/conan* </div> <p> If the URL path matches the template, the result becomes the URL format physical VMS file specification for the DCL procedure of the script to be executed (the default file extension of ".COM" is not required). What remains of the original URL path is used to create the path information. Process no further rules. <div class="note"><a id="10.5.4.0.0.1" href="#"></a> <a id="10.5.4.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The wildcard asterisk is best located immediately after the unique script identifier. 
In this way there does not need to be any path supplied with the script. If even a slash follows the script identifier it may be mapped into a file specification that may or may not be meaningful to the script. <hr class="note_hr"> </div> <p> Hence, the SCRIPT rule will match only the script specified in the <span class="high italic">result</span>, making for finely-granular scripting at the expense of a rule for each script thus specified. It also implies that only the script name need precede any other path information. <p> It may be thought of as a more efficient implementation of the equivalent functionlity using two CERN rules, as illustrated in the following example: <div class="blockof code">map /conan* /script/conan* exec /cgi-bin/* /cgi-bin/* </div> <li class="item"> <span class="high bold">uxec <span class="high italic">template result</span> </span> <p> The UXEC rule is an analog to the EXEC rule, except it is used to map user scripts. It requires two mapping asterisks, the first for the username, the second for the script name. It must be used in conjunction with a SET <span class="high italic">script=as=~</span> rule. For example: <div class="blockof code">SET /~*/cgi-bin/* script=as=~ UXEC /~*/cgi-bin/* /*/www/cgi-bin/* </div> <p> For further information see <a class="link" href="#10.10.1.useraccountscripting">‘User Account Scripting’ in 10.10.1 Using The SYSUAF</a> and the <a class="link blank" target="_blank" href="../scripting/#introduction">Introduction</a> of <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting Environment</a>. </ol> <a id="10.5.4.0.1" href="#"></a> <a id="10.5.4.scriptlocation" href="#"></a> <a id="scriptlocation" href="#"></a> <h5 class="head"><span class="text">Script Location</span></h5> <p> It is conventional to locate script images in WASD_ROOT:[AXP-BIN] or WASD_ROOT:[X86_64-BIN] (depending on the platform), and procedures, etc. in WASD_ROOT:[CGI-BIN]. 
These multiple directories are accessible via the single search list logical CGI-BIN. <p> Script files can be located in areas completely outside of the WASD_ROOT tree. Two approaches are available. <ol class="list"> <li class="item"> Modify the search list CGI-BIN to include the additional directories. This should only be done with extreme care, as every script in an added directory becomes accessible through any EXEC rule that maps to CGI-BIN. <li class="item"> Use mapping rules to make the script accessible. This can be done by using the EXEC or SCRIPT rule to specify the directory directly as in these examples <div class="blockof code">exec /mycgi-bin/* /site_local_scripts/bin/* script /myscript* /web/myscripts/bin/myscript.exe* </div> or by using the MAP rules to make a hierarchy of script locations obvious and accessible, as in this example <div class="blockof code">map /cgi-bin/myscripts/* /cgi-bin_myscripts/* exec /cgi-bin_myscripts/* /web/myscripts/bin/* </div> </ol> <a id="10.5.4.0.2" href="#"></a> <a id="10.5.4.execdirectoriesandexecfiles" href="#"></a> <a id="execdirectoriesandexecfiles" href="#"></a> <h5 class="head"><span class="text">EXEC Directories and EXEC Files</span></h5> <p> Generally directories are specified as locations for script files. This is the more common application, with the EXEC rules used as in this example <div class="blockof code">exec /cgi-bin/* /cgi-bin/* </div> <p> Mapping a file type into an EXEC behaviour is also supported. This allows all files within the specified path and with the matching file suffix (extension) to be activated as scripts. Of course a script runtime must be available for the server to be able to activate it. The following example demonstrates mapping all files ending in .CGI in the /web/ tree as executable scripts. 
<div class="blockof code">exec /web/*.cgi* /web/*.cgi* </div> <div class="note"> <a id="10.5.4.0.3" href="#"></a> <a id="10.5.4.warning" href="#"></a> <a id="warning" href="#"></a> <h5 class="head center"><span class="text">WARNING</span></h5> <hr class="note_hr"> Remember scripts are <span class="high bold">executables</span>. Enabling scripting in a general user area allows <span class="high bold">any</span> user to write and execute any script, by default under the scripting account. Deploy with discretion. <hr class="note_hr"> </div> <a id="10.5.5" href="#"></a> <a id="10.5.5.setrule" href="#"></a> <a id="setrule" href="#"></a> <h3 class="head"><span class="numb">10.5.5</span><span class="text">SET Rule</span></h3> <p> The SET rule does not change the mapping of a path, it just sets one or more characteristics against that path that affect the subsequent processing in some way. It is a general purpose rule that conveniently allows the administrator to tell the server to process requests with particular paths in some ad hoc and generally useful fashion. Most SET parameters are single keywords that act as boolean switches on the request, some require parameter strings. Multiple space-separated parameters may be set against the one path in a single SET statement. <ul class="list"> <li class="item"> <span class="high bold">ACCEPT=LANG=<span class="high italic"><parameter></span> – </span> Allows a path to be marked for language-variant document processing. 
<table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">ACCEPT=LANG= DEFAULT=<span class="high italic"><language></span> <td class="tabd">sets the default language <tr class="tabr"> <td class="tabd">ACCEPT=LANG= CHAR=<span class="high italic"><character></span> <td class="tabd">sets the delimiting character <tr class="tabr"> <td class="tabd">ACCEPT=LANG= VARIANT=<span class="high italic"><name>|<type></span> <td class="tabd">allows the alternate file-type variant to be specified <tr class="tabr"> <td class="tabd">ACCEPT=LANG= (DEFAULT=<span class="high italic"><language></span>, <br> CHAR=<span class="high italic"><character></span>) <td class="tabd">sets both (etc.) <tr class="tabr"> <td class="tabd">NOACCEPT=LANG <td class="tabd">disables language variant processing (on a subtree for example) </table> <p> For detailed configuration information see <a class="link" href="#2.8.languagevariants">2.8 Language Variants</a>. <li class="item"> <span class="high bold">ALERT[=<span class="high italic"><keyword></span>] – </span> Marks a path as being of specific interest. When a request containing this path is detected by the server it puts a message into the the server process log and perhaps of greater immediate usefulness the increase in alert hits is detected by HTTPDMON and this (optionally) provides an audible alert. The following is ordered according to how early in processing the alert is signalled. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">ALERT=MAP <td class="tabd">generates this alert immediately after path mapping (i.e. before the request actually begins being processed) <tr class="tabr"> <td class="tabd">ALERT=AUTH <td class="tabd">after authorization (i.e. 
when any remote username has been resolved) <tr class="tabr"> <td class="tabd">ALERT=<span class="high italic"><integer></span> <td class="tabd">if the response HTTP status matches the specific integer <tr class="tabr"> <td class="tabd">ALERT=END <td class="tabd">at the conclusion of processing (the default) <tr class="tabr"> <td class="tabd">NOALERT <td class="tabd">cancels alerts on this path (perhaps subpath) </table> <li class="item"> <span class="high bold">AUTH=<span class="high italic"><keyword></span> – </span> Changes the specified characteristic during subsequent authorization processing. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">[NO]AUTH=ALL <td class="tabd">All requests matching this path must have been subject to authorization or fail with a forbidden status. This is a per-path equivalent of implementing the per-server /AUTHORIZE=ALL policy, and is a little "belt and braces" in a certain sense, but does permit a site to further avoid unintended information leakage (in this case through the failure to ensure a given path has authorization). <tr class="tabr"> <td class="tabd">[NO]AUTH=ONCE <td class="tabd">If a request path contains both a script component and a resource component by default the WASD server makes sure both parts are authorized before allowing access. This can be disabled using this path setting. When this is done only the original request path undergoes authorization. <tr class="tabr"> <td class="tabd">AUTH=REVALIDATE=<span class="high italic"><hh:mm:ss></span> <td class="tabd">Authorization is cancelled and the client requested to reenter the username and password if this period expires between authorized requests. Overrides configuration directive [AuthRevalidateUserMinutes]. 
<tr class="tabr"> <td class="tabd">AUTH=SYSUAF= PWDEXPURL=<span class="high italic"><string></span> <td class="tabd">Parallels the [AuthSysUafPwdExpURL] configuration directive, allowing it to be set on a per-path or virtual service basis. </table> <li class="item"> <span class="high bold">CACHE=<span class="high italic"><keyword></span> – </span> The default is to cache files (when caching is enabled, <a class="link" href="#9.cacheconfiguration">9. Cache Configuration</a>). <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">CACHE=NONE <td class="tabd">disables caching of files matching this rule <tr class="tabr"> <td class="tabd">CACHE=EXPIRES=0 <td class="tabd">cancels previous mapped expiry <tr class="tabr"> <td class="tabd">CACHE=EXPIRES=DAY <td class="tabd">expires on change of day <tr class="tabr"> <td class="tabd">CACHE=EXPIRES=HOUR <td class="tabd">expires on change of hour <tr class="tabr"> <td class="tabd">CACHE=EXPIRES=MINUTE <td class="tabd">expires on change of minute <tr class="tabr"> <td class="tabd">CACHE=EXPIRES=<span class="high italic"><period></span> <td class="tabd">sets the expiry period for the entry <tr class="tabr"> <td class="tabd">CACHE=GUARD=<span class="high italic"><period></span> <td class="tabd">sets the guard period (no reload) for the cache entry <tr class="tabr"> <td class="tabd">CACHE=MAX=<span class="high italic"><integer></span> <td class="tabd">cache files up to this many kilobytes (overrides [CacheFileKBytesMax]) <tr class="tabr"> <td class="tabd">CACHE=[NO]CGI <td class="tabd">cache CGI-compliant (script) responses <tr class="tabr"> <td class="tabd">CACHE=[NO]FILE <td class="tabd">cache files matching this rule (the default) <tr class="tabr"> <td class="tabd">CACHE=[NO]NET <td class="tabd">cache any network output <tr class="tabr"> <td class="tabd">CACHE=[NO]NPH <td class="tabd">cache NPH (non-parse-header script) responses <tr 
class="tabr"> <td class="tabd">CACHE=[NO]SCRIPT <td class="tabd">cache both CGI and NPH responses <tr class="tabr"> <td class="tabd">CACHE=[NO]SSI <td class="tabd">cache SSI document responses <tr class="tabr"> <td class="tabd">CACHE=[NO]QUERY <td class="tabd">cache (script) regardless of containing a query string <tr class="tabr"> <td class="tabd">CACHE=[NO]PERM <td class="tabd">permanently cache these files </table> <li class="item"> <span class="high bold">CGIPLUSIN=<span class="high italic"><keyword></span> – </span> Provides control over how CGIplus records on the CGIPLUSIN stream are carriage controlled and how the stream is terminated. A little esoteric certainly; ask Alex Ivanov ;-) <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">CGIPLUSIN=CC=NONE <td class="tabd">no carriage control <tr class="tabr"> <td class="tabd">CGIPLUSIN=CC=LF <td class="tabd">each record has a trailing line feed (0x0a) <tr class="tabr"> <td class="tabd">CGIPLUSIN=CC=CR <td class="tabd">a trailing carriage return (0x0d) <tr class="tabr"> <td class="tabd">CGIPLUSIN=CC=CRLF <td class="tabd">a trailing line feed then carriage return (0x0d0a) <tr class="tabr"> <td class="tabd">CGIPLUSIN=[NO]EOF <td class="tabd">the end of the record stream is indicated using an end-of-file </table> <li class="item"> <span class="high bold">CGIPREFIX=<span class="high italic"><string></span> – </span> CGI environment variable names are by default prefixed with "WWW_". This may be changed on a per-path basis using this SET rule. To remove the prefix altogether for selected scripts use "CGIprefix=". <li class="item"> <span class="high bold">CHARSET=<span class="high italic"><string></span> – </span> This setting allows overriding of the server default ([CharsetDefault] configuration parameter) content-type character set (in the response header) for text files (plain and HTML). 
A string is required as in the following example, "charset=ISO-8859-5". <li class="item"> <span class="high bold">CLIENT=<span class="high italic"><keyword></span> – </span> Client IP address data is often used during conditional mapping and as represented by CGI variable data in scripts and interpreter environments. This setting allows an up-stream proxy/accelerator to provide the actual client IP address via request header and have that data substitute for the intrinsic IP address of the up-stream proxy. This provides a level of transparency to server processing via such a proxy. As the header is part of the request, a client connecting directly can supply any address it chooses; apply the setting only to paths or services that are reached solely through the trusted up-stream proxy. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">CLIENT=FORWARDED <td class="tabd">Substitute the (first) address from the "Forwarded:" request header. Return a 403 status if no "Forwarded:" header present. <tr class="tabr"> <td class="tabd">CLIENT=IF=FORWARDED <td class="tabd">As above but the absence of a "Forwarded:" request header is not fatal. <tr class="tabr"> <td class="tabd">CLIENT=LITERAL=<span class="high italic"><string></span> <td class="tabd">Substitute the following string. Intended for testing purposes. <tr class="tabr"> <td class="tabd">CLIENT=RESET <td class="tabd">Reset the substituted client data to the original (up-stream proxy). <tr class="tabr"> <td class="tabd">CLIENT=XFORWARDEDFOR <td class="tabd">Substitute the (first) address from the "X-Forwarded-For:" request header. Return a 403 status if no "X-Forwarded-For:" header present. <tr class="tabr"> <td class="tabd">CLIENT=IF=XFORWARDEDFOR <td class="tabd">As above but the absence of a "X-Forwarded-For:" request header is not fatal. </table> <li class="item"> <span class="high bold">CONTENT=<span class="high italic"><string></span> – </span> The content-type of a file is normally determined by the file's type (extension). This setting allows files matching the template to be returned with the specified content-type. 
The content-type must be specified as a parameter, e.g. "content=application/binary". <li class="item"> <span class="high bold">CSS=<span class="high italic"><URI>|<URL></span> – </span> Provides a path (URI) or full URL to a stylesheet for a WASD-generated page (e.g. a directory listing). Adds a <div class="blockof code"><LINK REL="stylesheet" TYPE="text/css" HREF="<span class="high italic">uri</span>"> </div> to the page HTML header. <li class="item"> <span class="high bold">DICT=<span class="high italic"><key>=<value></span> – </span> Set a dictionary entry. See <a class="link" href="#5.5.dictionary">5.5 Dictionary</a>. <li class="item"> <span class="high bold">DIR=<span class="high italic"><keyword></span> – </span> Allows directory listing to be controlled on a per path basis. These parallel the coresponding configuration [Dir..] directives. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">DIR=[NO]ACCESS <td class="tabd">allows directory listing <tr class="tabr"> <td class="tabd">DIR=ACCESS=SELECTIVE <td class="tabd">allows directory listing if the directory contain the file .WWW_BROWSABLE <tr class="tabr"> <td class="tabd">DIR=DELIMIT=<span class="high italic"><keyword></span> <td class="tabd">header, footer, both, none <tr class="tabr"> <td class="tabd">DIR=[NO]ILINK <td class="tabd">icon plain-text link can be disabled <tr class="tabr"> <td class="tabd">DIR=[NO]IMPLIEDWILDCARD <td class="tabd">add wildcards if not in path <tr class="tabr"> <td class="tabd">DIR=SORT=<span class="high italic"><column></span> <td class="tabd">pre-sort a listing <tr class="tabr"> <td class="tabd">DIR=STYLE=<span class="high italic"><keyword></span> <td class="tabd">set the style of a directory listing <p> <ul class="list simple list0"> <li class="item"> "ANCHOR" the v8.2 thru v10.3 WASD style <li class="item"> "DEFAULT" the current WASD style (v10.4 and later) <li class="item"> 
"HTDIR" Alex Ivanov's HTdir style <li class="item"> "ORIGINAL" WASD traditional style (before v8.2) <li class="item"> "SORT" listing sortable on column <li class="item"> "TABLE" using HTML table layout (v10.4 and later) <li class="item"> "<span class="high italic">above</span>2" any of the above without horizontal rules </ul> <tr class="tabr"> <td class="tabd">DIR=TARGET=<span class="high italic"><string></span> <td class="tabd">open the file in another window <p> <ul class="list simple list0"> <li class="item"> "_blank" opens the file in a new window or tab <li class="item"> "_self" in the same frame <li class="item"> "_parent" in the parent frame <li class="item"> "_top" in the full body of the window <li class="item"> "<span class="high italic">framename</span>" in the named frame </ul> <tr class="tabr"> <td class="tabd">DIR=THESE=<span class="high italic"><filespec></span> <td class="tabd">restrict listing to specified filename(s) <tr class="tabr"> <td class="tabd">DIR=TITLE=<span class="high italic"><keyword></span> <td class="tabd">format the title of the window (tab) <p> <ul class="list simple list0"> <li class="item"> "0" (digit zero) suppress any title <li class="item"> "1..99" where 1 is the top-level directory (device), 2 is the second-level directory, 3 … 99 the current directory <li class="item"> "DEFAULT" the default for the directory <span class="high italic">style</span> <li class="item"> "OWNER" the VMS account owning the directory <li class="item"> "REMOTE" the remote user name (for X509 authentication the certificate common-name) <li class="item"> "THIS=<string>" a literal string </ul> <tr class="tabr"> <td class="tabd">DIR=VERSIONS=<span class="high italic"><integer></span> <td class="tabd">list the specified maximum number of file versions, or if an asterisk all versions <tr class="tabr"> <td class="tabd">DIR=[NO]WILDCARD <td class="tabd">allow a directory listing to be "forced" by including wildcards in the path </table> <li class="item"> 
<span class="high bold">[NO]EXPIRED – </span> This setting allows files in the specified paths to be sent pre-expired. The browser should always then reload them whenever accessed. <li class="item"> <span class="high bold">HTML=<span class="high italic"><keyword>=<string></span> – </span> Allows the <BODY> tag, and header and/or footer characteristics and text to be added to selected server generated pages such as directory listings and error messages. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">HTML=BODYTAG= <td class="tabd">specifies the page <BODY> tag characteristics (e.g. html=bodytag="BGCOLOR=#ffffff") <tr class="tabr"> <td class="tabd">HTML=HEADER= <td class="tabd">the page header text <tr class="tabr"> <td class="tabd">HTML=HEADERTAG= <td class="tabd">the <TD> tag characteristics of the header table (e.g. html=headertag="BGCOLOR=#cccccc") <tr class="tabr"> <td class="tabd">HTML=FOOTER= <td class="tabd">the page footer text <tr class="tabr"> <td class="tabd">HTML=FOOTERTAG= <td class="tabd">the <TD> tag characteristics of the footer table </table> <p> The <span class="high italic">headertag</span> and <span class="high italic">footertag</span> directives also allow the full table tag to be specified, allowing greater flexibility with these parts of the page (e.g. html=footertag="<TABLE BORDER=1 CELLPADDING=10 CELLSPACING=0><TR><TD BGCOLOR=#cccccc>". <li class="item"> <span class="high bold">HTTP=<span class="high italic"><parameter></span> – </span> Explicitly sets an aspect of the HTTP request header. 
<table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">HTTP=ACCEPT-CHARSET=<span class="high italic"><string></span> <td class="tabd">the "Accept-Charset:" field <tr class="tabr"> <td class="tabd">HTTP=ACCEPT-LANGUAGE=<span class="high italic"><string></span> <td class="tabd">the "Accept-Language:" field </table> <li class="item"> <span class="high bold">HTTP2=<span class="high italic"><parameter></span> – </span> Controls an aspect of an HTTP/2 connection, or initiates an action on that connection. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">HTTP2=PROTOCOL=1.1 <td class="tabd">send the client an HTTP_1_1_REQUIRED error which should cause it to re-request as HTTP/1.1 <tr class="tabr"> <td class="tabd">HTTP2=SEND=GOAWAY[=<span class="high italic"><integer></span>] <td class="tabd">send the client a connection GOAWAY frame with optional error number <tr class="tabr"> <td class="tabd">HTTP2=SEND=PING <td class="tabd">send the client an HTTP/2 ping <tr class="tabr"> <td class="tabd">HTTP2=SEND=RESET[=<span class="high italic"><integer></span>] <td class="tabd">send the client a stream (request) reset (close) with optional error number <tr class="tabr"> <td class="tabd">HTTP2=WRITE=<span class="high italic">LOW|NORMAL|HIGH</span> <td class="tabd">this stream (request) will write to the network at the specified priority relative to other data on the connection </table> <li class="item"> <span class="high bold">INDEX=<span class="high italic"><string></span> – </span> This setting provides the "Index of" (directory listing) format string for directory paths matching the template. It uses the same formatting as can be supplied with a URL and overrides any query string passed via any URL. 
<li class="item"> <span class="high bold">[NO]LOG – </span> When server access logging is enabled the default is to log all requests. The NOLOG setting suppresses logging for requests involving the specified path template. <li class="item"> <span class="high bold">MAP=<span class="high italic"><parameter></span> – </span> Controls aspects of the mapping processing itself (from that point in the rules onwards of course). <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">[NO]MAP=ELLIPSIS <td class="tabd">By default the use of the VMS file specification ellipsis wildcard ("...") is not allowed. This setting enables it for the path specified. Use with caution, as the ellipsis wildcard matches all subdirectories below that point. <tr class="tabr"> <td class="tabd">[NO]MAP=ONCE <td class="tabd">Normally, when a script has been identified during mapping, the resultant path information is also mapped in a second pass. This can be suppressed by SETing the path as MAP=ONCE. The resultant path is then given to the script without further processing. <tr class="tabr"> <td class="tabd">MAP=RESTART <td class="tabd">Causes an immediate change to the order of rule processing. Instead of the next rule, the first rule in the configuration is processed. This is intended to remove the need for copious repetition in the rule set. A common processing block, or set of common processing blocks, can be established near the start of the rule set and be given requests from processing points further down in the rules. It is intended to be used only once or perhaps twice and will abort the request if it occurs too often. Can be detected using the <span class="high italic">restart:</span> conditional (<a class="link" href="#5.3.conditionalkeywords">5.3 Conditional Keywords</a>). Use with caution! Injudicious use would make unexpected mappings expected! 
<tr class="tabr"> <td class="tabd">[NO]MAP=ROOT=<span class="high italic"><string></span> <td class="tabd">Prefixes the results of following rules with the specified path so that they are all subordinate to it. This also populates the DOCUMENT_ROOT CGI variable. See <a class="link" href="#2.2.documentroot">‘Document Root’ in 2.2 Site Organisation</a>. <tr class="tabr"> <td class="tabd">[NO]MAP=SET=IGNORE <td class="tabd">All path SETings following an IGNORE are completely ignored (not applied to the mapping or request characteristics) until a subsequent NOIGNORE is encountered. <tr class="tabr"> <td class="tabd">[NO]MAP=SET=REQUEST <td class="tabd">All path SETings following a NOMAP=SET=REQUEST are only applied to the mapping and not to the request's characteristics until a subsequent MAP=SET=REQUEST is encountered. Intended for use during callouts. These can be detected using the <span class="high italic">callout:</span> conditional (<a class="link" href="#5.3.conditionalkeywords">5.3 Conditional Keywords</a>). <tr class="tabr"> <td class="tabd">[NO]MAP=URI <td class="tabd">Normally mapping is performed on the request path. This SETing replaces the path with the full, raw, request URI (undecoded path plus any query string). This allows subsequent mapping rules to be applied to the full URI and therefore path components to be remapped into query components, and query components into path components (using specified substitution, see <a class="link" href="#4.4.expressionsubstitution">4.4 Expression Substitution</a>). </table> <li class="item"> <span class="high bold">NOTEPAD=[+]<span class="high italic"><string></span> – </span> The <span class="high italic">request notepad</span> is a string storage area that can be used to store and retrieve ad hoc information during path mapping and subsequent authorization processing.
Multiple <span class="high italic">notepad=string</span> set against the one request override previous settings unless preceded by a leading plus symbol, when it appends. These contents then can be subsequently detected using the <span class="high italic">notepad:</span> conditional keyword (<a class="link" href="#5.3.1.notepadkeyword">5.3.1 Notepad: Keyword</a>) or the obsolescent 'NO' mapping conditional. <li class="item"> <span class="high bold">ODS=<span class="high italic"><keyword></span> – </span> Directs the server on how to process file names for naming conventions other than ODS-2 (the default). Be sure to add an asterisk at the end of the specific ODS path otherwise only the top-level will set! <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">ODS=2 <td class="tabd">is basically redundant, because if a path is not indicated as anything else it is assumed to be ODS-2. This can be used for clarity in the mapping rules if required. <tr class="tabr"> <td class="tabd">ODS=5 <td class="tabd">is used to indicate that a particular path maps to files on an ODS-5 (EFS) volume and so the names may comply to extended specifications. This changes the way file names are processed, including for example the replacement of invalid RMS characters (see below). <tr class="tabr"> <td class="tabd">ODS=ADS <td class="tabd">is used to process file names that are encoded using the Advanced Server (PATHWORKS 6) schema. <tr class="tabr"> <td class="tabd">ODS=NAME=<span class="high italic">8BIT|UTF8|DEFAULT</span> <td class="tabd">When a file is PUT (created) using WebDAV or upload, for non-7bit ASCII file names use native ODS-5 8bit syntax (default) or UTF-8 encoded character sequences. <tr class="tabr"> <td class="tabd">ODS=PWK <td class="tabd">is used for processing file names encoded using the PATHWORKS 4/5 schema. 
<tr class="tabr"> <td class="tabd">ODS=SMB <td class="tabd">is a synonym for ODS=ADS and makes clear the path is also being served by Samba. <tr class="tabr"> <td class="tabd">ODS=SRI <td class="tabd">for file names encoded using the SRI schema (used by MultiNet and TCPware NFS, FTP and other utilities). </table> <li class="item"> <span class="high bold">QUERY-STRING=<span class="high italic"><string></span> – </span> Set the request's query string to that specified in the directive. Overloads any current query string. Specify URL-encoded if the characters require it. <li class="item"> <span class="high bold">PROXY=<span class="high italic"><parameter></span> – </span> Sets an aspect of proxy request processing. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">PROXY=[NO]AFFINITY <td class="tabd">sets client to origin server affinity. <tr class="tabr"> <td class="tabd">PROXY=BIND=<span class="high italic"><ip-address></span> <td class="tabd">makes outgoing proxy requests appear to originate from this IP address. Must be an address that the media can be bound to. <tr class="tabr"> <td class="tabd">PROXY=CHAIN=<span class="high italic"><host:port></span> <td class="tabd">makes outgoing proxy requests chain to this up-stream proxy server. <tr class="tabr"> <td class="tabd">PROXY=CHAIN=CRED=<span class="high italic"><username:password></span> <td class="tabd">provides proxy authentication credentials to an up-stream proxy server. As the credentials appear in the rule itself, read access to the mapping configuration should be restricted accordingly. <tr class="tabr"> <td class="tabd">PROXY=FORWARDED <td class="tabd">controls generation of a proxy "Forwarded:" request field. This optional field contains information on the proxy server and as a further option the client name or IP address. <p> <ul class="list simple list0"> <li class="item">"PROXY=NOFORWARDED" disables <li class="item">"PROXY=FORWARDED[=BY]" contains the <span class="high italic">by</span> component.
<li class="item">"PROXY=FORWARDED=FOR" contains <span class="high italic">by</span> and the <span class="high italic">for</span> components (client host name). Also used with WASD_TUNNEL (proxy tunneling). <li class="item">"PROXY=FORWARDED=ADDRESS" contains <span class="high italic">by</span> and the <span class="high italic">for</span> components (client host address). Also used with WASD_TUNNEL (proxy tunneling). </ul> <tr class="tabr"> <td class="tabd">PROXY=HEADER=<span class="high italic"><name></span>[=<span class="high italic"><string></span>] <td class="tabd">removes or sets the value of the specified proxied request header. Examples: <p> <ul class="list simple list0"> <li class="item">"PROXY=HEADER=referer" would remove the "Referer:" header field from the proxied request <li class="item">"PROXY=HEADER=referer=http://whatever/" would set the "Referer:" header field to the specified URL <li class="item">"PROXY=HEADER=user-agent=Nosey 1.0" would set the "User-Agent:" header field to "Nosey 1.0" </ul> <tr class="tabr"> <td class="tabd">PROXY=REVERSE=[NO]AUTH <td class="tabd">suppresses propagation of any "Authorization:" header. <tr class="tabr"> <td class="tabd">PROXY=REVERSE=LOCATION=<span class="high italic"><string></span> <td class="tabd">rewrites the matching "Location:" header field URL of a 302 response from an internal, reverse-proxied server. <tr class="tabr"> <td class="tabd">PROXY=REVERSE=[NO]VERIFY <td class="tabd">sets a specialized authorization capability. See <a class="link blank" target="_blank" href="/wasd_root/src/httpd/proxyverify.c">WASD_ROOT:[SRC.HTTPD]PROXYVERIFY.C</a> for further information. <tr class="tabr"> <td class="tabd">PROXY=REWORK=<span class="high italic"><string></span> <td class="tabd">rework the response (see <a class="link blank" target="_blank" href="../features/#reworkproxyresponse">Rework Proxy Response</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>).
<tr class="tabr"> <td class="tabd">PROXY=TUNNEL=REQUEST=<span class="high italic"><string></span> <td class="tabd">allows the originating end of a WASD tunnel to specify an HTTP request line or even request header to be provided to the tunnel target end when the connection is established. <tr class="tabr"> <td class="tabd">PROXY=UNKNOWN <td class="tabd">causes the server to propagate all request fields provided by the client to the proxied server (by default WASD only propagates those it recognises). <tr class="tabr"> <td class="tabd">PROXY=XFORWARDEDFOR=<span class="high italic"><keyword></span> <td class="tabd">controls generation of a proxy "X-Forwarded-For:" request field. This optional field (a de facto standard originally from the <span class="high italic">Squid</span> caching package) contains the name or IP address of the proxied client. <p> <ul class="list simple list0"> <li class="item">"PROXY=NOXFORWARDEDFOR" disables <li class="item">"PROXY=XFORWARDEDFOR[=ENABLED]" enables <li class="item">"PROXY=XFORWARDEDFOR=ADDRESS" field contains client host address <li class="item">"PROXY=XFORWARDEDFOR=UNKNOWN" field contains <span class="high italic">unknown</span> for the client host name </ul> </table> <li class="item"> <span class="high bold">PUT=<span class="high italic"><parameter></span> – </span> Per-path control over HTTP POST or PUT request body. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">PUT=MAX=<span class="high italic"><integer> | *</span> <td class="tabd">Maximum number of kilobytes allowed for a request body, if "*" then effectively unlimited (per-path equivalent of the global directive [PutMaxKbytes]). <tr class="tabr"> <td class="tabd">PUT=RFM=<span class="high italic">FIX512|STM|STMCR|STMLF|UDF</span> <td class="tabd">When a request body is uploaded into the file-system and the content-type is not text this determines the file record format.
The precedence for determining the created file record format is [AddType] RFM:, then any per-path PUT=RFM= mapping rule, then [PutBinaryRFM], then the default of UDF. </table> <li class="item"> <span class="high bold">[NO]PROFILE – </span> When using the server /PROFILE qualifier allow or disallow the authentication profile when assessing access for a specific path. Must be used in conjunction with an equivalent authorisation rule (WASD_CONFIG_AUTH) flagging the profile use against an equivalent path (see <a class="link blank" target="_blank" href="../features/#sysuafsecurityprofile">SYSUAF Security Profile</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <li class="item"> <span class="high bold">REGEX=<span class="high italic"><keyword></span> – </span> The default regular expression syntax is POSIX EGREP but can be specified on a per-path basis using one of the following keywords; AWK, ED, EGREP, GREP, POSIX_AWK, POSIX_BASIC, POSIX_EGREP, POSIX_EXTENDED, POSIX_MINIMAL_BASIC, POSIX_MINIMAL_EXTENDED, SED. When changed from the default <span class="high italic">enabled</span> (WASD) case-insensitivity is lost. Reset expression syntax to global default using <span class="high italic">regex=default</span>. <span class="high bold">Note</span> that SETing the regular expression syntax in this way adds overhead as each expression then needs to be regex-compiled with each match. <li class="item"> <span class="high bold">REPORT=<span class="high italic"><parameter></span> – </span> This setting allows error and other server-generated reports for any specified path to be changed between <span class="high italic">detailed</span> and <span class="high italic">basic</span> (<a class="link" href="#2.10.1.basicanddetailed">2.10.1 Basic and Detailed</a>).
<table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">REPORT=BASIC <td class="tabd">include less detail in error message <tr class="tabr"> <td class="tabd">REPORT=DETAILED <td class="tabd">includes more detail <tr class="tabr"> <td class="tabd">REPORT=TUNNEL <td class="tabd">brief, non-HTML error messages suitable for proxy tunnel <tr class="tabr"> <td class="tabd">REPORT=4<span class="high italic"><nn></span>=<span class="high italic"><nnn></span> <td class="tabd">maps one 400 class HTTP status to another (to conceal the true origins of some error messages) </table> <li class="item"> <span class="high bold">RMSCHAR=<span class="high italic"><character></span> – </span> This setting applies to ODS-2 paths (the default) only. Paths SET as ODS-5 do not have this applied. During rule mapping of a path to a VMS file specification, if an RMS-invalid character (e.g. "+") or syntax (e.g. multiple periods) is encountered a dollar symbol is substituted in an attempt to make it acceptable. This setting provides an alternate substitution character. Any general RMS-valid character may be specified (e.g. alpha-numeric, '$', '-' or '_', although the latter three are probably the only REAL choices). A single character is required as in the following example, "RMSchar=_". <li class="item"> <span class="high bold">RESPONSE=<span class="high italic"><parameter></span> –</span> Provides control of the response header and/or content. 
<table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">RESPONSE=CSP=<span class="high italic"><parameter></span> <br> RESPONSE=CSPRO=<span class="high italic"><parameter></span> <td class="tabd">see <a class="link" href="#3.10.contentsecuritypolicycsp">3.10 Content Security Policy (CSP)</a> <tr class="tabr"> <td class="tabd"> <tr class="tabr"> <td class="tabd">RESPONSE=GZIP=<span class="high italic"><keyword></span> <td class="tabd">controls generation of GZIPed response bodies (<a class="link" href="#2.4.gzipencoding">2.4 GZIP Encoding</a>) <p> <ul class="list simple list0"> <li class="item"> "ALL" suitable responses <li class="item"> "NONE" of the responses <li class="item"> "<span class="high italic">integer</span>" kilobytes, responses known to be this size or greater </ul> <tr class="tabr"> <td class="tabd"><span class="high nowrap">RESPONSE=HEADER=<span class="high italic"><parameter></span></span> <td class="tabd">changes the way in which a response header is generated by the server. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">RESPONSE=HEADER=BEGIN <td class="tabd">suppresses the response header terminating empty line so that the file or other resource can supply additional header fields. It, of course, must supply the header-terminating empty line before beginning to supply the response body. <tr class="tabr"> <td class="tabd">RESPONSE=HEADER=FULL <td class="tabd">reverts to normal response header generation behaviour. <tr class="tabr"> <td class="tabd">RESPONSE=HEADER=NONE <td class="tabd">suppresses the normal response header generation. It is considered the file or other resource contains and will supply the full HTTP response (in a non-parse-header script fashion). 
<tr class="tabr"> <td class="tabd">RESPONSE=HEADER=ADD=<span class="high italic"><string></span> <td class="tabd">appends the specified string to the response header. Of course the string should be a legitimate HTTP response field and value line. This mapping can be used to add a particular response directive to matching requests. </table> <tr class="tabr"> <td class="tabd">RESPONSE=VAR=<span class="high italic"><parameter></span> <td class="tabd">where a response is being provided from a variable-length record file each record should be terminated as follows. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">RESPONSE=VAR=ASIS <td class="tabd">return records exactly as they are on-disk <tr class="tabr"> <td class="tabd"> <td class="tabd">(i.e. prefixed by the record length word) <tr class="tabr"> <td class="tabd">RESPONSE=VAR=CRLF <td class="tabd">carriage-return+line-feed (0x0D then 0x0A) <tr class="tabr"> <td class="tabd">RESPONSE=VAR=LF <td class="tabd">line-feed (0x0A) character (default) <tr class="tabr"> <td class="tabd">RESPONSE=VAR=NONE <td class="tabd">nothing should be appended to the record </table> </table> <li class="item"> <span class="high bold">SCRIPT=<span class="high italic"><parameter></span> – </span> Provides controls over various aspects of the scripting environment. <p> For scripting detail see the <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting Environment</a> document. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">SCRIPT=AS=<span class="high italic"><parameter></span> <td class="tabd">for non-server account scripting this rule allows the user account to be either explicitly specified or substituted through the use of the tilde character "~" or the dollar "$". 
<tr class="tabr"> <td class="tabd">SCRIPT=BIT-BUCKET=<span class="high italic"><hh:mm:ss></span> <td class="tabd">specifies the period for which a script continues to execute if the client disconnects. Overrides the WASD_CONFIG_GLOBAL [DclBitBucketTimeout] configuration directive. <tr class="tabr"> <td class="tabd">[NO]SCRIPT=BODY=DECODE <td class="tabd">instructs the server to decode (un-chunk and/or un-GZIP) an encoded request body before transferring it to the script. The script must be aware of this and change its processing accordingly. See <a class="link" href="#2.4.gzipencoding">2.4 GZIP Encoding</a>. <tr class="tabr"> <td class="tabd">SCRIPT=CONTROL=<span class="high italic"><string></span> <td class="tabd">Supply the specified string to the CGI processor as if a script had provided it using a "Script-Control:" response header field. <tr class="tabr"> <td class="tabd">SCRIPT=COMMAND=<span class="high italic"><string></span> <td class="tabd">allows additional parameters and qualifiers to be passed to the script activation command line. First parameter must be an asterisk to use the server resolved script command. If the first parameter is not an asterisk it substitutes for the script activation verb. Subsequent parameters must be as they would be used on the command line. The following setting <div class="blockof code">set /cgi-bin/example* script=command="* /ONE /TWO=THREE FOUR" </div> would result in the hypothetical script being command-line activated <div class="blockof code">$ EXAMPLE /ONE /TWO=THREE FOUR </div> <tr class="tabr"> <td class="tabd">SCRIPT=CPU=<span class="high italic"><hh:mm:ss></span> <td class="tabd">specifies that the server should not allow the script to use more than the specified quantity of CPU time. This is approximate, due to the way the server administers scripting. It can serve to prevent scripts from consuming indefinite quantities of system resources.
<tr class="tabr"> <td class="tabd">SCRIPT=DEFAULT=<span class="high italic"><string></span> <td class="tabd">sets the default directory for the script environment (a SET DEFAULT immediately prior to script activation). This can be suppressed (for backward compatibility purposes) using a "#" as the target directory. This string is reflected in CGI variable SCRIPT_DEFAULT so that CGIplus script and RTE engines can be informed of this setting for a particular script's environment. Unix syntax paths may also be specified. If the default begins with a "/" character the SET DEFAULT is not performed but the SCRIPT_DEFAULT variable is set appropriately allowing the equivalent of a <span class="high italic">chdir()</span> to be performed by the scripting environment. <tr class="tabr"> <td class="tabd">[NO]SCRIPT=FIND <td class="tabd">by default the server always confirms the existence and accessibility of a script file by searching for it before attempting to activate it. If it does not exist it reports an error. It may be possible a Run-Time Environment (RTE) may require to access its own script file via a mechanism available only to itself. The server script search may be disabled by SETing the path as <span class="high italic">nofind</span>, for example "script=nofind". The script path and filename is directly passed to the RTE for it to process and activate. <tr class="tabr"> <td class="tabd">SCRIPT=LIFETIME=<span class="high italic"><hh:mm:ss></span> <td class="tabd">provides a per-path (and hence per-script) value for a script process <span class="high italic">zombie</span> (idle scripting process) or idle CGIplus and RTE process lifetime. This per-path SETing overrides the respective [DclZombieLifeTime] and [DclCGIplusLifeTime] global directives. <tr class="tabr"> <td class="tabd">SCRIPT=PARAM=<span class="high italic"><name=value></span> <td class="tabd">allows non-CGI environment variables to be associated with a particular script path.
The name component becomes a variable containing the specified value passed to the script. Multiple, comma-separated <span class="high italic">name=value</span> pairs may be specified. The value may be quoted. The following path setting <div class="blockof code">set /cgi-bin/example* script=params=(first=one,second="Two (and Three)") </div> would result in additional CGI variables available to the script <div class="blockof code">WWW_FIRST == "one" WWW_SECOND == "Two (and Three)" </div> <p> Multiple <span class="high italic">script=params</span> set against the one request override previous settings unless the parameters are specified with a leading plus symbol, as in <div class="blockof code">set /cgi-bin/example* script=params=+(third=three,fourth="number 4") </div> <tr class="tabr"> <td class="tabd">[NO]SCRIPT=PATH=FIND <td class="tabd">directs the server to check for and report if the file specified in the path does not exist before activating the script process. Normally this would be left up to the script. <tr class="tabr"> <td class="tabd">[NO]SCRIPT=QUERY=NONE <td class="tabd">saves a small amount of overhead by suppressing the decomposition of any query string into key or form fields for those environments that do this for themselves. <tr class="tabr"> <td class="tabd">[NO]SCRIPT=QUERY=RELAXED <td class="tabd">normally when the CGI variables are being prepared for a script and the query string is parsed an error is reported if it uses <span class="high italic">x-www-form-urlencoded</span> format and the encoding contains an error. However some scripts use non-strict encodings and this rule allows those scripts to receive the query strings without the server complaining first. <tr class="tabr"> <td class="tabd">[NO]SCRIPT=SYNTAX=UNIX <td class="tabd">provides the SCRIPT_FILENAME and PATH_TRANSLATED CGI variables in Unix file-system syntax rather than VMS file-system syntax (i.e. /DEVICE/dir1/dir2/file.type rather than DEVICE:[DIR1.DIR2]FILE.TYPE). 
<tr class="tabr"> <td class="tabd">[NO]SCRIPT=SYMBOL=TRUNCATE <td class="tabd">allows otherwise aborted script processing to continue. Script CGI variables are provided using DCL symbols. With VMS V7.3-2 and later symbol capacity is in excess of 8000 characters. For VMS V7.3-1 and earlier it has a limit of around 1000 characters. If a symbol is too large the server by default aborts the request generating a 500 HTTP status. If the above mapping is made (against the script path) excessive symbol values are truncated and such symbol names placed into a special CGI variable named SERVER_TRUNCATE. </table> <li class="item"> <span class="high bold">[NO]SEARCH=NONE – </span> Do not activate the automatic document search script for any query strings associated with this path. <li class="item"> <span class="high bold">SERVICE=<span class="high italic"><string></span> </span> When mapping is concluded move the request to this virtual service or to the first virtual service matching a wildcarded specification. <li class="item"> <span class="high bold">SSI=<span class="high italic"><parameter></span> </span> Controls aspects of Server-Side Include engine behaviour. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">[NO]SSI=PRIV <td class="tabd">SSI documents cannot contain privileged directives (e.g. <!--#exec ... -->) unless owned by SYSTEM ([1,4]) or are in a path set as allowing these directives. Use SSI=priv to enable this, NOSSI=priv to disable. <span class="high bold">Caution:</span> these SSI directives are quite powerful, use great care when allowing any particular document author or authors to use them. <tr class="tabr"> <td class="tabd">SSI=EXEC=<span class="high italic"><string></span> <td class="tabd">where <string> is a comma-separated list of the #dcl parameters permitted for the path allows fine-grained control of what capabilities are enabled.
The parameter "#" enables SSI on a per-path basis. <div class="blockof code">ssi=exec=say,show ssi=exec=# </div> </table> <li class="item"> <span class="high bold">SSLCGI=<span class="high italic"><keyword></span> – </span> Enables and sets the type of CGI variables used to represent a Secure Sockets Layer (SSL) CGI variables. <p> When enabling these variables it is advised to increase the WASD_CONFIG_GLOBAL [BufferSizeDclCommand] and [BufferSizeCgiPlusIn] directives by approximately 2048. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">NOSSLCGI <td class="tabd">disables the facility <tr class="tabr"> <td class="tabd">SSLCGI=none <td class="tabd">disables the facility <tr class="tabr"> <td class="tabd">SSLCGI=Apache_mod_SSL <td class="tabd">provides Apache mod_ssl style variables <tr class="tabr"> <td class="tabd">SSLCGI=Apache_mod_SSL_extens <td class="tabd">provides variables representing X509 V3 extensions from the server certificate <tr class="tabr"> <td class="tabd">SSLCGI=Apache_mod_SSL_client <td class="tabd">provides variables representing X509 V3 extensions from the client certificate <tr class="tabr"> <td class="tabd">SSLCGI=Purveyor <td class="tabd">provides Purveyor style variables </table> <li class="item"> <span class="high bold">[NO]STMLF – </span> Specify files to be automatically converted to Stream-LF format. The default is to ignore conversion. STMLF allows selected paths to be converted. <li class="item"> <span class="high bold">THROTTLE=<span class="high italic"><parameter></span> – </span> Controls the concurrent number of scripts being processed on the path. <p> See <a class="link" href="#2.5.requestthrottling">2.5 Request Throttling</a>. 
<table class="tabl"> <tr class="tabr"> <th class="tabh">Rule <th class="tabh"> <tr class="tabr"> <tr class="tabr"> <td class="tabd">THROTTLE=<span class="high italic">n[/u][,n,n,n,hh:mm:ss,hh:mm:ss]</span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=FROM=<span class="high italic"><n></span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=USER=<span class="high italic"><u></span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=TO=<span class="high italic"><n></span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=RESUME=<span class="high italic"><n></span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=BUSY=<span class="high italic"><n></span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=TIMEOUT=QUEUE=<span class="high italic"><hh:mm:ss></span> <td class="tabd"> <tr class="tabr"> <td class="tabd">THROTTLE=TIMEOUT=BUSY=<span class="high italic"><hh:mm:ss></span> <td class="tabd"></table> <li class="item"> <span class="high bold">TIMEOUT=<span class="high italic"><parameter></span> – </span> Sets the appropriate timeout period on a per-path basis. The string "none" can be used to specify <span class="high italic">no timeout</span>. <p> These parallel the respective configuration timeout periods. See <a class="link" href="#6.2.alphabeticlisting">6.2 Alphabetic Listing</a>. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">TIMEOUT=<span class="high italic"><hh:mm:ss>, <hh:mm:ss>,<hh:mm:ss></span> <td class="tabd">Keep-alive, then no-progress, then output timeouts. <tr class="tabr"> <td class="tabd">TIMEOUT=KEEPALIVE= <span class="high italic"><hh:mm:ss></span> <td class="tabd">Keep idle network connections alive for this long. 
<tr class="tabr"> <td class="tabd">TIMEOUT=NOPROGRESS= <span class="high italic"><hh:mm:ss></span> <td class="tabd">Terminate connection when no data is transferred to the client for this period. <tr class="tabr"> <td class="tabd">TIMEOUT=OUTPUT= <span class="high italic"><hh:mm:ss></span> <td class="tabd">Terminate connection after this period when no response data has been sent. <tr class="tabr"> <td class="tabd">NOTIMEOUT <td class="tabd">No timeouts are applied to the request. </table> <li class="item"> <span class="high bold">WEBDAV=<span class="high italic"><parameter></span> – </span> Controls aspects of WebDAV processing or behaviour. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">WEBDAV=[NO]ALL <td class="tabd">all requests using WebDAV processing (even if not WebDAV request) <tr class="tabr"> <td class="tabd">WEBDAV=[NO]AUTH <td class="tabd">authorise access using WebDAV rules (even if not WebDAV request) <tr class="tabr"> <td class="tabd">WEBDAV=[NO]HIDDEN <td class="tabd">list (default) or hide U*x <span class="high italic">hidden</span> files (i.e. 
those with names beginning with period) <tr class="tabr"> <td class="tabd">WEBDAV=[NO]LOCK <td class="tabd">allow/apply WebDAV locking to this path <tr class="tabr"> <td class="tabd">WEBDAV=[NO]PROFILE <td class="tabd">WebDAV access according to SYSUAF profile <tr class="tabr"> <td class="tabd">WEBDAV=[NO]PROP <td class="tabd">allow/apply WebDAV 'dead' property(ies) to this path <tr class="tabr"> <td class="tabd">WEBDAV=[NO]PUT=LOCK <td class="tabd">a resource must be locked before a PUT is allowed <tr class="tabr"> <td class="tabd">WEBDAV=[NO]READ <td class="tabd">WebDAV methods allowed read this tree <tr class="tabr"> <td class="tabd">WEBDAV=[NO]SERVER <td class="tabd">WebDAV access as server account (best effort) <tr class="tabr"> <td class="tabd">WEBDAV=[NO]WINPROP <td class="tabd">when NOWINPROP windows properties are ignored and emulated <tr class="tabr"> <td class="tabd">WEBDAV=[NO]WRITE <td class="tabd">WebDAV methods allowed write to this path (implied read) <tr class="tabr"> <td class="tabd">WEBDAV=LOCK=TIMEOUT=DEFAULT= <td class="tabd">hh:mm:ss <tr class="tabr"> <td class="tabd">WEBDAV=LOCK=TIMEOUT=MAX= <td class="tabd">hh:mm:ss <tr class="tabr"> <td class="tabd">WEBDAV=META=DIR= <td class="tabd">per-path equivalent of global [WebDAVmetaDir] </table> <li class="item"> <span class="high bold">WEBSOCKET=<span class="high italic"><parameter></span> – </span> Controls aspects of WebSocket processing or behaviour. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">WEBSOCKET=INPUT=<span class="high italic">integer</span> <td class="tabd">Specifies the size of the WEBSOCKET_INPUT mailbox buffer; in bytes. <tr class="tabr"> <td class="tabd">WEBSOCKET=OUTPUT=<span class="high italic">integer</span> <td class="tabd">Specifies the size of the WEBSOCKET_OUTPUT mailbox buffer; in bytes. 
</table> </ul> <p> Of course, as with all mapping rules, paths containing file types (extensions) may be specified so it is quite easy to apply settings to particular groups of files. Multiple settings may be made against the one path, merely separate set directives from each other with white-space. If a setting string is required to contain white-space enclose the string with single or double quotes, or curly brackets. The following example gives a small selection of potential uses. <div class="blockof code"># examples of SET rule usage # -------------------------- # disable caching for selected paths set /wasd_root/src/* NOcache set /sys$common/* NOcache # enable stream-LF conversion in selected directory trees set /web/* stmlf set /wasd_root/* stmlf # respond with Cyrillic character set(s) from relevant directories set /*/8859-5/* charset=ISO-8859-5 set /*/koi8-r/* charset=KOI8-R # the Sun Java tutorial when UNZIPped contains underscores for invalid characters set /vms/java/tutorial/* RMSchar=_ # if a request has "/plain-text/" in its path then ALWAYS return as plain-text! set /*/plain-text/* content=text/plain map /*/plain-text/* /*/* # same for "/binary/" set /*/binary/* content=text/plain map /*/binary/* /*/* # indicate extended file specifications on this path set /Documents/* ODS=5 pass /Documents/* /ods5_device/Documents/* # throttle this script's execution, 5 executing, unlimited waiting set /cgi-bin/big_script* throttle=5 # disable server script search for this RTE set /onerte/* script=nofind exec /onerte/* (CGI-BIN:[000000]ONERTE.EXE)/wasd_root/src/one/* </div> <a id="10.5.5.0.1" href="#"></a> <a id="10.5.5.postfixsetrule" href="#"></a> <a id="postfixsetrule" href="#"></a> <h5 class="head"><span class="text">Postfix SET Rule</span></h5> <p> Path SETings may be appended to any rule that contains both a template and result. This makes it possible to apply path SETings using matching final rules.
For example a matching PASS rule does not require a separate, preceding SET rule containing the same path to also apply required SETings. This is more efficient (requiring less pattern matching) and tends to make the rule set less cluttered. <div class="blockof code"># examples of postfix SET rule usage # ---------------------------------- # if a request has "/plain-text/" in its path then ALWAYS return as plain-text! map /*/plain-text/* /*/* content=text/plain # same for "/binary/" map /*/binary/* /*/* content=text/plain # indicate extended file specifications on this path pass /Documents/* /ods5_device/Documents/* ODS=5 # throttle this script's execution, 5 executing, unlimited waiting script /big_script* /cgi-bin/big_script* throttle=5 </div> <a id="10.6" href="#"></a> <a id="10.6.reversemapping" href="#"></a> <a id="reversemapping" href="#"></a> <h2 class="head"><span class="numb">10.6</span><span class="text">Reverse Mapping</span></h2> <p> Path mapping is required to get from web-space into file-space, and that mapping is not <span class="high italic">necessarily</span> one-to-one. That is, /web/doc/ may not be WEB:[DOC] but for example, DKA0:[WEB.DOC] so that mapping would be <div class="blockof code">pass /web/* /dka0/web/* </div> <p> Mapping paths in reverse is needed to get something like DKA0:[WEB.DOC]THIS.TXT (that may come from a $SEARCH result) back into the web-space of /web/doc/this.txt. So WASD needs paths that may be mapped using the <span class="high italic">result</span> back to the <span class="high italic">template</span>. In simple mappings the one rule can serve both purposes. In some situations explicit, extra rules are needed. <p> The above example is trivial, and if WASD needs to turn something like DKA0:[DOC]THIS.TXT into a web-space representation (URI) it makes the file-space specification into URI syntax (i.e. 
/dka0/web/doc/this.txt) and then scans the rules comparing that to <span class="high italic">result</span> strings in the MAP rules. When one matches, the <span class="high italic">template</span> component is used to generate a web-space representation - the reverse of what was done when the request was initially being processed. <p> The non-trivial example is often associated with concealed, search-list devices. For example, the somewhat contrived <div class="blockof code">$ DEFINE /SYSTEM /TRANSLATION=CONCEALED WEB DKA100:[WEB1.],DKA200:[WEB2.] </div> with which the mapping from web- to file-space can be <div class="blockof code">pass /web/* /web/* </div> using the logical device, and quite naturally maps into file-space. WASD's file-system actions are complex and low-level, often needing to access to the underlying device (and so tend to $PARSE NOCONCEAL). Results from the above mapping can come back DKA100:[WEB1]THIS.TXT and DKA200:[WEB2]THAT.TXT and so the above mapping can't be used to get back into web-space because there is no <span class="high italic">template</span> with a matchable rule. <p> In such a case there is a need to add explicit reverse-mapping rules (often immediately following the forward mapping rule for convenience of grouping, but rules are also a little position sensitive so some skill is required) for the purpose of getting the underlying file specifications into a form for web consumption. In the above scenario an example would be <div class="blockof code">pass /web/* /web/* pass /web/* /dka100/web1/* pass /web/* /dka200/web2/* </div> where the latter two are never hit during forward mapping (because the first rule will always map a request URI beginning /web/...) but will be hit during reverse-mapping. If a reverse mapping exhausts the rules before finding a match the NO:[REVERSE.MAPPING.FOR.THIS]FILE.PATH! mapping is explicitly generated. 
<p> It is not always straight-forward and sometimes a decision is necessary about how the web-space is to be presented to the clients. For instance, while you easily can have multiple web-space views of the one file-space area, it is less straight-forward to have multiple web-space reverse mappings of the one file-space (as normally only the first matching rule will ever be reverse-mapped). <a id="10.7" href="#"></a> <a id="10.7.mappingexamples" href="#"></a> <a id="mappingexamples" href="#"></a> <h2 class="head"><span class="numb">10.7</span><span class="text">Mapping Examples</span></h2> <p> The example <a class="link blank" target="_blank" href="/wasd_root/example/wasd_config_map.conf">mapping rule file</a> for the WASD HTTP server can be viewed. <a id="10.7.0.0.1" href="#"></a> <a id="10.7.exampleofmaprule" href="#"></a> <a id="exampleofmaprule" href="#"></a> <h5 class="head"><span class="text">Example of <span class="high bold">Map</span> Rule</span></h5> <p> The <span class="high italic">result</span> string of these rules may or may not correspond to to a VMS physical file system path. Either way the resulting rule is further processed before passing or failing. <ol class="list"> <li class="item"> The following example shows a path "/web/unix/shells/c" being mapped to "/web/software/unix/scripts/c", with this being used to process further rules. <div class="blockof code">map /web/unix/* /web/software/unix/* </div> </ol> <a id="10.7.0.0.2" href="#"></a> <a id="10.7.examplesofpassrule" href="#"></a> <a id="examplesofpassrule" href="#"></a> <h5 class="head"><span class="text">Examples of <span class="high bold">Pass</span> Rule</span></h5> <ol class="list"> <li class="item"> This example shows a path "/web/rts/home.html" being mapped to "/user$rts/web/home.html", and this returned as the mapped path. 
<div class="blockof code">pass /web/rts/* /user$rts/web/* </div> <li class="item"> This maps a path "/icon/bhts/dir.gif" to "/web/icon/bhts/dir.gif", and this returned as the mapped path. <div class="blockof code">pass /icon/bhts/* /web/icon/bhts/* </div> <li class="item"> This example illustrates HTTP status code mapping. Each of these does basically the same thing, just using one of the three possible delimiters according to the characters required in the message. The server generates a 403 response which has as its text the following message. (Also see the conditional mapping examples.) <div class="blockof code">pass /private/* "403 Can't go in there!" pass /private/* '403 "/private/" is off-limits!' pass /private/* {403 Can't go into "/private/"} </div> </ol> <a id="10.7.0.0.3" href="#"></a> <a id="10.7.examplesoffailrule" href="#"></a> <a id="examplesoffailrule" href="#"></a> <h5 class="head"><span class="text">Examples of <span class="high bold">Fail</span> Rule</span></h5> <ol class="list"> <li class="item"> If a URL path "/web/private/home.html" is being mapped the path would immediately be failed. <div class="blockof code">fail /web/private/* </div> <li class="item"> To ensure all access fails, other than that explicitly passed, this entry should be included in the rules (following the rules that pass, as the first matching rule is the one applied). <div class="blockof code">fail /* </div> </ol> <a id="10.7.0.0.4" href="#"></a> <a id="10.7.examplesofexecandscriptrules" href="#"></a> <a id="examplesofexecandscriptrules" href="#"></a> <h5 class="head"><span class="text">Examples of <span class="high bold">Exec</span> and <span class="high bold">Script</span> Rules</span></h5> <ol class="list"> <li class="item"> If a URL path "/htbin/ismap/web/example.conf" is being mapped the "/wasd_root/script/" must be the URL format equivalent of the physical VMS specification for the directory locating the script DCL procedure. The "/web/example.conf" that followed the "/htbin/ismap" in the original URL becomes the translated path for the script. 
<div class="blockof code">exec /cgi-bin/* /cgi-bin/* </div> <li class="item"> If a URL path "/pl-bin/example/this/directory/and-file.txt" is being mapped the script name and filename become "/pl-bin/example" and "WASD_ROOT:[SRC.PERL]EXAMPLE.PL" respectively, the path information and translated become "/this/directory/and-file.txt" and "THIS:[DIRECTORY]AND-FILE.TXT", and the interpreter (run-time environment) activated to interpret the script is CGI-BIN:[000000]PERLRTE.EXE. <div class="blockof code">exec /pl-bin/* (cgi-bin:[000000]perlrte.exe)/wasd_root/src/perl/* </div> <li class="item"> If a URL path "/conan/web/example.hlb" is being mapped the "/wasd_root/script/conan" must be the URL format equivalent of the physical VMS specification for the DCL procedure. The "/web/example.hlb" that followed the "/conan/" in the original URL becomes the translated path for the script. <div class="blockof code">script /conan* /wasd_root/script/conan* </div> </ol> <a id="10.7.0.0.5" href="#"></a> <a id="10.7.examplesofredirectrule" href="#"></a> <a id="examplesofredirectrule" href="#"></a> <h5 class="head"><span class="text">Examples of <span class="high bold">Redirect</span> Rule</span></h5> <ol class="list"> <li class="item"> If a URL path "/AnotherGroup/this/that/other.html" is being mapped the URL would be redirected to "http://host/this/that/other.html" <div class="blockof code">redirect /AnotherGroup/* http://host/group/* </div> <li class="item"> If a cleartext service (http://) is deprecated and all requests to it should instead be redirected to a secure service (https://) <div class="blockof code">[[the.host.name:80]] redirect /* https:///*? </div> <p> And to a non-standard port number <div class="blockof code">[[the.host.name:80]] redirect /* https://:4443/*? 
</div> </ol> <a id="10.8" href="#"></a> <a id="10.8.virtualservers" href="#"></a> <a id="virtualservers" href="#"></a> <h2 class="head"><span class="numb">10.8</span><span class="text">Virtual Servers</span></h2> <p> As described in <a class="link" href="#2.3.virtualservices">2.3 Virtual Services</a>, virtual service syntax may be used with mapping rules to selectively apply rules to one specific service. This example provides the essentials of using this syntax. Note that service-specific and service-common rules may be mixed in any order allowing common mappings (e.g. for scripting) to be shared. <div class="blockof code"># a mapping rule example of virtual servers [[alpha.domain.name:80]] # ALPHA is the only service allowing access to VMS help directory pass /sys$common/syshlp/* [[beta.domain.name:80]] # good stuff is only available from BETA pass /good-stuff/* # BETA has its own error report format, the others share one pass /errorreport /httpd/-/errorreportalpha.shtml [[gamma.domain.name:80]] # gamma responds with documents using the Cyrillic character set set /* charset=ISO-8859-5 [[*]] # common file and script mappings exec /cgi-bin/* /cgi-bin/* exec+ /cgiplus-bin/* /cgi-bin/* script+ /help/* /cgiplus-bin/conan/* pass /errorreport /httpd/-/errorreport.shtml # now the base directories for all documents [[alpha.domain.name:80]] /* /web/alpha/* [[beta.domain.name:80]] /* /web/beta/* [[gamma.domain.name:80]] /* /web/gamma/* [[*]] # catch-all rule (just in case :-) pass /* /web/* </div> <p> The Server Administration page WATCH report provides the capability to view the rule databse as well as rule mapping during actual request processing, using the WATCH facility. 
<a id="10.9" href="#"></a> <a id="10.9.conditionalmapping" href="#"></a> <a id="conditionalmapping" href="#"></a> <h2 class="head"><span class="numb">10.9</span><span class="text">Conditional Mapping</span></h2> <div class="note"> <a id="10.9.0.0.1" href="#"></a> <a id="10.9.deprecatedanddiscouraged" href="#"></a> <a id="deprecatedanddiscouraged" href="#"></a> <h5 class="head center"><span class="text">Deprecated and Discouraged</span></h5> <hr class="note_hr"> See <a class="link" href="#5.conditionalconfiguration">5. Conditional Configuration</a> for current funtionality. <p> As this has been deprecated for some years now the documentation for this functionality has been removed. <p> For backward-reference see the "WASD Hypertext Services - Technical Overview" document for release v9.3 or earlier. <hr class="note_hr"> </div> <a id="10.9.0.0.1.1" href="#"></a> <a id="10.9.mappinguserdirectories" href="#"></a> <a id="mappinguserdirectories" href="#"></a> <h6 class="head display0"><span class="text">Mapping User Directories</span></h6> <a id="10.10" href="#"></a> <a id="10.10.mappinguserdirectoriestildecharacterquotquot" href="#"></a> <a id="mappinguserdirectoriestildecharacterquotquot" href="#"></a> <h2 class="head"><span class="numb">10.10</span><span class="text">Mapping User Directories (<span class="high italic">tilde</span> character ("~"))</span></h2> <p> The convention for specifying user web areas is "/~username/". The basic idea is that the user's web-available file-space is mapped into the request in place of the tilde and username. <a id="10.10.1" href="#"></a> <a id="10.10.1.usingthesysuaf" href="#"></a> <a id="usingthesysuaf" href="#"></a> <h3 class="head"><span class="numb">10.10.1</span><span class="text">Using The SYSUAF</span></h3> <p> The USER rule maps a VMS user account default device and directory (i.e. <span class="high italic">home</span> directory) into a request path (<a class="link" href="#10.5.3.userrule">10.5.3 USER Rule</a>). 
That is, the base location for the request is obtained from the VMS system's SYSUAF file. A user's home directory information is cached, to reduce load on the authorization databases. As this information is usually quite static there is no timeout period on such information (although it may be flushed to make room for other users). Cache contents are included in the Mapping Rules Report and are implicitly flushed when the server's rules are reloaded. <p> The following is a typical usage of the rule. <div class="blockof code">USER /~*/* /*/www/* </div> <p> Note the "/www" subdirectory component. It is <span class="high bold">strongly recommended</span> that users never be mapped into their top-level directory, but into a web-specific subdirectory. This effectively "sandboxes" Web access to that subdirectory hierarchy, allowing the user privacy elsewhere in the home area. <p> To accommodate request user paths that do not incorporate a trailing delimiter after the username the following redirect may be used to cause the browser to re-request with a more appropriate path (make sure it follows the USER rule). <div class="blockof code">REDIRECT /~* ///~*/ </div> <p> WASD also "reverse maps" VMS specifications into paths and so requires additional rules to provide these mappings. (Reverse mapping is required during directory listings and error reporting.) For the continuing example the following rules would be required (and in the stated order). <div class="blockof code">USER /~*/* /*/www/* REDIRECT /~* ///~*/ PASS /~*/* /user$disk/*/www/* </div> <p> Where user home directories are spread over multiple devices (physical or concealed logical) a reverse-mapping rule would be required for each. Consider the following situation, where user directories are distributed across these devices (concealed logicals) <div class="blockof code">USER$GROUP1: USER$GROUP2: USER$GROUP3: USER$OTHER: </div> <p> This would require the following mapping rules (in the stated order). 
<div class="blockof code">USER /~*/* /*/www/ PASS /~*/* /user$group1/*/www/* PASS /~*/* /user$group2/*/www/* PASS /~*/* /user$group3/*/www/* PASS /~*/* /user$other/*/www/* </div> <p> Accounts with a search list as a default device (e.g. SYS$SYSROOT) present particular complications in this schema and should be avoided. <div class="note"><a id="10.10.1.0.0.1" href="#"></a> <a id="10.10.1.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Accounts that possess SYSPRV, are CAPTIVE, have been DISUSERED or that have expired passwords will not be mapped. A "directory not found" error report is returned. This error was chosen to make it more difficult to <span class="high italic">probe</span> the authorization environment to determine whether accounts exist or not. <hr class="note_hr"> </div> <p> Of course vanilla mapping rules may be used to provide for special cases. For instance, if there is a requirement for a particular, privileged account to have a user mapping, that could be provided as in the following (rather exaggerated) example. <div class="blockof code">PASS /~system/* /sys$common/sysmgr/www/* USER /~*/* /*/www/ PASS /~*/* /user$disk/*/www/* </div> <a id="10.10.1.0.1" href="#"></a> <a id="10.10.1.useraccountscripting" href="#"></a> <a id="useraccountscripting" href="#"></a> <h5 class="head"><span class="text">User Account Scripting</span></h5> <p> In some situations it may be desirable to allow the average Web user to experiment with or implement scripts. With WASD 7.1 and later, and VMS V6.2 and later, this is possible. Detached scripting must be enabled, the /PERSONA startup qualifier used, and appropriate mapping rules in place. If the SET "script=as=" mapping rule specifies a tilde character then for a user request the mapped SYSUAF username is substituted. 
<p> The following example shows the essentials of setting up a user environment with access to a subdirectory in the user's home directory, [.WWW], and with scripts located in a subdirectory of that, [.WWW.CGI-BIN]. <div class="blockof code">UXEC /~*/cgi-bin/* /*/www/cgi-bin/* script=as=~ USER /~*/* /*/www/* REDIRECT /~* /~*/ PASS /~*/* /dka0/users/*/* </div> <p> For more detailed information see the "Scripting Overview, Introduction". <a id="10.10.2" href="#"></a> <a id="10.10.2.withoutusingthesysuaf" href="#"></a> <a id="withoutusingthesysuaf" href="#"></a> <h3 class="head"><span class="numb">10.10.2</span><span class="text">Without Using The SYSUAF</span></h3> <div class="note"><a id="10.10.2.0.0.1" href="#"></a> <a id="10.10.2.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> See <a class="link" href="#10.9.mappinguserdirectories">‘Mapping User Directories’ in 10.9 Conditional Mapping</a> for current functionality. <p> As this has been deprecated for some years now the documentation for this functionality has been removed. <p> For backward-reference see the "WASD Hypertext Services - Technical Overview" document for release v9.3 or earlier. <hr class="note_hr"> </div> <a id="10.11" href="#"></a> <a id="10.11.crossoriginresourcesharing" href="#"></a> <a id="crossoriginresourcesharing" href="#"></a> <h2 class="head"><span class="numb">10.11</span><span class="text">Cross Origin Resource Sharing</span></h2> <p> Cross-site HTTP requests are HTTP requests for resources from a domain different to the domain of the resource making the request. For instance, a resource loaded from domain one (http://domain.example) such as an HTML web page, makes a request for a resource on domain two (http://domain.foo), such as an image, using the img element (http://domain.foo/image.jpg). This occurs very commonly on the web today. 
Pages load a number of resources in a cross-site manner, including CSS stylesheets, images and scripts, and other resources. <p> Cross-site HTTP requests initiated from within browser-based applications have been subject to well-known restrictions, for well-understood security reasons. In particular, this meant that an actively processing web application could only make HTTP requests to the domain it was loaded from, and not to other domains. Developers expressed the desire to safely evolve capabilities to make cross-site requests, for better, safer web applications. The Web Applications Working Group within the W3C has recommended the new Cross-Origin Resource Sharing (CORS) mechanism, which provides a way for web servers to support cross-site access controls, which enable secure cross-site data transfers. <a id="10.11.0.0.1" href="#"></a> <a id="10.11.basicreferences" href="#"></a> <a id="basicreferences" href="#"></a> <h5 class="head"><span class="text">Basic References</span></h5> <p> This section is not a CORS reference, just the WASD implementation. Readers are referred to more authoritative CORS resources. 
<ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a> <li class="item"> <a class="link blank" target="_blank" href="http://www.html5rocks.com/en/tutorials/cors/">http://www.html5rocks.com/en/tutorials/cors/</a> <li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Cross-origin_resource_sharing">http://en.wikipedia.org/wiki/Cross-origin_resource_sharing</a> <li class="item"> <a class="link blank" target="_blank" href="http://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS">http://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS</a> </ul> <a id="10.11.0.0.2" href="#"></a> <a id="10.11.wasdcors" href="#"></a> <a id="wasdcors" href="#"></a> <h5 class="head"><span class="text">WASD CORS</span></h5> <p> WASD supports CORS using mapping rules. This means cross-origin requests are evaluated prior to accessing any resources or activating any scripts, etc. If the request has an "Origin: .." header and the path has been <span class="high italic">set cors=origin=..</span> the server performs preflight and request checks. If the request is CORS authorised the server adds CORS response headers. If it is not CORS authorised the server adds nothing. Some significant understanding of the purpose and operation of CORS is required to tailor the provision of the required response headers. In particular, CORS=ORIGIN is best set to the specific origin that needs access rather than to a wildcard, especially on a path that also sets CORS=CRED=true. 
<table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">CORS=AGE=<span class="high italic">integer seconds</span> <td class="tabd">Access-Control-Max-Age: response header <tr class="tabr"> <td class="tabd">CORS=CRED=<span class="high italic">true|false</span> <td class="tabd">Access-Control-Allow-Credentials: response header <tr class="tabr"> <td class="tabd">CORS=EXPOSE=<span class="high italic">header[,header2,header3]</span> <td class="tabd">Access-Control-Expose-Headers: response header <tr class="tabr"> <td class="tabd">CORS=HEADERS=<span class="high italic"></span> <td class="tabd">Access-Control-Allow-Headers: response header <tr class="tabr"> <td class="tabd">CORS=METHODS=<span class="high italic">method[,method2,method3]</span> <td class="tabd">Access-Control-Allow-Methods: response header <tr class="tabr"> <td class="tabd">CORS=ORIGIN=<span class="high italic">URL</span> <td class="tabd">Access-Control-Allow-Origin: response header </table> <a id="10.11.0.0.3" href="#"></a> <a id="10.11.wasdcorsexamples" href="#"></a> <a id="wasdcorsexamples" href="#"></a> <h5 class="head"><span class="text">WASD CORS Examples</span></h5> <ol class="list"> <li class="item"> <p> For a request containing <div class="blockof code">OPTIONS /resources/post-here/ HTTP/1.1 Host: bar.other … Origin: http://foo.example Access-Control-Request-Method: POST Access-Control-Request-Headers: X-PINGOTHER </div> with the mapping rules <div class="blockof code">SET /resources/post-here/* CORS=origin=* CORS=methods=POST,GET,OPTIONS CORS=headers=X-PINGOTHER CORS=age=3600 </div> would produce a response <div class="blockof code">HTTP/1.1 200 OK … Content-Length: 0 Connection: Keep-Alive Content-Type: text/plain Access-Control-Allow-Origin: http://foo.example Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-PINGOTHER Access-Control-Max-Age: 3600 </div> <li class="item"> 
<p> For a request containing <div class="blockof code">GET /resources/credentials/ HTTP/1.1 Host: bar.other … Connection: keep-alive Referer: http://foo.example/examples/credential.html Origin: http://foo.example </div> with the mapping rules <div class="blockof code">SET /resources/credentials/* CORS=origin=http://foo.example CORS=credEntials=true </div> would produce a response <div class="blockof code">HTTP/1.1 200 OK … Content-Length: 106 Connection: Keep-Alive Content-Type: text/plain Access-Control-Allow-Origin: http://foo.example Access-Control-Allow-Credentials: true … </div> </ol> <!-- source:1300_AUTHORIZATION.WASDOC --> <hr class="page"> <a id="11." href="#"></a> <a id="11.authorizationconfigurationbasics" href="#"></a> <a id="authorizationconfigurationbasics" href="#"></a> <h1 class="head"><span class="numb">11.</span><span class="text">Authorization Configuration (Basics)</span></h1> <table class="TOC2table"> <tr><td><a href="#11.1.sysuafidentifierauthentication"><span class="numb">11.1</span><span class="text">SYSUAF/Identifier Authentication</span></a> <tr><td><a href="#11.2.otherauthentication"><span class="numb">11.2</span><span class="text">Other Authentication</span></a> <tr><td><a href="#11.3.readandwritegroupings"><span class="numb">11.3</span><span class="text">Read and Write Groupings</span></a> <tr><td><a href="#11.4.considerations"><span class="numb">11.4</span><span class="text">Considerations</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#10.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#12.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> WASD offers a comprehensive and versatile authentication and authorization environment. A little too comprehensive, often leaving the new administrator wondering where to begin. 
The role of this chapter is to provide a starting place, especially for sources of authentication, along with some basic configurations. <a class="link blank" target="_blank" href="../features/#authenticationandauthorization">Authentication and Authorization</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a> contains a detailed explanation of all aspects. All examples here assume a standard installation and environment. <p> Just to clarify. <span class="high bold">Authentication</span> is the verification of a user's identity, usually through username/password credentials. <span class="high bold">Authorization</span> is allowing a certain action to be applied to a particular path based on that identity. <p> Changes to the authorization configuration file can be validated at the command-line before reload or restart. This detects and reports any syntactical and configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. <div class="blockof code">$ HTTPD /DO=AUTH=CHECK </div> <p> If additional server startup qualifiers are required to enable specific authorization features then these must also be provided when checking. For example: <div class="blockof code">$ HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE </div> <p> A server's currently loaded authorization rules may also be interrogated from the Server Administration menu (see <a class="link blank" target="_blank" href="../features/#serveradministration">Server Administration</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <a id="11.1" href="#"></a> <a id="11.1.sysuafidentifierauthentication" href="#"></a> <a id="sysuafidentifierauthentication" href="#"></a> <h2 class="head"><span class="numb">11.1</span><span class="text">SYSUAF/Identifier Authentication</span></h2> <p> This setup allows any active account to authenticate using the local VMS username and password. 
By default not every account may authenticate this way, only those holding specified VMS rights identifiers. The examples provided in this section allows access to the WASD online Server Administration facility, and so may be followed specifically for that purpose, as well as serve as a general guide. <ul class="list"> <li class="item"> Define the following logical before calling the server startup procedure. To make such a definition permanent add it to the system or Web environment startup procedures. This logical contains a startup qualifier that configures the server to allow authentication from the SYSUAF, using VMS rights identifiers (<a class="link blank" target="_blank" href="../features/#authenticationpolicy">Authentication Policy</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <div class="blockof code">$ DEFINE /SYSTEM WASD_STARTUP_SERVER "/SYSUAF=ID" $ @<span class="high italic">device</span>:[WASD_ROOT.LOCAL]STARTUP.COM </div> After a change to a command-line qualifier of the server such as the above it needs to be restarted using the following directive. <div class="blockof code">$ HTTPD/DO=RESTART </div> <li class="item"> Decide on an identifier name. This can be an existing identifier, or one created for the purpose. For this example the identifier will be "WASD_WEBADMIN". Any identifier can be created using actions similar to the following example. <div class="blockof code">$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> ADD /IDENTIFIER WASD_WEBADMIN </div> <li class="item"> Modify the authorization configuration file, accessed by the server using the system logical WASD_CONFIG_AUTH, to contain the following. This allows full access to the online Server Administration facility and [.LOCAL] directory (and no world access). Additional paths may be added as required, and of course multiple identifiers may be created and used for multiple realms and paths. 
<div class="blockof code">["Web Admin"=WASD_WEBADMIN=id] /httpd/-/admin/* r+w /wasd_root/local/* r+w </div> <li class="item"> The identifier must then be granted to those accounts allowed to authenticate in this way. <div class="blockof code">$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> GRANT /IDENTIFIER WASD_WEBADMIN SYSTEM </div> <li class="item"> Using this approach useful discrimination may be exercised. For instance, one identifier for Web administrators, another (or others) for different authentication requirements. <div class="blockof code">["Web Admin"=WASD_WEBADMIN=id] /wasd_root/local/* r+w /httpd/-/admin/* r+w ["Area Access"=<span class="high italic">area-identifier-name</span>=id] /web/area/* r+w ; r </div> <p> Of course the one account may hold multiple identifiers and so may have access to various areas. <div class="blockof code">UAF> GRANT /IDENTIFIER WASD_WEBADMIN SYSTEM UAF> GRANT /IDENTIFIER <span class="high italic">area-identifier-name</span> SYSTEM </div> <p> Using VMS rights identifiers allows significant granularity in providing access. </ul> <a id="11.1.0.0.1" href="#"></a> <a id="11.1.afterchanges" href="#"></a> <a id="afterchanges" href="#"></a> <h5 class="head"><span class="text">After Changes</span></h5> <p> If the WASD_CONFIG_AUTH configuration file is changed, or rights identifiers are granted or revoked from accounts, the server should be directed to reload the file and purge any cached authorization information. 
<div class="blockof code">$ HTTPD/DO=AUTH=LOAD $ HTTPD/DO=AUTH=PURGE </div> <a id="11.2" href="#"></a> <a id="11.2.otherauthentication" href="#"></a> <a id="otherauthentication" href="#"></a> <h2 class="head"><span class="numb">11.2</span><span class="text">Other Authentication</span></h2> <p> Other sources of authentication are available, either by themselves or used in the same configuration file (different realms and paths) as those already discussed (<a class="link blank" target="_blank" href="../features/#authenticationsources">Authentication Sources</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). Non-SYSUAF sources do not require any startup qualifier to be enabled. <ul class="list"> <li class="item"> <span class="high bold">ACME</span> DOIs (Authentication and Credential Management Extension, Domains of Interpretation) may be used to authenticate requests. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">doi</span>=ACME] /web/area/* r+w </div> <li class="item"> <span class="high bold">Simple lists</span> contain usernames and unencrypted passwords. These are plain-text files, created and modified using any desired editor. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">list-name</span>=list] /web/area/* r+w </div> <p> This is a <span class="high under">very</span> simple arrangement, with little inherent security. Lists are more useful when grouping names together for specifying which group may do what to where. <li class="item"> <span class="high bold">HTA databases</span> are WASD-specific, binary repositories of usernames, encrypted passwords, capabilities, user and other detail. 
<div class="blockof code">["Whatever you want to call it!"=<span class="high italic">HTA-database-name</span>=HTA] /web/area/* r+w </div> <p> These databases may be administered using the online Server Administration facility (<a class="link blank" target="_blank" href="../features/#httpdserverrevise">HTTPd Server Revise</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>) or the HTAdmin command-line utility (<a class="link blank" target="_blank" href="../features/#htadmin">HTAdmin</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). HTA databases are quite secure and versatile. <li class="item"> <span class="high bold">External agents</span> are authentication and authorization scripts executed on demand, under the control of, but external to, the server. It is possible for a site to write its own, custom authorization agent. <div class="blockof code">["Whatever you want to call it!"=<span class="high italic">agent-name</span>=agent] /web/area/* r+w </div> Two variations on a versatile LDAP authenticator and a CEL-compatible authenticator, along with example code, are available in the <a class="link blank" target="_blank" href="/wasd_root/src/agent/">WASD_ROOT:[SRC.AGENT]</a> directory. <li class="item"> <span class="high bold">X.509</span> establishes identity based on Public Key Infrastructure (PKI) authentication certificates. This is only available for SSL transactions. <div class="blockof code">[X509] /web/area/* r+w </div> <li class="item"> <span class="high bold">RFC1413</span> is an IETF document describing an identification protocol that can be used as a form of <span class="high italic">authentication</span> within this realm. The username is reported by the client host's own identification service, so it is only as trustworthy as that host. 
<div class="blockof code">["Whatever you want to call it!"=RFC1413;A_PROJECT=list] /web/area/* r+w ; r </div> </ul> <a id="11.3" href="#"></a> <a id="11.3.readandwritegroupings" href="#"></a> <a id="readandwritegroupings" href="#"></a> <h2 class="head"><span class="numb">11.3</span><span class="text">Read and Write Groupings</span></h2> <p> WASD allows separate sources for groups of usernames to control read and write access in a particular realm (<a class="link blank" target="_blank" href="../features/#realmfullaccessreadonly">Realm, Full-Access, Read-Only</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <p> These groups may be provided via simple lists, VMS identifiers, HTA databases and authorization agents. The following example shows an identifier authenticated realm with full and read-only access controlled by two simple lists. For the first path the world has no access, for the second read-only access (with the read-only grouping becoming basically redundant information). <div class="blockof code">["Realm Name"=<span class="high italic">identifier_name</span>=id;<span class="high italic">full_access_name</span>=list;<span class="high italic">read-only_name</span>=list] /web/area/* r+w ; /web/another-area/* r+w ; r </div> <a id="11.4" href="#"></a> <a id="11.4.considerations" href="#"></a> <a id="considerations" href="#"></a> <h2 class="head"><span class="numb">11.4</span><span class="text">Considerations</span></h2> <p> Multiple authentication sources (realms) may be configured in the one WASD_CONFIG_AUTH file. <p> Multiple paths may be mapped against a single authentication source. <p> Any path may be mapped only once (for any single virtual service). <p> Paths may have additional access restrictions placed on them, including client host name, username, etc. 
(<a class="link blank" target="_blank" href="../features/#accessrestrictionkeywords">Access Restriction Keywords</a> of <a class="link blank" target="_blank" href="../features/#0.">WASD Features and Facilities</a>). <p> The configuration file is loaded and stored by the server at startup. If changed it must be reloaded to take effect. This can be done manually using <div class="blockof code">$ HTTPD/DO=AUTH=LOAD </div> <p> Authentication information is cached. Access that is subsequently removed or modified will not take effect until the cached entry expires, or is manually purged using <div class="blockof code">$ HTTPD/DO=AUTH=PURGE </div> <p> Failed attempts to authenticate against a particular source are limited. When this limit is exceeded access is always denied. If this has happened the cache must be manually purged before the user can successfully authenticate, using <div class="blockof code">$ HTTPD/DO=AUTH=PURGE </div> <!-- source:1400_INDEX.WASDOC --> <hr class="page"> <a id="12." href="#"></a> <a id="12.index" href="#"></a> <a id="index" href="#"></a> <h1 class="head"><span class="numb">12.</span><span class="text">Index</span></h1> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#11.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#13.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <div class="IDXcols2"> <table class="IDXtable"> <tr><td class="alpha">A</td><td class="text"><a href="#2.12.1.aquotquotfollowedby">‘A "!" 
followed by’ in 2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.1.aquot94quotfollowedby">‘A "^" followed by’ in 2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.abstract">‘Abstract’ in WASD Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.7.accessalert">2.12.7 Access Alert</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.accesslogging">2.12 Access Logging</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.6.accesstracking">2.12.6 Access Tracking</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.7.1.addingcontenttypes">2.7.1 Adding Content-Types</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.9.administration">7.9 Administration</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.4.administrationservices">7.4 Administration Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.afterchanges">‘After Changes’ in 11.1 SYSUAF/Identifier Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.alphabeticlisting">6.2 Alphabetic Listing</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.apachelicenseversion20">‘Apache License, Version 2.0’ in WASD Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.attributionandacknowledgement">13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.authenticationauthorization">‘Authentication/Authorization’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.7.authorization">3.7 Authorization</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.authorizationconfigurationbasics">11. 
Authorization Configuration (Basics)</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.authorizationholes">‘Authorization Holes’ in 3.9 Site Attacks</a> <tr><td class="alpha">B</td><td class="text"><a href="#2.10.1.basicanddetailed">2.10.1 Basic and Detailed</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.11.basicreferences">‘Basic References’ in 10.11 Cross Origin Resource Sharing</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.8.becareful">‘Be careful!’ in 3.8 Miscellaneous Issues</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.behaviour">8.1 Behaviour</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.bjoumlernhoumlehrmann">‘Bjöern Höehrmann’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.buffersizes">‘Buffer Sizes’ in 6.1 Functional Groupings</a> <tr><td class="alpha">C</td><td class="text"><a href="#9.cacheconfiguration">9. Cache Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.5.cacheconfiguration">9.5 Cache Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.4.cachecontentvalidation">9.4 Cache Content Validation</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.6.cachecontrol">9.6 Cache Control</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.3.cachesuitabilityconsiderations">9.3 Cache Suitability Considerations</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.cautions">‘CAUTIONS’ in 5.2 If..endif Conditionals</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.9.charactersetconversion">2.9 Character Set Conversion</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.4.1.charactersinrequestpaths">10.4.1 Characters In Request Paths</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.4.3.charactersinservergeneratedpaths">10.4.3 Characters In Server-Generated Paths</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#9.7.circumventingthecache">9.7 Circumventing The Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.clarkcooperetal">‘Clark Cooper, et.al.’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.6.clientconcurrency">2.6 Client Concurrency</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.conditionalconfiguration">5. Conditional Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.conditionalkeywords">5.3 Conditional Keywords</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.conditionalkeywords">‘Conditional Keywords’ in 5.3 Conditional Keywords</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.9.conditionalmapping">10.9 Conditional Mapping</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.conditionalsyntax">‘Conditional Syntax’ in 5.2 If..endif Conditionals</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.configuration">3.5 Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.configurationconsiderations">2. Configuration Considerations</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.1.configurationentries">5.5.1 Configuration Entries</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.configurationfiles">‘Configuration Files’ in 2. 
Configuration Considerations</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.4.considerations">11.4 Considerations</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.contentsecuritypolicycsp">3.10 Content Security Policy (CSP)</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.contenttype">‘Content-Type’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.8.contenttype">‘Content-Type’ in 2.8 Language Variants</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.7.contenttypeconfiguration">2.7 Content-Type Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.1.controllingnonfilecontentcaching">‘Controlling Non-File Content Caching’ in 9.1 Non-File Content Caching</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.11.crossoriginresourcesharing">10.11 Cross Origin Resource Sharing</a> <tr><td class="alpha">D</td><td class="text"><a href="#3.6.defaultaccounts">‘Default Accounts’ in 3.6 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.denialofservice">‘Denial of Service’ in 3.9 Site Attacks</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.9.deprecatedanddiscouraged">‘Deprecated and Discouraged’ in 10.9 Conditional Mapping</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.dictionary">5.5 Dictionary</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.2.dictionaryentries">‘Dictionary Entries’ in 5.5.2 Other Entries</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.8.directivedetail">7.8 Directive Detail</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.directorylisting">‘Directory Listing’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.1.directorylistings">3.5.1 Directory Listings</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.2.documentroot">‘Document Root’ in 2.2 Site Organisation</a> <tr><td class="alpha"> </td><td 
class="text"><a href="#3.dontthinkitcanthappentoyou">‘don't think it can't happen to you!’ in 3. Security Considerations</a> <tr><td class="alpha">E</td><td class="text"><a href="#5.5.3.entrysubstitution">5.5.3 Entry Substitution</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.errorreporting">2.10 Error Reporting</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.2.errorvariables">‘Error Variables’ in 2.10.2 Site Specific</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.7.exampleofmaprule">‘Example of Map Rule’ in 10.7 Mapping Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.1.examples">‘Examples’ in 2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.3.examples">4.3 Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.4.examples">5.4 Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.5.examples">‘Examples’ in 2.5 Request Throttling</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.7.examplesofexecandscriptrules">‘Examples of Exec and Script Rules’ in 10.7 Mapping Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.7.examplesoffailrule">‘Examples of Fail Rule’ in 10.7 Mapping Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.7.examplesofpassrule">‘Examples of Pass Rule’ in 10.7 Mapping Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.7.examplesofredirectrule">‘Examples of Redirect Rule’ in 10.7 Mapping Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.4.execdirectoriesandexecfiles">‘EXEC Directories and EXEC Files’ in 10.5.4 EXEC/UXEC and SCRIPT, Script Mapping Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.4.execuxecandscriptscriptmappingrules">10.5.4 EXEC/UXEC and SCRIPT, Script Mapping Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.7.4.explicitlyspecifyingcontenttype">2.7.4 Explicitly Specifying 
Content-Type</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.4.expressionsubstitution">4.4 Expression Substitution</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.4.extendedfilespecificationsods5">10.4 Extended File Specifications (ODS-5)</a> <tr><td class="alpha">F</td><td class="text"><a href="#6.1.filecache">‘File Cache’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.4.2.filenameambiguity">10.4.2 File Name Ambiguity</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.4.1.flushperiod">‘Flush Period’ in 2.4.1 Response Encoding</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.freesoftwarefoundation">‘Free Software Foundation’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.functionalgroupings">6.1 Functional Groupings</a> <tr><td class="alpha">G</td><td class="text"><a href="#7.2.genericservices">7.2 Generic Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.globalconfiguration">6. Global Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.1.greedyandnongreedy">‘Greedy and Non-Greedy’ in 4.1 Wildcard Patterns</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.4.gzipencoding">2.4 GZIP Encoding</a> <tr><td class="alpha">H</td><td class="text"><a href="#5.3.7.hostaddresses">5.3.7 Host Addresses</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.http2">‘HTTP/2’ in 6.1 Functional Groupings</a> <tr><td class="alpha">I</td><td class="text"><a href="#5.2.ifendifconditionals">5.2 If..endif Conditionals</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.1.includefiledirective">2.1 Include File Directive</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.4.independentpackageandlocalresources">3.4 Independent Package and Local Resources</a> <tr><td class="alpha"> </td><td class="text"><a href="#12.index">12. 
Index</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.4.instance">‘Instance:’ in 5.3.4 Instance: and Robin: Keywords</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.4.instanceandrobinkeywords">5.3.4 Instance: and Robin: Keywords</a> <tr><td class="alpha"> </td><td class="text"><a href="#1.introduction">1. Introduction</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.5.ipv4andipv6">7.5 IPv4 and IPv6</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.5.ipv6literaladdresses">‘IPv6 Literal Addresses’ in 7.5 IPv4 and IPv6</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.5.ipv6nameresolution">‘IPv6 Name Resolution’ in 7.5 IPv4 and IPv6</a> <tr><td class="alpha">K</td><td class="text"><a href="#1.keepsitespecificresourcesandserverinstallationseparateanddistinct">‘Keep site-specific resources and server installation separate and distinct.’ in 1. Introduction</a> <tr><td class="alpha">L</td><td class="text"><a href="#2.8.languagevariants">2.8 Language Variants</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.license">‘License’ in WASD Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.licensedundertheapachelicenseversion20">‘Licensed under the Apache License, Version 2.0’ in 13. 
Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.1.logformat">2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.5.lognaming">2.12.5 Log Naming</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.4.logperinstance">2.12.4 Log Per-Instance</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.2.logperperiod">2.12.2 Log Per-Period</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.3.logperservice">2.12.3 Log Per-Service</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.logging">‘Logging’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.logicalnames">‘LOGICAL NAMES’ in 10.2 VMS File System Specifications</a> <tr><td class="alpha">M</td><td class="text"><a href="#3.3.maintainingpackagesecurity">3.3 Maintaining Package Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.1.mappassfailrules">10.5.1 MAP, PASS, FAIL Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.7.mappingexamples">10.7 Mapping Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.1.mappingoverhead">‘Mapping Overhead’ in 10.1 Rule Interpretation</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.5.mappingreload">‘Mapping Reload’ in 2.5 Request Throttling</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.5.mappingrules">‘Mapping Rules’ in 9.5 Cache Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.9.mappinguserdirectories">‘Mapping User Directories’ in 10.9 Conditional Mapping</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.10.mappinguserdirectoriestildecharacterquotquot">10.10 Mapping User Directories (tilde character ("~"))</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.2.matchingoperators">‘Matching Operators’ in 4.2 Regular Expressions</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#8.messageconfiguration">8. Message Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.2.messagefileformat">8.2 Message File Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.7.2.mimetypes">2.7.2 MIME.TYPES</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.miscellaneous">‘Miscellaneous’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.8.miscellaneousissues">3.8 Miscellaneous Issues</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.3.multiplefilesmultivaluedlogicalname">‘Multiple Files - Multivalued Logical Name’ in 8.3 Multiple Language Specifications</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.3.multiplelanguagespecifications">8.3 Multiple Language Specifications</a> <tr><td class="alpha">N</td><td class="text"><a href="#9.1.nonfilecontentcaching">9.1 Non-File Content Caching</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.8.nontextcontent">‘Non-Text Content’ in 2.8 Language Variants</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.noneofthefollowinglicensingappearsincompatiblewiththeapachelicense">‘None of the following licensing appears incompatible with the Apache License’ in 13. 
Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.10.2.note">‘Note’ in 10.10.2 Without Using The SYSUAF</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.10.1.note">‘Note’ in 10.10.1 Using The SYSUAF</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.4.note">‘Note’ in 10.5.4 EXEC/UXEC and SCRIPT, Script Mapping Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.3.note">‘Note’ in 10.5.3 USER Rule</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.2.note">‘Note’ in 10.5.2 REDIRECT Rule</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.1.note">‘Note’ in 10.5.1 MAP, PASS, FAIL Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.8.note">‘Note’ in 7.8 Directive Detail</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.2.note">‘Note’ in 8.2 Message File Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.1.note">‘Note’ in 2.1 Include File Directive</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.1.note">‘Note’ in 5.5.1 Configuration Entries</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.4.note">‘Note’ in 5.4 Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.7.1.note">‘Note’ in 2.7.1 Adding Content-Types</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.5.note">‘Note’ in 2.5 Request Throttling</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.1.note">‘Note’ in 2.3.1 [[virtual-server]]</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.1.notepadkeyword">5.3.1 Notepad: Keyword</a> <tr><td class="alpha">O</td><td class="text"><a href="#13.ohiostateuniversity">‘Ohio State University’ in 13. 
Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.onlinesearch">‘Online Search’ in WASD Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.11.opcomlogging">2.11 OPCOM Logging</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.opensslproject">‘OpenSSL Project’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.operatorconsoleandlog">‘Operator Console and Log’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.2.operatoroverview">‘Operator Overview’ in 4.2 Regular Expressions</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.2.otherauthentication">11.2 Other Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.1.othercustomization">‘Other Customization’ in 2.10.1 Basic and Detailed</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.2.otherentries">5.5.2 Other Entries</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.1.owaspzap">‘OWASP ZAP’ in 3.1 Server and Site Testing</a> <tr><td class="alpha">P</td><td class="text"><a href="#2.12.1.quotpaquotandquotrqquot">‘"PA" and "RQ"’ in 2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.2.packageaccess">‘Package Access’ in 3.2 Recommended Package Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.8.packagetree">‘Package Tree’ in 3.8 Miscellaneous Issues</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.passwordcracking">‘Password Cracking’ in 3.9 Site Attacks</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.paulejones">‘Paul E. Jones’ in 13. 
Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.5.peruserthrottle">‘Per-User Throttle’ in 2.5 Request Throttling</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.2.permanentandvolatile">9.2 Permanent and Volatile</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.platformvulnerabilities">‘Platform Vulnerabilities’ in 3.9 Site Attacks</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.5.postfixsetrule">‘Postfix SET Rule’ in 10.5.5 SET Rule</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.1.predefinedplususerdefined">‘Pre-defined Plus User-Defined’ in 2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.1.processingoverhead">‘Processing Overhead’ in 10.1 Rule Interpretation</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.proxyserving">‘Proxy Serving’ in 6.1 Functional Groupings</a> <tr><td class="alpha">R</td><td class="text"><a href="#5.3.2.randkeyword">5.3.2 Rand: Keyword</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.3.readandwritegroupings">11.3 Read and Write Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.2.recommendedpackagesecurity">3.2 Recommended Package Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.2.redirectrule">10.5.2 REDIRECT Rule</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.4.regularexpressionsubstitution">‘Regular Expression Substitution’ in 4.4 Expression Substitution</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.2.regularexpressions">4.2 Regular Expressions</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.2.repetitionoperators">‘Repetition Operators’ in 4.2 Regular Expressions</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.reports">‘Reports’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.4.2.requestencoding">2.4.2 Request Encoding</a> <tr><td 
class="alpha"> </td><td class="text"><a href="#10.requestprocessingconfiguration">10. Request Processing Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.5.requestthrottling">2.5 Request Throttling</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.3.requestkeyword">5.3.3 Request: Keyword</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.4.1.responseencoding">2.4.1 Response Encoding</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.6.reversemapping">10.6 Reverse Mapping</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.2.rightsidentifiers">‘Rights Identifiers’ in 3.2 Recommended Package Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.4.robin">‘Robin:’ in 5.3.4 Instance: and Robin: Keywords</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.rsadatasecurity">‘RSA Data Security’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.1.ruleinterpretation">10.1 Rule Interpretation</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.rules">10.5 Rules</a> <tr><td class="alpha">S</td><td class="text"><a href="#10.5.4.scriptlocation">‘Script Location’ in 10.5.4 EXEC/UXEC and SCRIPT, Script Mapping Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.6.scripting">3.6 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.scripting">‘Scripting’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.3.scripting">3.5.3 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.3.sechanutility">‘SECHAN Utility’ in 3.3 Maintaining Package Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.securesocket">‘Secure Socket’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.3.securecom">‘SECURE.COM’ in 3.3 Maintaining Package Security</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#3.6.securingauthorisation">‘Securing Authorisation’ in 3.6 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.4.securingscripting">‘Securing Scripting’ in 3.5.4 Server Side Includes</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.securityconsiderations">3. Security Considerations</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.1.serverandsitetesting">3.1 Server and Site Testing</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.2.serverreports">3.5.2 Server Reports</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.4.serversideincludes">3.5.4 Server Side Includes</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.serversideincludes">‘Server Side Includes’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.1.serviceconditionals">5.1 Service Conditionals</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.1.serviceconditionals">‘Service Conditionals’ in 2.3.1 [[virtual-server]]</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.serviceconfiguration">7. 
Service Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.servicedirectives">7.7 Service Directives</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.servicedirectives">‘Service Directives’ in 7.7 Service Directives</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.10.serviceexamples">7.10 Service Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.5.setrule">10.5.5 SET Rule</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.siteattacks">3.9 Site Attacks</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.2.siteorganisation">2.2 Site Organisation</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.2.sitespecific">2.10.2 Site Specific</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.sitevulnerabilities">‘Site Vulnerabilities’ in 3.9 Site Attacks</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.specificservices">7.1 Specific Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.4.specifiedsubstitution">‘Specified Substitution’ in 4.4 Expression Substitution</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.3.sslservices">7.3 SSL Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.strategies">‘Strategies’ in 3.9 Site Attacks</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.stringmatching">‘String Matching’ in 5.2 If..endif Conditionals</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.1.stringmatching">‘String Matching’ in 10.1 Rule Interpretation</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.stringmatching">4. String Matching</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.stuartlangridge">‘Stuart Langridge’ in 13. 
Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.4.suppliedmessagefiles">8.4 Supplied Message Files</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.sysuafidentifierauthentication">11.1 SYSUAF/Identifier Authentication</a> <tr><td class="alpha">T</td><td class="text"><a href="#0.tableofcontent">‘Table of Content’ in WASD Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.tatsuhirotsujikawa">‘Tatsuhiro Tsujikawa’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.terminology">‘Terminology’ in 9. Cache Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.thissectionisnotanexplanationofcsp">‘This section is not an explanation of CSP’ in 3.10 Content Security Policy (CSP)</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.5.timekeyword">5.3.5 Time: Keyword</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.timeout">‘Timeout’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.tlssslconfiguration">‘TLS/SSL Configuration’ in 6.2 Alphabetic Listing</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.8.tlssslconfiguration">‘TLS/SSL Configuration’ in 7.8 Directive Detail</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.8.tlssslconfiguration">‘TLS/SSL Configuration’ in 7.8 Directive Detail</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.towwwornottowww">7.6 To www. 
Or Not To www.</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.3.traditionalfilespecificationsods2">10.3 Traditional File Specifications (ODS-2)</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.6.trnlnmkeyword">5.3.6 Trnlnm: Keyword</a> <tr><td class="alpha"> </td><td class="text"><a href="#1.1.troubleshooting">1.1 Troubleshooting?</a> <tr><td class="alpha">U</td><td class="text"><a href="#2.7.3.unknowncontenttypes">2.7.3 Unknown Content-Types</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.2.unknownvirtualserver">2.3.2 Unknown Virtual Server</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.10.1.useraccountscripting">‘User Account Scripting’ in 10.10.1 Using The SYSUAF</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.3.userrule">10.5.3 USER Rule</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.12.1.userdefined">‘User-Defined’ in 2.12.1 Log Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.2.usingascript">‘Using a Script’ in 2.10.2 Site Specific</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.2.usinganssidocument">‘Using an SSI Document’ in 2.10.2 Site Specific</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.10.2.usingstatichtmldocuments">‘Using Static HTML Documents’ in 2.10.2 Site Specific</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.10.1.usingthesysuaf">10.10.1 Using The SYSUAF</a> <tr><td class="alpha">V</td><td class="text"><a href="#10.1.virtualservers">‘Virtual Servers’ in 10.1 Rule Interpretation</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.8.virtualservers">10.8 Virtual Servers</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.virtualservices">2.3 Virtual Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.vmsfilesystemspecifications">10.2 VMS File System Specifications</a> <tr><td class="alpha">W</td><td class="text"><a href="#10.5.4.warning">‘WARNING’ in 
10.5.4 EXEC/UXEC and SCRIPT, Script Mapping Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.wasdconfiguration">‘WASD Configuration’ in WASD Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.11.wasdcors">‘WASD CORS’ in 10.11 Cross Origin Resource Sharing</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.11.wasdcorsexamples">‘WASD CORS Examples’ in 10.11 Cross Origin Resource Sharing</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.wasdvmswebservicesndashcopyrightcopy19962021markgdaniel">‘WASD VMS Web Services – Copyright © 1996-2021 Mark G. Daniel’ in 13. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.wasdconfigglobalservicedeprecated">‘WASD_CONFIG_GLOBAL [Service] (deprecated) ’ in 2.3 Virtual Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.wasdconfigservice">‘WASD_CONFIG_SERVICE’ in 2.3 Virtual Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.4.watchdictionary">5.5.4 WATCH Dictionary</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.webdav">‘WebDAV’ in 6.1 Functional Groupings</a> <tr><td class="alpha"> </td><td class="text"><a href="#1.welcome">‘Welcome!’ in 1. Introduction</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.whyimplementcaching">‘Why Implement Caching?’ in 9. 
Cache Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.1.wildcardoperators">‘Wildcard Operators’ in 4.1 Wildcard Patterns</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.1.wildcardpatterns">4.1 Wildcard Patterns</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.4.wildcardsubstitution">‘Wildcard Substitution’ in 4.4 Expression Substitution</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.3.withintheonefile">‘Within The One File’ in 8.3 Multiple Language Specifications</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.10.2.withoutusingthesysuaf">10.10.2 Without Using The SYSUAF</a> <tr><td class="alpha">Z</td><td class="text"><a href="#3.1.zapandhttp2">‘ZAP and HTTP/2’ in 3.1 Server and Site Testing</a> </table> </div> <hr class="page"> <a id="13." href="#"></a> <a id="13.attributionandacknowledgement" href="#"></a> <a id="attributionandacknowledgement" href="#"></a> <h1 class="head"><span class="numb">13.</span><span class="text">Attribution and Acknowledgement</span></h1> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#12.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a>↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <a id="13.0.0.0.1" href="#"></a> <a id="13.wasdvmswebservicesndashcopyrightcopy19962021markgdaniel" href="#"></a> <a id="wasdvmswebservicesndashcopyrightcopy19962021markgdaniel" href="#"></a> <h5 class="head"><span class="text">WASD VMS Web Services – Copyright © 1996-2021 Mark G. Daniel</span></h5> <a id="13.0.0.0.2" href="#"></a> <a id="13.licensedundertheapachelicenseversion20" href="#"></a> <a id="licensedundertheapachelicenseversion20" href="#"></a> <h5 class="head"><span class="text">Licensed under the <span class="high bold">Apache License</span>, Version 2.0</span></h5> <p> <div class="blockof code">You may not use this software except in compliance with the License. 
You may obtain a copy of the License at <a class="link blank" target="_blank" style="margin-left:1em;" href="https://www.apache.org/licenses/LICENSE-2.0">https://www.apache.org/licenses/LICENSE-2.0</a> Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </div> <a id="13.0.0.0.3" href="#"></a> <a id="13.noneofthefollowinglicensingappearsincompatiblewiththeapachelicense" href="#"></a> <a id="noneofthefollowinglicensingappearsincompatiblewiththeapachelicense" href="#"></a> <h5 class="head"><span class="text">None of the following licensing appears incompatible with the Apache License</span></h5> <a id="13.0.0.0.4" href="#"></a> <a id="13.clarkcooperetal" href="#"></a> <a id="clarkcooperetal" href="#"></a> <h5 class="head"><span class="text">Clark Cooper, et al.</span></h5> <p> This package uses the Expat XML parsing toolkit. <div class="blockof code">Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
</div> <a id="13.0.0.0.5" href="#"></a> <a id="13.bjoumlernhoumlehrmann" href="#"></a> <a id="bjoumlernhoumlehrmann" href="#"></a> <h5 class="head"><span class="text">Björn Höhrmann</span></h5> <p> This package uses essential algorithm and code from Flexible and Economical UTF-8 Decoder. <div class="blockof code">Copyright (c) 2008-2009 Björn Höhrmann (&lt;bjoern@hoehrmann.de&gt;) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. </div> <a id="13.0.0.0.6" href="#"></a> <a id="13.freesoftwarefoundation" href="#"></a> <a id="freesoftwarefoundation" href="#"></a> <h5 class="head"><span class="text">Free Software Foundation</span></h5> <p> This package contains software made available by the Free Software Foundation under the GNU General Public License. <div class="blockof code">This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. </div> <a id="13.0.0.0.7" href="#"></a> <a id="13.ohiostateuniversity" href="#"></a> <a id="ohiostateuniversity" href="#"></a> <h5 class="head"><span class="text">Ohio State University</span></h5> <p> This package contains software provided with the OSU (DECthreads) HTTP server package, authored by David Jones: <div class="blockof code">Copyright 1994,1997 The Ohio State University. 
The Ohio State University will not assert copyright with respect to reproduction, distribution, performance and/or modification of this program by any person or entity that ensures that all copies made, controlled or distributed by or for him or it bear appropriate acknowlegement of the developers of this program. </div> <a id="13.0.0.0.8" href="#"></a> <a id="13.opensslproject" href="#"></a> <a id="opensslproject" href="#"></a> <h5 class="head"><span class="text">OpenSSL Project</span></h5> <p> This product <span class="high italic">can</span> include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (<a class="link blank" target="_blank" href="https://www.openssl.org/">https://www.openssl.org/</a>). <div class="blockof code">Redistribution and use in source and binary forms, with or without modification, are permitted ... </div> <a id="13.0.0.0.9" href="#"></a> <a id="13.paulejones" href="#"></a> <a id="paulejones" href="#"></a> <h5 class="head"><span class="text">Paul E. Jones</span></h5> <p> This package uses SHA-1 hash code. <div class="blockof code">Copyright (C) 1998, 2009 Paul E. Jones &lt;paulej@packetizer.com&gt; Freeware Public License (FPL) This software is licensed as "freeware." Permission to distribute this software in source and binary forms, including incorporation into other products, is hereby granted without a fee. </div> <a id="13.0.0.0.10" href="#"></a> <a id="13.rsadatasecurity" href="#"></a> <a id="rsadatasecurity" href="#"></a> <h5 class="head"><span class="text">RSA Data Security</span></h5> <p> This software contains code derived in part from RSA Data Security, Inc: <div class="blockof code">permission granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. 
</div> <a id="13.0.0.0.11" href="#"></a> <a id="13.stuartlangridge" href="#"></a> <a id="stuartlangridge" href="#"></a> <h5 class="head"><span class="text">Stuart Langridge</span></h5> <p> SortTable version 2 <br> Stuart Langridge, http://www.kryogenix.org/code/browser/sorttable/ <div class="blockof code">Thanks to many, many people for contributions and suggestions. Licenced as X11: <a class="link blank" target="_blank" href="http://www.kryogenix.org/code/browser/licence.html">http://www.kryogenix.org/code/browser/licence.html</a> This basically means: do what you want with it. </div> <a id="13.0.0.0.12" href="#"></a> <a id="13.tatsuhirotsujikawa" href="#"></a> <a id="tatsuhirotsujikawa" href="#"></a> <h5 class="head"><span class="text">Tatsuhiro Tsujikawa</span></h5> <p> nghttp2 - HTTP/2 C Library <br> Tatsuhiro Tsujikawa, <a class="link blank" target="_blank" href="https://github.com/tatsuhiro-t">https://github.com/tatsuhiro-t</a> <div class="blockof code">Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. </div> <p> <span class="high bold">VSI OpenVMS</span>, <span class="high bold">VSI TCP/IP Services for OpenVMS</span>, <span class="high bold">VSI C</span> <br> are registered trademarks of VMS Software Inc. 
<p> <span class="high bold">OpenVMS</span>, <span class="high bold">HP TCP/IP Services for OpenVMS</span>, <span class="high bold">HP C</span>, <span class="high bold">Alpha</span>, <span class="high bold">Itanium</span> and <span class="high bold">VAX</span> <br> are registered trademarks of Hewlett Packard Enterprise <p> <span class="high bold">MultiNet</span> and <span class="high bold">TCPware</span> are registered trademarks of Process Software Corporation <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#12.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a>↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <title>WASD Configuration</title>